CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1441 (2013.01); H04L 63/166 (2013.01)]
23 Claims
1. A method, comprising:
identifying, in data traffic transmitted between multiple nodes that communicate over a network, a set of port scans, each of the port scans comprising an access, in the data traffic, of a plurality of communication ports on a given destination node by a given source node during a specified time period;
identifying in the data traffic a group of high-traffic ports, comprising one or more of the communication ports that receive respective volumes of the data traffic that are in excess of a predefined threshold; and
upon detecting a port scan not comprising the access of any of the identified high-traffic ports, initiating a preventive action.
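The three steps of claim 1, worked through on constructed flow records as an added example (not code from the patent or its assignee). The record layout, the fixed 60-second tumbling window, the minimum of four distinct ports and the 1,000,000-byte volume threshold are all assumptions chosen for illustration, and the "preventive action" is represented only by returning the flagged scans.

```python
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src, dst, dst_port, bytes)
FLOWS = (
    # Normal heavy HTTPS traffic to the server
    [(t, "10.0.0.5", "10.0.0.9", 443, 900_000) for t in range(0, 50, 10)]
    # Scan that touches only low-traffic ports
    + [(100 + i, "10.0.0.7", "10.0.0.9", p, 60)
       for i, p in enumerate([21, 23, 135, 139, 3389])]
    # Scan that includes a high-traffic port (443)
    + [(200 + i, "10.0.0.8", "10.0.0.9", p, 60)
       for i, p in enumerate([22, 80, 443, 445, 8080])]
)

def find_port_scans(flows, window=60, min_ports=4):
    """Step 1: (src, dst, window_start, ports) for every source that accessed
    at least min_ports distinct ports on one destination within one window."""
    seen = defaultdict(set)
    for ts, src, dst, port, _ in flows:
        seen[(src, dst, ts - ts % window)].add(port)
    return [(s, d, w, ports) for (s, d, w), ports in sorted(seen.items())
            if len(ports) >= min_ports]

def high_traffic_ports(flows, threshold_bytes=1_000_000):
    """Step 2: ports whose total observed volume exceeds the threshold."""
    volume = defaultdict(int)
    for _, _, _, port, nbytes in flows:
        volume[port] += nbytes
    return {p for p, v in volume.items() if v > threshold_bytes}

def suspicious_scans(flows):
    """Step 3: scans that accessed none of the high-traffic ports."""
    busy = high_traffic_ports(flows)
    return [scan for scan in find_port_scans(flows) if not (scan[3] & busy)]

if __name__ == "__main__":
    for src, dst, start, ports in suspicious_scans(FLOWS):
        print(f"flag {src} -> {dst} window={start} ports={sorted(ports)}")
```
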