DYNAMIC NETWORK PROTECTION

US 20080052774A1
Filed: 10/24/2007
Published: 02/28/2008
Est. Priority Date: 05/19/2003
Status: Active Grant

First Claim

Patent Images

1-49. -49. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for protecting a network from an attack includes measuring a property of traffic entering the network, and analyzing the property using at least one fuzzy logic algorithm in order to detect the attack.

100 Citations

View as Search Results

197 Claims

1-49. -49. (canceled)

50. A method for protecting a network from an attack, the method comprising:
- measuring a time-related property of traffic entering the network;
  
  transforming the time-related property of the traffic into a frequency domain;
  
  analyzing the property in the frequency domain in order to detect the attack; and
  
  filtering the traffic entering the network in order to block traffic participating in the attack.
- View Dependent Claims (51, 52, 54, 55, 56, 57, 59, 60, 64, 67, 80)
- - 51. The method according to claim 50, wherein measuring the time-related property comprises measuring arrival times of packets, and wherein transforming the time-related property comprises determining a spectrum of packet arrival frequency.
  - 52. The method according to claim 50, wherein measuring the time-related property comprises measuring lengths of arriving data packets.
  - 54. The method according to claim 50, wherein measuring the time-related property comprises measuring rates of arriving data packets on each of a plurality of network connections, and wherein analyzing the property comprises determining a spectral distribution of packet frequencies among the plurality of network connections.
  - 55. The method according to claim 50, wherein analyzing the property comprises constructing and analyzing a matrix of packet arrival intensity in the frequency domain.
  - 56. The method according to claim 55, wherein constructing the matrix comprises expressing lengths of arriving data packets on a first axis of the matrix, and rates of arriving data packets on a second axis of the matrix.
  - 57. The method according to claim 55, wherein analyzing the property further comprises dividing the matrix into regions characterized by different degrees of packet arrival intensity, and selecting the packet arrival intensity of one of the regions to analyze as an indicator of the attack.
  - 59. The method according to claim 55, wherein analyzing the property further comprises dividing the matrix into regions characterized by different degrees of packet arrival intensity, and computing a ratio of (a) a first sum of the packet arrival intensities over a first portion of the regions to (b) a second sum of the packet arrival intensities over a second portion of the regions.
  - 60. The method according to claim 50, wherein analyzing the property comprises determining at least one frequency-domain characteristic of the traffic, and applying at least one fuzzy logic algorithm to the frequency-domain characteristic in order to detect the attack.
  - 64. The method according to claim 60, wherein analyzing the property comprises determining a level of noise of the traffic in the frequency domain, and adapting the at least one fuzzy logic algorithm responsively to the level of the noise.
  - 67. The method according to claim 50, wherein measuring the time-related property comprises observing packets arriving on connections of a stateful protocol, and wherein analyzing the property comprises constructing and analyzing a matrix of packet arrival intensity in the frequency domain, wherein the packet arrival intensity is expressed in terms of a number of the connections.
  - 80. The method according to claim 50, wherein filtering the traffic comprises determining one or more source Internet Protocol (IP) addresses of the traffic participating in the attack, and filtering the traffic by blocking traffic having the determined source IP addresses, and wherein measuring the time-related property comprises observing packets arriving on connections of a stateful protocol from a plurality of source Internet Protocol (IP) addresses, and wherein determining the one or more source IP addresses participating in the attack comprises:
    - determining that one or more of the connection are misused, by analyzing the property in the frequency domain; and
      
      identifying the one or more source IP addresses participating in the attack by counting the misused connections per each of the plurality of source IP addresses.

53. (canceled)

58. (canceled)

61-63. -63. (canceled)

65-66. -66. (canceled)

68-79. -79. (canceled)

81-114. -114. (canceled)

115. Apparatus for protecting a network from an attack, comprising:
- an interface; and
  
  a network security processor, which is adapted to monitor, via the interface, traffic entering the network, to measure a time-related property of the traffic, to transform the time-related property of the traffic into a frequency domain, to analyze the property in the frequency domain in order to detect the attack, and to filter the traffic entering the network in order to block traffic participating in the attack.
- View Dependent Claims (117, 118, 120, 121, 122, 126, 129, 137)
- - 117. The apparatus according to claim 115, wherein the network security processor is adapted to measure the time-related property by measuring arrival times of packets, and to transform the time-related property by determining a spectrum of packet arrival frequency.
  - 118. The apparatus according to claim 115, wherein the network security processor is adapted to measure the time-related property by measuring lengths of arriving data packets.
  - 120. The apparatus according to claim 115, wherein the network security processor is adapted to measure rates of arriving data packets on each of a plurality of network connections, and to analyze the property by determining a spectral distribution of packet frequencies among the plurality of network connections.
  - 121. The apparatus according to claim 115, wherein the network security processor is adapted to analyze the property by constructing and analyzing a matrix of packet arrival intensity in the frequency domain.
  - 122. The apparatus according to claim 121, wherein the network security processor is adapted to construct the matrix by expressing lengths of arriving data packets on a first axis of the matrix, and rates of arriving data packets on a second axis of the matrix.
  - 126. The apparatus according to claim 115, wherein the network security processor is adapted to analyze the property by determining at least one frequency-domain characteristic of the traffic, and applying at least one fuzzy logic algorithm to the frequency-domain characteristic in order to detect the attack.
  - 129. The apparatus according to claim 115, wherein the network security processor is adapted to observe packets arriving on connections of a stateful protocol, and to analyze the property by constructing and analyzing a matrix of packet arrival intensity in the frequency domain, wherein the packet arrival intensity is expressed in terms of a number of the connections.
  - 137. The apparatus according to claim 115, wherein the network security processor is adapted to determine one or more source Internet Protocol (IP) addresses of the traffic participating in the attack, to filter the traffic by blocking traffic having the determined source IP addresses, to observe packets arriving on connections of a stateful protocol from a plurality of source Internet Protocol (IP) addresses, and to determine the one or more source IP addresses participating in the attack by:
    - determining that one or more of the connection are misused, by analyzing the property in the frequency domain, and identifying the one or more source IP addresses participating in the attack by counting the misused connections per each of the plurality of source IP addresses.

116. (canceled)

119. (canceled)

123-125. -125. (canceled)

127-128. -128. (canceled)

130-136. -136. (canceled)

138-170. -170. (canceled)

171. A computer software product for protecting a network from an attack, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to measure a time-related property of traffic entering the network, to transform the time-related property of the traffic into a frequency domain, to analyze the property in the frequency domain in order to detect the attack, and to filter the traffic entering the network in order to block traffic participating in the attack.
- View Dependent Claims (175)
- - 175. The product according to claim 171, wherein the instructions cause the computer to measure rates of arriving data packets on each of a plurality of network connections, and to analyze the property by determining a spectral distribution of packet frequencies among the plurality of network connections.

172-174. -174. (canceled)

176-194. -194. (canceled)

195. A computer network comprising:
- a plurality of nodes, which are coupled to receive communication traffic from sources outside the network; and
  
  a network security device, which is coupled to measure a time-related property of traffic entering the network, to transform the time-related property of the traffic into a frequency domain, to analyze the property in the frequency domain in order to detect the attack, and to filter the traffic entering the network in order to block traffic participating in the attack.
- View Dependent Claims (196)
- - 196. The network according to claim 195, wherein the network security device is coupled to measure rates of arriving data packets on each of a plurality of network connections, and to analyze the property by determining a spectral distribution of packet frequencies among the plurality of network connections.

197. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radware Limited
Original Assignee
Radware Limited
Inventors
Elboim, Abraham, Chesla, Avi, Medvedovsky, Lev

Granted Patent

US 7,836,496 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

DYNAMIC NETWORK PROTECTION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

197 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC NETWORK PROTECTION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

197 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links