Connection based anomaly detection

US 8,504,879 B2
Filed: 11/03/2003
Issued: 08/06/2013
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method of detecting a new host connecting to a network comprises:

receiving by a computer statistics collected from a host in the network; and

indicating by the computer to a console that the host is a new host if, during a period of time T, the host transmits at least N packets and receives at least N packets, and if the host had never transmitted and received more than N packets in any previous period of time with a duration of T.

View all claims

22 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Citations

9 Claims

1. A computer implemented method of detecting a new host connecting to a network comprises:
- receiving by a computer statistics collected from a host in the network; and
  
  indicating by the computer to a console that the host is a new host if, during a period of time T, the host transmits at least N packets and receives at least N packets, and if the host had never transmitted and received more than N packets in any previous period of time with a duration of T.
- View Dependent Claims (2)
- - 2. The method of claim 1 wherein indicating comprises:
    - determining the minimal rate of N/T packets/second to avoid false positives caused by scans or spoofing attacks.

3. A method executed in a computing device for detecting a failed host in a network comprises:
- determining in the computing device, if both a mean historical rate of server response packets from a host is greater than M and a ratio of a standard deviation of historical rate of server response packets from the host to a mean profiled rate of server response packets from the host is less than R over a period of time; and
  
  indicating the host as a potential failed host if both conditions are present.
- View Dependent Claims (4, 5)
- - 4. The method of claim 3 wherein indicating comprises:
    - determining a period seconds of continuous inactivity of the potential failed host to expire the potential failed host after the period of continuous inactivity; and
      
      generating a new host event if the expired failed host sends traffic on the network after the period of continuous inactivity has elapsed.
  - 5. The method of claim 3 wherein a host failure indicates an inability by the host to generate traffic on the network or an application failure.

6. A device, comprising:
- a processor;
  
  memory associated with the processor; and
  
  a non-transitory storage medium storing a computer program product for detecting a new host connecting to a network comprises instructions to;
  
  receive statistics collected from a host in the network; and
  
  indicate to a console that the host is a new host if during a period of time T, the host transmits at least N packets and receives at least N packets, and if the host had never transmitted and received more than N packets in any previous period of time with a duration of T.

7. A device, comprising:
- a processor;
  
  memory associated with the processor; and
  
  a non-transitory storage medium storing a computer program product for detecting a failed host in a network comprises instructions to;
  
  determine if both a mean historical rate of server response packets from a host is greater than M and a ratio of a standard deviation of historical rate of server response packets from the host to a mean profiled rate of server response packets from the host is less than R over a period of time; and
  
  indicate the host as a potential failed host if both conditions are present.
- View Dependent Claims (8, 9)
- - 8. The device of claim 7 wherein instructions to indicate comprises instructions to:
    - determine the minimal rate of NIT packets/second to avoid false positives caused by scans or spoofing attacks; and
      
      wherein a host failure indicates an inability by the host to generate traffic on the network or an application failure.
  - 9. The device of claim 7 wherein instructions to indicate comprises instructions to:
    - determine a period seconds of continuous inactivity of the potential failed host to expire the potential failed host after the period of continuous inactivity; and
      
      generate a new host event if the expired failed host sends traffic on the network after the period of continuous inactivity has elapsed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Poletto, Massimiliano Antonio, Kohler, Edward W. Jr., Ratin, Andrew, Gorelik, Andrew
Primary Examiner(s)
Bonzo, Bryce
Assistant Examiner(s)
Mehrmanesh, Elmira

Application Number

US10/701,154
Publication Number

US 20040205374A1
Time in Patent Office

3,564 Days
Field of Search

714/4, 714/47, 714/48, 714/4.1, 714 471- 473, 709/223, 709/224, 709/225, 709/226, 726/22, 726/23, 726/2
US Class Current

714/47.2
CPC Class Codes

H04L 41/064   involving time analysis

H04L 43/0811   by checking connectivity

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Connection based anomaly detection

First Claim

22 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Connection based anomaly detection

First Claim

22 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links