SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY

US 20100191850A1
Filed: 04/01/2010
Published: 07/29/2010
Est. Priority Date: 03/10/2004
Status: Active Grant

First Claim

Patent Images

1. A system for detecting aberrant network, comprising:

a processor;

a first network interface coupled to the processor, wherein the first network interface is coupled to one or more clients;

a memory accessible by the processor;

wherein the system is configured to;

receive network communications at the first network interface, wherein each of the network communications is associated with a first client;

determine if aberrant network behavior is occurring with respect to the first client wherein determining if the network behavior is aberrant comprises;

analyzing the received network communications based upon one or more rules to determine if the network communications match any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication associated with the first client matches a first rule;

updating a first set of statistical information associated with the first client, wherein the first set of statistical information is accumulated over a time period and is associated with at least the first rule of the one or more rules; and

applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting aberrant network behavior. One embodiment provides a system of detecting aberrant network behavior behind a network access gateway comprising a processor, a first network interface coupled to the processor, a second network interface coupled to the processor, a storage media accessible by the processor and a set of computer instructions executable by the processor. The computer instructions can be executable to observe network communications arriving at the first network interface from multiple clients and determine when the traffic of a particular client is indicative of malware infection or other hostile network activity. If the suspicious network communication is determined to be of a sufficient volume, type, or duration the computer instructions can be executable to log such activity to storage media, or to notify an administrative entity via either the first network interface or second network interface, or to make the computer instructions be executable to perform other configured actions related to the functioning of the network access gateway.

Citations

21 Claims

1. A system for detecting aberrant network, comprising:
- a processor;
  
  a first network interface coupled to the processor, wherein the first network interface is coupled to one or more clients;
  
  a memory accessible by the processor;
  
  wherein the system is configured to;
  
  receive network communications at the first network interface, wherein each of the network communications is associated with a first client;
  
  determine if aberrant network behavior is occurring with respect to the first client wherein determining if the network behavior is aberrant comprises;
  
  analyzing the received network communications based upon one or more rules to determine if the network communications match any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication associated with the first client matches a first rule;
  
  updating a first set of statistical information associated with the first client, wherein the first set of statistical information is accumulated over a time period and is associated with at least the first rule of the one or more rules; and
  
  applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the first set of statistical information is associated with a second client.
  - 3. The system of claim 2, wherein the first set of statistical information is associated with a second rule.
  - 4. The system of claim 2, further configured to:
    - receive network communications at the first network interface, wherein each of the network communications is associated with the second client;
      
      determine if aberrant network behavior is occurring with respect to the second client wherein determining if the network behavior is aberrant comprises;
      
      analyzing the received network communications based upon the one or more rules to determine if the network communication matches any of the one or more rules, wherein the one or more rules are configured to identify particular network communications, andif a network communication associated with the second client matches the second rule updating the first set of statistical information; and
      
      applying the set of conditions to the first set of statistical information.
  - 5. The system of claim 1, wherein the first statistical information comprises a first set of lists.
  - 6. The system of claim 5, wherein the first set of lists corresponds to the first client.
  - 7. The system of claim 6, wherein updating the first set of statistical information comprises updating a first list of the first set of lists wherein the first list is associated with at least the first rule of the one or more rules.

8. A method for detecting aberrant network in a first network interface coupled to one or more clients, comprising:
- a processor;
  
  a first network interface coupled to the processor, wherein the first network interface is coupled to one or more clients;
  
  a memory accessible by the processor comprising computer readable instructions to;
  
  receive network communications at the first network interface, wherein each of the network communications is associated with a first client;
  
  determine if aberrant network behavior is occurring with respect to the first client wherein determining if the network behavior is aberrant comprises;
  
  analyzing the received network communications based upon one or more rules to determine if the network communication matches any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication associated with the first client matches a first rule;
  
  updating a first set of statistical information associated with the first client, wherein the first set of statistical information is accumulated over a time period and is associated with at least the first rule of the one or more rules; and
  
  applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the first set of statistical information is associated with a second client.
  - 10. The method of claim 9, wherein the first set of statistical information is associated with a second rule.
  - 11. The method of claim 9, further comprising instructions to:
    - receive network communications at the first network interface, wherein each of the network communications is associated with the second client;
      
      determine if aberrant network behavior is occurring with respect to the second client wherein determining if the network behavior is aberrant comprises;
      
      analyzing the received network communications based upon the one or more rules to determine if the network communication matches any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication associated with the second client matches the second rule updating the first set of statistical information; and
      
      applying the set of conditions to the first set of statistical information.
  - 12. The method of claim 8, wherein the first statistical information comprises a first set of lists.
  - 13. The method of claim 12, wherein the first set of lists corresponds to the first client.
  - 14. The method of claim 13, wherein updating the first set of statistical information comprises updating a first list of the first set of lists wherein the first list is associated with at least the first rule of the one or more rules.

15. A tangible computer readable medium comprising instructions to:
- receive network communications at the first network interface, wherein each of the network communications is associated with a first client;
  
  determine if aberrant network behavior is occurring with respect to the first client wherein determining if the network behavior is aberrant comprises;
  
  analyzing the received network communications based upon one or more rules to determine if the network communication matches any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication associated with the first client matches a first rule;
  
  updating a first set of statistical information associated with the first client, wherein the first set of statistical information is accumulated over a time period and is associated with at least the first rule of the one or more rules; and
  
  applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer readable medium of claim 15, wherein the first set of statistical information is associated with a second client.
  - 17. The computer readable medium of claim 16, wherein the first set of statistical information is associated with a second rule.
  - 18. The computer readable medium of claim 16, receive network communications at the first network interface, wherein each of the network communications is associated with the second client;
    - determine if aberrant network behavior is occurring with respect to the second client wherein determining if the network behavior is aberrant comprises;
      
      analyzing the received network communications based upon the one or more rules to determine if the network communication matches any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication associated with the second client matches the second rule updating the first set of statistical information; and
      
      applying the set of conditions to the first set of statistical information.
  - 19. The computer readable medium of claim 15, wherein the first statistical information comprises a first set of lists.
  - 20. The computer readable medium of claim 19, wherein the first set of lists corresponds to the first client.
  - 21. The computer readable medium of claim 20, wherein updating the first set of statistical information comprises updating a first list of the first set of lists wherein the first list is associated with at least the first rule of the one or more rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OpenTV, Inc. (Kudelski SA)
Original Assignee
Eric White
Inventors
Tonnesen, Steven D.

Granted Patent

US 8,060,607 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links