Centralized analysis and management of network packets
Abstract
This description provides tools and techniques for centralized analysis and management of network packets. These tools may provide methods that include storing network packets as identified by packet-detecting devices within networks. These methods may also define baseline behavior patterns applicable to the network, as well as thresholds applicable to deviations in network behavior, relative to the baseline behavior patterns. These methods may also identify attacks against the network, as exhibited by deviations in the behavior patterns that exceed the threshold.
Claims (18)
1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a computer, cause the computer to at least:
receive and store a first plurality of packets identified by a plurality of packet-detecting devices within a network;
define a baseline behavior pattern applicable to a behavior of the network;
define a threshold applicable to a deviation of the behavior of the network from the baseline behavior pattern;
perform a first analysis of the first plurality of packets to identify a first abnormal deviation in the baseline behavior pattern that exceeds the threshold;
identify a first attack against the network, as exhibited by the first abnormal deviation;
provide a first remedy for the first abnormal deviation to recover from the first attack;
receive and store a second plurality of packets identified by the plurality of packet-detecting devices within the network;
perform a second analysis of the second plurality of packets to identify a second abnormal deviation in the baseline behavior pattern that exceeds the threshold;
identify a second attack against the network, as exhibited by the second abnormal deviation;
compare the second plurality of packets to the first remedy to determine that the second abnormal deviation is caused by a change from first attack tactics used for the first attack to second attack tactics used for the second attack, the first attack tactics being changed to the second attack tactics in response to the first remedy; and
provide a second remedy based on the change from the first attack tactics to the second attack tactics.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A centralized packet analysis system for analyzing and managing packets of a network, the centralized packet analysis system comprising at least:
a processor; and
memory coupled to the processor, the memory comprising instructions configured to enable the processor to:
receive and store a first plurality of packets identified by a plurality of packet-detecting devices within a network,
define a baseline behavior pattern applicable to a behavior of the network,
define a threshold applicable to a deviation of the behavior of the network from the baseline behavior pattern,
perform a first analysis of the first plurality of packets to identify a first abnormal deviation in the baseline behavior pattern that exceeds the threshold,
identify a first attack against the network, as exhibited by the first abnormal deviation,
provide a first remedy for the first abnormal deviation to recover from the first attack,
receive and store a second plurality of packets identified by the plurality of packet-detecting devices within the network,
perform a second analysis of the second plurality of packets to identify a second abnormal deviation in the baseline behavior pattern that exceeds the threshold,
identify a second attack against the network, as exhibited by the second abnormal deviation,
compare the second plurality of packets to the first remedy to determine that the second abnormal deviation is caused by a change from first attack tactics used for the first attack to second attack tactics used for the second attack, the first attack tactics being changed to the second attack tactics in response to the first remedy, and
provide a second remedy based on the change from the first attack tactics to the second attack tactics.
Dependent claims: 14, 15, 16, 17.

18. A method for analyzing and managing packets of a network, the method comprising at least:
receiving and storing a first plurality of packets identified by a plurality of packet-detecting devices within a network;
defining a baseline behavior pattern applicable to a behavior of the network;
defining a threshold applicable to a deviation of the behavior of the network from the baseline behavior pattern;
performing a first analysis of the first plurality of packets to identify a first abnormal deviation in the baseline behavior pattern that exceeds the threshold;
identifying a first attack against the network, as exhibited by the first abnormal deviation;
providing a first remedy for the first abnormal deviation to recover from the first attack;
receiving and storing a second plurality of packets identified by the plurality of packet-detecting devices within the network;
performing a second analysis of the second plurality of packets to identify a second abnormal deviation in the baseline behavior pattern that exceeds the threshold;
identifying a second attack against the network, as exhibited by the second abnormal deviation;
comparing the second plurality of packets to the first remedy to determine that the second abnormal deviation is caused by a change from first attack tactics used for the first attack to second attack tactics used for the second attack, the first attack tactics being changed to the second attack tactics in response to the first remedy; and
providing a second remedy based on the change from the first attack tactics to the second attack tactics.
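The abstract and the claims above describe one detection loop: store packets reported by several sensors, define a baseline and a threshold, flag deviations that exceed it, remedy the attack, then on the next pass compare the new deviation against the earlier remedy to decide whether the attacker changed tactics in response. The following is an added worked example written for this page; it is not code from the patent or its assignee. It models the two-pass flow on constructed packet summaries, and everything concrete in it is an assumption chosen for illustration: the `Packet` fields, a packets-per-interval baseline with a z-score threshold, characterizing tactics by the dominant source and destination port, and a `Remedy` that blocks sources and ports. The addresses and traffic volumes are constructed sample data.

```python
"""Baseline / threshold packet analysis with a remedy-aware second pass.

Added example, not code from the patent: it models the claimed flow with
constructed packet records. The Packet fields, the z-score threshold, the
'dominant source and port' characterization and the Remedy representation
are all assumptions chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary as a packet-detecting device might report it (constructed)."""
    sensor: str
    src: str
    dst_port: int
    interval: int  # time bucket in which the packet was seen


@dataclass
class Baseline:
    mean_per_interval: float
    stdev_per_interval: float


@dataclass
class Remedy:
    """First remedy blocks a source; a tactic change escalates to the abused port as well."""
    blocked_srcs: set = field(default_factory=set)
    blocked_ports: set = field(default_factory=set)


def define_baseline(packets, n_intervals):
    """Baseline behavior pattern: packets per interval over a known-clean window."""
    counts = Counter(p.interval for p in packets)
    per_interval = [counts.get(i, 0) for i in range(n_intervals)]
    return Baseline(mean(per_interval), pstdev(per_interval) or 1.0)


def find_deviations(packets, baseline, threshold):
    """Intervals whose rate exceeds the baseline by more than `threshold` standard deviations."""
    counts = Counter(p.interval for p in packets)
    return sorted(i for i, c in counts.items()
                  if (c - baseline.mean_per_interval) / baseline.stdev_per_interval > threshold)


def characterize(packets, intervals):
    """Attack tactics as exhibited by the deviation: dominant source and destination port."""
    sub = [p for p in packets if p.interval in intervals]
    return {"src": Counter(p.src for p in sub).most_common(1)[0][0],
            "dst_port": Counter(p.dst_port for p in sub).most_common(1)[0][0]}


def is_blocked(p, remedy):
    return p.src in remedy.blocked_srcs or p.dst_port in remedy.blocked_ports


def evades_remedy(packets, intervals, remedy):
    """Compare the second deviation to the first remedy: if most of the deviating traffic
    would pass the remedy, the attacker changed tactics in response to it."""
    sub = [p for p in packets if p.interval in intervals]
    return sum(not is_blocked(p, remedy) for p in sub) / len(sub) > 0.5


def remedy_for(tactics, prior=None):
    if prior is None:
        return Remedy(blocked_srcs={tactics["src"]})
    # Tactics changed after a source block: keep the old block, add the new source,
    # and also close the port the attacker kept targeting.
    return Remedy(blocked_srcs=prior.blocked_srcs | {tactics["src"]},
                  blocked_ports=prior.blocked_ports | {tactics["dst_port"]})


def analyze_round(packets, baseline, threshold, prior_remedy=None):
    """One analysis pass; pass the previous round's remedy to detect a tactic change."""
    intervals = find_deviations(packets, baseline, threshold)
    if not intervals:
        return {"attack": False}
    tactics = characterize(packets, intervals)
    changed = prior_remedy is not None and evades_remedy(packets, intervals, prior_remedy)
    return {"attack": True, "intervals": intervals, "tactics": tactics,
            "tactic_change": changed,
            "remedy": remedy_for(tactics, prior_remedy if changed else None)}


def constructed_traffic(attack_src=None, attack_port=0, attack_intervals=(), attack_rate=0):
    """Constructed sample: light background traffic to 443 seen by two sensors, plus an optional flood."""
    background = [5, 6, 4, 5, 7, 5, 4, 6, 5, 5]  # packets per interval, ten intervals
    pkts = [Packet(f"sensor-{k % 2}", f"192.0.2.{k + 1}", 443, i)
            for i, n in enumerate(background) for k in range(n)]
    pkts += [Packet(f"sensor-{k % 2}", attack_src, attack_port, i)
             for i in attack_intervals for k in range(attack_rate)]
    return pkts


CLEAN = constructed_traffic()
FIRST = constructed_traffic("198.51.100.9", 80, (8, 9), 20)    # first attack
SECOND = constructed_traffic("198.51.100.77", 80, (8, 9), 20)  # same port, new source after the block
BASELINE = define_baseline(CLEAN, 10)

if __name__ == "__main__":
    r1 = analyze_round(FIRST, BASELINE, 3.0)
    r2 = analyze_round(SECOND, BASELINE, 3.0, r1["remedy"])
    print("first:", r1["tactics"], "remedy:", r1["remedy"])
    print("second:", r2["tactics"], "tactic change:", r2["tactic_change"], "remedy:", r2["remedy"])
```

The comparison step is the part worth attention: a second deviation is only classified as a tactic change when the deviating traffic would have passed the first remedy, so a plain repeat of the first attack (same source) re-applies the source block rather than escalating, while a flood that switches source to get around the block escalates to a port-based remedy. In practice the baseline window must be known-clean, otherwise an attack inside it inflates the standard deviation and the threshold stops firing.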