Network surveillance
Abstract
A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.
88 Claims
1. A method of network surveillance, comprising:
monitoring an event stream derived from network packets;
building a long-term and multiple short-term statistical profiles from at least one measure of said event stream;
comparing one of the multiple short-term statistical profiles with the long-term statistical profile; and
determining whether the difference between the one of the multiple short-term statistical profiles and the long-term statistical profile indicates suspicious network activity.
Dependent claims: 2-11.
12. A method of network surveillance, comprising:
receiving network packets handled by a network entity;
partitioning the received network packets into sessions representing a communication transaction between two hosts;
building at least one short-term and at least one long-term statistical profile from at least one measure of the network packets;
comparing at least one long-term and at least one short-term statistical profile; and
determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
Dependent claims: 13-26.
27. A method of network surveillance, comprising:
monitoring network packets handled by a network entity;
building at least one long-term profile and at least one short-term statistical profile from at least one measure of the network packets, wherein said building step accounts for timing of said network packets being received by the network entity;
comparing said at least one short-term statistical profile with said at least one long-term statistical profile; and
determining whether the difference between said at least one short-term statistical profile and said at least one long-term statistical profile indicates suspicious network activity.
Dependent claims: 28-38.
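The following Python is an added worked example of the profile-comparison structure that the abstract and claims 1, 12 and 27 describe: one slowly adapting long-term profile and several faster short-term profiles per measure (here bytes transferred per session and connection errors), decay that accounts for the wall-clock timing of arrivals, and an alarm when a short-term profile departs from the long-term one. It is not code from the patent or its assignee; the half-lives, the 3-sigma threshold, the warm-up length, the winsorizing of baseline training data, the rule that flagged events do not train the baseline, and the constructed session records are all assumptions of this example.

```python
"""Added example: long-term vs. multiple short-term statistical profiles.

Hypothetical illustration of the claim structure; not the patent's own code.
"""
import math
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Profile:
    """Time-decayed running mean and variance of one measure (an EWMA pair)."""
    half_life: float                 # seconds after which an observation's weight has halved
    mean: float = 0.0
    var: float = 0.0
    weight: float = 0.0              # decayed count of observations folded in so far
    last_t: Optional[float] = None

    def update(self, t: float, x: float) -> None:
        # Decay by elapsed wall-clock time rather than by event count, so the
        # profile reflects when packets arrived, not only how many (claim 27).
        if self.last_t is not None and t > self.last_t:
            self.weight *= 0.5 ** ((t - self.last_t) / self.half_life)
        self.last_t = t
        self.weight += 1.0
        alpha = 1.0 / self.weight
        delta = x - self.mean
        self.mean += alpha * delta
        self.var = (1.0 - alpha) * (self.var + alpha * delta * delta)

    def sd(self, floor: float) -> float:
        return max(math.sqrt(self.var), floor)


@dataclass
class Measure:
    name: str
    extract: Callable[[dict], float]  # maps one session/event record to a number
    sd_floor: float                   # keeps z finite when the baseline is nearly constant
    clip: bool                        # winsorize before training the long-term baseline


@dataclass
class Alert:
    t: float
    measure: str
    window: float                     # half-life of the short-term profile that fired
    z: float


class SurveillanceMonitor:
    """One long-term profile and several short-term profiles per measure (assumed design)."""

    def __init__(self, measures, long_half_life=3600.0, short_half_lives=(30.0, 300.0),
                 threshold=3.0, min_long_weight=100.0, clip_sd=4.0):
        self.measures = measures
        self.threshold = threshold
        self.min_long_weight = min_long_weight
        self.clip_sd = clip_sd
        self.long = {m.name: Profile(long_half_life) for m in measures}
        self.short = {m.name: [Profile(h) for h in short_half_lives] for m in measures}

    def observe(self, event: dict) -> list:
        t = event["t"]
        alerts = []
        for m in self.measures:
            x = m.extract(event)
            lp = self.long[m.name]
            sd = lp.sd(m.sd_floor)
            for sp in self.short[m.name]:
                sp.update(t, x)
                if lp.weight < self.min_long_weight:
                    continue          # baseline not yet established
                z = abs(sp.mean - lp.mean) / sd
                if z >= self.threshold:
                    alerts.append(Alert(t, m.name, sp.half_life, round(z, 2)))
        if alerts:
            return alerts             # flagged traffic must not train the baseline
        for m in self.measures:
            x = m.extract(event)
            lp = self.long[m.name]
            if m.clip and lp.weight >= self.min_long_weight:
                # Winsorize so one large value cannot inflate the long-term variance
                bound = self.clip_sd * lp.sd(m.sd_floor)
                x = min(max(x, lp.mean - bound), lp.mean + bound)
            lp.update(t, x)
        return alerts


MEASURES = [
    Measure("bytes", lambda e: float(e["bytes"]), sd_floor=25.0, clip=True),
    Measure("error_rate", lambda e: 1.0 if e["error"] else 0.0, sd_floor=0.05, clip=False),
]


def build_sample_stream() -> list:
    """Constructed session records: 600 s of normal traffic, then 90 refused connections."""
    stream = []
    for t in range(600):
        stream.append({"t": float(t), "dst_port": 80,
                       "bytes": 1400 + 20 * (t % 7),        # 1400..1520, mean 1460
                       "error": t % 50 == 49})               # 2 % connection errors
    for t in range(600, 690):                                # one refused session per second
        stream.append({"t": float(t), "dst_port": 1000 + t, "bytes": 0, "error": True})
    return stream


def run(stream) -> list:
    monitor = SurveillanceMonitor(MEASURES)
    alerts = []
    for event in stream:
        alerts.extend(monitor.observe(event))
    return alerts


if __name__ == "__main__":
    for a in run(build_sample_stream())[:5]:
        print(a)
```

On the constructed stream the 30-second bytes profile fires a few seconds into the burst, the 300-second profile follows later, and the error-rate profile fires once its short-term mean has moved far enough from the roughly 2 % baseline; the dependence on window length is the reason for keeping several short-term profiles. Two design choices matter more than the constants: events that trigger an alarm are withheld from the long-term profile, and continuous measures are winsorized before training it, because otherwise a single burst inflates the baseline variance enough to hide itself.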
39. A method of network surveillance, comprising:
receiving a plurality of packets at a virtual private network entity; and
building at least one statistical profile from at least one measure of said plurality of packets, and analyzing said at least one statistical profile to detect suspicious network activity.
Dependent claims: 40-48.
49. A method of network surveillance, comprising:
receiving a plurality of packets at a network entity, wherein said network entity comprises a gateway; and
building at least one statistical profile from at least one measure of said plurality of packets, and analyzing said at least one statistical profile to detect suspicious network activity.
Dependent claims: 50-58.
59. A method of network surveillance, comprising:
receiving a plurality of packets at a network entity, wherein said network entity comprises a router; and
building at least one statistical profile from at least one measure of said plurality of packets, and analyzing said at least one statistical profile to detect suspicious network activity.
Dependent claims: 60-68.
69. A method of network surveillance, comprising:
receiving a plurality of packets at a network entity, wherein said network entity comprises a proxy server; and
building at least one statistical profile from at least one measure of said plurality of packets, and analyzing said at least one statistical profile to detect suspicious network activity.
Dependent claims: 70-78.
79. A method of network surveillance, comprising:
receiving a plurality of packets at a network entity, wherein said network entity comprises a firewall; and
building at least one statistical profile from at least one measure of said plurality of packets, and analyzing said at least one statistical profile to detect suspicious network activity.
Dependent claims: 80-88.