FIELD: physics; computer engineering.
SUBSTANCE: the invention relates to computer engineering and can be used in automated information security tools for monitoring local area networks to detect computer attacks on network resources. The method of detecting local area network devices operating in network traffic capture mode uses a control network node, in which a threshold value for the correlation coefficient is set. The response time of workstations on the network is then determined. ICMP packets with a submit field that is not in the probed network are broadcast on the network, and the network loading is recorded. After that, the correlation coefficient between the network loading parameters and the response time of the workstations is determined; if the correlation coefficient exceeds the threshold value, a device operating in network traffic capture mode is present on the network.
EFFECT: reduced number of false alarms when analysing the response time of network nodes and increased probability of detecting workstations operating in network traffic capture mode.
3 dwg
Dates
2009-09-10—Published
2007-05-07—Filed
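The decision step of the method, as an added example that is not taken from the patent: the control node correlates the recorded network load with each workstation's response time and flags hosts whose coefficient exceeds the threshold. The Pearson coefficient, the host names, the units, the sample values and the 0.8 threshold are all assumptions made for illustration; the abstract does not specify them.

```python
from math import sqrt

def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two equal-length series with at least 2 samples")
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0  # no variation in a series: no evidence of correlation
    return sxy / sqrt(sxx * syy)

def capture_mode_suspects(load, response_ms_by_host, threshold):
    """Return {host: r} for hosts whose response time tracks network load.

    A host that only processes its own traffic should answer in roughly
    constant time; a host whose interface accepts every frame does more
    work as the probe load grows, so its response time rises with load.
    """
    suspects = {}
    for host, response_ms in response_ms_by_host.items():
        r = pearson(load, response_ms)
        if r > threshold:
            suspects[host] = round(r, 3)
    return suspects

# Constructed sample measurements (not from the patent).
LOAD = [100, 400, 800, 1200, 1600, 2000]           # probe packets per second
RESPONSE_MS = {
    "ws-01": [0.41, 0.39, 0.42, 0.40, 0.43, 0.40],  # jitter only
    "ws-02": [0.40, 0.55, 0.81, 1.02, 1.30, 1.55],  # rises with load
    "ws-03": [0.50, 0.50, 0.50, 0.50, 0.50, 0.50],  # constant series
}
THRESHOLD = 0.8  # assumed value set on the control node

if __name__ == "__main__":
    for host, r in capture_mode_suspects(LOAD, RESPONSE_MS, THRESHOLD).items():
        print(f"{host}: r={r} exceeds {THRESHOLD}, possible capture mode")
```

Comparing a coefficient against the threshold, rather than a raw response time, is what keeps a slow but unloaded workstation from being flagged.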