Connection based denial of service detection

US 20040220984A1
Filed: 11/03/2003
Published: 11/04/2004
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

examining packet count and byte count to determine whether a host is a potential DoS victim; and

, if a host is determined to be a potential victim, iterating over all connected hosts to determine which hosts are possible attackers.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

147 Citations

View as Search Results

32 Claims

1. A method, comprising:
- examining packet count and byte count to determine whether a host is a potential DoS victim; and
  
  , if a host is determined to be a potential victim, iterating over all connected hosts to determine which hosts are possible attackers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein determining whether the host is a victim of a DoS attack, comprises:
    - comparing current measured inbound byte rate with historical average inbound byte rate for a current profiled time period.
  - 3. The method of claim 2 further comprising:
    - determining if a host has a large variance in inbound packet and byte rate; and
      
      if the host has a large variance calculating a variance to provide an appropriate margin of error before raising an alert of a DOS attack.
  - 4. The method of claim 3 wherein calculating the margin of error, includes evaluating(c>
    - (h+C1*σ
      
      )*C2)with “
      
      σ
      
      ²”
      
      is the variance of the host'"'"'s inbound byte rate, “
      
      c”
      
      the host'"'"'s current incoming byte rate, with “
      
      C1” and
      
      “
      
      C2”
      
      being selectable constants and “
      
      h”
      
      being the host'"'"'s historical average incoming byte rate;
      
      wherein if the inequality is true, then the host H is considered under a possible DoS attack.
  - 5. The method of claim 3 further comprising:
    - determining if the incoming packet count is above a threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.
  - 6. The method of claim 1 determining if conditions of a possible attack have been determined and increasing the severity of the reported event to reflect a corresponding degree of certainty that the event is a DOS attack.
  - 7. The method of claim 1 wherein conditions that influence whether an event is an attack include determining if the suspected victim is receiving traffic from an unusually relative to historical profile large number of other hosts.
  - 8. The method of claim 7 wherein conditions that influence whether an event is an attack include determining whether most of the hosts connecting to the suspected victim do not exist in the profile connection table.
  - 9. The method of claim 8 wherein conditions that influence whether an event is an attack include determining if most of the new traffic to the host is UDP, ICMP, or unknown protocols.
  - 10. The method of claim 8 further comprising:
    - using conditions of a possible attack to elevate the severity of the reported event.
  - 11. The method of claim 8 wherein if a host is determined to be a DoS victim, further comprising:
    - examining the host'"'"'s neighbors to determine which hosts are possible attackers.
  - 12. The method of claim 11 wherein examining comprises for each neighbor “
    - H_—{0}”
      
      of the host determining the byte rate from “
      
      H_—{0}”
      
      to the host, according toc_—{0}>
      
      (h_—{0}+C1*σ
      
      ²_—{0})*C2where “
      
      c_—{0}”
      
      be the current byte rate from “
      
      H_—{0}”
      
      to “
      
      H”
      
      , “
      
      h_—{0}”
      
      the historical average byte rate from “
      
      H_—{0}”
      
      to “
      
      H”
      
      , “
      
      C1” and
      
      “
      
      C2”
      
      are constants, and “
      
      σ
      
      ²_—{0}”
      
      is the variance of the byte rate from “
      
      H”
      
      to “
      
      H_—{0}”
      
      ; and
      
      indicating that “
      
      H_—{0}”
      
      is a suspected attacker of “
      
      H”
      
      if the inequality is satisfied.
  - 13. The method of claim 11 wherein examining comprises for each neighbor “
    - H_—{0}”
      
      of the host determining the byte rate from the host to “
      
      H_—{0}”
      
      , according toc_—{0}>
      
      (h_—{0}+C1*σ
      
      ²_—{0})*C2where “
      
      c_—{0}”
      
      be the current byte rate to “
      
      H_—{0}”
      
      from “
      
      H”
      
      , “
      
      h_—{0}”
      
      the historical average byte rate to “
      
      H_—{0}”
      
      from “
      
      H”
      
      , “
      
      C1” and
      
      “
      
      C2”
      
      are constants, and “
      
      σ
      
      ²_—{0}”
      
      is the variance of the byte rate to “
      
      H”
      
      from “
      
      H_—{0}”
      
      ; and
      
      indicating that “
      
      H_—{0}”
      
      is a suspected attacker of “
      
      H”
      
      if the inequality is satisfied.

14. A computer program product residing on a computer readable medium for detecting denial of service attacks, comprising instructions for causing a computer to:
- examine packet count and byte count to determine whether a host is a potential DoS victim; and
  
  , if a host is determined to be a potential victim, iterate over connected hosts to determine which hosts are possible attackers.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The computer program product of claim 14 wherein instructions to determine whether the host is a victim of a DoS attack, comprises instructions to:
    - compare current measured inbound byte rate with historical average inbound byte rate for a current profiled time period.
  - 16. The computer program product of claim 14 further comprising instructions to:
    - determine if a host has a large variance in inbound packet and byte rate; and
      
      if the host has a large variance calculate a variance to provide an appropriate margin of error before raising an alert of a DOS attack.
  - 17. The computer program product of claim 14 wherein instructions to calculate the margin of error, includes evaluating(c>
    - (h+C1*σ
      
      )* C2)with “
      
      σ
      
      ²”
      
      is the variance of the host'"'"'s inbound byte rate, “
      
      c”
      
      the host'"'"'s current incoming byte rate, with “
      
      C1” and
      
      “
      
      C2”
      
      being selectable constants and “
      
      h”
      
      being the host'"'"'s historical average incoming byte rate;
      
      wherein if the inequality is true, then the host H is considered under a possible DoS attack.
  - 18. The computer program product of claim 14 further comprising instructions to:
    - determine if the incoming packet count is above a threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.
  - 19. The computer program product of claim 14 wherein instructions to determine if conditions of a possible attack have been determined and increasing the severity of the reported event to reflect a corresponding degree of certainty that the event is a DOS attack.
  - 20. The computer program product of claim 14 wherein conditions that influence whether an event is an attack include determining if the suspected victim is receiving traffic from an unusually relative to historical profile large number of other hosts.
  - 21. The computer program product of claim 14 wherein conditions that influence whether an event is an attack include determining whether most of the hosts connecting to the suspected victim do not exist in the profile connection table.
  - 22. The computer program product of claim 14 wherein conditions that influence whether an event is an attack include determining if most of the new traffic to the host is UDP, ICMP, or unknown protocols.
  - 23. The computer program product of claim 14 further comprising instructions to:
    - use conditions of a possible attack to elevate the severity of the reported event.
  - 24. The computer program product of claim 14 further comprises instructions to:
    - examine the host'"'"'s neighbors to determine which hosts are possible attackers, if a host is determined to be a DoS victim.
  - 25. computer program product of claim 24 wherein instructions to examine further comprise instructions to:
    - determine for each neighbor “
      
      H_—{0}”
      
      of the host the byte rate from “
      
      H_—{0}”
      
      to the host, according to;
      
      c_—{0}>
      
      (h_—{0}+C1*σ
      
      ²_—{0})*C2where “
      
      c_—{0}”
      
      be the current byte rate from “
      
      H_—{0}”
      
      to “
      
      H”
      
      , “
      
      h_—{0}”
      
      the historical average byte rate from “
      
      H_—{0}”
      
      to “
      
      H”
      
      , “
      
      C1” and
      
      “
      
      C2”
      
      are constants, and “
      
      σ
      
      ²_—{0}”
      
      is the variance of the byte rate from “
      
      H”
      
      to “
      
      H_—{0}”
      
      ; and
      
      indicating that “
      
      H_—{0}”
      
      is a suspected attacker of “
      
      H”
      
      if the inequality is satisfied.
  - 26. The computer program product of claim 25 wherein instructions to examine further comprise instructions to:
    - determine for each neighbor “
      
      H_—{0}”
      
      of the host the byte rate from the host to “
      
      H_—{0}”
      
      , according toc_—{0}>
      
      (h_—{0}+C1*σ
      
      ²_—{0})*C2where “
      
      c_—{0}”
      
      be the current byte rate to “
      
      H_—{0}”
      
      from “
      
      H”
      
      , “
      
      h_—{0}”
      
      the historical average byte rate to “
      
      H_—{0}”
      
      from “
      
      H”
      
      , “
      
      C1” and
      
      “
      
      C2”
      
      are constants, and “
      
      σ
      
      ²_—{0}”
      
      is the variance of the byte rate to “
      
      H”
      
      from “
      
      H_—{0}”
      
      ; and
      
      indicate that “
      
      H_—{0}”
      
      is a suspected attacker of “
      
      H”
      
      if the inequality is satisfied.

27. Apparatus comprising:
- a processing device;
  
  a memory;
  
  a computer readable medium for executing a computer program product for detecting denial of service attacks, comprising instructions for causing the processing device to;
  
  examine packet count and byte count to determine whether a host is a potential DoS victim; and
  
  , if a host is determined to be a potential victim, iterate over connected hosts to determine which hosts are possible attackers.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The apparatus of claim 27 wherein instructions to determine whether the host is a victim of a DoS attack, comprises instructions to:
    - compare current measured inbound byte rate with historical average inbound byte rate for a current profiled time period.
  - 29. The apparatus of claim 27 wherein further comprising instructions to:
    - determine if a host has a large variance in inbound packet and byte rate; and
      
      if the host has a large variance calculate a variance to provide an appropriate margin of error before raising an alert of a DOS attack.
  - 30. The apparatus of claim 27 wherein instructions to calculate the margin of error, includes evaluating(c>
    - (h+C1*σ
      
      )*C2)with “
      
      σ
      
      ²”
      
      is the variance of the host'"'"'s inbound byte rate, “
      
      c”
      
      the host'"'"'s current incoming byte rate, with “
      
      C1” and
      
      “
      
      C2”
      
      being selectable constants and “
      
      h”
      
      being the host'"'"'s historical average incoming byte rate;
      
      wherein if the inequality is true, then the host H is considered under a possible DoS attack.
  - 31. The apparatus of claim 27 further comprising instructions to:
    - determine if the incoming packet count is above a threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.
  - 32. The apparatus of claim 27 wherein instructions to determine if conditions of a possible attack have been determined and increasing the severity of the reported event to reflect a corresponding degree of certainty that the event is a DOS attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Poletto, Massimiliano Antonio, Dudfield, Anne Elizabeth

Granted Patent

US 8,191,136 B2
Time in Patent Office

Days
Field of Search
US Class Current

708/200
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/22   comprising specially adapte...

H04L 43/06   Generation of reports

H04L 43/0894   Packet rate

H04L 43/16   Threshold monitoring

H04L 63/1458   Denial of Service

Connection based denial of service detection

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Connection based denial of service detection

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links