Flow-based detection of network intrusions
Abstract
A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.
37 Claims
1. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
- monitoring packet headers of packets exchanged between two hosts on the data communication network;
- based on the packet headers, determining the existence of a client/server (C/S) flow as corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined C/S flow characteristic;
- assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;
- maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and
- issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.
Dependent claims: 2 to 24 and 27.
25. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
- monitoring packet headers of packets exchanged between two hosts that are associated with a single service on the data communications network;
- based on the packet headers, determining the existence of a client/server (C/S) flow as corresponding to a predetermined plurality of packets exchanged between the two hosts;
- collecting C/S flow data from packet headers of the packets in the determined flow;
- based on the collected C/S flow data, assigning a concern index value to a determined C/S flow based on a predetermined concern index characteristic of the C/S flow;
- maintaining an accumulated concern index from C/S flows that are associated with a particular host;
- issuing an alarm signal in the event that the accumulated concern index for the particular host exceeds an alarm threshold value; and
- in response to the alarm signal, sending a message to a utilization component.
Dependent claims: 26, 28 and 29.
30. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
- monitoring the packet headers from an exchange of packets between two hosts each having a particular Internet Protocol (IP) address;
- based on monitored packet headers, determining the existence of a client/server (C/S) flow as corresponding to a predetermined plurality of packets exchanged between a particular port of one of the hosts that remains constant during the plurality of packets;
- collecting C/S flow data from packet headers of the packets in a determined C/S flow;
- based on the collected C/S flow data, assigning a concern index value to a determined C/S flow;
- maintaining a host data structure containing accumulated concern index values from a plurality of determined C/S flows that are associated with the particular host; and
- issuing an alarm in the event that the accumulated concern index values for the particular host have exceeded an alarm threshold value.
Dependent claims: 31 and 32.
33. A system for analyzing network communication traffic and determining potential suspicious activity, comprising:
- a computer system operative to:
  a) monitor packet headers resulting from the communication of packets on a data communication network;
  b) based on monitored packet headers, classify the monitored packets into client/server (C/S) flows, wherein a C/S flow corresponds to a predetermined plurality of packets exchanged between two hosts that are associated with a single service on the network;
  c) analyze the C/S flows in order to assign a concern index value to a C/S flow that may signify potential suspicious activity, wherein each concern index value associated with a respective potential suspicious activity is of a predetermined fixed value;
  d) generate an alarm signal in response to cumulated concern index values; and
- a communication system coupled to the computer system operative to receive packets communicated between hosts on the network.
Dependent claims: 34.
35. A system for analyzing network communication traffic and determining potential suspicious activity, comprising:
- a processor operative to:
  a) monitor packet headers resulting from the communication of packets on a data communication network;
  b) classify the monitored packets into client/server (C/S) flows, wherein a C/S flow corresponds to a predetermined plurality of packets exchanged between two hosts that are associated with a single service on the network;
  c) maintain a flow data structure for storing data corresponding to a plurality of C/S flows;
  d) analyze the C/S flows in the flow data structure in order to assign a concern index value to a C/S flow that may signify potential suspicious activity, wherein each concern index value associated with a respective potential suspicious activity is of a predetermined fixed value;
  e) cumulate assigned concern index values of one or more C/S flows associated with a particular host;
  f) maintain a host data structure for storing data associating a cumulated concern index value with each one of a plurality of hosts; and
  g) generate an alarm signal in response to cumulated concern index values in the host data structure;
- a memory coupled to the processor and operative to store the flow data structure and the host data structure; and
- a network interface coupled to the processor operative to receive packets on the data communication network.
Dependent claims: 36.
37. A method of analyzing network communication traffic on a data communication network for potential suspicious activity, comprising the steps of:
- monitoring packets exchanged between two hosts on the data communication network;
- identifying packets provided by one of the two hosts that have a transport level protocol specifying a packet format that includes a data segment;
- in response to determination that the transport level protocol is a User Datagram Protocol (UDP) packet and the data segment associated with the UDP packet contains two bytes or less of data, storing a concern index value of a predetermined amount in a memory in association with information identifying the host that issued the UDP packet; and
- issuing an alarm when the cumulated concern index value associated with the host exceeds a predetermined threshold level.
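A toy implementation of the flow classification, fixed-value concern-index assignment and per-host accumulation that the abstract and claims describe, added here as an example and not the patent's own code. The short-UDP characteristic follows claim 37; the lower-port rule for picking the service side, the unanswered-SYN characteristic, the concern-index amounts, the threshold and the sample traffic are all assumed and constructed for the example.

```python
from collections import defaultdict, namedtuple

# Fixed concern-index value per suspicious characteristic (assumed amounts).
CI_SHORT_UDP = 10       # UDP packet from the client carrying two bytes or less of data (claim 37)
CI_UNANSWERED_TCP = 5   # TCP SYN from the client with no packet back from the server (assumed)
ALARM_THRESHOLD = 20    # assumed alarm threshold on the accumulated per-host concern index

# Packet header fields; flags holds TCP flags ("S" SYN, "SA" SYN/ACK), data_len the data segment size.
Packet = namedtuple("Packet", "src dst proto sport dport flags data_len", defaults=("", 0))

def classify(p):
    """Map a packet header to its C/S flow key (client, server, proto, service port).
    The service port is assumed to be the lower-numbered port of the pair."""
    if p.dport <= p.sport:
        return (p.src, p.dst, p.proto, p.dport)
    return (p.dst, p.src, p.proto, p.sport)

def flow_concern(key, pkts):
    """Assign a fixed concern index to one flow from its characteristics."""
    client, _server, proto, _service = key
    ci = 0
    if proto == "udp" and any(p.src == client and p.data_len <= 2 for p in pkts):
        ci += CI_SHORT_UDP
    if proto == "tcp" and any("S" in p.flags for p in pkts) and all(p.src == client for p in pkts):
        ci += CI_UNANSWERED_TCP
    return ci

def analyze(packets):
    """Group packets into C/S flows, accumulate concern per client host, list hosts over threshold."""
    flows = defaultdict(list)
    for p in packets:
        flows[classify(p)].append(p)
    concern = defaultdict(int)
    for key, pkts in flows.items():
        concern[key[0]] += flow_concern(key, pkts)   # key[0] is the client host
    alarms = sorted(h for h, v in concern.items() if v > ALARM_THRESHOLD)
    return dict(concern), alarms

# Constructed sample traffic: 10.0.0.5 sends tiny probes to 10.0.0.9; 10.0.0.7 talks to it normally.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", "udp", 40000, 53, data_len=1),
    Packet("10.0.0.5", "10.0.0.9", "udp", 40001, 161, data_len=0),
    Packet("10.0.0.5", "10.0.0.9", "tcp", 40002, 22, flags="S"),
    Packet("10.0.0.7", "10.0.0.9", "tcp", 51000, 80, flags="S"),
    Packet("10.0.0.9", "10.0.0.7", "tcp", 80, 51000, flags="SA"),
    Packet("10.0.0.7", "10.0.0.9", "udp", 51001, 53, data_len=40),
    Packet("10.0.0.9", "10.0.0.7", "udp", 53, 51001, data_len=120),
]
```

Running `analyze(SAMPLE)` accumulates 25 for 10.0.0.5 (two short-UDP flows and one unanswered SYN) and 0 for 10.0.0.7, so only 10.0.0.5 crosses the threshold.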