Network surveillance
Abstract
A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.
251 Citations
93 Claims
1. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
  deploying a plurality of network monitors in the enterprise network;
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data selected from one or more of the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet, network connection acknowledgements, and network packets indicative of well-known network-service protocols};
  generating, by the monitors, reports of said suspicious activity; and
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
Dependent claims: 2-12.

13. An enterprise network monitoring system comprising:
  a plurality of network monitors deployed within an enterprise network, said plurality of network monitors detecting suspicious network activity based on analysis of network traffic data selected from one or more of the following categories: {network packet data transfer commands, network packet data transfer errors, network packet data volume, network connection requests, network connection denials, error codes included in a network packet, network connection acknowledgements, and network packets indicative of well-known network-service protocols};
  said network monitors generating reports of said suspicious activity; and
  one or more hierarchical monitors in the enterprise network, the hierarchical monitors adapted to automatically receive and integrate the reports of suspicious activity.
Dependent claims: 14-23.

24. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
  deploying a plurality of network monitors in the enterprise network, wherein the enterprise network is a virtual private network (VPN);
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  generating, by the monitors, reports of said suspicious activity; and
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
Dependent claims: 25-33.

34. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
  deploying a plurality of network monitors in the enterprise network, wherein at least one of the network monitors is deployed at a gateway;
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  generating, by the monitors, reports of said suspicious activity; and
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
Dependent claims: 35-43.

44. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
  deploying a plurality of network monitors in the enterprise network, wherein at least one of the network monitors is deployed at a router;
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  generating, by the monitors, reports of said suspicious activity; and
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
Dependent claims: 45-53.

54. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
  deploying a plurality of network monitors in the enterprise network, wherein at least one of the network monitors is deployed at a proxy server;
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  generating, by the monitors, reports of said suspicious activity; and
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
Dependent claims: 55-63.

64. A computer-automated method of hierarchical event monitoring and analysis within an enterprise network comprising:
  deploying a plurality of network monitors in the enterprise network, wherein at least one of the network monitors is deployed at a firewall;
  detecting, by the network monitors, suspicious network activity based on analysis of network traffic data;
  generating, by the monitors, reports of said suspicious activity; and
  automatically receiving and integrating the reports of suspicious activity, by one or more hierarchical monitors.
Dependent claims: 65-73.

74. An enterprise network monitoring system comprising:
  a plurality of network monitors deployed within an enterprise network, wherein the enterprise network is a virtual private network (VPN), said plurality of network monitors detecting suspicious network activity based on analysis of network traffic data;
  said network monitors generating reports of said suspicious activity; and
  one or more hierarchical monitors in the enterprise network, the hierarchical monitors adapted to automatically receive and integrate the reports of suspicious activity.
Dependent claims: 75-83.

84. An enterprise network monitoring system comprising:
  a plurality of network monitors deployed within an enterprise network, wherein at least one of the network monitors is deployed at one or more of the following facilities of the enterprise network: {gateways, routers, proxy servers, firewalls}, said plurality of network monitors detecting suspicious network activity based on analysis of network traffic data;
  said network monitors generating reports of said suspicious activity; and
  one or more hierarchical monitors in the enterprise network, the hierarchical monitors adapted to automatically receive and integrate the reports of suspicious activity.
Dependent claims: 85-93.

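The abstract describes comparing a short-term against a long-term statistical profile of packet measures, and the claims above describe monitors at gateways, routers and similar points reporting suspicious activity to hierarchical monitors that integrate those reports. The following is an added worked example of that pipeline, written for this page; it is not code from the patent or its assignee. The exponentially weighted profiles, the ratio threshold, the warm-up period and the per-interval traffic counts are all constructed assumptions chosen to make the mechanism visible, and the measures used are three of the categories listed in claim 1 (transfer errors, connection denials, data volume).

```python
"""Toy network-surveillance pipeline in the shape the abstract and claims describe.
Added example, not code from the patent or its assignee; the EWMA profiling,
the threshold and the traffic counts below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Measures drawn from the claim's traffic-data categories (per-interval counts at one monitor)
MEASURES = ("transfer_errors", "connection_denials", "data_volume")


@dataclass
class Profile:
    """Exponentially weighted running average of each measure.
    A large alpha forgets quickly (short-term profile); a small alpha
    remembers long history (long-term profile)."""
    alpha: float
    values: dict = field(default_factory=lambda: {m: 0.0 for m in MEASURES})

    def update(self, sample):
        for m in MEASURES:
            self.values[m] = (1 - self.alpha) * self.values[m] + self.alpha * sample.get(m, 0.0)


@dataclass
class Report:
    """What a network monitor sends upward when a measure diverges."""
    monitor: str
    measure: str
    short_term: float
    long_term: float
    ratio: float


class NetworkMonitor:
    """One deployed monitor: builds a short-term and a long-term profile and compares them."""

    def __init__(self, name, short_alpha=0.5, long_alpha=0.05,
                 threshold=3.0, warmup=20, min_rate=1.0):
        self.name = name
        self.short = Profile(short_alpha)
        self.long = Profile(long_alpha)
        self.threshold = threshold   # short/long ratio treated as suspicious (assumed value)
        self.warmup = warmup         # intervals before the long-term profile is trusted
        self.min_rate = min_rate     # floor so a near-zero long-term value cannot inflate the ratio
        self.seen = 0

    def observe(self, sample):
        """Feed one interval's counts; return reports for measures whose profiles diverge."""
        self.short.update(sample)
        self.long.update(sample)
        self.seen += 1
        if self.seen <= self.warmup:
            return []
        reports = []
        for m in MEASURES:
            st, lt = self.short.values[m], self.long.values[m]
            ratio = st / max(lt, self.min_rate)
            if ratio > self.threshold:
                reports.append(Report(self.name, m, st, lt, ratio))
        return reports


class HierarchicalMonitor:
    """Receives reports from subordinate monitors and integrates them."""

    def __init__(self, name):
        self.name = name
        self.received = []

    def receive(self, reports):
        self.received.extend(reports)

    def integrate(self):
        """Group reports by measure; the set of monitors behind each measure shows
        whether an anomaly is local to one point or visible across the enterprise."""
        by_measure = defaultdict(set)
        for r in self.received:
            by_measure[r.measure].add(r.monitor)
        return {m: sorted(mons) for m, mons in by_measure.items()}


def run_simulation():
    """Constructed scenario: a gateway and a router monitor feed one hierarchical monitor.
    After 30 quiet intervals, both see a burst of connection denials and only the
    router sees a burst of transfer errors."""
    gateway, router, soc = NetworkMonitor("gateway"), NetworkMonitor("router"), HierarchicalMonitor("soc")
    baseline = {"transfer_errors": 2, "connection_denials": 1, "data_volume": 1000}
    for interval in range(40):
        g, r = dict(baseline), dict(baseline)
        if interval >= 30:
            g["connection_denials"] = 20
            r["connection_denials"] = 20
            r["transfer_errors"] = 30
        soc.receive(gateway.observe(g))
        soc.receive(router.observe(r))
    return soc.integrate()


if __name__ == "__main__":
    for measure, monitors in run_simulation().items():
        print(f"{measure}: reported by {', '.join(monitors)}")
```

The integrated view distinguishes the denial burst, reported by both monitors, from the error burst, reported only by the router; the constant data-volume measure never crosses the threshold because its short-term and long-term profiles stay close together. The `min_rate` floor is the detail worth keeping in any real implementation of this comparison: without it, a measure whose long-term profile is near zero produces an unbounded ratio on the first stray event.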
Specification