Event detection/anomaly correlation heuristics

Information security – Monitoring or scanning of software or data including attack... – Intrusion detection

Reexamination Certificate


active

07363656

ABSTRACT:
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events by aggregating anomalies into network events.

