NETWORK SURVEILLANCE

US 20100050248A1
Filed: 09/21/2009
Published: 02/25/2010
Est. Priority Date: 11/09/1998
Status: Active Grant

First Claim

Patent Images

1. A method of network surveillance, comprising:

monitoring an event stream derived from network packets;

building a long-term statistical profile and multiple short-term statistical profiles from at least one measure of said event stream;

comparing one of the multiple short-term statistical profiles with the long-term statistical profile; and

determining whether the difference between the one of the multiple short-term statistical profiles and the long-term statistical profile indicates suspicious network activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.

101 Citations

View as Search Results

20 Claims

1. A method of network surveillance, comprising:
- monitoring an event stream derived from network packets;
  
  building a long-term statistical profile and multiple short-term statistical profiles from at least one measure of said event stream;
  
  comparing one of the multiple short-term statistical profiles with the long-term statistical profile; and
  
  determining whether the difference between the one of the multiple short-term statistical profiles and the long-term statistical profile indicates suspicious network activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said network packets are one or more TCP/IP packets.
  - 3. The method of claim 1, wherein said at least one measure monitors data transfers by monitoring said event stream as derived from one or more network packet data transfer commands.
  - 4. The method of claim 1, wherein said at least one measure monitors data transfers by monitoring said event stream as derived from one or more network packet data transfer errors.
  - 5. The method of claim 1, wherein said at least one measure monitors data transfers by monitoring said event stream as derived from a network packet data transfer volume.
  - 6. The method of claim 1, wherein said at least one measure monitors network connections by monitoring said event stream as derived from one or more network connection requests.
  - 7. The method of claim 1, wherein said at least one measure monitors network connections by monitoring said event stream as derived from one or more network connection denials.
  - 8. The method of claim 1, wherein said at least one measure monitors network connections by monitoring said event stream as derived from a correlation of one or more network connections requests and one or more network connection denials.
  - 9. The method of claim 1, wherein said at least one measure monitors errors by monitoring said event stream as derived from one or more error codes included in a network packet.

10. A method of network surveillance, comprising:
- receiving network packets handled by a network entity;
  
  partitioning the network packets into one or more sessions representing a communication transaction between two hosts;
  
  building at least one short-term statistical profile and at least one long-term statistical profile from at least one measure of the network packets;
  
  comparing at least one long-term and at least one short-term statistical profile; and
  
  determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, wherein said at least one measure monitors network connections by monitoring one or more source port numbers and one or more destination port numbers included in a network packet.
  - 12. The method of claim 11, further comprising:
    - using said one or more source port numbers and said one or more destination port numbers to determine one or more port numbers on a host to which an administrator has not assigned any network service.
  - 13. The method of claim 10, wherein said step of receiving network packets comprises receiving only a network packet header for each of said network packets.
  - 14. The method of claim 10, wherein said partitioning further comprises further step determining from the network packets which party of the two hosts is a client and which of the two hosts is a server in a given one of the one of the one or more sessions.
  - 15. The method of claim 10, wherein said at least one measure monitors data transfers by monitoring one or more network packet data transfer commands.
  - 16. The method of claim 10, wherein said at least one measure monitors data transfers by monitoring one or more network packet data transfer errors.
  - 17. The method of claim 10, wherein said at least one measure monitors data transfers by monitoring B. network packet data transfer volume.
  - 18. The method of claim 10, wherein said at least one measure monitors network connections by monitoring one or more network connection requests.
  - 19. The method of claim 10, wherein said at least one measure monitors network connections by monitoring network one or more connection denials.

20. A method of network surveillance, comprising:
- monitoring network packets handled by a network entity;
  
  building at least one long-term statistical profile and at least one short-term statistical profile from at least one measure of the network packets, wherein said building step accounts for timing of said network packets being received by the network entity;
  
  comparing said at least one short-term statistical profile with said at least one long-term statistical profile; and
  
  determining whether the difference between said at least one short-term statistical profile and said at least one long-term statistical profile indicates suspicious network activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Valdes, Alfonso De Jesus, Porras, Phillip Andrew

Granted Patent

US 9,407,509 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/0811   by checking connectivity

H04L 43/0888   Throughput

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

NETWORK SURVEILLANCE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

NETWORK SURVEILLANCE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others