Claims
- 1. A collector device comprises:
a processor; and a memory, the memory executing a computer program product to collect statistical information on packets that are sent between nodes on a network, including instructions to: determine which host in a host connection pair is performing a server process and which is performing a client process.
- 2. The device of claim 1 wherein the instructions to determine determine the protocol used in a connection between the host pair.
- 3. The device of claim 2 wherein, if the protocol is a connection-type protocol, the device identifies which host sent a sync packet and which host sent a synch_ack packet.
- 4. The device of claim 1 wherein the protocol is TCP.
- 5. The device of claim 1 wherein the source of the sync packet is the client and the source of the synch_ack is the server.
- 6. The device of claim 1 wherein, if the protocol is not a connection-based protocol, the instructions to determine determine the ports that the hosts communicate over.
- 7. The device of claim 6 wherein, if the hosts are transacting over a well-known port, the instructions to determine determine the server from a list of well-known ports.
- 8. The device of claim 7 wherein the list of well-known ports has identification of hosts based on previous sources of synch_ack packets, with the host that sent the synch_ack packet assumed to be the server.
- 9. The device of claim 1 wherein, if a connection involves two ports, neither of which is known, the host using the lower port number is assumed to be the server process.
- 10. The device of claim 1 wherein the server/client statistics are used when attempting to identify worm intrusions.
- 11. A method executed on a computing device comprises:
collecting statistical information on packets that are sent between nodes on a network; and determining from the statistical information which host in a host connection pair is performing a server process and which is performing a client process.
- 12. The method of claim 11 wherein determining determines the protocol used in a connection between the host pair.
- 13. The method of claim 12 wherein determining determines whether the protocol is a connection-type protocol and identifies which host sent a sync packet and which host sent a synch_ack packet.
- 14. The method of claim 13 wherein the protocol is TCP.
- 15. The method of claim 14 wherein determining determines the source of the sync packet as the client and the source of the synch_ack as the server.
- 16. The method of claim 11 wherein, if determining determines that the protocol is not a connection-based protocol, determining determines the ports that the hosts communicated over.
- 17. The method of claim 16 wherein, if the hosts are transacting over a well-known port, determining determines the server from a list of well-known ports.
- 18. The method of claim 17 wherein the list is populated with identification of hosts based on previous sources of synch_ack packets, with the host that sent the synch_ack packet assumed to be the server.
- 19. The method of claim 11 wherein, if a connection involves two ports, neither of which is known, the host using the lower port number is assumed to be the server process.
- 20. The method of claim 11 wherein the server/client statistics are used when attempting to identify worm intrusions.
- 21. A device comprises:
circuitry to collect statistical information on packets that are sent between nodes on a network; and circuitry to determine from the statistical information which host in a host connection pair is performing a server process and which is performing a client process.
- 22. The device of claim 21 wherein the circuitry to determine determines the protocol used in a connection between the host pair.
- 23. The device of claim 22 wherein the circuitry to determine determines whether the protocol is a connection-type protocol, to identify which host sent a sync packet and which host sent a synch_ack packet.
- 24. The device of claim 23 wherein the circuitry to determine determines the source of the sync packet as the client and the source of the synch_ack as the server.
- 25. The device of claim 21 wherein, if the circuitry to determine determines that the protocol is not a connection-based protocol, the circuitry determines the ports that the hosts communicated over.
- 26. The device of claim 21 wherein, if the hosts are transacting over a well-known port, the circuitry to determine determines the server from a list of well-known ports.
- 27. A computer readable medium tangibly storing a computer program product for detecting intrusions in a network, comprising instructions for causing a processor to:
collect statistical information on packets that are sent between nodes on a network; and determine which host in a host connection pair is performing a server process and which is performing a client process.
- 28. The product of claim 27 wherein the instructions to determine determine the protocol used in a connection between the host pair.
- 29. The product of claim 28 wherein, if the protocol is a connection-type protocol, the instructions identify which host sent a sync packet and which host sent a synch_ack packet, with the source of the sync packet being the client and the source of the synch_ack being the server.
- 30. The product of claim 27 wherein, if the protocol is not a connection-based protocol, the instructions to determine determine the ports that the hosts communicate over.
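Read together, the device, method, circuitry and medium claims above describe a single decision procedure for labelling the two ends of a connection: for a connection-type protocol (TCP) the sender of the synch_ack (the TCP SYN-ACK segment) is the server and the sender of the sync (SYN) is the client; for a connectionless protocol the server is whichever end uses a port on a well-known-port list, a list that is extended with ports learned from earlier SYN-ACK sources; and when neither port is listed, the lower port is taken as the server. The Python below is an added worked example of that procedure and is not code from the patent or its assignee. The `Packet` record, the `RoleClassifier` class, the seed port set and the sample flows are all constructed for illustration. It also shows two cases the claims do not spell out and a collector has to handle anyway: a TCP flow whose handshake was never observed (a half-open SYN scan, or a capture that started mid-stream), which falls through to the port rules, and a connection whose two ports are equal, which none of the rules can resolve.

```python
"""Server/client role classification for host connection pairs (added example).

Implements the decision procedure of the claims: SYN-ACK sender first, then the
well-known-port list (seeded, and extended from observed SYN-ACK sources), then
the lower-port rule. All names and sample data here are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" (connection-type) or "udp" (connectionless)
    flags: int = 0  # TCP flag bits; unused for udp


class RoleClassifier:
    """Decides which host of a connection pair is the server."""

    def __init__(self, seed_ports=()):
        # Well-known-port list used by the connectionless fallback. Seeded with
        # an assumed handful of ports and extended at run time with the source
        # ports of observed SYN-ACK segments.
        self.server_ports = set(seed_ports)
        # Distinct servers each host has contacted as a client: the kind of
        # server/client statistic a worm detector would consume.
        self.client_targets = defaultdict(set)

    def classify(self, pkts):
        """Return (server_host, client_host, method) for one connection's packets."""
        first = pkts[0]
        a = (first.src, first.sport)
        b = (first.dst, first.dport)
        server = method = None

        if first.proto == "tcp":
            # Connection-type protocol: the SYN-ACK sender is the server.
            for p in pkts:
                if p.flags & (SYN | ACK) == (SYN | ACK):
                    server = (p.src, p.sport)
                    self.server_ports.add(p.sport)  # learn the port for later UDP flows
                    method = "syn-ack"
                    break

        if server is None:
            # Connectionless protocol, or a TCP flow whose handshake was not
            # seen (half-open scan, capture started mid-stream): use the ports.
            a_known = a[1] in self.server_ports
            b_known = b[1] in self.server_ports
            if a_known != b_known:
                server = a if a_known else b
                method = "well-known-port"
            elif a[1] != b[1]:
                # Neither port listed (or, as an extension of the claims, both
                # listed): the end on the lower port number is the server.
                server = min(a, b, key=lambda end: end[1])
                method = "lower-port"
            else:
                # Equal ports (e.g. peer-to-peer NTP): no rule applies.
                return None, None, "ambiguous"

        client = b if server == a else a
        self.client_targets[client[0]].add(server[0])
        return server[0], client[0], method

    def client_fanout(self, host):
        """Number of distinct servers `host` has acted as a client toward."""
        return len(self.client_targets[host])


SEED_PORTS = {22, 53, 123}  # constructed seed list of well-known ports


def demo():
    """Run the classifier over constructed flows; returns (classifier, results)."""
    rc = RoleClassifier(SEED_PORTS)
    flows = {
        "tls_handshake": [  # full handshake on a non-standard port
            Packet("10.0.0.5", 51000, "10.0.0.9", 8443, "tcp", SYN),
            Packet("10.0.0.9", 8443, "10.0.0.5", 51000, "tcp", SYN | ACK),
            Packet("10.0.0.5", 51000, "10.0.0.9", 8443, "tcp", ACK),
        ],
        "dns_query": [Packet("10.0.0.5", 40000, "10.0.0.2", 53, "udp")],
        "udp_to_learned_port": [Packet("10.0.0.7", 40001, "10.0.0.9", 8443, "udp")],
        "unknown_ports": [Packet("10.0.0.5", 33000, "10.0.0.8", 7000, "udp")],
        "syn_scan_no_reply": [Packet("10.0.0.5", 52000, "10.0.0.11", 22, "tcp", SYN)],
        "ntp_peers": [Packet("10.0.0.3", 123, "10.0.0.4", 123, "udp")],
    }
    results = {name: rc.classify(pkts) for name, pkts in flows.items()}
    return rc, results


if __name__ == "__main__":
    rc, results = demo()
    for name, (server, client, method) in results.items():
        print(f"{name:22s} server={server} client={client} via {method}")
    print("client fan-out of 10.0.0.5:", rc.client_fanout("10.0.0.5"))
```

Two points worth keeping in mind when deploying a rule set like this. Because the learned list is fed by whoever sends a SYN-ACK, a host under an attacker's control can pollute it by answering connections on arbitrary ports, so a collector should age entries out or weight them by how many distinct clients confirmed them rather than trusting a single observation. And the lower-port rule is only a tie-breaker: on modern networks ephemeral ports are often above 32768, which makes the rule usable, but a service deliberately bound to a high port while the client uses a low ephemeral range will be labelled backwards, which in turn skews the client fan-out statistic that worm detection relies on.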
Parent Case Info
[0001] This application claims the benefit of U.S. Provisional Application Ser. No. 60/423,557, filed Nov. 4, 2002 entitled “ALGORITHMS FOR NETWORK ANOMALY DETECTION IN THE MAZU NETWORK PROFILER”; U.S. Provisional Application Ser. No. 60/427,294, filed Nov. 18, 2002 entitled “ANOMALY DETECTION AND ROLE CLASSIFICATION IN A DISTRIBUTED COMPUTING NETWORK” and U.S. Provisional Application Ser. No. 60/429,050, filed Nov. 25, 2002 entitled “ROLE CLASSIFICATION OF HOSTS WITHIN ENTERPRISE NETWORKS BASED ON CONNECTION PATTERNS.”
Provisional Applications (3)
| Number   | Date     | Country |
|----------|----------|---------|
| 60423557 | Nov 2002 | US      |
| 60427294 | Nov 2002 | US      |
| 60429050 | Nov 2002 | US      |