Method, program and system for automatically detecting malicious computer network reconnaissance
Abstract
A detection and response system that generates an Alert if unauthorized scanning is detected on a computer network that includes a look-up table to record state value corresponding to the sequence in which SYN, SYN/ACK and RST packets are observed. A set of algorithms executed on a processing engine adjusts the state value in response to observing the packets. When the state value reaches a predetermined value indicating that all three packets have been seen, the algorithm generates an Alert.
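The abstract describes a per-connection state value that advances as SYN, SYN/ACK and RST are observed in that order, with an alert raised once all three have been seen (the classic half-open or "stealth" scan, where the initiator tears down a connection it never completed). The following is an added illustration, not code from the patent or its assignee: it assumes a bit-flag encoding for the state value and keys the look-up table on (initiator, target, target port), neither of which the abstract specifies. Packets are constructed records with tcpdump-style flag letters rather than decoded frames.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed packet record for the example; a real sensor would decode these
# fields from captured frames. Flags use tcpdump-style letters:
# S = SYN, SA = SYN/ACK, A = ACK, R = RST.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

# Assumed state encoding: one bit per packet type observed. The abstract only
# says the state value records the order in which the three packets are seen.
SEEN_SYN = 0b001
SEEN_SYNACK = 0b010
SEEN_RST = 0b100
ALERT_STATE = SEEN_SYN | SEEN_SYNACK | SEEN_RST  # all three observed

Key = Tuple[str, str, int]  # (initiator, target, target port)


class HalfOpenScanDetector:
    """Look-up table tracking SYN -> SYN/ACK -> RST per (initiator, target, port)."""

    def __init__(self) -> None:
        self.table: Dict[Key, int] = {}
        self.alerts: List[Key] = []

    def observe(self, pkt: Packet) -> bool:
        """Update the table for one packet; return True if it completed the sequence."""
        fwd: Key = (pkt.src, pkt.dst, pkt.dport)  # initiator -> target direction
        rev: Key = (pkt.dst, pkt.src, pkt.sport)  # target -> initiator direction

        if pkt.flags == "S":
            self.table[fwd] = SEEN_SYN
        elif pkt.flags == "SA":
            # Reply from the target: only meaningful if we saw the SYN first.
            if self.table.get(rev, 0) & SEEN_SYN:
                self.table[rev] |= SEEN_SYNACK
        elif pkt.flags == "A":
            # Third handshake packet: a completed connection, not a half-open probe.
            self.table.pop(fwd, None)
        elif pkt.flags == "R":
            state = self.table.get(fwd, 0)
            if state & SEEN_SYNACK:
                # Initiator reset a connection the target had accepted.
                state |= SEEN_RST
                if state == ALERT_STATE:
                    self.alerts.append(fwd)
                    del self.table[fwd]
                    return True
                self.table[fwd] = state
            elif rev in self.table:
                # RST from the target is a closed-port reply, not the tracked sequence.
                del self.table[rev]
        return False

    def scanned_ports(self, initiator: str) -> Dict[str, List[int]]:
        """Ports per target for which this initiator triggered an alert."""
        out: Dict[str, List[int]] = {}
        for src, dst, port in self.alerts:
            if src == initiator:
                out.setdefault(dst, []).append(port)
        return out


def run_demo() -> List[Key]:
    """Feed constructed traffic through the detector and return the alerts raised."""
    scanner, victim, client = "10.0.0.5", "10.0.0.20", "10.0.0.7"
    traffic = [
        Packet(scanner, 40001, victim, 22, "S"),
        Packet(victim, 22, scanner, 40001, "SA"),
        Packet(scanner, 40001, victim, 22, "R"),   # half-open probe: alert
        Packet(client, 50001, victim, 443, "S"),
        Packet(victim, 443, client, 50001, "SA"),
        Packet(client, 50001, victim, 443, "A"),   # legitimate handshake: no alert
        Packet(scanner, 40002, victim, 23, "S"),
        Packet(victim, 23, scanner, 40002, "R"),   # closed port reply: no alert
    ]
    det = HalfOpenScanDetector()
    for pkt in traffic:
        det.observe(pkt)
    return det.alerts


if __name__ == "__main__":
    print(run_demo())
```

A single SYN, SYN/ACK, RST triple can also occur in legitimate traffic (a client aborting a connection, or a connectivity check by a load balancer), so a production sensor would typically aggregate the per-key alerts with `scanned_ports` and require several distinct ports from one initiator within a window before escalating, and would also expire stale table entries so the look-up table cannot grow without bound.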
35 Claims
1. A method to detect unauthorized reconnaissance or scanning of a computer network comprising the acts of:
- (a) monitoring communications within the network;
- (b) detecting predefined sequence of packets flowing within said communications; and
- (c) issuing an alert indicating unauthorized scanning if the predefined sequence of packets is detected.
Dependent claims: 2 to 10

11. An intrusion detection system including:
- a table containing at least one characteristic identifying network devices and a set of state code corresponding to a sequence in which a predefined set of packets are observed; and
- a controller operable to examine received packets, to adjust the state code and to generate an alert if one of the set of state code reaches a predefined value.
Dependent claims: 12 to 19

20. A program product including:
- a medium; and
- a computer program recorded on said medium, said computer program including a first set of instructions that examine packets to detect a predefined sequence of packets; and
- a second set of instructions that generate an alert if the predefined sequence of packets are detected.
Dependent claims: 21 to 24

25. A method to deploy an intrusion detection system on a network device including acts of:
- providing an algorithm to detect a predefined set of packets; and
- generating an alert if the predefined set of packets is detected.
Dependent claims: 26 to 29

30. A method to protect devices from malicious attacks launched on a computer network including the acts of:
- providing on a device to be protected a software program that monitors packets; and
- issuing an alert if a predefined set of packets are detected.
Dependent claims: 31 to 35