Flow-based detection of network intrusions

US 7,185,368 B2
Filed: 11/30/2001
Issued: 02/27/2007
Est. Priority Date: 11/30/2000
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:

monitoring packet headers of packets exchanged between two hosts on the data communication network;

based on the packet headers, determining the existence of a client/server (C/S) flow as corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined C/S flow characteristic;

assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;

maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and

issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.

Citations

37 Claims

1. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
- monitoring packet headers of packets exchanged between two hosts on the data communication network;
  
  based on the packet headers, determining the existence of a client/server (C/S) flow as corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;
  
  maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and
  
  issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 27)
- - 2. The method of claim 1, wherein the predetermined C/S flow characteristic of a C/S flow is selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FiN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.
  - 3. The method of claim 1, further comprising the step of communicating a message to a firewall to drop packets going to or from the particular host in response to the alarm signal.
  - 4. The method of claim 1, wherein the alarm signal generates a notification to a network administrator.
  - 5. The method of claim 1, wherein each concern index value associated with a predetermined concern index characteristic is a predetermined fixed value.
  - 6. The method of claim 1, wherein the single service comprises a port number remaining constant for a plurality of packets.
  - 7. The method of claim 1, wherein the suspicious activity is from an inside address or from an outside address.
  - 8. The method of claim 1, wherein the concern index for a suspicious activity is derived by reference to a table of predetermined suspicious activities each having a predetermined concern index value.
  - 9. The method of claim 1, wherein the host for which the concern index is accumulated is an inside host.
  - 10. The method of claim 1, wherein the host for which the concern index is accumulated is an outside host.
  - 11. The method of claim 1, wherein the steps are carried out in a monitoring appliance.
  - 12. The method of claim 11, wherein the monitoring appliance is installed behind a firewall.
  - 13. The method of claim 11, wherein the monitoring appliance is connected before a firewall.
  - 14. The method of claim 11, wherein the monitoring appliance is connected in a DMZ.
  - 15. The method of claim 11, wherein the monitoring appliance is configured to operate as a pass-by filter.
  - 16. The method of claim 11, wherein the monitoring appliance is coupled to a network device.
  - 17. The method of claim 16, wherein the network device is selected from group comprising:
    - router, switch, hub, tap.
  - 18. The method of claim 16, wherein the network device is a network security device.
  - 19. The method of claim 1, wherein the monitoring of packets comprises monitoring on packet header information only.
  - 20. The method of claim 1, wherein the monitoring of packets is carried out in a device operating in a promiscuous mode.
  - 21. The method of claim 1, wherein the alarm signal is provided to a utilization component.
  - 22. The method of claim 21, wherein the utilization component is selected from the group comprising:
    - network security device, email, SNMP trap message, beeper, cellphone, firewall, network monitor, user interface display to an operator.
  - 23. The method of claim 1, wherein the predetermined concern index characteristic comprises a characteristic selected from a table comprising a plurality of prestored second predetermined characteristics each having a predetermined concern index (CI) value.
  - 24. The method of claim 1, wherein the predetermined concern index characteristic comprises one or more of the following characteristics:
    - potential TCP probe, potential UDP probe, half-open attack, TCP stealth port scan, UDP stealth port scan, bad flags, short UDP, address scan, port scan.
  - 27. The method of claim 6, wherein a C/S flow is characterized by a predetermined C/S flow characteristic selected from the group comprising:
    - the elapse of predetermined period of time where no packets are exchanged between two hosts, the occurrence of a FiN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.

25. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
- monitoring packet headers of packets exchanged between two hosts that are associated with a single service on the data communications network;
  
  based on the packet headers, determining the existence of a client/server (C/S) flow as corresponding to a predetermined plurality of packets exchanged between the two hosts;
  
  collecting C/S flow data from packet headers of the packets in the determined flow;
  
  based on the collected C/S flow data, assigning a concern index value to a determined C/S flow based on a predetermined concern index characteristic of the C/S flow;
  
  maintaining an accumulated concern index from C/S flows that are associated with a particular host;
  
  issuing an alarm signal in the event that the accumulated concern index for the particular host exceeds an alarm threshold value; and
  
  in response to the alarm signal, sending a message to a utilization component.
- View Dependent Claims (26, 28, 29)
- - 26. The method of claim 25, wherein the utilization component is selected from the group comprising:
    - network security device, email, SNMP trap message, beeper, cellphone, firewall, network monitor, user interface display to an operator.
  - 28. The method of claim 25, wherein the predetermined concern index characteristic comprises a characteristic selected from a table comprising a plurality of prestored second predetermined characteristics each having a predetermined concern index (CI) value.
  - 29. The method of claim 25, wherein the predetermined concern index characteristic comprises one or more of the following characteristics:
    - potential TCP probe,potential UDP probe,half-open attack,TCP stealth port scan,UDP stealth port scan,bad flags,short UDP,address scan,port scan.

30. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
- monitoring the packet headers from an exchange of packets between two hosts each having a particular Internet Protocol (IP) address;
  
  based on monitored packet headers, determining the existence of a client/sewer (C/S) flow as corresponding to a predetermined plurality of packets exchanged between a particular port of one of the hosts that remains constant during the plurality of packets;
  
  collecting C/S flow data from packet headers of the packets in a determined C/S flow;
  
  based on the collected C/S flow data, assigning a concern index value to a determined C/S flow;
  
  maintaining a host data structure containing accumulated concern index values from a plurality of determined C/S flows that are associated with the particular host; and
  
  issuing an alarm in the event that the accumulated concern index values for the particular host has exceeded an alarm threshold value.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30, wherein each concern index value associated with a respective potential suspicious activity is a predetermined fixed value.
  - 32. The method of claim 30, wherein a C/S flow is characterized by a predetermined C/S flow characteristic selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FiN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.

33. A system for analyzing network communication traffic and determining potential suspicious activity, comprising:
- a computer system operative to;
  
  a) monitor packet headers resulting from the communication of packets on a data communication network;
  
  b) based on monitored packet headers, classify the monitored packets into client/server (C/S) flows, wherein a C/S flow corresponds to a predetermined plurality of packets exchanged between two hosts that are associated with a single service on the network;
  
  c) analyze the C/S flows in order to assign a concern index value to a C/S flow that may signify potential suspicious activity, wherein each concern index value associated with a respective potential suspicious activity is of a predetermined fixed value;
  
  d) generate an alarm signal in response to cumulated concern index values; and
  
  a communication system coupled to the computer system operative to receive packets communicated between hosts on the network.
- View Dependent Claims (34)
- - 34. The system of claim 33, wherein a C/S flow is characterized by a predetermined C/S flow characteristic selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FiN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.

35. A system for analyzing network communication traffic and determining potential suspicious activity, comprising:
- a processor operative to;
  
  a) monitor packet headers resulting from the communication of packets on a data communication network;
  
  b) classify the monitored packets into client/server (C/S) flows, wherein a C/S flow corresponds to a predetermined plurality of packets exchanged between two hosts that are associated with a single service on the network;
  
  c) maintain a flow data structure for storing data corresponding to a plurality of C/S flows;
  
  d) analyze the C/S flows in the flow data structure in order to assign a concern index value to a C/S flow that may signify potential suspicious activity, wherein each concern index value associated with a respective potential suspicious activity is of a predetermined fixed value;
  
  e) cumulate assigned concern index values of one or more C/S flows associated with a particular host;
  
  f) maintain a host data structure for storing data associating a cumulated concern index value with each one of a plurality of hosts; and
  
  g) generate an alarm signal in response to cumulated concern index values in the host data structure;
  
  a memory coupled to the processor and operative to store the flow data structure and the host data structure; and
  
  a network interface coupled to the processor operative to receive packets on the data communication network.
- View Dependent Claims (36)
- - 36. The system of claim 35, wherein a C/S flow is characterized by a predetermined C/S flow characteristic selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FiN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.

37. A method of analyzing network communication traffic on a data communication network for potential suspicious activity, comprising the steps of:
- monitoring packets exchanged between two hosts on the data communication network;
  
  identifying packets provided by one of the two hosts that have a transport level protocol specifying a packet format that includes a data segment;
  
  in response to determination that the transport level protocol is a User Datagram Protocol (UDP) packet and the data segment associated with the UDP packet contains two bytes or less of data, storing a concern index value of a predetermined amount in a memory in association with information identifying the host that issued the UDP packet; and
  
  issuing an alarm when the cumulated concern index value associated with the host exceeds a predetermined threshold level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Lancope, Inc. (Cisco Systems, Inc.)
Inventors
Copeland, John A. III
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Baum; Ronald

Application Number

US10/000,396
Publication Number

US 20030105976A1
Time in Patent Office

1,915 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 9/40   Network security protocols

Flow-based detection of network intrusions

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Flow-based detection of network intrusions

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links