Traffic anomaly analysis for the detection of aberrant network code
Abstract
A method for detecting nodes in an enterprise network infected with aberrant code is presented, in which traffic conversation information representative of traffic conversation in the enterprise network over an analysis period is obtained. Analysis of the obtained traffic conversation information identifies suspected infected nodes in the enterprise network: nodes that exhibit behavior outside of the normal behavior associated with one or more traffic conversation factors. Anomaly analysis may then be performed on the traffic conversation information associated with the suspected infected nodes to identify any existing infected nodes in the enterprise network.
28 Claims
1. A method for detecting nodes of an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
- determining normal behavior associated with one or more traffic conversation factors from the traffic conversation information; and
- analyzing the traffic conversation information to identify nodes of the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors as suspected infected nodes.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A computer readable storage medium tangibly embodying program instructions implementing a method for detecting nodes of an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
- determining normal behavior associated with one or more traffic conversation factors from the traffic conversation information; and
- analyzing the traffic conversation information to identify nodes of the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors as suspected infected nodes.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A method for detecting nodes in an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
- determining normal behavior associated with one or more of a set of first traffic conversation factors from the traffic conversation information;
- analyzing the traffic conversation information to identify nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more of the set of first traffic conversation factors as suspected infected nodes;
- determining normal behavior associated with one or more of a set of second traffic conversation factors from the traffic conversation information; and
- analyzing the traffic conversation information associated with the suspected infected nodes to identify any existing infected nodes as suspected infected nodes that exhibit behavior outside of the normal behavior associated with the one or more of the set of second traffic conversation factors as suspected infected nodes.
Dependent claims: 16.

17. A computer readable storage medium tangibly embodying program instructions implementing a method for detecting nodes in an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
- determining normal behavior associated with one or more of a set of first traffic conversation factors from the traffic conversation information; and
- analyzing the traffic conversation information to identify nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more of the set of first traffic conversation factors as suspected infected nodes;
- determining normal behavior associated with one or more of a set of second traffic conversation factors from the traffic conversation information; and
- analyzing the traffic conversation information associated with the suspected infected nodes to identify any existing infected nodes as suspected infected nodes that exhibit behavior outside of the normal behavior associated with the one or more of the set of second traffic conversation factors as suspected infected nodes.
Dependent claims: 18.

19. A method for detecting nodes in an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
- determining normal source host behavior associated with one or more traffic conversation factors from the traffic conversation information;
- analyzing the traffic conversation information to identify nodes in the enterprise network with source hosts that exhibit behavior outside of the normal source host behavior associated with the one or more traffic conversation factors as suspected infected nodes; and
- analyzing the traffic conversation information associated with the suspected infected nodes for destination characteristics indicative of aberrant code to identify any existing infected nodes.
Dependent claims: 20, 21.

22. A computer readable storage medium tangibly embodying program instructions implementing a method for detecting nodes in an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
- determining normal source host behavior associated with one or more traffic conversation factors from the traffic conversation information;
- analyzing the traffic conversation information to identify nodes in the enterprise network executing source hosts that exhibit behavior outside of the normal source host behavior associated with the one or more traffic conversation factors as suspected infected nodes; and
- analyzing the traffic conversation information associated with the suspected infected nodes for destination characteristics indicative of aberrant code to identify any existing infected nodes.
Dependent claims: 23, 24.

25. An enterprise network comprising:
- one or more nodes;
- a data collector which obtains traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
- a statistical analyzer which determines normal behavior associated with one or more of a set of first traffic conversation factors from the traffic conversation information; and
- a traffic conversation information analyzer which analyzes the traffic conversation information to identify nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more of the set of first traffic conversation factors as suspected infected nodes.
Dependent claims: 26, 27, 28.
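The two-stage method described in the abstract and in claims 15 and 19 above, as an added worked example in Python; this is not code from the patent or its assignee. Stage 1 derives per-source-host traffic conversation factors (fan-out, destination-port spread, flow count) from flow records, takes the population median and MAD as "normal behavior", and flags hosts whose factors lie beyond a cutoff as suspected infected nodes. Stage 2 applies a destination characteristic to the suspects only, the share of a host's destinations that no other host in the network contacts, which separates a busy but benign host from a worm-like one. The flow records, host addresses, the 3.5 MAD cutoff and the 0.5 novelty cutoff are all constructed assumptions.

```python
"""Two-stage traffic-conversation anomaly detection over flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One traffic conversation summary (constructed; the shape a NetFlow/IPFIX export would give)."""
    src: str
    dst: str
    dport: int
    bytes_out: int


STAGE1_CUTOFF = 3.5      # assumed: robust z-score beyond which a factor is "outside normal"
NOVEL_DST_CUTOFF = 0.5   # assumed: share of unique destinations that confirms a suspect
SHARED_SERVERS = [f"10.0.1.{10 + i}" for i in range(12)]  # constructed internal servers


def build_sample_flows() -> List[Flow]:
    """Constructed analysis-period traffic: six workstations, one busy host, one worm-like host."""
    flows: List[Flow] = []
    for i in range(1, 7):
        src = f"10.0.0.{i}"
        # each workstation talks to an overlapping window of shared servers over HTTPS
        for server in SHARED_SERVERS[2 * (i - 1): 2 * (i - 1) + 3]:
            flows.append(Flow(src, server, 443, 4000 + 100 * i))
            flows.append(Flow(src, server, 443, 1500))
        flows.append(Flow(src, "10.0.1.53", 53, 120))  # shared DNS resolver
    # Busy but benign host: unusual fan-out, yet only to destinations the rest of the network uses.
    for server in SHARED_SERVERS:
        flows.append(Flow("10.0.0.77", server, 443, 3000))
    # Worm-like host: one small conversation each with 40 hosts nobody else contacts, all on 445.
    for i in range(1, 41):
        flows.append(Flow("10.0.0.66", f"10.0.2.{i}", 445, 200))
    return flows


def conversation_factors(flows: List[Flow]) -> Dict[str, Dict[str, float]]:
    """Stage-1 traffic conversation factors per source host: fan-out, port spread, flow count."""
    dsts: Dict[str, Set[str]] = defaultdict(set)
    ports: Dict[str, Set[int]] = defaultdict(set)
    count: Dict[str, int] = defaultdict(int)
    for f in flows:
        dsts[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        count[f.src] += 1
    return {s: {"fanout": len(dsts[s]), "ports": len(ports[s]), "flows": count[s]} for s in count}


def robust_scores(values: Dict[str, float]) -> Dict[str, float]:
    """Distance of each host from the population median in MAD units (robust z-score).

    Median/MAD model "normal behavior" without being dragged toward the very outliers we
    want to find.  1.4826 scales MAD to a std-dev-like unit; the floor of 1.0 keeps a
    zero-MAD factor (everyone identical) from turning any deviation into infinity.
    """
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    scale = max(1.4826 * mad, 1.0)
    return {host: (v - med) / scale for host, v in values.items()}


def stage1_suspects(factors: Dict[str, Dict[str, float]],
                    cutoff: float = STAGE1_CUTOFF) -> Dict[str, List[str]]:
    """Hosts with behavior outside the normal band on any factor; returns host -> offending factors."""
    suspects: Dict[str, List[str]] = defaultdict(list)
    for name in ("fanout", "ports", "flows"):
        for host, z in robust_scores({h: f[name] for h, f in factors.items()}).items():
            if abs(z) > cutoff:
                suspects[host].append(name)
    return dict(suspects)


def stage2_confirm(flows: List[Flow], suspects: Dict[str, List[str]],
                   cutoff: float = NOVEL_DST_CUTOFF) -> Dict[str, float]:
    """Destination characteristic per suspect: share of its destinations no other host talks to.

    Returns confirmed host -> share.  A suspect whose destinations are common to the
    network is left in the suspected set only; one whose destinations are unique to it
    is reported as an infected node.
    """
    contacted_by: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        contacted_by[f.dst].add(f.src)
    confirmed: Dict[str, float] = {}
    for host in suspects:
        own = {f.dst for f in flows if f.src == host}
        share = sum(1 for d in own if contacted_by[d] == {host}) / len(own)
        if share >= cutoff:
            confirmed[host] = share
    return confirmed


def detect(flows: List[Flow]) -> Tuple[Dict[str, List[str]], Dict[str, float]]:
    """Run both stages; returns (suspected nodes with their factors, confirmed infected nodes)."""
    suspects = stage1_suspects(conversation_factors(flows))
    return suspects, stage2_confirm(flows, suspects)


if __name__ == "__main__":
    suspected, infected = detect(build_sample_flows())
    print("stage 1 suspects:", suspected)
    print("stage 2 confirmed:", infected)
```

On the constructed data both 10.0.0.77 and 10.0.0.66 fall outside normal fan-out in stage 1, but only 10.0.0.66 survives stage 2, because every destination 10.0.0.77 reaches is also used by ordinary workstations. The MAD floor matters in practice: when most hosts behave identically a factor's MAD is zero, and without the floor a single extra destination would score as infinitely anomalous.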