Monitoring network activity

US 20040117478A1
Filed: 01/12/2004
Published: 06/17/2004
Est. Priority Date: 09/13/2000
Status: Active Grant

First Claim

Patent Images

1. A system for analysing network traffic, comprising the steps of using detecting means to detect data packets which meet criteria defined by one or more functions in the detecting means, forwarding details of the detected packets to data processing means, and storing details of the detected packets so as to be accessible for use in analysis by the data processing means in conjunction with the details of other detected packets.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for analysing network traffic, particularly to detect suspect packets and identify attacks or potential attacks. Data packets which meet defined criteria are detected and their details forwarded to a database server where the details are stored so as to be accessible for use in analysis in conjunction with the details of other detected packets. Packet detection uses a tap and a packet factory which creates a packet for analysis consisting of the received packet and a unique identifier. A series of adapters are used to apply functions to different parts of the packets, to detect those meeting the criteria

Citations

34 Claims

1. A system for analysing network traffic, comprising the steps of using detecting means to detect data packets which meet criteria defined by one or more functions in the detecting means, forwarding details of the detected packets to data processing means, and storing details of the detected packets so as to be accessible for use in analysis by the data processing means in conjunction with the details of other detected packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. A system as claimed in claim 1, wherein the detecting means comprises a tap which receives packets of data from network traffic, and packet creating means which for each received packet creates a packet for analysis which consists of the received packet and a unique identifier.
  - 3. A system as claimed in claim 2, wherein the unique identifier includes an identifier for the tap and a time stamp.
  - 4. A system as claimed in claim 2 or 3, wherein the tap carries out an initial filtering stage in respect of types of network traffic.
  - 5. A system as claimed in claim 2, 3 or 4 wherein packets for analysis are filtered, to detect packets which meet the defined criteria, by means of an adapter which enables the application of a function to part of a packet.
  - 6. A system as claimed in claim 5, wherein a plurality of adapters are provided which enable the application of functions to different parts of a packet.
  - 7. A system as claimed in any of claims 2 to 6, wherein packets received by the tap are placed in a static buffer, and the packet creating means copies the packet from the static buffer into a structure allocated from a memory pool.
  - 8. A system as claimed in claim 7, wherein the packet creating means puts a pointer to the structure in a buffer.
  - 9. A system as claimed in claim 8, wherein the buffer grows dynamically to accommodate peaks in traffic.
  - 10. A system as claimed in any of claims 2 to 9, wherein a plurality of taps are provided, each with an associated packet creating means
  - 11. A system as claimed in any preceding claim wherein detected packets are collected and forwarded to the data processing means in groups.
  - 12. A system as claimed in claim 11 wherein collected packets are forwarded as a group to the data processing means at predetermined time intervals.
  - 13. A system as claimed in claim 12, wherein if the number of packets collected exceeds a predetermined limit before the expiry of the predetermined time interval, then the collected packets are analysed in accordance with predetermined criteria to establish whether some only of the packets may be forwarded to the data processing means as representative of a series of like packets.
  - 14. A system as claimed in any preceding claim, wherein functions applied to the packets, to detect those which meet the defined criteria, are encoded into a function tree.
  - 15. A system as claimed in any preceding claim, which is configured to detect suspect network traffic and provide alerts by means of an alert process in the event that an attack or potential network attack is identified.
  - 16. A system as claimed in claim 15, wherein a logger forwards details of detected packets to the data processing means for analysis, the logger also forwarding details of high priority packets to the alert process.
  - 17. A system as claimed in claim 15 or 16, wherein the data processing means includes a database server hosting a database on which details of detected packets are stored, and at least one data series server which queries the database to create statistics and provides information to the alert process.
  - 18. A system as claimed in claim 17, comprising a plurality of data series servers which create different types of statistics.
  - 19. A system as claimed in any of claims 15 to 18, wherein a historical analysis is carried out on details of detected packets stored by the data processing means.
  - 20. A system as claimed in any of claims 15 to 19, wherein means are provided so that information concering a number of detected packets which are related may be aggregated and a single alert provided.
  - 21. A system as claimed in any of claims 15 to 20, wherein means are provided so that a list may be stored to identify network attacks on which resources are to be concentrated.
  - 22. A system as claimed in any of claims 15 to 21, wherein means are provided so that a list may be stored of permitted data and all packets which do not correspond to this list are detected.
  - 23. A system as claimed in any of claims 15 to 22, wherein patterns are identified in the stored data and used to predict the next sequence of packets if an attack is identified.
  - 24. A system as claimed in any of claims 15 to 23, which is configured to detect a distributed denial of service attack as a deviation from normal traffic patterns.

25. A system for detecting packets in network traffic which meet predetermined criteria, comprising a tap which receives packets of data from network traffic, and packet creating means which for each received packet creates a packet for analysis which consists of the received packet and a unique identifier.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. A system as claimed in claim 25, wherein the unique identifier includes an identifier for the tap and a time stamp.
  - 27. A system as claimed in claim 25 or 26, wherein the tap carries out an initial filtering stage in respect of types of network traffic.
  - 28. A system as claimed in claim 25, 26 or 27 wherein packets for analysis are filtered, to detect packets which meet the predetermined criteria, by an adapter which enables the application of a function to part of a packet.
  - 29. A system as claimed in claim 28, wherein a plurality of adapters are provided which enable the application of functions to different parts of a packet.
  - 30. A system as claimed in any of claims 25 to 29, wherein packets received by the tap are placed in a static buffer, and the packet creating means copies the packet from the static buffer into a structure allocated from a memory pool.
  - 31. A system as claimed in claim 30, wherein the packet creating means puts a pointer to the structure in a buffer.
  - 32. A system as claimed in claim 31, wherein the buffer grows dynamically to accommodate peaks in traffic.
  - 33. A system as claimed in any of claims 25 to 32, wherein a plurality of taps are provided, each with an associated packet creating means
  - 34. A system as claimed in any of claims 25 to 33, wherein functions applied to the packets, to detect those which meet the predetermined criteria, are encoded into a function tree.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Datamonitor Systems LLC
Original Assignee
Adriaan W. Joubert, Arrigo G.B. Triulzi
Inventors
Triulzi, Arrigo G.B., Joubert, Adriaan W.

Granted Patent

US 7,594,009 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Monitoring network activity

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring network activity

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links