Access chain tracing system, network system, and storage medium

US 20010014093A1
Filed: 01/26/2001
Published: 08/16/2001
Est. Priority Date: 02/02/2000
Status: Active Grant

First Claim

Patent Images

1. For a system wherein a packet is transmitted across a network along an access chain constituted by a plurality of connections, an access chain tracing method comprising the steps of:

comparing the size of the data in a packet at the time a first connection is made with the size of the data in a said packet at the time a second connection is made; and

employing the comparison result to determine whether said first connection and said second connection are to be included in the same chain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Log data for a packet that is exchanged across a network are recorded in a log box. At this time, the data size of the packet and the detection time are recorded. When an illegal access has occurred at a target computer, the tracing of an access chain is performed on the log information. The tracing of the access chain is performed as follows. A change in the size of the data in a packet in accordance with the time of the first connection, and a change in the size of the data in a packet in accordance with the time of the second connection are calculated using the log data, and then the shapes of the graphs formed by these packet series are compared. When the shapes of the graphs are similar, it is ascertained that the pertinent connections are included in the same chain.

Citations

16 Claims

1. For a system wherein a packet is transmitted across a network along an access chain constituted by a plurality of connections, an access chain tracing method comprising the steps of:
- comparing the size of the data in a packet at the time a first connection is made with the size of the data in a said packet at the time a second connection is made; and
  
  employing the comparison result to determine whether said first connection and said second connection are to be included in the same chain.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The access chain tracing method according to claim 1, wherein said comparison step includes a step of calculating a difference between a first series, which is specified based on said data size and a detection time of said packet at said first connection, and a second series, which is specified based on said data size and a detection time of said packet at said second connection;
    - and wherein, at said determination step, said difference is employed to determine said first and said second connections are to be included in the same chain.
  - 3. The access chain tracing method according to claim 1, further comprising steps of:
    - receiving first packet data that includes said data size and said detection time of said packet at said first connection;
      
      searching comparison packet data based on said detection time included in said first packet data that are received; and
      
      selecting a packet at said second connection based on the search results obtained at said search step.
  - 4. The access chain tracing method according to claim 1, wherein said detection time is specified by a time stamp included in packet data, and said data size is specified by a sequence number.
  - 5. The access chain tracing method according to claim 1, wherein said comparison step includes a step of sequentially comparing said first series with a plurality of segments of said second series that are formed by shifting the first term.

6. An access chain tracing method comprising the steps of:
- recording first packet data that include the size of the data in a packet at a first connection and a detection time for said packet;
  
  recording second packet data that include the size of the data in said packet at a second connection and a detection time for said packet;
  
  transmitting said first packet data that are recorded;
  
  receiving said first packet data;
  
  comparing said first packet data with said second packet data to determine what change there was in the size of the data in said packet at the time of said first connection and in the size of the data in said packet at the time of said second connection;
  
  employing the comparison result obtained at said comparison step to determine whether said first connection and said second connection are included in the same chain; and
  
  transmitting the determination result obtained at said determination step.

7. A computer-readable storage medium on which a program is stored to permit a computer to perform the method for an access chain tracing method comprising the steps of:
- comparing the size of the data in a packet at the time a first connection is made with the size of the data in a said packet at the time a second connection is made; and
  
  employing the comparison result to determine whether said first connection and said second connection are to be included in the same chain.

8. For a system wherein a packet is transmitted across a network along an access chain constituted by a plurality of connections, an access chain tracing system comprising:
- a comparator for comparing the size of the data in a packet at the time of a first connection with the size of the data in said packet at the time of a second connection; and
  
  a determiner for employing the comparison result obtained by said comparator to determine whether said first connection and said second connection are included in the same chain.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The access chain tracing system according to claim 8, wherein said comparator calculates a difference between a first series, which is specified based on said data size and a detection time of said packet at said first connection, and a second series, which is specified based on said data size and a detection time of said packet at said second connection;
    - and determiner employs said difference to determine said first and said second connections are to be included in the same chain.
  - 10. The access chain tracing system according to claim 8, further comprising:
    - a receiver for receiving first packet data that includes said data size and said detection time of said packet at said first connection;
      
      a transmitter for transmitting the results obtained by said determiner.
  - 11. The access chain tracing system according to claim 10, further comprising:
    - a searching unit for searching comparison packet data based on said detection time included in said first packet data that are received; and
      
      a selector for selecting a packet at said second connection based on the search results obtained at said searching unit.
  - 12. The access chain tracing system according to claim 8, wherein said detection time is specified by a time stamp included in packet data, and said data size is specified by a sequence number.
  - 13. The access chain tracing system according to claim 8, wherein said comparator sequentially compares said first series with a plurality of segments of said second series that are formed by shifting the first term.

14. For a system wherein a packet is transmitted across a network along an access chain constituted by a plurality of connections, an access chain tracing system comprising:
- a recording unit for recording packet data that include information concerning packet size and detection time;
  
  a transmitter for transmitting said packet data to a different site for a determination to be made; and
  
  a receiver for receiving the determination result from said different site.

15. A network system comprising:
- a first collection device for collecting first packet data that include the size of data in packet and a detection time, and for transmitting said first packet data;
  
  a second collection device for collecting second packet data that include the size of data in said packet and a detection time; and
  
  a calculation system for comparing said first packet data with said second packet data to determine what change there was in the size of the data in said packet at the time of a first connection and in the size of the data in said packet at the time of a second connection, and for employing the comparison result to determine whether said first connection and said second connection are included in the same chain.
- View Dependent Claims (16)
- - 16. The network system according to claim 15, wherein said calculation system calculates a difference between a first series, which is specified based on said data size and a detection time of said packet at said first connection, and a second series, which is specified based on said data size and a detection time of said packet at said second connection, and employs said difference to determine said first and said second connections are to be included in the same chain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Yoda, Kunikazu, Etoh, Hiroaki

Granted Patent

US 7,127,510 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 43/00   Arrangements for monitoring...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Access chain tracing system, network system, and storage medium

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Access chain tracing system, network system, and storage medium

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links