Determining the identity of hosts on a network is an important capability of security appliances that intend to track the behavior of hosts over extended periods of time. Network hosts (e.g. servers, laptops, mobile devices) are commonly identified by their Internet Protocol (IP) address, Media Access Control (MAC) address, host name, or other identifiers. However, a given host's IP address often changes, for instance as the host connects at different times and/or from different locations. Further, one or more host names may be duplicated. For example, three users with identical cell phones may all share the same host name (e.g. “iPhone”). Increasingly, company networks allow users to “bring your own device” (BYOD) to work, which may create further host-name duplications. As such, there is a demand for a consistent and accurate mechanism of identifying a particular host that appropriately handles shared host names, hosts changing networks, and other complexities.
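As an added illustration (not part of this text, and not the mechanism it goes on to describe), the following Python script replays a handful of constructed address-lease events and scores three single-attribute identity keys: IP address, host name and MAC address. It reports which key values merge distinct devices (the shared “iPhone” case) and which devices get split across several identities (the changing-IP case). The events, addresses and names are invented, and the MAC address is treated as ground truth only because the data is constructed; on a real network MAC addresses are visible only on the local segment and may themselves be altered, which is exactly why no single identifier suffices.

```python
from collections import defaultdict

# Constructed address-lease events, as a security appliance observing the local
# segment might record them. Fields: client MAC, assigned IP, self-reported name.
EVENTS = [
    {"t": 1, "mac": "aa:aa:aa:00:00:01", "ip": "10.0.0.5", "name": "iPhone"},
    {"t": 2, "mac": "aa:aa:aa:00:00:02", "ip": "10.0.0.6", "name": "iPhone"},
    {"t": 3, "mac": "aa:aa:aa:00:00:03", "ip": "10.0.0.7", "name": "iPhone"},
    # device 1 reconnects later and receives a different lease
    {"t": 4, "mac": "aa:aa:aa:00:00:01", "ip": "10.0.0.9", "name": "iPhone"},
    # the lease 10.0.0.5 is handed to a different device
    {"t": 5, "mac": "aa:aa:aa:00:00:04", "ip": "10.0.0.5", "name": "laptop-42"},
]


def devices_per_identity(events, field, truth="mac"):
    """Map each value of `field` to the set of physical devices seen under it.
    `truth` is the attribute treated as ground truth for this illustration only."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev[field]].add(ev[truth])
    return dict(seen)


def conflated(events, field, truth="mac"):
    """Identity values that merge more than one device (false 'same host')."""
    groups = devices_per_identity(events, field, truth)
    return sorted(k for k, devs in groups.items() if len(devs) > 1)


def fragmented(events, field, truth="mac"):
    """Devices that show up under more than one identity value (false 'new host')."""
    by_device = defaultdict(set)
    for ev in events:
        by_device[ev[truth]].add(ev[field])
    return sorted(d for d, keys in by_device.items() if len(keys) > 1)


def evaluate(events, field):
    """Summarise how well keying identity on `field` partitions the devices."""
    return {
        "identities": len(devices_per_identity(events, field)),
        "conflated": conflated(events, field),
        "fragmented": fragmented(events, field),
    }


if __name__ == "__main__":
    for field in ("ip", "name", "mac"):
        print(f"{field:>4}: {evaluate(EVENTS, field)}")
```

Keying on IP yields the right number of identities (four) but the wrong partition: 10.0.0.5 merges two devices while device 1 is split across two leases. Keying on host name collapses three phones into one “iPhone”. The MAC key is clean here only because the sample never leaves the local segment and nobody alters their address; a tracker has to expect both.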
While some conventional approaches rely on information provided to the security appliance by external sources (either in a “pull” model, where the security appliance queries the external sources, or in a “push” model, where the external source pushes such information into the security appliance), these approaches are difficult to configure and maintain, and they often cover only a subset of the hosts in a company's network. Moreover, malicious entities that attack networks often assume that network security defense devices track hosts by IP address. As such, the malicious entities commonly switch IP addresses or spoof other identification data in an effort to stymie the network security devices.
As is evident, there is a demand for a host identification mechanism that can efficiently and accurately identify hosts over time, across different networks, and/or when hosts use spoofed identifiers.