EFFECTIVE DETECTION OF A COMMUNICATION APPARATUS PERFORMING AN ABNORMAL COMMUNICATION

US 20190312901A1
Filed: 04/02/2019
Published: 10/10/2019
Est. Priority Date: 04/06/2018
Status: Active Grant

First Claim

Patent Images

1. A network monitoring device comprising:

a memory; and

a processor coupled to the memory and configured to;

extract a server process from a communication in a network to generate log data in which a combination of addresses of access sources in the server process is recorded, andcompare a combination of past addresses recorded in the log data with a combination of addresses in a specific target access to identify a first communication apparatus performing an abnormal communication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus extracts a server process from a communication in a network to generate log data in which a combination of addresses of access sources in the server process is recorded, and compares a combination of past addresses recorded in the log data with a combination of addresses in a specific target access to identify a first communication apparatus performing an abnormal communication.

Citations

12 Claims

1. A network monitoring device comprising:
- a memory; and
  
  a processor coupled to the memory and configured to;
  
  extract a server process from a communication in a network to generate log data in which a combination of addresses of access sources in the server process is recorded, andcompare a combination of past addresses recorded in the log data with a combination of addresses in a specific target access to identify a first communication apparatus performing an abnormal communication.
- View Dependent Claims (2, 3)
- - 2. The network monitoring device of claim 1, whereinthe processor identifies a communication apparatus accessed by a combination of addresses not existing in the log data as the first communication apparatus, in the specific target access.
  - 3. The network monitoring device of claim 1, whereinthe processor is configured to:
    - set a first value to a flag for each of communication apparatuses having the server process,change the flag of a communication apparatus not identified as the first communication apparatus from the first value to a second value, andoutput an address of a communication apparatus whose flag is set to the first value as a list of the first communication apparatuses.

4. A network monitoring method comprising:
- extracting a server process from a communication in a network to generate log data in which a combination of addresses of access sources in the server process is recorded; and
  
  comparing a combination of past addresses recorded in the log data with a combination of addresses in a specific target access to identify a first communication apparatus performing an abnormal communication.
- View Dependent Claims (5, 6)
- - 5. The network monitoring method of claim 4, further comprising identifying a communication apparatus accessed by a combination of addresses not existing in the log data as the first communication apparatus, in the specific target access.
  - 6. The network monitoring method of claim 4, further comprising:
    - setting a first value to a flag for each of communication apparatuses having the server process;
      
      changing the flag of a communication apparatus not identified as the first communication apparatus from the first value to a second value; and
      
      outputting an address of a communication apparatus whose flag is set to the first value as a list of the first communication apparatuses.

7. A network monitoring method comprising:
- monitoring communications within a network;
  
  identifying a source address and a destination address for each of the communications;
  
  aggregating server process addresses and groups of addresses based on the source address and the destination address for each of the communications;
  
  generating a profile database based on the aggregating;
  
  identifying a server as an intruder server, using the profile database; and
  
  registering the intruder server in an intruder list.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, further comprising generating an authentication log based on the source address and the destination address.
  - 9. The method of claim 7, further comprising determining that the source address and the destination address belong to a specific segment.
  - 10. The method of claim 9, wherein the identifying comprises determining that an address of the intruder server does not belong to the segment.
  - 11. The method of claim 7, further comprising blocking a communication from the intruder server.
  - 12. The method of claim 7, further comprising comparing addresses stored in the profile database with addresses in a target access list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Saito, Satomi, Fujishima, Yuki, Torii, Satoru

Granted Patent

US 11,233,807 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/1425   Traffic logging, e.g. anoma...

EFFECTIVE DETECTION OF A COMMUNICATION APPARATUS PERFORMING AN ABNORMAL COMMUNICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

EFFECTIVE DETECTION OF A COMMUNICATION APPARATUS PERFORMING AN ABNORMAL COMMUNICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links