Method and apparatus for capturing and filtering datagrams for network security monitoring
Abstract
A method and system for security monitoring in a computer network has a packet sink with filtering and data analysis capabilities. The packet sink is a default destination for data packets having an address unrecognized by the network routers. At the packet sink, the packets are filtered and statistical summaries about the data traffic are created. The packet sink then forwards the data to a monitor, the information content depending on the level of traffic in the network.
17 Claims

1. A method for network security monitoring in a computer network, comprising the steps of:
providing a default path in the computer network for suspect datagrams, the computer network configured as a Local Area Network (LAN);
capturing suspect datagrams transmitted on said default path, the suspect datagrams generated by clients within the computer network, the suspect datagrams having destination addresses that do not match any of the destination addresses located in routing tables of network routers within the LAN;
filtering said captured suspect datagrams and transmitting said filtered datagrams to a network monitor, wherein filtering said captured suspect datagrams comprises limiting a rate of the suspect datagrams to be transmitted to the network monitor, a quantity of suspect datagrams to be transmitted to the network monitor, a size of the suspect datagrams to be transmitted to the network monitor, and a bandwidth associated with the suspect datagrams to be transmitted to the network monitor;
wherein said providing step further comprises advertising a low-cost network perimeter route to a network router such that said router enters said low-cost network perimeter route into a routing table as said default path,
identifying, by the network monitor, a compromised client within the LAN based upon the filtered datagrams generated within the LAN and received by the network monitor, and
disabling LAN access for the compromised client within the LAN to disable further propagation of the suspect datagrams within the LAN.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)

13. A network security system, comprising:
means for providing a default path in a Local Area Network (LAN) for suspect datagrams, the suspect datagrams generated within the LAN;
means for capturing datagrams transmitted on said default path within the LAN;
means for filtering said captured datagrams and means for transmitting said filtered datagrams to a network monitor, wherein means for filtering said captured suspect datagrams comprises means for limiting a rate of the suspect datagrams to be transmitted to the network monitor, a quantity of suspect datagrams to be transmitted to the network monitor, a size of the suspect datagrams to be transmitted to the network monitor, and a bandwidth associated with the suspect datagrams to be transmitted to the network monitor;
wherein said means for providing further comprises means for advertising a low-cost network perimeter route to a network router such that said router enters said low-cost network perimeter route into a routing table as said default path,
wherein the network monitor comprises means for identifying a compromised client within the LAN based upon the filtered datagrams generated within the LAN and received by the network monitor, and
means for disabling LAN access for the compromised client within the LAN to disable further propagation of the suspect datagrams within the LAN.
(Dependent claims 14, 15, 16)

17. A computer program product having a computer-readable medium including computer program logic encoded thereon that, when performed on a computer system, directs the computer system to perform the method of:
providing a default path in a network for suspect datagrams, the computer network configured as a Local Area Network (LAN);
capturing suspect datagrams transmitted on said default path, the suspect datagrams generated by clients within the computer network, the suspect datagrams having destination addresses that do not match any of the destination addresses located in routing tables of network routers within the LAN;
filtering said captured datagrams and transmitting said filtered datagrams to a network monitor, wherein filtering said captured suspect datagrams comprises limiting a rate of the suspect datagrams to be transmitted to the network monitor, a quantity of suspect datagrams to be transmitted to the network monitor, a size of the suspect datagrams to be transmitted to the network monitor, and a bandwidth associated with the suspect datagrams to be transmitted to the network monitor;
wherein providing further comprises advertising a low-cost network perimeter route to a network router such that said router enters said low-cost network perimeter route into a routing table as said default path,
identifying, by the network monitor, a compromised client within the LAN based upon the filtered datagrams generated within the LAN and received by the network monitor, and
disabling LAN access for the compromised client within the LAN to disable further propagation of the suspect datagrams within the LAN.
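The three independent claims describe one mechanism: a packet sink advertises a default route, so datagrams whose destination matches no router prefix land on the sink; the sink applies rate, quantity, size and bandwidth limits before forwarding to a monitor, keeps traffic statistics, and the monitor flags the client behind the unroutable traffic. The following Python model is an added illustration written for this page, not code from the patent or its assignee. The router table, the `packet-sink` next-hop name, the limit values, the "distinct unroutable destinations" threshold used by the monitor and the sample traffic are all constructed assumptions; the size/bandwidth figures are toy byte counts rather than real link parameters.

```python
import ipaddress
from collections import Counter, defaultdict

SINK = "packet-sink"  # hypothetical next-hop name for the packet sink

# Constructed router table (prefix -> next hop). Only LAN prefixes are known;
# any other destination has no matching route until the sink advertises one.
ROUTER_TABLE = {"10.0.0.0/24": "local", "10.0.1.0/24": "router-b", "10.0.2.0/24": "router-b"}


def advertise_sink_route(table):
    """The sink advertises a low-cost perimeter default route; the router installs it as the default path."""
    table = dict(table)
    table["0.0.0.0/0"] = SINK
    return table


def next_hop(dst, table):
    """Longest-prefix match. A destination no router prefix covers falls through to the default route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


class Datagram:
    def __init__(self, src, dst, size, ts):
        self.src, self.dst, self.size, self.ts = src, dst, size, ts  # size in bytes, ts in seconds


class SinkFilter:
    """Applies the four limits named in the claims before anything is sent on to the monitor."""

    def __init__(self, max_rate, max_count, max_size, max_bandwidth, window=1.0):
        self.max_rate = max_rate            # datagrams per second forwarded
        self.max_count = max_count          # total datagrams forwarded
        self.max_size = max_size            # largest datagram forwarded (bytes)
        self.max_bandwidth = max_bandwidth  # bytes per second forwarded
        self.window = window
        self.forwarded, self.dropped = [], Counter()
        self.win_start = self.win_count = self.win_bytes = 0

    def accept(self, dg):
        """Return True if the datagram is forwarded to the monitor; otherwise record why it was held back."""
        if dg.ts - self.win_start >= self.window:  # open a new accounting window
            self.win_start, self.win_count, self.win_bytes = dg.ts, 0, 0
        if len(self.forwarded) >= self.max_count:
            reason = "quantity"
        elif dg.size > self.max_size:
            reason = "size"
        elif self.win_count >= self.max_rate * self.window:
            reason = "rate"
        elif self.win_bytes + dg.size > self.max_bandwidth * self.window:
            reason = "bandwidth"
        else:
            self.win_count += 1
            self.win_bytes += dg.size
            self.forwarded.append(dg)
            return True
        self.dropped[reason] += 1
        return False


def identify_compromised(forwarded, threshold):
    """Monitor side: flag a client that addressed at least `threshold` distinct unroutable destinations."""
    per_src = defaultdict(set)
    for dg in forwarded:
        per_src[dg.src].add(dg.dst)
    return sorted(src for src, dsts in per_src.items() if len(dsts) >= threshold)


def run_sink(datagrams, table, filt, threshold):
    """Capture what the default path delivers, keep per-source counts, filter, then let the monitor decide."""
    suspect_per_source = Counter()
    for dg in sorted(datagrams, key=lambda d: d.ts):
        if next_hop(dg.dst, table) != SINK:  # routable inside the LAN: never reaches the sink
            continue
        suspect_per_source[dg.src] += 1      # statistical summary kept even when not forwarded
        filt.accept(dg)
    compromised = identify_compromised(filt.forwarded, threshold)
    return {"forwarded": len(filt.forwarded), "dropped": dict(filt.dropped),
            "suspect_per_source": dict(suspect_per_source), "compromised": compromised,
            "actions": [f"disable LAN access for {c}" for c in compromised]}


def constructed_traffic():
    """Constructed sample traffic: 10.0.0.5 sweeps an unrouted range, 10.0.0.7 is a normal client."""
    dgs = [Datagram("10.0.0.7", "10.0.1.20", 500, 0.05),     # routable, stays off the sink
           Datagram("10.0.0.7", "172.16.9.9", 60, 0.15),      # one stray unroutable datagram
           Datagram("10.0.0.5", "172.16.0.200", 1500, 0.25),  # oversized probe
           Datagram("10.0.0.5", "172.16.0.4", 200, 0.3)]      # overshoots the window's byte budget
    for ts, n in [(0.0, 1), (0.1, 2), (0.2, 3), (0.4, 5), (0.5, 6), (0.6, 7)]:
        dgs.append(Datagram("10.0.0.5", f"172.16.0.{n}", 60, ts))
    n = 8
    for second, count in [(1, 6), (2, 5), (3, 5), (4, 2)]:
        for i in range(count):
            dgs.append(Datagram("10.0.0.5", f"172.16.0.{n}", 60, second + i * 0.1))
            n += 1
    return dgs


if __name__ == "__main__":
    table = advertise_sink_route(ROUTER_TABLE)
    filt = SinkFilter(max_rate=5, max_count=20, max_size=1000, max_bandwidth=400)
    print(run_sink(constructed_traffic(), table, filt, threshold=10))
```

Two points the model makes visible: the per-source counter is updated for every datagram the default path delivers, so the monitor's statistics stay complete even after the quantity cap stops forwarding, and the monitor's decision uses only the filtered subset, so the threshold has to be chosen with the forwarding limits in mind or a slow scanner could stay below it.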
Specification