Traffic anomaly analysis for the detection of aberrant network code

US 20070064617A1
Filed: 09/16/2005
Published: 03/22/2007
Est. Priority Date: 09/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting nodes of an enterprise network infected with aberrant code, the method comprising the steps of:

obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;

determining normal behavior associated with one or more traffic conversation factors from the traffic conversation information; and

analyzing the traffic conversation information to identify nodes of the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors as suspected infected nodes.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting nodes in an enterprise network infected with aberrant code is presented in which traffic conversation information representative of traffic conversation in the enterprise network over an analysis period is obtained. Analysis of the obtained traffic conversation information identifies suspected infected nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors. Anomaly analysis may be performed on traffic conversation information associated with the suspected infected nodes to identify any existing infected nodes in the enterprise network.

Citations

28 Claims

1. A method for detecting nodes of an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
  
  determining normal behavior associated with one or more traffic conversation factors from the traffic conversation information; and
  
  analyzing the traffic conversation information to identify nodes of the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors as suspected infected nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the determining step comprises:
    - determining a respective baseline operating range for corresponding one or more of the one or more traffic conversation factors; and
      
      associating the respective baseline operating range for the corresponding one or more of the one or more traffic conversation factors with the normal behavior associated with the corresponding one or more of the one or more traffic conversation factors.
  - 3. The method of claim 1, wherein:
    - the one or more traffic conversation factors comprise one or more of attempted contact by a node in the enterprise network with a high number of destinations relative to normal behavior, a low variation in frame number per conversation originating from a node relative to normal behavior, and a low variation in conversation size per conversation originating from a node relative to normal behavior.
  - 4. The method of claim 3, wherein the determining step comprises:
    - determining a respective baseline operating range for corresponding one or more of the one or more traffic conversation factors; and
      
      associating the respective baseline operating range for the corresponding one or more of the one or more traffic conversation factors with the normal behavior associated with the corresponding one or more of the one or more traffic conversation factors.
  - 5. The method of claim 1, further comprising:
    - analyzing the traffic conversation information associated with one or more respective suspected infected nodes for conversation anomalies to confirm or deny the presence of aberrant code on the respective suspected infected nodes.
  - 6. The method of claim 5, wherein the step for analyzing the traffic conversation information associated with one or more respective suspected infected nodes for conversation anomalies to confirm or deny the presence of aberrant code on the respective suspected infected nodes comprises:
    - confirming the presence of aberrant code on a respective suspected infected node if the traffic conversation information associated with the respective suspected infected node exhibits conversation anomalies comprising one or more of;
      
      attempted contact of a high number of destination hosts in adjacent address space relative to normal behavior, attempted contact of a high number of bogons relative to normal behavior, and attempted contact of a high number of destination hosts with unresolvable destination names relative to normal behavior.
  - 7. The method of claim 5, wherein:
    - the one or more traffic conversation factors comprise characteristics of source hosts; and
      
      the conversation anomalies comprise characteristics of destination hosts targeted by source hosts executing on the suspected infected nodes.

8. A computer readable storage medium tangibly embodying program instructions implementing a method for detecting nodes of an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
  
  determining normal behavior associated with one or more traffic conversation factors from the traffic conversation information; and
  
  analyzing the traffic conversation information to identify nodes of the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors as suspected infected nodes.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable storage medium of claim 8, wherein the method step for determining normal behavior associated with one or more traffic conversation factors comprises:
    - determining a respective baseline operating range for corresponding one or more of the one or more traffic conversation factors; and
      
      associating the respective baseline operating range for the corresponding one or more of the one or more traffic conversation factors with the normal behavior associated with the corresponding one or more of the one or more traffic conversation factors.
  - 10. The computer readable storage medium of claim 8, wherein:
    - the one or more traffic conversation factors comprise one or more of attempted contact by a node in the enterprise network with a high number of destinations relative to normal behavior, a low variation in frame number per conversation originating from a node relative to normal behavior, and a low variation in conversation size per conversation originating from a node relative to normal behavior.
  - 11. The computer readable storage medium of claim 10, wherein the method step for determining normal behavior associated with one or more traffic conversation factors comprises:
    - determining a respective baseline operating range for corresponding one or more of the one or more traffic conversation factors; and
      
      associating the respective baseline operating range for the corresponding one or more of the one or more traffic conversation factors with the normal behavior associated with the corresponding one or more of the one or more traffic conversation factors.
  - 12. The computer readable storage medium of claim 8, the method further comprising the step of:
    - analyzing the traffic conversation information associated with one or more respective suspected infected nodes for conversation anomalies to confirm or deny the presence of aberrant code on the respective suspected infected nodes.
  - 13. The computer readable storage medium of claim 12, wherein the method step for analyzing the traffic conversation information associated with one or more respective suspected infected nodes for conversation anomalies to confirm or deny the presence of aberrant code on the respective suspected infected nodes comprises:
    - confirming the presence of aberrant code on a respective suspected infected node if the traffic conversation information associated with the respective suspected infected node exhibits conversation anomalies comprising one or more of;
      
      attempted contact of a high number of destination hosts in adjacent address space relative to normal behavior, attempted contact of a high number of bogons relative to normal behavior, and attempted contact of a high number of destination hosts with unresolvable destination names relative to normal behavior.
  - 14. The computer readable storage medium of claim 12, wherein:
    - the one or more traffic conversation factors comprise characteristics of source hosts; and
      
      the conversation anomalies comprise characteristics of destination hosts targeted by source hosts executing on the suspected infected nodes.

15. A method for detecting nodes in an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
  
  determining normal behavior associated with one or more of a set of first traffic conversation factors from the traffic conversation information;
  
  analyzing the traffic conversation information to identify nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more of the set of first traffic conversation factors as suspected infected nodes;
  
  determining normal behavior associated with one or more of a set of second traffic conversation factors from the traffic conversation information; and
  
  analyzing the traffic conversation information associated with the suspected infected nodes to identify any existing infected nodes as suspected infected nodes that exhibit behavior outside of the normal behavior associated with the one or more of the set of second traffic conversation factors as suspected infected nodes.
- View Dependent Claims (16)
- - 16. The method of claim 15, wherein:
    - the one or more of the set of first traffic conversation factors and the one or more of the second traffic conversation factors each comprise one or more different ones of attempted contact of a high number of destination hosts relative to normal behavior, attempted contact of a plurality of destination hosts using a substantially non-varying conversation size, attempted contact of a plurality of destination hosts using a substantially non-varying number of frames per conversation, attempted contact of a high number of destination hosts in adjacent address space relative to normal behavior, attempted contact of a high number of bogons relative to normal behavior, and attempted contact of a high number of destination hosts with unresolvable destination names relative to normal behavior.

17. A computer readable storage medium tangibly embodying program instructions implementing a method for detecting nodes in an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
  
  determining normal behavior associated with one or more of a set of first traffic conversation factors from the traffic conversation information; and
  
  analyzing the traffic conversation information to identify nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more of the set of first traffic conversation factors as suspected infected nodes;
  
  determining normal behavior associated with one or more of a set of second traffic conversation factors from the traffic conversation information; and
  
  analyzing the traffic conversation information associated with the suspected infected nodes to identify any existing infected nodes as suspected infected nodes that exhibit behavior outside of the normal behavior associated with the one or more of the set of second traffic conversation factors as suspected infected nodes.
- View Dependent Claims (18)
- - 18. The computer readable storage medium of claim 17, wherein:
    - the one or more of the set of first traffic conversation factors and the one or more of the second traffic conversation factors each comprise one or more different ones of attempted contact of a high number of destination hosts relative to normal behavior, attempted contact of a plurality of destination hosts using a substantially non-varying conversation size, attempted contact of a plurality of destination hosts using a substantially non-varying number of frames per conversation, attempted contact of a high number of destination hosts in adjacent address space relative to normal behavior, attempted contact of a high number of bogons relative to normal behavior, and attempted contact of a high number of destination hosts with unresolvable destination names relative to normal behavior.

19. A method for detecting nodes in an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
  
  determining normal source host behavior associated with one or more traffic conversation factors from the traffic conversation information;
  
  analyzing the traffic conversation information to identify nodes in the enterprise network with source hosts that exhibit behavior outside of the normal source host behavior associated with the one or more traffic conversation factors as suspected infected nodes; and
  
  analyzing the traffic conversation information associated with the suspected infected nodes for destination characteristics indicative of aberrant code to identify any existing infected nodes.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, wherein the one or more traffic conversation factors comprise one or more of attempted contact by a source host with a high number of destinations relative to normal behavior, a low variation in conversation size relative to normal behavior, a low variation in frame number per conversation relative to normal behavior, and a low variation in conversation size relative to normal behavior.
  - 21. The method of claim 20, wherein the destination characteristics include one or more of attempted contact of a high number of destination hosts in adjacent address space relative to normal behavior, attempted contact of a high number of bogons relative to normal behavior, and attempted contact of a high number of destination hosts with unresolvable destination names relative to normal behavior.

22. A computer readable storage medium tangibly embodying program instructions implementing a method for detecting nodes in an enterprise network infected with aberrant code, the method comprising the steps of:
- obtaining traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
  
  determining normal source host behavior associated with one or more traffic conversation factors from the traffic conversation information;
  
  analyzing the traffic conversation information to identify nodes in the enterprise network executing source hosts that exhibit behavior outside of the normal source host behavior associated with the one or more traffic conversation factors as suspected infected nodes; and
  
  analyzing the traffic conversation information associated with the suspected infected nodes for destination characteristics indicative of aberrant code to identify any existing infected nodes.
- View Dependent Claims (23, 24)
- - 23. The computer readable storage medium of claim 22, wherein the one or more traffic conversation factors comprise one or more of attempted contact by a source host with a high number of destinations relative to normal behavior, a low variation in conversation size relative to normal behavior, a low variation in frame number per conversation relative to normal behavior, and a low variation in conversation size relative to normal behavior.
  - 24. The computer readable storage medium of claim 23, wherein the destination characteristics include one or more of attempted contact of a high number of destination hosts in adjacent address space relative to normal behavior, attempted contact of a high number of bogons relative to normal behavior, and attempted contact of a high number of destination hosts with unresolvable destination names relative to normal behavior.

25. An enterprise network comprising:
- one or more nodes;
  
  a data collector which obtains traffic conversation information representative of traffic conversation in the enterprise network over an analysis period;
  
  a statistical analyzer which determines normal behavior associated with one or more of a set of first traffic conversation factors from the traffic conversation information; and
  
  a traffic conversation information analyzer which analyzes the traffic conversation information to identify nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more of the set of first traffic conversation factors as suspected infected nodes.
- View Dependent Claims (26, 27, 28)
- - 26. The enterprise network of claim 25, further comprising:
    - an anomaly analyzer which analyzes the traffic conversation information associated with one or more respective suspected infected nodes for conversation anomalies to confirm or deny the presence of aberrant code on the respective suspected infected nodes.
  - 27. The enterprise network of claim 26, wherein:
    - the conversation anomalies comprise one or more of;
      
      attempted contact of a high number of destination hosts in adjacent address space relative to normal behavior, attempted contact of a high number of bogons relative to normal behavior, and attempted contact of a high number of destination hosts with unresolvable destination names relative to normal behavior.
  - 28. The enterprise network of claim 26, wherein:
    - the one or more traffic conversation factors comprise characteristics of source hosts; and
      
      the conversation anomalies comprise characteristics of destination hosts targeted by source hosts executing on the suspected infected nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Reves, Joseph

Granted Patent

US 9,467,462 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/252
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Traffic anomaly analysis for the detection of aberrant network code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Traffic anomaly analysis for the detection of aberrant network code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links