US 7,475,426 B2
Flow-based detection of network intrusions
John A. Copeland, III, Atlanta, Ga. (US)
Assigned to Lancope, Inc., Atlanta, Ga. (US)
Filed on Jan. 18, 2007, as Appl. No. 11/624,441.
Application 11/624,441 is a continuation of application No. 10/000,396, filed on Nov. 30, 2001, granted, now 7,185,368.
Prior Publication US 2007/0180526 A1, Aug. 02, 2007
Int. Cl. G06F 11/30 (2006.01)
U.S. Cl. 726—23  [726/22; 726/25; 726/26; 713/151; 709/203; 709/224; 709/227; 705/51] 76 Claims
OG exemplary drawing
 
1. A method of analyzing network communication traffic on a data communication network for determining whether the traffic is legitimate or potential suspicious activity, comprising the steps of:
receiving information corresponding to a determined client/server (C/S) flow corresponding to a plurality of packets exchanged between two hosts on the data communication network that relate to a single service and is characterized by a predetermined C/S flow characteristic;
assigning a concern index value to a determined C/S flow based upon a predetermined concern index characteristic of the C/S flow;
maintaining an accumulated concern index comprising concern index values for one or more determined C/S flows associated with a host; and
issuing an alarm signal in the event that the accumulated concern index for a host exceeds an alarm threshold value.
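As an added illustration of the four steps recited in claim 1, not code from the patent or from Lancope, the following Python script assigns a concern index value to each client/server flow, keeps an accumulated concern index per host, and issues an alarm once a host's total exceeds a threshold. The flow records, the concern-index characteristics (unanswered SYN, SYN answered only by RST, unanswered UDP datagram, ICMP), the point values and the threshold are all constructed for this example; the patent specification defines its own characteristics and values, and the claim does not fix which host (here, the flow initiator) the index is attributed to.

```python
"""Flow-based concern-index accumulation (illustrative, not the patent's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One client/server (C/S) flow: the packets exchanged between two hosts
    that relate to a single service, summarized after the flow is over."""
    client: str      # host that initiated the flow
    server: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # service port on the server (0 for icmp)
    c_flags: str     # union of TCP flags seen from the client, e.g. "S", "SAF"
    s_flags: str     # union of TCP flags seen from the server ("" if none)
    pkts_s2c: int    # number of packets the server sent back


def concern_index(flow: Flow) -> int:
    """Assign a concern index value to one C/S flow.

    The characteristics and point values below are assumed for illustration.
    """
    if flow.proto == "tcp":
        if "S" in flow.c_flags and flow.pkts_s2c == 0:
            return 20   # SYN never answered: probe of a filtered port
        if "S" in flow.c_flags and "R" in flow.s_flags and "S" not in flow.s_flags:
            return 15   # SYN answered only by RST (no SYN-ACK): closed port
        return 0        # handshake completed: ordinary use of the service
    if flow.proto == "udp":
        return 5 if flow.pkts_s2c == 0 else 0   # unanswered UDP datagram
    if flow.proto == "icmp":
        return 2        # ICMP traffic carries a small constant concern
    return 0


def accumulate(flows, threshold):
    """Maintain an accumulated concern index per host and raise alarms.

    Returns (accumulated, alarms): accumulated maps host -> total concern
    index; alarms lists, in order, the hosts whose total exceeded the
    threshold (one alarm per host, raised on the flow that crossed it).
    """
    accumulated = defaultdict(int)
    alarms = []
    for flow in flows:
        accumulated[flow.client] += concern_index(flow)
        if accumulated[flow.client] > threshold and flow.client not in alarms:
            alarms.append(flow.client)
    return dict(accumulated), alarms


# Constructed sample traffic (not captured data): one ordinary user and one
# host probing a server, all summarized as C/S flows.
SCANNER, VICTIM, USER = "10.0.0.9", "192.0.2.10", "10.0.0.5"
SAMPLE_FLOWS = [
    # the user: a completed HTTPS session with many packets each way
    Flow(USER, VICTIM, "tcp", 443, "SAF", "SAF", 40),
    # the scanner: SYNs to eight TCP ports, six closed (RST) and two open
    *[Flow(SCANNER, VICTIM, "tcp", p, "S", "RA", 1) for p in (21, 22, 23, 25, 110, 143)],
    *[Flow(SCANNER, VICTIM, "tcp", p, "SR", "SA", 1) for p in (80, 443)],
    # ...and three UDP probes that nobody answered
    *[Flow(SCANNER, VICTIM, "udp", p, "", "", 0) for p in (53, 123, 161)],
]
ALARM_THRESHOLD = 100   # assumed value


if __name__ == "__main__":
    totals, alarmed = accumulate(SAMPLE_FLOWS, ALARM_THRESHOLD)
    for host, ci in sorted(totals.items()):
        print(f"{host:<12} accumulated concern index = {ci}")
    print("alarms:", alarmed)
```

Run as written, the scanner reaches 6 x 15 + 3 x 5 = 105 after its third unanswered UDP probe, crosses the threshold of 100 and triggers a single alarm, while the user's completed session contributes nothing. Note that the claim itself says nothing about how the accumulated index decays over time or is reset; a deployable detector would need such a policy, which this example omits.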