System and method for detection of aberrant network behavior by clients of a network access gateway

US 8,019,866 B2
Filed: 08/06/2009
Issued: 09/13/2011
Est. Priority Date: 03/10/2004
Status: Active Grant

First Claim

Patent Images

1. A system for detecting aberrant network, comprising:

a processor;

a first network interface coupled to the processor, wherein the first network interface is coupled to one or more clients;

a memory accessible by the processor;

wherein the system is configured to;

receive network communications at the first network interface, wherein each of the network communications is associated with a first client;

determine if aberrant network behavior is occurring with respect to the first client wherein determining if the network behavior is aberrant comprises;

analyzing the received network communications based upon one or more rules to determine if the network communication matches any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication associated with the first client matches a first rule;

updating a first list of statistical information associated with the first client and the first rule wherein the statistical information is accumulated over a time period, the first list is one of a first set of lists corresponding to the first client and each list comprises statistical information associated with at least one of the one or more rules; and

testing the statistical information in each list of the first set of lists using a set of conditions corresponding to aberrant network behavior, wherein each of the set of conditions is associated with at least one list of the first set of lists.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting aberrant network behavior. One embodiment provides a system of detecting aberrant network behavior behind a network access gateway comprising a processor, a first network interface coupled to the processor, a second network interface coupled to the processor, a storage media accessible by the processor and a set of computer instructions executable by the processor. The computer instructions can be executable to observe network communications arriving at the first network interface from multiple clients and determine when the traffic of a particular client is indicative of malware infection or other hostile network activity. If the suspicious network communication is determined to be of a sufficient volume, type, or duration the computer instructions can be executable to log such activity to storage media, or to notify an administrative entity via either the first network interface or second network interface, or to make the computer instructions be executable to perform other configured actions related to the functioning of the network access gateway.

Citations

19 Claims

1. A system for detecting aberrant network, comprising:
- a processor;
  
  a first network interface coupled to the processor, wherein the first network interface is coupled to one or more clients;
  
  a memory accessible by the processor;
  
  wherein the system is configured to;
  
  receive network communications at the first network interface, wherein each of the network communications is associated with a first client;
  
  determine if aberrant network behavior is occurring with respect to the first client wherein determining if the network behavior is aberrant comprises;
  
  analyzing the received network communications based upon one or more rules to determine if the network communication matches any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication associated with the first client matches a first rule;
  
  updating a first list of statistical information associated with the first client and the first rule wherein the statistical information is accumulated over a time period, the first list is one of a first set of lists corresponding to the first client and each list comprises statistical information associated with at least one of the one or more rules; and
  
  testing the statistical information in each list of the first set of lists using a set of conditions corresponding to aberrant network behavior, wherein each of the set of conditions is associated with at least one list of the first set of lists.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 16, 17, 18)
- - 2. The system of claim 1, wherein the computer instructions are further operable to monitor a network connected to a second network interface for a second network communication.
  - 3. The system of claim 1, wherein at least one of the one or more rules is a user-specific rule.
  - 4. The system of claim 1, dynamically adjusting the one or more rules.
  - 5. The system of claim 1, dynamically adjusting a threshold associated with the one or more rules.
  - 6. The system of claim 1, wherein the one or more rules comprise input rules and output rules.
  - 7. The system of claim 4, wherein the one or more rules are associated with a header of a packet.
  - 8. The system of claim 3, further comprising associating the first client with a first identifier.
  - 9. The system of claim 8, associating the set of lists associated with the client with the identifier.
  - 16. The method of claim 4, wherein the one or more rules are associated with a header of a packet.
  - 17. The method of claim 3, further comprising associating the first client with a first identifier.
  - 18. The method of claim 4, associating the set of lists associated with the client with the identifier.

10. A method for detecting aberrant network in a first network interface coupled to one or more clients, comprising:
- receiving network communications at the first network interface, wherein each of the network communications is associated with a first client;
  
  determining if an aberrant network behavior is occurring with respect to the first client wherein determining if the network behavior is aberrant comprises;
  
  analyzing the received network communications based upon one or more rules to determine if the network communication matches any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication associated with the first client matches a first rule;
  
  updating a first list of statistical information associated with the first client and the first rule wherein the statistical information is accumulated over a time period, the first list is one of a first set of lists corresponding to the first client and each list comprises statistical information associated with at least one of the one or more rules; and
  
  testing the statistical information in each list of the first set of lists using a set of conditions corresponding to aberrant network behavior, wherein each of the set of conditions is associated with at least one list of the first set of lists.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein the computer instructions are further operable to monitor a network connected to a second network interface for a second network communication.
  - 12. The method of claim 10, wherein at least one of the one or more rules is a user-specific rule.
  - 13. The method of claim 10, dynamically adjusting the one or more rules.
  - 14. The method of claim 10, dynamically adjusting a threshold associated with the one or more rules.
  - 15. The method of claim 10, wherein the one or more rules comprise input rules and output rules.

19. A method for detecting aberrant network, comprising providing a network interface card, the network interface card comprising a first network interface coupled to one or more clients and the first network interface is operable to receive network communications, wherein each of the network communications is associated with a first client and the network interface card is operable to determine if an aberrant network behavior is occurring with respect to the first client, wherein determining if the network behavior is aberrant utilizes:
- a network processing subsystem configured to;
  
  analyze the received network communications based upon one or more rules to determine if the network communication matches any of the one or more rules, wherein the one or more rules are configured to identify particular network communications,if a network communication from a first client matches a first rule, forming a notification corresponding to the first rule and first client and providing the notification to a suspicion accumulator; and
  
  the suspicion accumulator is configured to;
  
  maintain a set of lists, the set of lists corresponding to the first client and list of comprising statistical information associated with at least one of the one or more rules, the statistical information for each list accumulated over a time period;
  
  receive the notification from the network processing subsystems;
  
  determine that the notification is associated with the first rule and the first client;
  
  update a first list of the set of lists associated with the first client and the first rule based on the notification; and
  
  test the statistical information in each list of the set of lists using a set of conditions corresponding to aberrant network behavior, wherein each of the set of conditions is associated with at least one list of the sets of lists.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OpenTV, Inc. (Kudelski SA)
Original Assignee
Rocksteady Technologies LLC
Inventors
Tonnesen, Steven D.
Primary Examiner(s)
Bates, Kevin
Assistant Examiner(s)
Chacko, Joe

Application Number

US12/536,700
Publication Number

US 20090300177A1
Time in Patent Office

768 Days
Field of Search

709/224
US Class Current

709/224
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for detection of aberrant network behavior by clients of a network access gateway

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detection of aberrant network behavior by clients of a network access gateway

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links