DENIAL OF SERVICE AND OTHER RESOURCE EXHAUSTION DEFENSE AND MITIGATION USING TRANSITION TRACKING

US 20160182542A1
Filed: 12/18/2015
Published: 06/23/2016
Est. Priority Date: 12/18/2014
Status: Abandoned Application

First Claim

Patent Images

1. A method of determining a first suspect in a resource exhaustion attack against a target automated processor communicatively connected to a data communication network, the method comprising:

monitoring a plurality of data processing requests received over the data communication network from a remote sender;

identifying a first transition, dependent on a first sequence of data processing requests comprising a first data processing request of the plurality of data processing requests and a second data processing request of the plurality of data processing requests;

determining, with an automated processor, a first anomaly profile for the remote sender based on a first anomaly representation assigned to the first transition and a second anomaly representation determined for the remote sender;

determining, with the automated processor, based on the first anomaly profile, that the remote sender is the first suspect in the resource exhaustion attack; and

based on the determining of the first suspect, taking action with the automated processor of at least one of;

communicating a message dependent on the determining, and modifying at least one data processing request of the plurality of data processing requests.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described is a method and system for determining a suspect in a resource exhaustion attack, for example DDoS (Distributed Denial of Service Attack), against a target processor using transitions between data processing requests. For example, a first website request followed by a second website request received from a remote sender at a server is determined to be statistically unusual transition and thus may raise suspicion about the remote sender. Such transitions for the remote sender can be cumulatively evaluated.

172 Citations

27 Claims

1. A method of determining a first suspect in a resource exhaustion attack against a target automated processor communicatively connected to a data communication network, the method comprising:
- monitoring a plurality of data processing requests received over the data communication network from a remote sender;
  
  identifying a first transition, dependent on a first sequence of data processing requests comprising a first data processing request of the plurality of data processing requests and a second data processing request of the plurality of data processing requests;
  
  determining, with an automated processor, a first anomaly profile for the remote sender based on a first anomaly representation assigned to the first transition and a second anomaly representation determined for the remote sender;
  
  determining, with the automated processor, based on the first anomaly profile, that the remote sender is the first suspect in the resource exhaustion attack; and
  
  based on the determining of the first suspect, taking action with the automated processor of at least one of;
  
  communicating a message dependent on the determining, and modifying at least one data processing request of the plurality of data processing requests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising identifying, as a second transition, a second sequence of data processing requests of the plurality of data processing requests for the remote sender,wherein the second anomaly representation is an anomaly representation assigned to the second transition.
  - 3. The method of claim 1, wherein the resource exhaustion attack is a distributed denial of service attack.
  - 4. The method of claim 1, wherein the first anomaly representation and the second anomaly representation are anomaly values retrieved from a transition anomaly matrix in dependence on the first and second transitions, respectively, and the first anomaly profile for the remote sender is determined by combining the first anomaly representation and the second anomaly representation.
  - 5. The method of claim 1, wherein the taking of the action is performed only after a resource use determination that at least one resource of the first automated processor is at least one of exhausted or substantially exhausted.
  - 6. The method of claim 1, further comprising:
    - monitoring a period of time between a time of the first transition and a time of the determination of the second anomaly representation,wherein the taking of the action is performed only when the period of time is shorter than a predetermined period of time.
  - 7. The method of claim 1, further comprising comparing the first anomaly profile with a first threshold,wherein the remote sender is determined as the first suspect only when the first anomaly profile is greater than the first threshold.
  - 8. The method of claim 7, further comprising:
    - after the first suspect is determined, when at least one resource of the first automated processor is at least one of exhausted or substantially exhausted, adjusting the threshold; and
      
      determining a second suspect with a second anomaly profile by comparing the second anomaly profile with the adjusted threshold.
  - 9. The method of claim 1, further comprising assigning the second anomaly representation based on an overlapping range in packets received from the remote sender.
  - 10. The method of claim 1, wherein the automated processor is positioned at a web server, the data communication network is the Internet, and each data processing request of the plurality of data processing requests comprises a request for a webpage.
  - 11. The method of claim 1, wherein the taking the action comprises sending a signal to diminish a response to data processing requests of the first suspect.
  - 12. The method of claim 1, further comprising:
    - obtaining a plurality of sampling data processing requests received over the data communication network from a plurality of remote senders;
      
      identifying, as a first sampling transition, a first sequence of data processing requests comprising a first sampling data processing request of the plurality of sampling data processing requests and a second sampling data processing request of the plurality of data processing requests;
      
      identifying, as a second sampling transition, a second sequence of data processing requests comprising the second data processing request and a third data processing request of the plurality of sampling data processing requests; and
      
      assigning the first anomaly representation to the first sampling transition as a function of a frequency of the first sampling transition, and assigning the second anomaly representation to the second transition, as a function of a frequency of the second sampling transition.
  - 13. The method of claim 12, wherein the frequency of the first transition and the frequency of the second transition are calculated based on the frequency over a period of time of the first sampling transition and the second sampling transition with respect to a totality of the plurality of sampling data processing requests obtained.

14. A computing device comprising an automated processor for determining a first suspect in a resource exhaustion attack against a target automated processor connected to a data communication network, the computing device comprising:
- a network interface configured to monitor a plurality of data processing requests received over the data communication network from a remote sender;
  
  a transition identifier configured to identify, as a first transition, a first sequence of data processing requests comprising a first data processing request of the plurality of data processing requests and a second data processing request of the plurality of data processing requests;
  
  an anomaly profiler configured to determine a first anomaly profile for the remote sender based on a first anomaly representation assigned to the first transition and a second anomaly representation determined for the remote sender;
  
  a suspect determiner configured to determine, based on the first anomaly profile, and an anomaly threshold, that the remote sender is the first suspect in the resource exhaustion attack; and
  
  a suspect response generator configured to take action, when the first suspect is determined, of at least one of;
  
  communicating a message in dependence on the determination of the first suspect, and modifying at least one data processing request of the plurality of data processing requests.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 15. The computing device according to claim 14, further comprising a web server comprising the target automated processor.
  - 16. The computing device of claim 14, wherein the transition identifier is configured to identify a second transition, the second transition being a second sequence of data processing requests of the plurality of data processing requests for the remote sender,wherein the second anomaly representation is an anomaly representation assigned to the second transition.
  - 17. The computing device of claim 14, wherein the resource exhaustion attack is a distributed denial of service attack and the data communication network is the Internet.
  - 18. The computing device of claim 14, further comprising:
    - a transition anomaly processor configured to retrieve anomaly values corresponding to the first anomaly representation and the second anomaly representation,wherein the first anomaly profile for the remote sender is determined by combining the first anomaly representation and the second anomaly representation.
  - 19. The computing device of claim 14, wherein the taking of the action is performed only after a resource use determination that at least one resource of the target automated processor is at least one of exhausted or substantially exhausted.
  - 20. The computing device of claim 14, further comprising:
    - a timer configured to monitor a period of time between a time of the first transition and a time of the determination of the second anomaly representation; and
      
      an anomaly threshold processor configured to compare the first anomaly profile with a first threshold,wherein the taking of the action is performed only when the period of time is shorter than a predetermined period of time and the first anomaly profile is greater than the first threshold.
  - 21. The computing device of claim 20, further comprising a threshold manager configured to adjust the threshold after the first suspect is determined, only when at least one resource of the first automated processor is at least one of exhausted or substantially exhausted;
    - andthe suspect determiner is configured to determine a second suspect with a second anomaly profile by comparing the second anomaly profile with the adjusted threshold.
  - 22. The computing device of claim 14, wherein the anomaly profiler is configured to assign the second anomaly representation based on an overlapping range in sender fields of packets received from the remote sender.
  - 23. The computing device of claim 14, wherein the suspect response generator is further configured to take the action comprising sending a signal to a device to intercept data processing requests of the first suspect.
  - 24. The computing device of claim 14, further comprising:
    - a transition identifier configured to obtain a plurality of sampling data processing requests received over the data communication network from a plurality of remote senders, and to identify, as a first sampling transition, a first sequence of data processing requests comprising a first sampling data processing request of the plurality of sampling data processing requests and a second sampling data processing request of the plurality of data processing requests;
      
      the transition identifier configured to identify, as a second sampling transition, a second sequence of data processing requests comprising the second data processing request and a third data processing request of the plurality of sampling data processing requests; and
      
      an anomaly assigner configured to assign the first anomaly representation to the first sampling transition as a function of a frequency of the first sampling transition, and to assign the second anomaly representation to the second transition, as a function of a frequency of the second sampling transition.
  - 25. The computing device of claim 24, wherein the anomaly assigner is configured to calculate the frequency of the first transition and the frequency of the second transition based on the frequency over a period of time of the first sampling transition and the second sampling transition with respect to a totality of the plurality of sampling data processing requests obtained.
  - 26. The computing device of claim 14, further comprising:
    - the network interface configured to monitor a second plurality of data processing requests received over the data communication network from a second remote sender;
      
      the transition identifier configured to identify, as a first transition of the second remote sender, a first sequence of data processing requests from the second remote sender comprising a first data processing request of the second plurality of data processing requests and a second data processing request of the second plurality of data processing requests;
      
      the transition identifier configured to identify a similarity between the first transition of the first remote sender and the first transition of the second remote sender; and
      
      the anomaly profiler configured to determine a second anomaly profile for the second remote sender based on the similarity; and
      
      the suspect determiner configured to determine, based on the second anomaly profile and the anomaly threshold, that the remote sender is a second suspect in the resource exhaustion attack.
  - 27. The computing device of claim 14, further comprising:
    - the network interface configured to monitor a second plurality of data processing requests received over the data communication network from a second remote sender;
      
      the transition identifier configured to identify, as a first transition of the second remote sender, a first sequence of data processing requests from the second remote sender comprising a first data processing request of the second plurality of data processing requests and a second data processing request of the second plurality of data processing requests;
      
      the transition identifier configured to identify a similarity between the first transition of the first remote sender and the first transition of the second remote sender;
      
      the anomaly profiler configured to determine, based on the similarity, an aggregated anomaly profile for the first and second remote senders; and
      
      the suspect determiner configured to determine, based on the aggregated anomaly profile and the anomaly threshold, that the first and second remote senders are suspects in the resource exhaustion attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Stuart Staniford
Original Assignee
Stuart Staniford
Inventors
STANIFORD, Stuart

Application Number

US14/974,025
Publication Number

US 20160182542A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

DENIAL OF SERVICE AND OTHER RESOURCE EXHAUSTION DEFENSE AND MITIGATION USING TRANSITION TRACKING

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

172 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

DENIAL OF SERVICE AND OTHER RESOURCE EXHAUSTION DEFENSE AND MITIGATION USING TRANSITION TRACKING

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others