Packet Sampling Flow-Based Detection of Network Intrusions
Abstract
A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.
23 Claims
1. A method for the analysis of sampled network communication traffic for potential intrusion activity, the method comprising the steps of:
assigning sampled data packets to a flow;
scaling the sampled data based on a sample rate;
collecting flow data from packet headers;
determining a primary flow in the event that multiple devices report the same flow;
analyzing collected flow data to assign a concern index value to the flow based upon a probability that the flow was not normal for data communications;
maintaining an accumulated concern index from flows associated with a host; and
issuing an alarm signal once the accumulated concern index has exceeded an alarm threshold value.
Dependent claims: 2-12.

13. A method for the analysis of network communication traffic for potential intrusion activity, the method comprising the steps of:
assigning sampled data packets to a flow wherein a flow consists of the packets exchanged between two hosts that are associated with a single service;
scaling the sampled data based upon a sample rate;
collecting flow data from packet headers;
determining a primary flow in the event that multiple devices report the same flow;
analyzing collected flow data to assign a concern index value wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value;
maintaining an accumulated concern index from flows associated with a host; and
issuing an alarm signal once the accumulated concern index has exceeded an alarm threshold value.
Dependent claims: 14.

15. A method of analyzing network communication traffic for potential intrusion activity, comprising the steps of:
assigning sampled data packets to a flow wherein a flow consists of the packets exchanged between two Internet Protocol addresses wherein at least one port remains constant;
scaling the sampled data based upon a sample rate;
collecting flow data from packet headers;
determining a primary flow in the event that multiple devices report the same flow;
analyzing collected flow data to assign a concern index value to the flow;
maintaining a host structure containing an accumulated concern index from flows associated with the host; and
issuing an alarm once the accumulated concern index has exceeded an alarm threshold value.
Dependent claims: 16-18.

19. A computer system for the analysis of network communication traffic, the computer system comprising:
a computer system operable to:
(i) classify sampled data packets into flows;
(ii) scale the sampled data based upon a sample rate;
(iii) collect flow data from packet header information;
(iv) determine a primary flow in the event that multiple devices report the same flow;
(v) analyze collected flow data to assign a concern index value, wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value;
(vi) generate an alarm signal; and
a communication system coupled to the computer system operable to send packets from one host to another host.
Dependent claims: 20.

21. A system for the analysis of network communication traffic, the system comprising:
a processor operable to:
(i) classify sampled data packets into flows;
(ii) scale the sampled data based upon a sample rate;
(iii) collect flow data from packet header information;
(iv) determine a primary flow in the event that multiple devices report the same flow;
(v) analyze collected flow data to assign a concern index value wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value;
(vi) generate an alarm signal;
memory coupled to the processor operable to store the flow data;
a database coupled to the processor operable to store log files; and
a network interface coupled to the processor operable to monitor network traffic.
Dependent claims: 22.

23. A method of analyzing network communication traffic for potential intrusion activity, comprising the steps of:
assigning sampled data packets to a flow;
scaling the sampled data based on a sample rate;
collecting flow data from packet headers;
analyzing packet header information;
determining a transport level protocol specifying a format of a data area; and
issuing an alarm when the transport level protocol is identified as User Datagram Protocol and the data segment associated with the User Datagram Protocol packet contains two or fewer bytes of data.
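The claimed pipeline as an added Python example (not the patent's own code): sampled packets from two probes are assigned to flows, a flow reported by both probes is reduced to one primary flow, counts are scaled by each probe's sample rate, a predetermined fixed concern-index value is assigned per suspicious pattern (including the claim 23 rule for UDP data segments of two or fewer bytes), the index is accumulated per originating host, and an alarm is raised at a threshold. The lower-port-is-service rule, the SYN-only rule, the index values, the threshold and the sample packets are assumptions made for this example.

```python
# Added example of the claimed method, not the patent's code; CI values and samples are constructed.
from collections import defaultdict
CI_UDP_TINY_PAYLOAD = 50   # claim 23: UDP data segment of two or fewer bytes
CI_TCP_SYN_ONLY = 20       # assumed rule: TCP flow that never got past SYN
ALARM_THRESHOLD = 60       # constructed alarm threshold on the accumulated index

def flow_key(p):
    # flow = both hosts + service port (assumed to be the lower one), so both directions map to it
    return tuple(sorted(p[:2])) + (p[2], min(p[3], p[4]))

def primary_flows(packets):
    # assign samples to flows per reporting probe; where several probes report
    # the same flow keep the one with most samples so it is not counted twice
    per_probe = defaultdict(list)
    for p in packets:
        per_probe[(flow_key(p), p[7])].append(p)
    best = {}
    for (key, _probe), pkts in per_probe.items():
        if key not in best or len(pkts) > len(best[key]):
            best[key] = pkts
    return best

def flow_stats(pkts):
    # header data collected per flow; sampled counts scaled by the probe's 1-in-N rate
    rate = pkts[0][8]
    return {"client": pkts[0][0], "proto": pkts[0][2], "packets": len(pkts) * rate,
            "flags": {p[5] for p in pkts}, "min_payload": min(p[6] for p in pkts)}

def concern_index(s):
    # predetermined fixed value per suspicious pattern, 0 for normal traffic
    if s["proto"] == "udp" and s["min_payload"] <= 2:
        return CI_UDP_TINY_PAYLOAD
    if s["proto"] == "tcp" and s["flags"] == {"S"}:
        return CI_TCP_SYN_ONLY
    return 0

def analyze(packets, threshold=ALARM_THRESHOLD):
    # accumulate the concern index per originating host; alarm once it reaches threshold
    host_ci = defaultdict(int)
    for pkts in primary_flows(packets).values():
        s = flow_stats(pkts)
        host_ci[s["client"]] += concern_index(s)
    return dict(host_ci), sorted(h for h, ci in host_ci.items() if ci >= threshold)

SAMPLE = [  # constructed: (src, dst, proto, sport, dport, tcp_flags, payload_len, probe, 1-in-N rate)
    ("10.0.0.9", "10.0.1.21", "udp", 40002, 53, "", 2, "sw1", 100),
    ("10.0.0.9", "10.0.1.21", "udp", 40002, 53, "", 2, "sw2", 50),  # same flow, second probe
    ("10.0.0.9", "10.0.1.22", "tcp", 40003, 22, "S", 0, "sw1", 100),
    ("10.0.0.5", "10.0.1.20", "tcp", 40100, 443, "S", 0, "sw1", 100),
    ("10.0.1.20", "10.0.0.5", "tcp", 443, 40100, "SA", 0, "sw1", 100),
]
```

Running `analyze(SAMPLE)` credits 10.0.0.9 with 50 + 20 = 70 (not 120, because the duplicate report of the UDP flow was collapsed) and raises an alarm for it, while the completed TCP handshake from 10.0.0.5 scores 0.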