Detecting suspicious network activity using flow sampling

US 9,521,154 B2
Filed: 08/03/2011
Issued: 12/13/2016
Est. Priority Date: 08/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method for network security, comprising:

receiving flow sampled network traffic from a plurality of network devices with a network monitoring computing device for network traffic among a plurality of computing devices;

comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device; and

detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, media, and computing devices for network security can include receiving flow sampled network traffic from multiple network devices with a network monitoring computing device for network traffic among multiple computing devices, comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device, and detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device. Alternatively, a suspicious network activity list can be maintained for flow sampled network traffic having source and destination ports exceptional to the list of approved ports. Alternatively, a network administrator can be alerted when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number.

24 Citations

15 Claims

1. A method for network security, comprising:
- receiving flow sampled network traffic from a plurality of network devices with a network monitoring computing device for network traffic among a plurality of computing devices;
  
  comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device; and
  
  detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein detecting suspicious network activity comprises detecting suspicious network activity for flow sampled traffic having neither a source port nor a destination port on the list of approved ports and adding at least one of the source port and the destination port from the flow sampled network traffic to a suspicious network activity list.
  - 3. The method of claim 2, wherein detecting suspicious network activity includes associating the at least one of the source port and the destination port on the suspicious network activity list with a corresponding source address or destination address for each instance of the at least one of the source port and the destination port in the flow sampled network traffic.
  - 4. The method of claim 3, wherein the method includes:
    - sorting the suspicious network activity list in order according to a number of addresses associated with each port in the suspicious network activity list; and
      
      receiving an input from a network administrator to remove a particular port from the suspicious network activity list and add the particular port to the list of approved ports.
  - 5. The method of claim 2, wherein detecting suspicious network activity includes generating a suspicious network activity alert when a new port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number of ports.
  - 6. The method of claim 1, wherein the method includes:
    - storing the received flow sampled network traffic in a database;
      
      populating a suspicious network activity list with the detected suspicious network activity;
      
      updating the list of approved ports; and
      
      repopulating the suspicious network activity list using the stored flow sampled network traffic from the database according to the updated list of approved ports.
  - 7. The method of claim 1, wherein the method includes:
    - storing the received flow sampled network traffic in a database;
      
      populating a suspicious network activity list with the detected suspicious network activity;
      
      updating the list of approved ports; and
      
      erasing the suspicious network activity list in response to the list of approved ports being updated.

8. A non-transitory computing device readable medium storing instructions for network security executable by a computing device to cause the computing device to:
- receive flow sampled network traffic from a plurality of network devices for network traffic among a plurality of computing devices;
  
  compare source ports and destination ports in the flow sampled network traffic to a list of approved ports; and
  
  maintain a suspicious network activity list for flow sampled network traffic having source and destination ports exceptional to the list of approved ports.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The medium of claim 8, wherein the instructions executable by the computing device to maintain the suspicious network activity list include instructions to:
    - add at least one of a source port and a destination port to the suspicious activity list for the flow sampled network traffic having source and destination ports exceptional to the list of approved ports; and
      
      add at least one corresponding source addresses and corresponding destination addresses to the suspicious activity list for each instance of the at least one of the source port and the destination port in the flow sampled network traffic.
  - 10. The medium of claim 9, wherein the instructions executable by the computing device to:
    - maintain the suspicious network activity list include instructions to sort the suspicious network activity list in descending order according to a number of addresses associated with each port in the suspicious network activity list; and
      
      display the sorted suspicious network activity list to a network administrator.
  - 11. The medium of claim 8, including instructions executable by the computing device to alert a network administrator when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list being below a threshold number of ports.
  - 12. The medium of claim 11, including instructions executable by the computing device to receive a modification to the threshold number of ports.

13. A network monitoring computing device for network security, comprising:
- memory resources;
  
  processing resources coupled to the memory resources to;
  
  compare source ports and destination ports in flow sampled network traffic to a list of approved ports;
  
  maintain a suspicious network activity list for flow sampled network traffic received from a plurality of network devices, the flow sampled network traffic having source ports and destination ports exceptional to the list of approved ports; and
  
  alert a network administrator when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number.
- View Dependent Claims (14, 15)
- - 14. The network monitoring computing device of claim 13, including the memory and processing resources to alert the network administrator by prompting the network administrator to restrict at least one of the suspicious network activity and a particular one of the plurality of user computing devices associated with the suspicious network activity.
  - 15. The network monitoring computing device of claim 13, wherein the flow sampled network traffic is received from the plurality of network devices comprising switches having statistical flow sampling enabled.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Worth, Kevin M.
Primary Examiner(s)
Powers, William
Assistant Examiner(s)
Tran, Tongoc

Application Number

US13/197,402
Publication Number

US 20130036469A1
Time in Patent Office

1,959 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/00 Security arrangements for p...

H04L 63/1408 by monitoring network traff...

Detecting suspicious network activity using flow sampling

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting suspicious network activity using flow sampling

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links