Patent · US Active

Automatically detecting distributed port scans in computer networks

US7957372B2 · kind B2 · utility

Cited by: 9
References: 15
Claims: 34
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jul 22, 2004
Grant date: Jun 7, 2011
Priority date
Expiry date: Oct 23, 2028

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/1466
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A detection and response system including a set of algorithms for detecting within a stream of normal computer traffic a subset of (should focus on network traffic eliciting a response) TCP or UDP packets with one IP Source Address (SA) value, one or a few Destination Address (DA) values, and a number exceeding a threshold of distinct Destination Port (DP) values. A lookup mechanism such as a Direct Table and Patricia search tree record and trace sets of packets with one SA and one DA as well as the set of DP values observed for the given SA, DA combination. The detection and response system reports the existence of such a subset and the header values including SA, DA, and multiple DPs of the subset. The detection and response system also includes various administrative responses to reports.
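The per-(SA, DA) bookkeeping the abstract describes can be sketched as follows. This is an added example, not the patent's implementation: a Python dict stands in for the Direct Table and Patricia tree lookup, and the record format, threshold value, and the names `PortScanDetector` and `scan_reports` are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records, one per line: "protocol SA DA DP" (not real traffic).
SAMPLE = """\
tcp 192.0.2.10 198.51.100.5 22
tcp 192.0.2.10 198.51.100.5 23
tcp 192.0.2.77 198.51.100.5 443
tcp 192.0.2.10 198.51.100.5 80
icmp 192.0.2.10 198.51.100.5 0
tcp 192.0.2.10 198.51.100.5 443
tcp 192.0.2.10 198.51.100.5 8080
tcp 192.0.2.10 198.51.100.5 22
udp 192.0.2.10 198.51.100.9 53
"""

class PortScanDetector:
    """Tracks distinct DPs per (SA, DA) and reports pairs over a threshold."""

    def __init__(self, threshold):
        self.threshold = threshold      # assumed value, tuned per network
        self.ports = defaultdict(set)   # (SA, DA) -> distinct DPs observed
        self.reported = set()           # pairs already reported once

    def observe(self, proto, sa, da, dp):
        """Return a report the first time a pair exceeds the threshold."""
        if proto.lower() not in ("tcp", "udp"):
            return None  # the abstract covers TCP and UDP packets only
        if not 0 <= dp <= 65535:
            raise ValueError(f"bad destination port: {dp}")
        key = (ip_address(sa), ip_address(da))  # rejects malformed addresses
        self.ports[key].add(dp)  # a set, so repeated ports do not inflate the count
        if len(self.ports[key]) > self.threshold and key not in self.reported:
            self.reported.add(key)
            return {"sa": sa, "da": da, "dps": sorted(self.ports[key])}
        return None

def scan_reports(text, threshold):
    """Feed records through the detector and collect the reports raised."""
    detector = PortScanDetector(threshold)
    reports = []
    for line in text.splitlines():
        proto, sa, da, dp = line.split()
        report = detector.observe(proto, sa, da, int(dp))
        if report:
            reports.append(report)
    return reports
```

With a threshold of 4, only the source that touched five distinct ports on one destination is reported; the repeated port 443 traffic from the other source never is.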

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.