US2004221191A1PendingUtilityA1

Network surveillance

50
Priority: Nov 9, 1998Filed: Mar 22, 2004Published: Nov 4, 2004
Est. expiryNov 9, 2018(expired)· nominal 20-yr term from priority
H04L 43/12H04L 43/0888H04L 43/0811H04L 63/1416H04L 43/16H04L 43/06H04L 63/1408H04L 41/142H04L 63/145H04L 63/1458H04L 43/00
50
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and a least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.

Claims

exact text as granted — not AI-modified
What is claimed is:  
     
         1 . Method for performing network surveillance, said method comprising the steps of: 
 receiving a plurality of network packets handled by a network entity;    building at least one statistical profile from at least one measure of said plurality of network packets; and    analyzing said at least one statistical profile to detect suspicious network activity.    
     
     
         2 . The method of  claim 1 , wherein said at least one measure monitors data transfers by monitoring network packet data transfer commands.  
     
     
         3 . The method of  claim 1 , wherein said at least one measure monitors data transfers by monitoring network packet data transfer errors.  
     
     
         4 . The method of  claim 1 , wherein said at least one measure monitors data transfers by monitoring network packet data transfer volume.  
     
     
         5 . The method of  claim 1 , wherein said at least one measure monitors network connections by monitoring network connection requests.  
     
     
         6 . The method of  claim 1 , wherein said at least one measure monitors network connections by monitoring network connection denials.  
     
     
         7 . The method of  claim 1 , wherein said at least one measure monitors network connections by monitoring a correlation of network connections requests and network connection denials.  
     
     
         8 . The method of  claim 1 , wherein said at least one measure monitors errors by monitoring at least one error code included in a network packet, wherein said at least one error code comprises a privilege error code or an error code indicating a reason a packet was rejected.  
     
     
         9 . The method of  claim 1 , further comprising the step of: 
 responding based on determining whether said at least one statistical profile indicates suspicious network activity.    
     
     
         10 . The method of  claim 9 , wherein said responding step comprises transmitting an event record to a network monitor.  
     
     
         11 . The method of  claim 10 , wherein said transmitting the event record to a network monitor step comprises transmitting the event record to a hierarchically higher network monitor.  
     
     
         12 . The method of  claim 11 , wherein said transmitting the event record to a network monitor step comprises transmitting the event record to a network monitor that receives event records from a plurality of network monitors.  
     
     
         13 . The method of  claim 12 , wherein said network monitor that receives event records from said plurality of network monitors comprises a network monitor that correlates activity in said plurality of network monitors based on said received event records.  
     
     
         14 . The method of  claim 9 , wherein said responding step comprises altering said analysis of said plurality of network packets.  
     
     
         15 . The method of  claim 9 , wherein said responding step comprises severing a communication channel.  
     
     
         16 . The method of  claim 1 , wherein said network entity comprises at least one of a gateway, a router, a proxy server, a firewall, and a virtual private network (VPN) entity.  
     
     
         17 . The method of  claim 1 , wherein said plurality of network packets are partitioning into a plurality of sessions representing a communication transaction between two hosts.  
     
     
         18 . The method of  claim 17 , wherein said at least one measure monitors network connections by monitoring a source port number and a destination port number included in one of said network packets.  
     
     
         19 . A computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform the steps comprising of: 
 receiving a, plurality of network packets handled by a network entity;    building at least one statistical profile from at least one measure of said plurality of network packets; and    analyzing said at least one statistical profile to detect suspicious network activity.    
     
     
         20 . Apparatus for performing network surveillance, said apparatus comprising: 
 means for receiving a plurality of network packets handled by a network entity;    means for building at least one statistical profile from at least one measure of said plurality of network packets; and    means for analyzing said at least one statistical profile to detect suspicious network activity.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.