Patent · US Active

Detecting outlier pairs of scanned ports

US11070569B2 · kind B2 · utility

Cited by: 0
References: 37
Claims: 13
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jan 30, 2019
Grant date: Jul 20, 2021
Priority date
Expiry date: Dec 27, 2039

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/0254
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A method, including identifying, in network data traffic, multiple scans, each of the scans including an access, in the traffic, of a plurality of ports on a given destination node by a given source node during a predefined period. Respective first probabilities of being accessed during any given scan are computed for the communication ports that were accessed in the identified scans, and a respective second probability that both of the ports in the pair were accessed during any given scan is computed for each pair of the ports in the identified scans. Upon detecting a scan by one of the nodes including accesses of first and second ports on a given destination node for which the respective second probability for the pair of the first and second ports is lower than a threshold dependent upon the respective first probabilities of the first and second ports, a preventive action is initiated.
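The following sketch is an added illustration of the scoring step the abstract describes, not code from the patent. The abstract only says the threshold depends on the two first probabilities; the form `ratio * P(a) * P(b)`, the `ratio` value, the function names and the constructed scan history are all assumptions.

```python
from collections import Counter
from itertools import combinations

def fit(scans):
    """Count, over historical scans (one set of ports per source/destination/
    period), how often each port and each port pair was accessed."""
    single = Counter(p for s in scans for p in s)
    pair = Counter(frozenset(c) for s in scans for c in combinations(sorted(s), 2))
    return len(scans), single, pair

def outlier_pairs(scan, model, ratio=0.1):
    """Return port pairs in `scan` whose joint probability is below the
    threshold. Assumed threshold: ratio * P(a) * P(b), i.e. a fraction of
    what independent access of the two ports would predict."""
    n, single, pair = model
    hits = []
    for a, b in combinations(sorted(scan), 2):
        if a not in single or b not in single:
            continue  # never-seen port: no first probability to base a threshold on
        p_a, p_b = single[a] / n, single[b] / n      # first probabilities
        p_ab = pair[frozenset((a, b))] / n           # second (pair) probability
        if p_ab < ratio * p_a * p_b:
            hits.append((a, b))
    return hits

# Constructed history: scans of Windows-like and Unix-like hosts,
# both of which also expose port 80.
HISTORY = [{80, 135, 139, 445}] * 5 + [{22, 80, 111, 2049}] * 5
MODEL = fit(HISTORY)

if __name__ == "__main__":
    # A scan touching both SSH and SMB on one destination is an unusual pairing.
    for a, b in outlier_pairs({22, 80, 445}, MODEL):
        print(f"outlier pair {a}/{b}: candidate for preventive action")
```

Pairs involving a port absent from the history are skipped here; a deployment would need its own policy for them.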

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.