Intrusion detection based on amount of network traffic
First Claim
1. A method for combating malicious programs, the method comprising:
maintaining a network model representing a normal usage of network resources by a device, the network model predetermined by a user, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
monitoring network traffic generated by the device;
based on the network traffic that is monitored, identifying an average number of packets actually transmitted in the predetermined period of time by the device;
modifying the network model by replacing the predetermined number of packets identified in the network model with the average number of packets actually transmitted by the device;
after the modification of the network model, monitoring network traffic from the device;
after the modification of the network model, determining that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
disabling transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.
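As an added illustration (not code from the patent or its assignee), a minimal Python model of the claimed steps: a user-set packets-per-interval baseline is replaced by the observed average, and later intervals that exceed that average by more than a specified number of standard deviations mark the device for transmission shutoff. The device name, interval counts and the k value are constructed sample values.

```python
from statistics import mean, pstdev


class TrafficModel:
    """Per-device network model: starts with a user-predetermined packet count
    per period and is later modified to the observed average (claim 1)."""

    def __init__(self, device, predetermined_packets, k_sigma=3.0):
        self.device = device
        self.packets_per_period = predetermined_packets  # user-set baseline
        self.std = 0.0
        self.k_sigma = k_sigma          # margin in standard deviations
        self.learned = False
        self.disabled = False           # stands in for "disable transmission"

    def learn(self, observed_counts):
        """Replace the predetermined count with the observed average and keep
        the spread, so the threshold becomes mean + k * std.
        Caveat: if the device is already compromised during this window the
        malicious traffic is baked into the baseline."""
        if len(observed_counts) < 2:
            raise ValueError("need at least two periods to estimate spread")
        self.packets_per_period = mean(observed_counts)
        self.std = pstdev(observed_counts)
        self.learned = True

    def threshold(self):
        return self.packets_per_period + self.k_sigma * self.std

    def check(self, observed_count):
        """True (and device marked disabled) when observed traffic exceeds the
        learned average by more than k standard deviations."""
        if not self.learned:
            raise RuntimeError("model must be modified with observed traffic first")
        if observed_count > self.threshold():
            self.disabled = True
            return True
        return False


def run_example():
    # Constructed sample: packets per 60 s period for one host while learning.
    baseline = [120, 135, 128, 142, 131, 125, 138, 129]
    model = TrafficModel("host-a", predetermined_packets=100, k_sigma=3.0)
    model.learn(baseline)
    later = [133, 140, 900]   # constructed: the last period is a burst
    verdicts = [model.check(c) for c in later]
    return model, verdicts
```

With a zero-spread baseline `pstdev` returns 0, so any count above the average trips the check; choose the learning window long enough to capture normal variation.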
Abstract
A method for combating malicious programs including monitoring network traffic from one or more devices, analyzing the network traffic to determine the presence of a malicious program in the one or more devices and disabling transmission of the network traffic for those of the one or more devices determined to have the malicious program present.
50 Claims
17. A system for combating malicious programs comprising:
a computer system operable to execute a software application stored on a recording media locally accessible to the computer system, the software application operable when executed by the computer system to:
maintain a network model representing a normal usage of network resources by a device, the network model predetermined by a user, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
monitor network traffic generated by the device;
based on the network traffic that is monitored, identify an average number of packets actually transmitted in the predetermined period of time by the device;
modify the network model by replacing the predetermined number of packets identified in the network model with the average number of packets actually transmitted by the device;
after the modification of the network model, monitor network traffic from the device;
after the modification of the network model, determine that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
disable transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.
Dependent claims: 18-27.
28. A computer system comprising:
a processor; and
a program storage device readable by the computer system, embodying a program of instructions executable by the processor to perform a method for combating malicious programs, the method comprising:
maintaining a network model representing a normal usage of network resources by a device, the network model predetermined by a user, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
monitoring network traffic generated by the device;
based on the network traffic that is monitored, identifying an average number of packets actually transmitted in the predetermined period of time by the device;
modifying the network model by replacing the predetermined number of packets identified in the network model with the average number of packets actually transmitted by the device;
after the modification of the network model, monitoring network traffic from the device;
after the modification of the network model, determining that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
disabling transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.
Dependent claims: 29-38.
39. A non-transitory computer recording medium including computer executable code for combating malicious programs, the computer executable code comprising:
code for maintaining a network model representing a normal usage of network resources by a device, the network model predetermined by a user, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
code for monitoring network traffic generated by the device;
code for identifying, based on the network traffic that is monitored, an average number of packets actually transmitted in the predetermined period of time by the device;
code for modifying the network model by replacing the predetermined number of packets identified in the network model with the average number of packets actually transmitted by the device;
code for monitoring network traffic from the device after the modification of the network model;
code for determining, after the modification of the network model, that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
code for disabling transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.
Dependent claims: 40-49.
50. A method for combating malicious programs, the method comprising:
maintaining a network model representing a normal usage of network resources by a device, the network model predetermined by a network administrator, the network model identifying a predetermined number of packets to be transmitted in a predetermined period of time by the device;
monitoring network traffic from the device;
based on the network traffic that is monitored, identifying an average number of packets actually transmitted in the predetermined period of time by the device;
modifying the network model by replacing the predetermined number of packets identified by the network administrator with an average number of packets actually transmitted in the predetermined period of time by the device;
after the modification of the network model, monitoring network traffic from the device;
after the modification of the network model, determining that the device is transmitting an observed amount of network traffic that is greater than the average number of packets identified by the network model as modified, the observed amount of network traffic being greater than the average number of packets by a margin of a specified number of standard deviations; and
disabling transmission of said network traffic for said device determined to be transmitting the observed amount of network traffic that is greater than the average number of packets by the margin of a specified number of standard deviations.