Detecting anomaly action within a computer network
First Claim
1. A method for network monitoring, comprising:
- intercepting, in an anomaly detection module, data packets transmitted over a network;
- extracting from the intercepted data packets, first data packets, each of the first data packets including two or more identities in a manner indicative that the two or more identities represent a same entity, the first data packets including packets of a network address assignment protocol, packets of a network address advertisement and discovery protocol and packets of a network diagnosis and error reporting protocol;
- recording the two or more identities from the each of the first data packets, as identity associations in an association data structure forming associations between network addresses and strong identities;
- assigning confidence levels to the identity associations, responsive to respective protocols from which the identity associations were derived;
- when two or more of the identity associations conflict, choosing to record one of the conflicting identity associations in the association data structure responsive to the confidence levels of the conflicting identity associations;
- identifying in the intercepted data packets, by the anomaly detection module, second data packets transmitted over the network and containing network addresses of the second data packets;
- responsively to the network addresses of the second data packets and the identity associations in the association data structure, associating the second data packets with respective ones of the strong identities; and
- analyzing the second data packets in order to detect anomalous behavior and to attribute the anomalous behavior to the respective ones of the strong identities.
Abstract
A method for network monitoring includes intercepting, in an anomaly detection module, a first data packet transmitted over a network in accordance with a predefined protocol to or from an entity on the network. Both a network address that is assigned to the entity and a strong identity, which is incorporated in the first data packet in accordance with the predefined protocol, of the entity are extracted from the intercepted first data packet. An association is recorded between the network address and the strong identity. Second data packets transmitted over the network are intercepted, containing the network address. Responsively to the recorded association and the network address, the second data packets are associated with the strong identity. The associated second data packets are analyzed in order to detect anomalous behavior and to attribute the anomalous behavior to the entity.
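The following is an added worked example, not code from the patent or its assignee, of the procedure the first claim and the abstract describe: an association data structure keyed by network address, confidence levels assigned by the protocol class an association came from, conflict resolution by confidence, and attribution of later traffic (and of any anomaly found in it) to the strong identity rather than the address. It assumes DHCP, ARP and ICMP as concrete stand-ins for the claim's three protocol classes, treats the strong identity as an opaque hostname-like string, uses assumed confidence values (3, 2, 1), resolves a confidence tie in favour of the newer observation, and applies a deliberately simple fan-out rule as the "analyze" step; the packet stream is constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass

# Confidence by protocol class. The claim only says confidence depends on the
# protocol an association was derived from; the mapping of DHCP / ARP / ICMP onto
# the claim's three classes and these numeric values are assumptions.
CONFIDENCE = {"dhcp": 3, "arp": 2, "icmp": 1}


@dataclass
class Association:
    strong_id: str   # strong identity (assumed here to be a hostname-like string)
    protocol: str    # protocol class the association was derived from
    confidence: int


class AssociationTable:
    """Association data structure: network address -> strong identity."""

    def __init__(self):
        self.by_addr = {}

    def record(self, addr, strong_id, protocol):
        """Record an identity association. Returns True if the table now maps
        addr -> strong_id, False if a higher-confidence conflicting entry won."""
        cand = Association(strong_id, protocol, CONFIDENCE[protocol])
        cur = self.by_addr.get(addr)
        if cur is None or cur.strong_id == strong_id:
            # No conflict: keep whichever observation carries the higher confidence.
            if cur is None or cand.confidence >= cur.confidence:
                self.by_addr[addr] = cand
            return True
        # Conflict: two identities claim the same address. Keep the higher-confidence
        # association; a tie goes to the newer observation (assumed tie rule).
        if cand.confidence >= cur.confidence:
            self.by_addr[addr] = cand
            return True
        return False

    def lookup(self, addr):
        assoc = self.by_addr.get(addr)
        return assoc.strong_id if assoc else None


def is_first_packet(pkt):
    """First data packets: carry a network address together with a strong identity."""
    return pkt["proto"] in CONFIDENCE and "identity" in pkt


def detect_fanout(attributed, max_ports=3):
    """Toy analysis step: flag an identity that talks to more than max_ports distinct
    (destination, port) pairs. The alert names the strong identity, not the address."""
    targets = defaultdict(set)
    for ident, pkt in attributed:
        targets[ident].add((pkt["dst"], pkt["dport"]))
    return sorted(i for i, s in targets.items() if len(s) > max_ports)


def monitor(packets, max_ports=3):
    """Single pass in stream order, so an address reassignment takes effect for
    the traffic that follows it. Returns (table, attributed packets, alerts)."""
    table = AssociationTable()
    attributed = []
    for pkt in packets:
        if is_first_packet(pkt):
            table.record(pkt["addr"], pkt["identity"], pkt["proto"])
        else:
            ident = table.lookup(pkt["src"]) or "unknown:" + pkt["src"]
            attributed.append((ident, pkt))
    return table, attributed, detect_fanout(attributed, max_ports)


# Constructed sample stream: a DHCP lease, traffic, a conflicting lower-confidence
# ARP claim (ignored), a lease reassignment, and an address with no association.
SAMPLE_PACKETS = [
    {"proto": "dhcp", "addr": "10.0.0.5", "identity": "ws-alice"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 443},
    {"proto": "arp", "addr": "10.0.0.5", "identity": "ws-other"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.21", "dport": 22},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.22", "dport": 3389},
    {"proto": "dhcp", "addr": "10.0.0.5", "identity": "ws-bob"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 443},
    {"proto": "icmp", "addr": "10.0.0.7", "identity": "printer-1"},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.20", "dport": 80},
]

if __name__ == "__main__":
    table, attributed, alerts = monitor(SAMPLE_PACKETS)
    for ident, pkt in attributed:
        print(f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}  attributed to {ident}")
    print("alerts:", alerts)          # alerts: ['ws-alice']
```

Two details matter for a detection pipeline built this way: the table must be updated in stream order, because the fourth TCP packet from 10.0.0.5 belongs to ws-bob only after the DHCP reassignment is seen, and the lower-confidence ARP claim must lose to the existing DHCP-derived entry, otherwise an unauthenticated advertisement on the segment could redirect attribution of the whole address.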
32 Claims
1. A method for network monitoring, comprising: (text identical to the First Claim set out above) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 31)
20. Network monitoring apparatus, comprising:
- a sensor configured to intercept data packets transmitted over a network;
- a memory; and
- a processor, which is configured to extract from the intercepted data packets, first data packets, each of the first data packets including two or more identities in a manner indicative that the two or more identities represent a same entity, the first data packets including packets of a network address assignment protocol, packets of a network address advertisement and discovery protocol and packets of a network diagnosis and error reporting protocol,
  - to record the two or more identities from the each of the first data packets, as identity associations in an association data structure in the memory, wherein the identity associations associate between network addresses and strong identities,
  - to assign confidence levels to the identity associations, responsive to respective protocols from which the identity associations were derived,
  - when two or more of the identity associations conflict, to choose to record one of the conflicting identity associations in the association data structure in the memory responsive to the confidence levels of the conflicting identity associations,
  - to identify in the intercepted data packets, second data packets transmitted over the network and containing specific network addresses of the second data packets,
  - to associate the second data packets with respective ones of the strong identities responsively to the specific network addresses of the second data packets and the identity associations in the association data structure, and
  - to analyze the second data packets in order to detect anomalous behavior and to attribute the anomalous behavior to the respective ones of the strong identities.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30)

32. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, the instructions, when read by a computer, cause the computer
- to intercept data packets transmitted over a network,
- to extract from the intercepted data packets, first data packets including packets of a network address assignment protocol, packets of a network address advertisement and discovery protocol and packets of a network diagnosis and error reporting protocol, wherein each of the first data packets including two or more identities in a manner indicative that the two or more identities represent a same entity, and
- to record the two or more identities from the each of the first data packets, as identity associations in an association data structure forming associations between network addresses and strong identities,
- to assign confidence levels to the identity associations, responsive to respective protocols from which the identity associations were derived,
- when two or more of the identity associations conflict, to choose to record one of the conflicting identity associations responsive to the confidence levels of the conflicting identity associations,
- to identify in the intercepted data packets, second data packets transmitted over the network and containing network addresses of the second data packets,
- wherein the instructions further cause the computer to associate, responsively to the network addresses of the second data packets and the identity associations in the association data structure, the second data packets with respective ones of the strong identities, and
- to analyze the second data packets in order to detect anomalous behavior and to attribute the anomalous behavior to the respective ones of the strong identities.
Specification