Connection based anomaly detection
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that aggregate individual anomalies into network events.
9 Claims
1. A computer implemented method of detecting a new host connecting to a network comprises:
receiving by a computer statistics collected from a host in the network; and
indicating by the computer to a console that the host is a new host if, during a period of time T, the host transmits at least N packets and receives at least N packets, and if the host had never transmitted and received more than N packets in any previous period of time with a duration of T.
(Dependent claim: 2)

3. A method executed in a computing device for detecting a failed host in a network comprises:
determining in the computing device, if both a mean historical rate of server response packets from a host is greater than M and a ratio of a standard deviation of historical rate of server response packets from the host to a mean profiled rate of server response packets from the host is less than R over a period of time; and
indicating the host as a potential failed host if both conditions are present.
(Dependent claims: 4, 5)

6. A device, comprising:
a processor; memory associated with the processor; and a non-transitory storage medium storing a computer program product for detecting a new host connecting to a network comprises instructions to:
receive statistics collected from a host in the network; and
indicate to a console that the host is a new host if, during a period of time T, the host transmits at least N packets and receives at least N packets, and if the host had never transmitted and received more than N packets in any previous period of time with a duration of T.

7. A device, comprising:
a processor; memory associated with the processor; and a non-transitory storage medium storing a computer program product for detecting a failed host in a network comprises instructions to:
determine if both a mean historical rate of server response packets from a host is greater than M and a ratio of a standard deviation of historical rate of server response packets from the host to a mean profiled rate of server response packets from the host is less than R over a period of time; and
indicate the host as a potential failed host if both conditions are present.
(Dependent claims: 8, 9)
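The two rules quoted in claims 1 and 3, carried through as an added Python example; this is illustration written for this page, not code from the patent or its assignee. It assumes fixed, non-overlapping windows of length T indexed by integer division of the packet timestamp, that the "historical" and "profiled" means in claim 3 are taken from the same series of per-window server-response rates, and the constructed flows and thresholds (T = 60 s, N = 10, M = 20, R = 0.1) embedded below. The class and function names are this example's own.

```python
"""Added worked example (not the patent's own code) of the two rules in
claims 1 and 3. Window length T, packet threshold N, rate threshold M and
ratio R are the claims' free parameters; the values below are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class HostRecord:
    """Connection-table entry for one host: packets sent / received per
    fixed window of length T (window index -> packet count)."""
    tx: dict[int, int] = field(default_factory=dict)
    rx: dict[int, int] = field(default_factory=dict)


class ConnectionTable:
    """Aggregator-side table mapping each host to its HostRecord."""

    def __init__(self, window_seconds: float):
        self.T = window_seconds
        self.hosts: dict[str, HostRecord] = defaultdict(HostRecord)

    def window(self, ts: float) -> int:
        return int(ts // self.T)

    def observe(self, ts: float, src: str, dst: str, packets: int = 1) -> None:
        """Fold one collector report (packets from src to dst at time ts) in."""
        w = self.window(ts)
        s, d = self.hosts[src], self.hosts[dst]
        s.tx[w] = s.tx.get(w, 0) + packets
        d.rx[w] = d.rx.get(w, 0) + packets

    def is_new_host(self, host: str, w: int, n: int) -> bool:
        """Claim 1, read literally: in window w the host both sent and
        received at least N packets, and in no earlier window did it send
        AND receive more than N."""
        rec = self.hosts.get(host)
        if rec is None:
            return False
        if rec.tx.get(w, 0) < n or rec.rx.get(w, 0) < n:
            return False
        earlier = (p for p in set(rec.tx) | set(rec.rx) if p < w)
        return not any(rec.tx.get(p, 0) > n and rec.rx.get(p, 0) > n for p in earlier)


def potential_failed_host(rates: list[float], m: float, r: float) -> bool:
    """Claim 3: mean historical server-response rate > M and the ratio
    stddev / mean (the coefficient of variation) < R.  Assumes, as stated
    in the lead-in, that both means come from the same rate series."""
    if len(rates) < 2:
        return False            # no spread to measure yet
    mu = mean(rates)
    if mu <= m or mu <= 0:      # mu <= 0 also guards the division below
        return False
    return pstdev(rates) / mu < r


# Constructed sample input: (timestamp in s, src, dst, packets); T = 60 s, N = 10.
CONSTRUCTED_FLOWS = [
    (70.0,  "10.0.0.7", "10.0.0.1", 10),   # window 1: exactly N each way
    (75.0,  "10.0.0.1", "10.0.0.7", 10),
    (125.0, "10.0.0.5", "10.0.0.1", 12),   # window 2: 10.0.0.5 first seen, two-way
    (130.0, "10.0.0.1", "10.0.0.5", 15),
    (126.0, "10.0.0.9", "10.0.0.1", 30),   # window 2: one-way only, nothing returned
    (135.0, "10.0.0.7", "10.0.0.1", 10),   # window 2: again exactly N each way
    (140.0, "10.0.0.1", "10.0.0.7", 10),
    (190.0, "10.0.0.5", "10.0.0.1", 20),   # window 3: 10.0.0.5 keeps talking
    (195.0, "10.0.0.1", "10.0.0.5", 20),
]


def run_example(n: int = 10) -> dict[str, bool]:
    """Feed the constructed flows through the table and evaluate both rules."""
    table = ConnectionTable(window_seconds=60.0)
    for ts, src, dst, pkts in CONSTRUCTED_FLOWS:
        table.observe(ts, src, dst, pkts)
    return {
        "5_new_in_w2": table.is_new_host("10.0.0.5", 2, n),  # True: first two-way window
        "5_new_in_w3": table.is_new_host("10.0.0.5", 3, n),  # False: w2 exceeded N both ways
        "9_new_in_w2": table.is_new_host("10.0.0.9", 2, n),  # False: sent 30, received 0
        "1_new_in_w1": table.is_new_host("10.0.0.1", 1, n),  # True: cold start, no history yet
        "7_new_in_w2": table.is_new_host("10.0.0.7", 2, n),  # True: w1 hit exactly N, not > N
        "steady_server_failed": potential_failed_host([50, 52, 49, 51, 50], m=20, r=0.1),  # True
        "bursty_host_failed": potential_failed_host([5, 60, 2, 80], m=20, r=0.1),         # False
        "quiet_host_failed": potential_failed_host([1, 1, 1, 1], m=20, r=0.1),            # False
    }


if __name__ == "__main__":
    for name, verdict in run_example().items():
        print(f"{name}: {verdict}")
```

Two consequences of the claim wording show up in the sample output. Claim 1 tests the current window with "at least N" but the history with "more than N", so a host that sits at exactly N packets each way (10.0.0.7 above) is reported as new in every window; and at deployment start no host has any history, so the first window in which each existing host exchanges N packets both ways reports it as new (10.0.0.1 above). Claim 3, as quoted, conditions only on the historical profile of the host's server-response rate, so the function evaluates exactly those two conditions and nothing else.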