Adaptive Behavioral HTTP Flood Protection
First Claim
1. An anomaly detection engine comprising:
- an interface to receive at least the following: a plurality of real-time statistical parameters or a plurality of normal base line values, said plurality of real-time statistical parameters comprising at least one rate-based parameter and at least one rate-invariant parameter;
- embedded correlation rules;
- a degree of anomaly generator generating a degree of anomaly (DoA) based on said received plurality of real-time statistical parameters and said plurality of normal base line values; and
- when said generated degree of anomaly indicates a network attack, said decision engine communicates with at least one “trap” buffer to characterize the anomaly.
1 Assignment
0 Petitions
Abstract
A system and method to detect and mitigate denial of service and distributed denial of service HTTP “page” flood attacks. Detection of an attack/anomaly is made according to multiple traffic parameters, including rate-based and rate-invariant parameters in both traffic directions. Prevention is done according to HTTP traffic parameters that are analyzed once a traffic anomaly is detected. This protection includes a differential adaptive mechanism that tunes the sensitivity of the anomaly detection engine. The decision engine is based on a combination of fuzzy logic inference systems and statistical thresholds. A “trap buffer” characterizes the attack to allow accurate mitigation according to the source IP(s) and the HTTP request URLs that are used as part of the attack. Mitigation is controlled through a feedback mechanism that tunes the level of rate limit factors needed to mitigate the attack effectively while letting legitimate traffic pass.
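The abstract names four pieces (rate-based and rate-invariant parameters compared against baselines, a fuzzy degree of anomaly gated by a statistical threshold, a trap buffer that characterizes the attack by source IP and URL, and a feedback loop on the rate-limit factor) without showing how they fit together. The following added example, written for this page and not taken from the patent or from any product implementing it, wires a toy version of those pieces over constructed request logs. The membership functions, weights, the 3-sigma gate, the 0.5 attack threshold and the halving feedback step are all assumptions chosen for illustration; the patent's own functions and constants are not on the page.

```python
"""Toy adaptive HTTP-flood detector built around the concepts in the abstract:
rate-based and rate-invariant parameters, a fuzzy degree of anomaly (DoA) gated by a
statistical threshold, a trap buffer that characterizes the attack by source IP and
URL, and a feedback loop that tightens a rate-limit factor until the anomaly clears.
Illustrative code written for this page; it is not the patented implementation."""
from collections import Counter
from dataclasses import dataclass

ATTACK_DOA = 0.5  # assumed: a DoA at or above this value is treated as an attack


@dataclass
class Baseline:
    rps: float            # normal requests per second (rate-based parameter)
    rps_sigma: float      # spread of normal rps, used for the statistical threshold
    top_url_share: float  # normal share of the single busiest URL (rate-invariant)


def clamp01(x):
    return max(0.0, min(1.0, x))


def degree_of_anomaly(reqs, window_s, base, sensitivity=1.0):
    """reqs: list of (second, src_ip, url). Returns (doa, rps, top_url_share)."""
    n = len(reqs)
    rps = n / window_s
    top_share = (Counter(u for _, _, u in reqs).most_common(1)[0][1] / n) if n else 0.0
    # statistical threshold: no anomaly unless the rate clearly exceeds the normal spread
    if rps <= base.rps + 3 * base.rps_sigma:
        return 0.0, rps, top_share
    # fuzzy membership "rate is high": 0 at baseline, 1 at 4x baseline (sensitivity 1)
    rate_m = clamp01((rps / base.rps - 1.0) * sensitivity / 3.0)
    # fuzzy membership "traffic is concentrated on one URL" (rate-invariant parameter)
    conc_m = clamp01((top_share - base.top_url_share) * sensitivity / 0.5)
    # embedded correlation rule (assumed): weighted combination of both memberships
    doa = 0.6 * rate_m + 0.4 * conc_m
    return doa, rps, top_share


def trap_buffer(reqs, base, src_share=0.05):
    """Characterize the anomaly: heavy-hitter sources and over-represented URLs."""
    n = len(reqs)
    by_src = Counter(s for _, s, _ in reqs)
    by_url = Counter(u for _, _, u in reqs)
    offenders = {ip for ip, c in by_src.items() if c / n >= src_share}
    urls = [u for u, c in by_url.items() if c / n >= 2 * base.top_url_share]
    return offenders, urls


def apply_rate_limit(reqs, offenders, window_s, factor):
    """Allow each offending source int(its observed rps * factor) requests per second."""
    src_count = Counter(s for _, s, _ in reqs)
    allowance = {ip: int(src_count[ip] / window_s * factor) for ip in offenders}
    used, kept = Counter(), []
    for sec, ip, url in reqs:
        if ip in offenders:
            if used[(ip, sec)] >= allowance[ip]:
                continue  # over the per-second allowance: dropped
            used[(ip, sec)] += 1
        kept.append((sec, ip, url))
    return kept


def mitigate(reqs, window_s, base):
    """Feedback loop: halve the rate-limit factor until the DoA drops below ATTACK_DOA."""
    offenders, urls = trap_buffer(reqs, base)
    factor = 1.0
    while True:
        factor /= 2
        limited = apply_rate_limit(reqs, offenders, window_s, factor)
        doa, rps, _ = degree_of_anomaly(limited, window_s, base)
        if doa < ATTACK_DOA or factor < 1 / 64:
            return factor, rps, offenders, urls


def make_requests(attack):
    """Constructed sample traffic: 20 legitimate rps spread over 5 URLs for 10 s;
    with attack=True, 8 constructed bot addresses add 10 rps each on /search."""
    urls = ["/", "/login", "/search", "/about", "/cart"]
    reqs = [(sec, f"10.0.{i}.{sec}", urls[(i + sec) % 5])
            for sec in range(10) for i in range(20)]
    if attack:
        reqs += [(sec, f"203.0.113.{b}", "/search")
                 for sec in range(10) for b in range(8) for _ in range(10)]
    return reqs


BASE = Baseline(rps=20.0, rps_sigma=3.0, top_url_share=0.2)

if __name__ == "__main__":
    for label, attack in (("normal", False), ("flood", True)):
        reqs = make_requests(attack)
        doa, rps, share = degree_of_anomaly(reqs, 10, BASE)
        print(f"{label}: rps={rps:.0f} top_url_share={share:.2f} DoA={doa:.2f}")
        if doa >= ATTACK_DOA:
            factor, rps_after, offenders, urls = mitigate(reqs, 10, BASE)
            print(f"  trap buffer: {len(offenders)} sources, urls={urls}")
            print(f"  rate-limit factor {factor} -> {rps_after:.0f} rps")
```

The point of the rate-invariant parameter is visible in the numbers: a legitimate traffic spike raises `rps` but leaves the URL distribution roughly flat, whereas the constructed flood pushes the busiest-URL share from 0.2 to 0.84, so the correlation rule scores it as an attack on both axes. The feedback loop stops at the first factor for which the re-measured DoA falls under the threshold instead of cutting the offending sources off completely, which is the "let legitimate traffic pass" behaviour the abstract describes; the `sensitivity` argument is a placeholder for the adaptive tuning the abstract mentions, not the patent's mechanism.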
157 Citations
23 Claims
- 1. An anomaly detection engine comprising:
  an interface to receive at least the following: a plurality of real-time statistical parameters or a plurality of normal base line values, said plurality of real-time statistical parameters comprising at least one rate-based parameter and at least one rate-invariant parameter;
  embedded correlation rules;
  a degree of anomaly generator generating a degree of anomaly (DoA) based on said received plurality of real-time statistical parameters and said plurality of normal base line values; and
  when said generated degree of anomaly indicates a network attack, said decision engine communicates with at least one “trap” buffer to characterize the anomaly.
  (Dependent claims 2 to 21)
- 22. An article of manufacture comprising a computer user medium having computer readable program code embodied therein which implements a method to detect an anomaly, said medium comprising:
  computer readable program code aiding in receiving at least the following: a plurality of real-time statistical parameters or a plurality of normal base line values, said plurality of real-time statistical parameters comprising at least one rate-based parameter or at least one rate-invariant and rate-based parameter;
  computer readable program code maintaining a plurality of embedded correlation rules;
  computer readable program code generating a degree of anomaly (DoA) based on said received plurality of real-time statistical parameters and said plurality of normal base line values; and
  when said generated degree of anomaly indicates a network attack, computer readable program code aiding in communicating with at least one buffer to characterize the anomaly.
  (Dependent claim 23)
Specification