Identification of potential network threats using a distributed threshold random walk
Abstract
In general, the invention is directed to techniques for identifying an infected network device in a computer network where traffic to and from the infected device is not necessarily routed through a single point on the network. For example, individual line cards in the participating network devices record, in host tables, the network flows they observe from and to each host. The host tables of all line cards of all participating network devices are then correlated. It is then determined whether the number of flows sourced by a network device outweighs the number of flows sent to it to a significant degree. If so, the network device may be considered suspicious. Packets from a suspicious network device may be rerouted to a network security device for more thorough inspection.
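The abstract describes three steps: per-line-card host tables, correlation of those tables across all participating devices, and a threshold on the difference between flows sourced by a host and flows sent to it. The Python below is an added illustration of those steps and is not code from the patent or its assignee. It assumes a 5-tuple as the flow identity, merges tables by taking the union of flow keys so a flow that crosses two participating cards is counted once (the abstract does not say how that case is handled), uses a threshold of 5, and runs on constructed sample traffic: an ordinary HTTPS client, a host sweeping tcp/445, and an asymmetric path where requests cross one card and replies another. It shows why the correlation step matters: any single card sees only one direction of the conversation, so the local difference is lopsided even for a well-behaved host, while the merged view isolates the scanning host.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class FlowKey(NamedTuple):
    """One unidirectional flow; the 5-tuple is the assumed identity used for de-duplication."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


class HostTable:
    """Per-line-card host table: for each host, the distinct flows it sourced and received."""

    def __init__(self) -> None:
        self.sourced: Dict[str, Set[FlowKey]] = defaultdict(set)
        self.received: Dict[str, Set[FlowKey]] = defaultdict(set)

    def record(self, flow: FlowKey) -> None:
        self.sourced[flow.src].add(flow)
        self.received[flow.dst].add(flow)

    def difference(self, host: str) -> int:
        # flows sourced by the host minus flows sent to the host (the quantity in claim 1)
        return len(self.sourced.get(host, ())) - len(self.received.get(host, ()))

    def hosts(self) -> Set[str]:
        return set(self.sourced) | set(self.received)


def correlate(tables: Iterable[HostTable]) -> HostTable:
    """Merge the host tables of all participating line cards. Union by flow key, so a
    flow that crosses two participating cards is counted once (an assumption; the
    abstract does not say how that case is handled)."""
    merged = HostTable()
    for table in tables:
        for host, flows in table.sourced.items():
            merged.sourced[host] |= flows
        for host, flows in table.received.items():
            merged.received[host] |= flows
    return merged


def suspicious_hosts(table: HostTable, threshold: int) -> List[str]:
    """Hosts whose (sourced - received) difference exceeds the first threshold."""
    return sorted(h for h in table.hosts() if table.difference(h) > threshold)


def reroute_overrides(flagged: Iterable[str], inspection_next_hop: str) -> Dict[str, str]:
    """Per-source forwarding overrides: traffic from a flagged host is steered to the
    network security device instead of its normal next hop (assumed representation)."""
    return {host: inspection_next_hop for host in flagged}


def build_demo_cards() -> Dict[str, HostTable]:
    """Constructed sample traffic. Routing is asymmetric: client->server packets cross
    card A (and again card C, one hop downstream); replies come back through card B."""
    a, b, c = HostTable(), HostTable(), HostTable()
    # 10.0.0.5 is an ordinary HTTPS client: 6 connections out, all 6 answered.
    for i in range(6):
        out = FlowKey("10.0.0.5", "203.0.113.10", 40000 + i, 443, "tcp")
        a.record(out)
        c.record(out)  # same flow observed a second time downstream
        b.record(FlowKey("203.0.113.10", "10.0.0.5", 443, 40000 + i, "tcp"))
    # 10.0.0.9 sweeps 40 addresses on tcp/445; only two of them answer.
    for i in range(40):
        probe = FlowKey("10.0.0.9", f"10.0.1.{i + 1}", 50000 + i, 445, "tcp")
        a.record(probe)
        if i < 20:
            c.record(probe)
        if i < 2:
            b.record(FlowKey(f"10.0.1.{i + 1}", "10.0.0.9", 445, 50000 + i, "tcp"))
    return {"A": a, "B": b, "C": c}


if __name__ == "__main__":
    cards = build_demo_cards()
    threshold = 5  # assumed value of the first threshold
    for name, card in cards.items():
        print(f"card {name} alone flags: {suspicious_hosts(card, threshold)}")
    merged = correlate(cards.values())
    flagged = suspicious_hosts(merged, threshold)
    print(f"correlated view flags: {flagged}")
    print(f"forwarding overrides: {reroute_overrides(flagged, 'security-device')}")
```

Run stand-alone, card A and card C each flag both the client and the scanner (they see only outbound flows), card B flags the web server (it sees only replies), and the correlated table flags only 10.0.0.9, whose difference of 38 is the 40 probes minus the 2 replies. The client's flows seen on both A and C collapse to 6 after the union, so double observation along a path does not inflate its count.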
41 Claims
1. A method comprising:
recording, with a plurality of intermediate devices located on a set of asymmetrically routed paths within a network, a number of network flows sourced by a host device on the network and a number of network flows sent to the host device on the network;
determining whether a difference between the number of network flows sourced by the host device and the number of network flows sent to the host device exceeds a first threshold; and
rerouting network traffic from the host device when the difference exceeds the first threshold.
Dependent claims: 2 to 19.
20. A network device, wherein the network device is a member of a plurality of intermediate devices located on a set of asymmetrically routed paths within a network; and wherein the network device comprises:
a device correlation module to record a number of flows sourced by a host device on the network and the number of network flows sent to the host device on the network;
a threat identification module to determine whether a difference between a number of network flows sourced by a host device on a network via a plurality of network paths and a number of network flows sent to the host device on the network via the plurality of network paths exceeds a first threshold; and
a traffic redirection module to reroute network traffic from the host device to a network security device when the threat identification module determines that the difference exceeds the first threshold.
Dependent claims: 21 to 38.
39. A computer-readable medium comprising instructions, the instructions causing a programmable processor to:
record, with a plurality of intermediate devices located on a set of asymmetrically routed paths within a network, a number of network flows sourced by a host device on the network and a number of network flows sent to the host device on the network;
determine whether a difference between a number of network flows sent from a host device on a network via a plurality of network paths and a number of network flows sent to the host device on the network via the plurality of network paths exceeds a first threshold; and
reroute network traffic from the host device to a network security device when it is determined that the difference exceeds the first threshold.
Dependent claims: 40 and 41.
Specification