DENIAL OF SERVICE (DOS) ATTACK DETECTION SYSTEMS AND METHODS
First Claim
1. A method comprising:
- monitoring packets received for delivery to devices on a network;
- developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period;
- developing an instant packet profile by examining the monitored packets during the instant time period;
- comparing, by a processor, the instant packet profile to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present; and
- identifying, by the processor, existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation.
Abstract
Methods, systems, and apparatus that enable identification of network attacks such as denial of service attacks are disclosed. A network attack may be identified by monitoring packets received for delivery to devices on a network, and developing a historic packet profile by examining the monitored packets received during a number of time periods preceding an instant time period. An instant packet profile is developed by examining the monitored packets during the instant time period. The instant packet profile is compared to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present. The existence of a network attack is identified in response to determining that the deviation exceeds the predetermined statistical threshold deviation.
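The comparison described in the abstract, as an added example that is not taken from the patent. It assumes a packet profile is a set of per-protocol packet counts per time period and that the deviation is measured in historic standard deviations, neither of which the page specifies; all names, the sample counts and the threshold of 3 are constructed for illustration.

```python
from statistics import mean, pstdev

MIN_PERIODS = 5   # assumption: refuse to judge on a thin baseline
STD_FLOOR = 1.0   # assumption: avoids divide-by-zero on a perfectly flat history

def historic_profile(periods):
    """Per-feature (mean, std) over the periods preceding the instant one."""
    if len(periods) < MIN_PERIODS:
        raise ValueError("not enough historic periods for a baseline")
    features = set().union(*periods)
    profile = {}
    for f in features:
        counts = [p.get(f, 0) for p in periods]
        profile[f] = (mean(counts), max(pstdev(counts), STD_FLOOR))
    return profile

def deviations(instant, profile):
    """Signed deviation of each instant count, in historic standard deviations."""
    out = {}
    for f in set(instant) | set(profile):
        mu, sigma = profile.get(f, (0.0, STD_FLOOR))  # feature never seen before
        out[f] = (instant.get(f, 0) - mu) / sigma
    return out

def detect(instant, periods, threshold=3.0):
    """Return the features whose upward deviation exceeds the threshold, sorted."""
    z = deviations(instant, historic_profile(periods))
    return sorted(f for f, v in z.items() if v > threshold)

# Constructed sample data: packet counts per one-minute period.
HISTORY = [
    {"tcp_syn": 118, "udp": 300, "icmp": 9},
    {"tcp_syn": 125, "udp": 310, "icmp": 11},
    {"tcp_syn": 121, "udp": 295, "icmp": 10},
    {"tcp_syn": 130, "udp": 305, "icmp": 12},
    {"tcp_syn": 116, "udp": 290, "icmp": 8},
]
NORMAL = {"tcp_syn": 127, "udp": 302, "icmp": 10}
FLOOD = {"tcp_syn": 4200, "udp": 298, "icmp": 10}

if __name__ == "__main__":
    print("normal period:", detect(NORMAL, HISTORY))
    print("flood period: ", detect(FLOOD, HISTORY))
```

The standard-deviation floor and the minimum number of historic periods matter in practice: without them a quiet link with near-constant counts flags every small fluctuation, and a freshly started monitor flags everything.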
20 Claims
1. A method comprising:
- monitoring packets received for delivery to devices on a network;
- developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period;
- developing an instant packet profile by examining the monitored packets during the instant time period;
- comparing, by a processor, the instant packet profile to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present; and
- identifying, by the processor, existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A system comprising:
- a packet extractor configured to monitor packets received at a network protection device for delivery to devices on a network;
- a packet processor coupled to the packet extractor, the packet processor configured to:
  - develop a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period;
  - develop an instant packet profile by examining the monitored packets during the instant time period;
  - compare the instant packet profile to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present; and
  - identify existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation.

Dependent claims: 12, 13, 14, 15, 16, 17
18. A program embodied on a computer readable medium for causing a computer to execute processing including:
- monitoring packets received for delivery to devices on a network;
- developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period;
- developing an instant packet profile by examining the monitored packets during the instant time period;
- comparing the instant packet profile to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present; and
- identifying the existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation.

Dependent claims: 19, 20
Specification