DENIAL OF SERVICE (DOS) ATTACK DETECTION SYSTEMS AND METHODS

US 20150007314A1
Filed: 06/27/2013
Published: 01/01/2015
Est. Priority Date: 06/27/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring packets received for delivery to devices on a network;

developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period;

developing an instant packet profile by examining the monitored packets during the instant time period;

comparing, by a processor, the instant packet profile to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present; and

identifying, by the processor, existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus that enable identification of network attacks such as denial of service attacks are disclosed. A network attack may be identified by monitoring packets received for delivery to devices on a network, and developing a historic packet profile by examining the monitored packets received during a number of time periods preceding an instant time period. An instant packet profile is developed by examining the monitored packets during the instant time period. The instant packet profile is compared to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present. The existence of a network attack is identified in response to determining that the deviation exceeds the predetermined statistical threshold deviation.

Citations

20 Claims

1. A method comprising:
- monitoring packets received for delivery to devices on a network;
  
  developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period;
  
  developing an instant packet profile by examining the monitored packets during the instant time period;
  
  comparing, by a processor, the instant packet profile to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present; and
  
  identifying, by the processor, existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, the method further comprising in response to identifying the existence of a network attack:
    - investigating the monitored packets in the instant time period to identify malicious traffic in response to the identified network attack; and
      
      applying a filter to block the malicious traffic.
  - 3. The method of claim 2, further comprising:
    - identifying an end of the identified network attack; and
      
      removing the filter in response to the identified end of the identified network attack.
  - 4. The method of claim 1, further comprising:
    - developing a post attack packet profile by examining the monitored packets subsequent to identification of the network attack;
      
      comparing the post attack packet profile to the historic packet profile to determine whether a new deviation is below a second statistical predetermined threshold deviation; and
      
      identifying an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
  - 5. The method of claim 4, wherein the second statistical predetermined threshold deviation is different from the statistical predetermined threshold deviation.
  - 6. The method of claim 1, wherein:
    - the instant packet profile is a ratio of number of packets of at least one packet protocol to number of packets of one or more packet protocols, for the monitored packets within the instant time period, andthe historic packet profile includes a sample standard deviation of the ratio of the number of packets of the at least one packet protocol to the number of packets of the one or more packet protocols, for the plurality of time periods preceding the instant time period.
  - 7. The method of claim 6, wherein the at least one packet protocol consists of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and the one or more packet protocols comprises TCP and UDP.
  - 8. The method of claim 1, wherein the monitoring comprises:
    - monitoring packets in at least one of the Internet Protocol (IP) layer or the Transmission Control Protocol (TCP) layer.
  - 9. The method of claim 1, wherein the monitoring step comprises:
    - monitoring packets received from outside the network to transport to a device inside the network.
  - 10. The method of claim 9, wherein the monitoring step further comprises:
    - monitoring packets received from within the network.

11. A system comprising:
- a packet extractor configured to monitor packets received at a network protection device for delivery to devices on a network;
  
  a packet processor coupled to the packet extractor, the packet processor configured to;
  
  develop a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period;
  
  develop an instant packet profile by examining the monitored packets during the instant time period;
  
  compare the instant packet profile to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present; and
  
  identify existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, further comprising:
    - the network protection device.
  - 13. The system of claim 12, wherein the packet processor is further configured to:
    - investigate the monitored packets in the instant time period to identify the malicious traffic; and
      
      instruct the network protection device to apply a filter to block malicious traffic.
  - 14. The system of claim 13, wherein the packet processor is further configured to:
    - identify an end of the identified network attack; and
      
      instruct the network protection device to remove the filter in response to the identified end of the identified network attack.
  - 15. The system of claim 11, wherein the packet processor is further configured to:
    - develop a post attack packet profile by examining the monitored packets subsequent to identification of the network attack;
      
      compare the post attack packet profile to the historic packet profile to determine whether a new deviation is below a second statistical predetermined threshold deviation; and
      
      identify an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
  - 16. The system of claim 11, wherein:
    - the instant packet profile is a ratio of number of packets of at least one packet protocol to number of packets of one or more packet protocols, for the monitored packets within the instant time period, andthe historic packet profile includes a sample standard deviation of the ratio of the number of packets of the at least one packet protocol to the number of packets of the one or more packet protocols, for the plurality of time periods preceding the instant time period.
  - 17. The method of claim 16, wherein the at least one packet protocol consists of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and the one or more packet protocols comprises TCP and UDP.

18. A program embodied on a computer readable medium for causing a computer to execute processing including:
- monitoring packets received for delivery to devices on a network;
  
  developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period;
  
  developing an instant packet profile by examining the monitored packets during the instant time period;
  
  comparing the instant packet profile to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present; and
  
  identifying the existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation.
- View Dependent Claims (19, 20)
- - 19. The program of claim 18, further including:
    - developing a post attack packet profile by examining the monitored packets subsequent to identification of the network attack;
      
      comparing the post attack packet profile to the historic packet profile to determine whether a new deviation is below a second statistical predetermined threshold deviation; and
      
      identifying an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
  - 20. The program of claim 18, wherein:
    - the instant packet profile is a ratio of number of packets of at least one packet protocol to number of packets of one or more packet protocols, for the monitored packets within the instant time period, andthe historic packet profile includes a sample standard deviation of the ratio of the number of packets of the at least one packet protocol to the number of packets of the one or more packet protocols, for the plurality of time periods preceding the instant time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Original Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Inventors
Vaughan, John F.

Granted Patent

US 9,282,113 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

DENIAL OF SERVICE (DOS) ATTACK DETECTION SYSTEMS AND METHODS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DENIAL OF SERVICE (DOS) ATTACK DETECTION SYSTEMS AND METHODS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links