ALERTING AS TO DENIAL OF SERVICE ATTACKS

US 20080162679A1
Filed: 12/29/2006
Published: 07/03/2008
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first server operatively coupled to a router, to receive a copy of network traffic processed by the router;

a database operatively coupled to the first server, wherein the first server receives, parses and records network traffic information onto the database; and

a device operatively coupled to the first server to receive alerts regarding possible Denial Of Service (DOS) attacks, the alerts based upon network traffic falling outside a standard deviation range.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system, wherein the system comprises a first server operatively coupled to a router, to receive a copy of network traffic processed by the router, a database operatively coupled to the first server, wherein the server records parsed network traffic information onto the database, and a device operatively coupled to the first server to receive alerts regarding possible denial-of-service attacks, the alerts based upon network traffic falling outside a standard deviation range. A method that comprises receiving a data packet from a network, parsing the data packet, storing data in the fields of the data packet into a database, comparing observed data set values with a historical data set values, sending an alert to a device based upon network traffic falling outside a standard deviation range, and updating the historical data set values by averaging the observed data set values with an old historical data set values.

84 Citations

View as Search Results

22 Claims

1. A system comprising:
- a first server operatively coupled to a router, to receive a copy of network traffic processed by the router;
  
  a database operatively coupled to the first server, wherein the first server receives, parses and records network traffic information onto the database; and
  
  a device operatively coupled to the first server to receive alerts regarding possible Denial Of Service (DOS) attacks, the alerts based upon network traffic falling outside a standard deviation range.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, further comprising a second server operatively coupled to the router.
  - 3. The system of claim 2, wherein the second server is a web server.
  - 4. The system of claim 1, wherein a DOS attack includes an attack type selected from the group consisting of a Synchronize (SYN) flood, Internet Control Message Protocol (ICMP) flood, User Datagram Protocol (UDP) flood, distributed attack, and application level flood.
  - 5. The system of claim 1, wherein the device includes a device selected from the group consisting of a computer system, cell phone, and Personal Digital Assistant (PDA).

6. A method comprising:
- receiving a data packet from a network;
  
  parsing the data packet into its respective fields;
  
  storing data in the fields of the data packet into a database as an observed data set;
  
  comparing observed data set values with a historical data set values;
  
  sending an alert to a device based upon network traffic falling outside a standard deviation range; and
  
  updating the historical data set values by averaging the observed data set values with an old historical data set values.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 7. The method of claim 6, further comprising sending the alert where a difference between a value in the observed data set and a value in the historical data set exceeds a standard deviation threshold.
  - 8. The method of claim 6, further comprising sending the alert where a difference between a value in the observed data set and a value in the historical data set is below a standard deviation threshold.
  - 9. The method of claim 7, wherein the alert is sent where the value in the observed data set exceeds the value in the historical data set by a threshold of 25 standard deviations.
  - 10. The method of claim 8, wherein the alert is sent where the value in the observed data set is below the value in the historical data set by a threshold of 6 standard deviations.
  - 11. The method of claim 6, further comprising updating an existing historical standard deviation data set by applying a quantitative forecasting algorithm to the historical standard deviation data set and an observed deviations data set.
  - 12. The method of claim 11, wherein the quantitative forecasting algorithm is a Holt-Winters (HW) algorithm.
  - 13. The method of claim 6, wherein the data packet includes a data packet selected from the group consisting of a Transmission Control Protocol (TCP) packet, a User Datagram Protocol (UDP) packet, an Internet Protocol (IP) packet, and an Internet Control Message Protocol (ICMP) packet.
  - 14. The method of claim 6, wherein the fields of the data packets includes a field selected from the group consisting of a Transmission Control Protocol (TCP) flags field, a TCP flag combinations field, an Internet Protocol (IP) protocol number field, an IP Time-To-Live (TTL) field, an IP header checksum, an IP identification number field, an IP fragment bits, an IP fragment offset field, a source IP address field, a destination IP address field, an IP total length field, a TCP sequence number field, a TCP acknowledgement number filed, a TCP window size field, a TCP destination port field, a TCP source port field, a TCP checksum field, a TCP options field, a User Datagram Protocol (UDP) destination port field, a UDP source port field, a UDP length field, a UDP checksum field, a ICMP type field, a ICMP code field, and a ICMP checksum field.
  - 15. The method of claim 6, further comprising parsing the fields based upon values contained within the fields.
  - 16. The method of claim 6, further comprising parsing the fields based upon a random distribution of values contained within the fields.
  - 17. The method of claim 6, further comprising initializing a parser using an instruction set read from an instruction file.
  - 18. The method of claim 17, wherein the instruction file is an Extensible Mark-up Language (XML) file.
  - 19. The method of claim 6, further comprising displaying in a graphical format existing network traffic.
  - 20. The method of claim 6, further comprising displaying in a graphical format a portion of the existing network traffic that falls outside a standard deviation range.
  - 21. The method of claim 20, where the displaying is on a device that includes a device selected from the group consisting of a computer system, cell phone, and Personal Digital Assistant (PDA).

22. A computer-readable medium having instructions stored thereon for causing a suitably programmed computer to execute a method comprising:
- a first instruction set to receive a data packet from a network;
  
  a second instruction set to parse the data packet into its respective fields;
  
  a third instruction set to store the data in the fields of the data packet into a database as an observed data set;
  
  a fourth instruction set to compare the observed data set with a historical data set;
  
  a fifth instruction set to send an alert to a device; and
  
  a sixth instruction set to update the historical data set by averaging the observed data set with an old historical data set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
eBay Inc.
Original Assignee
eBay Inc.
Inventors
Brown, Andrew Millard, Maher, Kevin Edward

Granted Patent

US 7,992,192 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/0894   Packet rate

H04L 43/16   Threshold monitoring

H04L 63/1458   Denial of Service

ALERTING AS TO DENIAL OF SERVICE ATTACKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

84 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

ALERTING AS TO DENIAL OF SERVICE ATTACKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links