Data collectors in connection-based intrusion detection
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events by aggregating anomalies into network events.
30 Claims

1. A collector device comprises:
a processor; and
a memory, the memory executing a computer program product to collect statistical information on packets that are sent between nodes on a network, including instructions to:
determine which host in a host connection pair is performing a server process and which is performing a client process.
Dependent claims: 2-10.

11. A method executed on a computing device comprises:
collecting statistical information on packets that are sent between nodes on a network; and
determining from the statistical information which host in a host connection pair is performing a server process and which is performing a client process.
Dependent claims: 12-20.

21. A device comprises:
circuitry to collect statistical information on packets that are sent between nodes on a network; and
circuitry to determine from the statistical information which host in a host connection pair is performing a server process and which is performing a client process.
Dependent claims: 22-26.

27. A computer readable medium tangibly storing a computer program product for detecting intrusions in a network, comprises instructions for causing a processor to:
collect statistical information on packets that are sent between nodes on a network; and
determine which host in a host connection pair is performing a server process and which is performing a client process.
Dependent claims: 28-30.
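As an added illustration (not code from the patent or its assignee), the following Python sketches the collector/aggregator split described in the abstract and the independent claims: per-pair packet statistics are reduced to a client/server role decision, which is then folded into a node-keyed connection table. The patent text shown here does not say how the role is decided; the SYN-direction and lower-port heuristic, the packet tuple layout and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict

# Constructed packet observations, as a collector might record them:
# (src_ip, src_port, dst_ip, dst_port, tcp_flags, payload_bytes)
PACKETS = [
    ("10.0.0.5", 51234, "10.0.0.80", 80, "S", 0),
    ("10.0.0.80", 80, "10.0.0.5", 51234, "SA", 0),
    ("10.0.0.5", 51234, "10.0.0.80", 80, "PA", 300),
    ("10.0.0.80", 80, "10.0.0.5", 51234, "PA", 1400),
    ("10.0.0.7", 40000, "10.0.0.5", 22, "S", 0),
    ("10.0.0.5", 22, "10.0.0.7", 40000, "SA", 0),
    ("10.0.0.9", 53000, "10.0.0.80", 8080, "PA", 100),  # handshake not seen
    ("10.0.0.80", 8080, "10.0.0.9", 53000, "PA", 50),
]

def group_by_pair(packets):
    """Bucket packets by unordered host pair (the claims' 'host connection pair')."""
    pairs = defaultdict(list)
    for pkt in packets:
        pairs[tuple(sorted((pkt[0], pkt[2])))].append(pkt)
    return pairs

def classify_pair(pkts):
    """Return (client, server) for one pair. Assumed heuristic, not taken from
    the patent text: the sender of the first bare SYN is the client; if no
    handshake was captured, the side using the lower (service) port is the server."""
    for src, _, dst, _, flags, _ in pkts:
        if flags == "S":
            return src, dst
    src, sport, dst, dport, _, _ = pkts[0]
    return (src, dst) if sport > dport else (dst, src)

def build_connection_table(packets):
    """Aggregator step: map each node to a record of the roles it played and
    the byte counts seen to and from it."""
    table = defaultdict(lambda: {"server_of": set(), "client_of": set(),
                                 "bytes_in": 0, "bytes_out": 0})
    for pkts in group_by_pair(packets).values():
        client, server = classify_pair(pkts)
        table[server]["server_of"].add(client)
        table[client]["client_of"].add(server)
        for src, _, dst, _, _, nbytes in pkts:
            table[src]["bytes_out"] += nbytes
            table[dst]["bytes_in"] += nbytes
    return dict(table)
```

A node that appears as a server for many distinct clients, or as a client to many servers, stands out directly in the resulting records, which is the kind of per-node view the abstract's connection table is meant to support.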