System and method for detecting and preventing denial of service attacks in a communications system
Abstract
A method and system are provided for use in detecting and preventing attacks in a communications network. In one example, the method includes calculating first and second traffic volumes based on messages received at a first time and a second time, respectively. An average acceleration is calculated based on the first and second traffic volumes, and the method identifies whether the average acceleration has crossed a threshold. The messages are serviced only if the average acceleration has not crossed the threshold.
34 Claims
1. A method for detecting attacks in a communications network, the method comprising:
calculating first and second traffic volumes based on a plurality of messages received at a first time and a second time, respectively;
calculating an average acceleration based on the first and second traffic volumes;
identifying whether the average acceleration has crossed a threshold; and
servicing the plurality of messages only if the average acceleration has not crossed the threshold.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)

10. A method for detecting denial of service attacks against one of a plurality of network devices, the method comprising:
sampling a current traffic volume Vn for a network device at each of a plurality of times “n”;
calculating an acceleration for each of the plurality of times, wherein each acceleration An is based on a previous acceleration An-1, the current traffic volume Vn, and a previous traffic volume Vn-1;
calculating an average acceleration Aavg based on each of the calculated accelerations An; and
determining whether Aavg has crossed a threshold.
(Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18)

19. A communications system comprising:
a network device;
a processor;
a memory accessible to the processor for storing instructions for processing by the processor; and
a plurality of instructions, including;
instructions for calculating first and second traffic volumes based on a plurality of messages destined for the network device and received at a first time and a second time, respectively;
instructions for calculating an average acceleration based on the first and second traffic volumes;
instructions for identifying whether the average acceleration has crossed a threshold; and
instructions for permitting the plurality of messages to reach the network device only if the average acceleration has not crossed the threshold.
(Dependent claims: 20)

21. A system for detecting denial of service attacks against one of a plurality of communication devices, the system comprising:
a communications channel configured to carry traffic to the device;
a processor accessible to the communications channel;
means for sampling a current traffic volume Vn for the device at each of a plurality of times “n”;
means for calculating an acceleration for each of the plurality of times, wherein each acceleration An is based on a previous acceleration An-1, the current traffic volume Vn, and a previous traffic volume Vn-1;
means for calculating an average acceleration Aavg based on each of the calculated accelerations An; and
means for determining whether Aavg has crossed a threshold.
(Dependent claims: 22, 23, 24, 25)

26. An architecture for preventing denial of service attacks, the architecture comprising:
a traffic velocity monitor (TVM) configured to calculate a traffic velocity based on at least one of a source and a destination;
a traffic acceleration monitor (TAM) accessible to the TVM and configured to calculate an average traffic acceleration based on the velocity calculated by the TVM; and
a source filter accessible to at least the TVM, wherein the source filter is configured to block traffic from a source or to a destination identified by the TVM.
(Dependent claims: 27, 28, 29, 30, 31, 32, 33, 34)

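The recursion in claim 10 and the gating step in claim 1, as an added Python example that is not taken from the patent. The claims do not give the formula for An, so the weighted update, the four-sample averaging window, the unit sampling interval, the threshold value and the names `AccelerationMonitor` and `run_monitor` are assumptions, and the traffic volumes are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccelerationMonitor:
    threshold: float             # assumed unit: messages per interval squared
    weight: float = 0.5          # assumed smoothing weight applied to A(n-1)
    window: int = 4              # assumed number of A(n) values averaged into Aavg
    prev_volume: Optional[int] = None
    prev_accel: float = 0.0
    accels: list = field(default_factory=list)

    def sample(self, volume: int) -> float:
        """Record V(n) for this interval and return the updated Aavg."""
        if self.prev_volume is None:          # first sample: no V(n-1) yet
            self.prev_volume = volume
            return 0.0
        delta = volume - self.prev_volume     # V(n) - V(n-1), interval length = 1
        # Assumed update rule: blend A(n-1) with the newest change in volume.
        accel = (1 - self.weight) * self.prev_accel + self.weight * delta
        self.prev_volume, self.prev_accel = volume, accel
        self.accels = (self.accels + [accel])[-self.window:]
        return sum(self.accels) / len(self.accels)


def run_monitor(volumes, threshold):
    """Return (V(n), Aavg, serviced) per interval; serviced is False while Aavg is above the threshold."""
    monitor = AccelerationMonitor(threshold=threshold)
    results = []
    for volume in volumes:
        aavg = monitor.sample(volume)
        results.append((volume, aavg, aavg <= threshold))
    return results


# Constructed sample data: messages per interval for one destination.
FLOOD_VOLUMES = [100, 104, 98, 102, 180, 420, 900, 1500]   # sudden surge
RAMP_VOLUMES = [100, 110, 120, 130, 140, 150]              # steady growth

if __name__ == "__main__":
    for name, series in (("flood", FLOOD_VOLUMES), ("ramp", RAMP_VOLUMES)):
        print(name)
        for volume, aavg, serviced in run_monitor(series, threshold=100.0):
            print(f"  V={volume:5d}  Aavg={aavg:8.2f}  {'service' if serviced else 'hold'}")
```

With these assumed parameters the surge is held from the seventh sample onward, while the steady ramp never crosses the threshold because its volume grows at a constant rate.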
Specification