DETECTING AND MITIGATING DENIAL OF SERVICE ATTACKS
First Claim
1. A method for detecting an attack on a computer network comprising:
- generating a time series of data values derived from network traffic;
for each entry in the time series, calculating a difference-value, based upon a value in the entry and a number based upon other values in a time window, for a large time-window and a small time-window;
determining a deviation score for at least one entry in the time series by calculating the ratio of the difference-value for the small-window to the difference-value for the large window; and
for a point in the time series, determining that a network attack occurred within the small time-window by determining whether the respective deviation score is outside of a range of values.
1 Assignment
0 Petitions
Accused Products
Abstract
Embodiments of this invention provide methods for detecting a denial of service attack (DoS) and isolating traffic that relates to the attack. The method may begin by collecting network traffic data by observing individual packets carried over the network. The data may then be compiled into a time series comprising network traffic data relating successive time-intervals. A difference value based upon the entry in the time series for a large time-window and for a small time-window. A deviation score may then be determined by calculating the ratio of the difference values. The deviation score may indicate whether an attack occurred. In an embodiment of the invention, an attack is deemed to occur if the deviation score is between 0.6 and 1.4.
118 Citations
32 Claims
-
1. A method for detecting an attack on a computer network comprising:
-
generating a time series of data values derived from network traffic; for each entry in the time series, calculating a difference-value, based upon a value in the entry and a number based upon other values in a time window, for a large time-window and a small time-window; determining a deviation score for at least one entry in the time series by calculating the ratio of the difference-value for the small-window to the difference-value for the large window; and for a point in the time series, determining that a network attack occurred within the small time-window by determining whether the respective deviation score is outside of a range of values. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
-
Specification