Method of detecting distributed denial of service based on grey theory

US 20050135266A1
Filed: 06/10/2004
Published: 06/23/2005
Est. Priority Date: 12/22/2003
Status: Active Grant

First Claim

Patent Images

1. A method of network activity detection, comprising the following steps:

receiving network flow and generating a first sequence and a second sequence therefrom, each comprising a plurality of consecutive traffic data elements, with at least one traffic data element in the second sequence a succession of the first sequence;

creating a first model according to the first sequence, comprising a first development coefficient and a first random factor;

generating a first predictive sequence corresponding to the second sequence by substituting the first sequence and the first model into the equation $y_{k + 1} = (x_{0} - \frac{b}{a}) \cdot ⅇ^{- ak} + \frac{b}{a},$

wherein;

X₀represents the first traffic data element in the first sequence; and

y_krepresents traffic data in predictive sequence;

k is a natural number indexing traffic data in predictive sequence;

analyzing malicious network activities by comparing the first predictive sequence and the second sequence; and

implementing a defense procedure when an analyzing result meets a predetermined condition.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of malicious network activity detection. An intrusion detection system provides defense against distributed denial of service (DDOS) attacks through an efficient modeling process based on grey theory.

Citations

18 Claims

1. A method of network activity detection, comprising the following steps:
- receiving network flow and generating a first sequence and a second sequence therefrom, each comprising a plurality of consecutive traffic data elements, with at least one traffic data element in the second sequence a succession of the first sequence;
  
  creating a first model according to the first sequence, comprising a first development coefficient and a first random factor;
  
  generating a first predictive sequence corresponding to the second sequence by substituting the first sequence and the first model into the equation $y_{k + 1} = (x_{0} - \frac{b}{a}) \cdot ⅇ^{- ak} + \frac{b}{a},$
  
  wherein;
  
  X₀represents the first traffic data element in the first sequence; and
  
  y_krepresents traffic data in predictive sequence;
  
  k is a natural number indexing traffic data in predictive sequence;
  
  analyzing malicious network activities by comparing the first predictive sequence and the second sequence; and
  
  implementing a defense procedure when an analyzing result meets a predetermined condition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as claimed in claim 1, wherein the network flow is received through a network node, and the receiving step further comprises categorizing the network flow into classes.
  - 3. The method as claimed in claim 1, wherein:
    - the first sequence comprises traffic data elements X₁to X_N;
      
      the second sequence comprises traffic data elements X_M+1to X_M+N; and
      
      M is a natural number between 1 and N.
  - 4. The method as claimed in claim 3, further comprising, after creation of the first model, creating a second model according to the second sequence, comprising a second development coefficient and a second random factor.
  - 5. The method as claimed in claim 4, further comprising, after creation of the second model, generating a second predictive sequence corresponding to the second sequence by substituting the second sequence and the second model into the equation.
  - 6. The method as claimed in claim 5, wherein the analyzing step comprises:
    - calculating a first inaccuracy between the second sequence and the first predictive sequence;
      
      calculating a second inaccuracy between the second sequence and the second predictive sequence; and
      
      comparing the first and second inaccuracies.
  - 7. The method as claimed in claim 1, wherein the defense procedure comprises:
    - sending an alert to at least one network node; and
      
      restricting bandwidth serving the attacked network flow.
  - 8. The method as claimed in claim 1, in which the defense procedure is also implemented upon receipt of an alert from at least one network node.
  - 9. The method as claimed in claim 1, in which the defense procedure is also implemented when the traffic data element exceeds a predetermined tolerable threshold.
  - 10. The method as claimed in claim 9, wherein a rule database is provided for recording the models corresponding to each sequence, comprising:
    - value of N and M; and
      
      value of the predetermined tolerable threshold.

11. A network device providing network activity detection, comprising:
- a network flow collector for generating a first sequence by receiving network flow comprising a plurality of traffic data element;
  
  a grey analyzer for creating a first model comprising a first development coefficient and a first random factor according to the first sequence, generating a first predictive corresponding to the first sequence by substituting the first model and the first sequence into a formula of $y_{k + 1} = (x_{0} - \frac{b}{a}) \cdot ⅇ^{- ak} + \frac{b}{a},$
  
  and assessing an intrusion by analyzing the first sequence and the first predictive sequence, wherein;
  
  X₀represents the first traffic data element in the substituted sequence;
  
  y represents traffic data element of the predictive sequence; and
  
  k is a natural number indexing traffic data element in sequence; and
  
  a security trigger for implementing a defense procedure when an analysis result meets a predetermined condition.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The device as claimed in claim 11, wherein:
    - the first sequence comprises traffic data element X₁to X_N; and
      
      the network flow collector further generates a second sequence comprising traffic data elements X_M+1to X_M+N, wherein M is a value between 1 and N.
  - 13. The device as claimed in claim 12, wherein the grey analyzer further creates a second model according to the second sequence, comprising a second development coefficient and a second random factor.
  - 14. The device as claimed in claim 13, wherein the grey analyzer further generates a second predictive sequence by substituting the second sequence and the second model into the equation.
  - 15. The device as claimed in claim 14, wherein the grey analyzer further calculates a first inaccuracy between the second sequence and the first predictive sequence, a second inaccuracy between the second sequence and the second predictive sequence, and obtaining a result by comparing the first and second inaccuracies.
  - 16. The device as claimed in claim 15, wherein the security trigger implements a defense procedure upon receipt of the alert from at least one network node or when the traffic data element exceeds a predetermined tolerable threshold, wherein the defense procedure comprises the steps of:
    - sending an alert to at least one network node; and
      
      restricting bandwidth serving the network flow.
  - 17. The device as claimed in claim 16, further comprising a rule database for recording the models corresponding to each sequence, wherein the rule database further comprises:
    - value of N and M; and
      
      value of the predetermined tolerable threshold.

18. A storage device, comprising a program for making a computer to process steps as follows:
- receiving network flow to generate a first sequence and a second sequence, each of which comprises a plurality of consecutive traffic data elements, with at least one traffic data element in the second sequence a succession of the first sequence;
  
  creating a first model according to the first sequence, comprising a first development coefficient and a first random factor;
  
  generating a first predictive sequence corresponding to the second sequence by substituting the first sequence and the first model into the equation $y_{k + 1} = (x_{0} - \frac{b}{a}) \cdot ⅇ^{- ak} + \frac{b}{a},$
  
  wherein;
  
  X₀represents the first traffic data element in the substituted sequence; and
  
  y_krepresents traffic data element in predictive sequence;
  
  k is a natural number indexing traffic data element in sequence;
  
  analyzing the network flow by comparing the first predictive sequence and the second sequence; and
  
  implementing a defense procedure when an analysis result meets a predetermined condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Transpacific IP Group Limited
Original Assignee
Institute For Information Industry
Inventors
Wang, Chan-Lon, Horng, Gwoboa, Lin, Chern-Tang

Granted Patent

US 7,376,090 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/252
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

Method of detecting distributed denial of service based on grey theory

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method of detecting distributed denial of service based on grey theory

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links