(12) United States Patent
     Copeland, III

(10) Patent No.: US 7,185,368 B2
(45) Date of Patent: Feb. 27, 2007

(54) FLOW-BASED DETECTION OF NETWORK INTRUSIONS

(75) Inventor: John A. Copeland, III, Atlanta, GA (US)

(73) Assignee: Lancope, Inc., Atlanta, GA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 887 days.

(21) Appl. No.: 10/000,396

(22) Filed: Nov. 30, 2001

(65) Prior Publication Data
     US 2003/0105976 A1    Jun. 5, 2003

Related U.S. Application Data

(60) Provisional application No. 60/265,194, filed on Jan. 31, 2001, provisional application No. 60/250,261, filed on Nov. 30, 2000.

(51) Int. Cl.
     G06F 11/30 (2006.01)

(52) U.S. Cl.: 726/25; 726/22; 726/23; 726/26; 713/151; 709/203; 709/224

(58) Field of Classification Search: None
     See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,437,244 A *    8/1995   Van Gilst          119/73
5,557,686 A *    9/1996   Brown et al.       382/115
5,557,742 A      9/1996   Smaha et al.
5,621,889 A      4/1997   Lermuzeaux et al.
5,796,942 A *    8/1998   Esbensen           713/201
5,825,750 A *    10/1998  Thompson           370/244
5,970,227 A      10/1999  Dayan et al.

(Continued)

FOREIGN PATENT DOCUMENTS

WO    PCT/US99/29080    6/2000

(Continued)

OTHER PUBLICATIONS

Javitz H S et al.: “The SRI IDES Statistical Anomaly Detector”, Proceedings of the Symposium on Research in Security and Privacy, US Los Alamitos, IEEE Comp. Soc. Press, v. Symp. 12, pp. 316-326 XP000220803 ISBN: 0-8186-2168-0, p. 316, col. 1, line 1, p. 318, col. 1, line 3.*

(Continued)

Primary Examiner: Nasser Moazzami
Assistant Examiner: Ronald Baum
(74) Attorney, Agent, or Firm: Morris, Manning & Martin, LLP

(57) ABSTRACT

A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.

37 Claims, 9 Drawing Sheets

[Representative drawing (FIG. 1), FLOW-BASED INTRUSION DETECTION (FBID): Host #1 (H1), server Host #2 (H2) and Host #3 (H3) among other hosts on the network; legitimate (normal) packet flows to services such as TELNET 23, EMAIL SMTP 25, FINGER, KERBEROS 88, HTTPS 443 and LOGIN 513; packet header (IP ADDR, PORT) and data; concern index events including multiple packets from same source port to multiple ports, half-open attack (high no. of SYNs), TCP w/ bad flags and UDP w/ no data; TIME = 330 sec => FLOW TERMINATION; CI > ALARM THRESHOLD (e.g. 3,500) => ALERT.]

Splunk Inc. Exhibit 1007 Page 1

U.S. PATENT DOCUMENTS

5,991,881 A          11/1999  Conklin et al.
6,119,236 A *        9/2000   Shipley            713/201
6,182,226 B1         1/2001   Reid et al.
6,275,942 B1         8/2001   Bernhard et al.
6,321,338 B1         11/2001  Porras et al.
6,363,489 B1 *       3/2002   Comay et al.       726/22
6,453,345 B2 *       9/2002   Trcka et al.       709/224
6,502,131 B1 *       12/2002  Vaid et al.        709/224
6,628,654 B1 *       9/2003   Albert et al.      370/389
6,853,619 B1 *       2/2005   Grenot             370/232
6,891,839 B2 *       5/2005   Albert et al.      370/401
2002/0104017 A1 *    8/2002   Stefan             713/201
2002/0133586 A1 *    9/2002   Shanklin et al.    709/224
2004/0187032 A1 *    9/2004   Gels et al.        713/201
2004/0237098 A1 *    11/2004  Watson et al.      725/25

FOREIGN PATENT DOCUMENTS

WO    PCT/US00/29490    5/2001

OTHER PUBLICATIONS

Lunt T F et al: “Knowledge-based Intrusion Detection”, Proceedings of the Annual Artificial Intelligence Systems in Government Conf. US, Washington, IEEE Comp. Soc. Press, vol. Conf. 4, pp. 102-107 XP000040018 p. 102, col. 1, line 1, p. 105, col. 2, line 21.*

Mahoney, M., “Network Traffic Anomaly Detection Based on Packet Bytes”, ACM, 2003, Fl. Institute of Technology, entire document, http://www.cs.fit.edu/~mmahoney/paper6.pdf.*

Copeland, John A., et al., “IP Flow Identification for IP Traffic Carried Over Switched Networks,” The International Journal of Computer Telecommunications Networking Computer Networks 31 (1999), pp. 493-504.

Cooper, Mark “An Overview of Intrusion Detection Systems,” Xinetica White Paper, (www.xinetica.com) Nov. 19, 2001.

Newman, P., et al. “RFC 1953: Ipsilon Flow Management Protocol Specification for IPv4 Version 1.0” (www.xyweb.com/rfe/rfc1953.html) May 19, 1999.

Paxson, Vern, “Bro: A System for Detecting Network Intruders in Real-Time,” 7th USENIX Security Symposium, Lawrence Berkeley National Laboratory, San Antonio, TX Jan. 26-29, 1998.

Mukherjee, Biswanath, et al., “Network Intrusion Detection,” IEEE Network, May/Jun. 1994.

“Network-vs Host-Based Intrusion Detection: A Guide to Intrusion Detection,” ISS Internet Security Systems, Oct. 2, 1998, Atlanta, GA.

Barford, Paul, et al. “Characteristics of Network Traffic Flow Anomalies,” ACM SIGCOMM Internet Measurement Workshop 2001 (http://www.cs.wisc.edu/pb/ublications.html) Jul. 2001.

Frincke, Deborah, et al., “A Framework for Cooperative Intrusion Detection” 21st National Information Systems Security Conference, Oct. 1998, Crystal City, VA.

Phrack Magazine, vol. 8, Issue 53, Jul. 8, 1998, Article 11 of 15.

“LANSleuth Fact Sheet,” LANSleuth LAN Analyzer for Ethernet and Token Ring Networks, (www.lansleuth.com/features.html), Aurora, Illinois.

“LANSleuth General Features,” (www.lansleuth.com/features.html), Aurora, Illinois.

* cited by examiner

[Drawing Sheet 1 of 9: FIG. 1, functional block diagram of the flow-based intrusion detection system.]

[Drawing Sheet 2 of 9: FIG. 2, PACKET HEADERS. TCP/IP packet 210: IP header 220 (version, type of service, total length, identification, flags, fragment offset, time to live, protocol, header checksum, source IP address, destination IP address), TCP header 230 (source port, destination port, sequence number, acknowledgment number, reserved and flag bits, window) and TCP data segment 235. UDP packet 240: UDP source port, UDP destination port, UDP message length, UDP checksum and UDP data segment 255. UDP pseudo header 250: destination address, zero, IP protocol type, UDP length.]

[Drawing Sheet 3 of 9: FIG. 3, TCP/IP SESSION 300: events at Host 1 and events at Host 2 (SYN, SYN-ACK, ACK and FIN-ACK sent and received).]

[Drawing Sheet 4 of 9: FIG. 4, client 110 and server 130 with flows SMTP1 and SMTP2; "time differential determines separate flows".]

[Drawing Sheet 5 of 9: FIG. 5, FLOW BASED ENGINE 155: packet classifier thread, flow collector thread and alert manager thread; flow data 162 and host data 166; operator notification 542, firewall manager 544, alert list 546, queries & reports 548. Legend: program threads are squares, data structures are ovals, data input/output are circles.]

[Drawing Sheet 6 of 9: FIG. 6, table of concern index values for C/S flows (table contents not recoverable).]

[Drawing Sheet 7 of 9: FIG. 7, table of concern index values for other host activities (table contents not recoverable).]

[Drawing Sheet 8 of 9: FIG. 8, hardware architecture.]

[Drawing Sheet 9 of 9: FIGS. 9A-9C, flow charts of the program threads. FIG. 9A, packet classifier thread: start; new packet available?; create flow record; update flow records. FIG. 9B, flow collector thread: periodic time elapse?; inactivity search; logic tree analysis (flow classification); assign concern index; write to log file. FIG. 9C, alert manager thread: periodic time elapsed?; CI search; alarm threshold exceeded?; create output files; signal.]

FLOW-BASED DETECTION OF NETWORK INTRUSIONS

CROSS REFERENCE TO RELATED APPLICATIONS

This Patent Application claims priority to the U.S. provisional patent application Ser. No. 60/250,261 entitled “System and Method for Monitoring Network Traffic” filed Nov. 30, 2000 and U.S. provisional patent application Ser. No. 60/265,194 entitled “The Use of Flows to Analyze Network Traffic” filed on Jan. 31, 2001, both of which are incorporated in their entirety by reference and made a part hereof.

REFERENCE TO COMPUTER PROGRAM LISTING SUBMITTED ON CD

This application incorporates by reference the computer program listing appendix submitted on (1) CD-ROM entitled “Flow-Based Engine Computer Program Listing” in accordance with 37 C.F.R. §1.52(e). Pursuant to 37 C.F.R. §1.77(b)(4), the material on said CD-ROM is incorporated by reference herein, said material being identified as follows:

Size in Bytes    Date of Creation    File Name
154,450          Nov. 30, 2001       LANcope Code.txt

A portion of the disclosure of this patent document including said computer code contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

TECHNICAL FIELD

The invention relates generally to the field of network monitoring and, more particularly, to an intrusion detection system that inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack or intrusion.

BACKGROUND ART

As the world proceeds into the 21st century, the Internet continues to grow without bounds. Networks have become indispensable for conducting all forms of business and personal communications. Networked systems allow one to access needed information rapidly, collaborate with partners, and conduct electronic commerce. The benefits offered by Internet technologies are too great to ignore. However, as with all technology advances, a trade-off ensues. While computer networks revolutionize the way one does business, the risks introduced can be substantial. Attacks on networks can lead to lost money, time, reputation, and confidential information.

One primary danger to avoid is having outside intruders gaining control of a host on a network. Once control is achieved, private company files can be downloaded, the controlled host can be used to attack other computers inside the firewall, or the controlled host can scan or attack computers anywhere in the world. Many organizations have pursued protecting their borders by the implementation of firewalls and intrusion detection systems (IDS).

Firewalls merely limit access between networks. Firewalls are typically designed to filter network traffic based on attributes such as source or destination addresses, port numbers, or transport layer protocols. Firewalls are susceptible to maliciously crafted traffic designed to bypass the blocking rules established. Additionally, almost all commercially available IDS are signature based detection systems or anomaly based systems.

Signature based detection systems piece together the packets in a connection to collect a stream of bytes being transmitted. The stream is then analyzed for certain strings of characters in the data commonly referred to as “signatures.” These signatures are particular strings that have been discovered in known exploits. The more signatures that are stored in a database, the longer it takes to do an exhaustive search on each data stream. For larger networks with massive amounts of data transferred, a string comparison approach is unfeasible. Substantial computing resources are needed to analyze all of the communication traffic.

Besides, even if a known exploit signature has been discovered, the signature is not useful until it has been installed and is available to the network. In addition, signature analysis only protects a system from known attacks. Yet, new attacks are being implemented all the time. Unfortunately, a signature based detection system would not detect these new attacks and would leave the network vulnerable.

Another approach to intrusion detection includes detection of unusual deviation from normal data traffic commonly referred to as “anomalies.” Like signature-based detection systems, many current anomaly based intrusion detection systems only detect known methods of attacks. Some of these known anomaly based attacks include TCP/IP stack fingerprinting, half-open attacks, and port scanning. However, systems relying on known attacks are easy to circumnavigate and leave the system vulnerable. In addition, some abnormal network traffic happens routinely, often non-maliciously, in normal network traffic. For example, an incorrectly entered address could be sent to an unauthorized port and be interpreted as an abnormality. Consequently, known anomaly based systems tend to generate an undesirable number of false alarms, which creates a tendency for all generated alarms to be ignored.

Some known intrusion detection systems have tried to detect statistical anomalies. The approach is to measure a baseline and then trigger an alarm when deviation is detected. For example, if a system typically has no traffic from individual workstations at 2 am, activity during this time frame would be considered suspicious. However, baseline systems have typically been ineffective because the small amount of malicious activity is masked by the large amounts of highly variable normal activity. On the aggregate, it is extremely difficult to detect the potential attacks.

Other intrusion detection systems compare long term profiled data streams to short term profiled data streams. One such system is described in U.S. Pat. No. 6,321,338 to Porras et al. entitled “Network Surveillance.” The system described in this patent does not necessarily analyze all the network traffic, but instead focuses on narrow data streams. The system filters data packets into various data streams and compares short term profiles to profiles collected over a long period. However, data traffic is typically too varied to meaningfully compare short term profiles to long term profiles. For example, merely because the average FTP streams may be 3
megabytes over the long term does not indicate that a 20 megabyte stream is an anomaly. Consequently, these systems generate a significant amount of false alarms or the malicious activity can be masked by not analyzing the proper data streams.

Consequently, there is a need for a scalable intrusion detection system that effectively characterizes and tracks network activity to differentiate abnormal behavior. Due to the impracticality of analyzing all the data flowing through the network, the system cannot rely on signature based methods. The detection system must be able to function even with the data traffic of larger networks. In addition, the system needs to quickly and efficiently determine if the network has undergone an attack without an excessive amount of false alarms.

DISCLOSURE OF THE INVENTION

The present invention provides a more accurate and reliable method for detecting network attacks based in large part on “flows” as opposed to signatures or anomalies. This novel detection system does not require an updated database of signatures. Instead, the intrusion detection system inspects all inbound and outbound activity and identifies suspicious patterns that denote non-normal flows and may indicate an attack. The computational simplicity of the technique allows for operation at much higher speeds than is possible with a signature-based system on comparable hardware.

According to one aspect of the invention, the detection system works by assigning data packets to various client/server (C/S) flows. Statistics are collected for each determined flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A value, referred to as a “concern index,” is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to an accumulated concern index associated with the responsible host, it is possible to identify hosts that are engaged in intruder activity without generation of significant unwarranted false alarms. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.

Generally speaking, the intrusion detection system analyzes network communication traffic for potential detrimental activity. The system collects flow data from packet headers between two hosts or Internet Protocol (IP) addresses. Collecting flow data from packet headers associated with a single service where at least one port remains constant allows for more efficient analysis of the flow data. The collected flow data is analyzed to assign a concern index value to the flow based upon a probability that the flow was not normal for data communications. A host list is maintained containing an accumulated concern index derived from the flows associated with the host. Once the accumulated concern index has exceeded an alarm threshold value, an alarm signal is generated.

BRIEF DESCRIPTION OF THE DRAWINGS

Benefits and further features of the present invention will be apparent from a detailed description of preferred embodiment thereof taken in conjunction with the following drawings, wherein like elements are referred to with like reference numbers, and wherein:

FIG. 1 is a functional block diagram illustrating a flow-based intrusion detection system constructed in accordance with a preferred embodiment of the present invention.

FIG. 2 is a diagram illustrating headers of datagrams.

FIG. 3 is a functional block diagram illustrating an exemplary normal TCP communication.

FIG. 4 is a functional block diagram illustrating C/S flows.

FIG. 5 is a functional block illustrating a flow-based intrusion detection engine.

FIG. 6 is a table illustrating concern index value for C/S flows.

FIG. 7 is a table illustrating concern index values for other host activities.

FIG. 8 is a functional block diagram illustrating hardware architecture.

FIG. 9, consisting of FIGS. 9A through 9C, are flow charts of the program threads in an exemplary embodiment of the invention.

BEST MODE

The described embodiment discloses a system that provides an efficient, reliable and scalable method of detecting network intrusions by analyzing communication flow statistics. The network intrusions are detected by a flow-based engine that characterizes and tracks network activities to differentiate between abnormal activity and normal communications. Flow-based detection does not rely on analyzing the data of packets for signatures of known attacks. Analyzing character strings for known attacks is extremely resource intensive and does not protect against new unknown attacks. Instead, the present intruder detection is accomplished by analyzing communication flows to determine if the communication has the flow characteristics of probes or attacks. Those skilled in the art will readily appreciate that numerous communications in addition to those explicitly described may indicate intrusion activity. By analyzing communications for abnormal flow characteristics, attacks can be determined without the need for resource intensive packet data analysis.

However, it is useful to discuss the basics of Internet communications to gain an understanding of the operation of the flow-based engine. Consequently, initially an overview of a flow-based detection system will be discussed. Following the overview, discussions on various aspects of Internet communications will follow. A detailed functionality of the flow-based engine of the present invention is described in detail in reference to FIG. 5 through FIG. 9.

Overview

Turning to the figures, in which like numerals indicate like elements throughout the several figures, FIG. 1 provides an overview of a flow-based intrusion detection system or engine 155 in accordance with an exemplary embodiment of the present invention. The flow-based intrusion detection system 155 monitors network computer communications. The network computer communications are routed via a known global computer network commonly known as the Internet 199. In accordance with an aspect of the invention, the intrusion detection engine 155 is incorporated into a monitoring appliance 150, together with a database 160 that stores information utilized in the intrusion detection methodology.

The operating environment of the intrusion detection system 155 is contemplated to have numerous hosts connected by the Internet 199, e.g. Host #1, Host #2, Host #3 (also referred to as H1-H3 respectively). Hosts are any computers that have full two-way access to other computers on the Internet 199 and have their own unique IP address.
For example Host #1 has an exemplary IP address of 208.60.239.19. The Internet 199 connects clients 110 with a

vide. Outgoing email typically utilizes the known Simple Mail Transfer Protocol (SMTP)
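
The scoring loop described under DISCLOSURE OF THE INVENTION (packet headers assigned to client/server flows, a concern index for each suspicious flow, accumulation per responsible host, an alarm above a threshold) is sketched below as an added example; it is not the program listing the patent incorporates by reference. The timeout, concern index values, port-scan limit, alarm threshold, the lower-port-is-server rule and the sample addresses are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

FLOW_TIMEOUT = 330.0     # assumed: seconds of silence that terminate a flow
ALARM_THRESHOLD = 3500   # assumed: per-host alarm value
PORT_SCAN_LIMIT = 4      # assumed: failed ports on one server before a scan event
CI = {"half_open": 500, "udp_no_data": 300, "port_scan": 2000}  # assumed weights

SYN, ACK = 0x02, 0x10    # TCP flag bits as carried in the TCP header


@dataclass
class Flow:
    client: str
    server: str
    proto: str
    port: int             # the service port that stays constant for the flow
    last_seen: float
    syns: int = 0
    established: bool = False
    payload: int = 0


class FlowEngine:
    def __init__(self):
        self.active = {}                       # flow key -> Flow
        self.host_ci = defaultdict(int)        # host -> accumulated concern index
        self.failed_ports = defaultdict(set)   # (client, server) -> suspicious ports
        self.scan_reported = set()

    def packet(self, ts, src, dst, sport, dport, proto, flags=0, length=0):
        """Assign one packet header to its client/server flow and update its statistics."""
        # Assumption: the lower-numbered port is the service (server) port.
        if dport <= sport:
            client, server, port, from_client = src, dst, dport, True
        else:
            client, server, port, from_client = dst, src, sport, False
        key = (client, server, proto, port)
        flow = self.active.get(key)
        if flow and ts - flow.last_seen > FLOW_TIMEOUT:
            self._close(flow)                  # long silence ends the old flow
            flow = None
        if flow is None:
            flow = self.active[key] = Flow(client, server, proto, port, ts)
        flow.last_seen = ts
        flow.payload += length
        if proto == "tcp" and from_client:
            if flags & SYN:
                flow.syns += 1
            elif flags & ACK and flow.syns:
                flow.established = True        # client completed the handshake

    def _close(self, flow):
        """Classify a finished flow and charge its concern index to the client host."""
        kind = None
        if flow.proto == "tcp" and flow.syns and not flow.established:
            kind = "half_open"
        elif flow.proto == "udp" and flow.payload == 0:
            kind = "udp_no_data"
        if kind is None:
            return                             # looks like legitimate traffic
        self.host_ci[flow.client] += CI[kind]
        pair = (flow.client, flow.server)
        self.failed_ports[pair].add(flow.port)
        if len(self.failed_ports[pair]) > PORT_SCAN_LIMIT and pair not in self.scan_reported:
            self.scan_reported.add(pair)       # charge the scan event once per pair
            self.host_ci[flow.client] += CI["port_scan"]

    def finish(self):
        """Close every flow still open (end of capture)."""
        for flow in list(self.active.values()):
            self._close(flow)
        self.active.clear()

    def alerts(self):
        """Hosts whose accumulated concern index exceeds the alarm threshold."""
        return sorted(h for h, ci in self.host_ci.items() if ci > ALARM_THRESHOLD)


def demo():
    """Constructed traffic: one normal HTTP session and one host probing six ports."""
    eng = FlowEngine()
    web, user, scanner = "192.0.2.80", "192.0.2.10", "198.51.100.7"
    eng.packet(0.0, user, web, 51000, 80, "tcp", SYN)
    eng.packet(0.1, web, user, 80, 51000, "tcp", SYN | ACK)
    eng.packet(0.2, user, web, 51000, 80, "tcp", ACK, 420)
    for i, port in enumerate((21, 22, 23, 25, 110, 143)):
        eng.packet(1.0 + i, scanner, web, 40000, port, "tcp", SYN)  # never completed
    eng.finish()
    return eng


if __name__ == "__main__":
    engine = demo()
    print(dict(engine.host_ci), engine.alerts())
```

Only header fields are read, so the cost per packet is a dictionary lookup and a few counters; no single half-open flow crosses the threshold, but the accumulated index of the probing host does.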
