METHOD AND SYSTEM FOR PROTECTION AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACKS

US 20170118242A1
Filed: 03/27/2014
Published: 04/27/2017
Est. Priority Date: 03/27/2014
Status: Active Application

First Claim

Patent Images

1-9. -9. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A denial-of-service protection system may include a memory operable to store a behavior model and a processor communicatively coupled to the memory. The processor is capable of detecting a potential attack on the system, and receiving a first request from an endpoint. In response to receiving the first request from the endpoint, the processor may communicate an error to the endpoint. The processor may also receive a second request, from the endpoint and determine whether the second request from the endpoint deviates from the behavior model. If the second request from the endpoint deviates from the behavior model, the processor may deny traffic from the endpoint. If the second request from the endpoint does not deviate from the behavior model, then the processor may allow traffic from the endpoint.

15 Citations

View as Search Results

29 Claims

1-9. -9. (canceled)

10. A method for protecting a system from a denial-of-service attack comprising:
- storing a behavior model;
  
  detecting a potential attack on the system;
  
  receiving a first request from an endpoint;
  
  in response to receiving the first request from the endpoint, communicating an error to the endpoint;
  
  receiving a second request from the endpoint;
  
  determining whether the second request from the endpoint deviates from the behavior model;
  
  if the second request from the endpoint deviates from the behavior model, denying traffic from the endpoint; and
  
  if the second request from the endpoint does not deviate from the behavior model, allowing traffic from the endpoint.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 28)
- - 11. The method of claim 10, further comprising:
    - receiving a first baseline request from a friendly endpoint during a baseline period;
      
      determining a baseline error message based at least in part upon the first baseline request;
      
      communicating the baseline error message to the friendly endpoint;
      
      receiving a second baseline request from the friendly endpoint during the baseline period;
      
      determining a response characteristic associated with the second baseline request received during the baseline period; and
      
      generating the behavior model based in part upon the response characteristic.
  - 12. The method of claim 11, wherein determining the baseline error comprises randomly selecting a first error message from a plurality of error messages associated with the first baseline request.
  - 13. The method of claim 11, wherein determining the baseline error comprises determining a delay period associated with the baseline error message.
  - 14. The method of claim 11, wherein determining the response characteristic associated with the second baseline request comprises determining a time period of delay before receiving the second baseline request.
  - 15. The method of claim 11, wherein generating the behavior model comprises:
    - generating an input vector for a clustering algorithm based at least in part upon the response characteristic associated with the second baseline request received during the baseline period; and
      
      applying the clustering algorithm to the input vector.
  - 16. The method of claim 15, wherein the clustering algorithm is based at least in part upon adaptive resonance theory.
  - 17. The method of claim 11, wherein determining system characteristics during the baseline period comprises:
    - determining processor load during the baseline period;
      
      determining memory usage during the baseline period; and
      
      determining processing time during the baseline period.
  - 18. The method of claim 10, wherein denying traffic from the endpoint comprises denying traffic from an IP address associated with the endpoint.
  - 28. The method of claim 12, wherein determining the baseline error comprises determining a delay period associated with the baseline error message.

19. A server comprising:
- a memory; and
  
  a processor communicatively coupled to the memory, the processor operable to;
  
  detect a potential attack on the system;
  
  receive a first request from an endpoint;
  
  in response to receiving the first request from the endpoint, communicate an error to the endpoint;
  
  receive a second request from the endpoint;
  
  determine whether the second request from the endpoint deviates from a behavior model;
  
  if the second request from the endpoint deviates from the behavior model, deny traffic from the endpoint; and
  
  if the second request from the endpoint does not deviate from the behavior model, allow traffic from the endpoint.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 29)
- - 20. The server of claim 19, wherein the processor is further operable to:
    - receive a first baseline request from a friendly endpoint during a baseline period;
      
      determine a baseline error message based at least in part upon the first baseline request;
      
      communicate the baseline error message to the friendly endpoint;
      
      receive a second baseline request from the friendly endpoint during the baseline period;
      
      determine a response characteristic associated with the second baseline request received during the baseline period; and
      
      generate the behavior model based in part upon the response characteristic.
  - 21. The server of claim 20, wherein the processor operable to determine the baseline error message comprises the processor operable to randomly select a first error message from a plurality of error messages associated with the first baseline request.
  - 22. The server of claim 20, wherein the processor operable to determine the baseline error message comprises the processor operable to determine a delay period associated with the baseline error message.
  - 23. The server of claim 20, wherein the processor operable to determine the response characteristic associated with the second baseline request comprises the processor operable to determine a time period of delay before receiving the second baseline request.
  - 24. The server of claim 20, wherein the processor operable to generate the behavior model comprises the processor operable to:
    - generate an input vector for a clustering algorithm based at least in part upon the response characteristic associated with the second baseline request received during the baseline period; and
      
      apply the clustering algorithm to the input vector.
  - 25. The server of claim 24, wherein the clustering algorithm is based at least in part upon adaptive resonance theory.
  - 26. The server of claim 20, wherein the processor is further operable to determine system characteristics during the baseline period by:
    - determining processor load during the baseline period;
      
      determining memory usage during the baseline period; and
      
      determining processing time during the baseline period.
  - 27. The server of claim 19, wherein the processor operable to deny traffic from the endpoint comprises the processor operable to deny traffic from an IP address associated with the endpoint.
  - 29. The server of claim 21, wherein the processor operable to determine the baseline error message comprises the processor operable to determine a delay period associated with the baseline error message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Georgescu, Sorin-Marian

Application Number

US15/129,179
Publication Number

US 20170118242A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

METHOD AND SYSTEM FOR PROTECTION AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR PROTECTION AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links