Network surveillance
1. A method of network surveillance, comprising:
- receiving suspicious activity reports from network monitors, the suspicious activity reports indicating events that the network monitors identified as abnormal activity based on analysis of respective subsets of network packet data derived from network packet contents, each of the respective subsets of network packet data being selected from one or more of the following categories;
network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in network packets, network connection acknowledgments, and network packets indicative of a network-service protocol selected from the group consisting of FTP, Telnet, SMTP, and HTTP;
generating a first event stream from the suspicious activity reports of a first network monitor;
generating a second event stream from the suspicious activity reports of a second network monitor;
analyzing, by a third network monitor, the first and second event streams;
identifying suspicious network activity from the analysis of the first and second event streams; and
invoking a countermeasure in response to the identified suspicious network activity.
Abstract
A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.
Claims (21 claims; 129 citations)
Claim 1 (reproduced above) is independent; claims 2 to 13 depend from it.
14. An enterprise network monitoring system, comprising:
- one or more processors;
- a first network monitor associated with the one or more processors, the first network monitor being capable of being installed within an enterprise network, said first network monitor configured to analyze network packet contents to identify abnormal activity and to generate reports of suspicious activity indicating the identified abnormal activity based on analysis of a first subset of network packet data derived from network packet contents, the first subset of network packet data selected from one or more of the following categories;
network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in network packets, network connection acknowledgments, and network packets indicative of a network-service protocol selected from the group consisting of FTP, Telnet, SMTP, and HTTP;
- a second network monitor associated with the one or more processors, the second network monitor being capable of being installed within the enterprise network, said second network monitor configured to analyze network packet contents to identify abnormal activity and to generate reports of suspicious activity indicating the identified abnormal activity based on analysis of a second subset of network packet data derived from network packet contents, the second subset of network packet data selected from one or more of the following categories;
network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in network packets, network connection acknowledgments, and network packets indicative of a network-service protocol selected from the group consisting of FTP, Telnet, SMTP, and HTTP, the second subset of network packet data being different from the first subset of network packet data; and
- a hierarchical network monitor associated with the one or more processors, the hierarchical network monitor being capable of being installed within the enterprise network, the hierarchical network monitor configured to automatically receive reports of suspicious activity from the first network monitor and from the second network monitor, and to generate an analysis report that reflects underlying commonalities in abnormal activity indicated by the reports of suspicious activity.
Claims 15 to 21 depend from claim 14.
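The abstract describes comparing a long-term and a short-term statistical profile of packet measures (transfers, errors, connections), and claims 1 and 14 describe two local monitors feeding their suspicious-activity reports to a third, hierarchical monitor that looks for commonalities and invokes a countermeasure. The following is an added illustration of both ideas in Python; it is not code from the patent or from any product built on it. The exponentially weighted profiles, the ratio threshold, the report format, the "shared interval and top source" commonality rule, the placeholder countermeasure string and the traffic timeline are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Packet-data categories named in the claims; the string encoding is an assumption.
CONN_REQ, CONN_DENY, XFER_ERR = "connection_request", "connection_denial", "transfer_error"


@dataclass
class Report:
    """Suspicious-activity report from a local monitor (format assumed here)."""
    monitor: str
    interval: int
    category: str
    short_term: float
    long_term: float
    top_source: str


@dataclass
class LocalMonitor:
    """Builds a slow (long-term) and a fast (short-term) profile of per-interval
    event counts for its categories and reports when the two profiles diverge."""
    name: str
    categories: tuple
    long_alpha: float = 0.05   # slow EWMA: long-term profile
    short_alpha: float = 0.5   # fast EWMA: short-term profile
    ratio: float = 3.0         # short/long ratio treated as suspicious
    floor: int = 5             # ignore intervals with fewer events than this
    long_term: dict = field(default_factory=dict)
    short_term: dict = field(default_factory=dict)

    def observe_interval(self, interval, packets):
        """packets: (category, source) pairs seen in this interval. Returns reports."""
        per_cat = defaultdict(Counter)
        for cat, src in packets:
            if cat in self.categories:
                per_cat[cat][src] += 1
        reports = []
        for cat in self.categories:
            n = sum(per_cat[cat].values())
            # The first interval seeds both profiles, so it can never be flagged.
            lt = self.long_term.get(cat, float(n))
            st = self.short_term.get(cat, float(n))
            st += self.short_alpha * (n - st)
            if n >= self.floor and st > self.ratio * max(lt, 1.0):
                reports.append(Report(self.name, interval, cat, st, lt,
                                      per_cat[cat].most_common(1)[0][0]))
            lt += self.long_alpha * (n - lt)   # fold the interval into the slow profile last
            self.long_term[cat], self.short_term[cat] = lt, st
        return reports


def correlate(stream_a, stream_b):
    """Hierarchical monitor: pair reports from the two streams that share an
    interval and a top source, a simple stand-in for the 'underlying commonality'."""
    index = defaultdict(list)
    for r in stream_a:
        index[(r.interval, r.top_source)].append(r)
    findings = []
    for r in stream_b:
        for other in index.get((r.interval, r.top_source), []):
            findings.append({"interval": r.interval, "source": r.top_source,
                             "categories": sorted({other.category, r.category}),
                             "monitors": sorted({other.monitor, r.monitor})})
    return findings


def countermeasure(finding):
    """Claim 1's final step; the returned action is a placeholder decision string."""
    return f"rate-limit {finding['source']} (interval {finding['interval']})"


def run_demo():
    """Constructed traffic: 20 quiet intervals, two intervals in which host
    10.0.0.99 produces connection denials and transfer errors, then quiet again."""
    quiet = [(CONN_REQ, "10.0.0.5")] * 10 + [(CONN_DENY, "10.0.0.7")] + [(XFER_ERR, "10.0.0.5")] * 2
    burst = [(CONN_DENY, "10.0.0.99")] * 30 + [(XFER_ERR, "10.0.0.99")] * 20
    timeline = [quiet] * 20 + [quiet + burst] * 2 + [quiet]

    mon_a = LocalMonitor("monitor-A", (CONN_REQ, CONN_DENY))  # connection subset
    mon_b = LocalMonitor("monitor-B", (XFER_ERR,))            # transfer-error subset
    stream_a, stream_b = [], []
    for t, packets in enumerate(timeline):
        stream_a += mon_a.observe_interval(t, packets)
        stream_b += mon_b.observe_interval(t, packets)
    findings = correlate(stream_a, stream_b)
    return {"stream_a": stream_a, "stream_b": stream_b, "findings": findings,
            "actions": [countermeasure(f) for f in findings]}


if __name__ == "__main__":
    for f in run_demo()["findings"]:
        print(f)
```

The two monitors see the same packets but analyse different category subsets, as claim 14 requires; neither alone sees the whole picture, and the correlation step is what ties the denial spike and the error spike to one host. Because the profiles are seeded from the first interval, a monitor started during an incident would treat that activity as its baseline, which is the usual caveat with profile-based anomaly detection.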