CPC H04L 63/1425 (2013.01) [H04L 41/142 (2013.01); H04L 43/04 (2013.01); H04L 43/0852 (2013.01); H04L 43/106 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/30 (2013.01); H04L 2463/121 (2013.01)] | 8 Claims
1. A surveillance system connectable to a network, comprising:
a communication module; and
a management module;
said system being configured to, during a first phase:
a. intercept a first message from the network, said first message being sent to a first device;
b. intercept a second message from the network, said second message being a response from the first device to the first message;
c. calculate a time interval between the interception of the first message and the interception of the second message;
d. repeat the steps a. to c. to determine further time intervals;
e. determine a distribution of said time intervals;
f. store with reference to the first device, the distribution of the time intervals; and
during a second phase, said system being configured to:
g. intercept a third message from the network, said message being sent to the first device;
h. intercept a fourth message from the network, said fourth message being a response from the first device to the third message;
i. calculate a new time interval between the interception of the third message and the interception of the fourth message; and
j. verify that the new time interval is within the distribution of time intervals,
wherein the messages are at least of two types, a transport layer message and an application layer message, and the system is further configured to calculate the time intervals only from the application layer messages, and
wherein the surveillance system is further configured to analyze the messages to further extract a message type, said distribution of time intervals being determined by message type, the message type being determined based on message content.
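The two phases of claim 1, sketched as an added example that is not taken from the patent or from any implementation of it. Assumptions: capture records are tuples of (timestamp, source, destination, layer, payload), the message type is the first payload byte, the names `hmi` and `plc1` and all sample timings are constructed, and "within the distribution" is tested as mean plus or minus three standard deviations, a choice the claim does not specify.

```python
from collections import defaultdict
from statistics import mean, stdev

def msg_type(payload: bytes) -> str:
    """Hypothetical content-based typing: the first payload byte is an opcode."""
    return f"op{payload[0]:02x}"

def intervals(capture, device):
    """Pair each application-layer message sent to `device` with the device's
    next application-layer response; yield (message_type, seconds)."""
    pending = None  # (type, timestamp) of the outstanding request
    for ts, src, dst, layer, payload in capture:
        if layer != "application":
            continue  # transport-layer messages (e.g. ACKs) never contribute
        if dst == device:
            pending = (msg_type(payload), ts)
        elif src == device and pending:
            yield pending[0], ts - pending[1]
            pending = None

def learn(capture, device):
    """First phase: store a (mean, stdev) summary per message type."""
    by_type = defaultdict(list)
    for mtype, dt in intervals(capture, device):
        by_type[mtype].append(dt)
    return {t: (mean(v), stdev(v)) for t, v in by_type.items() if len(v) >= 2}

def verify(profile, capture, device, k=3.0):
    """Second phase: (type, seconds, ok) per request/response pair."""
    results = []
    for mtype, dt in intervals(capture, device):
        mu, sigma = profile.get(mtype, (0.0, -1.0))  # unknown type always fails
        # Assumed test for "within the distribution": |dt - mean| <= k * stdev
        results.append((mtype, dt, abs(dt - mu) <= k * sigma))
    return results

def sample(delays, op, start=0.0):
    """Constructed capture: request, transport ACK after 1 ms, app response."""
    cap = []
    for i, d in enumerate(delays):
        t = start + i
        cap += [(t, "hmi", "plc1", "application", bytes([op, 0])),
                (t + 0.001, "plc1", "hmi", "transport", b""),
                (t + d, "plc1", "hmi", "application", bytes([op, 1]))]
    return cap

TRAIN = sample([.010, .011, .009, .010, .012], 0x03) + sample([.050, .052, .048, .051], 0x10, 100)
PROFILE = learn(TRAIN, "plc1")
if __name__ == "__main__":
    print(*verify(PROFILE, sample([.010, .040], 0x03) + sample([.010], 0x10, 10), "plc1"), sep="\n")
```

A 10 ms response passes for `op03` and fails for `op10`, which is the effect of keeping one distribution per message type; the 1 ms transport ACKs never enter either distribution.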