System and method for detection of aberrant network behavior by clients of a network access gateway

US 8,977,747 B2
Filed: 09/20/2013
Issued: 03/10/2015
Est. Priority Date: 03/10/2004
Status: Active Grant

First Claim

Patent Images

1. A system for determining if aberrant network behavior is occurring with respect to a first client, comprising:

a first network interface coupled to one or more clients, wherein the first network interface includes a processor and at least one memory, the at least one memory including instructions to configure the processor to;

analyze received network communications to determine if a first rule of any of one or more rules corresponds to the received network communications associated with the first client;

updating a first set of statistical information associated with the first client responsive to a determination that the first rule corresponds to the network communications, wherein the first set of statistical information is accumulated over a time period; and

analyzing the first set of statistical information to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first network interface coupled to one or more clients. The first network interface analyzes received network communications to determine if a first rule of any of one or more rules corresponds to the received network communications associated with a first client. The network interface updates a first set of statistical information accumulated over a time period associated with the first client responsive to a determination that the first rule corresponds to the network communications. The network interface analyzes the first set of statistical information to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information. Each of the set of conditions corresponds to aberrant network behavior and comprises a threshold to be applied to at least a portion of the statistical information.

Citations

20 Claims

1. A system for determining if aberrant network behavior is occurring with respect to a first client, comprising:
- a first network interface coupled to one or more clients, wherein the first network interface includes a processor and at least one memory, the at least one memory including instructions to configure the processor to;
  
  analyze received network communications to determine if a first rule of any of one or more rules corresponds to the received network communications associated with the first client;
  
  updating a first set of statistical information associated with the first client responsive to a determination that the first rule corresponds to the network communications, wherein the first set of statistical information is accumulated over a time period; and
  
  analyzing the first set of statistical information to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1 further including a second set of statistical information associated with a second client.
  - 3. The system of claim 2, wherein the first set of statistical information is updated based on the first rule and a second rule.
  - 4. The system of claim 2, further configured to:
    - receive network communications at the first network interface, wherein each of the network communications is associated with the second client;
      
      determine if the aberrant network behavior is occurring with respect to the second client, wherein determining if network behavior is aberrant comprises;
      
      analyzing the received network communications to determine if any of one or more rules apply to the network communications and if a second rule applies to the network communications associated with the second client;
      
      updating the second set of statistical information associated based on the second rule; and
      
      applying the set of conditions to the second set of statistical information.
  - 5. The system of claim 1, wherein the first statistical information comprises a first set of lists.
  - 6. The system of claim 5, wherein the first set of lists corresponds to the first client.
  - 7. The system of claim 6, wherein updating the first set of statistical information comprises updating a first list of the first set of lists wherein the first list is associated with at least the first rule of the one or more rules.

8. A method determining if aberrant network behavior is occurring with respect to a first client, comprising:
- analyzing received network communications associated with the first client to determine if a first rule of any of one or more rules corresponds to the received network communications associated with the first client;
  
  updating a first set of statistical information associated with the first client responsive to a determination that the first rule corresponds to the received network communications, wherein the first set of statistical information is accumulated over a time period; and
  
  analyzing the first set of statistical information to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further including a second set of statistical information associated with a second client.
  - 10. The method of claim 9, wherein the first set of statistical information is updated based on the first rule and a second rule.
  - 11. The method of claim 9, further comprising:
    - receiving network communications at the first network interface, wherein each of the network communications is associated with the second client;
      
      determining if the aberrant network behavior is occurring with respect to the second client, wherein determining if network behavior is aberrant comprises;
      
      analyzing the received network communications to determine if any of one or more rules apply to the network communications and if a second rule applies to the network communications associated with the second client;
      
      updating the second set of statistical information associated based on the second rule; and
      
      applying the set of conditions to the second set of statistical information.
  - 12. The method of claim 8, wherein the first statistical information comprises a first set of lists.
  - 13. The method of claim 12, wherein the first set of lists corresponds to the first client.
  - 14. The method of claim 13, wherein updating the first set of statistical information comprises updating a first list of the first set of lists wherein the first list is associated with at least the first rule of the one or more rules.

15. A method for detecting aberrant network behavior in one or more clients coupled to a first network interface, comprising:
- receiving network communications at a first network interface, wherein each of the received network communications is associated with a first client;
  
  analyzing the received network communications to determine if a first rule of any of one or more rules corresponds to the received network communications associated with the first client;
  
  updating the first set of statistical information associated with the first client responsive to a determination that the first rule corresponds to the network communications; and
  
  analyzing a first set of statistical information accumulated over a period of time associated with the first client to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information, each of the set of conditions corresponding to the aberrant network behavior and comprising a threshold to be applied to at least a portion of the statistical information.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 further including a second set of statistical information associated with a second client.
  - 17. The method of claim 15, further comprising:
    - receiving network communications at the first network interface, wherein each of the network communications is associated with a second client;
      
      determining if aberrant network behavior is occurring with respect to the second client, wherein determining if network behavior is aberrant comprises;
      
      analyzing the received network communications to determine if any of one or more rules apply to the network communications and if a second rule applies to the network communications associated with the second client;
      
      updating the second set of statistical information associated based on the second rule; and
      
      applying the set of conditions to the second set of statistical information.
  - 18. The method of claim 15, wherein the first statistical information comprises a first set of lists.
  - 19. The method of claim 18, wherein the first set of lists corresponds to the first client.
  - 20. The method of claim 18, wherein updating the first set of statistical information comprises updating a first list of the first set of lists wherein the first list is associated with at least the first rule of the one or more rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OpenTV, Inc. (Kudelski SA)
Original Assignee
RPX Corporation
Inventors
Tonnesen, Steven D.
Primary Examiner(s)
Dharia, Rupal
Assistant Examiner(s)
Chacko, Joe

Application Number

US14/032,460
Publication Number

US 20140026215A1
Time in Patent Office

536 Days
Field of Search

709223-225
US Class Current

709/224
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for detection of aberrant network behavior by clients of a network access gateway

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detection of aberrant network behavior by clients of a network access gateway

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links