Method to detect SYN flood attack

US 7,865,954 B1
Filed: 08/24/2007
Issued: 01/04/2011
Est. Priority Date: 08/24/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method of detecting a SYN flooding attack at a server having a communication port comprising the steps of:

(a) determining the number of SYN signals received or SYN+ACK signals sent over said communication port within a predetermined time length arrival estimation window at predetermined time intervals within said arrival estimation window;

(b) predicting the number of ACK signals to be received over said communication port in a predetermined time length prediction window at predetermined time intervals within said prediction window, said prediction window being offset in time from said arrival estimation window, where said prediction of the number of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in said arrival estimation window;

(c) determining the number of ACK signals received over said port in said prediction window at predetermined time intervals within said prediction window;

(d) comparing said predicted number of ACK signals at predetermined time intervals within said prediction window with said determined number of ACK signals received at predetermined intervals within said prediction time window to produce a compared value;

(e) predicting a SYN flood attack if said compared value exceeds a predetermined threshold value;

(f) advancing in time said arrival estimation window and said prediction window and repeat steps (a)-(e) with said advanced arrival estimation window and advanced prediction window;

(g) if a SYN flood attack is predicted, providing notification of such to a user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is a method of predicting a SYN flooding attack on a server. The method tracks the number of SYN signals received (or SYN+ACK signals sent) over the communications port of the server in a specified time interval, the arrival estimation window. The invention then predicts the number of anticipated ACK signals to be received over the communication port within a predetermined time length prediction window. The prediction may be made at multiple points within the prediction window. The prediction window is offset in time from the arrival estimation window. The prediction of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in the arrival estimation window. In one embodiment, a polynomial is fit to the data in the Arrival estimation window and extrapolated to the prediction window. The predicted number of ACK signals is compared to the actual number received in the prediction window, and if the difference is in excess of a threshold value, and attack is indicated.

Citations

13 Claims

1. A method of detecting a SYN flooding attack at a server having a communication port comprising the steps of:
- (a) determining the number of SYN signals received or SYN+ACK signals sent over said communication port within a predetermined time length arrival estimation window at predetermined time intervals within said arrival estimation window;
  
  (b) predicting the number of ACK signals to be received over said communication port in a predetermined time length prediction window at predetermined time intervals within said prediction window, said prediction window being offset in time from said arrival estimation window, where said prediction of the number of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in said arrival estimation window;
  
  (c) determining the number of ACK signals received over said port in said prediction window at predetermined time intervals within said prediction window;
  
  (d) comparing said predicted number of ACK signals at predetermined time intervals within said prediction window with said determined number of ACK signals received at predetermined intervals within said prediction time window to produce a compared value;
  
  (e) predicting a SYN flood attack if said compared value exceeds a predetermined threshold value;
  
  (f) advancing in time said arrival estimation window and said prediction window and repeat steps (a)-(e) with said advanced arrival estimation window and advanced prediction window;
  
  (g) if a SYN flood attack is predicted, providing notification of such to a user.
- View Dependent Claims (2)
- - 2. The method of claim 1 where said predetermined time length estimation window is of length N time samples, and said predetermined time length prediction window is of length P time samples, and said step (b) of predicting the number of ACK signals is undertaken by the steps of(b1) fitting a polynomial of degree less then N to the number of SYN or SYN+ACK signals at said N time samples of said estimation window(b2) extrapolating said fitted polynomial to said time samples P of said prediction window.

3. A method of detecting a SYN flooding attack at a server having a communication port comprising the steps of:
- (a) determining the number of ACK signals received over said communication port within a predetermined time length departure estimation window at predetermined time intervals within said departure estimation window;
  
  (b) predicting the number of SYN signals to be received or SYN+ACK signals to be sent over said communication port in a predetermined time length reconstruction window at predetermined time intervals within said reconstruction window, said reconstruction window being offset in time from said departure estimation window, where said prediction of the number of SYN signals or SYN+ACK signals is based upon the number of ACK signals received in said departure estimation window;
  
  (c) determining the number of SYN signals received or SYN+ACK signals sent over said port in said reconstruction window at predetermined time intervals within said reconstruction window;
  
  (d) comparing said predicted number of SYN or SYN+ACK signals at predetermined time intervals within said reconstruction window with said determined number of SYN or SYN+ACK signals at predetermined intervals within said reconstruction window to produce a compared value;
  
  (e) predicting a SYN flood attack if said compared value exceeds a predetermined threshold value;
  
  (f) advancing in time said departure estimation window and said reconstruction window and repeat steps (a)-(e) with said advanced departure estimation window and advanced reconstruction window;
  
  (g) if a SYN flood attack is predicted, providing notification of such to a user.

4. A method of detecting a SYN flooding attack at a server having a communication port comprising the steps of:
- (a) determining the number of SYN signals received or SYN+ACK signals sent over said communication port within a predetermined time length arrival estimation window at predetermined time intervals within said arrival estimation window;
  
  (b) predicting the number of ACK signals to be received over said communication port in a predetermined time length prediction window at predetermined time intervals within said prediction window, said prediction window being offset in time from said arrival estimation window, where said prediction of the number of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in said arrival estimation window;
  
  (c) determining the number of ACK signals received over said port in said prediction window at predetermined time intervals within said prediction window;
  
  (d) comparing said predicted number of ACK signals at predetermined time intervals within said prediction window with said determined number of ACK signals received at predetermined intervals within said prediction window to produce a compared first value;
  
  (e) determining the number of ACK signals received over said communication port within a predetermined time length departure estimation window at predetermined time intervals within said departure estimation window;
  
  (f) predicting the number of SYN signals to be received or SYN+ACK signals to be sent over said communication port in a predetermined time length reconstruction window at predetermined time intervals within said reconstruction window, said reconstruction window being offset in time from said departure estimation window, where said prediction of the number of SYN signals or SYN+ACK signals is based upon the number of ACK signals received in said departure estimation window;
  
  (g) determining the number of SYN signals received or SYN+ACK signals sent over said port in said reconstruction window at predetermined time intervals within said reconstruction window;
  
  (h) comparing said predicted number of SYN or SYN+ACK signals at predetermined time intervals within said reconstruction window with said determined number of SYN or SYN+ACK signals at predetermined intervals within said reconstruction window to produce a compared second value;
  
  (i) combining the compared first value with the compared second value;
  
  (j) predicting a SYN flood attack if said combined value from step (i) exceeds a predetermined threshold value;
  
  (k) advancing in time said departure estimation window, said arrival estimation window, said prediction window and said reconstruction window and repeat steps (a)-(j) with said advanced arrival estimation window, said advanced departure estimation window, said advanced reconstruction window and said advanced prediction window;
  
  (l) if a SYN flood attack is predicted, providing notification of such to a use.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 13)
- - 5. The method of claim 4 wherein said predetermined time length arrival estimation window is of length N time samples, and said predetermined time length departure estimation window is of length M time samples, said prediction window is of length P time samples, said reconstruction window is of length R time samples, and said step of predicting the number of ACK signals is undertaken by the steps offitting a polynomial of degree less then N to the number of SYN or SYN+ACK signals at said N time samples of said arrival estimation window, andextrapolating said fitted polynomial to said time samples P of said prediction window;
    - and said step of predicting the number of SYN or SYN+ACK signals is undertaken by the steps offitting a polynomial of degree less then M to the number of ACK signals at said M time samples of said departure estimation window andextrapolating said fitted polynomial to said time samples R of said reconstruction window.
  - 6. The method of claim 4 wherein said step of combining the compared value of step (h) with the compared value of step (d) is undertaken by adding the absolute values of the two compared values.
  - 7. The method of claim 4 wherein said step of combining the compared value of step (h) with the compared value of step (d) is undertaken by subtracting said compared value from step (h) from said compared value from step (d).
  - 8. The method of claim 4 wherein said step of comparing said predicted number of SYN or SYN+ACK signals at predetermined time intervals within said reconstruction window with said determined number of SYN or SYN+ACK signals at predetermined intervals within said reconstruction window to produce a compared second value comprises finding the maximum absolute value of the difference between said predicted number of SYN or SYN+ACK signals with said determined number of SYN or SYN+ACK signals at each predetermined interval within said reconstruction window.
  - 9. The method of claim 8 further comprising assigning to said second compared value the value of said maximum absolute value found in claim 8, and assigning to said second compared value of the sign of the number from which the maximum absolute value was determined.
  - 10. The method of claim 4 wherein said reconstruction window overlaps said prediction window.
  - 11. The method of claim 10 wherein said overlap is complete overlap.
  - 13. The method of claim 4 wherein said step of comparing said predicted number of ACK signals at predetermined time intervals within said prediction window with said determined number of ACK signals at predetermined intervals within said prediction window to produce a compared first value comprises finding the maximum absolute value of the difference between said predicted number of ACK signals with said determined number of ACK signals at each predetermined interval within said prediction time window.

12. A computer readable non-transitory medium having encoded thereon a series of machine executable instructions for executing the steps of(a) determining the number of SYN signals received or SYN+ACK signals sent over said communication port within a predetermined time length arrival estimation window at predetermined time intervals within said arrival estimation window;
- (b) predicting the number of ACK signals to be received over said communication port in a predetermined time length prediction window at predetermined time intervals within said prediction window, said prediction window being offset in time from said arrival estimation window, where said prediction of the number of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in said arrival estimation window;
  
  (c) determining the number of ACK signals received over said port in said prediction window at predetermined time intervals within said prediction window;
  
  (d) comparing said predicted number of ACK signals at predetermined time intervals within said prediction window with said determined number of ACK signals received at predetermined intervals within said prediction time window to produce a compared value;
  
  (e) predicting a SYN flood attack if said compared value exceeds a predetermined threshold value;
  
  (f) advancing in time said arrival estimation window and said prediction window and repeat steps (a)-(e) with said advanced arrival estimation window and advanced prediction window;
  
  (g) if a SYN flood attack is predicted, providing notification of such to a user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Louisiana Tech Research Corporation
Original Assignee
Louisiana Tech Research Foundation; A Division Of Louisiana Tech University Foundation, Inc.
Inventors
Phoha, Vir V., Balagani, Kiran S.
Primary Examiner(s)
Revak; Christopher A

Application Number

US11/844,841
Time in Patent Office

1,229 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1466 Active attacks involving in...

Method to detect SYN flood attack

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method to detect SYN flood attack

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links