Centralized Analysis and Management of Network Packets

US 20100097945A1
Filed: 10/21/2008
Published: 04/22/2010
Est. Priority Date: 10/21/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a computer, cause the computer to:

store a plurality of packets as identified by a plurality of packet-detecting devices within at least one network;

define at least one baseline behavior pattern applicable to behavior of the network;

define at least one threshold applicable to deviation of the behavior of the network from the baseline behavior pattern;

performing a centralized analysis of the packets to identify at least one deviation in the behavior patterns that exceed the threshold; and

identify at least one attack against the network, as exhibited by the deviations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This description provides tools and techniques for centralized analysis and management of network packets. These tools may provide methods that include storing network packets as identified by packet-detecting devices within networks. These methods may also define baseline behavior patterns applicable to the network, as well as thresholds applicable to deviations in network behavior, relative to the baseline behavior patterns. These methods may also identify attacks against the network, as exhibited by deviations in the behavior patterns that exceed the threshold.

Citations

20 Claims

1. A computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a computer, cause the computer to:
- store a plurality of packets as identified by a plurality of packet-detecting devices within at least one network;
  
  define at least one baseline behavior pattern applicable to behavior of the network;
  
  define at least one threshold applicable to deviation of the behavior of the network from the baseline behavior pattern;
  
  performing a centralized analysis of the packets to identify at least one deviation in the behavior patterns that exceed the threshold; and
  
  identify at least one attack against the network, as exhibited by the deviations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The storage medium of claim 1, further comprising instructions for remediating the deviation in behavior across the network.
  - 3. The storage medium of claim 2, wherein the instructions for remediating the deviation include instructions for reconfiguring at least one packet-detecting element within the network.
  - 4. The storage medium of claim 2, wherein the instructions for remediating the deviation include instructions for reconfiguring at least one packet-deterring element within the network.
  - 5. The storage medium of claim 2, wherein the instructions for remediating the deviation include instructions for notifying at least one network element that is originating the packets.
  - 6. The storage medium of claim 2, wherein the instructions for remediating the deviation include instructions for enforcing a rate limiting scheme applicable to least one port receiving discarded packets.
  - 7. The storage medium of claim 2, wherein the instructions for remediating the deviation include instructions for allocating or de-allocating network capacity to at least one component within the network.
  - 8. The storage medium of claim 1, wherein the instructions for defining a baseline behavior pattern and a threshold include instructions for defining at least one baseline and threshold applicable to at least one particular day of a week.
  - 9. The storage medium of claim 1, wherein the instructions for defining a baseline behavior pattern and a threshold include instructions for defining at least one baseline and threshold applicable to at least one particular day within a month.
  - 10. The storage medium of claim 1, wherein the instructions for defining a baseline behavior pattern and a threshold include instructions for defining at least one baseline and threshold applicable to at least one recurring event.
  - 11. The storage medium of claim 1, wherein the instructions for defining a baseline behavior pattern and a threshold include instructions for defining at least one baseline and threshold applicable to at least one non-recurring event.
  - 12. The storage medium of claim 1, wherein the instructions for defining a baseline behavior pattern and a threshold include instructions for defining at least one baseline and threshold applicable to at least one induced spike in network traffic.

13. A centralized packet analysis system for offloading, from a plurality of network elements, overhead associated with analyzing a plurality of identified packets to identify deviations in behavior within at least one network, the system comprising:
- means for receiving the packets as identified by the network elements;
  
  means for defining at least one baseline behavior pattern applicable to behavior of the network;
  
  means for defining at least one threshold applicable to deviation of the behavior of the network from the baseline behavior pattern;
  
  means for performing a centralized analysis of the packets to identify at least one deviation in the behavior patterns that exceed the threshold; and
  
  means for identifying at least one attack against the network, as exhibited by the deviations.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The centralized packet analysis system of claim 13, wherein the means for identifying at least one attack include means for identifying predefined patterns appearing within the identified packets, wherein the predefined patterns are associated with particular types of attacks.
  - 15. The centralized packet analysis system of claim 13, further comprising means for remediating the deviation in behavior across the network, and further comprising means for storing information representing the remediation in a remediation history.
  - 16. The centralized packet analysis system of claim 15, further comprising means for identifying a change in tactics exhibited by an attacker perpetrating the attack against the network, based at least in part on the remediation history.
  - 17. The centralized packet analysis system of claim 16, further comprising means for identifying a change in tactics exhibited by an attacker perpetrating the attack against the network, based at least in part on the remediation history.
  - 18. The centralized packet analysis system of claim 17, further comprising means for correlating the change in tactics with at least one previous remediation, and further comprising means for remediating against the change in tactics.
  - 19. The centralized packet analysis system of claim 13, further comprising means for predicting future behavior of the network, based at least in part on analyzing the packets.
  - 20. The centralized packet analysis system of claim 19, further comprising means for proactively configuring at least one network element in response to the predicted future behavior of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Mohamed, Dagash, Raftelis, Michael

Granted Patent

US 8,085,681 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/252
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

Centralized Analysis and Management of Network Packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized Analysis and Management of Network Packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links