US2012210425A1PendingUtilityA1

Network Surveillance

55
Assignee: PORRAS PHILLIP ANDREWPriority: Nov 9, 1998Filed: Apr 20, 2012Published: Aug 16, 2012
Est. expiryNov 9, 2018(expired)· nominal 20-yr term from priority
H04L 63/145H04L 63/1416H04L 63/1408H04L 63/1458H04L 43/00H04L 43/0888H04L 43/12H04L 43/06H04L 43/16H04L 41/142H04L 43/0811
55
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.

Claims

exact text as granted — not AI-modified
1 . A computer-automated method comprising:
 automatically receiving, at one or more hierarchical network monitors, reports of suspicious network activity from a plurality of network monitors, wherein the suspicious network activity was detected based on analysis of network traffic data selected from the following categories: network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, and error codes included in a network packet; and   automatically integrating, by the one or more hierarchical network monitors, the reports of suspicious network activity.   
     
     
         2 . The method of  claim 1 , wherein integrating the reports of suspicious network activity comprises correlating intrusion reports reflecting underlying commonalities. 
     
     
         3 . The method of  claim 1 , wherein integrating the reports of suspicious network activity further comprises initiating countermeasures to a suspected attack. 
     
     
         4 . The method of  claim 1 , wherein the plurality of network monitors is located within an enterprise network, and wherein the enterprise network is a TCP/IP network. 
     
     
         5 . The method of  claim 1 , wherein the plurality of network monitors is located at one or more of the following facilities of an enterprise network: gateways, routers, proxy servers. 
     
     
         6 . A computer-automated method comprising:
 automatically receiving, at one or more hierarchical network monitors, reports of suspicious network activity from a plurality of network monitors, wherein the plurality of network monitors includes a plurality of service monitors located among multiple domains of an enterprise network, and wherein the suspicious network activity was detected based on analysis of network traffic data selected from the following categories: network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, and error codes included in a network packet; and   automatically integrating, by the one or more hierarchical network monitors, the reports of suspicious network activity.   
     
     
         7 . The method of  claim 6 , wherein receiving and integrating the reports of suspicious network activity is performed by a domain monitor with respect to a plurality of service monitors within the domain monitor's associated network domain. 
     
     
         8 . The method of  claim 6 , wherein the one or more hierarchical network monitors include a plurality of domain monitors within an enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network. 
     
     
         9 . The method of  claim 8 , wherein integrating the reports of suspicious network activity is performed by an enterprise monitor with respect to a plurality of domain monitors within the enterprise network. 
     
     
         10 . The method of  claim 8 , wherein the plurality of domain monitors within the enterprise network establish peer-to-peer relationships with one another. 
     
     
         11 . A system comprising:
 one or more hierarchical network monitors, the hierarchical network monitors being configured to automatically receive reports of suspicious network activity from a plurality of network monitors, and being further configured to automatically integrate the reports of suspicious network activity;   wherein the suspicious network activity was detected based on analysis of network traffic data selected from the following categories: network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, and error codes included in a network packet.   
     
     
         12 . The system of  claim 11 , wherein the integration of the reports of suspicious network activity comprises correlating intrusion reports reflecting underlying commonalities. 
     
     
         13 . The system of  claim 11 , wherein the integration of the reports of suspicious network activity further comprises initiating countermeasures to a suspected attack. 
     
     
         14 . The system of  claim 11 , wherein the plurality of network monitors is located within an enterprise network, and wherein the enterprise network is a TCP/IP network. 
     
     
         15 . The system of  claim 11 , wherein the plurality of network monitors is located at one or more of the following facilities of an enterprise network: gateways, routers, proxy servers. 
     
     
         16 . A system comprising:
 one or more hierarchical network monitors, the hierarchical network monitors being configured to automatically receive reports of suspicious network activity from a plurality of network monitors, wherein the plurality of network monitors includes a plurality of service monitors among multiple domains of an enterprise network, and being further configured to automatically integrate the reports of suspicious network activity;   wherein the suspicious network activity was detected based on analysis of network traffic data selected from the following categories: network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, and error codes included in a network packet.   
     
     
         17 . The system of  claim 16 , wherein a domain monitor associated with the plurality of service monitors within the domain monitor's associated network domain is configured to receive and integrate the reports of suspicious network activity. 
     
     
         18 . The system of  claim 16 , wherein the plurality of network monitors includes a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network. 
     
     
         19 . The system of  claim 18 , wherein an enterprise monitor associated with the plurality of domain monitors is configured to receive and integrate the reports of suspicious network activity. 
     
     
         20 . The system of  claim 18 , wherein the plurality of domain monitors within the enterprise network interface as a plurality of peer-to-peer relationships with one another.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.