Detecting denial of service attacks on communication networks

US 10,027,694 B1
Filed: 03/28/2016
Issued: 07/17/2018
Est. Priority Date: 03/28/2016
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious traffic on a communication network, the system comprising:

a data store including historical traffic data for a communication node of the communication network, wherein the historical traffic data includes statistical information regarding data packets received at the communication node during a first period of time, the statistical information including at least an average entropy value and a standard deviation of entropy;

a computing device configured with computer-executable instructions that, when executed, cause the computing device to;

obtain traffic information regarding a set of data packets received at the communication node over a second period of time;

calculate an entropy value for the traffic information;

determine that the entropy value for the traffic information differs from the average entropy value by at least a threshold number of standard deviations;

detect that a network attack is occurring at the communication node based at least in part on the entropy value for the traffic information differing from the average entropy value by at least the threshold number of standard deviations; and

transmit a notification indicating that a network attack has been observed at the communication node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described to enable detection of network attacks in communication networks. An attack detection system receives information regarding network traffic occurring at nodes of a communication network, and analyzes the information for anomalous traffic patterns. The attack detection system can use multiple, parallel metric evaluation units programmed to detect specific types of anomalies within traffic patterns. In one instance, a metric evaluation unit is programmed to detect changes in entropy for the traffic, as distributed according to a characteristic such as source address, protocol, or country of origin. Where the entropy of a set of traffic differs from historical averages by a large amount, such as by many standard deviations, the attack detection system may flag the traffic as indicative of an attack, even when the absolute volume of traffic has not changed.

Citations

21 Claims

1. A system for detecting malicious traffic on a communication network, the system comprising:
- a data store including historical traffic data for a communication node of the communication network, wherein the historical traffic data includes statistical information regarding data packets received at the communication node during a first period of time, the statistical information including at least an average entropy value and a standard deviation of entropy;
  
  a computing device configured with computer-executable instructions that, when executed, cause the computing device to;
  
  obtain traffic information regarding a set of data packets received at the communication node over a second period of time;
  
  calculate an entropy value for the traffic information;
  
  determine that the entropy value for the traffic information differs from the average entropy value by at least a threshold number of standard deviations;
  
  detect that a network attack is occurring at the communication node based at least in part on the entropy value for the traffic information differing from the average entropy value by at least the threshold number of standard deviations; and
  
  transmit a notification indicating that a network attack has been observed at the communication node.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the network attack is a denial of service (DoS) attack.
  - 3. The system of claim 1, wherein the communication node is at least one of a router, a switch, a server, or a computing device configured to implement functionality of a router, a switch or a server.
  - 4. The system of claim 1, wherein the entropy value is calculated according to a distribution of the set of data packets, distributed according to a characteristic of data packets within the set of data packets.
  - 5. The system of claim 4, wherein the characteristic is at least one of packet size, protocol, port, source network address, destination network address, geographical location associated with the source network address, inter-packet arrival time, ingress interface, or type of service.
  - 6. The system of claim 4, wherein the entropy value is calculated according to proportions of the set of data packets sharing a value for the characteristic, and wherein the proportions are proportions of at least one of bytes, number of packets, and number of requests.

7. A computer-implemented method for detecting malicious traffic on a communication network, the computer-implemented method comprising:
- receiving historical traffic data for a communication node of the communication network, wherein the historical traffic data includes statistical information regarding data packets received at the communication node during a first period of time, the statistical information including at least an average entropy value and a dispersion value;
  
  receiving traffic information regarding a set of data packets received at the communication node over a second period of time;
  
  calculating an entropy value for the traffic information;
  
  determining that the entropy value for the traffic information differs from the average entropy value by at least a threshold number, the threshold number based at least in part on the dispersion value;
  
  detecting that a network attack is occurring at the communication node based at least in part on the entropy value for the traffic information differing from the average entropy value by at least the threshold number; and
  
  transmitting a notification indicating that a network attack has been observed at the communication node.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer-implemented method of claim 7, wherein the communication node is at least one of a router, a switch, a server, or a computing device configured to implement functionality of a router, a switch or a server.
  - 9. The computer-implemented method of claim 7, wherein the dispersion value is at least one of standard deviation, interquartile range, range, mean absolute difference, mean absolute deviation, average absolute deviation, coefficient of variation, or a relative mean difference.
  - 10. The computer-implemented method of claim 7, wherein the statistical information further includes (i) an average volume of data packets sharing a first characteristic and (ii) a dispersion value for the average volume, and wherein the computer-implemented method further comprises:
    - calculating a volume of data packets, from the set of data packets, that share the characteristic; and
      
      determining that the volume of the data packets that share the first characteristic differs from the average volume of data packets sharing the first characteristic by at least the threshold number; and
      
      wherein detecting that the network attack is occurring is further based at least in part on the volume of the data packets that share the characteristic differing from the average volume of data packets sharing the characteristic by at least the threshold number.
  - 11. The computer-implemented method of claim 7, wherein the notification is transmitted to at least one of a computing device associated with an administrator of the communication network or a computing device configured to mitigate the network attack.
  - 12. The computer-implemented method of claim 7, wherein the notification is transmitted to a computing device configured to generate a signature for the network attack based at least in part on comparing information regarding the data packets received at the communication node during a first period of time and information regarding the set of data packets received at the communication node over the second period of time.
  - 13. The computer-implemented method of claim 7 further comprising determining a potential target of the network attack at least partly by determining a destination network address associated with the set of data packets.

14. Non-transitory computer-readable media including computer-executable instructions that, when executed by a computing system, cause the computing system to:
- obtain historical traffic data for a communication node of the communication network, wherein the historical traffic data includes information regarding a first set of data packets received at the communication node during a first period of time, the information including at least a baseline value of the first set of data packets and a measurement of dispersion of the baseline value;
  
  obtain information regarding a second set of data packets received at the communication node over a second period of time;
  
  determine that the information regarding the second set of data packets differs from the baseline value by at least a threshold number, the threshold number based at least in part on the measurement of dispersion;
  
  detect that a network attack is occurring at the communication node based at least in part on the second set of data packets differing from the baseline value by at least a threshold number; and
  
  transmit a notification indicating that a network attack has been observed at the communication node.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The non-transitory computer-readable media of claim 14, wherein detecting that the network attack is occurring is further based at least in part on one of a volume of data packets sharing a characteristic, an entropy of a distribution of data packets sharing the characteristic, a rate of change of the volume, or a rate of change of the entropy.
  - 16. The non-transitory computer-readable media of claim 15, wherein the volume is calculated based on at least one of a number of bytes, a number of packets, or a number of requests.
  - 17. The non-transitory computer-readable media of claim 14, wherein the baseline value represents at least one of a mean, median or mode of an attribute of the first set of data packets.
  - 18. The non-transitory computer-readable media of claim 14, wherein the information further includes at least a second baseline value of the first set of data packets and a measurement of dispersion of the second baseline value, and wherein the computer-executable instructions further cause the computing system to determine that the second set of data packets differs from the second baseline value by at least a second threshold number, the second threshold number based at least in part on the measurement of dispersion of the second baseline value, and wherein detecting that a network attack is occurring is further based at least in part on the second set of data packets differing from the second baseline value by at least the second threshold number.
  - 19. The non-transitory computer-readable media of claim 14, wherein the notification is transmitted to a component of the communication network wherein the component is a computing device configured to generate a signature for the network attack based at least in part on comparing information regarding the first set of data packets and information regarding the second set of data packets.
  - 20. The non-transitory computer-readable media of claim 14, wherein the computer-executable instructions further cause the computing system to determine a potential target of the network attack at least partly by determining a destination network address associated with the second set of data packets.
  - 21. The non-transitory computer-readable media of claim 14, wherein the computer-executable instructions further cause the computing system to:
    - obtain information regarding a third set of data packets received at the communication node over a third period of time;
      
      determine that the information regarding the third set of data packets does not differ from the baseline value of the first set of data packets by at least the threshold number; and
      
      update the historical traffic data for the communication node based at least partly on the information regarding the third set of data packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Gupta, Piyush, Mhatre, Amit J., Stevenson, William Alexander, Beheray, Atulya S.
Primary Examiner(s)
Shepperd, Eric W

Application Number

US15/083,183
Time in Patent Office

841 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1458 Denial of Service

Detecting denial of service attacks on communication networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting denial of service attacks on communication networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links