DETECTION OF NETWORK ADDRESS SPOOFING AND FALSE POSITIVE AVOIDANCE

US 20110088092A1
Filed: 10/14/2009
Published: 04/14/2011
Est. Priority Date: 10/14/2009
Status: Active Grant

First Claim

Patent Images

1. A method for detection of network address spoofing and false positive avoidance in a network, the network including one or more hosts and a network management system, the method comprising:

identifying a suspicious host in the network by the network management system;

detecting a condition indicative of network address spoofing by the suspicious host;

determining whether the condition is expected in normal traffic of the network; and

determining the suspicious host generated normal traffic in response to determining the condition is expected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detection of network address spoofing and false positive avoidance in a network is described herein. The network may include one or more hosts and a network management system. The network management system may identify a suspicious host in the network. A condition indicative of network address spoofing by the suspicious host may be detected. It may be determined whether the spoofing condition is expected in normal traffic of the network. In response to a determination that the spoofing condition is expected, it is determined that the suspicious host generated normal traffic.

79 Citations

View as Search Results

20 Claims

1. A method for detection of network address spoofing and false positive avoidance in a network, the network including one or more hosts and a network management system, the method comprising:
- identifying a suspicious host in the network by the network management system;
  
  detecting a condition indicative of network address spoofing by the suspicious host;
  
  determining whether the condition is expected in normal traffic of the network; and
  
  determining the suspicious host generated normal traffic in response to determining the condition is expected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein identifying the suspicious host comprises:
    - inspecting a plurality of traffic summaries, each traffic summary associated with one or more data packets traversing the network, wherein each traffic summary includes a source MAC address, a source IP address; and
      
      a time to live (TTL) value;
      
      tracking the source MAC address, the source IP address; and
      
      the TTL value of each traffic summary in a hash map;
      
      detecting a source MAC address in the hash map that is associated with multiple varying source IP addresses; and
      
      identifying the source MAC address that is associated with multiple varying source IP addresses as the suspicious host.
  - 3. The method of claim 2, wherein the TTL value is correlated with a computer operating system of a host of the one or more hosts in the network which generated the data packet.
  - 4. The method of claim 1, wherein detecting the condition comprises determining that the suspicious host is associated with a plurality of varying TTL values.
  - 5. The method of claim 1, wherein determining whether the condition is expected comprises determining whether the suspicious host is a router.
  - 6. The method of claim 1, wherein determining whether the condition is expected comprises:
    - comparing a plurality of TTL values associated with the suspicious host to a list of TTL values correlated with computer operating systems; and
      
      determining the condition is not expected where a TTL value of the plurality of TTL values associated with the suspicious host appears on the list of TTL values correlated with computer operating systems.
  - 7. The method of claim 1, wherein determining whether the condition is expected comprises:
    - compare the source MAC address of the suspicious host to a list of MAC addresses of known routers in the network; and
      
      determining the condition is expected where the source MAC address of the suspicious host appears on the list.
  - 8. The method of claim 1, further comprising:
    - disable access to the network by the suspicious host.
  - 9. The method of claim 1, wherein detecting the condition comprises detecting an out-of-sequence reset flag in a traffic summary of a plurality of traffic summaries, each traffic summary associated with one or more data packets traversing the network.
  - 10. The method of claim 1, wherein determining whether the condition is expected comprises:
    - determining a number of out-of-sequence reset flags detected during a time interval;
      
      comparing the number of out-of-sequence reset flags with a threshold; and
      
      determining the condition is not expected in normal traffic of the network where the number of out-of-sequence reset flags exceeds the threshold.

11. A system for detection of network address spoofing in a network, the network including one or more hosts and a plurality of network devices, the system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory configured to store an electronic document;
  
  wherein the processor is configured to;
  
  identify a suspicious host in the network by the network management system;
  
  detect a condition indicative of network address spoofing by the suspicious host;
  
  determine whether the condition is expected in normal traffic of the network; and
  
  determine the suspicious host generated normal traffic in response to determining the condition is expected.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein the processor is configured to detect the condition by determining that the suspicious host is associated with a plurality of varying TTL values, and wherein the processor is configured to determine whether the condition is expected comprises determining whether the suspicious host is a router.
  - 13. The system of claim 11, wherein the processor is configured to detect the condition by detecting an out-of-sequence reset flag in a traffic summary of a plurality of traffic summaries, each traffic summary associated with one or more data packets traversing the network.
  - 14. The system of claim 11, wherein the processor is configured to determine whether the condition is expected by:
    - determining a number of out-of-sequence reset flags detected during a time interval;
      
      comparing the number of out-of-sequence reset flags with a threshold; and
      
      determining the condition is not expected in normal traffic of the network where the number of out-of-sequence reset flags exceeds the threshold.

15. A computer-readable medium storing a plurality of instructions for detection of network address spoofing and false positive avoidance in a network, the network including one or more hosts and a network management system, the plurality of instructions comprising:
- instructions that cause the data processor to identify a suspicious host in the network by the network management system;
  
  instructions that cause the data processor to detect a condition indicative of network address spoofing by the suspicious host;
  
  instructions that cause the data processor to determine whether the condition is expected in normal traffic of the network; and
  
  instructions that cause the data processor to determining the suspicious host generated normal traffic in response to determining the condition is expected.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, wherein the instructions that cause the data processor to detect the condition comprises:
    - instructions that cause the data processor to determine that the suspicious host is associated with a plurality of varying TTL values.
  - 17. The computer-readable medium of claim 15, wherein the instructions that cause the data processor to determine whether the condition is expected comprises:
    - instructions that cause the data processor to determine whether the suspicious host is a router.
  - 18. The computer-readable medium of claim 15, wherein the instructions that cause the data processor to determine whether the condition is expected comprises:
    - instructions that cause the data processor to compare a plurality of TTL values associated with the suspicious host to a list of TTL values correlated with computer operating systems; and
      
      instructions that cause the data processor to determine the condition is not expected where a TTL value of the plurality of TTL values associated with the suspicious host appears on the list of TTL values correlated with computer operating systems.
  - 19. The computer-readable medium of claim 15, wherein the instructions that cause the data processor to detect the condition comprises:
    - instructions that cause the data processor to detect an out-of-sequence reset flag in a traffic summary of a plurality of traffic summaries, each traffic summary associated with one or more data packets traversing the network.
  - 20. The computer-readable medium of claim 15, wherein the instructions that cause the data processor to determine whether the condition is expected comprises:
    - instructions that cause the data processor to determine a number of out-of-sequence reset flags detected during a time interval;
      
      instructions that cause the data processor to compare the number of out-of-sequence reset flags with a threshold; and
      
      instructions that cause the data processor to determine the condition is not expected in normal traffic of the network where the number of out-of-sequence reset flags exceeds the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Nguyen, Lynette, Nguyen, Ted T.

Granted Patent

US 9,413,616 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

DETECTION OF NETWORK ADDRESS SPOOFING AND FALSE POSITIVE AVOIDANCE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION OF NETWORK ADDRESS SPOOFING AND FALSE POSITIVE AVOIDANCE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links