Detecting denial of service attacks on communication networks
First Claim
1. A system for detecting malicious traffic on a communication network, the system comprising:
a data store including historical traffic data for a communication node of the communication network, wherein the historical traffic data includes statistical information regarding data packets received at the communication node during a first period of time, the statistical information including at least an average entropy value and a standard deviation of entropy;
a computing device configured with computer-executable instructions that, when executed, cause the computing device to:
obtain traffic information regarding a set of data packets received at the communication node over a second period of time;
calculate an entropy value for the traffic information;
determine that the entropy value for the traffic information differs from the average entropy value by at least a threshold number of standard deviations;
detect that a network attack is occurring at the communication node based at least in part on the entropy value for the traffic information differing from the average entropy value by at least the threshold number of standard deviations; and
transmit a notification indicating that a network attack has been observed at the communication node.
1 Assignment
0 Petitions
Abstract
Systems and methods are described to enable detection of network attacks in communication networks. An attack detection system receives information regarding network traffic occurring at nodes of a communication network, and analyzes the information for anomalous traffic patterns. The attack detection system can use multiple, parallel metric evaluation units programmed to detect specific types of anomalies within traffic patterns. In one instance, a metric evaluation unit is programmed to detect changes in entropy for the traffic, as distributed according to a characteristic such as source address, protocol, or country of origin. Where the entropy of a set of traffic differs from historical averages by a large amount, such as by many standard deviations, the attack detection system may flag the traffic as indicative of an attack, even when the absolute volume of traffic has not changed.
21 Claims
1. A system for detecting malicious traffic on a communication network (independent; text identical to the First Claim above).
Dependent claims: 2, 3, 4, 5, 6
7. A computer-implemented method for detecting malicious traffic on a communication network, the computer-implemented method comprising:
receiving historical traffic data for a communication node of the communication network, wherein the historical traffic data includes statistical information regarding data packets received at the communication node during a first period of time, the statistical information including at least an average entropy value and a dispersion value;
receiving traffic information regarding a set of data packets received at the communication node over a second period of time;
calculating an entropy value for the traffic information;
determining that the entropy value for the traffic information differs from the average entropy value by at least a threshold number, the threshold number based at least in part on the dispersion value;
detecting that a network attack is occurring at the communication node based at least in part on the entropy value for the traffic information differing from the average entropy value by at least the threshold number; and
transmitting a notification indicating that a network attack has been observed at the communication node.
Dependent claims: 8, 9, 10, 11, 12, 13
14. Non-transitory computer-readable media including computer-executable instructions that, when executed by a computing system, cause the computing system to:
obtain historical traffic data for a communication node of the communication network, wherein the historical traffic data includes information regarding a first set of data packets received at the communication node during a first period of time, the information including at least a baseline value of the first set of data packets and a measurement of dispersion of the baseline value;
obtain information regarding a second set of data packets received at the communication node over a second period of time;
determine that the information regarding the second set of data packets differs from the baseline value by at least a threshold number, the threshold number based at least in part on the measurement of dispersion;
detect that a network attack is occurring at the communication node based at least in part on the second set of data packets differing from the baseline value by at least a threshold number; and
transmit a notification indicating that a network attack has been observed at the communication node.
Dependent claims: 15, 16, 17, 18, 19, 20, 21
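As an added worked example (this is not code from the patent or its assignee), the detection loop described in the abstract and in claims 1, 7 and 14, written in Python: build the first-period baseline (average source-address entropy and its standard deviation) from attack-free historical windows, then flag a second-period window whose entropy sits at least k standard deviations from that average. The traffic windows, the window generator, the k = 3 threshold and the min_stdev guard are assumptions of this example, not values from the patent.

```python
import math
from collections import Counter


def entropy(counts):
    """Shannon entropy, in bits, of a count distribution (e.g. packets per source)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    h = 0.0
    for c in counts.values():
        if c > 0:
            p = c / total
            h -= p * math.log2(p)
    return h


def window_entropy(packets, key):
    """Entropy of one observation window, with packets distributed according to
    a characteristic selected by `key` (source address, protocol, ...)."""
    return entropy(Counter(key(p) for p in packets))


def build_baseline(windows, key):
    """First-period statistics from the claims: average entropy and its sample
    standard deviation across attack-free historical windows."""
    values = [window_entropy(w, key) for w in windows]
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / (n - 1) if n > 1 else 0.0
    return mean, math.sqrt(var)


def detect_attack(window, key, mean, stdev, k=3.0, min_stdev=1e-3):
    """Flag the window when its entropy lies at least k standard deviations from
    the historical average, in either direction.  min_stdev is an assumed guard:
    a near-constant baseline would otherwise turn every tiny wobble into an alert."""
    h = window_entropy(window, key)
    z = (h - mean) / max(stdev, min_stdev)
    return {"packets": len(window), "entropy": h, "z": z, "attack": abs(z) >= k}


def by_src(p):
    return p["src"]


def make_benign_window(w):
    """Constructed benign traffic (not from the patent): 18..22 active sources,
    each sending 50..60 packets.  Deterministic in w so results are repeatable."""
    packets = []
    for i in range(18 + w % 5):
        for j in range(50 + (7 * i + w) % 11):
            packets.append({"src": f"10.0.0.{i}", "proto": "udp" if j % 10 == 0 else "tcp"})
    return packets


def run_demo():
    history = [make_benign_window(w) for w in range(30)]
    mean, stdev = build_baseline(history, by_src)

    benign = make_benign_window(30)
    # Spoofed-source flood: about the same volume as a benign window, but 1000
    # distinct sources, so source-address entropy rises far above the baseline.
    spoofed = [{"src": f"198.51.{i // 256}.{i % 256}", "proto": "udp"} for i in range(1000)]
    # Single-source flood: one host sends 900 of 1000 packets; entropy collapses.
    single = [{"src": "203.0.113.7", "proto": "tcp"} for _ in range(900)]
    single += [{"src": f"10.0.0.{i}", "proto": "tcp"} for i in range(20) for _ in range(5)]

    return {
        "baseline": (mean, stdev),
        "benign": detect_attack(benign, by_src, mean, stdev),
        "spoofed": detect_attack(spoofed, by_src, mean, stdev),
        "single_source": detect_attack(single, by_src, mean, stdev),
    }


if __name__ == "__main__":
    results = run_demo()
    mean, stdev = results["baseline"]
    print(f"baseline entropy {mean:.3f} bits, stdev {stdev:.3f}")
    for name in ("benign", "spoofed", "single_source"):
        r = results[name]
        print(f"{name:14s} packets={r['packets']:5d} H={r['entropy']:.3f} "
              f"z={r['z']:+8.1f} attack={r['attack']}")
```

The check is deliberately two-sided, because the two classic flood shapes move source-address entropy in opposite directions: a spoofed-source flood spreads packets over many addresses and pushes entropy up, while a single-source flood concentrates them and pushes it down. Both attack windows here carry roughly the same packet count as the benign one, which is the situation the abstract singles out: a pure volume threshold would miss them. Two practical caveats: the baseline is only as good as the first period, so historical windows must be known-clean (an attacker who pollutes them shifts the mean and widens the standard deviation), and a different `key` (protocol, country of origin) exposes a different class of anomaly, which is why the abstract runs several metric evaluation units in parallel rather than one.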