Inter-arrival time intrusion-detection technique to provide enhanced cybersecurity
Abstract
The disclosed embodiments relate to a system that performs an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system. During operation, the system determines arrival times for incoming packets at a node in the networked computer system. Next, the system determines inter-arrival times between the incoming packets from the arrival times. The system then determines a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times. Finally, upon detecting a change in a slope of the MCF, the system generates an alarm to indicate that a malicious remote user may be generating some of the incoming packets.
20 Claims
1. A method for performing an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system, comprising:

- determining arrival times for incoming packets at a node in the networked computer system;
- determining inter-arrival times between the incoming packets from the arrival times;
- determining a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times;
- monitoring a piecewise continuous digitized inter-arrival time MCF fingerprinting for all authenticated users;
- in response to detecting a change in a slope of the MCF, generating an alarm to indicate that a malicious remote user is generating some of the incoming packets; and
- wherein generating the alarm additionally comprises terminating the traffic of the malicious remote user.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for performing an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system, the method comprising:

- determining arrival times for incoming packets at a node in the networked computer system;
- determining inter-arrival times between the incoming packets from the arrival times;
- determining a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times;
- monitoring a piecewise continuous digitized inter-arrival time MCF fingerprinting for all authenticated users;
- in response to detecting a change in a slope of the MCF, generating an alarm to indicate that a malicious remote user is generating some of the incoming packets; and
- wherein generating the alarm additionally comprises terminating the traffic of the malicious remote user.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A system that performs an intrusion-detection technique to differentiate between packets received from malicious remote users and legitimate local users in a networked computer system, comprising:

an intrusion-detection mechanism that operates in the networked computer system; wherein during operation, the intrusion-detection mechanism:

- determines arrival times for incoming packets at a node in the networked computer system;
- determines inter-arrival times between the incoming packets from the arrival times;
- determines a mean cumulative function (MCF) for the inter-arrival times by computing a cumulative sum of the inter-arrival times;
- monitors a piecewise continuous digitized inter-arrival time MCF fingerprinting for all authenticated users;
- in response to detecting a change in a slope of the MCF, generates an alarm to indicate that a malicious remote user is generating some of the incoming packets; and
- wherein generating the alarm additionally comprises terminating the traffic of the malicious remote user.

Dependent claims: 18, 19, 20.
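The detection steps the abstract and independent claims describe (arrival times, inter-arrival times, cumulative-sum MCF, one fingerprint per authenticated user, alarm on a slope change), written out as an added example; this is not the patent's own code. The baseline length, window length and slope ratio are assumed parameters, and the timestamps are constructed.

```python
# Added example (not the patent's code): MCF slope-change detector for packet IATs.
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

def inter_arrival_times(arrivals: List[float]) -> List[float]:
    """Inter-arrival times (seconds) between consecutive packet arrival timestamps."""
    return [later - earlier for earlier, later in zip(arrivals, arrivals[1:])]

def mean_cumulative_function(iats: List[float]) -> List[float]:
    """MCF as the claims define it: the running cumulative sum of inter-arrival times."""
    mcf, total = [], 0.0
    for iat in iats:
        total += iat
        mcf.append(total)
    return mcf

def detect_slope_change(arrivals: List[float], baseline: int = 20,
                        window: int = 10, ratio: float = 2.0) -> Optional[int]:
    """Index of the packet whose arrival makes the MCF slope over the last `window`
    gaps differ from the baseline slope by more than `ratio` (faster or slower);
    None if the slope stays in bounds. baseline/window/ratio are assumed values."""
    mcf = mean_cumulative_function(inter_arrival_times(arrivals))
    if len(mcf) < baseline + window:
        return None  # not enough history to fingerprint this user yet
    base_slope = mcf[baseline - 1] / baseline  # mean IAT of the first `baseline` gaps
    for end in range(baseline + window, len(mcf) + 1):
        start = end - window
        slope = (mcf[end - 1] - mcf[start - 1]) / window  # MCF rise per packet
        if slope > base_slope * ratio or slope < base_slope / ratio:
            return end  # mcf[end - 1] is the gap that ends at arrivals[end]
    return None

def alarms_per_user(packets: List[Tuple[str, float]]) -> Dict[str, int]:
    """One MCF fingerprint per authenticated user, as the claim's monitoring step
    describes; returns {user: packet index at which the alarm fired}."""
    streams: Dict[str, List[float]] = defaultdict(list)
    for user, ts in packets:
        streams[user].append(ts)
    found = {u: detect_slope_change(a) for u, a in streams.items()}
    return {u: idx for u, idx in found.items() if idx is not None}

# Constructed sample: 'alice' sends a packet every 0.5 s; after her 30th packet a
# remote sender injects packets on her session every 0.05 s, flattening the MCF.
STEADY = [0.5 * i for i in range(50)]
INJECTED = [0.5 * i for i in range(30)] + [14.5 + 0.05 * k for k in range(1, 21)]
SAMPLE = [("alice", t) for t in INJECTED] + [("bob", t) for t in STEADY]

if __name__ == "__main__":
    print(alarms_per_user(SAMPLE))  # {'alice': 35}
```

The alarm fires five packets after the injected traffic begins; a shorter window shortens that lag at the cost of more false alarms from ordinary jitter.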