Network surveillance using long-term and short-term statistical profiles to determine suspicious network activity
DCFirst Claim
Patent Images
1. A method of network surveillance, comprising:
- monitoring an event stream derived from network packets;
building a long-term statistical profile and multiple short-term statistical profiles from at least one measure of said event stream;
comparing one of the multiple short-term statistical profiles with the long-term statistical profile; and
determining whether the difference between the one of the multiple short-term statistical profiles and the long-term statistical profile indicates suspicious network activity.
1 Assignment
Litigations
0 Petitions
Accused Products
Abstract
A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and a least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.
-
Citations
38 Claims
-
1. A method of network surveillance, comprising:
-
monitoring an event stream derived from network packets; building a long-term statistical profile and multiple short-term statistical profiles from at least one measure of said event stream; comparing one of the multiple short-term statistical profiles with the long-term statistical profile; and determining whether the difference between the one of the multiple short-term statistical profiles and the long-term statistical profile indicates suspicious network activity. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A method of network surveillance, comprising:
-
receiving network packets handled by a network entity; partitioning the network packets into one or more sessions representing a communication transaction between two hosts; building at least one short-term statistical profile and at least one long-term statistical profile from at least one measure of the network packets; comparing at least one long-term and at least one short-term statistical profile; and determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
-
-
27. A method of network surveillance, comprising:
-
monitoring network packets handled by a network entity; building at least one long-term statistical profile and at least one short-term statistical profile from at least one measure of the network packets, wherein said building step accounts for a timing of said network packets being received by the network entity; comparing said at least one short-term statistical profile with said at least one long-term statistical profile; and determining whether the difference between said at least one short-term statistical profile and said at least one long-term statistical profile indicates suspicious network activity. - View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
-
Specification