Data collectors in connection-based intrusion detection

US 20040250134A1
Filed: 11/03/2003
Published: 12/09/2004
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A collector device comprises:

a processor; and

a memory, the memory executing a computer program product to collect statistical information on packets that are sent between nodes on a network, including instructions to;

determine, which host in a host connection pair is performing a server process and which is performing a client process.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Citations

30 Claims

1. A collector device comprises:
- a processor; and
  
  a memory, the memory executing a computer program product to collect statistical information on packets that are sent between nodes on a network, including instructions to;
  
  determine, which host in a host connection pair is performing a server process and which is performing a client process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The device of claim 1 wherein instructions to determine, determines the protocol used in a connection between the host pair.
  - 3. The device of claim 2 wherein if the protocol is a connection type protocol, then the device identifies which host sent a sync packet and which host sent a synch_ack packet.
  - 4. The device of claim 1 wherein the protocol is TCP.
  - 5. The device of claim 1 wherein the source of the sync packet is the client and the source of the synch_ack is the server.
  - 6. The device of claim 1 wherein if the protocol is not a connection based protocol the instructions to determine, determine the ports that the hosts communicate over.
  - 7. The device of claim 6 wherein if the hosts are transacting over a well know port, the instructions to determine, determines the server from a list of well know ports.
  - 8. The device of claim 7 wherein the list of well know ports has identification of hosts based on previous sources of synch_ack packets, with the host that sent the synch_ack packet assumed to be the server.
  - 9. The device of claim 1 wherein if a connection involves two ports, neither of which is known the host that connects to the lower port number is the server process.
  - 10. The device of claim 1 wherein server/client statistics are used when attempting to identify worm intrusions.

11. A method executed on a computing device comprises:
- collecting statistical information on packets that are sent between nodes on a network; and
  
  determining from the statistical information, which host in a host connection pair is performing a server process and which is performing a client process.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 wherein determining, determines the protocol used in a connection between the host pair.
  - 13. The method of claim 12 wherein determining, determines if the protocol is a connection type protocol and identifies which host sent a sync packet and which host sent a synch_ack packet.
  - 14. The method of claim 13 wherein the protocol is TCP.
  - 15. The method of claim 14 wherein determining, determines the source of the sync packet as the client and the source of the synch_ack as the server.
  - 16. The method of claim 11 wherein if determining, determines the protocol is not a connection based protocol determining determines the ports that the hosts communicated over.
  - 17. The method of claim 16 wherein if the hosts are transacting over a well know port, determining, determines the server from a list of well know ports.
  - 18. The method of claim 17 wherein the list is populated with identification of hosts based on previous sources of synch_ack packets, with the host that sent the synch-ack packet assumed to be the server.
  - 19. The method of claim 11 wherein if a connection involves two ports, neither of which is known the host that connects to the lower port number is the server process.
  - 20. The method of claim 11 wherein server/client statistics are used when attempting to identify worm intrusions.

21. A device comprises:
- circuitry to collect statistical information on packets that are sent between nodes on a network; and
  
  circuitry to determine from the statistical information, which host in a host connection pair is performing a server process and which is performing a client process.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The device of claim 21 wherein the circuitry to determine, determines the protocol used in a connection between the host pair.
  - 23. The device of claim 22 wherein circuitry to determine, determines if the protocol is a connection type protocol, to identify which host sent a sync packet and which host sent a synch_ack packet.
  - 24. The device of claim 23 wherein circuitry to determine, determines the source of the sync packet as the client and the source of the synch_ack as the server.
  - 25. The device of claim 21 wherein circuitry to determine, determines the protocol is not a connection based protocol, the circuitry determines ports that the hosts communicated over.
  - 26. The device of claim 21 wherein if the hosts are transacting over a well know port, circuitry to determine, determines the server from a list of well know ports.

27. A computer readable medium tangible storing a computer program product for detecting intrusions in a network, comprises instructions for causing a processor to:
- collect statistical information on packets that are sent between nodes on a network; and
  
  determine, which host in a host connection pair is performing a server process and which is performing a client process.
- View Dependent Claims (28, 29, 30)
- - 28. The product of claim 27 wherein instructions to determine, determines the protocol used in a connection between the host pair.
  - 29. The product of claim 28 wherein if the protocol is a connection type protocol, then the device identifies which host sent a sync packet and which host sent a synch_ack packet, with the source of the sync packet being the client and the source of the synch_ack being the server.
  - 30. The product of claim 27 wherein if the protocol is not a connection based protocol the instructions to determine, determine the ports that the hosts communicate over.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Kohler, Edward W. Jr., Ratin, Andrew, Poletto, Massimiliano Antonio

Granted Patent

US 7,664,963 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Data collectors in connection-based intrusion detection

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Data collectors in connection-based intrusion detection

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links