US-12627713-B2 - Secure service advertisement in multicast DNS
Abstract
A method for a network device is provided, the method comprising obtaining device fingerprint data representing a first set of characteristics of a device connected to the network and an associated confidence score representative of a confidence in the first set of characteristics, obtaining a threshold confidence score, receiving a service advertisement message from the device, the service advertisement message including an indication of a second set of characteristics of the device. The method then involves determining whether the first set of characteristics are inconsistent with the second set of characteristics and performing a predetermined action in dependence on an outcome of this determining and on a comparison of the confidence score with the threshold confidence score. A network device configured to perform the method, and a non-transitory computer-readable storage medium comprising instructions for executing the method are also provided.
Inventors
- Shashi Hosakere Ankaiah
- Trevor Miranda
- Vivek Lakshminarayana Atreya
Assignees
- CAMBIUM NETWORKS LTD
Dates
- Publication Date: 2026-05-12
- Application Date: 2023-11-15
- Priority Date: 2023-05-09
Claims (18)
- 1. A computer-implemented method for controlling a network, the method comprising: obtaining device fingerprint data representing a first set of characteristics of a device connected to the network and an associated confidence score representative of a confidence in the first set of characteristics; obtaining a threshold confidence score representing a threshold confidence for the first set of characteristics; receiving a service advertisement message from the device, the service advertisement message including an indication of a second set of characteristics of the device; determining whether the first set of characteristics are inconsistent with the second set of characteristics, the determining comprising comparing: a first characteristic of the first set of characteristics, the first characteristic corresponding to a first characteristic type, with a second characteristic of the second set of characteristics, the second characteristic corresponding to a second, different, characteristic type, wherein the comparing takes account of a set of rules describing one or more inconsistencies between the first characteristic type and the second characteristic type; and performing a predetermined action in dependence on an outcome of the determining whether the first set of characteristics are inconsistent with the second set of characteristics and on a comparison of the confidence score with the threshold confidence score, wherein the confidence score associated with the fingerprint data is dependent on a time elapsed since the first set of characteristics were determined.
- 2. The computer-implemented method of claim 1, wherein the predetermined action includes: forwarding the service advertisement message into the network; or rejecting the service advertisement message to prevent the service advertisement message from being distributed in the network.
- 3. The computer-implemented method of claim 2, wherein forwarding the service advertisement message into the network is dependent on at least one of the following conditions being met: the first set of characteristics are consistent with the second set of characteristics and the confidence score represented in the fingerprint data does not exceed the threshold confidence score; the first set of characteristics are consistent with the second set of characteristics and the confidence score represented in the fingerprint data exceeds the threshold confidence score; and the first set of characteristics are inconsistent with the second set of characteristics and the confidence score represented in the fingerprint data does not exceed the threshold confidence score.
- 4. The computer-implemented method of claim 3, wherein forwarding the service advertisement message when the first set of characteristics are inconsistent with the second set of characteristics and the confidence score does not exceed the threshold confidence score is subject to administrator approval.
- 5. The computer-implemented method of claim 2, wherein rejecting the service advertisement message to prevent the service advertisement message from being distributed in the network is performed in response to a determination that the first set of characteristics are inconsistent with the second set of characteristics and the confidence score represented in the fingerprint data exceeds the threshold score.
- 6. The computer-implemented method of claim 1, wherein obtaining the fingerprint data includes receiving the fingerprint data from a further device attached to the network that is configured to generate the fingerprint data.
- 7. The computer-implemented method of claim 1, wherein obtaining the fingerprint data includes generating the fingerprint data.
- 8. The computer-implemented method of claim 7, wherein generating the device fingerprint data includes deriving the first set of characteristics from one or more messages received from the device, and wherein the method includes at least one of: performing passive scans of devices attached to the network to obtain messages from said devices; and performing active scans of the devices attached to the network to obtain messages from said devices.
- 9. The computer-implemented method of claim 8, wherein the confidence score is determined based on at least one of the following: an amount of data received in messages from the device that are used to derive the first set of characteristics; a number of messages used to derive the first set of characteristics; whether characteristics of the first set of characteristics are inferred from the messages or explicitly signaled in the messages; a number of characteristics included in the first set of characteristics; and the type of messages received from the device.
- 10. The computer-implemented method of claim 1, wherein the first and second set of characteristics each include at least one of: a device type; an operating system; an indication of software running on the device; a device model; an identification number associated with the device; and an indication of services provided by the device.
- 11. A network device configured to act as an access point for devices to connect to a network, the network device comprising a processor and storage, the storage comprising executable instructions which, when executed by the processor, cause the network device to: obtain device fingerprint data representing a first set of characteristics of a device connected to the network and an associated confidence score representative of a confidence in the first set of characteristics; obtain a threshold confidence score representing a threshold confidence for the first set of characteristics; receive a service advertisement message from the device, the service advertisement message including an indication of a second set of characteristics of the device; determine whether the first set of characteristics are inconsistent with the second set of characteristics by comparing: a first characteristic of the first set of characteristics, the first characteristic corresponding to a first characteristic type, with a second characteristic of the second set of characteristics, the second characteristic corresponding to a second, different, characteristic type, wherein the comparing takes account of a set of rules describing one or more inconsistencies between the first characteristic type and the second characteristic type; and perform a predetermined action in dependence on an outcome of the determining whether the first set of characteristics are inconsistent with the second set of characteristics and on a comparison of the confidence score with the threshold confidence score, wherein the confidence score associated with the fingerprint data is dependent on a time elapsed since the first set of characteristics were determined.
- 12. The network device according to claim 11, wherein the predetermined action includes: forwarding the service advertisement message into the network; or rejecting the service advertisement message to prevent the service advertisement message from being distributed in the network.
- 13. The network device according to claim 12, wherein forwarding the service advertisement message into the network is dependent on at least one of the following conditions being met: the first set of characteristics are consistent with the second set of characteristics and the confidence score represented in the fingerprint data does not exceed the threshold confidence score; the first set of characteristics are consistent with the second set of characteristics and the confidence score represented in the fingerprint data exceeds the threshold confidence score; and the first set of characteristics are inconsistent with the second set of characteristics and the confidence score represented in the fingerprint data does not exceed the threshold confidence score.
- 14. The network device according to claim 12, wherein rejecting the service advertisement message to prevent the service advertisement message from being distributed in the network is performed in response to a determination that the first set of characteristics are inconsistent with the second set of characteristics and the confidence score represented in the fingerprint data exceeds the threshold confidence score.
- 15. The network device according to claim 11, wherein obtaining the fingerprint data includes generating the fingerprint data by deriving the first set of characteristics from one or more messages received from the device, and wherein the instructions, when executed by the processor, cause the network device to perform at least one of the following: passive scans of devices attached to the network to obtain messages from said devices; and active scans of devices attached to the network to obtain messages from said devices.
- 16. The network device according to claim 15, wherein the confidence score is determined based on at least one of the following: an amount of data received in messages from the device that are used to derive the first set of characteristics; a number of messages used to derive the first set of characteristics; whether characteristics of the first set of characteristics are inferred from the messages or explicitly signaled in the messages; and the type of messages received from the device.
- 17. The network device according to claim 11, wherein the first and second set of characteristics each include at least one of: a device type; an operating system; an indication of software running on the device; a device model; an identification number associated with the device; port information corresponding to the device; and an indication of services provided by the device.
- 18. A non-transitory computer-readable storage medium comprising computer-executable instructions which, when executed by a processor, cause the processor to: obtain device fingerprint data representing a first set of characteristics of a device connected to the network and an associated confidence score representative of a confidence in the first set of characteristics; obtain a threshold confidence score representing a threshold confidence for the first set of characteristics; receive a service advertisement message from the device, the service advertisement message including an indication of a second set of characteristics of the device; determine whether the first set of characteristics are inconsistent with the second set of characteristics by comparing: a first characteristic of the first set of characteristics, the first characteristic corresponding to a first characteristic type, with a second characteristic of the second set of characteristics, the second characteristic corresponding to a second, different, characteristic type, wherein the comparing takes account of a set of rules describing one or more inconsistencies between the first characteristic type and the second characteristic type; and perform a predetermined action in dependence on an outcome of the determining whether the first set of characteristics are inconsistent with the second set of characteristics and on a comparison of the confidence score with the threshold confidence score, wherein the confidence score associated with the fingerprint data is dependent on a time elapsed since the first set of characteristics were determined.
Description
CROSS-REFERENCE TO RELATED APPLICATION
This application claims priority to India Patent Application No. 202341032655 filed on May 9, 2023, the entirety of which is hereby fully incorporated by reference herein.
BACKGROUND OF THE INVENTION
Field of the Invention
This application relates to network security and more specifically, though not exclusively, to service discovery in multicast DNS enabled networks.
Description of the Related Technology
Multicast Domain Name System (mDNS) is a protocol that enables devices on a network to discover and communicate with each other using domain names without the need for a centralized DNS server. It is based on the DNS protocol, but instead of using a traditional DNS server to resolve domain names to IP addresses, mDNS uses multicast DNS messages to enable devices to discover each other. When a device running mDNS joins a network, it sends out a multicast DNS message to announce its presence and provide information about the services it offers. Other devices on the network can then discover the device by sending out multicast DNS queries using the device's domain name. If the device is available, it responds to the query with its IP address and any other information requested. A consequence of mDNS is that it enables automatic discovery of devices and services on a network without the need for manual configuration or a dedicated DNS server. The mDNS protocol is part of a set of technologies typically referred to as "Zero-Configuration Networking", often abbreviated to "zeroconf". This makes it especially useful for home networks and office networks where setting up and maintaining a DNS server may not be practical or necessary. There are security concerns around the use of mDNS protocols, primarily related to the potential for unauthorized devices to join a network and potentially launch attacks or compromise network security.
Identifying and acting against unauthorized devices can be particularly difficult in large networks, such as across enterprises. It is desirable to address some of the security concerns of mDNS protocol enabled networks.
SUMMARY
In accordance with a first aspect of the present disclosure there is provided a computer-implemented method for controlling a network, the method comprising: obtaining device fingerprint data representing a first set of characteristics of a device connected to the network and an associated confidence score representative of a confidence in the first set of characteristics; obtaining a threshold confidence score representing a threshold confidence for the first set of characteristics; receiving a service advertisement message from the device, the service advertisement message including an indication of a second set of characteristics of the device; determining whether the first set of characteristics are inconsistent with the second set of characteristics; and performing a predetermined action in dependence on an outcome of the determining whether the first set of characteristics are inconsistent with the second set of characteristics and on a comparison of the confidence score with the threshold confidence score.
By configuring a network device to handle service advertisement messages based on both a determination of whether the advertising device is advertising characteristics that are inconsistent with the characteristics known by the network device, and a comparison of a confidence score with a threshold confidence score, the accuracy of identifying and protecting against fraudulent service advertisement messages may be increased. It is desirable to reject service advertisement messages from devices if they are advertising characteristics that are inconsistent with determined characteristics, as this is often exhibited when malicious devices are spoofing legitimate devices.
However, it has been found that by basing the actions additionally on a comparison of a confidence score, it is possible to mitigate the rejection of service advertisement messages from legitimate devices where the characteristics described in the fingerprint data are not accurate, or where there is low confidence in those characteristics.
The predetermined action may include: forwarding the service advertisement message into the network; or rejecting the service advertisement message to prevent the service advertisement message from being distributed in the network. In this way it is possible to protect other user devices from fraudulent or malicious service advertisement messages, while also allowing legitimate devices to advertise their services in the network.
Forwarding the service advertisement message into the network may be dependent on at least one of the following conditions being met: (i) the first set of characteristics are consistent with the second set of characteristics and the confidence score represented in the fingerprint data does not exceed the threshold confidence score; (ii) the first set of characteristics are consistent with the secon