Connection based anomaly detection
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.
24 Claims
1. A system, comprising:
a plurality of collector devices that are disposed to collect statistical information on packets that are sent between nodes on a network;
an aggregator that receives network data from the plurality of collector devices, and which produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node.
(Dependent claims: 2 to 13)

14. A method, comprising:
providing a plurality of collector devices in a network to collect statistical information on packets that are sent between nodes on a network; and
sending statistical information from the collector devices to an aggregator, the aggregator producing a connection table that maps each node on the network to a record that stores information about traffic to or from the node.
(Dependent claims: 15 to 22)

23. A method of detecting a new host connecting to a network, comprising:
receiving statistics collected from a host in the network; and
indicating to a console that the host is a new host if, during a period of time T, the host transmits at least N packets and receives at least N packets, and if the host had never transmitted and received more than N packets in any previous period of time with a duration of T.

24. A method of detecting a failed host in a network, comprising:
determining if both a mean historical rate of server response packets from a host is greater than M, and a ratio of a standard deviation of historical rate of server response packets from the host to a mean profiled rate of server response packets from the host is less than R over a period of time; and
indicating the host as a potential failed host if both conditions are present.
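Claims 23 and 24 state their tests precisely enough to implement. The following is an added example, not code from the patent: it applies both tests to a constructed per-host history of the kind an aggregator's connection table would hold, with T fixed as one history slot and the thresholds N, M and R chosen arbitrarily.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed data (not from the patent): per host, one (sent, received)
# packet-count pair for each successive period of duration T, oldest first.
PACKET_HISTORY: Dict[str, List[Tuple[int, int]]] = {
    "10.0.0.5": [(0, 0), (0, 0), (0, 0), (12, 15)],     # silent until the last period
    "10.0.0.9": [(3, 2), (40, 38), (45, 41), (50, 47)],  # an established host
    "10.0.0.2": [(6, 11), (0, 0), (0, 0), (9, 9)],       # seen before, but never both > N
}

# Constructed data: per server host, historical rate of response packets
# (packets per period) over successive periods.
RESPONSE_RATES: Dict[str, List[float]] = {
    "10.0.0.9": [48.0, 50.5, 49.2, 51.0, 49.8],  # busy and very steady
    "10.0.0.5": [2.0, 0.0, 3.0, 1.0],            # too quiet to profile
    "10.0.0.7": [60.0, 5.0, 90.0, 10.0, 70.0],   # busy but erratic
}


def is_new_host(periods: List[Tuple[int, int]], n: int) -> bool:
    """Claim 23: >= N sent and >= N received in the current period, and no
    earlier period in which the host both sent and received more than N."""
    sent, received = periods[-1]
    if sent < n or received < n:
        return False
    # Note the asymmetry in the claim: "at least N" now, "more than N" before.
    return not any(s > n and r > n for s, r in periods[:-1])


def is_potential_failed_host(rates: List[float], m: float, r: float) -> bool:
    """Claim 24: mean historical response rate > M and the ratio of its
    standard deviation to the mean profiled rate < R. The claim names only
    these two conditions; they select hosts whose response history is stable."""
    mu = mean(rates)
    if mu <= m:
        return False
    return pstdev(rates) / mu < r


def new_hosts(history: Dict[str, List[Tuple[int, int]]], n: int) -> List[str]:
    """Hosts the aggregator would report to the console as new."""
    return sorted(h for h, p in history.items() if is_new_host(p, n))


def potential_failed_hosts(rates: Dict[str, List[float]], m: float, r: float) -> List[str]:
    """Hosts the aggregator would flag as potential failed hosts."""
    return sorted(h for h, v in rates.items() if is_potential_failed_host(v, m, r))


if __name__ == "__main__":
    print("new hosts (N=8):", new_hosts(PACKET_HISTORY, 8))
    print("potential failed hosts (M=20, R=0.1):", potential_failed_hosts(RESPONSE_RATES, 20.0, 0.1))
```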
Specification