Network surveillance

US 20040221191A1
Filed: 03/22/2004
Published: 11/04/2004
Est. Priority Date: 11/09/1998
Status: Abandoned Application

First Claim

Patent Images

1. Method for performing network surveillance, said method comprising the steps of:

receiving a plurality of network packets handled by a network entity;

building at least one statistical profile from at least one measure of said plurality of network packets; and

analyzing said at least one statistical profile to detect suspicious network activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and a least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.

150 Citations

View as Search Results

20 Claims

1. Method for performing network surveillance, said method comprising the steps of:
- receiving a plurality of network packets handled by a network entity;
  
  building at least one statistical profile from at least one measure of said plurality of network packets; and
  
  analyzing said at least one statistical profile to detect suspicious network activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein said at least one measure monitors data transfers by monitoring network packet data transfer commands.
  - 3. The method of claim 1, wherein said at least one measure monitors data transfers by monitoring network packet data transfer errors.
  - 4. The method of claim 1, wherein said at least one measure monitors data transfers by monitoring network packet data transfer volume.
  - 5. The method of claim 1, wherein said at least one measure monitors network connections by monitoring network connection requests.
  - 6. The method of claim 1, wherein said at least one measure monitors network connections by monitoring network connection denials.
  - 7. The method of claim 1, wherein said at least one measure monitors network connections by monitoring a correlation of network connections requests and network connection denials.
  - 8. The method of claim 1, wherein said at least one measure monitors errors by monitoring at least one error code included in a network packet, wherein said at least one error code comprises a privilege error code or an error code indicating a reason a packet was rejected.
  - 9. The method of claim 1, further comprising the step of:
    - responding based on determining whether said at least one statistical profile indicates suspicious network activity.
  - 10. The method of claim 9, wherein said responding step comprises transmitting an event record to a network monitor.
  - 11. The method of claim 10, wherein said transmitting the event record to a network monitor step comprises transmitting the event record to a hierarchically higher network monitor.
  - 12. The method of claim 11, wherein said transmitting the event record to a network monitor step comprises transmitting the event record to a network monitor that receives event records from a plurality of network monitors.
  - 13. The method of claim 12, wherein said network monitor that receives event records from said plurality of network monitors comprises a network monitor that correlates activity in said plurality of network monitors based on said received event records.
  - 14. The method of claim 9, wherein said responding step comprises altering said analysis of said plurality of network packets.
  - 15. The method of claim 9, wherein said responding step comprises severing a communication channel.
  - 16. The method of claim 1, wherein said network entity comprises at least one of a gateway, a router, a proxy server, a firewall, and a virtual private network (VPN) entity.
  - 17. The method of claim 1, wherein said plurality of network packets are partitioning into a plurality of sessions representing a communication transaction between two hosts.
  - 18. The method of claim 17, wherein said at least one measure monitors network connections by monitoring a source port number and a destination port number included in one of said network packets.

19. A computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform the steps comprising of:
- receiving a, plurality of network packets handled by a network entity;
  
  building at least one statistical profile from at least one measure of said plurality of network packets; and
  
  analyzing said at least one statistical profile to detect suspicious network activity.

20. Apparatus for performing network surveillance, said apparatus comprising:
- means for receiving a plurality of network packets handled by a network entity;
  
  means for building at least one statistical profile from at least one measure of said plurality of network packets; and
  
  means for analyzing said at least one statistical profile to detect suspicious network activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip Andrew, Valdes, Alfonso

Application Number

US10/805,729
Publication Number

US 20040221191A1
Time in Patent Office

Days
Field of Search
US Class Current

714/4
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/0811   by checking connectivity

H04L 43/0888   Throughput

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Network surveillance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

150 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network surveillance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links