Detection of scanning attacks
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.
16 Claims
1. A method comprising:
- detecting scans emanating from hosts;
- analyzing records of scans to determine receivers of a scan and determine which of those receivers of scans that later became sources for a subsequent scan; and
- reconstructing the path by which a worm spread based on the analyzed records; and
- sending notification of the reconstructed path to a console.

Dependent claims: 2, 3, 4, 5, 6

7. A computer program product residing on a computer readable medium for detecting worm propagating comprising instructions for causing a computer to:
- detect scans emanating from hosts;
- analyze records of scans to determine receivers of a scan and determine which of those receivers of scans that later became sources for a subsequent scan; and
- reconstruct the path by which a worm spread based on the analyzed records.

Dependent claims: 8, 9, 10, 11, 12

13. Apparatus comprising:
- a processing device;
- a memory;
- a computer readable medium storing a computer program product for detecting worm propagating comprising instructions for causing the processor device to;
- detect scans emanating from hosts;
- analyze records of scans to determine receivers of a scan and determine which of those receivers of scans that later became sources for a subsequent scan; and
- reconstruct the path by which a worm spread based on the analyzed records.

Dependent claims: 14, 15, 16
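The steps recited in claim 1 can be illustrated from a defender's side with a short sketch. This is an added example, not code from the patent: the record layout `(timestamp, source, target)`, the sample addresses, and the rule "a host's infector is the earliest host that scanned it before its own first outbound scan" are all assumptions made for illustration.

```python
# Constructed scan records: (timestamp, scanning host, scanned host).
SCANS = [
    (100, "10.0.0.5", "10.0.0.7"),
    (100, "10.0.0.5", "10.0.0.8"),    # receiver that never scans
    (130, "10.0.0.7", "10.0.0.9"),
    (135, "10.0.0.7", "10.0.0.12"),
    (160, "10.0.0.9", "10.0.0.20"),
    (170, "10.0.0.12", "10.0.0.9"),   # 9 was already scanning by now
    (90, "10.0.0.30", "10.0.0.31"),   # unrelated scanner, no follow-on
]

def reconstruct_paths(scans):
    """Return (parent, roots) for the assumed propagation tree.

    parent[h] is the earliest host that scanned h before h itself
    started scanning; roots are scanners with no such predecessor.
    """
    scans = sorted(scans)
    first_scan = {}                   # host -> time of first outbound scan
    for ts, src, _dst in scans:
        first_scan.setdefault(src, ts)
    parent = {}
    for ts, src, dst in scans:
        # A receiver that later became a source for a subsequent scan.
        became_source = dst in first_scan and ts < first_scan[dst]
        if became_source and dst not in parent:
            parent[dst] = src
    roots = sorted(h for h in first_scan if h not in parent)
    return parent, roots

def path_to(host, parent):
    """Walk parent links back to the origin; returns origin -> host."""
    path = [host]
    while path[-1] in parent:         # parents always scanned earlier, so no cycles
        path.append(parent[path[-1]])
    return path[::-1]

def notify_console(scans):
    """Format one line per host that was scanned and then began scanning."""
    parent, _roots = reconstruct_paths(scans)
    return [" -> ".join(path_to(h, parent)) for h in sorted(parent)]

if __name__ == "__main__":
    for line in notify_console(SCANS):
        print("worm path:", line)
```
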
Specification