Research Menu

Skip Search Box
Lightweight Process for Interactive Vector Correlation



Technical Challenge:

An attacker can easily mask his originating IP through publicly available or illicit "hops" across administrative domains. The target of the attack can only conclude that the last hop IP address may belong to the attacker. A method for correlating activity from independent data sets is required to make a more accurate threat assessment. A cost-effective solution that can also work at backbone speeds must be lightweight.


IVEC is designed to detect correlated malicious activity for the purpose of automatically and more accurately identifying the true source. The technology is a series of processes implemented in the form of software. Interactive session packets (short packets such as those of typed characters in telnet sessions) are extracted from network traffic (live devices or files). Sequences of packets in a flow (unique host/port pairs) form vectors that can be correlated in time with those from other flows and/or datasets. The IVEC Correlation tool could be used by any organization that needs to analyze large volumes of data to protect their computer networks.

Demonstration Capability:

A briefing is available that illustrates the creation of vectors and correlation results from actual network traffic. Scripts are available to process pcap files (tcpdump).

Potential Commercial Application(s):

Network Security Applications and Information Assurance Products.

Patent Status:

A patent application has been filed with USPTO.

Reference Number: 1281

If you are interested in exploring this technology further, please express your interest in writing to the:

National Security Agency
NSA Technology Transfer Program
9800 Savage Road, Suite 6541
Fort George G. Meade, Maryland 20755-6541


Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15 2009