DENIAL OF SERVICE AND OTHER RESOURCE EXHAUSTION DEFENSE AND MITIGATION USING TRANSITION TRACKING
Abstract
Described is a method and system for determining a suspect in a resource exhaustion attack, for example a DDoS (Distributed Denial of Service) attack, against a target processor using transitions between data processing requests. For example, a first website request followed by a second website request received from a remote sender at a server is determined to be a statistically unusual transition and thus may raise suspicion about the remote sender. Such transitions for the remote sender can be cumulatively evaluated.
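The following sketch is an added illustration of the transition-tracking idea in the abstract, not code from the patent or its applicant. The scoring function (negative log of a smoothed baseline probability), the averaging used as the cumulative profile, the threshold value, and all paths and addresses are assumptions constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed baseline of normal sessions (ordered request paths); not real traffic.
BASELINE = [
    ["/", "/products", "/cart", "/checkout"],
    ["/", "/products", "/products", "/cart"],
    ["/", "/search", "/products", "/cart", "/checkout"],
    ["/", "/products", "/search", "/products"],
]
# Constructed per-sender request sequences (documentation-range addresses).
OBSERVED = {
    "198.51.100.10": ["/", "/products", "/cart", "/checkout"],
    "203.0.113.7": ["/search", "/search", "/search", "/checkout", "/search"],
}

def train(sessions):
    """Count how often each (previous request -> next request) transition occurs."""
    counts = defaultdict(Counter)
    for s in sessions:
        for prev, nxt in zip(s, s[1:]):
            counts[prev][nxt] += 1
    return counts

def transition_anomaly(counts, prev, nxt, vocab_size, alpha=0.5):
    """Anomaly value of one transition: -log2 of its smoothed baseline probability.
    Additive smoothing (alpha) is an assumption; it keeps unseen transitions finite."""
    row = counts.get(prev, Counter())
    p = (row[nxt] + alpha) / (sum(row.values()) + alpha * vocab_size)
    return -math.log2(p)

def anomaly_profile(counts, requests, vocab_size):
    """Cumulative profile for one sender: mean anomaly over all its transitions."""
    scores = [transition_anomaly(counts, a, b, vocab_size)
              for a, b in zip(requests, requests[1:])]
    return sum(scores) / len(scores) if scores else 0.0

def find_suspects(counts, observed, vocab_size, threshold=2.0):
    """Return {sender: profile} for senders whose profile exceeds the threshold."""
    profiles = {s: anomaly_profile(counts, r, vocab_size) for s, r in observed.items()}
    return {s: v for s, v in profiles.items() if v > threshold}

if __name__ == "__main__":
    counts = train(BASELINE)
    vocab = {p for s in BASELINE for p in s}
    for sender, score in find_suspects(counts, OBSERVED, len(vocab)).items():
        print(f"suspect {sender}: mean transition anomaly {score:.2f} bits")
```

The sender whose requests follow the baseline's usual paths scores under 1 bit per transition, while the sender repeating transitions never seen in the baseline averages close to 3 bits and is flagged.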
27 Claims
1. A method of determining a first suspect in a resource exhaustion attack against a target automated processor communicatively connected to a data communication network, the method comprising:
- monitoring a plurality of data processing requests received over the data communication network from a remote sender;
- identifying a first transition, dependent on a first sequence of data processing requests comprising a first data processing request of the plurality of data processing requests and a second data processing request of the plurality of data processing requests;
- determining, with an automated processor, a first anomaly profile for the remote sender based on a first anomaly representation assigned to the first transition and a second anomaly representation determined for the remote sender;
- determining, with the automated processor, based on the first anomaly profile, that the remote sender is the first suspect in the resource exhaustion attack; and
- based on the determining of the first suspect, taking action with the automated processor of at least one of: communicating a message dependent on the determining, and modifying at least one data processing request of the plurality of data processing requests.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. A computing device comprising an automated processor for determining a first suspect in a resource exhaustion attack against a target automated processor connected to a data communication network, the computing device comprising:
- a network interface configured to monitor a plurality of data processing requests received over the data communication network from a remote sender;
- a transition identifier configured to identify, as a first transition, a first sequence of data processing requests comprising a first data processing request of the plurality of data processing requests and a second data processing request of the plurality of data processing requests;
- an anomaly profiler configured to determine a first anomaly profile for the remote sender based on a first anomaly representation assigned to the first transition and a second anomaly representation determined for the remote sender;
- a suspect determiner configured to determine, based on the first anomaly profile, and an anomaly threshold, that the remote sender is the first suspect in the resource exhaustion attack; and
- a suspect response generator configured to take action, when the first suspect is determined, of at least one of: communicating a message in dependence on the determination of the first suspect, and modifying at least one data processing request of the plurality of data processing requests.

Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27
Specification