NETWORK ACTIVITY ANOMALY DETECTION

US 20090180391A1
Filed: 01/16/2008
Published: 07/16/2009
Est. Priority Date: 01/16/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method for determining whether anomalous activity exists on a network, comprising:

receiving a packet from the network, the packet including one or more fields;

determining a classification of the packet based on the one or more fields;

incrementing, based on the classification, a first counter of one or more counters associated with detecting the anomalous activity;

determining, based on the incrementing, an activity metric associated with the one or more counters wherein the activity metric is anticipated to fall within a threshold; and

determining whether the anomalous activity exists on the network based on whether the activity metric falls within the threshold.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for determining whether anomalous activity exists on a network includes receiving a packet from the network, the packet including one or more fields. A classification of the packet based on the one or more fields is determined. A first counter of one or more counters associated with detecting the anomalous activity is incremented based on the classification. An activity metric associated with the one or more counters is determined based on the incrementing, wherein the activity metric is anticipated to fall within a threshold. Whether the anomalous activity exists on the network is determined based on whether the activity metric falls within the threshold.

Citations

20 Claims

1. A method for determining whether anomalous activity exists on a network, comprising:
- receiving a packet from the network, the packet including one or more fields;
  
  determining a classification of the packet based on the one or more fields;
  
  incrementing, based on the classification, a first counter of one or more counters associated with detecting the anomalous activity;
  
  determining, based on the incrementing, an activity metric associated with the one or more counters wherein the activity metric is anticipated to fall within a threshold; and
  
  determining whether the anomalous activity exists on the network based on whether the activity metric falls within the threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein determining the classification comprises comparing the one or more fields to one or more classification rules associated with the classification.
  - 3. The method of claim 1 wherein, incrementing the first counter comprises:
    - receiving a first packet from the network, the first packet being associated with a first classification;
      
      receiving a second packet from the network, the second packet being associated with the first classification;
      
      determining a rate between the receiving the first packet and the receiving the second packet; and
      
      tracking the rate via the first counter.
  - 4. The method of claim 1, wherein incrementing the first counter comprises signaling the first counter to increment.
  - 5. The method of claim 1, wherein incrementing the counter comprises:
    - determining, based on the classification, that the first counter is associated with the packet; and
      
      incrementing the first counter.
  - 6. The method of claim 1, wherein determining the activity metric comprises determining a difference between two or more of the counters.
  - 7. The method of claim 1, wherein determining the activity metric comprises determining a ratio between two or more of the counters.
  - 8. The method of claim 1, wherein the determining, based on the incrementing the activity metric comprises determining a ratio between a first counter incremented based on a receipt of a first transmission control packet and a second counter incremented based on a receipt of a second transmission control packet.
  - 9. The method of claim 1, further comprising determining a response to the anomalous activity based on a determination that the activity metric exceeds the threshold.
  - 10. The method of claim 1 comprising:
    - hashing the one or more fields of the packet to determine the classification, wherein the classification is associated with a flow of one or more packets comprising similar values in the one or more fields; and
      
      incrementing, based on the classification, the first counter associated with the flow.

11. A network device associated comprising:
- a parser configured to parse a packet into one or more fields;
  
  a classification module configured to determine a classification of the packet based on the one or more fields;
  
  an action table including the classification of the packet and one or more corresponding actions;
  
  a monitor configured to determine when a counter is incremented based on the corresponding actions, wherein the counter is associated with a set of one or more counters;
  
  an activity engine configured to determine, based on the set of one or more counters and including the incremented counter, an activity metric associated with the packet; and
  
  comparison logic configured to determine whether anomalous activity exists on the network based on a comparison of the activity metric to a threshold associated with the anomalous activity.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The network device of claim 11, wherein the parser is configured to receive the packet.
  - 13. The network device of claim 11, wherein the classification module is configured to compare the one or more fields to one or more rules associated with classifying the packet.
  - 14. The network device of claim 13, wherein the one or more rules correspond to one or more of the actions.
  - 15. The network device of claim 11, wherein the action table comprises one or more rules associated with the classification of the packet and the one or more corresponding actions.
  - 16. The network device of claim 11, wherein the monitor is configured to determine which of a plurality of counters is included in the set of one or more counters.
  - 17. The network device of claim 11, wherein the activity engine is configured to:
    - retrieve values from each of the set one or more counters associated with the incremented counter, including the incremented counter; and
      
      compute the activity metric based on the retrieved values.
  - 18. The network device of claim 11, further comprising a response module configured to determine a response to the anomalous activity based on the comparison of the activity metric to the threshold.

19. A computer program product for detecting anomalous activity on a network, the computer program product being tangibly embodied on a computer-readable medium configured to cause a data processing apparatus to detect the anomalous activity on the network, the computer program product configured to:
- determine a classification of a packet received from the network based on one or more classification rules associated with the classification;
  
  determine one or more actions to be performed based on the classification, the one or more actions including incrementing a first counter of a plurality of counters associated with detecting the anomalous activity;
  
  determine an activity metric based on the plurality of counters, wherein the activity metric is anticipated to fall within a threshold; and
  
  determine a response to the anomalous activity based upon a determination that the activity metric falls beyond the threshold.
- View Dependent Claims (20)
- - 20. The computer program product of claim 19, wherein the computer program product is configured to determine the response to the anomalous activity, wherein the response is anticipated to offset at least a portion of the anomalous activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies General IP PTE Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Chung, Edgar, Petersen, Brian

Application Number

US12/015,387
Publication Number

US 20090180391A1
Time in Patent Office

Days
Field of Search
US Class Current

370/252
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 41/5022   by giving priorities, e.g. ...

H04L 41/5025   by proactively reacting to ...

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/16   Threshold monitoring

NETWORK ACTIVITY ANOMALY DETECTION

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK ACTIVITY ANOMALY DETECTION

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links