Aggregator for connection based anomaly detection
First Claim
1. A device, comprising:
a processor;
a memory storing a connection table that maps each node of a network to a host object that stores information about traffic to the node and from the node, wherein the connection table includes a plurality of sub-tables to track data at different time-scales, and the connection sub-tables include a time-slice connection table that operates on a small unit of time and at least one other sub-table that operates on a larger unit of time than the time-slice sub-table, with each sub-table holding the sum of records received from all collectors during respective units of time; and
a computer readable medium storing a computer program product comprising instructions for causing the device to:
detect anomalies in network traffic based on information in the connection table and to aggregate the anomalies into network events according to connection patterns.
23 Assignments
0 Petitions
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events by aggregating anomalies into network events.
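The structure described in claim 1 and the abstract (a per-node host object, a time-slice sub-table plus a longer-period sub-table that both sum the records of every collector, anomaly detection against the table, and aggregation of anomalies into events by connection pattern) can be made concrete with the following added example. It is an illustration written for this page, not the patent's own code: the class names, the collector record shape `(timestamp, collector_id, src, dst, count)`, the thresholds, the choice of the enclosing long window as the baseline, and the event labels `scan`, `flood` and `burst` are all assumptions, and the input records are constructed, not captured traffic.

```python
"""Multi-timescale connection table, anomaly detection and event aggregation.
Added illustration of the claimed structure, not the patent's code. Names,
record shape, thresholds and event labels are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HostObject:
    """Per-node summary of traffic to and from the node for one unit of time."""
    out_conns: int = 0
    in_conns: int = 0
    out_peers: set = field(default_factory=set)  # destinations this node contacted
    in_peers: set = field(default_factory=set)   # sources that contacted this node


class ConnectionSubTable:
    """node -> HostObject for one unit of time; sums records from all collectors."""
    def __init__(self):
        self.hosts = defaultdict(HostObject)

    def add(self, src, dst, count):
        self.hosts[src].out_conns += count
        self.hosts[src].out_peers.add(dst)
        self.hosts[dst].in_conns += count
        self.hosts[dst].in_peers.add(src)


@dataclass
class Anomaly:
    slice_idx: int
    node: str
    direction: str      # "out_conns" or "in_conns"
    observed: int
    expected: float
    peers: set


@dataclass
class NetworkEvent:
    kind: str
    node: str
    first_slice: int
    last_slice: int
    peers: set
    anomalies: list


class ConnectionTable:
    """Time-slice sub-tables (short unit) plus long-period sub-tables (baseline);
    every collector record is summed into the bucket of both time scales."""
    def __init__(self, slice_seconds=60, long_seconds=3600):
        self.slice_seconds, self.long_seconds = slice_seconds, long_seconds
        self.slices = {}   # slice index -> ConnectionSubTable
        self.longs = {}    # long-window index -> ConnectionSubTable

    def ingest(self, records):
        """records: iterable of (timestamp, collector_id, src, dst, count)."""
        for ts, _collector, src, dst, count in records:
            for table, unit in ((self.slices, self.slice_seconds), (self.longs, self.long_seconds)):
                table.setdefault(ts // unit, ConnectionSubTable()).add(src, dst, count)

    def detect_anomalies(self, factor=5.0, min_count=10):
        """A node is anomalous in a slice when its count exceeds `factor` times its
        average per-slice rate over the enclosing long window (assumed baseline);
        min_count suppresses alerts on hosts that are merely quiet in the baseline."""
        anomalies, per_long = [], self.long_seconds // self.slice_seconds
        for sidx in sorted(self.slices):
            long_tab = self.longs[(sidx * self.slice_seconds) // self.long_seconds]
            for node, h in self.slices[sidx].hosts.items():
                base = long_tab.hosts[node]   # same records fed both tables
                for direction, peers in (("out_conns", h.out_peers), ("in_conns", h.in_peers)):
                    observed, expected = getattr(h, direction), getattr(base, direction) / per_long
                    if observed >= min_count and observed > factor * expected:
                        anomalies.append(Anomaly(sidx, node, direction, observed, expected, set(peers)))
        return anomalies


def aggregate_events(anomalies, fanout=20):
    """Group anomalies into events by connection pattern: one source reaching many
    distinct destinations is a 'scan', one destination hit by many distinct sources
    a 'flood', anything else a 'burst'; consecutive slices of one node/kind merge."""
    events = []
    for a in sorted(anomalies, key=lambda x: (x.node, x.direction, x.slice_idx)):
        many = len(a.peers) >= fanout
        kind = "scan" if (a.direction == "out_conns" and many) else "flood" if many else "burst"
        last = events[-1] if events else None
        if last and last.node == a.node and last.kind == kind and a.slice_idx == last.last_slice + 1:
            last.last_slice, last.peers = a.slice_idx, last.peers | a.peers
            last.anomalies.append(a)
        else:
            events.append(NetworkEvent(kind, a.node, a.slice_idx, a.slice_idx, set(a.peers), [a]))
    return events


def constructed_records():
    """Constructed input: two collectors each see one of host A's two routine
    connections per minute for an hour; in minute 55 col1 also sees A contact
    40 distinct hosts once each (a fan-out scan)."""
    recs = []
    for minute in range(60):
        recs.append((minute * 60 + 5, "col1", "A", "B", 1))
        recs.append((minute * 60 + 5, "col2", "A", "C", 1))
    recs += [(55 * 60 + 10, "col1", "A", f"D{i}", 1) for i in range(40)]
    return recs


def run_example():
    table = ConnectionTable()
    table.ingest(constructed_records())
    return aggregate_events(table.detect_anomalies())


if __name__ == "__main__":
    for ev in run_example():
        print(ev.kind, ev.node, "slices", ev.first_slice, "-", ev.last_slice, "peers", len(ev.peers))
```

With the constructed input, host A's long-window baseline is 160 connections over 60 slices (about 2.7 per minute), so the 42 connections in minute 55 exceed five times the baseline and produce one anomaly, which the fan-out rule turns into a single `scan` event; the 40 target hosts each receive a single connection and stay below `min_count`, so they do not become anomalies of their own. Note that the baseline window here contains the anomalous slice itself, which slightly inflates the expected rate; a deployment would normally compare against the preceding long window.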
130 Citations
30 Claims
1. A device, comprising: (independent claim; full text given under First Claim above) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
18. A computer program product residing on a non-transitory computer readable medium for use in detecting network intrusions comprises instructions for causing a processor to:
store a connection table that maps each node of a network to a host object, the connection table stores information about traffic to or from the node, wherein the connection table includes a plurality of sub-tables to track data at different time-scales, and the connection sub-tables include a time-slice connection table that operates on a small unit of time and at least one other sub-table that operates on a larger unit of time than the time-slice sub-table, with each sub-table holding the sum of records received from all collectors during respective units of time; and
aggregate anomalies determined from information in the connection table into network events according to connection patterns. - View Dependent Claims (19, 20, 21, 22)
23. A method comprising:
producing in a computer system a connection table that maps each node of a network to a host object, the connection table stores information about traffic to or from the node, wherein the connection table includes a plurality of sub-tables to track data at different time-scales, and the connection sub-tables include a time-slice connection table that operates on a small unit of time and at least one other sub-table that operates on a larger unit of time than the time-slice sub-table, with each sub-table holding the sum of records received from all collectors during respective units of time; and
aggregating anomalies into the network events according to connection patterns. - View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
Specification