Apparatus and method for an overload control procedure against denial of service attack
Abstract
The present invention is a methodology to prioritize packets based on the conditional probability that, given the values of the attributes carried by a packet, the packet is a legitimate one. We will call this the conditional legitimate probability of a packet from here onward. The conditional probability of each packet is evaluated using a Bayesian estimation technique: the attributes carried by an incoming packet are compared against the “nominal” distribution of attributes of the legitimate packet stream. Since an exact prioritization of packets by their conditional legitimate probability would require offline, multiple-pass operations (e.g. sorting), we take the following alternative approach to realize an online, one-pass selective dropping scheme. In particular, we maintain the cumulative distribution function (CDF) of the conditional legitimate probability of all incoming packets and apply a threshold-based selective dropping mechanism according to the conditional probability value computed for each incoming packet. To speed up the computation of the conditional legitimate probability for each incoming packet, we may, as an alternative, use the logarithmic version of the equation to implement the Bayesian estimation process.

Other features of the invention include: providing means to guarantee a minimum throughput for particular (pre-configured) type(s) of packets; providing a filtering mechanism to suppress noise during estimation and maintenance of the nominal attribute distribution; applying state-of-the-art efficient algorithms and data structures for quantile and histogram building and updates; using proven, industrial-strength load-shedding algorithms as a submodule of the overload control algorithm; and being amenable to practical implementation supporting online, one-pass processing on high-speed communication links.
15 Claims
1. A method of determining packets to be dropped in regard to a potential denial of service attack at a location within a packet network, said method comprising the steps of:
receiving packets at said location within said network;
computing a conditional probability measure for each packet entering said location based on selected attributes included within said packet;
periodically updating a cumulative distribution function based on previously computed conditional probability measures;
determining a drop threshold based on access to said cumulative distribution function;
passing packets that exceed said determined drop threshold to said location.
(Dependent claims 2 to 10 not shown.)

11. A method of determining packets to be dropped in regard to a potential denial of service attack at a location within a packet network, said method comprising the steps of:
receiving packets at said location within said network;
computing a probability measure of an incoming packet based on selected attributes included within said packet;
adjusting a conditional legitimate probability value of said packet;
updating a conditional probability function of conditional probabilities of incoming packets; and
performing a throttling decision as to whether to drop or pass packets through said location.
(Dependent claims 12 to 14 not shown.)

15. An apparatus for determining packets to be dropped in regard to a potential denial of service attack at a location within a packet network, said apparatus comprising:
means for receiving packets at said location within said network;
means for computing a probability measure of an incoming packet based on selected attributes included within said packet;
means for adjusting a conditional legitimate probability value of said packet;
means for updating a conditional probability function of conditional probabilities of incoming packets; and
means for performing a throttling decision as to whether or not to pass packets through said location.
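The following Python program is an added illustration of the scheme described in the abstract and in claims 1 and 11; it is not code from the patent. It assumes a naive-Bayes form of the conditional legitimate probability (a product over three packet attributes of nominal-to-measured marginal ratios, computed in the logarithmic version the abstract mentions), add-one smoothing as a stand-in for the noise-filtering mechanism, a fixed-bin histogram as the CDF data structure, and a drop fraction derived from the arrival-to-capacity ratio as a stand-in for the load-shedding submodule. The traffic (a legitimate mix and a UDP flood with an off-nominal TTL) is constructed inline. Each period's packets are scored in one pass against the measured profile and threshold fixed at the end of the previous period, which is the periodic CDF update of claim 1.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

Packet = Dict[str, object]

def bucketize(pkt: Packet) -> Tuple[str, str, str]:
    """Discretise the scored attributes: protocol, TTL in bands of 16, size in 256-byte bands."""
    return (str(pkt["proto"]), str(int(pkt["ttl"]) // 16), str(int(pkt["size"]) // 256))

class MarginalProfile:
    """Per-attribute marginals with add-one smoothing, used both for the nominal (legitimate)
    profile and for the profile measured over the latest period; smoothing keeps never-seen
    values finite and damps noise from rare nominal values (assumption of this example)."""
    def __init__(self, packets: List[Packet] = ()):
        self.counts, self.total = [Counter(), Counter(), Counter()], 0
        for p in packets:
            self.add(p)
    def add(self, pkt: Packet) -> None:
        for i, v in enumerate(bucketize(pkt)):
            self.counts[i][v] += 1
        self.total += 1
    def log_prob(self, i: int, v: str) -> float:
        vocab = len(self.counts[i]) + 1  # values seen so far plus one slot for the unseen
        return math.log((self.counts[i][v] + 1.0) / (self.total + vocab))

def log_clp(pkt: Packet, nominal: MarginalProfile, measured: MarginalProfile,
            prior_legit: float = 0.5) -> float:
    """Logarithmic conditional legitimate probability in the naive-Bayes form assumed here:
    log P(legit) + sum over attributes of [log P_nominal(value) - log P_measured(value)]."""
    score = math.log(prior_legit)
    for i, v in enumerate(bucketize(pkt)):
        score += nominal.log_prob(i, v) - measured.log_prob(i, v)
    return score

class ScoreCDF:
    """Fixed-bin histogram of scores from which the empirical CDF is read off."""
    def __init__(self, lo: float = -40.0, hi: float = 10.0, bins: int = 500):
        self.lo, self.width, self.bins = lo, (hi - lo) / bins, bins
        self.hist, self.total = [0] * bins, 0
    def add(self, score: float) -> None:
        self.hist[min(self.bins - 1, max(0, int((score - self.lo) / self.width)))] += 1
        self.total += 1
    def threshold(self, drop_fraction: float) -> float:
        """Upper edge of the first bin at which the CDF reaches drop_fraction (-inf: drop nothing)."""
        if drop_fraction <= 0 or self.total == 0:
            return -math.inf
        cum = 0
        for idx, n in enumerate(self.hist):
            cum += n
            if cum / self.total >= drop_fraction:
                return self.lo + (idx + 1) * self.width
        return math.inf

class Throttle:
    """One-pass selective dropping: each packet of period k is scored against the measured
    profile and the drop threshold fixed at the end of period k-1, while period k's own
    statistics accumulate for the next update (the periodic CDF update of claim 1)."""
    def __init__(self, nominal: MarginalProfile, capacity: int):
        self.nominal, self.capacity = nominal, capacity
        self.measured, self.threshold = nominal, -math.inf  # link assumed to start nominal
        self._next_measured, self._cdf = MarginalProfile(), ScoreCDF()
    def admit(self, pkt: Packet) -> bool:
        score = log_clp(pkt, self.nominal, self.measured)
        self._cdf.add(score)
        self._next_measured.add(pkt)
        return score > self.threshold  # pass only packets that exceed the drop threshold
    def end_period(self) -> float:
        # Required drop fraction from the overload ratio (stand-in for a load-shedding submodule).
        arrivals = self._next_measured.total
        drop_fraction = max(0.0, 1.0 - self.capacity / arrivals) if arrivals else 0.0
        self.threshold = self._cdf.threshold(drop_fraction)
        self.measured = self._next_measured
        self._next_measured, self._cdf = MarginalProfile(), ScoreCDF()
        return self.threshold

def legit_packets(n: int) -> List[Packet]:
    """Constructed legitimate traffic: 70% TCP, TTL 64 or 128, sizes spread over 60..1499 bytes."""
    return [{"proto": "tcp" if i % 10 < 7 else ("udp" if i % 10 < 9 else "icmp"),
             "ttl": 64 if i % 2 == 0 else 128, "size": 60 + (i * 37) % 1440, "label": "legit"}
            for i in range(n)]

def attack_packets(n: int) -> List[Packet]:
    """Constructed flood: identical UDP packets with an off-nominal TTL."""
    return [{"proto": "udp", "ttl": 255, "size": 1024, "label": "attack"} for _ in range(n)]

def run_demo(capacity: int = 100) -> Dict[str, float]:
    """Three periods: nominal load, then two periods of 40 legitimate plus 160 flood packets."""
    throttle = Throttle(MarginalProfile(legit_packets(100)), capacity)
    periods = [legit_packets(100), legit_packets(40) + attack_packets(160),
               legit_packets(40) + attack_packets(160)]
    out: Dict[str, float] = {}
    for k, pkts in enumerate(periods, 1):
        out[f"p{k}_threshold_used"] = throttle.threshold
        passed = Counter(p["label"] for p in pkts if throttle.admit(p))
        out[f"p{k}_legit"], out[f"p{k}_attack"] = passed["legit"], passed["attack"]
        throttle.end_period()
    return out

if __name__ == "__main__":
    print(run_demo())  # period 3: flood packets all dropped, nearly all legitimate ones pass
```

The first flood period passes everything because the threshold and measured profile still reflect nominal conditions; from the next period on, the 160 flood packets score far below the threshold and are dropped while 38 of the 40 legitimate packets pass (the two legitimate UDP packets whose size falls in the flood's size band are the collateral loss). The threshold only fixes a quantile of the previous period's score distribution, so the admitted load can fall well under capacity for a period; the minimum-throughput guarantee and the efficient quantile structures listed in the abstract are not modelled here.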