Packet Sampling Flow-Based Detection of Network Intrusions

US 20050210533A1
Filed: 05/26/2005
Published: 09/22/2005
Est. Priority Date: 11/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method for the analysis of sampled network communication traffic for potential intrusion activity, the method comprising the steps of:

assigning sampled data packets to a flow;

scaling the sampled data based on a sample rate;

collecting flow data from packet headers;

determining a primary flow in the event that multiple devices report the same flow;

analyzing collected flow data to assign a concern index value to the flow based upon a probability that the flow was not normal for data communications;

maintaining an accumulated concern index from flows associated with a host; and

issuing an alarm signal once the accumulated concern index has exceeded an alarm threshold value.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.

488 Citations

23 Claims

1. A method for the analysis of sampled network communication traffic for potential intrusion activity, the method comprising the steps of:
- assigning sampled data packets to a flow;
  
  scaling the sampled data based on a sample rate;
  
  collecting flow data from packet headers;
  
  determining a primary flow in the event that multiple devices report the same flow;
  
  analyzing collected flow data to assign a concern index value to the flow based upon a probability that the flow was not normal for data communications;
  
  maintaining an accumulated concern index from flows associated with a host; and
  
  issuing an alarm signal once the accumulated concern index has exceeded an alarm threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the flow consists of the packets exchanged between two hosts that are associated with a single service.
  - 3. The method of claim 1, wherein the alarm signal updates a firewall for filtering packets transmitted by a host.
  - 4. The method of claim 1, wherein the alarm signal generates a notification to the network administrator.
  - 5. The method of claim 1, wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value.
  - 6. The method of claim 1, wherein the alarm signal causes the sample rate to increase on a specified device.
  - 7. The method of claim 1, wherein in the event that multiple devices report the same flow, all reports of the flow are aggregated into a report representing a single flow.
  - 8. The method of claim 7, wherein the flow consists of the packets exchanged between two hosts that are associated with a single service.
  - 9. The method of claim 7, wherein the alarm signal updates a firewall for filtering packets transmitted by a host.
  - 10. The method of claim 7, wherein the alarm signal generates a notification to the network administrator.
  - 11. The method of claim 7, wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value.
  - 12. The method of claim 7, wherein the alarm signal causes the sample rate to increase on a specified device.

13. A method for the analysis of network communication traffic for potential intrusion activity, the method comprising the steps of:
- assigning sampled data packets to a flow wherein a flow consists of the packets exchanged between two hosts that are associated with a single service;
  
  scaling the sampled data based upon a sample rate;
  
  collecting flow data from packet headers;
  
  determining a primary flow in the event that multiple devices report the same flow;
  
  analyzing collected flow data to assign a concern index value wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value;
  
  maintaining an accumulated concern index from flows associated with a host; and
  
  issuing an alarm signal once the accumulated concern index has exceeded an alarm threshold value.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein in the event that multiple devices report the same flow, all reports of the flow are aggregated into a report representing a single flow.

15. A method of analyzing network communication traffic for potential intrusion activity, comprising the steps of:
- assigning sampled data packets to a flow wherein a flow consists of the packets exchanged between two Internet Protocol addresses with at least one port remains constant;
  
  scaling the sampled data based upon a sample rate;
  
  collecting flow data from packet headers;
  
  determining a primary flow in the event that multiple devices report the same flow;
  
  analyzing collected flow data to assign a concern index value to the flow;
  
  maintaining a host structure containing an accumulated concern index from flows associated with the host; and
  
  issuing an alarm once the accumulated concern index has exceeded an alarm threshold value.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value.
  - 17. The method of claim 15, wherein all reports of the flow are aggregated into a report representing a single flow, in the event that multiple devices report the same flow.
  - 18. The method of claim 17, wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value.

19. A computer system for the analysis of network communication traffic, the computer system comprising:
- a computer system operable to;
  
  (i) classify sampled data packets into flows;
  
  (ii) scale the sampled data based upon a sample rate;
  
  (iii) collect flow data from packet header information;
  
  (iv) determine a primary flow in the event that multiple devices report the same flow;
  
  (v) analyze collected flow data to assign a concern index value, wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value;
  
  (vi) generate an alarm signal; and
  
  a communication system coupled to the computer system operable to send packets from one host to another host.
- View Dependent Claims (20)
- - 20. The computer system of claim 19, wherein in the event that multiple devices report the same flow, all reports of the flow are aggregated into a report representing a single flow.

21. A system for the analysis of network communication traffic, the system comprising:
- a processor operable to;
  
  (i) classify sampled data packets into flows;
  
  (ii) scale the sampled data based upon a sample rate;
  
  (iii) collect flow data from packet header information;
  
  (iv) determine a primary flow in the event that multiple devices report the same flow;
  
  (v) analyze collected flow data to assign a concern index value wherein each concern index value associated with a respective potential intrusion activity is a predetermined fixed value;
  
  (vi) generate an alarm signal;
  
  memory coupled to the processor operable to store the flow data;
  
  a database coupled to processor operable to store log files; and
  
  a network interface coupled to the processor operable to monitor network traffic.
- View Dependent Claims (22)
- - 22. The system of claim 21, wherein all reports of the flow are aggregated into a report representing a single flow, in the event that multiple devices report the same flow.

23. A method of analyzing network communication traffic for potential intrusion activity, comprising the steps of:
- assigning sampled data packets to a flow;
  
  scaling the sampled data based on a sample rate;
  
  collecting flow data from packet headers;
  
  analyzing packet header information;
  
  determining a transport level protocol specifying a format of a data area;
  
  issuing an alarm when the transport level protocol is identified as User Datagram Protocol and the data segment associated with User Datagram Protocol packet contains two or less bytes of data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Lancope, Inc. (Cisco Systems, Inc.)
Inventors
Jerrim, John, Copeland, John A.

Granted Patent

US 7,512,980 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Packet Sampling Flow-Based Detection of Network Intrusions

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

488 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Packet Sampling Flow-Based Detection of Network Intrusions

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

488 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links