Method and apparatus for detecting denial of service attacks

US 20060272018A1
Filed: 05/27/2005
Published: 11/30/2006
Est. Priority Date: 05/27/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing network security, the method comprising the steps of:

receiving a dataflow destined for an end user network;

sampling the dataflow according to a predetermined sampling rate;

generating flow information from the sampled dataflow; and

forwarding the flow information for remote behavioral analysis to determine a behavioral profile indicative of a denial of service attack of the end user network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for supporting network security. A dataflow destined for an end user network is received. The dataflow is sampled according to a predetermined sampling rate. Flow information is generated from the sampled dataflow. The flow information is forwarded to a collector device for remote behavioral analysis to determine a behavioral profile indicative of a Denial of Service (DoS) attack (e.g., distributed Denial of Service (DDOS) attack) of the end user network.

Citations

23 Claims

1. A method for providing network security, the method comprising the steps of:
- receiving a dataflow destined for an end user network;
  
  sampling the dataflow according to a predetermined sampling rate;
  
  generating flow information from the sampled dataflow; and
  
  forwarding the flow information for remote behavioral analysis to determine a behavioral profile indicative of a denial of service attack of the end user network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein the dataflow is assigned a label associated with a Layer 2 path within a transport network, the method further comprising the steps of:
    - removing the label from the dataflow;
      
      examining a Layer 3 address associated with the dataflow; and
      
      routing the dataflow over the transport network according to the end user network according to the Layer 3 address.
  - 3. A method according to claim 2, wherein the behavioral analysis is performed at a collector device, the collector device comparing the behavioral profile against a baseline profile.
  - 4. A method according to claim 3, wherein the collector device resides in a data center for serving a plurality of end user networks.
  - 5. A method according to claim 3, further comprising the step of:
    - initiating blocking, at a mitigation device, of a subsequent dataflow destined for the end user network in response to the determination of the behavioral profile by the collector device.
  - 6. A method according to claim 5, wherein the mitigation device is configured to receive filter parameters from the collector device for blocking of the subsequent dataflow.
  - 7. A method according to claim 2, wherein the routing step is executed according to an Interior Gateway Protocol (IGP) or Multiprotocol Label Switching (MPLS) protocol.
  - 8. A method according to claim 1, wherein the denial of service attack is a distributed attack.

9. A communication system for providing network security, comprising:
- a router configured to sample a dataflow destined for an end user network according to a predetermined sampling rate and to generate a flow record from the samples; and
  
  a collector device configured to receive the flow information from the router and to determine a behavioral profile indicative of a denial of service attack of the end user network.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. A system according to claim 9, wherein the collector device compares the behavioral profile with a baseline profile.
  - 11. A system according to claim 9, wherein the collector device resides in a data center for serving a plurality of end user networks.
  - 12. A system according to claim 9, further comprising:
    - a mitigation device configured to initiate blocking of a subsequent dataflow destined for the end user network in response to the behavioral profile determined by the collector device.
  - 13. A system according to claim 12, wherein the mitigation device is configured to receive filter parameters from the collector device for blocking of the subsequent dataflow.
  - 14. A system according to claim 11, wherein the router is configured to route according to an Interior Gateway Protocol (IGP) or Multiprotocol Label Switching (MPLS) protocol.
  - 15. A system according to claim 9, wherein the denial of service attack includes a distributed Denial of Service (DDoS) attack.

16. A networking apparatus for routing dataflows in a transport network, the apparatus comprising:
- a flow filter and selection logic configured to sample a dataflow destined for an end user host or network according to a predetermined sampling rate;
  
  a routing engine configured to route the dataflow over the transport network; and
  
  a flow record generator configured to generate flow information from the sampled dataflow for behavioral analysis to detect a denial of service attack of the end user host or network.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. An apparatus according to claim 16, wherein the dataflow is assigned a label associated with a Layer 2 path within the transport network, the apparatus further comprising:
    - means for removing the label from the dataflow, wherein the routing engine examines a Layer 3 address associated with the dataflow and routes the dataflow based on the Layer 3 address.
  - 18. An apparatus according to claim 17, wherein the behavioral analysis is performed at a collector device, the collector device determining a behavioral profile based on the sampled dataflow and comparing the behavioral profile against a baseline profile.
  - 19. An apparatus according to claim 18, wherein the collector device resides in a data center for serving a plurality of end user networks.
  - 20. An apparatus according to claim 18, wherein a mitigation device is configured to initiate blocking of a subsequent dataflow destined for the end user host or network in response to the behavioral analysis by the collector device.
  - 21. An apparatus according to claim 20, wherein the mitigation device is configured to receive filter parameters from the collector device for blocking of the subsequent dataflow.
  - 22. An apparatus according to claim 17, wherein the routing engine routes the dataflow according to an Interior Gateway Protocol (IGP) or Multiprotocol Label Switching (MPLS) protocol.
  - 23. An apparatus according to claim 16, wherein the denial of service attack is a distributed attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
MCI Incorporated (Verizon Communications Inc.)
Inventors
Fouant, Stefan A.

Application Number

US11/139,115
Publication Number

US 20060272018A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Method and apparatus for detecting denial of service attacks

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting denial of service attacks

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links