FACILITATING A USER TO DETECT DESIRED ANOMALIES IN DATA FLOWS OF NETWORKS
Abstract
A detection system in which a user can specify the permissible sequences of packets (e.g., by a state transition table), and the detection system detects packets that are inconsistent with those permissible sequences. As a result, all anomalies (packets inconsistent with the user-specified normal behavior) may be reliably detected.
16 Claims
1. A method of detecting anomalous packets received according to a protocol having a definition of permissible sequences of packets, said method being performed in a device, said method comprising:
enabling a user to specify said permissible sequences of packets as configurable data;
receiving a plurality of packets according to said protocol;
determining whether said plurality of packets are consistent with said definition of permissible sequences; and
concluding that an anomaly is detected if said plurality of packets are not consistent with said definition of permissible sequences specified as said configurable data.
4. A method of processing packets in a device, said method comprising:
enabling a user to provide data indicating a plurality of acceptable states for a protocol, a set of acceptable inputs at each of said plurality of acceptable states, and a next state corresponding to a combination of a first acceptable state and a corresponding input, wherein said next state and said corresponding input are respectively comprised in said plurality of acceptable states and said set of acceptable inputs, and each acceptable input corresponds to a packet according to said protocol with a corresponding content;
receiving a first packet according to said protocol when in a present state, wherein said present state is contained in said plurality of acceptable states;
examining the content of said first packet to determine whether the content of said first packet forms an acceptable input for said present state; and
determining that receiving said first packet is an anomaly if the content of said first packet does not form said acceptable input for said present state.
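The state-machine check of the abstract and of claim 4 (acceptable states, acceptable inputs per state, a next state for each state/input pair, and an anomaly whenever a packet's content is not an acceptable input for the present state), as an added worked example that is not code from the patent or its assignee. The TCP handshake table, the flag-to-symbol mapping, the flow key, and the packets are all assumptions constructed for this illustration; the monitor is deliberately simplified (it ignores sequence numbers and direction) and goes beyond the claim text only in tracking state per flow and validating the table before use:

```python
"""Table-driven protocol anomaly detector (illustration written for this page).

The transition table is the user-supplied "configurable data" of the claims:
the set of acceptable states, the acceptable inputs at each state, and the
next state for every (state, input) pair.  A packet whose content does not
form an acceptable input for the flow's present state is an anomaly.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, simplified table for a passive TCP handshake monitor
# (hypothetical; not from the patent).  Inputs are the flag combination
# carried by a packet, so "content" here means the TCP flags byte.
TCP_TABLE_JSON = """
{
  "initial": "CLOSED",
  "transitions": {
    "CLOSED":       {"SYN": "SYN_SENT"},
    "SYN_SENT":     {"SYN+ACK": "SYN_RECEIVED", "RST": "CLOSED"},
    "SYN_RECEIVED": {"ACK": "ESTABLISHED", "RST": "CLOSED"},
    "ESTABLISHED":  {"ACK": "ESTABLISHED", "PSH+ACK": "ESTABLISHED",
                     "FIN+ACK": "FIN_WAIT", "RST": "CLOSED"},
    "FIN_WAIT":     {"ACK": "CLOSED", "FIN+ACK": "CLOSED", "RST": "CLOSED"}
  }
}
"""

# TCP flag bits as laid out in the header's flags byte.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}
FIN, SYN, RST, PSH, ACK = (FLAG_BITS[n] for n in ("FIN", "SYN", "RST", "PSH", "ACK"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int


@dataclass(frozen=True)
class Anomaly:
    flow: Tuple[str, str]   # endpoints of the flow the packet belongs to
    state: str              # present state when the packet arrived
    symbol: str             # input derived from the packet's content
    packet: Packet


def load_table(text: str) -> Tuple[str, Dict[str, Dict[str, str]]]:
    """Parse the configurable data and check it is closed: every next state
    named by a transition must itself be one of the acceptable states."""
    cfg = json.loads(text)
    transitions: Dict[str, Dict[str, str]] = cfg["transitions"]
    if cfg["initial"] not in transitions:
        raise ValueError("initial state is not an acceptable state")
    for state, inputs in transitions.items():
        for symbol, nxt in inputs.items():
            if nxt not in transitions:
                raise ValueError(f"{state} --{symbol}--> {nxt}: next state undefined")
    return cfg["initial"], transitions


def symbol_of(packet: Packet) -> str:
    """Map packet content (its flag bits) onto an input symbol of the table."""
    names = [n for n, bit in FLAG_BITS.items() if packet.flags & bit]
    return "+".join(names) if names else "NONE"


class Detector:
    def __init__(self, initial: str, transitions: Dict[str, Dict[str, str]]):
        self.initial = initial
        self.transitions = transitions
        self.flows: Dict[Tuple[str, str], str] = {}   # present state per flow

    def feed(self, pkt: Packet) -> Optional[Anomaly]:
        """Advance the flow's state, or report an anomaly if the packet's
        content is not an acceptable input in the present state."""
        flow: Tuple[str, str] = tuple(sorted((pkt.src, pkt.dst)))  # type: ignore[assignment]
        state = self.flows.get(flow, self.initial)
        symbol = symbol_of(pkt)
        nxt = self.transitions[state].get(symbol)
        if nxt is None:
            return Anomaly(flow, state, symbol, pkt)   # state is left unchanged
        if nxt == self.initial:
            self.flows.pop(flow, None)                 # flow returned to rest
        else:
            self.flows[flow] = nxt
        return None


def scan(packets: List[Packet], table_text: str = TCP_TABLE_JSON) -> List[Anomaly]:
    det = Detector(*load_table(table_text))
    return [a for a in (det.feed(p) for p in packets) if a is not None]


# Constructed traffic: one clean handshake and teardown, plus three packets that
# do not fit the table (a SYN on an established flow, data with no handshake,
# and an unsolicited SYN+ACK).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.9", SYN),
    Packet("10.0.0.9", "10.0.0.5", SYN | ACK),
    Packet("10.0.0.5", "10.0.0.9", ACK),
    Packet("10.0.0.5", "10.0.0.9", PSH | ACK),
    Packet("10.0.0.9", "10.0.0.5", ACK),
    Packet("10.0.0.5", "10.0.0.9", SYN),          # SYN while ESTABLISHED
    Packet("10.0.0.7", "10.0.0.9", PSH | ACK),    # data, flow never opened
    Packet("10.0.0.9", "203.0.113.4", SYN | ACK), # SYN+ACK nobody asked for
    Packet("10.0.0.5", "10.0.0.9", FIN | ACK),
    Packet("10.0.0.9", "10.0.0.5", FIN | ACK),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_PACKETS):
        print(f"anomaly: flow={a.flow} state={a.state} input={a.symbol}")
```

The table is the only thing a user edits; the detector itself contains no protocol knowledge beyond how to turn packet content into an input symbol. Note that, as in the claims, an input missing from the table is an anomaly by definition, so a table that omits a legitimate transition (for instance a simultaneous open) will produce false positives rather than miss attacks; the table must be as complete as the protocol it describes.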
15. A computer readable medium carrying one or more sequences of instructions for causing a network device to detect anomalous packets received according to a protocol having a definition of permissible sequences of packets, wherein execution of said one or more sequences of instructions by one or more processors contained in said network device causes said one or more processors to perform the actions of:
enabling a user to specify said permissible sequences of packets as configurable data;
receiving a plurality of packets according to said protocol;
determining whether said plurality of packets are consistent with said definition of permissible sequences; and
concluding that an anomaly is detected if said plurality of packets are not consistent with said definition of permissible sequences specified as said configurable data.