Flow-based detection of network intrusions

US 7,475,426 B2
Filed: 01/18/2007
Issued: 01/06/2009
Est. Priority Date: 11/30/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:

receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;

assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;

maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and

issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.

66 Citations

View as Search Results

76 Claims

1. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
- receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;
  
  maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and
  
  issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.
- View Dependent Claims (2, 3, 4, 5, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 35, 36, 37, 38, 39, 40, 41, 42)
- - 2. The method of claim 1, wherein the predetermined C/S flow characteristic of a C/S flow is selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.
  - 3. The method of claim 1, further comprising the step of communicating a message to a firewall to drop packets going to or from the particular host in response to the alarm signal.
  - 4. The method of claim 1, wherein the alarm signal generates a notification to a network administrator.
  - 5. The method of claim 1, wherein each concern index value associated with a predetermined concern index characteristic is a predetermined fixed value.
  - 16. The method of claim 1, wherein the single service comprises a port number remaining constant for a plurality of packets.
  - 17. The method of claim 1, wherein the suspicious activity is from an inside address or from an outside address.
  - 18. The method of claim 1, wherein the concern index for a suspicious activity is derived by reference to a table of predetermined suspicious activities each having a predetermined concern index value.
  - 19. The method of claim 1, wherein the host for which the concern index is accumulated is an inside host.
  - 20. The method of claim 1, wherein the host for which the concern index is accumulated is an outside host.
  - 21. The method of claim 1, wherein the steps are carried out in a monitoring appliance.
  - 22. The method of claim 21, wherein the monitoring appliance is installed behind a firewall.
  - 23. The method of claim 21, wherein the monitoring appliance is connected before a firewall.
  - 24. The method of claim 21, wherein the monitoring appliance is connected in a DMZ.
  - 25. The method of claim 21, wherein the monitoring appliance is configured to operate as a pass-by filter.
  - 26. The method of claim 21, wherein the monitoring appliance is coupled to a network device.
  - 27. The method of claim 26, wherein the network device is selected from group comprising:
    - router, switch, hub, tap.
  - 28. The method of claim 26, wherein the network device is a network security device.
  - 29. The method of claim 1, wherein the alarm signal is provided to a utilization component.
  - 30. The method of claim 29, wherein the utilization component is selected from the group comprising:
    - network security device, email, SNMP trap message, beeper, cellphone, firewall, network monitor, user interface display to an operator.
  - 31. The method of claim 1, wherein the predetermined concern index characteristic comprises a characteristic selected from a table comprising a plurality of prestored second predetermined characteristics each having a predetermined concern index (CI) value.
  - 32. The method of claim 1, wherein the predetermined concern index characteristic comprises one or more of the following characteristics:
    - potential TCP probe, potential UDP probe, half-open attack, TCP stealth port scan, UDP stealth port scan, bad flags, short UDP, address scan, port scan.
  - 35. The method of claim 1, wherein the information corresponding to a determined C/S flow comprises flow data.
  - 36. The method of claim 35, wherein the flow data comprises information identifying two hosts on the network and statistics associated with the exchange of a plurality of packets between the two hosts.
  - 37. The method of claim 35, wherein the flow data is provided via a flow data structure that receives input from a packet classifier.
  - 38. The method of claim 37, further comprising the steps of:
    - updating the flow data structure to insert a new record upon the detection of a new C/S flow, andupdating information in an existing record in the flow data structure based upon receipt of data associated with a packet of a C/S flow already having a record in the flow data structure.
  - 39. The method of claim 1, wherein the information corresponding to a determined C/S flow comprises host data.
  - 40. The method of claim 39, wherein the host data comprises information corresponding to a particular host on the network identified as participating in at least one C/S flow, statistics associated with communications involving the particular host, and the accumulated concern index associated with the particular host.
  - 41. The method of claim 39, wherein the host data is provided via a host data structure that receives input from a packet classifier.
  - 42. The method of claim 41, further comprising the steps of:
    - updating the host data structure to insert a new record upon the identification of a new host participating in a C/S flow, andupdating information in an existing record in the host data structure based upon receipt of an incremental addition to a concern index value for a particular host already having a record in the host data structure.

6. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
- receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  based on received information corresponding to a determined C/S flow, assigning a concern index value to the determined C/S flow based on a predetermined concern index characteristic of the C/S flow;
  
  maintaining an accumulated concern index from C/S flows that are associated with a particular host;
  
  issuing an alarm signal in the event that the accumulated concern index for the particular host exceeds an alarm threshold value; and
  
  in response to the alarm signal, sending a message to a utilization component.
- View Dependent Claims (7, 12, 33, 34, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 7. The method of claim 6, wherein the utilization component is selected from the group comprising:
    - network security device, email, SNMP trap message, beeper, cellphone, firewall, network monitor, user interface display to an operator.
  - 12. The method of claim 6, wherein a C/S flow is characterized by a predetermined C/S flow characteristic selected from the group comprising:
    - the elapse of predetermined period of time where no packets are exchanged between two hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.
  - 33. The method of claim 6, wherein the predetermined concern index characteristic comprises a characteristic selected from a table comprising a plurality of prestored second predetermined characteristics each having a predetermined concern index (CI) value.
  - 34. The method of claim 6, wherein the predetermined concern index characteristic comprises one or more of the following characteristics:
    - potential TCP probe, potential UDP probe, half-open attack, TCP stealth port scan, UDP stealth port scan, bad flags, short UDP, address scan, port scan.
  - 43. The method of claim 6, further comprising the step of collecting C/S flow data from packet headers in a determined C/S flow.
  - 44. The method of claim 6, wherein the information corresponding to a determined C/S flow comprises flow data.
  - 45. The method of claim 44, wherein the flow data comprises information identifying two hosts on the network and statistics associated with the exchange of a plurality of packets between the two hosts.
  - 46. The method of claim 44, wherein the flow data is provided via a flow data structure that receives input from a packet classifier.
  - 47. The method of claim 46, further comprising the steps of:
    - updating the flow data structure to insert a new record upon the detection of a new C/S flow, andupdating information in an existing record in the flow data structure based upon receipt of data associated with a packet of a C/S flow already having a record in the flow data structure.
  - 48. The method of claim 6, wherein the information corresponding to a determined C/S flow comprises host data.
  - 49. The method of claim 48, wherein the host data comprises information corresponding to a particular host on the network identified as participating in at least one C/S flow, statistics associated with communications involving the particular host, and the accumulated concern index associated with the particular host.
  - 50. The method of claim 48, wherein the host data is provided via a host data structure that receives input from a packet classifier.
  - 51. The method of claim 50, further comprising the steps of:
    - updating the host data structure to insert a new record upon the identification of a new host participating in a C/S flow, andupdating information in an existing record in the host data structure based upon receipt of an incremental addition to a concern index value for a particular host already having a record in the host data structure.

8. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
- receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets that are (i) exchanged between two hosts each having a particular Internet Protocol (IP) address on the data communication network and (ii) exchanged between a particular port, of a particular one of the hosts, that remains constant during the plurality of packets;
  
  based on received information corresponding to a determined C/S flow, assigning a concern index value to the determined C/S flow;
  
  maintaining a host data structure containing accumulated concern index values from a plurality of determined C/S flows that are associated with the particular host; and
  
  issuing an alarm in the event that the accumulated concern index values for the particular host has exceeded an alarm threshold value.
- View Dependent Claims (9, 13, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 9. The method of claim 8, wherein each concern index value associated with a respective potential suspicious activity is a predetermined fixed value.
  - 13. The method of claim 8, wherein a C/S flow is characterized by a predetermined C/S flow characteristic selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.
  - 52. The method of claim 8, further comprising the step of collecting C/S flow data from packet headers in a determined C/S flow.
  - 53. The method of claim 8, wherein the information corresponding to a determined C/S flow comprises flow data.
  - 54. The method of claim 53, wherein the flow data comprises information identifying two hosts on the network and statistics associated with the exchange of a plurality of packets between the two hosts.
  - 55. The method of claim 53, wherein the flow data is provided via a flow data structure that receives input from a packet classifier.
  - 56. The method of claim 55, further comprising the steps of:
    - updating the flow data structure to insert a new record upon the detection of a new C/S flow, andupdating information in an existing record in the flow data structure based upon receipt of data associated with a packet of a C/S flow already having a record in the flow data structure.
  - 57. The method of claim 8, wherein the information corresponding to a determined C/S flow comprises host data.
  - 58. The method of claim 57, wherein the host data comprises information corresponding to a particular host on the network identified as participating in at least one C/S flow, statistics associated with communications involving the particular host, and the accumulated concern index associated with the particular host.
  - 59. The method of claim 8, wherein the host data structure receives input from a packet classifier.
  - 60. The method of claim 8, further comprising the steps of:
    - updating the host data structure to insert a new record upon the identification of a new host participating in a C/S flow, andupdating information in an existing record in the host data structure based upon receipt of an incremental addition to a concern index value for a particular host already having a record in the host data structure.

10. A system for analyzing network communication traffic and determining potential suspicious activity, comprising:
- a computer system operative to;
  
  a) receive information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  b)analyze C/S flows in order to assign a concern index value to a C/S flow that may signify potential suspicious activity, wherein each concern index value associated with a respective potential suspicious activity is of a predetermined fixed value;
  
  d) generate an alarm signal in response to cumulated concern index values; and
  
  a communication system coupled to the computer system operative to receive the information corresponding to client/server (C/S) flows communicated between hosts on the network.
- View Dependent Claims (14, 61, 62, 63, 64, 65, 66, 67, 68)
- - 14. The system of claim 10, wherein a C/S flow is characterized by a predetermined C/S flow characteristic selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.
  - 61. The system of claim 10, wherein the information corresponding to a determined C/S flow comprises flow data.
  - 62. The system of claim 61, wherein the flow data comprises information identifying two hosts on the network and statistics associated with the exchange of a plurality of packets between the two hosts.
  - 63. The system of claim 61, wherein the flow data is provided via a flow data structure that receives input from a packet classifier.
  - 64. The system of claim 63, wherein the computer system is further operative to:
    - update the flow data structure to insert a new record upon the detection of a new C/S flow, andupdate information in an existing record in the flow data structure based upon receipt of data associated with a packet of a C/S flow already having a record in the flow data structure.
  - 65. The system of claim 10, wherein the information corresponding to a determined C/S flow comprises host data.
  - 66. The system of claim 65, wherein the host data comprises information corresponding to a particular host on the network identified as participating in at least one C/S flow, statistics associated with communications involving the particular host, and an accumulated concern index associated with the particular host.
  - 67. The system of claim 65, wherein the host data is provided via a host data structure that receives input from a packet classifier.
  - 68. The system of claim 67, wherein the computer system is further operative to:
    - update the host data structure to insert a new record upon the identification of a new host participating in a C/S flow, andupdate information in an existing record in the host data structure based upon receipt of an incremental addition to a concern index value for a particular host already having a record in the host data structure.

11. A system for analyzing network communication traffic and determining potential suspicious activity, comprising:
- a processor operative to;
  
  a) receive information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
  
  b) maintain a flow data structure for storing data corresponding to a plurality of C/S flows;
  
  c) analyze the data in the flow data structure in order to assign a concern index value to a C/S flow that may signify potential suspicious activity, wherein each concern index value associated with a respective potential suspicious activity is of a predetermined fixed value;
  
  d) cumulate assigned concern index values of one or more C/S flows associated with a particular host;
  
  e) maintain a host data structure for storing data associating a cumulated concern index value with each one of a plurality of hosts; and
  
  f) generate an alarm signal in response to cumulated concern index values in the host data structure;
  
  a memory coupled to the processor and operative to store the flow data structure and the host data structure; and
  
  a network interface coupled to the processor operative to receive the information corresponding to a determined C/S flow.
- View Dependent Claims (15, 69, 70, 71, 72, 73, 74, 75, 76)
- - 15. The system of claim 11, wherein a C/S flow is characterized by a predetermined C/S flow characteristic selected from the group comprising:
    - the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a given port, and the occurrence of a RESET packet.
  - 69. The system of claim 11, wherein the information corresponding to a determined C/S flow comprises flow data that is stored in the flow data structure.
  - 70. The system of claim 69, wherein the flow data comprises information identifying two hosts on the network and statistics associated with the exchange of a plurality of packets between the two hosts.
  - 71. The system of claim 69, wherein the flow data is provided from a packet classifier.
  - 72. The system of claim 69, wherein the processor is further operative to:
    - update the flow data structure to insert a new record upon the detection of a new C/S flow, andupdate information in an existing record in the flow data structure based upon receipt of data associated with a packet of a C/S flow already having a record in the flow data structure.
  - 73. The system of claim 11, wherein the information corresponding to a determined C/S flow comprises host data that is stored in the host data structure.
  - 74. The system of claim 73, wherein the host data comprises information corresponding to a particular host on the network identified as participating in at least one C/S flow, statistics associated with communications involving the particular host, and the cumulated concern index value associated with the particular host.
  - 75. The system of claim 73, wherein the host data is provided from a packet classifier.
  - 76. The system of claim 11, wherein the processor is further operative to:
    - update the host data structure to insert a new record upon the identification of a new host participating in a C/S flow, andupdate information in an existing record in the host data structure based upon receipt of an incremental addition to a concern index value for a particular host already having a record in the host data structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Lancope, Inc. (Cisco Systems, Inc.)
Inventors
Copeland, John A. III
Primary Examiner(s)
Kincaid; Kristine
Assistant Examiner(s)
Baum; Ronald

Application Number

US11/624,441
Publication Number

US 20070180526A1
Time in Patent Office

719 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1441 Countermeasures against mal...

Flow-based detection of network intrusions

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

76 Claims

Specification

Solutions

Use Cases

Quick Links

Flow-based detection of network intrusions

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

76 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links