Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network monitoring
Reexamination Certificate
2002-09-25
2004-03-23
Heckler, Thomas M. (Department: 2115)
C713S152000
active
06711615
ABSTRACT:
REFERENCE TO APPENDIX
An appendix consisting of 935 pages is included as part of the specification. The appendix includes material subject to copyright protection. The copyright owner does not object to the facsimile reproduction of the appendix, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights.
BACKGROUND
The invention relates to computer networks.
Computer networks offer users ease and efficiency in exchanging information. Networks tend to include conglomerates of integrated commercial and custom-made components, interoperating and sharing information at increasing levels of demand and capacity. Such varying networks manage a growing list of needs including transportation, commerce, energy management, communications, and defense.
Unfortunately, the very interoperability and sophisticated integration of technology that make networks such valuable assets also make them vulnerable to attack, and make dependence on networks a potential liability. Numerous examples of planned network attacks, such as the Internet worm, have shown how interconnectivity can be used to spread harmful program code. Accidental outages such as the 1980 ARPAnet collapse and the 1990 AT&T collapse illustrate how seemingly localized triggering events can have globally disastrous effects on widely distributed systems. In addition, organized groups have performed malicious and coordinated attacks against various online targets.
SUMMARY
In general, in one aspect, a method of network surveillance includes receiving network packets (e.g., TCP/IP packets) handled by a network entity and building at least one long-term and at least one short-term statistical profile from at least one measure of the network packets that monitors data transfers, errors, or network connections. A comparison of at least one long-term and at least one short-term statistical profile is used to determine whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
Embodiments may include one or more of the following features. The measure may monitor data transfers by monitoring network packet data transfer commands, data transfer errors, and/or network packet data transfer volume. The measure may monitor network connections by monitoring network connection requests, network connection denials, and/or a correlation of network connection requests and network connection denials. The measure may monitor errors by monitoring error codes included in a network packet, such as privilege error codes and/or error codes indicating the reason a packet was rejected.
The method may also include responding based on the determination of whether the difference between a short-term statistical profile and a long-term statistical profile indicates suspicious network activity. A response may include altering the analysis of network packets and/or severing a communication channel. A response may include transmitting an event record to a network monitor, such as a hierarchically higher network monitor and/or a network monitor that receives event records from multiple network monitors.
The network entity may be a gateway, a router, or a proxy server. The network entity may instead be a virtual private network entity (e.g., node).
In general, in another aspect, a method of network surveillance includes monitoring network packets handled by a network entity and building a long-term and multiple short-term statistical profiles of the network packets. A comparison of one of the multiple short-term statistical profiles with the long-term statistical profile is used to determine whether the difference between that short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
Embodiments may include one or more of the following. The multiple short-term statistical profiles may monitor different anonymous FTP sessions. Building multiple short-term statistical profiles may include deinterleaving packets to identify a short-term statistical profile.
In general, in another aspect, a computer program product, disposed on a computer readable medium, includes instructions for causing a processor to receive network packets handled by a network entity and to build at least one long-term and at least one short-term statistical profile from at least one measure of the network packets that monitors data transfers, errors, or network connections. The instructions compare a short-term and a long-term statistical profile to determine whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.
In general, in another aspect, a method of network surveillance includes receiving packets at a virtual private network entity and statistically analyzing the received packets to determine whether the packets indicate suspicious network activity. The packets may or may not be decrypted before statistical analysis.
Advantages may include one or more of the following. Using long-term and short-term statistical profiles from measures that monitor data transfers, errors, or network connections protects network components from intrusion. As long-term profiles represent “normal” activity, abnormal activity may be detected without requiring an administrator to catalog each possible attack upon a network. Additionally, the ability to deinterleave packets to create multiple short-term profiles for comparison against a long-term profile enables the system to detect abnormal behavior that would be statistically diluted if only a single short-term profile were created.
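The long-term versus short-term profile comparison and the per-session deinterleaving described above, as an added Python example that is not code from the patent or from SRI: the packet categories, the 8-packet short-term window, the add-half smoothing, the minimum-sample gate and the chi-square-style distance are all assumptions, and the traffic is constructed. Running `surveil` on the sample with and without deinterleaving shows that the hostile session is flagged only when it gets its own short-term profile.

```python
from collections import Counter, defaultdict, deque

# Packet measures in the patent's categories: connection requests/denials, transfers, error codes.
CATEGORIES = ("conn_request", "conn_denied", "xfer_ok", "xfer_error", "priv_error")
MIN_SAMPLES = 4  # a short-term profile is not scored until it holds a few packets

class Profile:
    """Category frequencies over the last `window` packets; window=None keeps all (long-term)."""
    def __init__(self, window=None):
        self.recent, self.counts = deque(maxlen=window), Counter()
    def observe(self, category):
        if len(self.recent) == self.recent.maxlen:   # oldest packet leaves the window
            self.counts[self.recent[0]] -= 1
        self.recent.append(category)
        self.counts[category] += 1
    def distribution(self):
        # Add-half smoothing so a category unseen long-term still has nonzero mass
        total = len(self.recent) + 0.5 * len(CATEGORIES)
        return {c: (self.counts[c] + 0.5) / total for c in CATEGORIES}

def divergence(short, long_term):
    """Chi-square-style distance of the short-term distribution from the long-term one (assumed statistic)."""
    ps, pl = short.distribution(), long_term.distribution()
    return sum((ps[c] - pl[c]) ** 2 / pl[c] for c in CATEGORIES)

def surveil(packets, threshold, window=8, deinterleave=True):
    """Return (session, score) alerts where a short-term profile strays from the long-term one."""
    long_term = Profile()
    short_terms = defaultdict(lambda: Profile(window))
    alerts = []
    for session, category in packets:
        long_term.observe(category)
        key = session if deinterleave else "all"     # deinterleave: one short-term profile per session
        st = short_terms[key]
        st.observe(category)
        if len(st.recent) >= MIN_SAMPLES:
            score = divergence(st, long_term)
            if score > threshold:
                alerts.append((key, round(score, 2)))
    return alerts

def constructed_traffic():
    """Constructed sample: two normal anonymous-FTP sessions, then a third session emitting privilege errors."""
    pkts = [(s, "conn_request" if i in (4, 12) else "xfer_ok")
            for i in range(20) for s in ("ftp-1", "ftp-2")]
    for i in range(6):                                # hostile packets interleaved with normal traffic
        pkts.append(("ftp-3", "priv_error"))
        pkts.append(("ftp-1" if i % 2 == 0 else "ftp-2", "xfer_ok"))
    return pkts
```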
The scheme of communication network monitors also protects networks from more global attacks. For example, an attack made upon one network entity may cause other entities to be alerted. Further, a monitor that collects event reports from different monitors may correlate activity to identify attacks causing disturbances in more than one network entity.
Additionally, statistical analysis of packets handled by a virtual private network enables detection of suspicious network activity despite virtual private network security techniques such as encryption of the network packets.
Other features and advantages will become apparent from the following description, including the drawings, and from the claims.
Porras Phillip Andrew
Valdes Alfonso
Heckler Thomas M.
Moser Patterson & Sheridan LLP.
SRI - International
Tong, Esq. Kin-Wah