Data collectors in connection-based intrusion detection
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.
13 Citations

Claims (26 in total; the independent claims 1, 8, 15 and 19 follow)
1. A collector device comprises:

a processor; and

a memory, the memory executing a computer program product to collect statistical information on packets that are sent between nodes on a network, including instructions to:

determine which host in a host connection pair is performing a server process, and which host in the host connection pair is performing a client process, by determining what protocol was used in establishing a network connection for the host connection pair; and

if the protocol is not a connection based protocol and involves at least two ports, neither of which is known, determine the ports that the hosts communicate over, determine the port number for each of the at least two ports, and report in the statistical information the host that communicates using the lower port number of the two port numbers as performing the server process or the host that communicates using the higher port number of the two port numbers as performing the client process.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method executed on a computing device comprises:

collecting statistical information on packets that are sent between nodes on a network; and

determining which host in a host connection pair is performing a server process, and which host in the host connection pair is performing a client process, by determining what protocol was used in establishing a network connection for the host connection pair; and

determining whether the protocol is a connection based protocol, and if the protocol is not a connection based protocol and involves at least two ports, neither of which is known: determining the ports that the hosts communicate over; determining the port number for each of the at least two ports; and reporting in the statistical information the host that communicates using the lower of the two port numbers as performing the server process or the host that communicates using the higher of the two port numbers as performing the client process.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A device comprises:

circuitry to collect statistical information on packets that are sent between nodes on a network;

circuitry to determine from the statistical information which host in a host connection pair is performing a server process, and which host in the host connection pair is performing a client process;

circuitry to determine what protocol was used in establishing a network connection for the host connection pair; and

circuitry to determine whether the protocol is a connection based protocol, and circuitry, responsive to an outcome from the circuitry to determine whether the protocol is connection based, to determine the ports that the hosts communicate over if the protocol is not connection based and involves at least two ports, neither of which is known;

circuitry to determine the port number for each of the at least two ports; and

circuitry to report in the statistical information the host that communicates using the lower of the two port numbers as performing the server process or the host that communicates using the higher of the two port numbers as performing the client process.

Dependent claims: 16, 17, 18, 26.
19. A computer readable medium tangibly storing a computer program product for detecting intrusions in a network, comprises instructions for causing a processor to:

collect statistical information on packets that are sent between nodes on a network;

determine which host in a host connection pair is performing a server process, and which host in the host connection pair is performing a client process, by determining what protocol was used in establishing a network connection for the host connection pair; and

wherein, if the protocol is not a connection based protocol and involves at least two ports, neither of which is known, the instructions determine the ports that the hosts communicate over, determine the port number for each of the at least two ports, and report in the statistical information the host that communicates using the lower of the two port numbers as performing the server process or the host that communicates using the higher of the two port numbers as performing the client process.

Dependent claims: 20, 21, 22, 23, 24, 25.
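The four independent claims above describe one procedure: a collector decides which host of a connection pair is the server and which is the client, using the connection-establishing protocol where there is one, and otherwise (for a connectionless protocol whose two ports are both unknown) treating the host on the lower port number as the server and the host on the higher port number as the client. The following Python is an added worked example of that role-inference rule together with the per-host role counts a collector would report; it is not code from the patent or its assignee. Its table of "known" ports, the sample flows, and the use of the TCP handshake initiator to identify the connection-establishing side are assumptions made for the example; the claims do not specify them.

```python
"""Server/client role inference for a host connection pair (added example)."""

from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed table of well-known UDP service ports used by this example.
KNOWN_PORTS = frozenset({53, 67, 68, 69, 123, 161, 162, 500, 514, 1812, 1813})

# Protocols in which a connection is explicitly established before data flows.
CONNECTION_BASED = frozenset({"tcp"})


@dataclass(frozen=True)
class FlowSample:
    """One observed host connection pair (constructed input, not a real capture)."""
    host_a: str
    port_a: int
    host_b: str
    port_b: int
    protocol: str                    # "tcp" or "udp"
    initiator: Optional[str] = None  # host that opened the connection (for TCP, sent the SYN);
                                     # assumption: supplied by the capture layer


@dataclass(frozen=True)
class RoleRecord:
    server: str
    server_port: int
    client: str
    client_port: int
    basis: str  # which rule decided the roles


def classify_roles(flow: FlowSample) -> Optional[RoleRecord]:
    """Return the server/client assignment for a flow, or None if it cannot be decided."""
    if flow.protocol in CONNECTION_BASED:
        # Connection-based protocol: the host that established the connection is the
        # client and its peer is the server.  Using the handshake initiator for this is
        # an assumption; the claims only say the establishing protocol decides.
        if flow.initiator == flow.host_a:
            return RoleRecord(flow.host_b, flow.port_b, flow.host_a, flow.port_a,
                              "connection establishment")
        if flow.initiator == flow.host_b:
            return RoleRecord(flow.host_a, flow.port_a, flow.host_b, flow.port_b,
                              "connection establishment")
        return None  # TCP flow seen mid-stream without its handshake

    # Connectionless protocol (UDP): fall back to the port numbers.
    a_known = flow.port_a in KNOWN_PORTS
    b_known = flow.port_b in KNOWN_PORTS
    if a_known and not b_known:
        return RoleRecord(flow.host_a, flow.port_a, flow.host_b, flow.port_b, "known port")
    if b_known and not a_known:
        return RoleRecord(flow.host_b, flow.port_b, flow.host_a, flow.port_a, "known port")

    # Neither port known (and, by assumption, also when both are): the claims' rule is that
    # the host on the lower port is the server and the host on the higher port the client.
    if flow.port_a == flow.port_b:
        return None  # equal ports: the lower/higher rule cannot decide (not covered by the claims)
    if flow.port_a < flow.port_b:
        return RoleRecord(flow.host_a, flow.port_a, flow.host_b, flow.port_b, "lower port")
    return RoleRecord(flow.host_b, flow.port_b, flow.host_a, flow.port_a, "lower port")


def role_statistics(flows):
    """Per-host counts of server and client roles: the 'statistical information' a collector
    would forward to an aggregator.  Returns (counts, number of undecidable flows)."""
    stats = defaultdict(Counter)
    undecided = 0
    for flow in flows:
        rec = classify_roles(flow)
        if rec is None:
            undecided += 1
            continue
        stats[rec.server]["server"] += 1
        stats[rec.client]["client"] += 1
    return {host: dict(c) for host, c in stats.items()}, undecided


# Constructed sample flows (not from a real network).
SAMPLE_FLOWS = [
    FlowSample("10.0.0.5", 51234, "10.0.0.9", 443, "tcp", initiator="10.0.0.5"),
    FlowSample("10.0.0.5", 53211, "10.0.0.2", 53, "udp"),    # one known port (DNS)
    FlowSample("10.0.0.5", 40000, "10.0.0.9", 6000, "udp"),  # neither known: lower port is server
    FlowSample("10.0.0.7", 7000, "10.0.0.9", 7000, "udp"),   # equal ports: undecidable
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", classify_roles(f))
    print(role_statistics(SAMPLE_FLOWS))
```

The equal-port and handshake-less TCP cases are returned as undecidable rather than guessed, and the `basis` field records which rule produced each assignment, so an aggregator consuming these records can weight a heuristic "lower port" verdict differently from one backed by an observed connection establishment.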
Specification