Connection based detection of scanning attacks
First Claim
1. A computer implemented method of detecting scanning attacks, comprises:
adding host-pair connection records to a first data structure stored on a computer readable medium when a host accesses another host during a first update period;
determining the number of new host pairs added to the first data structure over the first update period;
aggregating host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determining the number of new host pairs added to the second data structure over the second update period; and
indicating a host as a scanner when at least one of the following conditions is true:
(1) the host appears in more than a first threshold number of host pairs within the first update period, and a first historical number of host pairs is smaller than the first threshold number by a first factor value; and
(2) the host appears in more than a second threshold number of host pairs within the second update period, and a second historical number of host pairs is smaller than the second threshold number by a second factor value.
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events by aggregating anomalies into network events.
35 Claims
1. A computer implemented method of detecting scanning attacks, comprises: (claim text as set out under First Claim above). Dependent claims: 2, 3, 4, 5, 6.

7. A computer implemented method of detecting port scanning attacks, the method comprises:
retrieving from a first data structure stored on a computer readable medium logged values of protocols and ports in host-pair connection records added in the first data structure during a first update period;
determining the number of ports associated with a host over the first update period based on the host-pair connection records in the first data structure;
aggregating host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determining the number of ports associated with a host over the second update period based on the host-pair connection records in the second data structure; and
reporting a host associated with a port scan when at least one of the following conditions is true:
(1) the number of ports associated with the host within the first update period is greater than a first threshold number, and a first historical number of ports associated with the host is smaller than the first threshold number by a first factor value; and
(2) the number of ports associated with the host within the second update period is greater than a second threshold number, and a second historical number of ports associated with the host is smaller than the second threshold number by a second factor value.
Dependent claims: 8, 9, 10.
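The following is an added worked example of the detection logic described in the abstract and in claims 1 and 7; it is not code from the patent or its assignee. It keeps a host-pair connection table for a short "first update period", aggregates each closed short period into a longer "second update period" table, and flags a host as a scanner (many new peers) or as a port scanner (many ports) when its count for the period exceeds a threshold while the historical baseline, multiplied by the factor, stays below that threshold. Several points are assumptions of this example rather than statements of the page: the period lengths, thresholds and factor values; reading "partitioning hosts into groups that have similar connection habits" as a caller-supplied group label under which the historical baseline is kept; reading "historical number smaller than the threshold by a factor" as history x factor < threshold; the choice to exclude already-flagged hosts from the baseline update; and the constructed sample traffic.

```python
"""Two-period connection-table scan detection (added example; values assumed, see lead-in)."""
from collections import defaultdict

SHORT_PERIOD = 60     # seconds, the "first update period"  (assumed value)
LONG_PERIOD = 3600    # seconds, the "second update period" (assumed value)


class ConnectionTable:
    """Host-pair records for one update period plus a per-group historical baseline."""

    def __init__(self, period, pair_threshold, port_threshold, factor):
        self.period = period
        self.pair_threshold, self.port_threshold, self.factor = pair_threshold, port_threshold, factor
        self.pairs = defaultdict(set)   # src host -> destination hosts it contacted (host pairs)
        self.ports = defaultdict(set)   # src host -> (protocol, port) values it logged
        self.hist_pairs = {}            # group -> historical mean of new host pairs per period
        self.hist_ports = {}            # group -> historical mean of ports per period

    def add(self, src, dst, proto, dport):
        """Record one host-pair connection and the protocol/port it used."""
        self.pairs[src].add(dst)
        self.ports[src].add((proto, dport))

    def merge(self, other):
        """Aggregate a shorter-period table into this one (the claims' aggregation step)."""
        for h, s in other.pairs.items():
            self.pairs[h] |= s
        for h, s in other.ports.items():
            self.ports[h] |= s

    def _exceeds(self, count, threshold, hist):
        # Condition as read here (assumption): count above the threshold AND the
        # historical number, scaled by the factor, still below the threshold.
        return count > threshold and hist * self.factor < threshold

    def evaluate(self, group_of):
        """Close the period: return (scanners, port_scanners), then roll the baseline."""
        scanners, port_scanners = [], []
        for h in sorted(set(self.pairs) | set(self.ports)):
            g = group_of(h)
            if self._exceeds(len(self.pairs[h]), self.pair_threshold, self.hist_pairs.get(g, 0.0)):
                scanners.append(h)
            if self._exceeds(len(self.ports[h]), self.port_threshold, self.hist_ports.get(g, 0.0)):
                port_scanners.append(h)
        self._roll(group_of, set(scanners) | set(port_scanners))
        return scanners, port_scanners

    def _roll(self, group_of, flagged):
        """Update per-group baselines from unflagged hosts, then empty the period's records."""
        per_group = defaultdict(lambda: ([], []))
        for h in set(self.pairs) | set(self.ports):
            if h in flagged:            # design choice: a detected scanner must not poison the baseline
                continue
            per_group[group_of(h)][0].append(len(self.pairs[h]))
            per_group[group_of(h)][1].append(len(self.ports[h]))
        for g, (p, q) in per_group.items():
            self.hist_pairs[g] = _ema(self.hist_pairs.get(g), sum(p) / len(p))
            self.hist_ports[g] = _ema(self.hist_ports.get(g), sum(q) / len(q))
        self.pairs.clear()
        self.ports.clear()


def _ema(old, new, alpha=0.5):
    """Exponential moving average; the first observation seeds the history."""
    return new if old is None else alpha * new + (1 - alpha) * old


def detect(records, group_of, short_tbl, long_tbl):
    """Feed (t, src, dst, proto, dport) records through both tables.
    Returns a list of (kind, period_index, scanners, port_scanners)."""
    alerts, idx = [], {"short": 0, "long": 0}

    def close_long():
        alerts.append(("long", idx["long"], *long_tbl.evaluate(group_of)))
        idx["long"] += 1

    def close_short():
        long_tbl.merge(short_tbl)                 # aggregate before the short table is emptied
        alerts.append(("short", idx["short"], *short_tbl.evaluate(group_of)))
        idx["short"] += 1
        if (idx["short"] * short_tbl.period) % long_tbl.period == 0:
            close_long()

    for t, src, dst, proto, dport in sorted(records):
        while t >= (idx["short"] + 1) * short_tbl.period:
            close_short()
        short_tbl.add(src, dst, proto, dport)
    close_short()                                 # flush the open short period ...
    if long_tbl.pairs or long_tbl.ports:          # ... and the partly filled long period
        close_long()
    return alerts


def sample_records():
    """Constructed traffic (not from the page): two ordinary clients, one host
    sweeping many peers on one port, one host sweeping many ports on one peer."""
    recs = [(1, "10.0.0.5", "10.0.1.1", "tcp", 80), (5, "10.0.0.5", "10.0.1.2", "tcp", 443),
            (7, "10.0.0.6", "10.0.1.1", "tcp", 80), (61, "10.0.0.5", "10.0.1.1", "tcp", 80),
            (65, "10.0.0.6", "10.0.1.2", "tcp", 443), (70, "10.0.0.5", "10.0.1.3", "tcp", 25)]
    recs += [(10 + k, "10.0.0.99", f"10.0.1.{k}", "tcp", 22) for k in range(1, 11)]   # 10 peers, period 0
    recs += [(90 + k, "10.0.0.99", f"10.0.1.{k}", "tcp", 22) for k in range(11, 15)]  # 4 more, period 1
    recs += [(80 + p, "10.0.0.7", "10.0.1.1", "tcp", 20 + p) for p in range(1, 12)]   # 11 ports, period 1
    return recs


def run_demo():
    """Thresholds, factors and the group labelling are assumed values, not from the patent."""
    group_of = lambda h: "workstations" if h.startswith("10.0.0.") else "servers"
    short_tbl = ConnectionTable(SHORT_PERIOD, pair_threshold=8, port_threshold=8, factor=4)
    long_tbl = ConnectionTable(LONG_PERIOD, pair_threshold=10, port_threshold=10, factor=4)
    return detect(sample_records(), group_of, short_tbl, long_tbl)


if __name__ == "__main__":
    for kind, i, scanners, port_scanners in run_demo():
        print(f"{kind} period {i}: scanners={scanners} port_scanners={port_scanners}")
```

On the sample traffic the short table flags 10.0.0.99 in period 0 (ten new peers) and 10.0.0.7 in period 1 (eleven ports on one peer); the long table, which has accumulated both periods, reports the same two hosts, and the slow part of the peer sweep (four further peers in period 1, below the short threshold) only counts against the second, longer period. The factor condition is what keeps a legitimately busy group from being reported: once the group's baseline times the factor reaches the threshold, exceeding the threshold alone is no longer treated as a scan, so thresholds have to sit well above normal per-period fan-out for the group.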
11. A computer program product residing on a computer readable medium for detecting scanning attacks, comprises instructions for causing a computer to:
add host-pair connection records to a first data structure when a host accesses another host during a first update period;
determine the number of new host pairs added to the first data structure over the first update period;
aggregate host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determine the number of new host pairs added to the second data structure over the second update period; and
indicate a host as a scanner when at least one of the following conditions is true:
(1) the host appears in more than a first threshold number of host pairs within the first update period, and a first historical number of host pairs is smaller than the first threshold number by a first factor value; and
(2) the host appears in more than a second threshold number of host pairs within the second update period, and a second historical number of host pairs is smaller than the second threshold number by a second factor value.
Dependent claims: 12, 13, 14, 15.

16. A computer program product residing on a computer readable medium for detecting port scanning attacks, the computer program product comprises instructions for causing a processor to:
retrieve from a first data structure logged values of protocols and ports in host-pair connection records in the first data structure during a first update period;
determine the number of ports associated with a host over the first update period based on the host-pair connection records in the first data structure;
aggregate host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determine the number of ports associated with a host over the second update period based on the host-pair connection records in the second data structure; and
report a host associated with a port scan when at least one of the following conditions is true:
(1) the number of ports associated with the host within the first update period is greater than a first threshold number, and a first historical number of ports associated with the host is smaller than the first threshold number by a first factor value; and
(2) the number of ports associated with the host within the second update period is greater than a second threshold number, and a second historical number of ports associated with the host is smaller than the second threshold number by a second factor value.
Dependent claims: 17, 18, 19.

20. Apparatus comprising:
circuitry for detecting scanning attacks, comprising:
circuitry to add host-pair connection records to a first data structure when a host accesses another host during a first update period;
circuitry to determine the number of new host pairs added to the first data structure over a first update period;
circuitry to aggregate host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
circuitry to determine the number of new host pairs added to the second data structure over the second update period; and
circuitry to indicate a host as a scanner when at least one of the following conditions is true:
(1) the host appears in more than a first threshold number of host pairs within the first update period, and a first historical number of host pairs is smaller than the first threshold number by a first factor value; and
(2) the host appears in more than a second threshold number of host pairs within the second update period, and a second historical number of host pairs is smaller than the second threshold number by a second factor value.
Dependent claims: 21, 22, 23.

24. Apparatus comprising:
a processing device; and
a computer readable medium tangibly embodying a computer program product for detecting scanning attacks, the computer program product comprising instructions for causing the processing device to:
add host-pair connection records to a first data structure when a host accesses another host during a first update period;
determine the number of new host pairs added to the first data structure over the first update period;
aggregate host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determine the number of new host pairs added to the second data structure over the second update period; and
indicate a host as a scanner when at least one of the following conditions is true:
(1) the host appears in more than a first threshold number of host pairs within the first update period, and a first historical number of host pairs is smaller than the first threshold number by a first factor value; and
(2) the host appears in more than a second threshold number of host pairs within the second update period, and a second historical number of host pairs is smaller than the second threshold number by a second factor value.
Dependent claims: 25, 26, 27.

28. Apparatus comprising:
a processing device;
a computer readable medium tangibly embodying a computer program product for detecting port scanning attacks, the computer program product comprises instructions for causing a processor to:
retrieve from a first data structure logged values of protocols and ports in host-pair connection records in the first data structure during a first update period;
determine the number of ports associated with a host over the first update period based on the host-pair connection records in the first data structure;
aggregate host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determine the number of ports associated with a host over the second update period based on the host-pair connection records in the second data structure; and
report a host associated with a port scan when at least one of the following conditions is true:
(1) the number of ports associated with the host within the first update period is greater than a first threshold number, and a first historical number of ports associated with the host is smaller than the first threshold number by a first factor value; and
(2) the number of ports associated with the host within the second update period is greater than a second threshold number, and a second historical number of ports associated with the host is smaller than the second threshold number by a second factor value.
Dependent claims: 29, 30, 31.

32. A computer implemented method of detecting scanning attacks, comprises:
adding host-pair connection records to a first data structure stored on a computer readable medium when a host accesses another host during a first update period;
determining the number of new host pairs added to the first data structure over the first update period;
aggregating host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determining the number of new host pairs added to the second data structure over the second update period; and
indicating a host as a scanner when the host appears in more than a first threshold number of host pairs within the first update period, and a first historical number of host pairs is smaller than the first threshold number by a first factor value.

33. A computer implemented method of detecting scanning attacks, comprises:
adding host-pair connection records to a first data structure stored on a computer readable medium when a host accesses another host during a first update period;
determining the number of new host pairs added to the first data structure over the first update period;
aggregating host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determining the number of new host pairs added to the second data structure over the second update period; and
indicating a host as a scanner when the host appears in more than a second threshold number of host pairs within the second update period, and a second historical number of host pairs is smaller than the second threshold number by a second factor value.

34. A computer implemented method of detecting port scanning attacks, the method comprises:
retrieving from a first data structure stored on a computer readable medium logged values of protocols and ports in host-pair connection records added in the first data structure during a first update period;
determining the number of ports associated with a host over the first update period based on the host-pair connection records in the first data structure;
aggregating host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determining the number of ports associated with a host over the second update period based on the host-pair connection records in the second data structure; and
reporting a host associated with a port scan when the number of ports associated with the host within the first update period is greater than a first threshold number, and a first historical number of ports associated with the host is smaller than the first threshold number by a first factor value.

35. A computer implemented method of detecting port scanning attacks, the method comprises:
retrieving from a first data structure stored on a computer readable medium logged values of protocols and ports in host-pair connection records added in the first data structure during a first update period;
determining the number of ports associated with a host over the first update period based on the host-pair connection records in the first data structure;
aggregating host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;
determining the number of ports associated with a host over the second update period based on the host-pair connection records in the second data structure; and
reporting a host associated with a port scan when the number of ports associated with the host within the second update period is greater than a second threshold number, and a second historical number of ports associated with the host is smaller than the second threshold number by a second factor value.