Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram

  • US 7,734,776 B2
  • Filed: 02/29/2008
  • Issued: 06/08/2010
  • Est. Priority Date: 07/29/2003
  • Status: Expired due to Fees
First Claim

1. An intrusion detection system, comprising:

  • a memory device comprising a table containing a state code; and

  • a processing means in communication with the memory device, the processing means configured to examine received packets flowing within computer network communications and increment the memory device state code in response to observing each of a predefined sequential triplet of TCP/IP protocol packets, the predefined sequential packet triplet comprising an initial SYN packet originating from a source address, a next sequential SYN/ACK packet issuing from a target device address in response to the SYN packet, and a last sequential RST packet originating from the source address in response to the SYN/ACK packet, each of the packets comprising a source address field, a target device address field, a source port field and a target device port field;

    wherein the processing means is configured to:

    dynamically update a memory device histogram by concatenating a source address field, a target device address field, a source port field and a target device port field of a packet of the predefined sequential triplet into a histogram table field as an ordered four-tuple;

    hash the ordered four-tuple; and

    use the hashed ordered four-tuple as a histogram location index; and

    wherein the processing means is configured to issue an alert if the predefined sequential triplet packet is detected, the predefined sequential triplet packets are each relevant to the source address and the incremented state code reaches a predefined alert value.
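The claim above describes a detector for half-open (SYN, SYN/ACK, RST) probing: each observed packet advances a state code stored in a histogram bucket that is addressed by hashing the ordered four-tuple of source address, target address, source port and target port. The following is an added worked example of that logic, written for this page and not taken from the patent or any product implementing it. It assumes packets arrive pre-parsed into a small dataclass, uses SHA-256 reduced modulo a fixed table size as the hash (the claim names no hash function or table size), folds the target-originated SYN/ACK back into the originator's four-tuple so all three packets of one triplet share a bucket, and adds a per-source threshold on completed triplets before alerting; that threshold, the flag names and all addresses and ports are constructed for the demo.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HISTOGRAM_SIZE = 4096   # number of histogram buckets (assumed; the claim sets no size)
ALERT_VALUE = 3         # state code reached once SYN, SYN/ACK and RST have each been seen
SOURCE_THRESHOLD = 5    # completed triplets per source before alerting (added assumption)

# Constructed, pre-parsed packet carrying only the fields the claim names plus TCP flags.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # one of "SYN", "SYN/ACK", "ACK", "RST", "FIN"

def four_tuple_index(src: str, dst: str, sport: int, dport: int,
                     size: int = HISTOGRAM_SIZE) -> int:
    """Concatenate the ordered four-tuple, hash it, reduce it to a bucket index."""
    key = f"{src}|{dst}|{sport}|{dport}".encode()
    digest = hashlib.sha256(key).digest()          # SHA-256 is an assumed choice
    return int.from_bytes(digest[:8], "big") % size

# State code -> the flags that must come next for the sequence to continue.
# 0: SYN from the source; 1: SYN/ACK from the target; 2: RST from the source.
EXPECTED = {0: "SYN", 1: "SYN/ACK", 2: "RST"}

class HalfOpenScanDetector:
    def __init__(self, size: int = HISTOGRAM_SIZE, alert_value: int = ALERT_VALUE,
                 source_threshold: int = SOURCE_THRESHOLD):
        self.histogram = [0] * size            # one state code per bucket
        self.completed = defaultdict(int)      # completed triplets per source address
        self.alert_value = alert_value
        self.source_threshold = source_threshold
        self.alerts = []

    def observe(self, pkt: Packet) -> Optional[dict]:
        # The SYN/ACK travels target -> source, so swap it back to the originator's
        # orientation so that all three packets of a triplet land in the same bucket.
        if pkt.flags == "SYN/ACK":
            src, dst, sport, dport = pkt.dst, pkt.src, pkt.dport, pkt.sport
        else:
            src, dst, sport, dport = pkt.src, pkt.dst, pkt.sport, pkt.dport
        idx = four_tuple_index(src, dst, sport, dport, len(self.histogram))
        state = self.histogram[idx]

        if EXPECTED.get(state) != pkt.flags:
            # Any other packet (e.g. the ACK completing a real handshake) breaks the sequence.
            self.histogram[idx] = 0
            return None

        state += 1
        self.histogram[idx] = state
        if state < self.alert_value:
            return None

        # Full SYN -> SYN/ACK -> RST triplet observed for this four-tuple.
        self.histogram[idx] = 0
        self.completed[src] += 1
        if self.completed[src] == self.source_threshold:
            alert = {"source": src, "target": dst,
                     "completed_triplets": self.completed[src]}
            self.alerts.append(alert)
            return alert
        return None

def probe(src: str, dst: str, sport: int, dport: int) -> list:
    """Constructed half-open probe: the source answers the SYN/ACK with a RST."""
    return [Packet(src, dst, sport, dport, "SYN"),
            Packet(dst, src, dport, sport, "SYN/ACK"),
            Packet(src, dst, sport, dport, "RST")]

def handshake(src: str, dst: str, sport: int, dport: int) -> list:
    """Constructed legitimate three-way handshake, completed with an ACK."""
    return [Packet(src, dst, sport, dport, "SYN"),
            Packet(dst, src, dport, sport, "SYN/ACK"),
            Packet(src, dst, sport, dport, "ACK")]

def run_demo() -> list:
    """Mix one probing source with a well-behaved client; return the alerts raised."""
    det = HalfOpenScanDetector()
    traffic = handshake("10.0.0.7", "192.0.2.10", 51000, 443)
    for i, port in enumerate([22, 80, 443, 3306, 8080]):
        traffic += probe("10.0.0.5", "192.0.2.10", 40000 + i, port)
    traffic += handshake("10.0.0.7", "192.0.2.10", 51001, 80)
    for pkt in traffic:
        det.observe(pkt)
    return det.alerts

if __name__ == "__main__":
    print(run_demo())
```

Two points worth noting when reading this against the claim. First, the state code here is the per-bucket step counter (0 to 3) that the claim describes; the per-source tally of completed triplets is an added layer so that a single legitimate connection refusal does not raise an alert on its own. Second, because the bucket is addressed purely by the hash, two different four-tuples that collide share one state code and can corrupt each other's sequence; the claim's wording that the concatenated four-tuple is stored in the histogram table field suggests a real implementation would keep the tuple in the bucket and compare it before advancing the state.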
