Network surveillance

US 20030088791A1
Filed: 09/25/2002
Published: 05/08/2003
Est. Priority Date: 11/09/1998
Status: Active Grant

First Claim

Patent Images

1. A method of network surveillance, comprising:

receiving network packets handled by a network entity;

building at least one long-term and at least one short-term statistical profile from at least one measure of the network packets, the at least one measure monitoring data transfers, errors, or network connections;

comparing at least one long-term and at least one short-term statistical profile; and

determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and a least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.

Citations

27 Claims

1. A method of network surveillance, comprising:
- receiving network packets handled by a network entity;
  
  building at least one long-term and at least one short-term statistical profile from at least one measure of the network packets, the at least one measure monitoring data transfers, errors, or network connections;
  
  comparing at least one long-term and at least one short-term statistical profile; and
  
  determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the measure monitors data transfers by monitoring network packet data transfer commands.
  - 3. The method of claim 1, wherein the measure monitors data transfers by monitoring network packet data transfer errors.
  - 4. The method of claim 1, wherein the measure monitors data transfers by monitoring network packet data transfer volume.
  - 5. The method of claim 1, wherein the measure monitors network connections by monitoring network connection requests.
  - 6. The method of claim 1, wherein the measure monitors network connections by monitoring network connection denials.
  - 7. The method of claim 1, wherein the measure monitors network connections by monitoring a correlation of network connections requests and network connection denials.
  - 8. The method of claim 1, wherein the measure monitors errors by monitoring error codes included in a network packet.
  - 9. The method of claim 8, wherein an error code comprises a privilege error code.
  - 10. The method of claim 8, wherein an error code comprises an error code indicating a reason a packet was rejected.
  - 11. The method of claim 1, further comprising responding based on the determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
  - 12. The method of claim 11, wherein responding comprises transmitting an event record to a network monitor.
  - 13. The method of claim 12, wherein transmitting the event record to a network monitor comprises transmitting the event record to a hierarchically higher network monitor.
  - 14. The method of claim 13, wherein transmitting the event record to a network monitor comprises transmitting the event record to a network monitor that receives event records from multiple network monitors.
  - 15. The method of claim 14, wherein the monitor that receives event records from multiple network monitors comprises a network monitor that correlates activity in the multiple network monitors based on the received event records.
  - 16. The method of claim 11, wherein responding comprises altering analysis of the network packets.
  - 17. The method of claim 11, wherein responding comprises severing a communication channel.
  - 18. The method of claim 1, wherein the network packets comprise TCP/IP packets.
  - 19. The method of claim 1, wherein the network entity comprises a gateway, a router, or a proxy server.
  - 20. The method of claim 1, wherein the network entity comprises a virtual private network entity.

21. A method of network surveillance, comprising:
- monitoring network packets handled by a network entity;
  
  building a long-term and multiple short-term statistical profiles of the network packets;
  
  comparing one of the multiple short-term statistical profiles with the long-term statistical profile; and
  
  determining whether the difference between the one of the multiple short-term statistical profiles and the long-term statistical profile indicates suspicious network activity.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, wherein the multiple short-term statistical profiles comprise profiles that monitor different anonymous FTP sessions.
  - 23. The method of claim 21, wherein building multiple short-term statistical profiles comprises deinterleaving packets to identify a short-term statistical profile.

24. A computer program product, disposed on a computer readable medium, the product including instructions for causing a processor to:
- receive network packets handled by a network entity;
  
  build at least one long-term and at least one short-term statistical profile from at least one measure of the network packets, the measure monitoring data transfers, errors, or network connections;
  
  compare at least one short-term and at least one long-term statistical profile; and
  
  determine whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.

25. A method of network surveillance, comprising:
- receiving packets at a virtual private network entity; and
  
  building at least one long-term and at least one short-term statistical profile based on the received packets, and comparing at least one long-term statistical profile with at least one short-term statistical profile to determine whether the packets indicate suspicious network activity.
- View Dependent Claims (26, 27)
- - 26. The method of claim 25, further comprising decrypting the packets before statistically analyzing the packets.
  - 27. The method of claim 25, further comprising not decrypting the packets before statistically analyzing the packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip Andrew, Valdes, Alfonso

Granted Patent

US 6,711,615 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/0811   by checking connectivity

H04L 43/0888   Throughput

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Network surveillance

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Network surveillance

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links