Method and system for diagnosing network intrusion

Abstract

A method and system are disclosed for analyzing traffic on a network by monitoring network traffic and, when a particular network condition (for example, a network attack) is detected, gathering information about the traffic on the network by launching an agent and having the agent iteratively identify which of the links on the node on which the agent operates accepts a type or class of traffic, traverse the identified link to the node across the link, and repeat the process.

Claims (25)

1. A method for analyzing traffic on a network, the network comprising nodes, each node having a set of links, the method comprising:
at at least a first node on the network monitoring traffic; and
if a particular network condition is detected, gathering information about the traffic on the network using an agent which:
identifies which of the links on the node on which the agent operates accepts a class of traffic; and
traverses the link to the node across the link.
launching the agent from a second node.

10. The method of claim 1 where the node on which the agent initially operates is topologically near a node identified as being subject to the attack.

11. A method for analyzing a network, the network comprising nodes, each node connecting to a set of links, the method comprising:
at at least a first node on the network monitoring for an attack condition; and
at the first node, when an attack condition is detected, determining a set of traffic suspected to be attack traffic and launching an agent, the agent recording information about traffic by:
detecting which among the links of the node at which the agent currently operates is receiving the most of a subset of the set of traffic suspected to be attack traffic;
selecting a link found to be receiving the most of the subset of the set of traffic suspected to be attack traffic and recording the identity of the selected link; and
attempting to move to the node connected to the selected link.

recording a set of samples of traffic received at a node in the network;
determining, from the set of samples, the type of attack which is occurring; and
tailoring the agent to follow traffic based on the type of attack.
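The following is an added worked example of the traversal recited in claims 1 and 11, together with the sample-based tailoring of the agent in claims 12, 13 and 17; it is illustration code written for this page, not code from the patent. The topology, the packet samples, the link identifiers, the 60% dominance threshold in the classifier and the attack names are all constructed assumptions. The agent starts at the attacked node, counts per incoming link how many packets match the attack filter, records the heaviest link, moves to the neighbour across it and repeats until no upstream link carries the traffic (the point where it enters the network), a node is revisited, or a hop limit is reached.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    flags: str = ""


@dataclass
class Node:
    name: str
    links: dict[str, str]                                            # link id -> neighbour across it
    inbound: dict[str, list[Packet]] = field(default_factory=dict)  # link id -> packets seen arriving on it


def classify_attack(samples: list[Packet]) -> tuple[str, Callable[[Packet], bool]]:
    """From samples taken at the attacked node, name the attack and build the
    filter the agent will follow (claims 12, 13 and 17).  The 60% dominance
    threshold and the attack names are assumptions made for this example."""
    victim = Counter(p.dst for p in samples).most_common(1)[0][0]
    kinds = Counter((p.proto, p.flags) for p in samples if p.dst == victim)
    (proto, flags), n = kinds.most_common(1)[0]
    if n < 0.6 * len(samples):
        return "unknown", lambda p: p.dst == victim        # no dominant pattern: follow anything to the victim
    if proto == "tcp" and flags == "S":
        return "syn_flood", lambda p: p.dst == victim and p.proto == "tcp" and p.flags == "S"
    return f"{proto}_flood", lambda p: p.dst == victim and p.proto == proto


def trace_attack(net: dict[str, Node], start: str, is_attack: Callable[[Packet], bool],
                 max_hops: int = 16) -> tuple[list[tuple[str, str, int]], str, str]:
    """Walk upstream from `start`: at each node count matching packets per link,
    record the heaviest link and move to the neighbour across it (claim 11).
    Returns (hops, last_node, stop_reason); each hop is (node, link, match_count)."""
    hops, visited, prev, here = [], {start}, None, start
    for _ in range(max_hops):
        node = net[here]
        counts = Counter()
        for link, pkts in node.inbound.items():
            if node.links[link] == prev:
                continue                                   # never walk back over the link we arrived on
            counts[link] = sum(1 for p in pkts if is_attack(p))
        if not counts or max(counts.values()) == 0:
            return hops, here, "origin"                    # no upstream link carries it: it enters here
        best = max(counts, key=lambda l: (counts[l], l))   # ties broken by link id, so the walk is deterministic
        hops.append((here, best, counts[best]))
        nxt = node.links[best]
        if nxt in visited:
            return hops, nxt, "loop"                       # routing loop or revisit: stop instead of spinning
        visited.add(nxt)
        prev, here = here, nxt
    return hops, here, "hop_limit"


# Constructed sample: a SYN flood against V from a host behind R2, a smaller one
# from behind R3, plus a little legitimate traffic.  Source addresses are spoofed,
# which is why the agent counts per link instead of trusting `src`.
def syn(src: str) -> Packet:
    return Packet(src, "V", "tcp", "S")


FLOOD_VIA_R2 = [syn(f"10.0.2.{i}") for i in range(6)]
FLOOD_VIA_R3 = [syn(f"10.0.3.{i}") for i in range(2)]
LEGIT = [Packet("192.0.2.10", "V", "tcp", "A"), Packet("192.0.2.11", "V", "tcp", "A")]
REPLIES = [Packet("V", "192.0.2.10", "tcp", "A")]

NET = {
    "V":    Node("V", {"uplink": "R1"}, {"uplink": FLOOD_VIA_R2 + FLOOD_VIA_R3 + LEGIT}),
    "R1":   Node("R1", {"to_v": "V", "east": "R2", "west": "R3"},
                 {"to_v": REPLIES, "east": FLOOD_VIA_R2, "west": FLOOD_VIA_R3 + LEGIT}),
    "R2":   Node("R2", {"to_r1": "R1", "edge": "BOT"}, {"edge": FLOOD_VIA_R2}),
    "R3":   Node("R3", {"to_r1": "R1", "edge": "HOST"}, {"edge": FLOOD_VIA_R3 + LEGIT}),
    "BOT":  Node("BOT", {"to_r2": "R2"}),
    "HOST": Node("HOST", {"to_r3": "R3"}),
}


def run_example(net: dict[str, Node] = NET, start: str = "V"):
    """Monitor at the victim, tailor the agent from its samples, then trace."""
    samples = [p for pkts in net[start].inbound.values() for p in pkts]
    attack_type, is_attack = classify_attack(samples)
    hops, end, reason = trace_attack(net, start, is_attack)
    return attack_type, hops, end, reason


if __name__ == "__main__":
    kind, hops, end, reason = run_example()
    print(f"{kind}: stopped at {end} ({reason})")
    for node, link, n in hops:
        print(f"  {node}: {n} matching packets on {link}")
```

Run as a script it reports a SYN flood and the path V (uplink) to R1 (east) to R2 (edge), stopping at BOT because nothing upstream of it carries the traffic. Two design points matter in practice: the agent must never follow the link it just arrived on (otherwise it oscillates between two routers), and it must stop on a revisited node or a hop limit, since an attack that is routed in a loop would otherwise keep the agent walking. Because the agent only ever follows the single heaviest link, the second, smaller source behind R3 is not found in this run; a practitioner would subtract the traced traffic and run the agent again from R1 to find the remaining contributor.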
14. The method of claim 12 where the agent provides a report to a process executing on the first node.

15. The method of claim 12 where the information about the traffic includes at least a set of paths taken by the traffic.

16. The method of claim 12 where monitoring for an attack condition is performed by a monitoring agent.

17. The method of claim 12 where the agent detects which among the links of the node at which the agent currently operates is receiving the most of the set of traffic suspected to be attack traffic by determining which of the links is receiving the most of a certain type of traffic.

18. A system for analyzing traffic on a network, the network comprising nodes, each node having a set of links, the system comprising:
an agent to:
identify which of the links on the node on which the agent operates accepts attack traffic; and
traverse the link to the node across the link; and
a module to monitor network traffic, and, if an attack condition is detected, to gather information about traffic on the network by launching the agent.

22. A set of instructions residing in a storage medium, said set of instructions capable of being executed by a processor to implement a method for analyzing attack traffic on a network, the network comprising nodes, each node connecting to a set of links, the method comprising:
monitoring traffic at at least a first node on the network; and
if an attack condition is detected, gathering information about the traffic on the network by having an agent repeatedly:
identify which of the links on the node on which the agent operates accepts attack traffic; and
traverse the link to the node across the link.