Detection of scanning attacks

US 20050033989A1
Filed: 11/03/2003
Published: 02/10/2005
Est. Priority Date: 11/04/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

detecting scans emanating from hosts;

analyzing records of scans to determine receivers of a scan and determine which of those receivers of scans that later became sources for a subsequent scan; and

reconstructing the path by which a worm spread based on the analyzed records; and

sending notification of the reconstructed path to a console.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

362 Citations

16 Claims

1. A method comprising:
- detecting scans emanating from hosts;
  
  analyzing records of scans to determine receivers of a scan and determine which of those receivers of scans that later became sources for a subsequent scan; and
  
  reconstructing the path by which a worm spread based on the analyzed records; and
  
  sending notification of the reconstructed path to a console.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising:
    - examining ports used by the worm to determine which services were exploited by the scan.
  - 3. The method of claim 2 further comprises:
    - analyzing scan anomalies for the sets of hosts scanned.
  - 4. The method of claim 3 further comprising:
    - determining that a worm has passed from a first host to a second host over a time period.
  - 5. The method of claim 1 further comprising:
    - determining ports that a worm spread through to identify vulnerable services in the hosts.
  - 6. The method of claim 1 wherein detecting scans further comprises:
    - executing a scan detection process to determine hosts that were targets of scans.

7. A computer program product residing on a computer readable medium for detecting worm propagating comprising instructions for causing a computer to:
- detect scans emanating from hosts;
  
  analyze records of scans to determine receivers of a scan and determine which of those receivers of scans that later became sources for a subsequent scan; and
  
  reconstruct the path by which a worm spread based on the analyzed records.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7 further comprising instructions to:
    - examine ports used by the worm to determine which services were exploited by the scan.
  - 9. The computer program product of claim 7 further comprises instructions to:
    - analyze scan anomalies for the sets of hosts scanned.
  - 10. The computer program product of claim 9 further comprising instructions to:
    - determine that a worm has passed from a first host to a second host over a time period.
  - 11. The computer program product of claim 7 further comprising instructions to:
    - determine ports that a worm spread through to identify vulnerable services in the hosts.
  - 12. The computer program product of claim 7 wherein instructions to detect scans further comprises instructions to:
    - execute a scan detection process to determine hosts that were targets of scans.

13. Apparatus comprising:
- a processing device;
  
  a memory;
  
  a computer readable medium storing a computer program product for detecting worm propagating comprising instructions for causing the processor device to;
  
  detect scans emanating from hosts;
  
  analyze records of scans to determine receivers of a scan and determine which of those receivers of scans that later became sources for a subsequent scan; and
  
  reconstruct the path by which a worm spread based on the analyzed records.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus of claim 13 further comprising instructions to:
    - examine ports used by the worm to determine which services were exploited by the scan.
  - 15. The apparatus of claim 13 further comprises instructions to:
    - analyze scan anomalies for the sets of hosts scanned.
  - 16. The apparatus of claim 13 further comprising instructions to:
    - determine that a worm has passed from a first host to a second host over a time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology Incorporated
Original Assignee
Riverbed Technology Incorporated
Inventors
Poletto, Massimiliano Antonio, Wilken, Benjamin

Application Number

US10/701,353
Publication Number

US 20050033989A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

Detection of scanning attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

362 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Detection of scanning attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

362 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others