Network traffic monitoring

US 20040047356A1
Filed: 09/06/2002
Published: 03/11/2004
Est. Priority Date: 09/06/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for a first device to process receiving network packets comprising:

tracking a rate at which network packets are received from a second device violating a validity metric, the validity metric including whether received network packets are addressed to a valid destination address;

determining a problem exists with the second device based at least in part on whether the rate exceeds a threshold; and

performing an action responsive to determining the problem.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediary network device, such as a router or other device through which network traffic passes or which may monitor passing network traffic, looks for suspicious network activity by a device. If a suspicious device is identified, then the suspicious device, assuming it supports management, may be managed to wholly or partially disable the device until its suspicious activity may be investigated. Assuming the intermediary passes network traffic for the suspicious device, in addition to or in lieu of management, the intermediary may be configured to wholly or to partially block communication to/from the suspicious device. Suspicious network activity may be identified through attempts to access network addresses not present in a routing table associated with the intermediary. Other indicia of suspicious activity are disclosed.

405 Citations

38 Claims

1. A method for a first device to process receiving network packets comprising:
- tracking a rate at which network packets are received from a second device violating a validity metric, the validity metric including whether received network packets are addressed to a valid destination address;
  
  determining a problem exists with the second device based at least in part on whether the rate exceeds a threshold; and
  
  performing an action responsive to determining the problem.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the action comprises:
    - configuring the second device to stop sending network packets.
  - 3. The method of claim 1, wherein the action comprises:
    - identifying a program executing on the second device associated with the network packets that violate the validity metric; and
      
      configuring the second device to stop the program.
  - 4. The method of claim 1, wherein the action comprises:
    - identifying a communication port associated with the network packets received from the second device that violate the validity metric; and
      
      dropping packets received from the second device using the communication port.
  - 5. The method of claim 1, wherein the action is selected ones of:
    - issuing a SNMP trap, sending an e-mail alert, executing a script, and logging the problem.
  - 6. The method of claim 1, wherein the rate comprises receiving from the second device at least 10 network packets per second violating the validity metric.
  - 7. The method of claim 1, wherein the rate corresponds to an aggregate measure of network packets that violate the validity metric received the second device and at least one other device.
  - 8. The method of claim 1, further comprising:
    - determining the problem asynchronously to the receiving network packets.
  - 9. The method of claim 1, further comprising:
    - a third device performing the determining the problem.
  - 10. The method of claim 1, further comprising:
    - a first module performing the receiving the network packets; and
      
      a second module performing the determining the problem asynchronously to the first program module.
  - 11. The method of claim 1, further comprising:
    - tracking only a subset of received network packets.
  - 12. The method of claim 11, further comprising:
    - determining the subset based at least in part on received network packets having selected ones of the following characteristics;
      
      being a communication session initiation packet, utilizing a particular communication port, and having a particular origin address.
  - 13. The method of claim 1, further comprising:
    - forwarding a received packet to a third device.
  - 14. The method of claim 1, further comprising:
    - dropping a received packet violating the validity metric.

15. A method for processing network packets comprising:
- determining a first rate at which network packets are received from a first originating device that violate a validity metric;
  
  accessing a second rate determined for network packets received by an other device from a second originating device that violate the validity metric;
  
  determining a problem exists with the originating device based at least in part on a combination of the first and second rates; and
  
  performing an action responsive to determining the problem.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The method of claim 15, wherein determining the problem comprises:
    - determining whether an addition of the rates exceeds a threshold
  - 17. The method of claim 15, wherein the first and second originating device are communicatively coupled.
  - 18. The method of claim 15, wherein the validity metric comprises determining whether received network packets are addressed to a valid destination address.
  - 19. The method of claim 15, wherein the action comprises:
    - configuring the second device to stop sending network packets.
  - 20. The method of claim 15, wherein the action comprises:
    - identifying a program executing on both the first and second originating device associated with the network packets that violate the validity metric; and
      
      instructing one of the first or second originating devices to stop the program.
  - 21. The method of claim 15, wherein the action comprises:
    - identifying a communication port associated with the network packets received from the first and second originating device that violate the validity metric; and
      
      dropping packets received from the second device using the communication port.
  - 22. The method of claim 15, wherein the action is selected ones of:
    - issuing a SNMP trap, sending an e-mail alert, executing a script, and logging the problem.
  - 23. The method of claim 15, further comprising:
    - determining the problem asynchronously to determining the first rate and accessing the second rate.
  - 24. The method of claim 15, further comprising:
    - tracking by the first and second devices of only a subset of network packets received thereto; and
      
      determining the subset based at least in part on received network packets having selected ones of the following characteristics;
      
      being a communication session initiation packet, utilizing a particular communication port, and having a particular origin address.

25. An article, comprising a machine-accessible media having associated data for directing a machine to process network packets, wherein the data, when accessed, results in the machine performing:
- tracking a rate at which network packets are received from a device violating a validity metric;
  
  determining a problem exists with the device based at least in part on whether the rate exceeds a threshold; and
  
  performing an action responsive to determining the problem.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The article of claim 25 wherein the machine-accessible media further includes data, which when accessed by the machine, results in the machine performing:
    - determining whether received network packets are addressed to a valid destination address.
  - 27. The article of claim 25 wherein the data for performing the action further includes data, which when accessed by the machine, results in the machine performing:
    - configuring the device to stop sending network packets.
  - 28. The article of claim 25 wherein the data for performing the action further includes data, which when accessed by the machine, results in the machine performing:
    - identifying a program executing on the device associated with the network packets that violate the validity metric; and
      
      configuring the device to stop the program.
  - 29. The article of claim 25 wherein the data for performing the action further includes data, which when accessed by the machine, results in the machine performing:
    - identifying a communication port associated with the network packets received from the device that violate the validity metric; and
      
      dropping packets received from the device using the communication port.
  - 30. The article of claim 25 wherein the data for performing the action further includes data, which when accessed by the machine, results in the machine performing:
    - issuing a SNMP trap;
      
      sending an e-mail alert;
      
      executing a script; and
      
      logging the problem.
  - 31. The article of claim 25 wherein the machine-accessible media further includes data, which when accessed by the machine, results in the machine performing:
    - determining the problem asynchronously to the receiving network packets.
  - 32. The article of claim 25 wherein the machine-accessible media further includes data, when accessed by the machine, results in the machine performing:
    - tracking only a subset of received network packets.

33. An article, comprising a machine-accessible media having associated data for processing network packets, wherein the data, when accessed, results in a machine performing:
- determining a first rate at which network packets are received from a first originating device that violate a validity metric;
  
  accessing a second rate determined for network packets received by an other device from a second originating device that violate the validity metric;
  
  determining a problem exists with the originating device based at least in part on a combination of the first and second rates; and
  
  performing an action responsive to determining the problem.
- View Dependent Claims (34, 35)
- - 34. The article of claim 33 wherein the data for determining the problem includes further data, which when accessed by the machine, results in the machine performing:
    - determining whether an addition of the rates exceeds a threshold
  - 35. The article of claim 33 wherein the machine-accessible media further includes data, when accessed by the machine, results in the machine performing:
    - determining whether received network packets are addressed to a valid destination address.

36. A system for processing network packets comprising:
- a network interface configured to receive network packets; and
  
  a machine communicatively coupled to the network interface and configured to perform;
  
  tracking a rate at which network packets are received from a device violating a validity metric, the validity metric including whether received network packets are addressed to a valid destination address;
  
  determining a problem exists with the device based at least in part on whether the rate exceeds a threshold; and
  
  performing an action responsive to determining the problem.
- View Dependent Claims (37, 38)
- - 37. The system of claim 36, wherein the machine is further configured to perform:
    - determining whether network packets received by the network interface are addressed to a valid destination address.
  - 38. The system of claim 36, wherein the action taken by the machine comprises performing:
    - managing the device

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Bauer, Blaine D.

Application Number

US10/236,402
Publication Number

US 20040047356A1
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Network traffic monitoring

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

405 Citations

38 Claims

Specification

Use Cases

Quick Links

Others

Network traffic monitoring

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

405 Citations

38 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others