METHOD FOR THWARTING APPLICATION LAYER HYPERTEXT TRANSPORT PROTOCOL FLOOD ATTACKS FOCUSED ON CONSECUTIVELY SIMILAR APPLICATION-SPECIFIC DATA PACKETS
First Claim
Patent Images
1. A method to thwart hypertext transport protocol (HTTP) attacks, the method implemented on a processor and comprising the steps of:
- receiving a plurality of HTTP packets, the plurality of HTTP packets comprising a first HTTP packet and a second HTTP packet, wherein the second HTTP packet was received prior to the first HTTP packet;
creating a hash of the first HTTP packet using a hash function, wherein the first HTTP packet is a GET request or POST request;
determining if the hash is in a list of previously known hashes, wherein each previously known hash in the list of previously known hashes is associated with a state, wherein the state is either blacklist or other;
if the hash is a previously known hash and the state is blacklist, then blocking a request associated with the first HTTP packet, orif the hash is a previously known hash and the state is other, or the hash is not is not in the list of previously known hashes, thencalculating a difference between a payload of the first HTTP packet and a payload of the second HTTP packet, andcalculating a length of the payload of the first HTTP packet;
incrementing a counter of total payload length by the calculated length of the payload of the first HTTP packet;
incrementing a counter of total difference by calculated difference;
calculating a payload similarity percentage based on the total payload difference and total payload length; and
if the calculated payload similarity percentage is outside a predetermined acceptable range of acceptable percentages, thensetting the state to blacklist if the hash is a previously known hash, orstoring the hash in the list of previously known hashes with its associated state set to blacklist.
0 Assignments
0 Petitions
Accused Products
Abstract
The present invention provides a methodology to thwart attacks that utilize consecutive hypertext transport protocol packets with similar structures, arriving from a plurality of computer systems on a network, such as the Internet, destined for a single or more computer systems on a secondary network, at such a rate with sufficient complexity to produce an effect on the target computer system or systems such that legitimate clients are denied access to requested services, thus creating a “denial of service” situation. The methodology focuses on the dynamic and proactive reassessment of data packet payload content to maintain a running value of similarity or dissimilarity, thus permitting intermediary apparatuses that are performing this computation to create distinction between legitimate clients and illegitimate clients.
162 Citations
7 Claims
-
1. A method to thwart hypertext transport protocol (HTTP) attacks, the method implemented on a processor and comprising the steps of:
-
receiving a plurality of HTTP packets, the plurality of HTTP packets comprising a first HTTP packet and a second HTTP packet, wherein the second HTTP packet was received prior to the first HTTP packet; creating a hash of the first HTTP packet using a hash function, wherein the first HTTP packet is a GET request or POST request; determining if the hash is in a list of previously known hashes, wherein each previously known hash in the list of previously known hashes is associated with a state, wherein the state is either blacklist or other; if the hash is a previously known hash and the state is blacklist, then blocking a request associated with the first HTTP packet, or if the hash is a previously known hash and the state is other, or the hash is not is not in the list of previously known hashes, then calculating a difference between a payload of the first HTTP packet and a payload of the second HTTP packet, and calculating a length of the payload of the first HTTP packet; incrementing a counter of total payload length by the calculated length of the payload of the first HTTP packet; incrementing a counter of total difference by calculated difference; calculating a payload similarity percentage based on the total payload difference and total payload length; and if the calculated payload similarity percentage is outside a predetermined acceptable range of acceptable percentages, then setting the state to blacklist if the hash is a previously known hash, or storing the hash in the list of previously known hashes with its associated state set to blacklist. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeMehdi Mahvi
-
Original AssigneeMehdi Mahvi
-
InventorsMahvi, Mehdi
-
Granted Patent
-
Time in Patent OfficeDays
-
Field of Search
-
US Class Current726/23
-
CPC Class CodesH04L 63/1416 Event detection, e.g. attac...H04L 63/1458 Denial of Service
