Detection of unauthorized access in a network

US 7,461,404 B2
Filed: 11/03/2003
Issued: 12/02/2008
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

retrieving connection pairs from a connection table for a host that is attempting to gain access to another host in a networked computer system;

determining whether that one host attempting to gain access has accessed the other host accessed previously; and

if that one host has not accessed the other host previously,determining if other anomalies in the connection patterns of each host exist to establish an event severity level indicating a likelihood that the host attempting to access another host is attempting an unauthorized access,determining whether conditions exit to decrease the severity level assigned to an event; and

if an event is still indicated,sending an event warning message with a determined level of severity to an operator.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

49 Citations

View as Search Results

30 Claims

1. A computer implemented method comprising:
- retrieving connection pairs from a connection table for a host that is attempting to gain access to another host in a networked computer system;
  
  determining whether that one host attempting to gain access has accessed the other host accessed previously; and
  
  if that one host has not accessed the other host previously,determining if other anomalies in the connection patterns of each host exist to establish an event severity level indicating a likelihood that the host attempting to access another host is attempting an unauthorized access,determining whether conditions exit to decrease the severity level assigned to an event; and
  
  if an event is still indicated,sending an event warning message with a determined level of severity to an operator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein determining other anomalies includes determining whether previous connection patterns of the hosts indicate that the hosts are in roles that are not normal for the hosts.
  - 3. The method of claim 1 determining other anomalies includes determining whether the connection request uses the transport control protocol (TCP).
  - 4. The method of claim 3 determining other anomalies includes determining whether the connection requests use ports that are not well-known indicating a possible Trojan virus attack.
  - 5. The method of claim 3 determining other anomalies includes using heuristics to provide an indication to an operator that elevates severity of a possible unauthorized access event.
  - 6. The method of claim 1 wherein determining other anomalies includes determining whether the connection requests use ports that have not been used previously.
  - 7. The method of claim 1 wherein determining other anomalies includes determining if several short connections occurred over a short time period by examining connection behavior between two hosts based on connection pattern data retrieved from the connection table.
  - 8. The method of claim 1 further comprising:
    - determining whether conditions exist to decrease the severity assigned to an event.
  - 9. The method of claim 8 wherein determining whether conditions exist to decrease the severity assigned to an event, comprises:
    - determining whether the hosts are in roles that commonly access each other.
  - 10. The method of claim 8 wherein determining whether conditions exist to decrease the severity assigned to an event, comprises:
    - determining whether the host being connected to commonly receives connections from new hosts.

11. A computer program product embodied on a computer readable medium for detecting unauthorized access in a computer network comprising instructions for causing a computing device to:
- retrieve connection pairs from a connection table for a host that is attempting to gain access to another host;
  
  determine whether that one host attempting to gain access has accessed the other host accessed previously; and
  
  if that one host has not accessed the other host previously,determine if other anomalies in the connection patterns of each host exist to establish an event severity level indicating a likelihood that the host attempting to access another host is attempting an unauthorized access,determining whether conditions exit to decrease the severity level assigned to an event; and
  
  if an event is still indicated,sending an event warning message with a determined level of severity to an operator.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product of claim 11 wherein instructions to determine other anomalies includes instructions to determine whether previous connection patterns of the hosts indicate that the hosts are in roles that are not normal for the hosts.
  - 13. The computer program product of claim 11 wherein instructions to determine other anomalies includes instructions to determine whether the connection request uses the transport control protocol (TCP).
  - 14. The computer program product of claim 11 wherein instructions to determine other anomalies includes instructions to determine whether the connection requests use ports that are not well-known indicating a possible Trojan virus attack.
  - 15. The computer program product of claim 11 wherein instructions to determine includes instructions to use heuristics to provide an indication to an operator that elevates severity of a possible unauthorized access event.
  - 16. The computer program product of claim 11 wherein instructions to determine other anomalies includes instructions to determine whether the connection requests use ports that have not been used previously.
  - 17. The computer program product of claim 11 wherein instructions to determine other anomalies includes instructions to determine if several short connections occurred over a short time period by examining connection behavior between two hosts based on connection pattern data retrieved from the connection table.
  - 18. The computer program product of claim 11 further comprising instructions to:
    - determine whether conditions exist to decrease the severity assigned to an event.
  - 19. The computer program product of claim 18 wherein instructions to determine whether conditions exist to decrease the severity assigned to an event, comprises instructions to:
    - determine whether the hosts are in roles that commonly access each other.
  - 20. The computer program product of claim 18 wherein instructions to determine whether conditions exist to decrease the severity assigned to an event, comprises instructions to:
    - determine whether the host being connected to commonly receives connections from new hosts.

21. Apparatus comprising:
- a processing device;
  
  a memory;
  
  a computer readable medium storing a computer program product for detecting unauthorized access in a computer network comprising instructions for causing the device to;
  
  retrieve connection pairs from a connection table for a host that is attempting to gain access to another host;
  
  determine whether that one host attempting to gain access has accessed the other host accessed previously; and
  
  if that one host has not accessed the other host previously,determine if other anomalies in the connection patterns of each host exist to establish an event severity level indicating a likelihood that the host attempting to access another host is attempting an unauthorized access,determining whether conditions exit to decrease the severity level assigned to an event; and
  
  if an event is still indicated,sending an event warning message with a determined level of severity to an operator.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The apparatus of claim 21 wherein instructions to determine other anomalies includes instructions to determine whether previous connection patterns of the hosts indicate that the hosts are in roles that are not normal for the hosts.
  - 23. The apparatus of claim 21 wherein instructions to determine other anomalies includes instructions to determine whether the connection request uses the transport control protocol (TCP).
  - 24. The apparatus of claim 21 wherein instructions to determine other anomalies includes instructions to determine whether the connection requests use ports that are not well-known indicating a possible Trojan virus attack.
  - 25. The apparatus of claim 21 wherein instructions to determine includes instructions to use heuristics to provide an indication to an operator that elevates severity of a possible unauthorized access event.
  - 26. The apparatus of claim 21 wherein instructions to determine other anomalies includes instructions to determine whether the connection requests use ports that have not been used previously.
  - 27. The apparatus of claim 21 wherein instructions to determine other anomalies includes instructions to determine if several short connections occurred over a short time period by examining connection behavior between two hosts based on connection pattern data retrieved from the connection table.
  - 28. The apparatus of claim 21 further comprising instructions to:
    - determine whether conditions exist to decrease the severity assigned to an event.
  - 29. The apparatus of claim 28 wherein instructions to determine whether conditions exist to decrease the severity assigned to an event, comprises instructions to:
    - determine whether the hosts are in roles that commonly access each other.
  - 30. The apparatus of claim 28 wherein instructions to determine whether conditions exist to decrease the severity assigned to an event, comprises instructions to:
    - determine whether the host being connected to commonly receives connections from new hosts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Mazu Networks, Inc. (Riverbed Technology Incorporated)
Inventors
Poletto, Massimiliano Antonio, Weber, Daniel, Dudfield, Anne Elizabeth
Primary Examiner(s)
Parthasarathy; Pramila

Application Number

US10/701,400
Publication Number

US 20040215975A1
Time in Patent Office

1,856 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 69/16   Implementation or adaptatio...

H04L 69/166   IP fragmentation; TCP segme...

Detection of unauthorized access in a network

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of unauthorized access in a network

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links