Method and apparatus for predictive and actual intrusion detection on a network
First Claim
1. A method of managing network usage, the method comprising:
- defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored;
- capturing network packets containing content during transmission;
- decapsulating the captured network packets;
- identifying linguistic patterns in the content of the captured network packets;
- scoring captured network packets based on similarity of at least one of the identified linguistic patterns to one or more of the defined set of linguistic patterns; and
- when a packet that is scored above a specified threshold value is identified, implementing at least one responsive action.
Abstract
A method of managing network usage by defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored. Network packets are captured during transmission and analyzed to identify linguistic patterns. Captured network packets are scored based on similarity of at least one linguistic pattern to one or more of the defined set of linguistic patterns. When a packet that is scored above a specified threshold value is identified, at least one responsive action is implemented. In this manner, a system implementing the method is able to identify network traffic that is associated with prospective malicious activity and thereby provide an early warning before damage has occurred.
32 Claims
1. A method of managing network usage, the method comprising:
- defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored;
- capturing network packets containing content during transmission;
- decapsulating the captured network packets;
- identifying linguistic patterns in the content of the captured network packets;
- scoring captured network packets based on similarity of at least one of the identified linguistic patterns to one or more of the defined set of linguistic patterns; and
- when a packet that is scored above a specified threshold value is identified, implementing at least one responsive action.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A tangible computer readable storage disk or device comprising instructions that, when executed, cause a machine to at least:
- define a set of linguistic patterns, where each linguistic pattern is associated with a condition that is to be monitored;
- capture network packets containing content during transmission;
- decapsulate the captured network packets;
- identify linguistic patterns in the content of the captured network packets;
- score captured network packets based on similarity of at least one of the identified linguistic patterns to one or more of the defined set of linguistic patterns; and
- when a packet that is scored above a specified threshold value is identified, implement at least one responsive action.

12. A monitored networked computing system comprising:
- a network;
- a plurality of computing devices coupled to the network and configured to exchange information packets containing packet information and content;
- a network analyzer coupled to the network, wherein the network analyzer includes mechanisms for capturing the information packets; and
- a linguistic analyzer coupled to the network analyzer and operable to identify preselected linguistic patterns in the content of the captured information packets, wherein the linguistic patterns are preselected to identify the information packets that preemptively indicate a future network attack.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21

22. A device for monitoring network traffic, the device comprising:
- a memory comprising instructions; and
- a processor to execute the instructions to:
  - capture network packets containing packet information and content from a network;
  - identify linguistic patterns in the content of the captured network packets;
  - score captured network packets based on similarity of at least one of the identified linguistic patterns to one or more of a defined set of linguistic patterns; and
  - implement at least one responsive action when a packet that is scored above a specified threshold value is identified.

23. A computing device configured to monitor content of network traffic, the computing device comprising:
- a processor;
- memory coupled to the processor;
- a port coupled to an external network; and
- computer code executable using the processor and the memory and operable to analyze linguistic patterns in the network traffic content and thereby identify network traffic on the external network by comparing the linguistic patterns in the network traffic to known linguistic patterns.
Dependent claims: 24, 25, 26, 27, 28, 29

30. A method of detecting a prospective network attack, the method comprising:
- defining a set of linguistic patterns, where each linguistic pattern is associated with a condition that has been determined to be indicative of a prospective network attack;
- monitoring content of network traffic over time;
- identifying linguistic patterns when they occur in the network traffic;
- accumulating information about the identified occurrences of the defined set of linguistic patterns over time; and
- using the accumulated information as a basis for determining, using a processor, a likelihood of a prospective network attack.
Dependent claims: 31, 32
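The pipeline of claim 1 (define patterns, decapsulate captured packets, score by similarity, act above a threshold) together with the accumulation step of claim 30, as an added illustration that is not code from the patent. The framing format, the token-overlap similarity metric, the threshold of 0.5, the pattern phrases and the sample traffic are all constructed for this example.

```python
import re
import struct
from collections import Counter
# Constructed patterns, each tied to the condition it monitors (claim 1).
PATTERNS = {
    "credential_request": "send me your password and username",
    "exfil_planning": "upload the customer database to the external server",
}
THRESHOLD = 0.5  # specified threshold value; assumed for this example

def tokens(text):
    return set(re.findall(r"[a-z0-9']+", text.lower()))

def encapsulate(src, dst, payload):
    """Constructed framing: 4-byte src id, 4-byte dst id, 2-byte length, payload."""
    return struct.pack("!IIH", src, dst, len(payload)) + payload

def decapsulate(frame):
    """Strip the constructed header; return (flow label, payload bytes)."""
    src, dst, length = struct.unpack("!IIH", frame[:10])
    return f"{src}->{dst}", frame[10:10 + length]

def score(content):
    """Similarity (assumed metric): fraction of a pattern's tokens present in
    the content. Returns the best-matching (condition, score)."""
    present, best = tokens(content), ("", 0.0)
    for cond, phrase in PATTERNS.items():
        want = tokens(phrase)
        s = len(present & want) / len(want)
        if s > best[1]:
            best = (cond, s)
    return best

def analyze(frames, threshold=THRESHOLD):
    """Score each frame; record a responsive action (an alert) when the score
    exceeds the threshold, and accumulate matched conditions over time to
    estimate the likelihood of a prospective attack (claim 30). Assumed
    heuristic: likelihood = share of monitored conditions already seen."""
    alerts, seen = [], Counter()
    for frame in frames:
        flow, payload = decapsulate(frame)
        cond, s = score(payload.decode("utf-8", "replace"))
        if s > threshold:
            seen[cond] += 1
            alerts.append({"flow": flow, "condition": cond, "score": round(s, 3)})
    return alerts, len(seen) / len(PATTERNS)

FRAMES = [  # constructed sample traffic: one benign, two matching
    encapsulate(1, 2, b"meeting at noon, send me the agenda"),
    encapsulate(3, 2, b"please send me your password"),
    encapsulate(3, 4, b"let's upload the customer database tonight"),
]
```

Running `analyze(FRAMES)` alerts on the second and third frames only; the benign first frame shares two tokens with a pattern but scores 0.333, below the threshold, which is the trade-off a real deployment tunes with the threshold and pattern wording.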
Specification