| Patent application number | Description | Published |
| 20100046378 | METHODS AND SYSTEMS FOR ANOMALY DETECTION USING INTERNET PROTOCOL (IP) TRAFFIC CONVERSATION DATA - A computer-based method for detecting anomalies in the traffic passing through an internet protocol (IP) network is described. The method includes extracting, from a database, a single instance of each unique packet header associated with a plurality of IP-to-IP packets, the IP-to-IP packets having been transmitted across the IP network over a predefined period of time, analyzing the packet headers to identify anomalous conversations based on at least one of a conversation uniqueness, a time of week uniqueness, and a data quantity uniqueness, and providing alerts corresponding to detected anomalous conversations. | 02-25-2010 |
| 20100046393 | METHODS AND SYSTEMS FOR INTERNET PROTOCOL (IP) TRAFFIC CONVERSATION DETECTION AND STORAGE - A computer-based method for collecting and storing types and quantities of traffic passing through an internet protocol (IP) network is described. The method includes extracting, from a database, a single instance of each unique packet header associated with a plurality of IP-to-IP packets, the IP-to-IP packets having been transmitted across the computer network over a predefined period of time, determining a highest probability service port for each IP-to-IP packet combination using the extracted packet headers, accumulating all IP-to-IP-on-Port packet combinations into a single record, the single record including a first packet time, a last packet time, and a total number of bytes transferred, storing the records for all IP-to-IP-on-Port conversations in the database, accumulating the packets based on IP-to-IP-on-protocol if the packets were part of a protocol where port numbers do not exist, and storing the accumulated packets where port numbers do not exist in the database. | 02-25-2010 |
| 20100050084 | METHODS AND SYSTEMS FOR COLLECTION, TRACKING, AND DISPLAY OF NEAR REAL TIME MULTICAST DATA - A computer-based method for depicting the participating devices of a multicast group based on the transmit and the receive activities of the devices in a computer network is described. The method includes extracting, from a database, a single instance of each unique packet header associated with a plurality of multicast packets, the multicast packets having been transmitted across the computer network over a predefined period of time, calculating a number of bytes transferred for each source internet protocol (IP) to destination IP multicast tuple from the extracted packets, determining a location of the source IP address and a bandwidth associated with the source IP address from the extracted packets, determining a location of the devices subscribing to the packets and a bandwidth associated with each of the destination sites, and providing a display of all multicast traffic, wherein the multicast traffic is summarized in a user selectable list. | 02-25-2010 |
| 20100050256 | METHODS AND SYSTEMS FOR INTERNET PROTOCOL (IP) PACKET HEADER COLLECTION AND STORAGE - A computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is described. The method includes capturing IP packets from a computer network, stripping packet header data from the captured IP packets, reviewing the stripped packet header data for multiple occurrences of matching packet header data, and storing, in a database, only a single instance of packet header data for any reviewed packet header data that is determined to have occurred multiple times. | 02-25-2010 |
| 20100050262 | METHODS AND SYSTEMS FOR AUTOMATED DETECTION AND TRACKING OF NETWORK ATTACKS - Methods for tracking attacking nodes are described and include extracting, from a database, an instance of each unique packet header associated with IP-to-IP packets transmitted over a time period. The method includes determining, from the extracted headers, which nodes have attempted to establish a connection with an excessive number of other nodes over a period, identifying these as potential attacking nodes, and determining, from the headers, which other nodes responded with a TCP SYN/ACK packet, indicating a willingness to establish connections and a potential for compromise. Nodes scanned by potential attacking nodes are disqualified from the identified nodes based on at least one of: data in the headers relating to an amount of data transferred, and scanning activities conducted by the nodes that responded to a potential attacking node with a TCP SYN/ACK packet. Any remaining potential attacking nodes and scanned nodes are presented to a user. | 02-25-2010 |