Method and system for diagnosing network intrusion

US 6,735,702 B1
Filed: 08/31/1999
Issued: 05/11/2004
Est. Priority Date: 08/31/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for analyzing traffic on a network, the network comprising nodes, each node having a set of links, the method comprising:

at at least a first node on the network monitoring traffic; and

if a particular network condition is detected, gathering information about the traffic on the network using an agent which;

identifies which of the links on the node on which the agent operates accepts a class of traffic; and

traverses the link to the node across the link.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are disclosed for analyzing traffic on a network by monitoring network traffic and, when a particular network condition (for example, a network attack) is detected, gathering information about the traffic on the network by launching an agent and having the agent iteratively identify which of the links on the node on which the agent operates accepts a type or class of traffic, traverse the identified link to the node across the link, and repeat the process.

Citations

25 Claims

1. A method for analyzing traffic on a network, the network comprising nodes, each node having a set of links, the method comprising:
- at at least a first node on the network monitoring traffic; and
  
  if a particular network condition is detected, gathering information about the traffic on the network using an agent which;
  
  identifies which of the links on the node on which the agent operates accepts a class of traffic; and
  
  traverses the link to the node across the link.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 where the agent repeatedly identifies and traverses links.
  - 3. The method of claim 2 where the network condition is an attack condition.
  - 4. The method of claim 3 where the class of traffic is traffic having identifying characteristics of an attack.
  - 5. The method of claim 4 where the agent, after identifying a link, records the node on which the agent operates and the identified link.
  - 6. The method of claim 2 where the class of traffic is traffic including node attack traffic.
  - 7. The method of claim 2 where the class of traffic is traffic including unauthorized access attack traffic.
  - 8. The method of claim 2 where the class of traffic is traffic including denial of service attack traffic.
  - 9. The method of claim 1 further including:
10. The method of claim 1 where the node on which the agent initially operates is topologically near a node identified as being subject to the attack.

11. A method for analyzing a network, the network comprising nodes, each node connecting to a set of links, the method comprising:
- at at least a first node on the network monitoring for an attack condition; and
  
  at the first node, when an attack condition is detected, determining a set of traffic suspected to be attack traffic and launching an agent, the agent recording information about traffic by;
  
  detecting which among the links of the node at which the agent currently operates is receiving the most of a subset of the set of traffic suspected to be attack traffic;
  
  selecting a link found to be receiving the most of the subset of the set of traffic suspected to be attack traffic and recording the identity of the selected link; and
  
  attempting to move to the node connected to the selected.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11 where the agent repeats detecting, selecting and attempting to move until the agent fails to perform one of detecting, selecting and attempting to move.
  - 13. The method of claim 12 further including:
14. The method of claim 12 where the agent provides a report to a process executing on the first node.
15. The method of claim 12 where the information about the traffic includes at least a set of paths taken by the traffic.
16. The method of claim 12 where monitoring for an attack condition is performed by a monitoring agent.
17. The method of claim 12 where the agent detects which among the links of the node at which the agent currently operates is receiving the most of the set of traffic suspected to be attack traffic by determining which of the links is receiving the most of a certain type of traffic.

18. A system for analyzing traffic on a network, the network comprising nodes, each node having a set of links, the system comprising:
- an agent of to;
  
  identify which of the links on the node on which the agent operates accepts attack traffic; and
  
  traverse the link to the node across the link; and
  
  a module to monitor network traffic, and, when if an attack condition is detected, to gather information about traffic on the network by launching the agent.
- View Dependent Claims (19, 20, 21)
- - 19. The system of claim 18 where the attack traffic is identified by filtering for node attack packets.
  - 20. The system of claim 18 where the attack traffic is identified by filtering for unauthorized access attack packets.
  - 21. The system of claim 18 where the attack traffic is identified by filtering for denial of service attack packets.

22. A set of instructions residing in a storage medium, said set of instructions capable of being executed by a processor to implement a method for analyzing attack traffic a network, the network comprising nodes, each node connecting to a set of links, the method comprising:
- monitoring traffic at at least a first node on the network; and
  
  if an attack condition is detected, gathering information about the traffic on the network by having an agent repeatedly;
  
  identify which of the links on the node on which the agent operates accepts attack traffic; and
  
  traversing traverse the link to the node across the link.
- View Dependent Claims (23, 24, 25)
- - 23. The set of instructions of claim 22 where the attack traffic is identified by filtering for node attack packets.
  - 24. The set of instructions of claim 22 where the attack traffic is identified by filtering for unauthorized access attack packets.
  - 25. The set of instructions of claim 22 where the attack traffic is identified by filtering for denial of service attack packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Xiaomi Mobile Software Co., Ltd. (Xiaomi Corp.)
Original Assignee
Intel Corporation
Inventors
Yavatkar, Rajenda, Putzolu, David M.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/386,586
Time in Patent Office

1,715 Days
Field of Search

713/190, 713/194, 713/200, 713/201
US Class Current

726/13
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

Method and system for diagnosing network intrusion

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for diagnosing network intrusion

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links