Packet sampling flow-based detection of network intrusions
First Claim
1. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
receiving sampling information from a plurality of sampling devices corresponding to a sampling of packets constituting the network communication traffic, the sampling information being provided in an sFlow datagram;
in response to the sampling information, determining a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between two hosts on the network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;
maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and
issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.
12 Assignments
0 Petitions
Abstract
A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.
147 Citations
Claims (123)
1. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
receiving sampling information from a plurality of sampling devices corresponding to a sampling of packets constituting the network communication traffic, the sampling information being provided in an sFlow datagram;
in response to the sampling information, determining a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between two hosts on the network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;
maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and
issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.
Dependent claims: 2-30.
31. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
receiving sampled packet headers from a plurality of sampling devices corresponding to a sampling of packets constituting the network communication traffic, the sampling information provided in an sFlow datagram;
in response to the sampled packet headers, determining a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between two hosts on the network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
collecting C/S flow data from packet headers of the packets in the determined C/S flow;
based on the collected C/S flow data, assigning a concern index value to a determined C/S flow based on a predetermined concern index characteristic of the C/S flow;
maintaining an accumulated concern index from C/S flows that are associated with a particular host;
issuing an alarm signal in the event that the accumulated concern index for the particular host exceeds an alarm threshold value; and
in response to the alarm signal, sending a message to a utilization component.
Dependent claims: 32-43.
44. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
receiving sampling information from a plurality of sampling devices corresponding to a sampling of packets constituting the network communication traffic, the sampling information being provided in a predetermined format;
in response to the sampling information, determining a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between two hosts on the network that relate to a single service and is characterized by a predetermined C/S flow characteristic, the C/S flow determined by aggregating sampling information from the plurality of sampling devices into a single flow;
assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;
maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and
issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.
Dependent claims: 45-73.
74. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
receiving sampled packet headers from a plurality of sampling devices corresponding to a sampling of packets constituting the network communication traffic, the sampling information provided in a predetermined format;
in response to the sampled packet headers, determining a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between two hosts on the network that relate to a single service and is characterized by a predetermined C/S flow characteristic, by aggregating sampling information from the plurality of sampling devices into a single flow;
collecting C/S flow data from packet headers of the packets in the determined C/S flow;
based on the collected C/S flow data, assigning a concern index value to a determined C/S flow based on a predetermined concern index characteristic of the C/S flow;
maintaining an accumulated concern index from C/S flows that are associated with a particular host;
issuing an alarm signal in the event that the accumulated concern index for the particular host exceeds an alarm threshold value; and
in response to the alarm signal, sending a message to a utilization component.
Dependent claims: 75-86.
87. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
receiving sampling information from a plurality of sampling devices corresponding to a sampling of packets constituting the network communication traffic, the sampling information being provided in a predetermined format;
in response to the sampling information, determining a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between two hosts on the network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;
increasing the concern index value associated with a particular host based on the occurrence of a minimum number of multiple samples of a predetermined event derived from the determined C/S flow, wherein the minimum number of predetermined events is based on a sample rate and threshold value;
maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and
issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.
Dependent claims: 88-113.
114. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
receiving sampled packet headers from a plurality of sampling devices corresponding to a sampling of packets constituting the network communication traffic, the sampling information provided in a predetermined format;
in response to the sampled packet headers, determining a client/server (C/S) flow corresponding to a predetermined plurality of packets exchanged between two hosts on the network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
collecting C/S flow data from packet headers of the packets in the determined C/S flow;
based on the collected C/S flow data, assigning a concern index value to a determined C/S flow based on a predetermined concern index characteristic of the C/S flow;
increasing the concern index value associated with a particular host based on the occurrence of a minimum number of multiple samples of a predetermined event derived from the determined C/S flow, wherein the minimum number of predetermined events is based on a sample rate and threshold value;
maintaining an accumulated concern index from C/S flows that are associated with a particular host;
issuing an alarm signal in the event that the accumulated concern index for the particular host exceeds an alarm threshold value; and
in response to the alarm signal, sending a message to a utilization component.
Dependent claims: 115-123.
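The independent claims above describe one pipeline: packet samples from several sampling devices are merged into client/server flows (claims 44 and 74 make the cross-device aggregation explicit), each flow is scored against a concern-index characteristic, the scores accumulate per host, and an alarm is issued once a host's total passes a threshold; claims 87 and 114 add that an event only counts after a minimum number of samples that is derived from the sampling rate and a threshold, and claims 31, 74 and 114 forward the alarm to a utilization component. The following is an added worked example in Python and is not code from the patent or from any product built on it. The sample records are constructed and already decoded (agent, 1-in-N sampling rate, IP/TCP header fields) rather than raw sFlow datagrams, the lower-port-is-the-service heuristic, the single "unanswered SYN" characteristic, and every numeric weight and threshold are assumptions chosen for illustration.

```python
"""Concern-index scoring over sampled packets, in the style of the claims above.

Added example, not code from the patent. Sample records are constructed,
pre-decoded stand-ins for sFlow packet samples; real sFlow v5 datagrams carry
raw header bytes that a collector must decode first.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    agent: str    # sampling device that emitted the record
    rate: int     # 1-in-N sampling rate the agent reports for this sample
    src: str
    dst: str
    sport: int
    dport: int
    flags: str    # TCP flags from the sampled header, e.g. "S", "SA", "PA"


# Tunables. The patent fixes no numeric values; these are assumptions.
CI_SYN_NO_REPLY = 10       # concern index for a flow of unanswered SYNs
ALARM_THRESHOLD = 40       # per-host accumulated concern index that raises an alarm
MIN_EVENT_PACKETS = 200    # estimated packets an event needs before it counts


def flow_key(s):
    """Map a sample to its client/server flow: (client, server, service port).

    Assumption: the lower-numbered port is the service and its holder is the
    server, so both directions of a connection collapse to one key."""
    if s.dport <= s.sport:
        return (s.src, s.dst, s.dport)
    return (s.dst, s.src, s.sport)


def aggregate(samples):
    """Merge samples from every agent into per-flow statistics.

    Each sample stands for roughly `rate` packets, so packet counts are
    estimated as the sum of the rates of the samples seen. That realises the
    'minimum number of samples based on sample rate and threshold': at 1-in-100
    MIN_EVENT_PACKETS=200 needs two SYN samples, at 1-in-200 one suffices."""
    flows = defaultdict(lambda: {"agents": set(), "est_pkts": 0,
                                 "est_syn_pkts": 0, "synack_samples": 0})
    for s in samples:
        client, server, service = flow_key(s)
        f = flows[(client, server, service)]
        f["agents"].add(s.agent)
        f["est_pkts"] += s.rate
        if s.src == client and s.flags == "S":
            f["est_syn_pkts"] += s.rate        # client-side connection attempt
        elif s.src == server and "S" in s.flags and "A" in s.flags:
            f["synack_samples"] += 1           # server answered: a live service
    return flows


def concern_index(f):
    """Score one C/S flow. One characteristic is modelled: a client that sends
    enough SYNs to a service that never answers with a SYN/ACK."""
    if f["est_syn_pkts"] >= MIN_EVENT_PACKETS and f["synack_samples"] == 0:
        return CI_SYN_NO_REPLY
    return 0


def detect(samples):
    """Full pipeline: aggregate flows, score them, accumulate per client host.

    Returns (host_ci, alarms); each alarm is the message that would go to a
    utilization component, here a plain dict."""
    host_ci = defaultdict(int)
    for (client, _server, _service), f in aggregate(samples).items():
        host_ci[client] += concern_index(f)
    alarms = [{"host": h, "concern_index": ci}
              for h, ci in sorted(host_ci.items()) if ci > ALARM_THRESHOLD]
    return dict(host_ci), alarms


# Constructed samples: two agents with different sampling rates see one server.
SAMPLES = [
    # 10.0.0.7 probes six services on 10.0.0.50 and never gets a SYN/ACK back.
    Sample("sw1", 100, "10.0.0.7", "10.0.0.50", 40001, 22, "S"),
    Sample("sw2", 200, "10.0.0.7", "10.0.0.50", 40001, 22, "S"),   # same flow, other agent
    Sample("sw1", 100, "10.0.0.7", "10.0.0.50", 40002, 80, "S"),
    Sample("sw1", 100, "10.0.0.7", "10.0.0.50", 40003, 80, "S"),
    Sample("sw1", 100, "10.0.0.7", "10.0.0.50", 40004, 443, "S"),
    Sample("sw1", 100, "10.0.0.7", "10.0.0.50", 40005, 443, "S"),
    Sample("sw2", 200, "10.0.0.7", "10.0.0.50", 40006, 3389, "S"),
    Sample("sw2", 200, "10.0.0.7", "10.0.0.50", 40007, 8080, "S"),
    Sample("sw1", 100, "10.0.0.7", "10.0.0.50", 40008, 445, "S"),  # one sample: below minimum
    # 10.0.0.21 opens a normal HTTPS session: SYN, SYN/ACK, then data.
    Sample("sw1", 100, "10.0.0.21", "10.0.0.50", 51000, 443, "S"),
    Sample("sw1", 100, "10.0.0.50", "10.0.0.21", 443, 51000, "SA"),
    Sample("sw1", 100, "10.0.0.21", "10.0.0.50", 51000, 443, "PA"),
    # 10.0.0.33 shows a single unanswered SYN sample: too little evidence at 1-in-100.
    Sample("sw1", 100, "10.0.0.33", "10.0.0.50", 52000, 80, "S"),
]

if __name__ == "__main__":
    ci, alarms = detect(SAMPLES)
    for host, value in sorted(ci.items()):
        print(f"{host:<12} concern index {value}")
    for a in alarms:
        print("ALARM", a)
```

Running the block scores 10.0.0.7 at 50 (five flows of unanswered SYNs at 10 each; the single sample on port 445 stays below the rate-scaled minimum and contributes nothing), leaves the legitimate client and the host with one stray SYN at 0, and emits one alarm. Scaling the evidence by the sampling rate is what keeps a one-off sampled SYN from raising concern, and the same scaling is why the 1-in-200 agent's single samples on ports 3389 and 8080 are enough: each stands for roughly as many packets as two samples from the 1-in-100 agent.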
Specification