System and method for real-time reporting of anomalous internet protocol attacks
First Claim
1. A computer system for monitoring security of a destination subnet, the computer system comprising:
- a memory; and
- a processor in communications with the memory, wherein the computer system is configured to perform a method, the method comprising:
  - detecting, by the processor, Internet traffic messages that are recognized as anomalous attacks;
  - counting, by the processor, a number of the Internet traffic messages that are recognized as the anomalous attacks seen by a destination subnet within a current interval to provide a count;
  - computing, by the processor, over a plurality of intervals, a running average, wherein the running average comprises an average number of Internet traffic messages that are recognized as anomalous attacks per interval of the plurality of intervals;
  - comparing the count to the running average;
  - based on determining that the count is greater than a first multiple of the running average, providing an anomalous attack alarm for the destination subnet; and
  - based on determining that the count is smaller than a second multiple of the running average, checking the memory for an anomalous attack alarm for the destination subnet, and clearing any anomalous attack alarm for the subnet located in the memory, wherein the second multiple is a smaller multiple than the first multiple.
Abstract
A system and a method for detecting anomalous attacks in Internet network flow operate by counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count; computing a running average of the number of messages that are detected as anomalous attacks; and comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average. The attacks can include at least one of spoofing attacks or denial of service attacks. A computer readable storage medium stores instructions of a computer program, which when executed by a computer system, results in performance of steps of the method.
26 Claims
1. A computer system for monitoring security of a destination subnet (independent claim; reproduced in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for monitoring Internet traffic, comprising:
- a memory comprising a database; and
- a processor in communications with the memory, wherein the computer system is configured to perform a method, the method comprising:
  - detecting, by the processor, Internet traffic messages as anomalous attacks in a network flow;
  - counting, by the processor, a number of Internet traffic messages that are detected as anomalous attacks seen by a destination subnet within a current interval to provide a count;
  - computing, by the processor over a plurality of intervals, a running average, wherein the running average comprises an average number of Internet traffic messages that are detected as the anomalous attacks per interval of the plurality of intervals;
  - comparing the count to the running average;
  - based on determining that the count is greater than a first multiple of the running average, sending an anomalous attack alarm for the destination subnet to the database; and
  - based on determining that the count is smaller than a second multiple of the running average, checking the database for an anomalous attack alarm for the destination subnet, and based on locating the anomalous attack alarm for the destination subnet in the database, clearing the located anomalous attack alarm for the destination subnet from the database, wherein the second multiple is a smaller multiple than the first multiple.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A method for monitoring Internet traffic comprising:
- obtaining, by a processor, a network flow and detecting anomalous attacks in the network flow;
- counting, by the processor, a number of Internet traffic messages in the network flow that are detected as anomalous attacks seen by a destination subnet within a current interval and providing a count;
- computing, by the processor, over a plurality of intervals, a running average, wherein the running average comprises an average number of messages that are detected as anomalous attacks per interval of the plurality of intervals;
- comparing the count to the running average;
- based on determining that the count is greater than a first multiple of the running average, providing an anomalous attack alarm for the destination subnet; and
- based on determining that the count is smaller than a second multiple of the running average, checking the memory for an anomalous attack alarm for the destination subnet, and clearing any anomalous attack alarm for the subnet located in the memory, wherein the second multiple is a smaller multiple than the first multiple.
Dependent claims: 18, 19, 20, 21, 22, 23, 24.
25. A computer readable non-transitory storage medium storing instructions of a computer program which when executed by a computer system results in performance of a method, comprising:
- obtaining, by a processor, a network flow and detecting anomalous attacks in the network flow;
- counting, by the processor, a number of Internet traffic messages in the network flow that are detected as anomalous attacks seen by a destination subnet within a current interval and providing a count;
- computing, by the processor, over a plurality of intervals, a running average, wherein the running average comprises an average number of messages that are detected as anomalous attacks per interval of the plurality of intervals;
- comparing the count to the running average;
- based on determining that the count is greater than a first multiple of the running average, providing an anomalous attack alarm for the destination subnet; and
- based on determining that the count is smaller than a second multiple of the running average, checking the memory for an anomalous attack alarm for the destination subnet, and clearing any anomalous attack alarm for the subnet located in the memory, wherein the second multiple is a smaller multiple than the first multiple.
Dependent claims: 26.
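The four independent claims describe one procedure: count the messages an upstream detector has flagged, per destination subnet and per interval; keep a running average of those counts over earlier intervals; raise an alarm when the current count exceeds a first multiple of the average; and clear a stored alarm when the count falls below a smaller second multiple. The following Python is a worked example of that hysteresis logic written for this page; it is not code from the patent or its assignee. It assumes a fixed window of past intervals for the running average, a warm-up of `min_history` intervals before the comparison is evaluated, an optional absolute `count_floor` (not in the claims) to guard against a zero baseline, and constructed flow records of the form `(timestamp, destination IP, flagged)` standing in for the detector's output; the subnets and counts are made up for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class SubnetMonitor:
    """Per-subnet attack alarm with hysteresis: raise when the count exceeds the
    first multiple of the running average, clear when it drops below the
    (smaller) second multiple. Parameter values are assumptions for this example."""
    raise_multiple: float = 3.0   # the claims' "first multiple"
    clear_multiple: float = 1.5   # the claims' "second multiple"
    window: int = 12              # past intervals averaged (fixed window is an assumption)
    min_history: int = 3          # warm-up intervals before alarms are evaluated (assumption)
    count_floor: int = 0          # absolute floor, added safeguard; not part of the claims
    history: dict = field(default_factory=dict)   # subnet -> deque of past counts
    alarms: set = field(default_factory=set)      # subnets whose alarm is "in memory"

    def __post_init__(self):
        if self.clear_multiple >= self.raise_multiple:
            raise ValueError("second multiple must be smaller than the first")
        if not 0 < self.min_history <= self.window:
            raise ValueError("min_history must lie within the averaging window")

    def process_interval(self, subnet, count):
        """Evaluate one interval's count for a subnet; return 'raise', 'clear' or None."""
        hist = self.history.setdefault(subnet, deque(maxlen=self.window))
        action = None
        if len(hist) >= self.min_history:
            avg = sum(hist) / len(hist)          # running average of earlier intervals only
            if count > max(self.raise_multiple * avg, self.count_floor):
                if subnet not in self.alarms:    # alarm once, not on every interval above threshold
                    self.alarms.add(subnet)
                    action = "raise"
            elif count < self.clear_multiple * avg and subnet in self.alarms:
                self.alarms.discard(subnet)      # "clearing any alarm located in the memory"
                action = "clear"
        hist.append(count)                       # the current interval then joins the baseline
        return action


def count_per_interval(records, interval_seconds, subnets):
    """Bucket flagged messages by (interval index, destination subnet); unflagged
    messages and destinations outside the monitored subnets are ignored."""
    nets = [ip_network(s) for s in subnets]
    counts = defaultdict(int)
    for ts, dst, flagged in records:
        if not flagged:
            continue
        addr = ip_address(dst)
        for net in nets:
            if addr in net:
                counts[(ts // interval_seconds, str(net))] += 1
                break
    return counts


def run_monitor(records, interval_seconds, subnets, monitor):
    """Feed every interval (including quiet ones, which count as 0) to the monitor
    and return the (interval, subnet, action) events it produced."""
    if not records:
        return []
    counts = count_per_interval(records, interval_seconds, subnets)
    first = min(ts for ts, _, _ in records) // interval_seconds
    last = max(ts for ts, _, _ in records) // interval_seconds
    events = []
    for i in range(first, last + 1):
        for s in subnets:
            net = str(ip_network(s))
            action = monitor.process_interval(net, counts.get((i, net), 0))
            if action:
                events.append((i, net, action))
    return events


# Constructed sample: flagged messages to 10.0.1.0/24 per one-minute interval,
# a steady baseline of 2, a spike to 20, a partial fall to 8, then back to 1.
PER_INTERVAL = [2, 2, 2, 2, 2, 20, 8, 1]


def build_sample_records():
    records = []
    for i, c in enumerate(PER_INTERVAL):
        base = i * 60
        for j in range(c):
            records.append((base + j, f"10.0.1.{10 + j}", True))
        records.append((base + 30, "10.0.1.50", False))   # benign message, never counted
        records.append((base + 31, "192.0.2.5", True))    # flagged, but not a monitored subnet
    return records


if __name__ == "__main__":
    mon = SubnetMonitor()
    for event in run_monitor(build_sample_records(), 60, ["10.0.1.0/24", "10.0.2.0/24"], mon):
        print(event)   # raise at interval 5, clear at interval 7
```

Two behaviours of the claimed scheme are worth checking with this code before deploying anything like it. First, the interval that triggers the alarm also enters the baseline, so a sustained attack inflates the running average and can satisfy the clear condition while the attack is still under way; the spike to 20 in the sample lifts the average from 2 to 5, which is why the following count of 8 neither re-raises nor clears. Second, a subnet with an all-zero baseline alarms on its first flagged message, because any positive count exceeds a multiple of zero; the `count_floor` parameter is an added guard for that case and is not something the claims specify.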
Specification