US2004221191A1PendingUtilityA1
Network surveillance
Priority: Nov 9, 1998Filed: Mar 22, 2004Published: Nov 4, 2004
Est. expiryNov 9, 2018(expired)· nominal 20-yr term from priority
H04L 43/12H04L 43/0888H04L 43/0811H04L 63/1416H04L 43/16H04L 43/06H04L 63/1408H04L 41/142H04L 63/145H04L 63/1458H04L 43/00
50
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and a least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . Method for performing network surveillance, said method comprising the steps of:
receiving a plurality of network packets handled by a network entity; building at least one statistical profile from at least one measure of said plurality of network packets; and analyzing said at least one statistical profile to detect suspicious network activity.
2 . The method of claim 1 , wherein said at least one measure monitors data transfers by monitoring network packet data transfer commands.
3 . The method of claim 1 , wherein said at least one measure monitors data transfers by monitoring network packet data transfer errors.
4 . The method of claim 1 , wherein said at least one measure monitors data transfers by monitoring network packet data transfer volume.
5 . The method of claim 1 , wherein said at least one measure monitors network connections by monitoring network connection requests.
6 . The method of claim 1 , wherein said at least one measure monitors network connections by monitoring network connection denials.
7 . The method of claim 1 , wherein said at least one measure monitors network connections by monitoring a correlation of network connections requests and network connection denials.
8 . The method of claim 1 , wherein said at least one measure monitors errors by monitoring at least one error code included in a network packet, wherein said at least one error code comprises a privilege error code or an error code indicating a reason a packet was rejected.
9 . The method of claim 1 , further comprising the step of:
responding based on determining whether said at least one statistical profile indicates suspicious network activity.
10 . The method of claim 9 , wherein said responding step comprises transmitting an event record to a network monitor.
11 . The method of claim 10 , wherein said transmitting the event record to a network monitor step comprises transmitting the event record to a hierarchically higher network monitor.
12 . The method of claim 11 , wherein said transmitting the event record to a network monitor step comprises transmitting the event record to a network monitor that receives event records from a plurality of network monitors.
13 . The method of claim 12 , wherein said network monitor that receives event records from said plurality of network monitors comprises a network monitor that correlates activity in said plurality of network monitors based on said received event records.
14 . The method of claim 9 , wherein said responding step comprises altering said analysis of said plurality of network packets.
15 . The method of claim 9 , wherein said responding step comprises severing a communication channel.
16 . The method of claim 1 , wherein said network entity comprises at least one of a gateway, a router, a proxy server, a firewall, and a virtual private network (VPN) entity.
17 . The method of claim 1 , wherein said plurality of network packets are partitioning into a plurality of sessions representing a communication transaction between two hosts.
18 . The method of claim 17 , wherein said at least one measure monitors network connections by monitoring a source port number and a destination port number included in one of said network packets.
19 . A computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform the steps comprising of:
receiving a, plurality of network packets handled by a network entity; building at least one statistical profile from at least one measure of said plurality of network packets; and analyzing said at least one statistical profile to detect suspicious network activity.
20 . Apparatus for performing network surveillance, said apparatus comprising:
means for receiving a plurality of network packets handled by a network entity; means for building at least one statistical profile from at least one measure of said plurality of network packets; and means for analyzing said at least one statistical profile to detect suspicious network activity.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.