Network surveillance using long-term and short-term statistical profiles to determine suspicious network activity

US 7,594,260 B2
Filed: 05/05/2003
Issued: 09/22/2009
Est. Priority Date: 11/09/1998
Status: Expired due to Fees

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of network surveillance, comprising:

monitoring an event stream derived from network packets;

building a long-term statistical profile and multiple short-term statistical profiles from at least one measure of said event stream;

comparing one of the multiple short-term statistical profiles with the long-term statistical profile; and

determining whether the difference between the one of the multiple short-term statistical profiles and the long-term statistical profile indicates suspicious network activity.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and a least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.

Citations

38 Claims

1. A method of network surveillance, comprising:
- monitoring an event stream derived from network packets;
  
  building a long-term statistical profile and multiple short-term statistical profiles from at least one measure of said event stream;
  
  comparing one of the multiple short-term statistical profiles with the long-term statistical profile; and
  
  determining whether the difference between the one of the multiple short-term statistical profiles and the long-term statistical profile indicates suspicious network activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein said network packets are one or more TCP/IP packets.
  - 3. The method of claim 1, wherein said at least one measure monitors data transfers by monitoring said event stream as derived from one or more network packet data transfer commands.
  - 4. The method of claim 1, wherein said at least one measure monitors data transfers by monitoring said event stream as derived from one or more network packet data transfer errors.
  - 5. The method of claim 1, wherein said at least one measure monitors data transfers by monitoring said event stream as derived from a network packet data transfer volume.
  - 6. The method of claim 1, wherein said at least one measure monitors network connections by monitoring said event stream as derived from one or more network connection requests.
  - 7. The method of claim 1, wherein said at least one measure monitors network connections by monitoring said event stream as derived from one or more network connection denials.
  - 8. The method of claim 1, wherein said at least one measure monitors network connections by monitoring said event stream as derived from a correlation of one or more network connections requests and one or more network connection denials.
  - 9. The method of claim 1, wherein said at least one measure monitors errors by monitoring said event stream as derived from one or more error codes included in a network packet.
  - 10. The method of claim 9, wherein at least one of the one or more error codes comprises a privilege error code.
  - 11. The method of claim 9, wherein at least one of the one or more error codes comprises an error code indicating a reason a packet was rejected.

12. A method of network surveillance, comprising:
- receiving network packets handled by a network entity;
  
  partitioning the network packets into one or more sessions representing a communication transaction between two hosts;
  
  building at least one short-term statistical profile and at least one long-term statistical profile from at least one measure of the network packets;
  
  comparing at least one long-term and at least one short-term statistical profile; and
  
  determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 13. The method of claim 12, wherein said at least one measure monitors network connections by monitoring one or more source port numbers and one or more destination port numbers included in a network packet.
  - 14. The method of claim 13, further comprising:
    - using said one or more source port numbers and said one or more destination port numbers to determine one or more port numbers on a host to which an administrator has not assigned any network service.
  - 15. The method of claim 14, wherein the long-term statistical profile is a set of one or more allowed network service ports.
  - 16. The method of claim 12, wherein said receiving network packets comprises receiving only a network packet header for each of said network packets.
  - 17. The method of claim 12, wherein said partitioning further comprises determining from the network packets which of the two hosts is a client and which of the two hosts is a server in a given one of the one or more sessions.
  - 18. The method of claim 12, wherein said at least one measure monitors data transfers by monitoring one or more network packet data transfer commands.
  - 19. The method of claim 12, wherein said at least one measure monitors data transfers by monitoring one or more network packet data transfer errors.
  - 20. The method of claim 12, wherein said at least one measure monitors data transfers by monitoring a network packet data transfer volume.
  - 21. The method of claim 12, wherein said at least one measure monitors network connections by monitoring one or more network connection requests.
  - 22. The method of claim 12, wherein said at least one measure monitors network connections by monitoring network one or more connection denials.
  - 23. The method of claim 12, wherein said at least one measure monitors network connections by monitoring a correlation of one or more network connections requests and one or more network connection denials.
  - 24. The method of claim 12, wherein said at least one measure monitors errors by monitoring one or more error codes included in a network packet.
  - 25. The method of claim 24, wherein at least one of the one or more error codes comprises a privilege error code.
  - 26. The method of claim 24, wherein at least one of the one or more error codes comprises an error code indicating a reason a packet was rejected.

27. A method of network surveillance, comprising:
- monitoring network packets handled by a network entity;
  
  building at least one long-term statistical profile and at least one short-term statistical profile from at least one measure of the network packets, wherein said building step accounts for a timing of said network packets being received by the network entity;
  
  comparing said at least one short-term statistical profile with said at least one long-term statistical profile; and
  
  determining whether the difference between said at least one short-term statistical profile and said at least one long-term statistical profile indicates suspicious network activity.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 28. The method of claim 27, wherein a plurality of different long-term statistical profiles are maintained for each hour of a day.
  - 29. The method of claim 27, wherein said building comprises allocating one or more bins based on a continuous measure of the network packets and tracking a frequency of observation of one or more values corresponding to said one or more bins.
  - 30. The method of claim 27, wherein said at least one measure monitors data transfers by monitoring one or more network packet data transfer commands.
  - 31. The method of claim 27, wherein said at least one measure monitors data transfers by monitoring one or more network packet data transfer errors.
  - 32. The method of claim 27, wherein said at least one measure monitors data transfers by monitoring a network packet data transfer volume.
  - 33. The method of claim 27, wherein said at least one measure monitors network connections by monitoring one or more network connection requests.
  - 34. The method of claim 27, wherein said at least one measure monitors network connections by monitoring one or more network connection denials.
  - 35. The method of claim 27, wherein said at least one measure monitors network connections by monitoring a correlation of one or more network connections requests and one or more network connection denials.
  - 36. The method of claim 27, wherein said at least one measure monitors errors by monitoring one or more error codes included in a network packet.
  - 37. The method of claim 36, wherein at least one of the one or more error codes comprises a privilege error code.
  - 38. The method of claim 36, wherein at least one of the one or more error codes comprises an error code indicating a reason a packet was rejected.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip Andrew, Valdes, Alfonso
Primary Examiner(s)
Perveen, Rehana
Assistant Examiner(s)
Chang, Eric

Application Number

US10/429,611
Publication Number

US 20040010718A1
Time in Patent Office

2,332 Days
Field of Search

709223-225, 713/200, 713/201, 726/13
US Class Current

726/13
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/0811   by checking connectivity

H04L 43/0888   Throughput

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Network surveillance using long-term and short-term statistical profiles to determine suspicious network activity

First Claim

1 Assignment

Litigations

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Network surveillance using long-term and short-term statistical profiles to determine suspicious network activity

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links