SYSTEM AND PROCESS FOR DETECTING ANOMALOUS NETWORK TRAFFIC

US 20100138919A1
Filed: 11/02/2007
Published: 06/03/2010
Est. Priority Date: 11/03/2006
Status: Abandoned Application

First Claim

Patent Images

1. A process for detecting anomalous network traffic in a communications network, the process including:

generating reference address distribution data representing a statistical distribution of source addresses of packets received over a first time period, the received packets being considered to represent normal network traffic;

generating second address distribution data representing a statistical distribution of source addresses of packets received over a second time period; and

determining whether the packets received over the second time period represent normal network traffic on the basis of a comparison of the second address distribution data and the reference address distribution data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process for detecting anomalous network traffic in a communications network, the process including: generating reference address distribution data representing a statistical distribution of source addresses of packets received over a first time period, the received packets being considered to represent normal network traffic; generating second address distribution data representing a statistical distribution of source addresses of packets received over a second time period; and determining whether the packets received over the second time period represent normal network traffic on the basis of a comparison of the second address distribution data and the reference address distribution data.

Citations

25 Claims

1. A process for detecting anomalous network traffic in a communications network, the process including:
- generating reference address distribution data representing a statistical distribution of source addresses of packets received over a first time period, the received packets being considered to represent normal network traffic;
  
  generating second address distribution data representing a statistical distribution of source addresses of packets received over a second time period; and
  
  determining whether the packets received over the second time period represent normal network traffic on the basis of a comparison of the second address distribution data and the reference address distribution data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The process of claim 1, wherein the statistical distributions of source addresses are statistical distributions of aggregated source addresses.
  - 3. The process of claim 2, wherein the source addresses have structure and are aggregated on the basis of said structure.
  - 4. The process of claim 1, wherein each of the statistical distributions of source addresses represents numbers of received packets or proportions of the total number of received packets having source address octets with corresponding values.
  - 5. The process of any of claim 1, wherein each of the statistical distributions of source addresses represents numbers or proportions of received packets having portions of source addresses with corresponding values.
  - 6. The process of claim 1, wherein the source addresses are aggregated on the basis of geographical locations associated with said source addresses.
  - 7. The process of claim 1, wherein said step of determining includes generating distribution distance data representing a measure of similarity of the reference address distribution data and the second address distribution data, and determining whether the packets received over the second time period represent normal network traffic on the basis of the distribution distance data.
  - 8. The process of claim 7, wherein said step of generating distribution distance data includes generating address subset distance data representing measures of similarity of respective portions of the reference address distribution data and corresponding portions of the second address distribution data, said portions corresponding to respective subsets of source addresses, said distribution distance data being generated from the address subset distance data.
  - 9. The process of claim 8, wherein the step of generating the distribution distance data from the address subset distance data includes generating a weighted linear combination of the respective measures of similarity.
  - 10. The process of claim 7, wherein said step of generating distance data includes determining a Mahalanobis distance between the two distributions.
  - 11. The process of claim 7, wherein said step of determining includes processing respective distribution distance data generated for successive second time periods to generate filtered distribution distance data, said step of determining whether the packets received over the second time period represent normal network traffic being based on the filtered distribution distance data to improve the reliability of said determining.
  - 12. The process of claim 11, wherein said step of processing includes generating a cumulative sum of the distribution distance data generated for successive second time periods.
  - 13. The process of claim 1, wherein each of said reference address distribution data and said second address distribution data includes count data representing numbers of received packets having source addresses falling within respective source address subsets, and proportion data representing proportions of received packets having source addresses falling within said respective source address subsets.
  - 14. The process of claim 1, wherein the process includes processing the reference address distribution data and the second address distribution data to generate updated reference address distribution data representing a statistical distribution of network addresses of packets received over an updated time period determined by extending the first time period to include the second time period, providing that said step of determining determines that the packets received over the second time period represent normal network traffic;
    - wherein subsequently the updated reference address distribution data is used as the reference address distribution data and the updated time period is used as the first time period.
  - 15. The process of claim 14, wherein the updated reference address distribution data is generated as a weighted linear combination of the reference address distribution data and the second address distribution data.
  - 16. The process of claim 15, wherein the process includes selecting, in response to determining that the packets received over the second time period do not represent normal network traffic, at least one subset of the source addresses of packets received over the second time period, the subset of source addresses being selected on the basis of the comparison of the second address distribution data and the reference address distribution data.
  - 17. The process of claim 16, including generating goodness values for respective selected source addresses, each of the goodness values representing a likelihood of packets having the corresponding source address representing abnormal network traffic.
  - 18. The process of claim 17, wherein said goodness values are generated based on prior visiting behaviour associated with the selected source addresses.
  - 19. The process of claim 18, including determining whether to block, rate-limit, or further process packets having each selected source address on the basis of said goodness value.
  - 20. The process of claim 1, wherein the step of determining whether the packets received over the second time period represent normal network traffic includes determining whether the packets received over the second time period may represent a denial of service attack.
  - 21. A computer-readable storage medium having stored thereon program instructions for executing the steps of claim 1.
  - 22. A system having components for executing the steps of claim 1.

23. A system for detecting anomalous network traffic in a communications network, the system including:
- a source address distribution generator for generating;
  
  reference address distribution data representing a statistical distribution of source addresses of packets received over a first time period, the received packets being considered to represent normal network traffic; and
  
  second address distribution data representing a statistical distribution of source addresses of packets received over a second time period; and
  
  a network traffic assessment component for determining whether the packets received over the second time period represent normal network traffic on the basis of a comparison of the second address distribution data and the reference address distribution data.
- View Dependent Claims (24, 25)
- - 24. The system of claim 23, wherein the source address distribution generator maintains address distribution data structures representing statistical distributions of source addresses of received packets, the address distribution data structures including a packet count data structure storing counts of received packets having source addresses falling within respective subsets of source addresses, and a packet proportion data structure storing proportions of the total number of received packets having source addresses falling within respective subsets of source addresses.
  - 25. The system of claim 24, wherein the subsets of source addresses correspond to respective octets of said source addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intelliguard I.T. Pty., Ltd.
Original Assignee
Intelliguard I.T. Pty., Ltd.
Inventors
Peng, Tao, Leckie, Christopher Andrew, Kotagiri, Ramamohanarao

Application Number

US12/513,501
Publication Number

US 20100138919A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 61/00   Network arrangements, proto...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

SYSTEM AND PROCESS FOR DETECTING ANOMALOUS NETWORK TRAFFIC

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND PROCESS FOR DETECTING ANOMALOUS NETWORK TRAFFIC

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links