Detecting malicious attacks using network behavior and...

Multiplex communications – Diagnostic testing

Reexamination Certificate


Details

C726S024000

Reexamination Certificate

active

07936682

ABSTRACT:
A method and apparatus for detecting malicious attacks is described. The method may comprise obtaining routing information from a packet communicated via a network and maintaining a count of packets associated with a device associated with the routing information. For example, the routing information may be a source or destination IP address, a port number, or any other routing information. The device may be classified as a potentially malicious device when the count exceeds a threshold. The count may be incremented when the TCP SYN flag is set and the TCP ACK flag is not set. An embodiment comprises obtaining a source hash of the source IP address and a destination hash of the destination IP address. Thereafter, the source hash and the destination hash may be mapped to multistage filters. The device associated with the packet may then be selectively categorized as a suspicious device.
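The abstract describes a counting pipeline: keep only packets with SYN set and ACK clear, hash the source and destination addresses into multistage filters, and flag an address once its count crosses a threshold. The following is an added illustration written for this page, not the patent's own implementation or any product code; the `Packet` record, the `MultistageFilter` class, the sample traffic and the threshold of 8 are all constructed here. It goes slightly beyond the abstract by using conservative update in the filter, so that hash collisions can only over-estimate a count, never hide a busy address.

```python
"""Added example: SYN-only packet counting through multistage filters.

Illustrative code written for this page, not the patent's implementation.
Packet records, addresses and the threshold are constructed sample data.
"""
import hashlib
from dataclasses import dataclass

SYN = 0x02  # TCP flag bits as laid out in the TCP header
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


class MultistageFilter:
    """Parallel stages of counters indexed by independent hashes of a key.

    A key's estimate is the minimum over its stages, so a collision in one
    stage cannot inflate the estimate unless every stage collides.
    """

    def __init__(self, stages: int = 4, width: int = 64):
        self.width = width
        self.tables = [[0] * width for _ in range(stages)]

    def _buckets(self, key: str):
        for i in range(len(self.tables)):
            # one independent hash per stage: salt the key with the stage index
            digest = hashlib.blake2b(key.encode(), digest_size=8,
                                     salt=bytes([i])).digest()
            yield i, int.from_bytes(digest, "big") % self.width

    def add(self, key: str) -> int:
        """Count one packet for key; returns the new estimate for key."""
        buckets = list(self._buckets(key))
        current = min(self.tables[i][b] for i, b in buckets)
        # conservative update: only the counters at the minimum are raised
        for i, b in buckets:
            if self.tables[i][b] == current:
                self.tables[i][b] += 1
        return current + 1

    def estimate(self, key: str) -> int:
        return min(self.tables[i][b] for i, b in self._buckets(key))


def is_connection_attempt(p: Packet) -> bool:
    """True only for packets with SYN set and ACK clear (new connection attempts)."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def classify(packets, threshold: int = 8):
    """Return (suspicious sources, suspicious destinations).

    Sources are hashed into one filter, destinations into another, and an
    address is reported once its SYN-only count exceeds the threshold.
    """
    src_filter, dst_filter = MultistageFilter(), MultistageFilter()
    suspicious_sources, suspicious_targets = set(), set()
    for p in packets:
        if not is_connection_attempt(p):
            continue
        if src_filter.add(p.src) > threshold:
            suspicious_sources.add(p.src)
        if dst_filter.add(p.dst) > threshold:
            suspicious_targets.add(p.dst)
    return suspicious_sources, suspicious_targets


def sample_traffic():
    """Constructed traffic: three clients each complete a handshake with one
    server, and one host sends bare SYNs to twelve distinct addresses."""
    pkts = []
    for n in range(3):
        client = f"10.0.0.{n + 1}"
        pkts.append(Packet(client, "10.0.0.50", 40000 + n, 443, SYN))
        pkts.append(Packet("10.0.0.50", client, 443, 40000 + n, SYN | ACK))
        pkts.append(Packet(client, "10.0.0.50", 40000 + n, 443, ACK))
    for n in range(12):
        pkts.append(Packet("192.0.2.7", f"10.0.1.{n + 1}", 51000 + n, 22, SYN))
    return pkts


if __name__ == "__main__":
    sources, targets = classify(sample_traffic())
    print("suspicious sources:", sorted(sources))   # ['192.0.2.7']
    print("suspicious targets:", sorted(targets))   # []
```

The SYN-without-ACK rule is what keeps the counters from charging a server for the SYN/ACKs it sends back, which is why the handshake clients in the sample stay at a count of one each. The threshold is a tuning knob: a legitimately busy source (a crawler, a monitoring host) will cross it as readily as a scanner, which is why the abstract speaks of a "potentially malicious" device rather than a verdict; the flagged address is a candidate for further inspection, not a block decision on its own.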

REFERENCES:
patent: 4734856 (1988-03-01), Davis
patent: 6016546 (2000-01-01), Kephart et al.
patent: 6279113 (2001-08-01), Vaidya
patent: 6477651 (2002-11-01), Teal
patent: 6519703 (2003-02-01), Joyce
patent: 6578147 (2003-06-01), Shanklin et al.
patent: 6738814 (2004-05-01), Cox et al.
patent: 6829635 (2004-12-01), Townshend
patent: 6988208 (2006-01-01), Hrabik et al.
patent: 7080408 (2006-07-01), Pak et al.
patent: 7089592 (2006-09-01), Adjaoute
patent: 7130981 (2006-10-01), Nachenberg
patent: 7251692 (2007-07-01), Raz
patent: 7451309 (2008-11-01), Aaron et al.
patent: 7535909 (2009-05-01), Singh et al.
patent: 2002/0107953 (2002-08-01), Ontiveros et al.
patent: 2002/0129140 (2002-09-01), Peled et al.
patent: 2003/0004689 (2003-01-01), Gupta et al.
patent: 2003/0067921 (2003-04-01), Sivalingham
patent: 2003/0105973 (2003-06-01), Liang et al.
patent: 2003/0115485 (2003-06-01), Milliken
patent: 2003/0145232 (2003-07-01), Poletto et al.
patent: 2003/0226035 (2003-12-01), Robert et al.
patent: 2004/0054925 (2004-03-01), Etheridge et al.
patent: 2004/0064737 (2004-04-01), Milliken et al.
patent: 2004/0073617 (2004-04-01), Milliken et al.
patent: 2004/0117648 (2004-06-01), Kissel
patent: 2004/0215976 (2004-10-01), Jain
patent: 2004/0257994 (2004-12-01), Paskett et al.
patent: 2005/0041955 (2005-02-01), Beuque
patent: 2005/0060535 (2005-03-01), Bartas
patent: 2005/0060754 (2005-03-01), Simyon
patent: 2005/0076228 (2005-04-01), Davis et al.
patent: 2005/0111367 (2005-05-01), Chao et al.
patent: 2005/0114700 (2005-05-01), Barrie et al.
patent: 2005/0229254 (2005-10-01), Singh et al.
patent: 2005/0262556 (2005-11-01), Waisman et al.
patent: 2005/0262561 (2005-11-01), Gassoway
patent: 2006/0048209 (2006-03-01), Shelest et al.
patent: 2006/0064746 (2006-03-01), Aaron et al.
patent: 2006/0072464 (2006-04-01), Aaron et al.
patent: 2006/0098687 (2006-05-01), Singh et al.
patent: 2006/0107318 (2006-05-01), Jeffries et al.
patent: 2006/0117126 (2006-06-01), Leung et al.
patent: 2006/0139187 (2006-06-01), Helfman et al.
patent: 2006/0150249 (2006-07-01), Gassen et al.
patent: 2006/0161986 (2006-07-01), Singh et al.
patent: 2006/0242703 (2006-10-01), Abeni
patent: 2007/0025243 (2007-02-01), Ayyagari et al.
patent: 2007/0047457 (2007-03-01), Harijono et al.
patent: 2007/0094728 (2007-04-01), Julisch et al.
patent: 2007/0112714 (2007-05-01), Fairweather
patent: 2007/0192863 (2007-08-01), Kapoor et al.
patent: 2008/0140631 (2008-06-01), Pandya
patent: 2008/0140912 (2008-06-01), Pandya
patent: 2008/0140991 (2008-06-01), Pandya
patent: 2008/0219178 (2008-09-01), Barrett
patent: WO-2005103899 (2005-11-01), None
“U.S. Appl. No. 10/822,226, Final Office Action mailed May 23, 2008”, 21 pgs.
“U.S. Appl. No. 10/822,226, Final Office Action mailed Aug. 12, 2009”, 29 pgs.
“U.S. Appl. No. 10/822,226, Non Final Office Action mailed Feb. 4, 2009”, 26 pgs.
“U.S. Appl. No. 10/822,226, Non Final Office Action mailed Aug. 11, 2008”, 20 pgs.
“U.S. Appl. No. 10/822,226, Non Final Office Action mailed Oct. 4, 2007”, 20 pgs.
“U.S. Appl. No. 10/822,226, Non Final Office Action mailed Oct. 22, 2009”, 6 pgs.
“U.S. Appl. No. 10/822,226, Response filed Jan. 28, 2008 to Non Final Office Action mailed Oct. 4, 2007”, 24 pgs.
“U.S. Appl. No. 10/822,226, Response filed Apr. 9, 2009 to Non Final Office Action mailed Feb. 4, 2009”, 33 pgs.
“U.S. Appl. No. 10/822,226, Response filed Jul. 15, 2008 to Final Office Action mailed May 23, 2008”, 30 pgs.
“U.S. Appl. No. 10/822,226, Response filed Oct. 9, 2009 to Final Office Action mailed Aug. 12, 2009”, 38 pgs.
“U.S. Appl. No. 10/822,226, Response filed Nov. 10, 2008 to Non Final Office Action mailed Aug. 11, 2008”, 29 pgs.
“Data Reduction”, Microsoft Computer Dictionary, 5th Edition, (2002), p. 144.
“Data Reduction”, Chambers Dictionary of Science and Technology, (1999), p. 303.
“Data Reduction”, McGraw-Hill Dictionary of Scientific and Technical Terms, 6th Edition, (2003), p. 505.
“International Application Serial No. PCT/US2004/040149, International Preliminary Report on Patentability mailed Oct. 11, 2006”, 11 pgs.
“International Application Serial No. PCT/US2004/040149, International Search Report and Written Opinion mailed Apr. 11, 2005”, 10 pgs.
“Snort Web Site”, [Online]. Retrieved from the Internet: <URL: http://www.snort.org/>, (May 23, 2009), 1 pg.
Bloom, Burton, “Space/Time Trade-offs in Hash Coding with Allowable Errors”, Communications of the ACM vol. 23 No. 7, (Jul. 1970), 422-426.
Estan, Christian, et al., “Building a Better NetFlow”, SIGCOMM 2004 Tech Report, (Aug. 2004), 12 pgs.
Fan, Li, et al., “Summary Cache: A Scalable Wide-Area Web Cache Sharing Protocol”, ACM SIGCOMM, (Sep. 1998), 12 pgs.
Graham, Paul, “A Plan for Spam”, [Online]. Retrieved from the Internet: <URL: http://www.paulgraham.com/spam.html>, (Aug. 2002), 13 pgs.
Manber, Udi, “Finding Similar Files in a Large File System”, USENIX Technical Conference, (Jan. 1994), 11 pgs.
Moore, David, et al., “Inferring Internet Denial-of-Service Activity”, Proceedings of the 10th USENIX Security Symposium, (Aug. 2001), 14 pgs.
Moore, David, et al., “Internet Quarantine: Requirements for Containing Self-Propagating Code”, 22nd Annual Joint Conference of the IEEE Computer and Communications Societies, (Apr. 2003), 10 pgs.
Rabin, Michael O., “Fingerprinting by Random Polynomials”, Center for Research in Computing Technology, Harvard University Report TR-15-91, (1981), 14 pgs.
Singh, Sumeet, et al., “Automated Worm Fingerprinting”, 6th Symposium on Operating Systems Design and Implementation, USENIX Association, (Dec. 2004), 45-60.
“U.S. Appl. No. 10/822,226, Examiner Interview Summary mailed Nov. 18, 2010”, 3 pgs.
“U.S. Appl. No. 10/822,226, Office Action response filed Nov. 15, 2010”, 10 pgs.
“U.S. Appl. No. 10/822,226, Non-Final Office Action mailed May 13, 2010”, 12 pgs.
