SYSTEM AND METHOD FOR REAL-TIME REPORTING OF ANOMALOUS INTERNET PROTOCOL ATTACKS

US 20130340079A1
Filed: 06/13/2013
Published: 12/19/2013
Est. Priority Date: 06/14/2012
Status: Active Grant

First Claim

Patent Images

1. A system for monitoring Internet traffic, comprising:

a first apparatus for detecting Internet traffic messages that are recognized as anomalous attacks;

a counter for counting the Internet traffic messages that are recognized as the anomalous attacks to provide a count;

a second apparatus for computing a running average of the number of Internet traffic messages that are recognized as anomalous attacks; and

a comparator for comparing the count to the running average and to provide an anomalous attack alarm if the count is greater than a multiple of the running average.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method for detecting anomalous attacks in Internet network flow operate by counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count; computing a running average of the number of messages that are detected as anomalous attacks; and comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average. The attacks can include at least one of spoofing attacks or denial of service attacks. A computer readable storage medium stores instructions of a computer program, which when executed by a computer system, results in performance of steps of the method.

Citations

30 Claims

1. A system for monitoring Internet traffic, comprising:
- a first apparatus for detecting Internet traffic messages that are recognized as anomalous attacks;
  
  a counter for counting the Internet traffic messages that are recognized as the anomalous attacks to provide a count;
  
  a second apparatus for computing a running average of the number of Internet traffic messages that are recognized as anomalous attacks; and
  
  a comparator for comparing the count to the running average and to provide an anomalous attack alarm if the count is greater than a multiple of the running average.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, further comprising terminating apparatus for terminating the anomalous attack alarm if the count is less than a second multiple of the running average, wherein the second multiple is a smaller multiple than the first multiple.
  - 3. The system of claim 2, further comprising updating apparatus for updating the running average by smoothing, if the count is below the multiple.
  - 4. The system of claim 3, wherein the smoothing is exponential smoothing.
  - 5. The system of claim 1, further comprising a database for storing records of anomalous attacks, wherein the processor further determines whether a record of an anomalous attack has been in the database for a predetermined period of time.
  - 6. The system of claim 5, wherein the running average is computed in a current time window, and when a record has been in the database for a time greater than predetermined period of time, that record is removed from the time window for purposes of computing the running average.
  - 7. The system of claim 1, wherein the running average is set to always be a positive number.
  - 8. The system of claim 1, wherein the anomalous attacks comprise at least one of source spoofing and denial of service attacks.
  - 9. The system of claim 1, wherein the running average is updated no more frequently than at a predefined interval.

10. A system for monitoring Internet traffic, comprising:
- a processor which performs the steps of;
  
  detecting anomalous attacks in a network flow;
  
  counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count;
  
  computing a running average of the number of Internet traffic messages that are detected as the anomalous attacks;
  
  comparing the count to the running average; and
  
  providing an anomalous attack alarm if the count is greater than a multiple of the running average.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the processor further performs the step comprising terminating the anomalous attack alarm if the count is less than a second multiple of the running average, wherein the second multiple is a smaller multiple than the multiple of the running average.
  - 12. The system of claim 10, wherein the processor further performs the step comprising updating the running average by smoothing, if the count is a multiple less than the multiple of the running average.
  - 13. The system of claim 12, wherein the smoothing is exponential smoothing.
  - 14. The system of claim 12, further comprising storage for a database for storing records of anomalous attacks, wherein the processor further performs the step comprising determining whether a record of an anomalous attack has been in the database for a predetermined period of time.
  - 15. The system of claim 14, wherein when the processor determines that the record has been in the database for a time greater than the predetermined period of time, the processor removes that record from a window used to compute running average.
  - 16. The system of claim 10, wherein the anomalous attacks comprise at least one of source spoofing and denial of service attacks.
  - 17. The system of claim 10, wherein the running average is updated no more frequently than at a predefined interval.
  - 18. The system of claim 10, wherein the running average is set to always be a positive number.

19. A method for monitoring Internet traffic comprising:
- receiving a network flow and detecting anomalous attacks in the network flow;
  
  counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count;
  
  computing a running average of the number of messages that are detected as anomalous attacks; and
  
  comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The method of claim 19, further comprising:
    - terminating the alarm if the count is less than a second multiple of the running average, wherein the second multiple is a smaller multiple than the multiple of the running average.
  - 21. The method of claim 19, wherein if the count is a less than the multiple of the running average, updating the running average using smoothing.
  - 22. The method of claim 21, wherein the smoothing is exponential smoothing.
  - 23. The method of claim 19, implemented as a computer processor running a series of computer instructions.
  - 24. The method of claim 19, wherein the running average is updated no more frequently than at a predefined interval.
  - 25. The method of claim 19, further comprising setting the running average to always be a positive number.
  - 26. The method of claim 19, further comprising:
    - storing in a database records of anomalous attacks, anddetermining whether a record of an anomalous attack has been in the database for a predetermined period of time.
  - 27. The method of claim 26, further comprising removing a record from a window used to compute the running average when the record has been in the database for a time greater than a predetermined period of time.
  - 28. The method of claim 19, wherein the anomalous attacks comprise at least one of source spoofing and denial of service attacks.

29. A computer readable non-transitory storage medium storing instructions of a computer program which when executed by a computer system results in performance of steps of a method, comprising:
- receiving a network flow and detecting anomalous attacks in the network flow;
  
  counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count;
  
  computing a running average of the number of messages that are detected as anomalous attacks; and
  
  comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average.
- View Dependent Claims (30)
- - 30. The computer readable non-transitory storage medium of claim 29, storing further instructions for determining the anomalous attacks as spoofing or denial of service attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KDDI Corporation, Perspecta Labs Inc. (Perspecta, Inc.)
Original Assignee
KDDI Corporation, TT Government Solutions, Inc. (Perspecta, Inc.)
Inventors
GOTTLIEB, Yitzchak, NAIDU, Aditya, GHOSH, Abhrajit, YAMADA, Akira, SAWAYA, Yukiko, KUBOTA, Ayumu

Granted Patent

US 9,130,982 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

SYSTEM AND METHOD FOR REAL-TIME REPORTING OF ANOMALOUS INTERNET PROTOCOL ATTACKS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR REAL-TIME REPORTING OF ANOMALOUS INTERNET PROTOCOL ATTACKS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links