DETECTING SUSPICIOUS NETWORK ACTIVITY USING FLOW SAMPLING
First Claim
1. A method for network security, comprising:
receiving flow sampled network traffic from a plurality of network devices with a network monitoring computing device for network traffic among a plurality of computing devices;
comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device; and
detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device.
2 Assignments
0 Petitions
Abstract
Methods, media, and computing devices for network security can include receiving flow sampled network traffic from multiple network devices with a network monitoring computing device for network traffic among multiple computing devices, comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device, and detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device. Alternatively, a suspicious network activity list can be maintained for flow sampled network traffic having source and destination ports exceptional to the list of approved ports. Alternatively, a network administrator can be alerted when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number.
33 Citations
15 Claims
1. A method for network security, comprising:
receiving flow sampled network traffic from a plurality of network devices with a network monitoring computing device for network traffic among a plurality of computing devices;
comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device; and
detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A non-transitory computing device readable medium storing instructions for network security executable by a computing device to cause the computing device to:
receive flow sampled network traffic from a plurality of network devices for network traffic among a plurality of computing devices;
compare source ports and destination ports in the flow sampled network traffic to a list of approved ports; and
maintain a suspicious network activity list for flow sampled network traffic having source and destination ports exceptional to the list of approved ports.
(Dependent claims: 9, 10, 11, 12)

13. A network monitoring computing device for network security, comprising:
memory resources;
processing resources coupled to the memory resources to:
compare source ports and destination ports in flow sampled network traffic to a list of approved ports;
maintain a suspicious network activity list for flow sampled network traffic received from a plurality of network devices, the flow sampled network traffic having source ports and destination ports exceptional to the list of approved ports; and
alert a network administrator when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number.
(Dependent claims: 14, 15)
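The abstract and independent claims describe one procedure: compare the source and destination port of each sampled flow against an approved-port list, flag flows whose ports are both outside that list, keep a list of the ports involved, and alert when adding a port pushes the list past a threshold. The following is an added example implementing that procedure; it is not code from the patent or its assignee. The `FlowSample` record layout, the `APPROVED_PORTS` set, the threshold value, the sample records and the choice to key the suspicious list on the lower-numbered port are all assumptions made for this illustration.

```python
"""Port-based suspicious-flow detection over sampled flow records.

Added illustration of the procedure described in the abstract and claims.
It is not code from the patent; the record layout, approved-port list,
threshold and sample data are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class FlowSample:
    """One sampled flow record, in the shape a collector might export (assumed layout)."""
    device: str      # exporting network device
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# Approved ports (assumption: a real deployment derives this from its service inventory)
APPROVED_PORTS: Set[int] = {22, 25, 53, 80, 123, 443}


@dataclass
class PortMonitor:
    approved: Set[int]
    threshold: int
    # suspicious network activity list: listed port -> sampled flows that used it
    suspicious: Dict[int, List[FlowSample]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def is_suspicious(self, flow: FlowSample) -> bool:
        # Claim 1 wording: BOTH the source port AND the destination port must be
        # outside the approved list. A flow with one approved end (e.g. a client
        # ephemeral port talking to 443) is therefore not flagged.
        return flow.src_port not in self.approved and flow.dst_port not in self.approved

    def ingest(self, flow: FlowSample) -> bool:
        """Compare one sample; return True if it was flagged and recorded."""
        if not self.is_suspicious(flow):
            return False
        # Design choice (not from the claims): list the lower-numbered port, which
        # is usually the service side, so a client's ephemeral ports don't inflate
        # the count of listed ports.
        port = min(flow.src_port, flow.dst_port)
        newly_listed = port not in self.suspicious
        self.suspicious.setdefault(port, []).append(flow)
        # Claim 13: alert when a port is added and the list now exceeds the threshold
        if newly_listed and len(self.suspicious) > self.threshold:
            self.alerts.append(
                f"port {port} added by {flow.device}: {len(self.suspicious)} "
                f"suspicious ports exceeds threshold {self.threshold}"
            )
        return True


# Constructed sample records (not real traffic)
SAMPLES = [
    FlowSample("sw1", "10.0.0.5", 51234, "10.0.0.10", 443, "tcp"),     # approved dst
    FlowSample("sw1", "10.0.0.5", 51235, "10.0.0.11", 22, "tcp"),      # approved dst
    FlowSample("sw2", "10.0.0.7", 51300, "203.0.113.9", 4444, "tcp"),  # both unapproved
    FlowSample("sw2", "10.0.0.7", 51301, "203.0.113.9", 4444, "tcp"),  # same listed port
    FlowSample("sw2", "10.0.0.8", 52000, "203.0.113.20", 6667, "tcp"), # both unapproved
    FlowSample("sw3", "10.0.0.2", 53, "10.0.0.9", 40000, "udp"),       # approved src: not flagged
    FlowSample("sw3", "10.0.0.12", 8080, "10.0.0.13", 9001, "tcp"),    # both unapproved
]


def run(samples: List[FlowSample], threshold: int = 2) -> PortMonitor:
    """Feed samples through a monitor and return it for inspection."""
    mon = PortMonitor(approved=set(APPROVED_PORTS), threshold=threshold)
    for flow in samples:
        mon.ingest(flow)
    return mon


if __name__ == "__main__":
    m = run(SAMPLES)
    for port, flows in sorted(m.suspicious.items()):
        print(f"port {port}: {len(flows)} sampled flow(s)")
    for a in m.alerts:
        print("ALERT:", a)
```

Two points the sample data is built to show: the claim language requires both ports to be exceptional, so the DNS reply from source port 53 to an ephemeral port is not flagged even though one end is unapproved; and because the alert fires only when a port is newly added, repeated samples on an already-listed port (the second flow to 4444) raise no additional alert. Keying the list on the lower-numbered port is an assumption of this example; with sampled traffic, the client side is almost always an ephemeral port, and listing those would make the threshold trip on ordinary volume rather than on the number of distinct unapproved services.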