Network surveillance

US 9,407,509 B2
Filed: 09/21/2009
Issued: 08/02/2016
Est. Priority Date: 11/09/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of network surveillance, comprising:

receiving suspicious activity reports from network monitors, the suspicious activity reports indicating events that the network monitors identified as abnormal activity based on analysis of respective subsets of network packet data derived from network packet contents, each of the respective subsets of network packet data being selected from one or more of the following categories;

network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in network packets, network connection acknowledgments, and network packets indicative of a network-service protocol selected from the group consisting of FTP, Telnet, SMTP, and HTTP;

generating a first event stream from the suspicious activity reports of a first network monitor;

generating a second event stream from the suspicious activity reports of a second network monitor;

analyzing, by a third network monitor, the first and second event streams;

identifying suspicious network activity from the analysis of the first and second event streams; and

invoking a countermeasure in response to the identified suspicious network activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.

129 Citations

21 Claims

1. A method of network surveillance, comprising:
- receiving suspicious activity reports from network monitors, the suspicious activity reports indicating events that the network monitors identified as abnormal activity based on analysis of respective subsets of network packet data derived from network packet contents, each of the respective subsets of network packet data being selected from one or more of the following categories;
  
  network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in network packets, network connection acknowledgments, and network packets indicative of a network-service protocol selected from the group consisting of FTP, Telnet, SMTP, and HTTP;
  
  generating a first event stream from the suspicious activity reports of a first network monitor;
  
  generating a second event stream from the suspicious activity reports of a second network monitor;
  
  analyzing, by a third network monitor, the first and second event streams;
  
  identifying suspicious network activity from the analysis of the first and second event streams; and
  
  invoking a countermeasure in response to the identified suspicious network activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the suspicious network activity includes activity involving two or more different domains.
  - 3. The method of claim 1, wherein invoking a countermeasure comprises reconfiguring at least one component of the network.
  - 4. The method of claim 3, wherein reconfiguring at least one component of the network comprises reconfiguring a component that is not associated with the suspicious activity reports.
  - 5. The method of claim 1, wherein invoking a countermeasure comprises gathering additional information about a source of the suspicious network activity.
  - 6. The method of claim 1, wherein invoking a countermeasure comprises determining whether a network component has been affected by the suspicious network activity.
  - 7. The method of claim 1, wherein identifying suspicious network activity from the analysis of the first and second event streams comprises:
    - identifying commonalities among (i) events in the first event stream that the first network monitor identified as abnormal activity and (ii) events in the second event stream that the first network monitor identified as abnormal activity; and
      
      identifying suspicious network activity based on the identified commonalities.
  - 8. The method of claim 1, wherein receiving suspicious activity reports from network monitors, the suspicious activity reports indicating events that the network monitors identified as abnormal activity based on analysis of respective subsets of network packet data derived from network packet contents, comprises:
    - receiving, from a particular network monitor of the network monitors, a suspicious activity report indicating events that the particular network monitor identified as abnormal activity based on analysis of discarded traffic comprising packets not allowed through a gateway of the enterprise network.
  - 9. The method of claim 1, wherein receiving suspicious activity reports from network monitors, the suspicious activity reports indicating events that the network monitors identified as abnormal activity based on analysis of respective subsets of network packet data derived from network packet contents, comprises:
    - receiving, from a particular network monitor of the network monitors, a suspicious activity report indicating events that the particular network monitor identified as abnormal activity based on analysis of a set of packets allowed into a network from external sources.
  - 10. The method of claim 1, wherein receiving suspicious activity reports from network monitors, the suspicious activity reports indicating events that the network monitors identified as abnormal activity based on analysis of respective subsets of network packet data derived from network packet contents, comprises:
    - receiving, from a particular network monitor of the network monitors, a suspicious activity report indicating events that the particular network monitor identified as abnormal activity based on analysis of a set of network connection management packets.
  - 11. The method of claim 1, wherein receiving suspicious activity reports from network monitors, the suspicious activity reports indicating events that the network monitors identified as abnormal activity based on analysis of respective subsets of network packet data derived from network packet contents, comprises:
    - receiving, from a particular network monitor of the network monitors, a suspicious activity report indicating events that the particular network monitor identified as abnormal activity based on analysis of a set of packets targeting ports that (i) are not assigned to any network service in a particular network and (ii) that are unblocked by a firewall for the particular network.
  - 12. The method of claim 1, wherein receiving suspicious activity reports from network monitors, the suspicious activity reports indicating events that the network monitors identified as abnormal activity based on analysis of respective subsets of network packet data derived from network packet contents, comprises:
    - receiving, from a particular network monitor of the network monitors, a suspicious activity report indicating events that the particular network monitor identified as abnormal activity based on analysis of a set of packets selected from network traffic according to packet source addresses or destination addresses.
  - 13. The method of claim 1, wherein receiving suspicious activity reports from network monitors, the suspicious activity reports indicating events that the network monitors identified as abnormal activity based on analysis of respective subsets of network packet data derived from network packet contents, comprises:
    - receiving, from a particular network monitor of the network monitors, a suspicious activity report indicating events that the particular network monitor identified as abnormal activity based on analysis of a set of packets that target a particular network service or application.

14. An enterprise network monitoring system, comprising:
- one or more processors;
  
  a first network monitor associated with the one or more processors, the first network monitor being capable of being installed within an enterprise network, said first network monitor configured to analyze network packet contents to identify abnormal activity and to generate reports of suspicious activity indicating the identified abnormal activity based on analysis of a first subset of network packet data derived from network packet contents, the first subset of network packet data selected from one or more of the following categories;
  
  network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in network packets, network connection acknowledgments, and network packets indicative of a network-service protocol selected from the group consisting of FTP, Telnet, SMTP, and HTTP;
  
  a second network monitor associated with the one or more processors, the second network monitor being capable of being installed within the enterprise network, said second network monitor configured to analyze network packet contents to identify abnormal activity and to generate reports of suspicious activity indicating the identified abnormal activity based on analysis of a second subset of network packet data derived from network packet contents, the second subset of network packet data selected from one or more of the following categories;
  
  network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in network packets, network connection acknowledgments, and network packets indicative of a network-service protocol selected from the group consisting of FTP, Telnet, SMTP, and HTTP, the second subset of network packet data being different from the first subset of network packet data; and
  
  a hierarchical network monitor associated with the one or more processors, the hierarchical network monitor being capable of being installed within the enterprise network, the hierarchical network monitor configured to automatically receive reports of suspicious activity from the first network monitor and from the second network monitor, and to generate an analysis report that reflects underlying commonalities in abnormal activity indicated by the reports of suspicious activity.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The enterprise network monitoring system of claim 14, wherein the first network monitor generates reports of suspicious activity based on an analysis of discarded packets.
  - 16. The enterprise network monitoring system of claim 14, wherein the first network monitor generates reports of suspicious activity based on an analysis of packets targeting ports to which no network service is assigned.
  - 17. The enterprise network monitoring system of claim 14, wherein the first network monitor generates reports of suspicious activity based on an analysis of packet source address.
  - 18. The enterprise network monitoring system of claim 14, wherein the first network monitor is configured to generate reports of suspicious activity based on an analysis of events as a function of time.
  - 19. The enterprise network monitoring system of claim 14, further comprising:
    - a resolver capable of being installed within the enterprise network, the resolver configured to invoke a countermeasure to suspicious activity reported to the hierarchical network monitor.
  - 20. The system of claim 14, wherein, to analyze network packet contents to identify abnormal activity, the first network monitor is configured to analyze a subset of network packet data identified as discarded traffic.
  - 21. The system of claim 14, wherein, to analyze network packet contents to identify abnormal activity, the first network monitor is configured to analyze a subset of network packet data identified as packets allowed into a network from external sources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip Andrew, Valdes, Alfonso De Jesus
Primary Examiner(s)
Huynh, Kim
Assistant Examiner(s)
Chang, Eric

Application Number

US12/563,875
Publication Number

US 20100050248A1
Time in Patent Office

2,507 Days
Field of Search

726/13
US Class Current

1/1
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/0811   by checking connectivity

H04L 43/0888   Throughput

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Network surveillance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

129 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Network surveillance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others