Denial of service attacks characterization
Abstract
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of data monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In one embodiment, a gateway device is disposed to pass network packets between the network and the victim site. The gateway includes a computing device executing a process to build a histogram for any attribute or function of an attribute of network packets and a process to determine if the values of the attribute exceed normal, threshold values expected for the attribute to indicate an attack on the site.
40 Claims
1. A process that monitors network traffic through a monitoring device disposed between a data center and a network for thwarting denial of service attacks on the data center comprises:
a detection process to determine if the values of a parameter exceed normal values for the parameter to indicate an attack on the site;
a characterization process to build a histogram for the parameter to compute significant outliers in a parameter and classify the attack; and
a filtering process that provides filtering of network packets based on characteristics of the attack.
(Dependent claims: 2, 3, 4, 5, 6)
7. A method for thwarting denial of service attacks on a data center, the method comprising:
producing a histogram of received network traffic for at least one parameter of network packets; and
characterizing an attack based on comparison of historical histograms with the produced histogram data for one or more parameters.
(Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
21. A monitoring device for thwarting denial of service attacks on a data center, the monitoring device comprises:
a computing device executing:
a process to build at least one histogram for at least one parameter of network traffic; and
a process to characterize an attack based on a comparison of a historical histogram of the at least one parameter to the built at least one histogram for the at least one parameter.
(Dependent claims: 22, 23, 24, 25, 26, 27)
28. A computer program product residing on a computer readable medium comprising instructions for causing a processor to:
build a histogram for any attribute or function of a parameter of network traffic; and
use the histogram data for the parameter to characterize an attack on the site.
(Dependent claims: 29, 30, 31)
32. A method of protecting a victim site during a denial of service attack, comprises:
disposing a gateway device between the victim site and a network;
monitoring network traffic through the gateway and determining if values of at least one parameter exceed normal, threshold values expected for the parameter to indicate an attack on the site;
producing a histogram for the at least one parameter of network traffic to characterize the attack by comparing the histogram to at least one historical histogram for that parameter; and
filtering out traffic based on characterizing the traffic, which the gateway deems to be part of an attack.
(Dependent claims: 33, 34, 35, 36)
37. A method to reduce blocking of legitimate traffic in a process to protect a victim site during a denial of service attack, comprises:
producing a histogram of network traffic to characterize an attack; and
filtering out traffic deemed part of an attack, the filtering comprising:
constructing a master correlation vector having asserted bits corresponding to the most important parameter correlations;
initializing a packet's correlation bit vector to 0, and for every parameter:
retrieving the parameter in a parameter suspicious vector to construct the packet's correlation bit vector; and
using the value of the packet's correlation bit vector to index into the master correlation bit vector.
(Dependent claims: 38, 39, 40)
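As an added illustration (not the patent's own code or data), the following Python script builds a per-parameter histogram of a constructed traffic window, compares it with a historical window to find outlier values as in claims 1 and 7, and then applies the master correlation vector filtering of claim 37 so that a packet is dropped only when the combination of suspicious parameters it matches is one the master vector asserts. The packet samples, the 0.2 share threshold and the filtering policy are constructed assumptions.

```python
from collections import Counter

PARAMS = ("src_net", "ttl", "size")  # parameters histogrammed, one bit each

# Constructed sample traffic (not from the patent): each packet carries its /24
# source network, IP TTL and size. BASELINE is the historical window; CURRENT is
# the window under inspection, flooded with identical packets from one network.
BASELINE = ([{"src_net": "10.0.0", "ttl": 64, "size": 1500}] * 40
            + [{"src_net": "192.168.1", "ttl": 128, "size": 512}] * 40
            + [{"src_net": "172.16.5", "ttl": 255, "size": 60}] * 20)
CURRENT = BASELINE[:50] + [{"src_net": "203.0.113", "ttl": 255, "size": 60}] * 150


def histogram(packets, param):
    """Histogram of one packet parameter, normalised to the share of packets per value."""
    counts = Counter(p[param] for p in packets)
    return {v: c / len(packets) for v, c in counts.items()}


def suspicious_values(current, historical, param, delta=0.2):
    """Parameter suspicious vector: values whose current share exceeds the historical share by > delta."""
    now, past = histogram(current, param), histogram(historical, param)
    return {v for v, share in now.items() if share - past.get(v, 0.0) > delta}


def packet_correlation_bits(pkt, suspicious):
    """Packet correlation bit vector: bit i is set when parameter i has a suspicious value."""
    bits = 0
    for i, param in enumerate(PARAMS):
        if pkt[param] in suspicious[param]:
            bits |= 1 << i
    return bits


def master_correlation_vector(indices):
    """Master vector with one asserted bit per combination of suspicious parameters to filter."""
    return sum(1 << i for i in indices)


# Constructed policy: filter only when the source network (bit 0) is suspicious
# together with at least one other parameter; TTL or size anomalies alone pass.
MASTER = master_correlation_vector([0b011, 0b101, 0b111])


def classify(current, historical, master=MASTER):
    """Return (packets filtered, packets passed) for the current window."""
    suspicious = {p: suspicious_values(current, historical, p) for p in PARAMS}
    filtered = sum((master >> packet_correlation_bits(pkt, suspicious)) & 1 for pkt in current)
    return filtered, len(current) - filtered
```

Indexing the master vector with the packet's bit vector is what keeps a legitimate packet that merely shares the flood's TTL and size (bits 0b110, not asserted) from being dropped.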