
Connection based detection of scanning attacks

  • US 7,716,737 B2
  • Filed: 11/03/2003
  • Issued: 05/11/2010
  • Est. Priority Date: 11/04/2002
  • Status: Active Grant
First Claim

1. A computer implemented method of detecting scanning attacks, comprises:

  • adding host-pair connection records to a first data structure stored on a computer readable medium when a host accesses another host during a first update period;

    determining the number of new host pairs added to the first data structure over the first update period;

    aggregating host-pair connection records from the first data structure into a second data structure which corresponds to a second update period that is greater than the first update period, wherein aggregating host-pair connection records involves partitioning hosts into groups that have similar connection habits;

    determining the number of new host pairs added to the second data structure over the second update period; and

    indicating a host as a scanner when at least one of the following conditions is true;

    (1) the host appears in more than a first threshold number of host pairs within the first update period, and a first historical number of host pairs is smaller than the first threshold number by a first factor value; and

    (2) the host appears in more than a second threshold number of host pairs within the second update period, and a second historical number of host pairs is smaller than the second threshold number by a second factor value.
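
A minimal sketch of the two-timescale check in the claim, written as an added example; it is not code from the patent or its assignee. The thresholds, factors, period ratio and addresses are constructed, the historical number is assumed to be the mean of a host's earlier per-period counts, "smaller by a factor" is assumed to mean historical × factor < threshold, and the step that partitions hosts into groups with similar connection habits is left out.

```python
from collections import Counter, defaultdict

class Window:
    """Host pairs seen in one update period, plus per-host counts of past periods."""
    def __init__(self, threshold, factor):
        self.threshold, self.factor = threshold, factor
        self.pairs = set()                  # host-pair connection records
        self.history = defaultdict(list)    # host -> pair counts in closed periods

    def close(self):
        # End the period; return (hosts flagged as scanners, the period's pairs).
        counts = Counter(src for src, _dst in self.pairs)  # assumption: initiator
        flagged = set()
        for host, n in counts.items():
            past = self.history[host]
            historical = sum(past) / len(past) if past else 0
            # assumption: "smaller by a factor" -> historical * factor < threshold
            if n > self.threshold and historical * self.factor < self.threshold:
                flagged.add(host)
            past.append(n)
        closed, self.pairs = self.pairs, set()
        return flagged, closed

class ScanDetector:
    def __init__(self, short=(20, 4), long=(50, 4), shorts_per_long=6):
        self.short, self.long = Window(*short), Window(*long)
        self.shorts_per_long, self.ticks = shorts_per_long, 0

    def observe(self, src, dst):
        self.short.pairs.add((src, dst))

    def end_short_period(self):
        flagged, closed = self.short.close()    # condition (1)
        self.long.pairs |= closed               # aggregate into second structure
        self.ticks += 1
        if self.ticks % self.shorts_per_long == 0:
            flagged |= self.long.close()[0]     # condition (2)
        return flagged

def run_demo():  # constructed traffic: busy proxy, slow scanner, fast scanner
    det, results = ScanDetector(), []
    det.short.history["10.0.0.5"] = [30] * 5    # proxy is normally this busy
    for period in range(6):
        for i in range(30):                     # proxy: same 30 peers each period
            det.observe("10.0.0.5", f"192.0.2.{i}")
        for i in range(10):                     # slow scanner: 10 new peers each
            det.observe("10.0.0.7", f"198.51.100.{period * 10 + i}")
        for i in range(40 if period == 0 else 0):   # fast scanner: one burst
            det.observe("10.0.0.9", f"203.0.113.{i}")
        results.append(det.end_short_period())
    return results
```

The burst host trips condition (1) in the first short period, while the host that stays under the short threshold is only caught by condition (2) once six short periods have been aggregated.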

  • 21 Assignments