Claims
- 1. A method of identifying anomalous traffic in a communications network, comprising:
performing traffic analysis on network traffic to produce traffic analysis data; removing data associated with expected traffic from the traffic analysis data; and identifying remaining traffic analysis data as anomalous traffic.
- 2. The method of claim 1, further comprising:
investigating the anomalous traffic.
- 3. The method of claim 1, further comprising:
tracing the anomalous network traffic to a point of origin in the communications network.
- 4. The method of claim 1, further comprising:
capturing one or more blocks of data of the anomalous traffic; and sending the one or more blocks of data to a traceback device for tracing the anomalous network traffic to a point of origin in the communications network.
- 5. A device for auditing network traffic, comprising:
a memory configured to store instructions; and a processing unit configured to execute the instructions in memory to:
conduct traffic analysis on the network traffic to produce traffic analysis data, identify expected network traffic, eliminate data associated with the expected traffic from the traffic analysis data, and identify remaining traffic analysis data as anomalous traffic.
- 6. The device of claim 5, the processing unit further configured to:
investigate the anomalous network traffic.
- 7. The device of claim 5, the processing unit further configured to:
initiate tracing of the anomalous network traffic to a point of origin in the communications network.
- 8. The device of claim 5, the processing unit further configured to:
capture one or more blocks of data of the anomalous traffic, and send the one or more blocks of data to a traceback device for tracing the anomalous network traffic to a point of origin in the communications network.
- 9. A computer-readable medium containing instructions for controlling at least one processor to perform a method of identifying anomalous traffic in a communications network, the method comprising:
performing traffic analysis on network traffic to produce traffic analysis data; identifying expected network traffic; removing data associated with the expected traffic from the traffic analysis data; and identifying remaining traffic analysis data as anomalous traffic.
- 10. The computer-readable medium of claim 9, the method further comprising:
investigating the anomalous network traffic.
- 11. The computer-readable medium of claim 9, the method further comprising:
tracing the anomalous network traffic to a point of origin in the communications network.
- 12. The computer-readable medium of claim 9, the method further comprising:
capturing one or more blocks of data of the anomalous traffic; and sending the one or more blocks of data to a traceback device for tracing the anomalous network traffic to a point of origin in the communications network.
- 13. A method of analyzing traffic in a communications network, comprising:
performing traffic analysis on traffic in the communications network; developing a model of expected traffic behavior based on the traffic analysis; and analyzing traffic in the communications network to identify a deviation from the expected traffic behavior model.
- 14. The method of claim 13, further comprising:
investigating the deviation from the expected traffic behavior.
- 15. The method of claim 14, further comprising:
reporting on results of the investigation.
- 16. The method of claim 13, further comprising:
tracing traffic associated with the deviation to a point of origin in the communications network.
- 17. A device for analyzing traffic in a communications network, comprising:
a memory configured to store instructions; and a processing unit configured to execute the instructions in memory to:
conduct traffic analysis on traffic in the communications network; construct a model of expected traffic behavior based on the traffic analysis; and analyze traffic in the communications network to identify a deviation from the expected traffic behavior model.
- 18. The device of claim 17, the processing unit further configured to:
investigate the deviation from the expected traffic behavior.
- 19. The device of claim 18, the processing unit further configured to:
report on results of the investigation.
- 20. The device of claim 17, the processing unit further configured to:
initiate the tracing of traffic associated with the deviation to a point of origin in the communications network.
- 21. A computer-readable medium containing instructions for controlling at least one processor to perform a method for analyzing traffic in a communications network, the method comprising:
conducting traffic analysis on traffic at one or more locations in the communications network; constructing a model of expected traffic behavior based on the traffic analysis; and analyzing traffic at the one or more locations in the communications network to identify a deviation from the expected traffic behavior model.
- 22. The computer-readable medium of claim 21, the method further comprising:
investigating the deviation from the expected traffic behavior.
- 23. The computer-readable medium of claim 22, further comprising:
reporting on results of the investigation.
- 24. The computer-readable medium of claim 21, the method further comprising:
tracing traffic associated with the deviation to a point of origin in the communications network.
- 25. A method of tracing suspicious traffic flows back to a point of origin in a network, comprising:
performing traffic analysis on one or more flows of network traffic; identifying at least one of the one or more flows as a suspicious flow based on the traffic analysis; and tracing the suspicious flow to a point of origin in the network.
- 26. The method of claim 25, wherein tracing the suspicious flow to a point of origin comprises:
capturing at least one block of data associated with the suspicious flow; and forwarding the captured block of data to a traceback device for tracing the suspicious flow to the point of origin in the network.
- 27. The method of claim 25, wherein performing traffic analysis comprises:
utilizing at least one of discrete time Fourier transform (DFT), one-dimensional spectral density (periodogram), Lomb periodogram, one-dimensional cepstrum, cross spectral density, coherence, cross-spectrum, time varying grams, model-based spectral, statistical, and fractal and wavelet based time-frequency techniques in analyzing the one or more flows of traffic.
- 28. The method of claim 25, further comprising:
prohibiting traffic flows from the point of origin.
- 29. A traffic auditing device, comprising:
a memory configured to store instructions; and a processing unit configured to execute the instructions in memory to:
conduct traffic analysis on one or more flows of network traffic, identify at least one of the one or more flows as a suspicious flow based on the traffic analysis, and trace the suspicious flow to a point of origin in the network.
- 30. The device of claim 29, the processing unit further configured to:
capture at least one block of data associated with the suspicious flow; and initiate the sending of the captured data block to a traceback device for tracing the suspicious flow to the point of origin in the network.
- 31. The device of claim 29, the processing unit further configured to:
utilize at least one of discrete time Fourier transform (DFT), one-dimensional spectral density (periodogram), Lomb periodogram, one-dimensional cepstrum, cross spectral density, coherence, cross-spectrum, time varying grams, model-based spectral, statistical, and fractal and wavelet based time-frequency techniques in conducting traffic analysis on the one or more flows of traffic.
- 32. The device of claim 29, the processing unit further configured to:
prohibit traffic flows from the point of origin.
- 33. A computer-readable medium containing instructions for controlling at least one processor to perform a method of tracing suspicious traffic flows back to a point of origin in a network, the method comprising:
conducting traffic analysis on one or more flows of network traffic; identifying at least one of the one or more flows as a suspicious flow based on the traffic analysis; and tracing the suspicious flow to a point of origin in the network.
- 34. The computer-readable medium of claim 33, wherein tracing the suspicious flow to a point of origin comprises:
capturing at least one block of data associated with the suspicious flow; and sending the captured block of data to a traceback device for tracing the suspicious flow to the point of origin in the network.
- 35. The computer-readable medium of claim 33, wherein conducting traffic analysis comprises:
utilizing at least one of discrete time Fourier transform (DFT), one-dimensional spectral density (periodogram), Lomb periodogram, one-dimensional cepstrum, cross spectral density, coherence, cross-spectrum techniques, time varying grams, model-based spectral techniques, statistical techniques, and fractal and wavelet based time-frequency techniques in analyzing the one or more flows of traffic.
- 36. The computer-readable medium of claim 33, the method further comprising:
prohibiting traffic flows from the point of origin.
- 37. A system for analyzing traffic in a communications network, comprising:
means for performing traffic analysis on traffic in the communications network; means for developing a model of expected traffic behavior based on the traffic analysis; and means for analyzing traffic in the communications network to identify a deviation from the expected traffic behavior model.
- 38. A method of providing one or more authorizations to at least one of a source and destination of traffic in a communications network, comprising:
performing traffic analysis on traffic between the source and destination to determine whether the traffic between the source and destination was intercepted or contaminated; and selectively issuing, based on results of the traffic analysis, one or more authorizations to the at least one of the source and destination, the one or more authorizations indicating that the traffic between the source and destination was not intercepted or contaminated.
- 39. The method of claim 38, wherein, upon receipt of the one or more authorizations, the at least one of the source and destination uses selected data contained within the traffic.
- 40. The method of claim 38, further comprising:
refraining from issuing, based on results of the traffic analysis, any authorizations to the at least one of the source and destination.
- 41. The method of claim 40, wherein, upon not receiving any authorizations, the at least one of the source and destination does not use selected data contained within the traffic.
- 42. The method of claim 38, wherein performing traffic analysis comprises:
utilizing at least one of discrete time Fourier transform (DFT), one-dimensional spectral density (periodogram), Lomb periodogram, one-dimensional cepstrum, cross spectral-density, coherence, cross-spectrum, time varying grams, model-based spectral, statistical, and fractal and wavelet based time-frequency techniques in analyzing the traffic between the source and destination.
- 43. A device for providing one or more authorizations to at least one of a source and destination of traffic in a communications network, comprising:
a memory configured to store instructions; and a processing unit configured to execute the instructions in memory to:
perform traffic analysis on traffic between the source and destination to determine whether the traffic between the source and destination was intercepted or contaminated, and selectively issue, based on results of the traffic analysis, one or more authorizations to the at least one of the source and destination, the one or more authorizations indicating that the traffic between the source and destination was not intercepted or contaminated.
- 44. A computer-readable medium containing instructions for controlling at least one processor to perform a method of providing one or more authorizations to at least one of a source and destination of traffic in a communications network, the method comprising:
performing traffic analysis on traffic between the source and destination to determine whether the traffic between the source and destination was intercepted or contaminated; and selectively issuing, based on results of the traffic analysis, one or more authorizations to the at least one of the source and destination, the one or more authorizations indicating that the traffic between the source and destination was not intercepted or contaminated.
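Claims 1, 13, 25 and 27 together describe one pipeline: analyze traffic (here with a periodogram, one of the spectral techniques claim 27 lists), build a model of expected behaviour from clean windows, subtract the expected component, and treat what remains as the deviation that marks a suspicious flow for traceback. The Python below is an added example written for this page to make that pipeline concrete; it is not code from the patent or its assignee. The 64-sample window, the 5-second bin, the z-score threshold and relative floor, the flow labels and the traffic series are all constructed assumptions, and the DFT is written out by hand so the block runs with the standard library only.

```python
import cmath
import math
import random
from typing import Dict, List, Tuple

N = 64  # samples per analysis window (assumption: one packet count per 5-second bin)


def periodogram(samples: List[float]) -> List[float]:
    """One-dimensional spectral density (periodogram) of a traffic series.

    Plain O(N^2) DFT so no third-party library is needed. The series is
    mean-centred first so bin 0 (DC) does not swamp the rest.
    Returns one-sided power for bins 0..N//2.
    """
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    powers = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, v in enumerate(x):
            acc += v * cmath.exp(-2j * math.pi * k * t / n)
        powers.append(abs(acc) ** 2 / n)
    return powers


def build_expected_model(training: List[List[float]]) -> Dict[str, List[float]]:
    """Model of expected traffic behaviour (claim 13): per-bin mean and
    standard deviation of the periodogram over windows believed to be clean."""
    specs = [periodogram(w) for w in training]
    nbins = len(specs[0])
    mean = [sum(s[k] for s in specs) / len(specs) for k in range(nbins)]
    std = [math.sqrt(sum((s[k] - mean[k]) ** 2 for s in specs) / len(specs))
           for k in range(nbins)]
    return {"mean": mean, "std": std}


def residual_spectrum(window: List[float], model: Dict[str, List[float]]) -> List[float]:
    """Remove the expected-traffic component (claim 1): power left above the
    modelled mean in each bin is the 'remaining' data treated as candidate anomaly."""
    return [max(0.0, p - m) for p, m in zip(periodogram(window), model["mean"])]


def detect_deviation(window: List[float], model: Dict[str, List[float]],
                     z: float = 4.0, rel_floor: float = 0.05) -> List[Tuple[int, int]]:
    """Flag bins whose residual exceeds z baseline standard deviations.

    An absolute floor (a fraction of the strongest expected bin) is added so
    bins with near-zero baseline variance cannot be tripped by tiny jitter.
    Returns (bin, period_in_samples) pairs; the period is what an analyst
    would record with the captured data block before handing it to traceback."""
    floor = rel_floor * max(model["mean"])
    hits = []
    for k, r in enumerate(residual_spectrum(window, model)):
        if k and r > z * model["std"][k] + floor:  # bin 0 is DC, skipped
            hits.append((k, len(window) // k))
    return hits


def expected_traffic(rng: random.Random) -> List[float]:
    """Constructed 'normal' window: 100 pkt/bin base load, a slow periodic
    swing (period 32 samples) and a little uniform jitter."""
    return [100 + 30 * math.sin(2 * math.pi * 2 * t / N) + rng.uniform(-2, 2)
            for t in range(N)]


def suspicious_traffic(rng: random.Random) -> List[float]:
    """Constructed window: the same expected load plus a strong fixed-interval
    component every 8 samples, the kind of regularity a baseline lacks."""
    base = expected_traffic(rng)
    return [v + 40 * math.cos(2 * math.pi * 8 * t / N) for t, v in enumerate(base)]


def audit_flows(flows: Dict[str, List[float]],
                model: Dict[str, List[float]]) -> Dict[str, List[Tuple[int, int]]]:
    """Per-flow audit (claim 25): return only flows showing a deviation."""
    return {fid: hits for fid, w in flows.items() if (hits := detect_deviation(w, model))}


def demo() -> Dict[str, List[Tuple[int, int]]]:
    """Train on eight constructed clean windows, then audit two constructed flows."""
    rng = random.Random(7)
    model = build_expected_model([expected_traffic(rng) for _ in range(8)])
    flows = {  # flow labels are constructed, using documentation address ranges
        "10.0.0.5->198.51.100.7": expected_traffic(rng),
        "10.0.0.9->203.0.113.4": suspicious_traffic(rng),
    }
    return audit_flows(flows, model)


if __name__ == "__main__":
    print(demo())
```

Running it reports only the second flow, with a hit at bin 8 (period 8 samples, i.e. 40 seconds under the assumed bin size); the first flow's slow swing sits at bin 2 in both the model and the window, so subtracting the expected spectrum leaves nothing to flag. The floor matters in practice: with a clean training set the baseline variance at quiet bins is tiny, and a pure z-score would raise alerts on noise.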
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] The instant application claims priority from provisional application number 60/355,573 (Attorney Docket No. 02-4010PRO1), filed Feb. 5, 2002, the disclosure of which is incorporated by reference herein in its entirety.
[0002] The present application is a continuation-in-part of U.S. application Ser. No. 10/167,620 (Attorney Docket No. 00-4056), filed Oct. 19, 2001, the disclosure of which is incorporated by reference herein in its entirety.
[0003] The instant application is related to co-pending application Ser. No. 10/044,073 (Attorney Docket No. 01-4001), entitled “Systems and Methods for Point of Ingress Traceback of a Network Attack” and filed Jan. 11, 2002.
Provisional Applications (2)

| Number | Date | Country |
|---|---|---|
| 60355573 | Feb 2002 | US |
| 60242598 | Oct 2000 | US |
Continuation in Parts (1)

| Relation | Number | Date | Country |
|---|---|---|---|
| Parent | 10167620 | Oct 2001 | US |
| Child | 10289247 | Nov 2002 | US |