Connection based denial of service detection
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events by aggregating anomalies into network events.
Claims (32)
1. A method, comprising:
examining packet count and byte count to determine whether a host is a potential DoS victim; and, if a host is determined to be a potential victim, iterating over all connected hosts to determine which hosts are possible attackers.
Dependent claims: 2-13.

14. A computer program product residing on a computer readable medium for detecting denial of service attacks, comprising instructions for causing a computer to:
examine packet count and byte count to determine whether a host is a potential DoS victim; and, if a host is determined to be a potential victim, iterate over connected hosts to determine which hosts are possible attackers.
Dependent claims: 15-26.

27. Apparatus comprising:
a processing device;
a memory;
a computer readable medium for executing a computer program product for detecting denial of service attacks, comprising instructions for causing the processing device to:
examine packet count and byte count to determine whether a host is a potential DoS victim; and, if a host is determined to be a potential victim, iterate over connected hosts to determine which hosts are possible attackers.
Dependent claims: 28-32.
Specification