System and method for detection of aberrant network behavior by clients of a network access gateway

US 8,543,693 B2
Filed: 09/30/2011
Issued: 09/24/2013
Est. Priority Date: 03/10/2004
Status: Active Grant

First Claim

Patent Images

1. A system for detecting aberrant network, comprising:

a first network interface coupled to one or more clients, wherein the system is configured to;

receive network communications at the first network interface, wherein each of the network communications is associated with a first client;

determine if aberrant network behavior is occurring with respect to the first client, wherein determining if network behavior is aberrant comprises;

analyzing the received network communications to determine if a first rule of any of one or more rules corresponding to the network communications associated with the first client,updating a first set of statistical information associated with the first client responsive to a determination that the first rule, corresponding to the network communications, wherein the first set of statistical information is accumulated over a time period, andanalyzing the first set of statistical information to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of systems and methods for detecting aberrant network behavior are disclosed. One embodiment comprises a network interface over which network communications are received from a client. These network communications can then be analyzed to determine if aberrant network behavior is occurring with respect to the client.

Citations

21 Claims

1. A system for detecting aberrant network, comprising:
- a first network interface coupled to one or more clients, wherein the system is configured to;
  
  receive network communications at the first network interface, wherein each of the network communications is associated with a first client;
  
  determine if aberrant network behavior is occurring with respect to the first client, wherein determining if network behavior is aberrant comprises;
  
  analyzing the received network communications to determine if a first rule of any of one or more rules corresponding to the network communications associated with the first client,updating a first set of statistical information associated with the first client responsive to a determination that the first rule, corresponding to the network communications, wherein the first set of statistical information is accumulated over a time period, andanalyzing the first set of statistical information to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the first set of statistical information is associated with a second client.
  - 3. The system of claim 2, wherein the first set of statistical information is updated based on a second rule.
  - 4. The system of claim 2, further configured to:
    - receive network communications at the first network interface, wherein each of the network communications is associated with the second client;
      
      determine if aberrant network behavior is occurring with respect to the second client, wherein determining if network behavior is aberrant comprises;
      
      analyzing the received network communications to determine if any of one or more rules apply to the network communications and if a second rule applies to the network communications associated with the second client,updating the first set of statistical information associated based on the second rule, andapplying the set of conditions to the first set of statistical information.
  - 5. The system of claim 1, wherein the first statistical information comprises a first set of lists.
  - 6. The system of claim 5, wherein the first set of lists corresponds to the first client.
  - 7. The system of claim 6, wherein updating the first set of statistical information comprises updating a first list of the first set of lists wherein the first list is associated with at least the first rule of the one or more rules.

8. A method for detecting aberrant network behavior in one or more clients coupled to a first network interface, comprising:
- receiving network communications at the first network interface, wherein each of the network communications is associated with a first client;
  
  determining if aberrant network behavior is occurring with respect to the first client, wherein determining if network behavior is aberrant comprises;
  
  analyzing the received network communications to determine if a first rule of any of one or more rules corresponding to the network communications associated with the first client,updating a first set of statistical information associated with the first client responsive to a determination that the first rule corresponding to the network communications, wherein the first set of statistical information is accumulated over a time period, andanalyzing the first set of statistical information to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the first set of statistical information is associated with a second client.
  - 10. The method of claim 9, wherein the first set of statistical information is updated based on a second rule.
  - 11. The method of claim 9, further comprising:
    - receiving network communications at the first network interface, wherein each of the network communications is associated with the second client;
      
      determining if aberrant network behavior is occurring with respect to the second client, wherein determining if network behavior is aberrant comprises;
      
      analyzing the received network communications to determine if any of one or more rules apply to the network communications and if a second rule applies to the network communications associated with the second client,updating the first set of statistical information associated based on the second rule, andapplying the set of conditions to the first set of statistical information.
  - 12. The method of claim 8, wherein the first statistical information comprises a first set of lists.
  - 13. The method of claim 12, wherein the first set of lists corresponds to the first client.
  - 14. The method of claim 13, wherein updating the first set of statistical information comprises updating a first list of the first set of lists wherein the first list is associated with at least the first rule of the one or more rules.

15. A tangible non-transitory computer readable medium comprising instructions for:
- receiving network communications at the first network interface, wherein each of the network communications is associated with a first client;
  
  determining if aberrant network behavior is occurring with respect to the first client, wherein determining if network behavior is aberrant comprises;
  
  analyzing the received network communications to determine if a first rule of any of one or more rules corresponding to the network communications associated with the first client,updating a first set of statistical information associated with the first client responsive to a determination that the first rule corresponding to the network communications, wherein the first set of statistical information is accumulated over a time period, andanalyzing the first set of statistical information to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transistory computer readable medium of claim 15, wherein the first set of statistical information is associated with a second client.
  - 17. The non-transistory computer readable medium of claim 16, wherein the first set of statistical information is updated based on a second rule.
  - 18. The non-transistory computer readable medium of claim 16, further comprising instructions for:
    - receiving network communications at the first network interface, wherein each of the network communications is associated with the second client;
      
      determining if aberrant network behavior is occurring with respect to the second client, wherein determining if network behavior is aberrant comprises;
      
      analyzing the received network communications to determine if any of one or more rules apply to the network communications and if a second rule applies to the network communications associated with the second client,updating the first set of statistical information associated based on the second rule, andapplying the set of conditions to the first set of statistical information.
  - 19. The non-transistory computer readable medium of claim 15, wherein the first statistical information comprises a first set of lists.
  - 20. The non-transistory computer readable medium of claim 19, wherein the first set of lists corresponds to the first client.
  - 21. The non-transistory computer readable medium of claim 20, wherein updating the first set of statistical information comprises updating a first list of the first set of lists wherein the first list is associated with at least the first rule of the one or more rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OpenTV, Inc. (Kudelski SA)
Original Assignee
RPX Corporation
Inventors
Tonnesen, Steven D.
Primary Examiner(s)
Dharia, Rupal
Assistant Examiner(s)
Chacko, Joe

Application Number

US13/249,578
Publication Number

US 20120084858A1
Time in Patent Office

725 Days
Field of Search

709/224
US Class Current

709/224
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for detection of aberrant network behavior by clients of a network access gateway

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detection of aberrant network behavior by clients of a network access gateway

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links