Systems and methods for identifying anomalies in network data streams

US 20030097439A1
Filed: 11/06/2002
Published: 05/22/2003
Est. Priority Date: 10/23/2000
Status: Abandoned Application

First Claim

Patent Images

1. A method of identifying anomalous traffic in a communications network, comprising:

performing traffic analysis on network traffic to produce traffic analysis data;

removing data associated with expected traffic from the traffic analysis data; and

identifying remaining traffic analysis data as anomalous traffic.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A traffic auditor (130) analyzes traffic in a communications network (100). The traffic auditor (130) performs traffic analysis on traffic in the communications network (100) and develops a model of expected traffic behavior based on the traffic analysis. The traffic auditor (130) analyzes traffic in the communications network (100) to identify a deviation from the expected traffic behavior model.

360 Citations

44 Claims

1. A method of identifying anomalous traffic in a communications network, comprising:
- performing traffic analysis on network traffic to produce traffic analysis data;
  
  removing data associated with expected traffic from the traffic analysis data; and
  
  identifying remaining traffic analysis data as anomalous traffic.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - investigating the anomalous traffic.
  - 3. The method of claim 1, further comprising:
    - tracing the anomalous network traffic to a point of origin in the communications network.
  - 4. The method of claim 1, further comprising:
    - capturing one or more blocks of data of the anomalous traffic; and
      
      sending the one or more blocks of data to a traceback device for tracing the anomalous network traffic to a point of origin in the communications network.

5. A device for auditing network traffic, comprising:
- a memory configured to store instructions; and
  
  a processing unit configured to execute the instructions in memory to;
  
  conduct traffic analysis on the network traffic to produce traffic analysis data, identify expected network traffic, eliminate data associated with the expected traffic from the traffic analysis data, and identify remaining traffic analysis data as anomalous traffic.
- View Dependent Claims (6, 7, 8)
- - 6. The device of claim 5, the processing unit further configured to:
    - investigate the anomalous network traffic.
  - 7. The device of claim 5, the processing unit further configured to:
    - initiate tracing of the anomalous network traffic to a point of origin in the communications network.
  - 8. The device of claim 5, the processing unit further configured to:
    - capture one or more blocks of data of the anomalous traffic, and send the one or more blocks of data to a traceback device for tracing the anomalous network traffic to a point of origin in the communications network.

9. A computer-readable medium containing instructions for controlling at least one processor to perform a method of identifying anomalous traffic in a communications network, the method comprising:
- performing traffic analysis on network traffic to produce traffic analysis data;
  
  identifying expected network traffic;
  
  removing data associated with the expected traffic from the traffic analysis data; and
  
  identifying remaining traffic analysis data as anomalous traffic.
- View Dependent Claims (10, 11, 12)
- - 10. The computer-readable medium of claim 9, the method further comprising:
    - investigating the anomalous network traffic.
  - 11. The computer-readable medium of claim 9, the method further comprising:
    - tracing the anomalous network traffic to a point of origin in the communications network.
  - 12. The computer-readable medium of claim 9, the method further comprising:
    - capturing one or more blocks of data of the anomalous traffic; and
      
      sending the one or more blocks of data to a traceback device for tracing the anomalous network traffic to a point of origin in the communications network.

13. A method of analyzing traffic in a communications network, comprising:
- performing traffic analysis on traffic in the communications network;
  
  developing a model of expected traffic behavior based on the traffic analysis; and
  
  analyzing traffic in the communications network to identify a deviation from the expected traffic behavior model.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, further comprising:
    - investigating the deviation from the expected traffic behavior.
  - 15. The method of claim 14, further comprising:
    - reporting on results of the investigation.
  - 16. The method of claim 13, further comprising:
    - tracing traffic associated with the deviation to a point of origin in the communications network.

17. A device for analyzing traffic in a communications network, comprising:
- a memory configured to store instructions; and
  
  a processing unit configured to execute the instructions in memory to;
  
  conduct traffic analysis on traffic in the communications network;
  
  construct a model of expected traffic behavior based on the traffic analysis; and
  
  analyze traffic in the communications network to identify a deviation from the expected traffic behavior model.
- View Dependent Claims (18, 19, 20)
- - 18. The device of claim 17, the processing unit further configured to:
    - investigate the deviation from the expected traffic behavior.
  - 19. The device of claim 18, the processing unit further configured to:
    - report on results of the investigation.
  - 20. The device of claim 17, the processing unit further configured to:
    - initiate the tracing of traffic associated with the deviation to a point of origin in the communications network.

21. A computer-readable medium containing instructions for controlling at least one processor to perform a method for analyzing traffic in a communications network, the method comprising:
- conducting traffic analysis on traffic at one or more locations in the communications network;
  
  constructing a model of expected traffic behavior based on the traffic analysis; and
  
  analyzing traffic at the one or more locations in the communications network to identify a deviation from the expected traffic behavior model.
- View Dependent Claims (22, 23, 24)
- - 22. The computer-readable medium of claim 21, the method further comprising:
    - investigating the deviation from the expected traffic behavior.
  - 23. The computer-readable medium of claim 22, further comprising:
    - reporting on results of the investigation.
  - 24. The computer-readable of claim 21, the method further comprising:
    - tracing traffic associated with the deviation to a point of origin in the communications network.

25. A method of tracing suspicious traffic flows back to a point of origin in a network, comprising:
- performing traffic analysis on one or more flows of network traffic;
  
  identifying at least one of the one or more flows as a suspicious flow based on the traffic analysis; and
  
  tracing the suspicious flow to a point of origin in the network.
- View Dependent Claims (26, 27, 28)
- - 26. The method of claim 25, wherein tracing the suspicious flow to a point of origin comprises:
    - capturing at least one block of data associated with the suspicious flow; and
      
      forwarding the captured block of data to a traceback device for tracing the suspicious flow to the point of origin in the network.
  - 27. The method of claim 25, wherein performing traffic analysis comprises:
    - utilizing at least one of discrete time Fourier transform (DFT), one-dimensional spectral density (periodogram), Lomb periodogram, one-dimensional cepstrum, cross spectral density, coherence, cross-spectrum, time varying grams, model-based spectral, statistical, and fractal and wavelet based time-frequency techniques in analyzing the one or more flows of traffic.
  - 28. The method of claim 25, further comprising:
    - prohibiting traffic flows from the point of origin.

29. A traffic auditing device, comprising:
- a memory configured to store instructions; and
  
  a processing unit configured to execute the instructions in memory to;
  
  conduct traffic analysis on one or more flows of network traffic, identify at least one of the one or more flows as a suspicious flow based on the traffic analysis, and trace the suspicious flow to a point of origin in the network.
- View Dependent Claims (30, 31, 32)
- - 30. The device of claim 29, the processing unit further configured to:
    - capture at least one block of data associated with the suspicious flow; and
      
      initiate the sending of the captured data block to a traceback device for tracing the suspicious flow to the point of origin in the network.
  - 31. The device of claim 29, the processing unit further configured to:
    - utilize at least one of discrete time Fourier transform (DFT), one-dimensional spectral density (periodogram), Lomb periodogram, one-dimensional cepstrum, cross spectral density, coherence, cross-spectrum, time varying grams, model-based spectral, statistical, and fractal and wavelet based time-frequency techniques in conducting traffic analysis on the one or more flows of traffic.
  - 32. The device of claim 29, the processing unit further configured to:
    - prohibit traffic flows from the point of origin.

33. A computer-readable medium containing instructions for controlling at least one processor to perform a method of tracing suspicious traffic flows back to a point of origin in a network, the method comprising:
- conducting traffic analysis on one or more flows of network traffic;
  
  identifying at least one of the one or more flows as a suspicious flow based on the traffic analysis; and
  
  tracing the suspicious flow to a point of origin in the network.
- View Dependent Claims (34, 35, 36)
- - 34. The computer-readable medium of claim 33, wherein tracing the suspicious flow to a point of origin comprises:
    - capturing at least one block of data associated with the suspicious flow; and
      
      sending the captured block of data to a traceback device for tracing the suspicious flow to the point of origin in the network.
  - 35. The computer-readable medium of claim 33, wherein conducting traffic analysis comprises:
    - utilizing at least one of discrete time Fourier transform (DFT), one-dimensional spectral density (periodogram), Lomb periodogram, one-dimensional cepstrum, cross spectral density, coherence, cross-spectrum techniques, time varying grams, model-based spectral techniques, statistical techniques, and fractal and wavelet based time-frequency techniques in analyzing the one or more flows of traffic.
  - 36. The computer-readable medium of claim 33, the method further comprising:
    - prohibiting traffic flows from the point of origin.

37. A system for analyzing traffic in a communications network, comprising:
- means for performing traffic analysis on traffic in the communications network;
  
  means for developing a model of expected traffic behavior based on the traffic analysis; and
  
  means for analyzing traffic in the communications network to identify a deviation from the expected traffic behavior model.

38. A method of providing one or more authorizations to at least one of a source and destination of traffic in a communications network, comprising:
- performing traffic analysis on traffic between the source and destination to determine whether the traffic between the source and destination was intercepted or contaminated; and
  
  selectively issuing, based on results of the traffic analysis, one or more authorizations to the at least one of the source and destination, the one or more authorizations indicating that the traffic between the source and destination was not intercepted or contaminated.
- View Dependent Claims (39, 40, 41, 42)
- - 39. The method of claim 38, wherein, upon receipt of the one or more authorizations, the at least one of the source and destination uses selected data contained within the traffic.
  - 40. The method of claim 38, further comprising:
    - refraining from issuing, based on results of the traffic analysis, any authorizations to the at least one of the source and destination.
  - 41. The method of claim 40, wherein, upon not receiving any authorizations, the at least one of the source and destination does not use selected data contained within the traffic.
  - 42. The method of claim 38, wherein performing traffic analysis comprises:
    - utilizing at least one of discrete time Fourier transform (DFT), one-dimensional spectral density (periodogram), Lomb periodogram, one-dimensional cepstrum, cross spectral-density, coherence, cross-spectrum, time varying grams, model-based spectral, statistical, and fractal and wavelet based time-frequency techniques in analyzing the traffic between the source and destination.

43. A device for providing one or more authorizations to at least one of a source and destination of traffic in a communications network, comprising:
- a memory configured to store instructions; and
  
  a processing unit configured to execute the instructions in memory to;
  
  perform traffic analysis on traffic between the source and destination to determine whether the traffic between the source and destination was intercepted or contaminated, and selectively issue, based on results of the traffic analysis, one or more authorizations to the at least one of the source and destination, the one or more authorizations indicating that the traffic between the source and destination was not intercepted or contaminated.

44. A computer-readable medium containing instructions for controlling at least one processor to perform a method of providing one or more authorizations to at least one of a source and destination of traffic in a communications network, the method comprising:
- performing traffic analysis on traffic between the source and destination to determine whether the traffic between the source and destination was intercepted or contaminated; and
  
  selectively issuing, based on results of the traffic analysis, one or more authorizations to the at least one of the source and destination, the one or more authorizations indicating that the traffic between the source and destination was not intercepted or contaminated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BBN Technologies (Rtx Corporation)
Original Assignee
BBN Technologies (Rtx Corporation)
Inventors
Partridge, Craig, Strayer, William Timothy, Weixel, James K.

Application Number

US10/289,247
Publication Number

US 20030097439A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 51/234 for tracking messages

H04L 63/1408 by monitoring network traff...

Systems and methods for identifying anomalies in network data streams

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

360 Citations

44 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for identifying anomalies in network data streams

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

360 Citations

44 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others