Centralized analysis and management of network packets

US 8,085,681 B2
Filed: 10/21/2008
Issued: 12/27/2011
Est. Priority Date: 10/21/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a computer, cause the computer to at least:

receive and store a first plurality of packets identified by a plurality of packet-detecting devices within a network;

define a baseline behavior pattern applicable to a behavior of the network;

define a threshold applicable to a deviation of the behavior of the network from the baseline behavior pattern;

perform a first analysis of the first plurality of packets to identify a first abnormal deviation in the baseline behavior pattern that exceeds the threshold;

identify a first attack against the network, as exhibited by the first abnormal deviation;

provide a first remedy for the first abnormal deviation to recover from the first attack;

receive and store a second plurality of packets identified by the plurality of packet-detecting devices within the network;

perform a second analysis of the second plurality of packets to identify a second abnormal deviation in the baseline behavior pattern that exceeds the threshold;

identify a second attack against the network, as exhibited by the second abnormal deviation;

compare the second plurality of packets to the first remedy to determine that the second abnormal deviation is caused by a change from first attack tactics used for the first attack to second attack tactics used for the second attack, the first attack tactics being changed to the second attack tactics in response to the first remedy; and

provide a second remedy based on the change from the first attack tactics to the second attack tactics.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This description provides tools and techniques for centralized analysis and management of network packets. These tools may provide methods that include storing network packets as identified by packet-detecting devices within networks. These methods may also define baseline behavior patterns applicable to the network, as well as thresholds applicable to deviations in network behavior, relative to the baseline behavior patterns. These methods may also identify attacks against the network, as exhibited by deviations in the behavior patterns that exceed the threshold.

Citations

18 Claims

1. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a computer, cause the computer to at least:
- receive and store a first plurality of packets identified by a plurality of packet-detecting devices within a network;
  
  define a baseline behavior pattern applicable to a behavior of the network;
  
  define a threshold applicable to a deviation of the behavior of the network from the baseline behavior pattern;
  
  perform a first analysis of the first plurality of packets to identify a first abnormal deviation in the baseline behavior pattern that exceeds the threshold;
  
  identify a first attack against the network, as exhibited by the first abnormal deviation;
  
  provide a first remedy for the first abnormal deviation to recover from the first attack;
  
  receive and store a second plurality of packets identified by the plurality of packet-detecting devices within the network;
  
  perform a second analysis of the second plurality of packets to identify a second abnormal deviation in the baseline behavior pattern that exceeds the threshold;
  
  identify a second attack against the network, as exhibited by the second abnormal deviation;
  
  compare the second plurality of packets to the first remedy to determine that the second abnormal deviation is caused by a change from first attack tactics used for the first attack to second attack tactics used for the second attack, the first attack tactics being changed to the second attack tactics in response to the first remedy; and
  
  provide a second remedy based on the change from the first attack tactics to the second attack tactics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the first plurality of packet and the second plurality of packets comprise a malicious packet discarded by the plurality of packet-detecting devices and a packet identified as requiring further analysis.
  - 3. The non-transitory computer-readable storage medium of claim 1, wherein providing the first remedy for the first abnormal deviation comprises reconfiguring a packet-detecting device of the plurality of packet-detecting devices within the network.
  - 4. The non-transitory computer-readable storage medium of claim 1, wherein providing the first remedy for the first abnormal deviation comprises reconfiguring a packet-deterring element within the network.
  - 5. The non-transitory computer-readable storage medium of claim 1, wherein providing the first remedy for the first abnormal deviation comprises notifying a network element that is originating the first plurality of packets.
  - 6. The non-transitory computer-readable storage medium of claim 1, wherein providing the first remedy for the first abnormal deviation comprises enforcing a rate limiting scheme applicable to a port of a packet-detecting device of the plurality of packet-detecting devices.
  - 7. The non-transitory computer-readable storage medium of claim 1, wherein providing the first remedy for the first abnormal deviation comprises allocating network capacity to at least one component within the network.
  - 8. The non-transitory computer-readable storage medium of claim 1, wherein the baseline behavior pattern and the threshold are defined based on a particular day of a week.
  - 9. The non-transitory computer-readable storage medium of claim 1, wherein the baseline behavior pattern and the threshold are defined based on a particular day within a month.
  - 10. The non-transitory computer-readable storage medium of claim 1, wherein the baseline behavior pattern and the threshold are defined based on a recurring event.
  - 11. The non-transitory computer-readable storage medium of claim 1, wherein the baseline behavior pattern and the threshold are defined based on a non-recurring event.
  - 12. The non-transitory computer-readable storage medium of claim 1, wherein the baseline behavior pattern and the threshold are defined based on an induced spike in network traffic.

13. A centralized packet analysis system for analyzing and managing packets of a network, the centralized packet analysis system comprising at least:
- a processor; and
  
  memory coupled to the processor, the memory comprising instructions configured to enable the processor to;
  
  receive and store a first plurality of packets identified by a plurality of packet-detecting devices within a network,define a baseline behavior pattern applicable to a behavior of the network,define a threshold applicable to a deviation of the behavior of the network from the baseline behavior pattern,perform a first analysis of the first plurality of packets to identify a first abnormal deviation in the baseline behavior pattern that exceeds the threshold,identify a first attack against the network, as exhibited by the first abnormal deviation,provide a first remedy for the first abnormal deviation to recover from the first attack,receive and store a second plurality of packets identified by the plurality of packet-detecting devices within the network,perform a second analysis of the second plurality of packets to identify a second abnormal deviation in the baseline behavior pattern that exceeds the threshold,identify a second attack against the network, as exhibited by the second abnormal deviation,compare the second plurality of packets to the first remedy to determine that the second abnormal deviation is caused by a change from first attack tactics used for the first attack to second attack tactics used for the second attack, the first attack tactics being changed to the second attack tactics in response to the first remedy, andprovide a second remedy based on the change from the first attack tactics to the second attack tactics.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The centralized packet analysis system of claim 13, wherein identifying the attack against the network comprises identifying predefined patterns appearing within the first plurality of the packets, wherein the predefined patterns are associated with particular types of attacks.
  - 15. The centralized packet analysis system of claim 13, wherein the processor is further enabled to store the first remedy and the second remedy in a remediation history.
  - 16. The centralized packet analysis system of claim 13, wherein the processor is further enabled to predict a future behavior of the network, based at least in part on analyzing the first plurality of the packets and the second plurality of the packets.
  - 17. The centralized packet analysis system of claim 16, wherein the processor is further enabled to proactively configure a network element in response to the future behavior of the network.

18. A method for analyzing and managing packets of a network, the method comprising at least:
- receiving and storing a first plurality of packets identified by a plurality of packet-detecting devices within a network;
  
  defining a baseline behavior pattern applicable to a behavior of the network;
  
  defining a threshold applicable to a deviation of the behavior of the network from the baseline behavior pattern;
  
  performing a first analysis of the first plurality of packets to identify a first abnormal deviation in the baseline behavior pattern that exceeds the threshold;
  
  identifying a first attack against the network, as exhibited by the first abnormal deviation;
  
  providing a first remedy for the first abnormal deviation to recover from the first attack;
  
  receiving and storing a second plurality of packets identified by the plurality of packet-detecting devices within the network;
  
  performing a second analysis of the second plurality of packets to identify a second abnormal deviation in the baseline behavior pattern that exceeds the threshold;
  
  identifying a second attack against the network, as exhibited by the second abnormal deviation;
  
  comparing the second plurality of packets to the first remedy to determine that the second abnormal deviation is caused by a change from first attack tactics used for the first attack to second attack tactics used for the second attack, the first attack tactics being changed to the second attack tactics in response to the first remedy; and
  
  providing a second remedy based on the change from the first attack tactics to the second attack tactics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Raftelis, Michael, Dagash, Mohamed
Primary Examiner(s)
Pham, Chi
Assistant Examiner(s)
Elallam, Ahmed

Application Number

US12/255,037
Publication Number

US 20100097945A1
Time in Patent Office

1,162 Days
Field of Search

370/229, 370/235, 370/252, 370/253, 726/2, 726/5, 726/6, 726/7, 726/11, 726/13, 726/15, 726/22, 726/23, 726/25
US Class Current

370/252
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

Centralized analysis and management of network packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Centralized analysis and management of network packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links