Network surveillance

DC CAFC

US 6,711,615 B2
Filed: 09/25/2002
Issued: 03/23/2004
Est. Priority Date: 11/09/1998
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:

deploying a plurality of network monitors in the enterprise network;

detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from one or more of the following categories;

{network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet, network connection acknowledgements, and network packets indicative of well-known network-service protocols};

generating, by the monitors, reports of said suspicious activity; and

automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexaminations

Accused Products

Abstract

A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and a least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.

251 Citations

93 Claims

1. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
- deploying a plurality of network monitors in the enterprise network;
  
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from one or more of the following categories;
  
  {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet, network connection acknowledgements, and network packets indicative of well-known network-service protocols};
  
  generating, by the monitors, reports of said suspicious activity; and
  
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein integrating comprises correlating intrusion reports reflecting underlying commonalities.
  - 3. The method of claim 1, wherein integrating further comprises invoking countermeasures to a suspected attack.
  - 4. The method of claim 1, wherein the plurality of network monitors include an API for encapsulation of monitor functions and integration of third-party tools.
  - 5. The method of claim 1, wherein the enterprise network is a TCP/IP network.
  - 6. The method of claim 1, wherein the network monitors are deployed at one or more of the following facilities of the enterprise network:
    - {gateways, routers, proxy servers}.
  - 7. The method of claim 1, wherein at least one of said network monitors utilizes a statistical detection method.
  - 8. The method of claim 1, wherein deploying the network monitors includes placing a plurality of service monitors among multiple domains of the enterprise network.
  - 9. The method of claim 8, wherein receiving and integrating is performed by a domain monitor with respect to a plurality of service monitors within the domain monitor'"'"'s associated network domain.
  - 10. The method of claim 1, wherein deploying the network monitors includes deploying a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network.
  - 11. The method of claim 10, wherein receiving and integrating is performed by an enterprise monitor with respect to a plurality of domain monitors within the enterprise network.
  - 12. The method of claim 10, wherein the plurality of domain monitors within the enterprise network establish peer-to-peer relationships with one another.

13. An enterprise network monitoring system comprising:
- a plurality of network monitors deployed within an enterprise network, said plurality of network monitors detecting suspicious network activity based on analysis of network traffic data selected from one or more of the following categories;
  
  {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet, network connection acknowledgements, and network packets indicative of well-known network-service protocols};
  
  said network monitors generating reports of said suspicious activity; and
  
  one or more hierarchical monitors in the enterprise network, the hierarchical monitors adapted to automatically receive and integrate the reports of suspicious activity.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The system of claim 13, wherein the integration comprises correlating intrusion reports reflecting underlying commonalities.
  - 15. The system of claim 13, wherein the integration further comprises invoking countermeasures to a suspected attack.
  - 16. The system of claim 13, wherein the plurality of network monitors include an application programming interface (API) for encapsulation of monitor functions and integration of third-party tools.
  - 17. The system of claim 13, wherein the enterprise network is a TCP/IP network.
  - 18. The system of claim 13, wherein the network monitors are deployed at one or more of the following facilities of the enterprise network:
    - {gateways, routers, proxy servers}.
  - 19. The system of claim 13, wherein the plurality of network monitors includes a plurality of service monitors among multiple domains of the enterprise network.
  - 20. The system of claim 19, wherein a domain monitor associated with the plurality of service monitors within the domain monitor'"'"'s associated network domain is adapted to automatically receive and integrate the reports of suspicious activity.
  - 21. The system of claim 13, wherein the plurality of network monitors include a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network.
  - 22. The system of claim 21, wherein an enterprise monitor associated with a plurality of domain monitors is adapted to automatically receive and integrate the reports of suspicious activity.
  - 23. The system of claim 21, wherein the plurality of domain monitors within the enterprise network interface as a plurality of peer-to-peer relationships with one another.

24. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
- deploying a plurality of network monitors in the enterprise network, wherein the enterprise network is a virtual private network (VPN);
  
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  
  generating, by the monitors, reports of said suspicious activity; and
  
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 25. The method of claim 24, wherein said integrating comprises correlating intrusion reports reflecting underlying commonalities.
  - 26. The method of claim 24, wherein said integrating further comprises invoking countermeasures to a suspected attack.
  - 27. The method of claim 24, wherein the plurality of network monitors include an API for encapsulation of monitor functions and integration of third-party tools.
  - 28. The method of claim 24, wherein said network traffic data is selected from one or more of the following categories:
    - {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}.
  - 29. The method of claim 24, wherein said deploying the network monitors includes placing a plurality of service monitors among multiple domains of the enterprise network.
  - 30. The method of claim 29, wherein said receiving and integrating is performed by a domain monitor with respect to a plurality of service monitors within the domain monitor'"'"'s associated network domain.
  - 31. The method of claim 24, wherein said deploying the network monitors includes deploying a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network.
  - 32. The method of claim 31, wherein said receiving and integrating is performed by an enterprise monitor with respect to a plurality of domain monitors within the enterprise network.
  - 33. The method of claim 31, wherein the plurality of domain monitors within the enterprise network establish peer-to-peer relationships with one another.

34. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
- deploying a plurality of network monitors in the enterprise network, wherein at least one of the network monitors is deployed at a gateway;
  
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  
  generating, by the monitors, reports of said suspicious activity; and
  
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 35. The method of claim 34, wherein said integrating comprises correlating intrusion reports reflecting underlying commonalities.
  - 36. The method of claim 34, wherein said integrating further comprises invoking countermeasures to a suspected attack.
  - 37. The method of claim 34, wherein the plurality of network monitors include an API for encapsulation of monitor functions and integration of third-party tools.
  - 38. The method of claim 34, wherein said network traffic data is selected from one or more of the following categories:
    - {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}.
  - 39. The method of claim 34, wherein said deploying the network monitors includes placing a plurality of service monitors among multiple domains of the enterprise network.
  - 40. The method of claim 39, wherein said receiving and integrating is performed by a domain monitor with respect to a plurality of service monitors within the domain monitor'"'"'s associated network domain.
  - 41. The method of claim 34, wherein said deploying the network monitors includes deploying a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network.
  - 42. The method of claim 41, wherein said receiving and integrating is performed by an enterprise monitor with respect to a plurality of domain monitors within the enterprise network.
  - 43. The method of claim 41, wherein the plurality of domain monitors within the enterprise network establish peer-to-peer relationships with one another.

44. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
- deploying a plurality of network monitors in the enterprise network, wherein at least one of the network monitors is deployed at a router;
  
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  
  generating, by the monitors, reports of said suspicious activity; and
  
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 45. The method of claim 44, wherein said integrating comprises correlating intrusion reports reflecting underlying commonalities.
  - 46. The method of claim 44, wherein said integrating further comprises invoking countermeasures to a suspected attack.
  - 47. The method of claim 44, wherein the plurality of network monitors include an API for encapsulation of monitor functions and integration of third-party tools.
  - 48. The method of claim 44, wherein said network traffic data is selected from one or more of the following categories:
    - {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}.
  - 49. The method of claim 44, wherein said deploying the network monitors includes placing a plurality of service monitors among multiple domains of the enterprise network.
  - 50. The method of claim 49, wherein said receiving and integrating is performed by a domain monitor with respect to a plurality of service monitors within the domain monitor'"'"'s associated network domain.
  - 51. The method of claim 44, wherein said deploying the network monitors includes deploying a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network.
  - 52. The method of claim 51, wherein said receiving and integrating is performed by an enterprise monitor with respect to a plurality of domain monitors within the enterprise network.
  - 53. The method of claim 51, wherein the plurality of domain monitors within the enterprise network establish peer-to-peer relationships with one another.

54. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
- deploying a plurality of network monitors in the enterprise network, wherein at least one of the network monitors is deployed at a proxy server;
  
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  
  generating, by the monitors, reports of said suspicious activity; and
  
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 55. The method of claim 54, wherein said integrating comprises correlating intrusion reports reflecting underlying commonalities.
  - 56. The method of claim 54, wherein said integrating further comprises invoking countermeasures to a suspected attack.
  - 57. The method of claim 54, wherein the plurality of network monitors include an API for encapsulation of monitor functions and integration of third-party tools.
  - 58. The method of claim 54, wherein said network traffic data is selected from one or more of the following categories:
    - {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}.
  - 59. The method of claim 54, wherein said deploying the network monitors includes placing a plurality of service monitors among multiple domains of the enterprise network.
  - 60. The method of claim 59, wherein said receiving and integrating is performed by a domain monitor with respect to a plurality of service monitors within the domain monitor'"'"'s associated network domain.
  - 61. The method of claim 54, wherein said deploying the network monitors includes deploying a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network.
  - 62. The method of claim 61, wherein said receiving and integrating is performed by an enterprise monitor with respect to a plurality of domain monitors within the enterprise network.
  - 63. The method of claim 61, wherein the plurality of domain monitors within the enterprise network establish peer-to-peer relationships with one another.

64. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
- deploying a plurality of network monitors in the enterprise network, wherein at least one of the network monitors is deployed at a firewall;
  
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  
  generating, by the monitors, reports of said suspicious activity; and
  
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
- View Dependent Claims (65, 66, 67, 68, 69, 70, 71, 72, 73)
- - 65. The method of claim 64, wherein said integrating comprises correlating intrusion reports reflecting underlying commonalities.
  - 66. The method of claim 64, wherein said integrating further comprises invoking countermeasures to a suspected attack.
  - 67. The method of claim 64, wherein the plurality of network monitors include an API for encapsulation of monitor functions and integration of third-party tools.
  - 68. The method of claim 64, wherein said network traffic data is selected from one or more of the following categories:
    - {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}.
  - 69. The method of claim 64, wherein said deploying the network monitors includes placing a plurality of service monitors among multiple domains of the enterprise network.
  - 70. The method of claim 69, wherein said receiving and integrating is performed by a domain monitor with respect to a plurality of service monitors within the domain monitor'"'"'s associated network domain.
  - 71. The method of claim 64, wherein said deploying the network monitors includes deploying a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network.
  - 72. The method of claim 71, wherein said receiving and integrating is performed by an enterprise monitor with respect to a plurality of domain monitors within the enterprise network.
  - 73. The method of claim 71, wherein the plurality of domain monitors within the enterprise network establish peer-to-peer relationships with one another.

74. An enterprise network monitoring system comprising:
- a plurality of network monitors deployed within an enterprise network, wherein the enterprise network is a virtual private network (VPN), said plurality of network monitors detecting suspicious network activity based on analysis of network traffic data;
  
  said network monitors generating reports of said suspicious activity; and
  
  one or more hierarchical monitors in the enterprise network, the hierarchical monitors adapted to automatically receive and integrate the reports of suspicious activity.
- View Dependent Claims (75, 76, 77, 78, 79, 80, 81, 82, 83)
- - 75. The system of claim 74, wherein the integration comprises correlating intrusion reports reflecting underlying commonalities.
  - 76. The system of claim 74, wherein the integration further comprises invoking countermeasures to a suspected attack.
  - 77. The system of claim 74, wherein the plurality of network monitors include an application programming interface (API) for encapsulation of monitor functions and integration of third-party tools.
  - 78. The system of claim 74, wherein said network traffic data is selected from one or more of the following categories:
    - {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}.
  - 79. The system of claim 74, wherein the plurality of network monitors includes a plurality of service monitors among multiple domains of the enterprise network.
  - 80. The system of claim 79, wherein a domain monitor associated with the plurality of service monitors within the domain monitor'"'"'s associated network domain is adapted to automatically receive and integrate the reports of suspicious activity.
  - 81. The system of claim 74, wherein the plurality of network monitors include a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network.
  - 82. The system of claim 81, wherein an enterprise monitor associated with a plurality of domain monitors is adapted to automatically receive and integrate the reports of suspicious activity.
  - 83. The system of claim 81, wherein the plurality of domain monitors within the enterprise network interface as a plurality of peer-to-peer relationships with one another.

84. An enterprise network monitoring system comprising:
- a plurality of network monitors deployed within an enterprise network, wherein at least one of the network monitors is deployed at one or more of the following facilities of the enterprise network;
  
  {gateways, routers, proxy servers, firewalls}, said plurality of network monitors detecting suspicious network activity based on analysis of network traffic data;
  
  said network monitors generating reports of said suspicious activity; and
  
  one or more hierarchical monitors in the enterprise network, the hierarchical monitors adapted to automatically receive and integrate the reports of suspicious activity.
- View Dependent Claims (85, 86, 87, 88, 89, 90, 91, 92, 93)
- - 85. The system of claim 84, wherein the integration comprises correlating intrusion reports reflecting underlying commonalities.
  - 86. The system of claim 84, wherein the integration further comprises invoking countermeasures to a suspected attack.
  - 87. The system of claim 84, wherein the plurality of network monitors include an application programming interface (API) for encapsulation of monitor functions and integration of third-party tools.
  - 88. The system of claim 84, wherein said network traffic data is selected from one or more of the following categories:
    - {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet}.
  - 89. The system of claim 84, wherein the plurality of network monitors includes a plurality of service monitors among multiple domains of the enterprise network.
  - 90. The system of claim 89, wherein a domain monitor associated with the plurality of service monitors within the domain monitor'"'"'s associated network domain is adapted to automatically receive and integrate the reports of suspicious activity.
  - 91. The system of claim 84, wherein the plurality of network monitors include a plurality of domain monitors within the enterprise network, each domain monitor being associated with a corresponding domain of the enterprise network.
  - 92. The system of claim 91, wherein an enterprise monitor associated with a plurality of domain monitors is adapted to automatically receive and integrate the reports of suspicious activity.
  - 93. The system of claim 91, wherein the plurality of domain monitors within the enterprise network interface as a plurality of peer-to-peer relationships with one another.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Valdes, Alfonso, Porras, Phillip Andrew
Primary Examiner(s)
Heckler, Thomas M.

Application Number

US10/254,457
Publication Number

US 20030088791A1
Time in Patent Office

545 Days
Field of Search

713/200, 713/201, 709/223-225
US Class Current

709/224
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/0811   by checking connectivity

H04L 43/0888   Throughput

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Network surveillance

First Claim

2 Assignments

Litigations

0 Petitions

Reexaminations

Accused Products

Abstract

251 Citations

93 Claims

Specification

Solutions

Use Cases

Quick Links

Network surveillance

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexaminations

Accused Products

Subscription Required

Abstract

251 Citations

93 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links