Event detection/anomaly correlation heuristics
First Claim
1. A method for detecting conditions in a network, comprising:
finding, by computer, anomalies by analyzing connection patterns, wherein anomalies are differences in connection patterns between hosts relative to some comparison period; and
collecting anomalies into operationally relevant events, wherein an operationally relevant event is a collection of anomalies related to a singular cause, wherein collecting anomalies into events comprises traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.
20 Claims
1. A method for detecting conditions in a network, comprising:
finding, by computer, anomalies by analyzing connection patterns, wherein anomalies are differences in connection patterns between hosts relative to some comparison period; and
collecting anomalies into operationally relevant events, wherein an operationally relevant event is a collection of anomalies related to a singular cause, wherein collecting anomalies into events comprises traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer program product tangibly stored in a non-transitory computer readable medium for detecting intrusions in a network, comprising instructions for causing a processor to:
find anomalies by analyzing connection patterns, wherein anomalies are differences in connection patterns between hosts relative to some comparison period; and
collect anomalies into operationally relevant events, wherein an operationally relevant event is a collection of anomalies related to a singular cause, wherein collecting anomalies into events comprises traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
Dependent claims: 10, 11, 12, 13, 14.
15. A device for detecting conditions in a network, comprising:
circuitry to find anomalies by analyzing connection patterns, wherein anomalies are differences in connection patterns between hosts relative to some comparison period; and
circuitry to collect anomalies into operationally relevant events, wherein an operationally relevant event is a collection of anomalies related to a singular cause, wherein collecting anomalies into events comprises traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
Dependent claims: 16, 17, 18, 19, 20.
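The abstract and the three independent claims describe the same pipeline: build a connection table mapping each host to a record of its traffic, flag anomalies as differences between a host's current connection pattern and a comparison period, then traverse the connection table to correlate anomalies that share a single cause into one event of a particular class. The following is an added illustration of that pipeline and is not code from the patent or its assignee. The flow records, the thresholds (`min_new_peers`, `min_new_ports`), the event classes `host_sweep` and `port_scan`, and the parent-tracing rule used to correlate anomalies are all constructed for the example; the patent's specification may define these differently.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows as (source host, destination host, destination port).
# The baseline stands in for the "comparison period"; CURRENT is the window under analysis.
BASELINE_FLOWS = [
    ("A", "S1", 443), ("A", "S2", 443), ("B", "S1", 443), ("C", "S1", 80),
]
CURRENT_FLOWS = [
    ("A", "S1", 443), ("A", "S2", 443), ("B", "S1", 443), ("C", "S1", 80),
    # A reaches four hosts on port 445 it never spoke to in the baseline
    ("A", "H1", 445), ("A", "H2", 445), ("A", "H3", 445), ("A", "H4", 445),
    # H1, just reached by A, immediately shows the same pattern
    ("H1", "H5", 445), ("H1", "H6", 445), ("H1", "H7", 445),
] + [("C", "S3", p) for p in range(21, 31)]  # C probes ten ports on one new server


def empty_record():
    # One connection-table record: peers this host talked to / heard from, with ports seen.
    return {"out": defaultdict(set), "in": defaultdict(set)}


def build_connection_table(flows):
    """Map every host to a record describing its traffic (the patent's connection table)."""
    table = defaultdict(empty_record)
    for src, dst, port in flows:
        table[src]["out"][dst].add(port)
        table[dst]["in"][src].add(port)
    return table


@dataclass(frozen=True)
class Anomaly:
    host: str
    kind: str      # "new_peers" or "new_ports" (constructed anomaly kinds)
    detail: tuple  # peers, or (peer, ports), absent from the comparison period


@dataclass
class Event:
    event_class: str
    root: str        # host the correlated anomalies trace back to (the singular cause)
    anomalies: list


def find_anomalies(baseline, current, min_new_peers=3, min_new_ports=5):
    """An anomaly is a host's connection pattern differing from its baseline pattern."""
    anomalies = []
    for host, rec in current.items():
        base_out = baseline[host]["out"] if host in baseline else {}
        new_peers = set(rec["out"]) - set(base_out)
        if len(new_peers) >= min_new_peers:
            anomalies.append(Anomaly(host, "new_peers", tuple(sorted(new_peers))))
        for peer, ports in rec["out"].items():
            new_ports = ports - base_out.get(peer, set())
            if len(new_ports) >= min_new_ports:
                anomalies.append(Anomaly(host, "new_ports", (peer, tuple(sorted(new_ports)))))
    return anomalies


def correlate_events(anomalies, baseline, current):
    """Traverse the connection table to group anomalies that share one cause into events."""
    sweeps = {a.host: a for a in anomalies if a.kind == "new_peers"}

    def newly_reached_from(host):
        # Which sweeping host first contacted `host` in this window but not in the baseline?
        base_in = baseline[host]["in"] if host in baseline else {}
        for src in current[host]["in"]:
            if src != host and src in sweeps and src not in base_in:
                return src
        return None

    # Walk each sweeping host back through the table to the host that started the chain.
    roots = defaultdict(list)
    for host in sweeps:
        cur, seen = host, {host}
        while (parent := newly_reached_from(cur)) is not None and parent not in seen:
            seen.add(parent)
            cur = parent
        roots[cur].append(sweeps[host])

    events = [Event("host_sweep", root, members) for root, members in roots.items()]
    events += [Event("port_scan", a.host, [a]) for a in anomalies if a.kind == "new_ports"]
    return events


def run_example():
    baseline = build_connection_table(BASELINE_FLOWS)
    current = build_connection_table(CURRENT_FLOWS)
    anomalies = find_anomalies(baseline, current)
    return anomalies, correlate_events(anomalies, baseline, current)


if __name__ == "__main__":
    found, grouped = run_example()
    for ev in grouped:
        print(ev.event_class, "rooted at", ev.root, "covers", [a.host for a in ev.anomalies])
```

On the constructed data the detector raises three anomalies (A and H1 each contact several new peers, C opens many new ports on one server) but reports only two events: A's and H1's anomalies are traced through the connection table to A as the single cause of one `host_sweep` event, while C's probing is an unrelated `port_scan` event. That collapse from anomalies to cause-linked events is the step the claims describe as collecting anomalies into operationally relevant events.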
Specification