Stateful attack protection
Abstract
A method for detecting an attack in a computer network includes monitoring communication traffic transmitted over connections on the network that are associated with a stateful application protocol so as to detect respective states of the connections, and analyzing a distribution of the states so as to detect the attack.
102 Claims
1. A method for detecting an attack in a computer network, comprising:
monitoring communication traffic transmitted over connections on the network that are associated with a stateful application protocol so as to detect respective states of the connections; and
analyzing a distribution of the states so as to detect the attack.
Dependent claims: 2-19.
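Claim 1 is stated in patent language; the following Python is an added illustration of the technique it describes, not code from the patent or its assignee. The stateful application protocol, its four state names, the baseline shares per state, the anomaly rule (a state's share of live connections exceeding a multiple of its baseline share) and the snapshot data are all assumptions made for this example.

```python
"""Added example (not the patent's own code): detecting an attack from the
distribution of connection states of a stateful application protocol, as in
claim 1. The protocol, its state names, the baseline shares and the sample
connections are all constructed for this example."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed stateful application protocol: every connection is in exactly one
# of these states at any moment.
STATES = ("HELLO_SENT", "AUTHENTICATING", "ESTABLISHED", "CLOSING")

# Share of live connections expected in each state under normal load
# (constructed values standing in for a learned baseline).
BASELINE: Dict[str, float] = {
    "HELLO_SENT": 0.10, "AUTHENTICATING": 0.10,
    "ESTABLISHED": 0.75, "CLOSING": 0.05,
}

Connection = Tuple[str, str]  # (client address, current protocol state)


def state_distribution(connections: Iterable[Connection]) -> Dict[str, float]:
    """Fraction of the monitored connections currently in each state."""
    counts = Counter(state for _, state in connections)
    total = sum(counts.values())
    return {s: (counts.get(s, 0) / total if total else 0.0) for s in STATES}


def detect_state_anomalies(connections: Iterable[Connection],
                           baseline: Dict[str, float] = BASELINE,
                           max_ratio: float = 3.0,
                           min_connections: int = 20) -> List[str]:
    """Return the states whose share of connections exceeds max_ratio times
    the baseline share. Fewer than min_connections gives no verdict, since a
    handful of connections cannot support a distribution estimate."""
    conns = list(connections)
    if len(conns) < min_connections:
        return []
    dist = state_distribution(conns)
    return [s for s in STATES if dist[s] > max_ratio * baseline[s]]


# Constructed snapshots of the connection table.
NORMAL_SNAPSHOT: List[Connection] = (
    [(f"10.0.0.{i}", "ESTABLISHED") for i in range(1, 31)]
    + [(f"10.0.1.{i}", "HELLO_SENT") for i in range(1, 4)]
    + [(f"10.0.2.{i}", "AUTHENTICATING") for i in range(1, 5)]
    + [(f"10.0.3.{i}", "CLOSING") for i in range(1, 3)]
)
# Same population plus 70 connections parked in AUTHENTICATING: sessions that
# were opened but never completed login, which shifts the state mix.
STALLED_SNAPSHOT: List[Connection] = NORMAL_SNAPSHOT + [
    (f"192.0.2.{i % 250 + 1}", "AUTHENTICATING") for i in range(70)
]

if __name__ == "__main__":
    print("normal :", detect_state_anomalies(NORMAL_SNAPSHOT))
    print("stalled:", detect_state_anomalies(STALLED_SNAPSHOT))
```

The detector looks only at the mix of states, not at any single connection, which is the point of the claim: a client that leaves many sessions half-way through the protocol is visible as a distortion of the distribution even when each connection on its own looks legitimate. The min_connections guard avoids verdicts on samples too small to estimate a distribution.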
20. A method for protecting a server on a communication network, the method comprising:
monitoring messages transmitted over the communication network for forwarding by the server so as to determine a respective number of recipients specified by each of the messages;
identifying a source address of one of the messages for which the number of recipients is equal at least to a threshold;
tracking a cumulative number of the recipients specified in a plurality of the messages from the identified source address; and
determining the source address to be malicious responsively to the cumulative number.
Dependent claims: 21-26.
27. A method for protecting a server on a communication network, the method comprising:
monitoring messages transmitted over the communication network for forwarding by the server so as to determine respective numbers of recipients specified by the messages;
adaptively setting an attack threshold responsively to the numbers of the recipients specified by a plurality of the messages; and
identifying as malicious one of the messages that specifies a number of recipients that is equal at least to the attack threshold.
Dependent claims: 28-38.
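Claims 20 and 27 describe two complementary rules on the number of recipients a message names: a per-message threshold that puts the source under cumulative tracking (claim 20), and an attack threshold that is adjusted from the recipient counts seen in earlier traffic (claim 27). The Python below is an added example covering both, not code from the patent or its assignee. The message structure, the source addresses, every threshold value, and the adaptive rule itself (mean plus k standard deviations over a sliding window of accepted messages, never below a floor) are assumptions made for this example; the claims say only that the threshold is set responsively to the observed counts.

```python
"""Added example (not the patent's own code): recipient-count based protection
of a mail relay, following claims 20 and 27. Message format, source addresses,
thresholds and the traffic sample are constructed for the example; the rule
"mean + k * stdev over a sliding window, never below a floor" is an assumed
way to set the attack threshold adaptively."""
import math
from collections import deque
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Deque, Dict, Optional, Set


@dataclass
class Message:
    source: str       # address the message came from (constructed IPs below)
    recipients: int   # number of recipients the message specifies


@dataclass
class RecipientMonitor:
    # Claim 20: a message naming at least this many recipients puts its source
    # under cumulative tracking ...
    per_message_threshold: int = 20
    # ... and the source is declared malicious once the recipients it named in
    # such messages add up to this many.
    cumulative_threshold: int = 100
    # Claim 27: the attack threshold is recomputed from the recipient counts of
    # the last window_size accepted messages (assumed rule, see module docstring).
    window_size: int = 16
    k: float = 3.0
    floor: int = 5
    window: Deque[int] = field(default_factory=deque)
    cumulative: Dict[str, int] = field(default_factory=dict)
    malicious_sources: Set[str] = field(default_factory=set)

    def attack_threshold(self) -> Optional[int]:
        """Adaptive threshold, or None until a full window has been observed."""
        if len(self.window) < self.window_size:
            return None
        estimate = mean(self.window) + self.k * pstdev(self.window)
        return max(self.floor, math.ceil(estimate))

    def process(self, msg: Message) -> Dict[str, bool]:
        verdict = {"message_malicious": False, "source_malicious": False}

        # Claim 27: compare the message against the threshold derived from
        # earlier traffic (computed before this message can influence it).
        threshold = self.attack_threshold()
        if threshold is not None and msg.recipients >= threshold:
            verdict["message_malicious"] = True
        else:
            # Only accepted messages feed the baseline, so a burst of bulk
            # messages cannot drag the threshold upward.
            self.window.append(msg.recipients)
            if len(self.window) > self.window_size:
                self.window.popleft()

        # Claim 20: sources that send large messages are tracked cumulatively.
        if msg.recipients >= self.per_message_threshold:
            total = self.cumulative.get(msg.source, 0) + msg.recipients
            self.cumulative[msg.source] = total
            if total >= self.cumulative_threshold:
                self.malicious_sources.add(msg.source)
        verdict["source_malicious"] = msg.source in self.malicious_sources
        return verdict


# Constructed traffic: 32 ordinary messages with small recipient counts ...
NORMAL_COUNTS = [1, 3, 1, 4, 2, 1, 3, 1] * 4
NORMAL = [Message(f"198.51.100.{i % 20 + 1}", n) for i, n in enumerate(NORMAL_COUNTS)]
# ... one legitimate bulk message, and four messages from a single source that
# each name 30 recipients.
BULK = Message("198.51.100.200", 25)
ATTACK = [Message("203.0.113.7", 30) for _ in range(4)]


def run_sample() -> Dict[str, object]:
    mon = RecipientMonitor()
    normal_flags = [mon.process(m)["message_malicious"] for m in NORMAL]
    threshold = mon.attack_threshold()
    bulk = mon.process(BULK)
    attack = [mon.process(m) for m in ATTACK]
    return {
        "attack_threshold": threshold,
        "normal_false_positives": sum(normal_flags),
        "bulk_message_flagged": bulk["message_malicious"],
        "bulk_source_malicious": bulk["source_malicious"],
        "attack_messages_flagged": [v["message_malicious"] for v in attack],
        "attack_source_malicious_after": [v["source_malicious"] for v in attack],
        "cumulative_for_attacker": mon.cumulative["203.0.113.7"],
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed sample the adaptive threshold settles at 6 recipients, so the single 25-recipient message is flagged by the claim-27 rule while its sender is not yet malicious under claim 20 (25 is below the cumulative threshold); the source sending 30-recipient messages crosses the cumulative threshold on its fourth message. Two design choices worth noting: the threshold is computed before the current message is added, and flagged messages never enter the window, so high-volume senders cannot raise the threshold that judges them.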
39. Apparatus for detecting an attack in a computer network, the apparatus comprising a network security processor, which is adapted to monitor communication traffic transmitted over connections on the network that are associated with a stateful application protocol so as to detect respective states of the connections, and analyze a distribution of the states so as to detect the attack.
58. Apparatus for protecting a server on a communication network, the apparatus comprising a network security processor, which is adapted to:
monitor messages transmitted over the communication network for forwarding by the server so as to determine a respective number of recipients specified by each of the messages, identify a source address of one of the messages for which the number of recipients is equal at least to a threshold, track a cumulative number of the recipients specified in a plurality of the messages from the identified source address, and determine the source address to be malicious responsively to the cumulative number.
59. Apparatus for protecting a server on a communication network, the apparatus comprising a network security processor, which is adapted to:
monitor messages transmitted over the communication network for forwarding by the server so as to determine respective numbers of recipients specified by the messages, adaptively set an attack threshold responsively to the numbers of the recipients specified by a plurality of the messages, and identify as malicious one of the messages that specifies a number of recipients that is equal at least to the attack threshold.
Dependent claims: 60-70.
71. A computer software product for detecting an attack in a computer network, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor communication traffic transmitted over connections on the network that are associated with a stateful application protocol so as to detect respective states of the connections, and analyze a distribution of the states so as to detect the attack.
90. A computer software product for protecting a server on a communication network, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor messages transmitted over the communication network for forwarding by the server so as to determine a respective number of recipients specified by each of the messages, identify a source address of one of the messages for which the number of recipients is equal at least to a threshold, track a cumulative number of the recipients specified in a plurality of the messages from the identified source address, and determine the source address to be malicious responsively to the cumulative number.
91. A computer software product for protecting a server on a communication network, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor messages transmitted over the communication network for forwarding by the server so as to determine respective numbers of recipients specified by the messages, adaptively set an attack threshold responsively to the numbers of the recipients specified by a plurality of the messages, and identify as malicious one of the messages that specifies a number of recipients that is equal at least to the attack threshold.