Method and apparatus for facilitating detection of network intrusion
First Claim
1. A method of deriving a threat metric that characterizes a threat potential for a specific session in a packet network, the method comprising:
    accumulating historical data corresponding to at least some of a plurality of traffic parameters;
    measuring the plurality of traffic parameters for the specific session;
    producing a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;
    producing, at least in part by scaling summary parameters using the historical data, a plurality of component metrics defining a point corresponding to the specific session in a multi-dimensional space containing a distribution of points corresponding to current sessions; and
    determining a distance of the point from a centroid of the distribution to produce the threat metric.
Abstract
System for facilitating detection of network intrusion. Through continuous accumulation of network traffic parameter information, data for a particular session is reduced to a single metric that represents the threat potential of the session as compared to normal network traffic. An analysis station accumulates and maintains the historical data and defines a point for each specific session within a distribution. The dimensions in the distribution space take into account various network traffic parameters useful in identifying an attack. The distance between a session's point and the centroid of the distribution represents the threat metric. The analysis station can display the threat metric as a point or points on a display. The intensity of the point is an indication of the threat potential. The easy-to-read display calls anomalous traffic to the attention of an operator and facilitates discrimination among ambiguous cases.
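The abstract and the independent claims describe one computation: scale each session's summary parameters against accumulated historical data, treat the scaled values as coordinates of a point, take the centroid of all current sessions' points, and use the distance from that centroid as the threat metric, which the analysis station then renders as point intensity. The Python below is an added illustration of that computation and is not code from the patent or its assignee. Everything specific in it is an assumption: the four traffic parameters, a running mean and standard deviation as the "historical data", z-scoring as the "scaling", Euclidean distance, and all session values, which are constructed.

```python
"""Worked example of the claimed threat metric (added illustration, not the patent's code).
Assumptions not taken from the page: the traffic parameters, a running mean/standard
deviation as the "historical data", z-scoring as the "scaling", and Euclidean distance.
All session data below is constructed."""
import math
from dataclasses import dataclass, field

# Hypothetical traffic parameters a monitoring agent might measure per session.
PARAMS = ("pkts_per_s", "bytes_per_s", "dst_ports", "syn_ratio")


@dataclass
class History:
    """Historical data: running mean and variance per parameter (Welford's method)."""
    n: int = 0
    mean: dict = field(default_factory=lambda: {p: 0.0 for p in PARAMS})
    m2: dict = field(default_factory=lambda: {p: 0.0 for p in PARAMS})

    def update(self, summary: dict) -> None:
        self.n += 1
        for p in PARAMS:
            delta = summary[p] - self.mean[p]
            self.mean[p] += delta / self.n
            self.m2[p] += delta * (summary[p] - self.mean[p])

    def std(self, p: str) -> float:
        # A parameter that never varied historically must not divide by zero.
        if self.n < 2 or self.m2[p] == 0.0:
            return 1.0
        return math.sqrt(self.m2[p] / (self.n - 1))


def component_metrics(summary: dict, hist: History) -> tuple:
    """Scale each summary parameter by the historical data (z-score): the session's point."""
    return tuple((summary[p] - hist.mean[p]) / hist.std(p) for p in PARAMS)


def centroid(points: list) -> tuple:
    """Centroid of the distribution of current sessions' points."""
    return tuple(sum(pt[i] for pt in points) / len(points) for i in range(len(PARAMS)))


def threat_metrics(sessions: dict, hist: History) -> dict:
    """sessions maps a network address to that session's summary parameters.
    Returns each session's distance from the centroid of all current points."""
    points = {addr: component_metrics(s, hist) for addr, s in sessions.items()}
    c = centroid(list(points.values()))
    return {addr: math.dist(pt, c) for addr, pt in points.items()}


def display_intensity(metrics: dict) -> dict:
    """Map each distance onto a 0..255 display intensity; the farthest session is brightest."""
    top = max(metrics.values()) or 1.0
    return {addr: round(255 * d / top) for addr, d in metrics.items()}


# --- constructed data ---------------------------------------------------------
BASELINE = [  # six ordinary sessions used to seed the historical data
    dict(zip(PARAMS, v)) for v in
    [(10, 8000, 1, 0.10), (12, 9000, 2, 0.12), (9, 7000, 1, 0.08),
     (11, 8500, 1, 0.10), (10, 7500, 2, 0.11), (8, 8000, 1, 0.09)]
]
SCAN_LIKE = dict(zip(PARAMS, (200, 12000, 500, 0.95)))  # constructed anomalous session


def demo() -> dict:
    hist = History()
    for s in BASELINE:
        hist.update(s)
    # Current sessions: the ordinary profile twice over, plus one anomalous session.
    current = {f"10.0.0.{i + 1}": s for i, s in enumerate(BASELINE * 2)}
    current["10.0.0.99"] = SCAN_LIKE
    return threat_metrics(current, hist)


if __name__ == "__main__":
    metrics = demo()
    ranked = sorted(display_intensity(metrics).items(), key=lambda kv: -kv[1])
    for addr, level in ranked:
        print(f"{addr:>12}  threat={metrics[addr]:8.2f}  intensity={level:3d}")
```

Two points the example makes visible that the claims only imply. First, because the centroid is taken over current sessions rather than the historical baseline, a single extreme session pulls the centroid toward itself and lifts every ordinary session's distance by roughly the same amount; the ranking survives, but absolute thresholds on the metric are unreliable when few sessions are active. Second, a parameter with zero historical variance would otherwise make the scaling divide by zero, so the scaling step needs a floor such as the one in `History.std`.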
70 Claims
1. A method of deriving a threat metric that characterizes a threat potential for a specific session in a packet network, the method comprising:
    accumulating historical data corresponding to at least some of a plurality of traffic parameters;
    measuring the plurality of traffic parameters for the specific session;
    producing a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;
    producing, at least in part by scaling summary parameters using the historical data, a plurality of component metrics defining a point corresponding to the specific session in a multi-dimensional space containing a distribution of points corresponding to current sessions; and
    determining a distance of the point from a centroid of the distribution to produce the threat metric.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A system for deriving a threat metric that characterizes a threat potential for a specific session in a packet network, the system comprising:
    means for measuring a plurality of traffic parameters;
    means for accumulating historical data corresponding to at least some of the plurality of traffic parameters;
    means for producing a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;
    means for producing a plurality of component metrics defining a point corresponding to the specific session in a multi-dimensional space containing a distribution of points corresponding to current sessions; and
    means for determining a distance of the point from a centroid of the distribution to produce the threat metric.
Dependent claims: 13

14. A method of establishing and displaying a threat potential for each of a plurality of current sessions in a packet network, the method comprising:
    accumulating historical data corresponding to at least some of a plurality of traffic parameters;
    receiving, for each specific session of the plurality of current sessions, a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;
    producing, at least in part by scaling summary parameters using the historical data, a plurality of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions;
    determining, for each specific session, a distance of the point for the specific session from a centroid of the distribution; and
    displaying an indication of the distance for each specific session in connection with a network address associated with the specific session as an indication of the threat potential.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23

24. A computer program product including a computer program for enabling the display of a threat potential for each of a plurality of current sessions in a packet network, the computer program comprising:
    instructions for accumulating historical data corresponding to at least some of a plurality of traffic parameters;
    instructions for receiving, for each specific session of the plurality of current sessions, a plurality of summary parameters characterizing the plurality of traffic parameters for the specific session;
    instructions for producing, at least in part by scaling summary parameters using the historical data, a plurality of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions;
    instructions for determining, for each specific session, a distance of the point for the specific session from a centroid of the distribution; and
    instructions for displaying an indication of the distance for each specific session in connection with a network address associated with the specific session as an indication of the threat potential.
Dependent claims: 25, 26, 27, 28, 29

30. An instruction execution system operable as an analysis station for displaying a threat potential for each of a plurality of current sessions in a packet network, the instruction execution system comprising:
    a network interface operable to receive, for each specific session of the plurality of current sessions, a plurality of summary parameters characterizing a plurality of traffic parameters for the specific session;
    a processing system operatively connected to the network interface, the processing system operable to accumulate historical data corresponding to at least some of the plurality of traffic parameters, and to produce, at least in part by scaling summary parameters, a plurality of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions, and to determine a distance of the point for the specific session from a centroid of the distribution; and
    a display operably connected to the processing system, the display further being operable under the control of the processing system to display an indication of the distance for each specific session in connection with a network address associated with the specific session as an indication of the threat potential.
Dependent claims: 31, 32, 33, 34, 35

36. A method of monitoring traffic in a packet network to facilitate the characterization of a threat potential for each of a plurality of current sessions, the method comprising:
    measuring a plurality of traffic parameters for each specific session in the plurality of current sessions;
    producing a plurality of summary parameters characterizing the plurality of traffic parameters, the plurality of summary parameters being calculated to enable the determination of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions, wherein a distance for the point from a centroid of the distribution characterizes the threat potential; and
    sending the plurality of summary parameters to an analysis station over the packet network.
Dependent claims: 37, 38, 39, 40, 41, 42, 43

44. An instruction execution system operable as a monitoring agent for facilitating the characterization of a threat potential for each of a plurality of current sessions in a packet network, the instruction execution system comprising:
    a first network interface operable to capture packets associated with the plurality of current sessions;
    a processing system operatively connected to the first network interface, the processing system operable to control the instruction execution system to measure, based on captured packets, a plurality of traffic parameters for each specific session in the plurality of current sessions and to produce a plurality of summary parameters characterizing the plurality of traffic parameters, the plurality of summary parameters being calculated to enable the determination of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions, wherein a distance for the point from a centroid of the distribution characterizes the threat potential; and
    a second network interface operatively connected to the processing system and operable to forward the plurality of summary parameters to an analysis station.
Dependent claims: 45, 46, 47, 48, 49, 50, 51

52. A computer program product including a monitoring agent program for monitoring traffic in a packet network to facilitate the characterization of a threat potential for each of a plurality of current sessions, the monitoring agent program comprising:
    instructions for measuring a plurality of traffic parameters for each specific session in the plurality of current sessions;
    instructions for producing a plurality of summary parameters characterizing the plurality of traffic parameters, the plurality of summary parameters being calculated to enable the determination of component metrics defining a point for each specific session in a multi-dimensional space containing a distribution of points corresponding to the current sessions; and
    instructions for sending the plurality of summary parameters to an analysis station over the packet network.
Dependent claims: 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70

Specification