SYSTEM AND METHOD OF SPOOF DETECTION
First Claim
1. A method comprising:
analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host to yield first data;
analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host to yield second data, wherein the first capture agent is located within a first layer of the network and the second capture agent is located in a second layer of the network, and wherein the first layer and the second layer are different layers of the network;
collecting the first data and the second data at a collector to yield aggregated data;
based on the aggregated data, generating a database comprising a topological map of the network and a history of network activity associated with the first environment and the second environment to yield historical data;
extracting network data from a packet to yield extracted network data, the extracted network data identifying a reported source of the packet;
comparing the extracted network data with stored network data in the database to yield a comparison; and
when the comparison indicates that the extracted network data does not match the stored network data, determining that the packet is a spoofed packet.
Abstract
Managing a network environment to identify spoofed packets is disclosed. A method includes analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host to yield first data, and analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host to yield second data. The method includes collecting the first data and the second data at a collector and generating a database comprising a topological map of the network and a history of network activity associated with the first environment and the second environment. The method includes extracting network data from a packet and comparing the extracted network data with stored network data in the database. When the comparison indicates that the extracted network data does not match the stored network data (i.e., the reported source does not match an expected source for the packet), the method determines that the packet is a spoofed packet.
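The check the abstract describes, written out as an added example (not code from the patent or its assignee): two capture agents at different layers report what they see, a collector aggregates the reports into a per-source topology and history, and a packet whose reported source disagrees with the stored data is flagged. The agent names, addresses and port labels are constructed sample values.

```python
from collections import defaultdict
from typing import List, NamedTuple, Optional, Tuple

class Observation(NamedTuple):
    agent: str    # capture agent that reported the packet
    layer: str    # network layer where that agent sits (host, switch, ...)
    src_ip: str   # reported source address
    src_mac: str  # reported source hardware address
    ingress: str  # interface or port the packet was seen arriving on

class Collector:
    """Aggregates per-agent observations into a topology map plus history."""
    def __init__(self) -> None:
        self.db = defaultdict(lambda: {"macs": set(), "ingress": set(), "layers": set(), "seen": 0})

    def ingest(self, observations: List[Observation]) -> None:
        for o in observations:
            entry = self.db[o.src_ip]
            entry["macs"].add(o.src_mac)
            entry["ingress"].add(o.ingress)
            entry["layers"].add(o.layer)
            entry["seen"] += 1

    def check(self, src_ip: str, src_mac: str, ingress: str) -> Tuple[Optional[bool], str]:
        """Return (spoofed?, reason); spoofed is None when the source has no history."""
        entry = self.db.get(src_ip)  # .get() does not create a default entry
        if entry is None:
            return None, "no stored data for reported source"
        if src_mac not in entry["macs"]:
            return True, "source MAC never observed for this address"
        if ingress not in entry["ingress"]:
            return True, "ingress point inconsistent with learned topology"
        return False, "reported source matches stored network data"

def build_sample_collector() -> Collector:
    """Constructed sample: a host-layer agent and a switch-layer agent both see host 10.0.1.10."""
    col = Collector()
    col.ingest([
        Observation("agent-host-a", "host", "10.0.1.10", "aa:bb:cc:dd:ee:01", "eth0"),
        Observation("agent-sw1", "switch", "10.0.1.10", "aa:bb:cc:dd:ee:01", "sw1/port3"),
    ])
    return col

if __name__ == "__main__":
    col = build_sample_collector()
    for pkt in [("10.0.1.10", "aa:bb:cc:dd:ee:01", "sw1/port3"),   # legitimate
                ("10.0.1.10", "aa:bb:cc:dd:ee:99", "sw1/port3"),   # forged MAC
                ("10.0.1.10", "aa:bb:cc:dd:ee:01", "sw1/port7"),   # wrong ingress
                ("10.0.9.9", "aa:bb:cc:dd:ee:01", "sw1/port3")]:   # no history
        print(pkt, col.check(*pkt))
```

A source with no stored data returns None rather than True, because the abstract's rule only fires on a mismatch against existing data; a deployment would also age out stale history so that legitimate address reassignment does not accumulate as false positives.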
20 Claims
1. A method comprising:
analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host to yield first data;
analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host to yield second data, wherein the first capture agent is located within a first layer of the network and the second capture agent is located in a second layer of the network, and wherein the first layer and the second layer are different layers of the network;
collecting the first data and the second data at a collector to yield aggregated data;
based on the aggregated data, generating a database comprising a topological map of the network and a history of network activity associated with the first environment and the second environment to yield historical data;
extracting network data from a packet to yield extracted network data, the extracted network data identifying a reported source of the packet;
comparing the extracted network data with stored network data in the database to yield a comparison; and
when the comparison indicates that the extracted network data does not match the stored network data, determining that the packet is a spoofed packet.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system comprising:
a processor; and
a computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising:
analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host to yield first data;
analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host to yield second data, wherein the first capture agent is located within a first layer of the network and the second capture agent is located in a second layer of the network, and wherein the first layer and the second layer are different layers of the network;
collecting the first data and the second data at a collector to yield aggregated data;
based on the aggregated data, generating a database comprising a topological map of the network and a history of network activity associated with the first environment and the second environment to yield historical data;
extracting network data from a packet to yield extracted network data, the extracted network data identifying a reported source of the packet;
comparing the extracted network data with stored network data in the database to yield a comparison; and
when the comparison indicates that the extracted network data does not match the stored network data, determining that the packet is a spoofed packet.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A computer-readable storage device that stores instructions which, when executed by a processor, cause the processor to perform operations comprising:
analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host to yield first data;
analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host to yield second data, wherein the first capture agent is located within a first layer of the network and the second capture agent is located in a second layer of the network, and wherein the first layer and the second layer are different layers of the network;
collecting the first data and the second data at a collector to yield aggregated data;
based on the aggregated data, generating a database comprising a topological map of the network and a history of network activity associated with the first environment and the second environment to yield historical data;
extracting network data from a packet to yield extracted network data, the extracted network data identifying a reported source of the packet;
comparing the extracted network data with stored network data in the database to yield a comparison; and
when the comparison indicates that the extracted network data does not match the stored network data, determining that the packet is a spoofed packet.
Dependent claims: 20.
Specification