This invention relates to techniques to detect network anomalies.
Networks allow computers to communicate with each other whether via a public network, e.g., the Internet or private networks. Managing networks is increasingly costly, while the business cost of network problems becomes increasingly high. Managing an enterprise network involves a number of inter-related activities including establishing a topology, establishing policies for the network and monitoring network performance. Another task for managing a network is detecting and dealing with security violations, such as denial of service attacks, worm propagation and so forth.
When collecting data on network traffic it is often necessary to determine the protocol/port used. Most traffic on the Internet uses well-known transport level port numbers. For example, the Hyper-Text Transfer Protocol (HTTP) usually uses port 80/Transmission Control Protocol (tcp); Domain Naming Service (DNS) protocol usually uses port 53/User datagram protocol (udp) and so forth. Some protocols, however, use short-lived (ephemeral), dynamically negotiated port numbers; each connection or transaction might use a different ephemeral port number.