1. Field of the Invention
This invention pertains in general to monitoring traffic on computer networks and in particular to monitoring traffic to detect unsanctioned usage of network services.
2. Description of the Related Art
A large enterprise, such as a corporation or government agency, can have a computer network with thousands of computers connected to it. Many of the computers are clients that are used by end-users, such as employees, to perform their day-to-day tasks. These tasks may include writing documents, exchanging emails, and browsing the World Wide Web. Some of the computers are servers that perform dedicated tasks. For example, an email server will route email messages sent or received by the end-users. A web server will serve web pages requested by clients inside or outside the enterprise, and a domain name system (DNS) server will perform domain name resolution in response to client requests.
Often, it is easy for an end-user to turn a client into a server. For example, the end-user can purposely install mail server or web server software on a client. Once this software is activated, the client effectively becomes a server. In another scenario, an end-user can accidentally install software that causes a client to act as a server. The accidental installation can occur, for example, when the end-user downloads malicious software, such as a worm or Trojan horse, from the Internet. Likewise, a worm that penetrates the enterprise's security can install servers on a large number of clients in a short amount of time.
In most enterprises, an administrator is responsible for maintaining the network. Network security is of paramount concern to the administrator, and unsanctioned servers running on client computers represent a large security risk. Therefore, the administrator must constantly monitor the network for unsanctioned servers or other indications of malicious activity.
The administrator's job is difficult because network configurations and topologies change frequently. Client computers are added, mail servers are reconfigured, and countless other changes are made to the network during the day-to-day operations of the enterprise. As a result, an administrator has trouble both detecting new servers and differentiating between sanctioned and unsanctioned servers. Therefore, there is a need in the art for a way to detect unsanctioned servers.