Detection of unauthorized access in a network
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events by aggregating anomalies into network events.
30 Claims
1. A computer implemented method comprising:
retrieving connection pairs from a connection table for a host that is attempting to gain access to another host in a networked computer system;
determining whether the host attempting to gain access has accessed the other host previously; and
if the host has not accessed the other host previously, determining whether other anomalies exist in the connection patterns of each host, to establish an event severity level indicating a likelihood that the host attempting to access the other host is attempting an unauthorized access, and determining whether conditions exist to decrease the severity level assigned to the event; and
if an event is still indicated, sending an event warning message with the determined level of severity to an operator.
(Dependent claims 2 through 10 are not reproduced here.)

11. A computer program product embodied on a computer readable medium for detecting unauthorized access in a computer network, comprising instructions for causing a computing device to:
retrieve connection pairs from a connection table for a host that is attempting to gain access to another host;
determine whether the host attempting to gain access has accessed the other host previously; and
if the host has not accessed the other host previously, determine whether other anomalies exist in the connection patterns of each host, to establish an event severity level indicating a likelihood that the host attempting to access the other host is attempting an unauthorized access, and determine whether conditions exist to decrease the severity level assigned to the event; and
if an event is still indicated, send an event warning message with the determined level of severity to an operator.
(Dependent claims 12 through 20 are not reproduced here.)

21. Apparatus comprising:
a processing device; a memory; and a computer readable medium storing a computer program product for detecting unauthorized access in a computer network, the product comprising instructions for causing the device to:
retrieve connection pairs from a connection table for a host that is attempting to gain access to another host;
determine whether the host attempting to gain access has accessed the other host previously; and
if the host has not accessed the other host previously, determine whether other anomalies exist in the connection patterns of each host, to establish an event severity level indicating a likelihood that the host attempting to access the other host is attempting an unauthorized access, and determine whether conditions exist to decrease the severity level assigned to the event; and
if an event is still indicated, send an event warning message with the determined level of severity to an operator.
(Dependent claims 22 through 30 are not reproduced here.)
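The abstract describes a connection table keyed by node, and claims 1, 11 and 21 describe the same five-step walk over that table: retrieve the source host's connection pairs, check whether the destination was ever reached before, raise a severity level for a first contact that coincides with other anomalies, lower it where mitigating conditions hold, and warn the operator only if an event remains. The following Python is an added illustration of both passages written for this page; it is not code from the patent, and the flow records, the two thresholds, the specific anomalies (an unexpected destination port, scan-like fan-out) and the mitigating conditions (a widely used service, an allow-listed scanner) are assumptions chosen to make the walk concrete.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Tunables for this example (assumed values, not taken from the patent).
FANOUT_THRESHOLD = 2   # new peers in one window before a host looks like a scanner
POPULAR_FANIN = 3      # distinct clients before a host counts as a shared service

# Constructed baseline flows as (src, dst, dst_port): a stand-in for the
# per-packet statistics the abstract's collectors would send the aggregator.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.10", 80), ("10.0.0.6", "10.0.0.10", 80),
    ("10.0.0.7", "10.0.0.10", 80), ("10.0.0.8", "10.0.0.10", 80),
    ("10.0.0.5", "10.0.0.20", 445), ("10.0.0.5", "10.0.0.20", 445),
    ("10.0.0.9", "10.0.0.30", 22),
]
# Constructed current window: 10.0.0.9 probes RDP on hosts it never talked to.
SCAN_WINDOW = [
    ("10.0.0.9", "10.0.0.20", 3389), ("10.0.0.9", "10.0.0.30", 3389),
    ("10.0.0.9", "10.0.0.40", 3389),
]


@dataclass
class HostRecord:
    """Per-node record in the connection table (traffic to and from the node)."""
    peers_out: set = field(default_factory=set)     # hosts this node connected to
    peers_in: set = field(default_factory=set)      # hosts that connected to it
    ports_served: set = field(default_factory=set)  # destination ports seen on it


class ConnectionTable:
    """Maps each node to its HostRecord, as the abstract's aggregator does."""

    def __init__(self):
        self.hosts = defaultdict(HostRecord)

    def observe(self, src, dst, port):
        self.hosts[src].peers_out.add(dst)
        self.hosts[dst].peers_in.add(src)
        self.hosts[dst].ports_served.add(port)

    def connection_pairs(self, host):
        """(src, dst) pairs previously seen for this host (claim step 1)."""
        return {(host, peer) for peer in self.hosts[host].peers_out}


def build_table(flows):
    table = ConnectionTable()
    for src, dst, port in flows:
        table.observe(src, dst, port)
    return table


@dataclass
class Event:
    src: str
    dst: str
    severity: int
    reasons: list


def evaluate_access(table, src, dst, port, new_peers_in_window, allowlisted=frozenset()):
    """Walk claim 1 for one attempted src -> dst access; None means no event."""
    # Steps 1 and 2: a pair already in the table is not an event.
    if (src, dst) in table.connection_pairs(src):
        return None
    # Step 3: first contact; other anomalies raise the severity level.
    severity, reasons = 1, ["first contact between hosts"]
    if port not in table.hosts[dst].ports_served:
        severity += 1
        reasons.append(f"port {port} never served by {dst}")
    if new_peers_in_window >= FANOUT_THRESHOLD:
        severity += 2
        reasons.append(f"{src} contacted {new_peers_in_window} new hosts this window")
    # Step 4: conditions that decrease the severity level.
    if len(table.hosts[dst].peers_in) >= POPULAR_FANIN:
        severity -= 1
        reasons.append(f"{dst} is a widely used service")
    if src in allowlisted:
        severity -= 2
        reasons.append(f"{src} is an approved scanner")
    # Step 5: report only if an event is still indicated.
    if severity <= 0:
        return None
    return Event(src, dst, severity, reasons)


def detect_events(table, window_flows, allowlisted=frozenset()):
    """Evaluate every distinct (src, dst, port) in the window against the table."""
    new_peers = defaultdict(set)  # fan-out to never-seen hosts, per source
    for src, dst, _ in window_flows:
        if (src, dst) not in table.connection_pairs(src):
            new_peers[src].add(dst)
    events, seen = [], set()
    for src, dst, port in window_flows:
        if (src, dst, port) in seen:
            continue
        seen.add((src, dst, port))
        ev = evaluate_access(table, src, dst, port, len(new_peers[src]), allowlisted)
        if ev is not None:
            events.append(ev)
    return events


def warning_message(event):
    """Operator-facing warning carrying the determined severity level."""
    return (f"WARNING severity {event.severity}: {event.src} -> {event.dst} "
            f"({'; '.join(event.reasons)})")


if __name__ == "__main__":
    table = build_table(BASELINE_FLOWS)
    for ev in detect_events(table, SCAN_WINDOW):
        print(warning_message(ev))
```

Run against the constructed data, a first contact with the busy web server 10.0.0.10 on its usual port scores 1 for the new pair and loses 1 because four other clients already use it, so no warning is raised; the RDP probes from 10.0.0.9 score 4 for each new destination, and allow-listing that host only lowers them to 2, which is the behaviour the claims describe when conditions decrease the severity but an event is still indicated.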
Specification