Method and apparatus for predictive and actual intrusion detection on a network
Abstract
A method of managing network usage by defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored. Network packets are captured during transmission and analyzed to identify linguistic patterns. Captured network packets are scored based on similarity of at least one linguistic pattern to one or more of the defined set of linguistic patterns. When a packet that is scored above a specified threshold value is identified, at least one responsive action is implemented. In this manner, a system implementing the method is able to identify network traffic that is associated with prospective malicious activity and thereby provide an early warning before damage has occurred.
32 Claims
1. A method of managing network usage comprising:

defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored;
capturing network packets during transmission;
decapsulating the network packets;
identifying linguistic patterns in the captured network packets;
scoring captured network packets based on similarity of at least one identified linguistic pattern to one or more of the defined set of linguistic patterns; and
when a packet that is scored above a specified threshold value is identified, implementing at least one responsive action.
(Dependent claims 2 through 12 not shown.)

13. A monitored networked computing system comprising:

a network;
a plurality of computing devices coupled to the network and configured to exchange information packets with each other;
a network analyzer coupled to the network, wherein the network analyzer includes mechanisms for capturing information packets; and
a linguistic analyzer coupled to the network analyzer and operable to identify preselected linguistic patterns in the captured information packets, wherein the linguistic patterns are preselected to identify network packets that preemptively indicate a future network attack.
(Dependent claims 14 through 21 not shown.)

22. The monitored network of claim 13 further comprising a report generator coupled to the linguistic analyzer and operable to generate reports based on the categorization

22-1. A computer implemented device for monitoring network traffic comprising:

computer code configured to be executed on a processor to cause the processor to capture information packets from a network;
computer code configured to be executed on a processor to cause the processor to identify linguistic patterns in the captured network packets;
computer code configured to be executed on a processor to cause the processor to score captured network packets based on similarity of at least one identified linguistic pattern to one or more of the defined set of linguistic patterns; and
computer code configured to be executed on a processor to cause the processor to implement at least one responsive action when a packet that is scored above a specified threshold value is identified.

23. A computing device configured to monitor network traffic, the computing device comprising:

a processor;
memory coupled to the processor;
a port coupled to an external network;
computer code executable using the processor and memory and operable to identify network traffic on the external network that is associated with prospective malicious activity.
(Dependent claims 24 through 29 not shown.)

30. A method of detecting a prospective network attack by monitoring network traffic, the method comprising:

defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that has been determined to be indicative of a prospective network attack;
monitoring the network traffic over time;
identifying the linguistic patterns when they occur in network traffic;
accumulating information about the identified occurrences of the linguistic patterns over time; and
using the accumulated information as a basis for determining likelihood of a prospective network attack.
(Dependent claims 31 and 32 not shown.)
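The abstract and claim 1 describe a pipeline (define patterns, capture, decapsulate, identify, score by similarity, threshold, respond), and claim 30 adds accumulation of occurrences over time to estimate attack likelihood. The following is an added illustration of both, not code from the patent or its assignee: the pattern set, the Ethernet/IPv4/TCP framing, the similarity measure (Python's `difflib.SequenceMatcher` over token windows), the thresholds, and the likelihood heuristic (fraction of distinct patterns observed inside a time window) are all constructed assumptions chosen to make the steps concrete.

```python
"""Added example (not the patent's own code): a toy implementation of the claimed
pipeline -- pattern definition, capture, decapsulation, identification, similarity
scoring, thresholded response, and claim-30 style accumulation of hits over time.
Frames, patterns, thresholds and the likelihood heuristic are constructed assumptions."""
import re
from collections import deque
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class LinguisticPattern:
    name: str        # label for the monitored condition
    phrase: str      # reference wording the pattern represents
    condition: str   # what a match is taken to indicate


# Constructed pattern set; a real deployment would derive these from incident data.
PATTERNS = (
    LinguisticPattern("recon-chatter", "scan the target for open ports", "pre-attack reconnaissance"),
    LinguisticPattern("cred-sharing", "password for the admin account is", "credential disclosure"),
    LinguisticPattern("defence-tamper", "disable the firewall before tonight", "planned control bypass"),
)
ALERT_THRESHOLD = 0.75     # score above this triggers the responsive action (assumed)
INDICATOR_THRESHOLD = 0.5  # score at or above this counts as an occurrence for accumulation (assumed)


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 (IHL=5) + TCP (data offset=5) frame around a payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ipv4 = bytes([0x45]) + b"\x00" * 19
    tcp = b"\x00" * 12 + bytes([0x50]) + b"\x00" * 7
    return eth + ipv4 + tcp + payload


def decapsulate(frame: bytes) -> str:
    """Strip the link, network and transport headers and return the application text."""
    eth_len = 14
    ihl = (frame[eth_len] & 0x0F) * 4             # IPv4 header length in bytes
    tcp_start = eth_len + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4   # TCP header length in bytes
    return frame[tcp_start + data_off:].decode("utf-8", errors="replace")


def tokens(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def score_packet(text: str) -> tuple[str, float]:
    """Best (pattern name, similarity) over all patterns. Similarity is the SequenceMatcher
    ratio between the pattern's tokens and the closest same-length token window of the text,
    so an exact phrase scores 1.0 and a one-word substitution in a six-word phrase scores 5/6."""
    words = tokens(text)
    best_name, best_score = "", 0.0
    for pat in PATTERNS:
        ref = tokens(pat.phrase)
        k = len(ref)
        for start in range(max(1, len(words) - k + 1)):
            ratio = SequenceMatcher(None, ref, words[start:start + k]).ratio()
            if ratio > best_score:
                best_name, best_score = pat.name, ratio
    return best_name, best_score


def respond(packet_id: int, name: str, score: float) -> dict:
    """Responsive action for this example: emit an alert record for the operator."""
    return {"packet": packet_id, "pattern": name, "score": round(score, 3), "action": "alert"}


class AttackLikelihoodTracker:
    """Claim-30 style accumulation: remember pattern occurrences inside a sliding time window
    and estimate likelihood as the fraction of distinct patterns seen in that window
    (a constructed heuristic, not a formula from the patent)."""

    def __init__(self, window_seconds: float) -> None:
        self.window = window_seconds
        self.hits = deque()   # (timestamp, pattern name)

    def observe(self, ts: float, name: str, score: float) -> None:
        if score >= INDICATOR_THRESHOLD:
            self.hits.append((ts, name))
        while self.hits and ts - self.hits[0][0] > self.window:
            self.hits.popleft()

    def likelihood(self) -> float:
        return len({name for _, name in self.hits}) / len(PATTERNS)


def process(frames_with_ts) -> tuple[list[dict], float]:
    """Run the full pipeline over (timestamp, frame) pairs; return alerts and likelihood."""
    tracker = AttackLikelihoodTracker(window_seconds=600)
    alerts = []
    for pid, (ts, frame) in enumerate(frames_with_ts):
        name, score = score_packet(decapsulate(frame))
        tracker.observe(ts, name, score)
        if score > ALERT_THRESHOLD:
            alerts.append(respond(pid, name, score))
    return alerts, tracker.likelihood()


# Constructed sample traffic: (timestamp, frame)
SAMPLE_TRAFFIC = [
    (1000.0, build_frame(b"hey can you scan the host for open ports tonight")),
    (1120.0, build_frame(b"the password for the admin account is hunter2")),
    (1300.0, build_frame(b"lunch at noon tomorrow?")),
]

if __name__ == "__main__":
    found, likelihood = process(SAMPLE_TRAFFIC)
    for alert in found:
        print(alert)
    print(f"attack likelihood over window: {likelihood:.2f}")
```

The first constructed packet differs from the "recon-chatter" phrase by one token and scores 5/6, the second matches "cred-sharing" exactly, and the third matches nothing; with two of three patterns observed inside the 600-second window the tracker reports a likelihood of 2/3. In practice the similarity function, the thresholds and the window length are the tuning points that trade false positives against early warning.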