Aggregator for connection based anomaly detection

US 20040221190A1
Filed: 11/03/2003
Published: 11/04/2004
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

a processor;

a memory storing a connection table that maps each node of a network to a record object that stores information about traffic to or from the node.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

145 Citations

View as Search Results

24 Claims

1. A device, comprising:
- a processor;
  
  a memory storing a connection table that maps each node of a network to a record object that stores information about traffic to or from the node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The device of claim 1 wherein the memory further stores an aggregator process to aggregate occurrences of network anomalies into events.
  - 3. The device of claim 1 wherein the aggregator further comprises:
    - a process that communicates occurrences of network events to an operator.
  - 4. The device of claim 1 wherein the aggregator device further comprises:
    - a process to aggregate anomalies into the network events according to connection patterns.
  - 5. The device of claim 1 wherein the connection table includes a plurality of records that are indexed by source address.
  - 6. The device of claim 1 wherein the connection table includes a plurality of records that are indexed by destination address.
  - 7. The device of claim 1 wherein the connection table includes a plurality of records that are indexed by time.
  - 8. The device of claim 1 wherein the connection table includes a plurality of records that are indexed by source address, destination address and time.
  - 9. The device of claim 1 wherein the connection table includes a plurality of connection sub-tables to track data at different time scales.
  - 10. The device of claim 1 wherein the connection sub-tables include a time-slice connection table that operates on a small unit of time and at least one other sub-table that operates on a larger unit of time than the time slice sub-table with each sub-table holding the sum of records received from all collectors during respective units of time.
  - 11. The device of claim 4 wherein the process to determine events tracks a moving average to allow the device to adapt to slowly changing network conditions.
  - 12. The device of claim 4 wherein the process to determine events tracks a variance of a parameter to allow the device to account for burstiness in network traffic.
  - 13. The device of claim 4 wherein the amount of memory spaced used by the aggregator is bounded in order to avoid denial of service attacks on the aggregator.
  - 14. The device of claim 13 wherein if the Aggregator exceeds a memory use threshold “
    - m_{hi}”
      
      , the aggregator de-allocates records until its memory use falls below the threshold “
      
      m_{hi}”
      
      .
  - 15. The device of claim 14 wherein the aggregator de-allocates records by random eviction or records.
  - 16. The device of claim 14 wherein the aggregator de-allocates records by picking records of low-connectivity hosts to evict over high connectivity hosts.
  - 17. The device of claim 14 wherein the aggregator de-allocates records by picking records of high-connectivity hosts to evict before records of low connectivity hosts.
  - 18. The device of claim 14 wherein the aggregator de-allocates records by evicting records of most recently added hosts first.

19. A computer program product residing on a computer readable medium for use in detecting network intrusions comprises instructions for causing a processor to:
- store a connection table that maps each node of a network to a record object that stores information about traffic to or from the node.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The program of claim 19 wherein the instructions further comprise instructions to:
    - store an aggregator process to aggregate occurrences of network anomalies into events.
  - 21. The program of claim 19 wherein the instructions further comprise instructions to:
    - communicate occurrences of network events to an operator.
  - 22. The program of claim 19 wherein the instructions further comprise instructions to:
    - aggregate anomalies into the network events according to connection patterns.
  - 23. The program of claim 19 wherein the instructions further comprise instructions to:
    - determine events by tracking a moving average to adapt to slowly changing network conditions.
  - 24. The program of claim 19 wherein the instructions further comprise instructions to:
    - track a variance of a parameter to allow the device to account for burstiness in network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Retin, Andrew, Roletto, Massimiliano Antonio, Gorelik, Andrew

Granted Patent

US 8,479,057 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/4
CPC Class Codes

H04L 41/0233   Object-oriented techniques,...

H04L 41/0631   using root cause analysis; ...

H04L 41/0681   Configuration of triggering...

H04L 41/0893   Assignment of logical group...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 43/0811   by checking connectivity

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Aggregator for connection based anomaly detection

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Aggregator for connection based anomaly detection

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links