Event detection/anomaly correlation heuristics
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that aggregate low-level anomalies into network events.
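An added illustration of the architecture the abstract describes (collector records, an aggregator that builds a connection table, anomalies found relative to a comparison period, then collected into events). This is not code from the patent; the flow records, the thresholds and the event types are assumptions:

```python
from collections import defaultdict

# Constructed sample flows as two collectors might report them:
# (collector, period, src, dst). "base" is the comparison period, "now" the current one.
FLOWS = [
    ("c1", "base", "10.0.0.5", "10.0.0.20"),
    ("c2", "base", "10.0.0.7", "10.0.0.20"),
    ("c2", "now", "10.0.0.7", "10.0.0.30"),
    ("c2", "now", "10.0.0.7", "10.0.0.31"),
    ("c2", "now", "10.0.0.7", "10.0.0.32"),
    ("c2", "now", "10.0.0.7", "10.0.0.33"),
]

def build_connection_table(flows, period):
    """Aggregator step: map each node to a record of who it talked to in one period."""
    table = defaultdict(lambda: {"out": defaultdict(int), "in": defaultdict(int)})
    for _collector, p, src, dst in flows:
        if p == period:
            table[src]["out"][dst] += 1
            table[dst]["in"][src] += 1
    return table

def find_anomalies(flows, ratio=2.0):
    """Low-level differences vs. the comparison period: unseen peers, or a count > ratio * old."""
    base, now = build_connection_table(flows, "base"), build_connection_table(flows, "now")
    anomalies = []
    for node, rec in now.items():
        for direction in ("out", "in"):
            old = base[node][direction] if node in base else {}
            for peer in sorted(set(rec[direction]) - set(old)):
                anomalies.append((node, direction, "new_peer", peer))
            old_total, new_total = sum(old.values()), sum(rec[direction].values())
            if old_total and new_total > ratio * old_total:
                anomalies.append((node, direction, "volume", new_total))
    return anomalies

def collect_events(anomalies, min_new_peers=3):
    """Collect anomalies into events: several unseen outbound peers of one node is one event."""
    by_key = defaultdict(list)
    for a in anomalies:
        by_key[(a[0], a[1])].append(a)
    events = []
    for (node, direction), items in by_key.items():
        new_peers = [a[3] for a in items if a[2] == "new_peer"]
        if direction == "out" and len(new_peers) >= min_new_peers:
            events.append({"node": node, "type": "many_new_outbound_peers", "peers": new_peers})
        for a in items:
            if a[2] == "volume":
                events.append({"node": node, "type": f"{direction}_volume_surge", "count": a[3]})
    return events
```

An isolated new peer (each of the four destination hosts seeing one new inbound source) stays an anomaly but never becomes an event; only the source that contacted several unseen hosts is reported.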
21 Claims

1. A method for detecting conditions in a network, comprising:
finding anomalies, which are low-level differences in network operation relative to some comparison period; and
collecting anomalies into operationally relevant events.
(Dependent claims 2, 3, 4, 5, 6, 7 not shown.)

8. A computer readable medium tangibly storing a computer program product for detecting intrusions in a network, comprising instructions for causing a processor to:
find anomalies, which are low-level differences in network operation relative to some comparison period; and
collect anomalies into operationally relevant events.
(Dependent claims 9, 10, 11, 12, 13, 14 not shown.)

15. A device for detecting conditions in a network, comprising:
circuitry to find anomalies, which are low-level differences in network operation relative to some comparison period; and
circuitry to collect anomalies into operationally relevant events.
(Dependent claims 16, 17, 18, 19, 20, 21 not shown.)