Data collectors in connection-based intrusion detection

US 7,664,963 B2
Filed: 11/03/2003
Issued: 02/16/2010
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A collector device comprises:

a processor; and

a memory, the memory executing a computer program product to collect statistical information on packets that are sent between nodes on a network, including instructions to;

determine, which host in a host connection pair is performing a server process, and which host in the host connection pair is performing a client process, by determining what protocol was used in establishing a network connection for the host connection pair; and

if the protocol is not a connection based protocol and involves at least two ports, neither of which is known,determine the ports that the hosts communicate over,determine the port number for each of the at least two ports, andreport in the statistical information, the host that communicates using a lower port number of the two port numbers as performing the server process or the host that communicates using a higher port number of the two port numbers as performing the client process.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

13 Citations

View as Search Results

26 Claims

1. A collector device comprises:
- a processor; and
  
  a memory, the memory executing a computer program product to collect statistical information on packets that are sent between nodes on a network, including instructions to;
  
  determine, which host in a host connection pair is performing a server process, and which host in the host connection pair is performing a client process, by determining what protocol was used in establishing a network connection for the host connection pair; and
  
  if the protocol is not a connection based protocol and involves at least two ports, neither of which is known,determine the ports that the hosts communicate over,determine the port number for each of the at least two ports, andreport in the statistical information, the host that communicates using a lower port number of the two port numbers as performing the server process or the host that communicates using a higher port number of the two port numbers as performing the client process.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1 wherein if the protocol is a connection type protocol, then the device identifies which host sent a sync packet and which host sent a synch_ack packet.
  - 3. The device of claim 2 wherein a source of the sync packet is the client and a source of the synch_ack is the server.
  - 4. The device of claim 1 wherein if the hosts are transacting over a well know port, the instructions to determine, determines the server from a list of well known ports.
  - 5. The device of claim 4 wherein the list of well known ports has identification of hosts based on previous sources of synch_ack packets, with the host that sent the synch_ack packet assumed to be the server.
  - 6. The device of claim 1 wherein if the connection involves two ports, neither of which is known the instructions to report the host that connects to the lower port number as the server process and the host that connects to the higher port number as the client process.
  - 7. The device of claim 1 wherein server/client statistics are used when attempting to identify worm intrusions.

8. A method executed on a computing device comprises:
- collecting statistical information on packets that are sent between nodes on a network; and
  
  determining which host in a host connection pair is performing a server process, and which host in the host connection pair is performing a client process, by determining what protocol was used in establishing a network connection for the host connection pair; and
  
  determining whether the protocol is a connection based protocol, and if the protocol is not a connection based protocol and involves at least two ports, neither of which is known;
  
  determining the ports that the hosts communicate over;
  
  determining the port number for each of the at least two ports; and
  
  reporting in the statistical information, the host that communicates using the lower of the two port numbers as performing the server process or the host that communicates using the higher of the two port numbers as performing the client process.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 wherein if determining determines that the protocol is a connection type protocol, the method identifies which host sent a sync packet and which host sent a synch_ack packet.
  - 10. The method of claim 9 wherein determining, determines a source of the sync packet as the client and a source of the synch_ack as the server.
  - 11. The method of claim 8 wherein if the hosts are transacting over a well known port, determining, determines the server from a list of well know ports.
  - 12. The method of claim 11 wherein the list is populated with identification of hosts based on previous sources of synch_ack packets, with the host that sent the synch_ack packet assumed to be the server 8.
  - 13. The method of claim 8 wherein if the connection involves two ports, neither of which is known the reporting further includes reporting the host that connects to the lower port number as performing the server process and the host that connects to the higher port number as performing the client process.
  - 14. The method of claim 8 wherein server/client statistics are used when attempting to identify worm intrusions.

15. A device comprises:
- circuitry to collect statistical information on packets that are sent between nodes on a network;
  
  circuitry to determine from the statistical information, which host in a host connection pair is performing a server process, and which host in the host connection pair is performing a client process,circuitry to determine what protocol was used in establishing a network connection for the host connection pair; and
  
  circuitry to determine whether the protocol is a connection based protocol, andcircuitry, responsive to an outcome from the circuitry to determine whether the protocol is connection based to determine the ports that the hosts communicate over if the protocol is not connection based and involves at least two ports, neither of which is known;
  
  circuitry to determine the port number for each of the at least two ports; and
  
  circuitry to report in the statistical information the host that communicates using the lower of the two port numbers as performing the server process or the host that communicates using the higher of the two port numbers as performing the client process.
- View Dependent Claims (16, 17, 18, 26)
- - 16. The device of claim 15 wherein the circuitry to determine whether the protocol is a connection type protocol identifies which host sent a sync packet and which host sent a synch_ack packet.
  - 17. The device of claim 16 wherein circuitry to determine, determines a source of the sync packet as the client and a source of the synch_ack as the server.
  - 18. The device of claim 15 wherein if the hosts are transacting over a well known port, circuitry to determine, determines the server from a list of well know ports.
  - 26. The device of claim 15 wherein circuitry to determine, determines if the connection involves two ports, neither of which is known and the circuitry to report, reports the host that connects to a lower port number of two ports numbers involving the two ports, as the server process, and the host that connects to a higher of the two port numbers, as the client process.

19. A computer readable medium tangible storing a computer program product for detecting intrusions in a network, comprises instructions for causing a processor to:
- collect statistical information on packets that are sent between nodes on a network;
  
  determine, which host in a host connection pair is performing a server process, and which host in the host connection pair is performing a client process, by determining what protocol was used in establishing a network connection for the host connection pair and wherein if the protocol is not a connection based protocol and involves at least two ports, neither of which is known the instructions to determine the ports that the hosts communicate over;
  
  determining the port number for each of the at least two ports; and
  
  report in the statistical information, the host that communicates using the lower of the two port numbers as performing the server process or the host that communicates using the higher of the two port numbers as performing the client process.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The product of claim 19 wherein if the protocol is a connection type protocol, then the instructions to determine identify which host sent a sync packet and which host sent a synch_ack packet, with the source of the sync packet being the client and the source of the synch_ack being the server.
  - 21. The product of claim 19 wherein if the protocol is not a connection based protocol the instructions to determine the ports that the hosts communicate over.
  - 22. The product of claim 21 further comprising instructions to:
    - determine if the hosts are transacting over a well know port; and
      
      access a list of well-known ports to determine the server from the list of well known ports.
  - 23. The product of claim 22 wherein the list of well known ports has identification of hosts based on previous sources of synch_ack packets, with the host that sent the synch_ack packet assumed to be the server.
  - 24. The device of claim 22 wherein if a connection involves two ports, neither of which is known, the ports having port numbers with the host that connects to a lower port number of the port numbers of the two ports is reported as the server.
  - 25. The device of claim 22 wherein server/client statistics are used when attempting to identify worm intrusions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Kohler, Edward W. Jr., Ratin, Andrew, Poletto, Massimiliano Antonio
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Debnath; Suman

Application Number

US10/702,073
Publication Number

US 20040250134A1
Time in Patent Office

2,297 Days
Field of Search

713/154, 713/188, 709/223, 709/225, 709/227
US Class Current

713/188
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Data collectors in connection-based intrusion detection

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Data collectors in connection-based intrusion detection

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links