Operating a network monitoring entity
First Claim
1. A method for operating a network monitoring entity (TE) to detect malicious network flow in a distributed network comprising at said network monitoring entity (TE) the steps of:
- receiving network flow records (FR) from observation points in a plurality of different distributed administrative domains (ADs), each network flow record comprising measured properties of network flow of a set of data packets passing each observation point during a time interval;
- performing an analysis (AN) of the network flow records (FR) to locate a source of malicious network flow by correlating network flow records with at least one of additional network flow records, trigger events, trigger flow records, and additional network flow information, constructing a higher level output, and analyzing the higher level output for at least one of a traffic profile, a traffic rate, and a traffic pattern indicative of malicious network flow and a source of the malicious network flow; and
- providing serviced entities (SE) with a result (RE) of the analysis (AN).
Abstract
Network flow records from various administrative domains are provided to a network monitoring entity. The network monitoring entity analyzes the network flow records in a way to locate a source of malicious network flow.
18 Claims
1. As given under First Claim above. Dependent claims: 2 to 16.
17. A network monitoring entity to detect malicious network flow in a distributed network comprising:
- a receiving component for receiving network flow records (FR) from observation points in a plurality of different, distributed administrative domains (ADs), each network flow record comprising measured properties of network flow of a set of data packets passing each observation point during a time interval;
- an analysis component for performing an analysis (AN) on the network flow records (FR) in a way to locate a source of malicious network flow by correlating network flow records with at least one of additional network flow records, trigger events, trigger flow records, and additional network flow information, constructing a higher level output, and analyzing the higher level output for at least one of a traffic profile, a traffic rate, and a traffic pattern indicative of malicious network flow and a source of the malicious network flow; and
- a notification component for providing serviced entities (SE) with a result (RE) of the analysis (AN).
18. A non-transitory computer program product comprising a computer-readable medium storing program instructions executable by a processor to perform a method for operating a network monitoring entity (TE) to detect malicious network flow in a distributed network, said method comprising at said network monitoring entity (TE) the steps of:
- receiving network flow records (FR) from observation points in a plurality of different distributed administrative domains (ADs), each network flow record comprising measured properties of network flow of a set of data packets passing each observation point during a time interval;
- performing an analysis (AN) of the network flow records (FR) to locate a source of malicious network flow by correlating network flow records with at least one of additional network flow records, trigger events, trigger flow records, and additional network flow information, constructing a higher level output, and analyzing the higher level output for at least one of a traffic profile, a traffic rate, and a traffic pattern indicative of malicious network flow and a source of the malicious network flow; and
- providing serviced entities (SE) with a result (RE) of the analysis (AN).
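As an added illustration (not code from the patent or its assignee), the following Python sketch walks through the claimed pipeline: flow records (FR) exported by several administrative domains (ADs) are correlated with a trigger event, aggregated into a higher level output per source, and analysed for a traffic rate and a traffic pattern before the result (RE) is handed to the serviced entities (SE). The record fields, thresholds and sample addresses are assumptions made for the example.

```python
from collections import defaultdict, namedtuple
# One exported flow record: packets from src to dst:dst_port seen at an observation point
# in administrative domain `ad` during [start, end) seconds (field layout is assumed).
FlowRecord = namedtuple("FlowRecord", "ad src dst dst_port packets start end")
# Trigger event raised by a serviced entity: dst looked attacked during [start, end).
TriggerEvent = namedtuple("TriggerEvent", "dst start end")

def correlate(records, trigger):
    """Keep records from every domain that target the trigger's dst and overlap its window."""
    return [r for r in records
            if r.dst == trigger.dst and r.start < trigger.end and r.end > trigger.start]

def higher_level_output(matched):
    """Aggregate correlated records per source: packets, domains that saw it, ports, longest interval."""
    agg = defaultdict(lambda: {"packets": 0, "ads": set(), "ports": set(), "span": 0.0})
    for r in matched:
        a = agg[r.src]
        a["packets"] += r.packets
        a["ads"].add(r.ad)
        a["ports"].add(r.dst_port)
        a["span"] = max(a["span"], r.end - r.start)  # rough active time of the source
    return agg

def analyze(records, trigger, rate_threshold=1000.0, port_threshold=20):
    """Return {src: [reasons]} for sources whose traffic rate or pattern indicates malicious flow."""
    result = {}
    for src, a in higher_level_output(correlate(records, trigger)).items():
        reasons = []
        rate = a["packets"] / a["span"] if a["span"] > 0 else float("inf")
        if rate >= rate_threshold:             # traffic-rate indicator (flood)
            reasons.append(f"traffic rate {rate:.0f} pkt/s")
        if len(a["ports"]) >= port_threshold:  # traffic-pattern indicator (port sweep)
            reasons.append(f"{len(a['ports'])} destination ports")
        if reasons and len(a["ads"]) > 1:      # cross-domain corroboration of a flagged source
            reasons.append(f"seen by {len(a['ads'])} administrative domains")
        if reasons:
            result[src] = reasons
    return result

# Constructed sample input (private and RFC 5737 documentation addresses), not data from the patent.
TRIGGER = TriggerEvent("203.0.113.9", 100.0, 110.0)
RECORDS = [
    FlowRecord("AD-A", "10.0.0.5", "203.0.113.9", 80, 60000, 100.0, 110.0),  # flood seen in AD-A
    FlowRecord("AD-B", "10.0.0.5", "203.0.113.9", 80, 58000, 100.0, 110.0),  # same flood seen in AD-B
    FlowRecord("AD-A", "192.0.2.7", "203.0.113.9", 443, 200, 100.0, 110.0),  # benign client
    FlowRecord("AD-A", "10.0.0.5", "203.0.113.9", 80, 99999, 50.0, 60.0),    # outside trigger window
] + [FlowRecord("AD-C", "198.51.100.3", "203.0.113.9", p, 1, 100.0, 110.0) for p in range(1, 31)]

def run_example():
    return analyze(RECORDS, TRIGGER)  # the result (RE) delivered to the serviced entities
```

The record seen outside the trigger window is dropped by the correlation step, and a source is only corroborated across domains once a rate or pattern indicator has already fired.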
Specification