Operating a network monitoring entity

US 9,392,009 B2
Filed: 03/01/2007
Issued: 07/12/2016
Est. Priority Date: 03/02/2006
Status: Active Grant

First Claim

Patent Images

1. A method for operating a network monitoring entity (TE) to detect malicious network flow in a distributed network comprising at said network monitoring entity (TE) the steps of:

receiving network flow records (FR) from observation points in a plurality of different distributed administrative domains (ADs), each network flow record comprising measured properties of network flow of a set of data packets passing each observation point during a time interval;

performing an analysis (AN) of the network flow records (FR) to locate a source of malicious network flow by correlating network flow records with at least one of additional network flow records, trigger events, trigger flow records, and additional network flow information, constructing a higher level output, and analyzing the higher level output for at least one of a traffic profile, a traffic rate, and a traffic pattern indicative of malicious network flow and a source of the malicious network flow; and

providing serviced entities (SE) with a result (RE) of the analysis (AN).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network flow records from various administrative domains are provided to a network monitoring entity. The network monitoring entity analyzes the network flow records in a way to locate a source of malicious network flow.

26 Citations

18 Claims

1. A method for operating a network monitoring entity (TE) to detect malicious network flow in a distributed network comprising at said network monitoring entity (TE) the steps of:
- receiving network flow records (FR) from observation points in a plurality of different distributed administrative domains (ADs), each network flow record comprising measured properties of network flow of a set of data packets passing each observation point during a time interval;
  
  performing an analysis (AN) of the network flow records (FR) to locate a source of malicious network flow by correlating network flow records with at least one of additional network flow records, trigger events, trigger flow records, and additional network flow information, constructing a higher level output, and analyzing the higher level output for at least one of a traffic profile, a traffic rate, and a traffic pattern indicative of malicious network flow and a source of the malicious network flow; and
  
  providing serviced entities (SE) with a result (RE) of the analysis (AN).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein the analysis step (S3) is conducted when a trigger event (TRE) is received from one of the administrative domains (ADs) or one of the serviced entities (SE).
  - 3. The method according to claim 2, wherein the trigger event (TRE) has a trigger network flow record (TRF) associated to it, and wherein information content of the trigger network flow record (TFR) is used in the analysis.
  - 4. The method according to claim 3, wherein the trigger event (TRE) comprises a spam signal and the trigger network flow record (TFR) comprises at least part of a respective spam message.
  - 5. The method according to claim 3, wherein the trigger event (TRE) comprises one of a virus signal and a worm signal.
  - 6. The method according to claim 1, wherein the result (RE) comprises a characteristic for the source of the malicious network flow.
  - 7. The method according to claim 1, further comprising a request step (S5) of the trusted entity (TE) requesting additional network flow information (AFI) for a given set of network flows from at least one of the administrative domains (ADs) for the analysis (AN).
  - 8. The method according to claim 1, further comprising the step of charging the serviced entities fees based on a respective amount (SUBS_AM) of subscribers.
  - 9. The method according to claim 1, wherein the serviced entities (SE) comprise at least one of the administrative domains (ADs).
  - 10. The method according to claim 9, wherein the serviced entities (SE) comprise at least one of the administrative domains (ADs) being charged based on the amount (FL_AM) of network flows reported within the respective administrative domain (AD).
  - 11. The method according to claim 1, wherein the serviced entities (SE) comprise one of a governmental, police, office, and military authority.
  - 12. The method according to claim 1, wherein the result (RE) comprises a spam characteristic.
  - 13. The method according to claim 1 wherein analyzing the higher level output comprises correlating traffic rates on specific ports to trace back at least one of a virus or worm to an injection point in the network as a source of malicious network flow.
  - 14. The method according to claim 1 wherein generating the higher level output comprises generating a map of traffic patterns based on the network flow records.
  - 15. The method according to claim 14 wherein analyzing the higher level output comprises detecting a traffic pattern spreading out like mushrooms in a star-formed way to identify at least one node originally infected with a worm.
  - 16. The method according to claim 14 wherein analyzing the higher level output comprises detecting a traffic pattern of star-formed activity in multiple nodes with increased activity toward a single destination to identify a denial of service attack.

17. A network monitoring entity to detect malicious network flow in a distributed network comprising:
- a receiving component for receiving network flow records (FR) from observation points in a plurality of different, distributed administrative domains (ADs), each network flow record comprising measured properties of network flow of a set of data packets passing each observation point during a time interval;
  
  an analysis component for performing an analysis (AN) on the network flow records (FR) in a way to locate a source of malicious network flow by correlating network flow records with at least one of additional network flow records, trigger events, trigger flow records, and additional network flow information, constructing a higher level output, and analyzing the higher level output for at least one of a traffic profile, a traffic rate, and a traffic pattern indicative of malicious network flow and a source of the malicious network flow; and
  
  a notification component for providing serviced entities (SE) with a result (RE) of the analysis (AN).

18. A non-transitory computer program product comprising a computer-readable medium storing program instructions executable by a processor to perform a method for operating a network monitoring entity (TE) to detect malicious network flow in a distributed network, said method comprising at said network monitoring entity (TE) the steps of:
- receiving network flow records (FR) from observation points in a plurality of different distributed administrative domains (ADs), each network flow record comprising measured properties of network flow of a set of data packets passing each observation point during a time interval;
  
  performing an analysis (AN) of the network flow records (FR) to locate a source of malicious network flow by correlating network flow records with at least one of additional network flow records, trigger events, trigger flow records, and additional network flow information, constructing a higher level output, and analyzing the higher level output for at least one of a traffic profile, a traffic rate, and a traffic pattern indicative of malicious network flow and a source of the malicious network flow; and
  
  providing serviced entities (SE) with a result (RE) of the analysis (AN).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Droz, Patrick, Haas, Robert, Kind, Andreas
Primary Examiner(s)
Eskandarnia, Arvin
Assistant Examiner(s)
DESAI, MARGISHI V

Application Number

US12/281,357
Publication Number

US 20090222924A1
Time in Patent Office

3,421 Days
Field of Search

726/22, 370/401
US Class Current

1/1
CPC Class Codes

H04L 43/04   Processing captured monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 76/27   Transitions between radio r...

Operating a network monitoring entity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Operating a network monitoring entity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links