Method and system for detecting denial-of-service attack

US 20070067839A1
Filed: 08/19/2005
Published: 03/22/2007
Est. Priority Date: 10/28/2004
Status: Active Grant

First Claim

Patent Images

1-15. -15. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A monitoring device monitors a packet transmitted to a communication device that is a target of the denial-of-service attack, and detects traffic abnormality information indicating an abnormality of traffic due to the packet with respect to the communication device. A performance measuring device measures performance of the communication device, and detects performance abnormality information indicating an abnormality of throughput of the communication device. An attack determining device determines whether the communication device received the denial-of-service attack, based on the traffic abnormality information and the performance abnormality information.

61 Citations

View as Search Results

30 Claims

1-15. -15. (canceled)

16. A denial-of-service attack detecting system for detecting a denial-of-service attack on a communication device, the denial-of-service attack detecting system comprising:
- a monitoring device that monitors a packet transmitted to a communication device that is a target of the denial-of-service attack;
  
  a performance measuring device that measures performance of the communication device; and
  
  an attack determining device that performs communication with the monitoring device and the performance measuring device, wherein the monitoring device includes a traffic abnormality detecting unit that detects traffic abnormality information indicating an abnormality of traffic due to the packet with respect to the communication device, the performance measuring device includes a performance abnormality detecting unit that detects performance abnormality information indicating an abnormality of throughput of the communication device, and the attack determining device includes an effects determining unit that determines whether the communication device received the denial-of-service attack, based on the traffic abnormality information and the performance abnormality information.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The denial-of-service attack detecting system according to claim 16, wherein the monitoring device further includes a traffic-abnormality-information transmitting unit that transmits the traffic abnormality information to the attack determining device.
  - 18. The denial-of-service attack detecting system according to claim 16, wherein the performance measuring device further includes a performance-abnormality-information transmitting unit that transmits the performance abnormality information to the attack determining device.
  - 19. The denial-of-service attack detecting system according to claim 16, wherein the traffic abnormality detecting unit detects the traffic abnormality information based on a predetermined attack detection condition that is set in advance.
  - 20. The denial-of-service attack detecting system according to claim 19, wherein the monitoring unit further includes a signature generating unit that generates a signature indicating a feature of the packet attacking the communication device, based on the attack detection condition, and the traffic abnormality information includes the signature.
  - 21. The denial-of-service attack detecting system according to claim 16, wherein the traffic abnormality detecting unit detects the traffic abnormality information based on a steady traffic indicating an average traffic of the packet transmitted to the communication device.
  - 22. The denial-of-service attack detecting system according to claim 16, wherein the performance abnormality detecting unit detects the performance abnormality information based on a predetermined performance abnormality detection condition that is set in advance.
  - 23. The denial-of-service attack detecting system according to claim 22, wherein the performance abnormality detection condition includes a response time from transmission of a response request message to the communication device to reception of a response message corresponding to the response request message, and number of times that the response time exceeds a predetermined threshold.
  - 24. The denial-of-service attack detecting system according to claim 16, wherein the performance abnormality detecting unit detects the performance abnormality information based on a steady performance indicating an average performance feature of the communication device.
  - 25. The denial-of-service attack detecting system according to claim 16, wherein the effects determining unit determines that the communication device received the denial-of-service attack, when it is determined that one of the traffic abnormality information and the performance abnormality information causes an occurrence of other of the traffic abnormality information and the performance abnormality information based on an abnormality occurrence time included in the traffic abnormality information and the performance abnormality information.
  - 26. The denial-of-service attack detecting system according to claim 16, wherein when the effects determining unit determines that the communication device received the denial-of-service attack, the attack determining device transmits the traffic abnormality information and the performance abnormality information used for the determination to a device for reporting to an operator.
  - 27. The denial-of-service attack detecting system according to claim 16, wherein each of the traffic abnormality information and the performance abnormality information includes a certificate, and the effects determining unit determines whether the communication device received the denial-of-service attack, after performing an authorization based on certificates.

28. A method of detecting a denial-of-service attack on a communication device by using a monitoring device that monitors a packet transmitted to a communication device that is a target of the denial-of-service attack, a performance measuring device that measures performance of the communication device, and an attack determining device that performs communication with the monitoring device and the performance measuring device, the method comprising:
- traffic abnormality detecting including the monitoring device detecting traffic abnormality information indicating an abnormality of traffic due to the packet with respect to the communication device;
  
  performance abnormality information detecting including the performance measuring device detecting performance abnormality information indicating an abnormality of throughput of the communication device; and
  
  effects determining including the attack determining device determining whether the communication device received the denial-of-service attack, based on the traffic abnormality information and the performance abnormality information.
- View Dependent Claims (29, 30)
- - 29. The method according to claim 28, further comprising:
    - traffic abnormality information transmitting including the monitoring device transmitting the traffic abnormality information to the attack determining device.
  - 30. The method according to claim 28, further comprising:
    - performance abnormality information transmitting including the performance measuring device transmitting the performance abnormality information to the attack determining device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
Iwamura, Makoto, Fuji, Hitoshi, Hamada, Masaki

Granted Patent

US 7,636,942 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 41/5009   Determining service level p...

H04L 43/0817   by checking functioning

H04L 43/0852   Delays

H04L 43/0888   Throughput

H04L 43/16   Threshold monitoring

H04L 63/1458   Denial of Service

Method and system for detecting denial-of-service attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting denial-of-service attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links