IPFIX-based detection of amplification attacks on databases

US 10,404,738 B2
Filed: 02/27/2017
Issued: 09/03/2019
Est. Priority Date: 02/27/2017
Status: Active Grant

First Claim

Patent Images

1. A system for protecting against amplification attacks, the system comprising:

a data store;

an appliance comprises one or more processors coupled to the data store, wherein the processors are configured to;

collect a plurality of samples of IPFIX data;

use the IPFIX data to create a plurality of time-based, server samples on a per server basis such that each server sample corresponds to a server and a period of time over which IPFIX data in the sample corresponds;

identify a first plurality of the server samples that are labeled positive for amplification attacks indicating that the first plurality of the server samples are associated with amplification attacks;

identify a second plurality of server samples that are labeled negative for amplification attacks indicating that the second plurality of the server samples are not associated with amplification attacks; and

automatically label at least some of the remaining server samples as positive or negative based on the previously identified labeled samples, by using the previously identified labeled samples to predict, with confidence above a predetermined threshold, that the at least some of the remaining server samples should be labeled as positive or negative; and

a protection system configured to use the automatically labeled samples, to identify, and protect against amplification attacks.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment illustrated herein includes a computer implemented method. The method includes acts for training an amplification attack detection system. The method includes obtaining a plurality of samples of IPFIX data. The method further includes using the IPFIX data to create a plurality of time-based, server samples on a per server basis such that each sample corresponds to a server and a period of time over which IPFIX data in the sample corresponds. The method further includes identifying a plurality of the server samples that are labeled positive for amplification attacks. The method further includes identifying a plurality of server samples that are labeled negative for amplification attacks. The method further includes automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples. The method further includes using the automatically labeled samples to train an amplification attack detection system.

4 Citations

View as Search Results

20 Claims

1. A system for protecting against amplification attacks, the system comprising:
- a data store;
  
  an appliance comprises one or more processors coupled to the data store, wherein the processors are configured to;
  
  collect a plurality of samples of IPFIX data;
  
  use the IPFIX data to create a plurality of time-based, server samples on a per server basis such that each server sample corresponds to a server and a period of time over which IPFIX data in the sample corresponds;
  
  identify a first plurality of the server samples that are labeled positive for amplification attacks indicating that the first plurality of the server samples are associated with amplification attacks;
  
  identify a second plurality of server samples that are labeled negative for amplification attacks indicating that the second plurality of the server samples are not associated with amplification attacks; and
  
  automatically label at least some of the remaining server samples as positive or negative based on the previously identified labeled samples, by using the previously identified labeled samples to predict, with confidence above a predetermined threshold, that the at least some of the remaining server samples should be labeled as positive or negative; and
  
  a protection system configured to use the automatically labeled samples, to identify, and protect against amplification attacks.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the appliance is configured to identify a plurality of the server samples that are labeled positive for amplification attacks by identifying manually labeled samples.
  - 3. The system of claim 1, wherein the appliance is configured to identify a plurality of server samples that are labeled negative for amplification attacks comprises applying automated rules to server samples to automatically label the server samples as negative for amplification attacks.
  - 4. The system of claim 3, wherein the appliance is configured to apply automated rules to server samples to automatically label the server samples as negative for amplification attacks by comparing incoming to outgoing packet size ratios with respect to a server.

5. A system comprising:
- one or more processors; and
  
  one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to train an amplification attack detection system, including instructions that are executable to configure the computer system to perform at least the following;
  
  obtain a plurality of samples of IPFIX data;
  
  use the IPFIX data to create a plurality of time-based, server samples on a per server basis such that each server sample corresponds to a server and a period of time over which IPFIX data in the sample corresponds;
  
  identify a first plurality of the server samples that are labeled positive for amplification attacks indicating that the first plurality of the server samples are associated with amplification attacks;
  
  identify a second plurality of server samples that are labeled negative for amplification attacks indicating that the second plurality of the server samples are not associated with amplification attacks;
  
  automatically label at least some of the remaining server samples as positive or negative based on the previously identified labeled samples, by using the previously identified labeled samples to predict, with confidence above a predetermined threshold, that the at least some of the remaining server samples should be labeled as positive or negative; and
  
  use the automatically labeled samples to train an amplification attack detection system to protect against amplification attacks.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein the one or more computer-readable media have stored thereon instructions that are executable by the one or more processors to configure the computer system to identify a plurality of the server samples that are labeled positive for amplification attacks by manually labeling samples as positive for amplification attacks.
  - 7. The system of claim 5, wherein the one or more computer-readable media have stored thereon instructions that are executable by the one or more processors to configure the computer system to identify a plurality of server samples that are labeled negative for amplification attacks by applying automated rules to server samples to automatically label the server samples as negative for amplification attacks.
  - 8. The system of claim 7, wherein the one or more computer-readable media have stored thereon instructions that are executable by the one or more processors to configure the computer system to apply automated rules to server samples to automatically label the server samples as negative for amplification attacks by comparing incoming to outgoing packet size ratios with respect to a server.
  - 9. The system of claim 7, wherein the one or more computer-readable media have stored thereon instructions that are executable by the one or more processors to configure the computer system to apply automated rules to server samples to automatically label the server samples as negative for amplification attacks by comparing a number of clients indicated in a sample.
  - 10. The system of claim 5, wherein the one or more computer-readable media have stored thereon instructions that are executable by the one or more processors to configure the computer system to automatically label at least some of the remaining server samples as positive or negative based on the previously identified labeled samples iteratively.
  - 11. The system of claim 10, wherein the one or more computer-readable media have stored thereon instructions that are executable by the one or more processors to configure the computer system automatically and iteratively label at least some of the remaining server samples as positive or negative based on the previously identified labeled samples until a steady state is reached where no more samples can be classified automatically.
  - 12. The system of claim 5, wherein the one or more computer-readable media have stored thereon instructions that are executable by the one or more processors to configure the computer system train the amplification attack detection system to protect against DNS amplification attacks.

13. A method of training an amplification attack detection system, the method comprising:
- obtaining a plurality of samples of IPFIX data;
  
  using the IPFIX data to create a plurality of time-based, server samples on a per server basis such that each server sample corresponds to a server and a period of time over which IPFIX data in the sample corresponds;
  
  identifying a first plurality of the server samples that are labeled positive for amplification attacks indicating that the first plurality of the server samples are associated with amplification attacks;
  
  identifying a second plurality of server samples that are labeled negative for amplification attacks indicating that the second plurality of the server samples are not associated with amplification attacks;
  
  automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples, by using the previously identified labeled samples to predict, with confidence above a predetermined threshold, that the at least some of the remaining server samples should be labeled as positive or negative; and
  
  using the automatically labeled samples to train an amplification attack detection system to protect against amplification attacks.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein identifying a plurality of the server samples that are labeled positive for amplification attacks comprises manually labeling samples as positive for amplification attacks.
  - 15. The method of claim 13, wherein identifying a plurality of server samples that are labeled negative for amplification attacks comprises applying automated rules to server samples to automatically label the server samples as negative for amplification attacks.
  - 16. The method of claim 15, wherein applying automated rules to server samples to automatically label the server samples as negative for amplification attacks comprises comparing incoming to outgoing packet size ratios with respect to a server.
  - 17. The method of claim 15, wherein applying automated rules to server samples to automatically label the server samples as negative for amplification attacks comprises comparing a number of clients indicated in a sample.
  - 18. The method of claim 13, wherein automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples is performed iteratively.
  - 19. The method of claim 18, wherein automatically and iteratively labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples is performed until a steady state is reached where no more samples can be classified automatically.
  - 20. The method of claim 13, wherein the amplification attack detection system is configured to protect against DNS amplification attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Scherman, Mathias, Teller, Tomer, Shteingart, Hanan, Ronen, Royi
Primary Examiner(s)
Ho, Dao Q

Application Number

US15/444,110
Publication Number

US 20180248906A1
Time in Patent Office

918 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 61/4511   using domain name system [DNS]

H04L 63/0245   Filtering by information in...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

IPFIX-based detection of amplification attacks on databases

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

4 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IPFIX-based detection of amplification attacks on databases

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links