US 11,936,748 B1
Continuous scanning engine with automatic protocol detection
Jeff Cody, Huntertown, IN (US); David Adrian, Denver, CO (US); J. Alex Halderman, Ann Arbor, MI (US); and Paul A. Parkanzky, Ann Arbor, MI (US)
Assigned to Censys, Inc., Ann Arbor, MI (US)
Filed by Censys, Inc., Ann Arbor, MI (US)
Filed on Oct. 29, 2021, as Appl. No. 17/515,121.
Int. Cl. H04L 67/51 (2022.01); H04L 43/18 (2022.01); H04L 69/12 (2022.01)
CPC H04L 67/51 (2022.05) [H04L 43/18 (2013.01); H04L 69/12 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system, comprising:
one or more computers with one or more processors and associated memory configured to implement a continuous scanning engine with automatic protocol detection, wherein the continuous scanning engine comprises one or more discovery components and one or more protocol inspection components, wherein the one or more discovery components are configured to perform a transport-layer scan process comprising:
send initial packets to a plurality of ports at a plurality of network addresses of a network;
receive responses to at least some of the initial packets;
asynchronously match the received responses to the sent initial packets;
determine that at least some of the ports at at least some of the network addresses corresponding to the matched received responses require further analysis; and
provide information comprising the at least some ports and the at least some network addresses to the one or more protocol inspection components;
wherein, based at least in part on the transport-layer scan process completing, the one or more discovery components are configured to perform the transport-layer scan process again; and
wherein the one or more protocol inspection components are configured to:
attempt to communicate with the at least some ports of the at least some network addresses using a plurality of different application-layer communication protocols;
determine that at least one of the attempted application-layer communication protocols resulted in a successful communication with a service executing on at least one port of at least one network address and the successful communication elicited information about the service from the service;
store an inspection record in a database, wherein the inspection record indicates the at least one port, the at least one network address, the at least one attempted application-layer communication protocol that resulted in the successful communication, and the information elicited from the service; and
periodically perform a refresh of the inspection record, wherein the refresh includes to attempt another communication with the at least one port using the application-layer communication protocol indicated in the record to determine whether the service is still present on the at least one port and the information elicited from the service has changed.
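To make the protocol-inspection half of this claim concrete, the following added example (not Censys's code, and not from the patent) models the inspection record lifecycle: a port is probed with several application-layer protocols, a record is stored for the one that elicits service information, and a later refresh re-probes with only that protocol to classify the service as unchanged, changed, or gone. The discovery component and all network I/O are replaced by a constructed in-memory table using RFC 5737 documentation addresses, so nothing is sent on the wire.

```python
from dataclasses import dataclass

# Constructed in-memory stand-in for the scanned network (no packets are sent):
# (address, port) -> (protocol the service speaks, information it reveals).
FLEET = {
    ("192.0.2.10", 22): ("ssh", "SSH-2.0-OpenSSH_8.9"),
    ("192.0.2.10", 8443): ("https", "nginx"),
    ("192.0.2.11", 2222): ("ssh", "SSH-2.0-dropbear"),
}

def set_service(addr, port, protocol=None, info=None):
    """Simulate the network changing between scans; protocol=None removes it."""
    if protocol is None:
        FLEET.pop((addr, port), None)
    else:
        FLEET[(addr, port)] = (protocol, info)

def make_probe(protocol):
    """Each probe speaks one application-layer protocol; returns info or None."""
    def probe(addr, port):
        speaks, info = FLEET.get((addr, port), (None, None))
        return info if speaks == protocol else None
    return probe

# Hypothetical protocol set, tried in this order; the claim's engine tries many.
PROTOCOLS = {name: make_probe(name) for name in ("http", "https", "ssh")}

@dataclass
class InspectionRecord:
    address: str
    port: int
    protocol: str   # protocol that produced the successful communication
    info: str       # information elicited from the service

def inspect(addr, port):
    """Protocol detection: try every protocol, record the first that succeeds."""
    for name, probe in PROTOCOLS.items():
        info = probe(addr, port)
        if info is not None:
            return InspectionRecord(addr, port, name, info)
    return None

def refresh(record):
    """Re-probe with only the recorded protocol; classify what changed."""
    info = PROTOCOLS[record.protocol](record.address, record.port)
    if info is None:
        return "gone"
    changed = info != record.info
    record.info = info
    return "changed" if changed else "unchanged"
```

A real engine would schedule `refresh` on a timer per record and write the result back to its database; the "gone" outcome is what lets stale records age out instead of being re-detected from scratch.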