Intrusion detection system using self-organizing clusters
First Claim
1. A machine readable storage having stored thereon a computer program for detecting network intrusions, said computer program comprising a routine set of instructions which when executed cause the machine to perform the steps of:
monitoring network traffic passing across a network communications path;
extracting network packets from said passing traffic;
storing individual components of said network packets in a database;
constructing multi-dimensional vectors from at least two of said stored individual components and applying at least one multi-variate analysis to said constructed multi-dimensional vectors, said at least one multi-variate analysis producing a corresponding output set;
establishing a correlation between individual output sets based upon a selected metric to identify anomalous behavior; and
classifying said anomalous behavior as one of a network fault or a network attack.
Abstract
An intrusion detection system (IDS). An IDS which has been configured in accordance with the present invention can include a traffic sniffer for extracting network packets from passing network traffic; a traffic parser configured to extract individual data from defined packet fields of the network packets; and, a traffic logger configured to store individual packet fields of the network packets in a database. A vector builder can be configured to generate multi-dimensional vectors from selected features of the stored packet fields. Notably, at least one self-organizing clustering module can be configured to process the multi-dimensional vectors to produce a self-organized map of clusters. Subsequently, an anomaly detector can detect anomalous correlations between individual ones of the clusters in the self-organized map based upon at least one configurable correlation metric. Finally, a classifier can classify detected anomalous correlations as one of an alarm and normal behavior.
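A toy version of the pipeline the abstract describes (logged packet fields to feature vectors, a self-organizing map of clusters, and a distance metric that flags packets far from every cluster), added here as an illustration and not the patent's own code; the field scaling, the 3x3 map, the constructed sample log and the 1.5x alarm threshold are all assumptions.

```python
"""Toy version of the pipeline in the abstract above (added example, not the patent's code):
logged packet fields -> feature vectors -> self-organizing map (SOM) of clusters ->
alarm when a packet sits far from every learned cluster."""
import math
import random

# Assumed scaling constants, one per stored field, so every feature lies in [0, 1].
SCALE = (1500.0, 65535.0, 255.0, 255.0)  # ip_len, dst_port, ttl, ip_proto

# Constructed training log: (ip_len, dst_port, ttl, ip_proto) for HTTPS, HTTP and DNS packets.
NORMAL = [(600, 443, 64, 6), (620, 443, 64, 6), (640, 443, 64, 6), (660, 443, 64, 6),
          (700, 80, 64, 6), (720, 80, 64, 6), (740, 80, 64, 6), (760, 80, 64, 6),
          (90, 53, 64, 17), (95, 53, 64, 17), (100, 53, 64, 17), (105, 53, 64, 17)]

def build_vector(fields):
    """Vector builder: combine selected stored packet fields into one scaled vector."""
    return tuple(f / s for f, s in zip(fields, SCALE))

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def best_matching_unit(nodes, v):
    return min(nodes, key=lambda pos: dist(nodes[pos], v))

def train_som(vectors, rows=3, cols=3, epochs=30, seed=1):
    """Self-organizing clustering: a rows x cols grid of nodes is pulled toward the data;
    the winner moves most, its grid neighbours less. Nodes start on random training
    vectors and every update is a convex step, so they stay inside the hull of normal traffic."""
    rng = random.Random(seed)
    nodes = {(r, c): list(rng.choice(vectors)) for r in range(rows) for c in range(cols)}
    for epoch in range(epochs):
        frac = epoch / epochs  # learning rate and neighbourhood width both decay
        lr, sigma = 0.5 * (1 - frac) + 0.02, 1.5 * (1 - frac) + 0.3
        for v in rng.sample(vectors, len(vectors)):
            br, bc = best_matching_unit(nodes, v)
            for (r, c), w in nodes.items():
                h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * sigma ** 2))
                for i in range(len(w)):
                    w[i] += lr * h * (v[i] - w[i])
    return nodes

def score(nodes, fields):
    """Correlation metric: distance from the packet's vector to its nearest cluster node."""
    v = build_vector(fields)
    return dist(nodes[best_matching_unit(nodes, v)], v)

def fit_threshold(nodes, training, factor=1.5):
    """Assumed alarm rule: a fixed margin above the worst fit seen on normal traffic."""
    return factor * max(score(nodes, f) for f in training)

def is_anomalous(nodes, fields, threshold):
    return score(nodes, fields) > threshold
```

With the constructed log, a max-size ICMP packet with TTL 255 and no port, `(1500, 0, 255, 1)`, lands far outside every learned cluster and raises the alarm, while each logged normal packet stays below the threshold.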
6 Claims
Claims 2 to 5 depend from claim 1 (reproduced above under First Claim) and are not shown on this page.
6. A machine readable storage having stored thereon a computer program for detecting network intrusions, said computer program comprising a routine set of instructions which when executed cause the machine to perform the steps of:
monitoring network traffic passing across a network communications path destined for multiple target devices in multiple independent network domains and extracting network packets from said passing traffic;
identifying protocol boundaries in each extracted network packet and storing data from each field separated by said identified protocol boundaries in a database;
associating said data in said database with at least one of a corresponding target device, a target network domain, a target customer, and a target customer sub-net;
processing said stored data using at least one self-organizing clustering method to establish correlations between fields of different network packets destined for different ones of said multiple independent network domains; and
identifying a network attack, a network fault, or a change in network performance based upon said established correlations.