Connection based denial of service detection

US 8,191,136 B2
Filed: 11/03/2003
Issued: 05/29/2012
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, the method comprising:

examining packet count and byte count statistics to determine whether a host is a potential victim host of a denial of service (DoS) attack;

in response to determining that the host is a potential victim host of a DoS attack, determining whether the host previously experienced a variance in inbound packet rate that exceeded a variance threshold;

in response to determining that the host previously did not experience a variance in inbound traffic that exceeded the variance threshold, indicating that a neighboring host is a possible DoS attacker when a current traffic rate from the neighboring host to the host exceeds an average traffic rate from the neighboring host to the host;

in response to determining that the host previously experienced a variance in inbound packet rate that exceeded the variance threshold,determining a first threshold based on a historical variance of a byte rate from a neighboring host to the host,determining a second threshold based on a historical variance of a packet rate from the neighboring host to the host,determining whether a current outbound byte rate from the neighboring host to the host exceeds the first threshold, anddetermining whether a current outbound packet rate from the neighboring host to the host exceeds the second threshold; and

in response to determining that the current outbound byte rate from the neighboring host to the host exceeds the first threshold or the current outbound packet rate from the neighboring host to the host exceeds the second threshold, indicating that the neighboring host is a possible attacker.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Citations

28 Claims

1. A computer implemented method, the method comprising:
- examining packet count and byte count statistics to determine whether a host is a potential victim host of a denial of service (DoS) attack;
  
  in response to determining that the host is a potential victim host of a DoS attack, determining whether the host previously experienced a variance in inbound packet rate that exceeded a variance threshold;
  
  in response to determining that the host previously did not experience a variance in inbound traffic that exceeded the variance threshold, indicating that a neighboring host is a possible DoS attacker when a current traffic rate from the neighboring host to the host exceeds an average traffic rate from the neighboring host to the host;
  
  in response to determining that the host previously experienced a variance in inbound packet rate that exceeded the variance threshold,determining a first threshold based on a historical variance of a byte rate from a neighboring host to the host,determining a second threshold based on a historical variance of a packet rate from the neighboring host to the host,determining whether a current outbound byte rate from the neighboring host to the host exceeds the first threshold, anddetermining whether a current outbound packet rate from the neighboring host to the host exceeds the second threshold; and
  
  in response to determining that the current outbound byte rate from the neighboring host to the host exceeds the first threshold or the current outbound packet rate from the neighboring host to the host exceeds the second threshold, indicating that the neighboring host is a possible attacker.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein determining whether the host is a victim of a DoS attack, further comprises:
    - comparing current measured inbound byte rate with historical average inbound byte rate for a current profiled time period and the corresponding historical profiled time period.
  - 3. The method of claim 1 further comprising:
    - determining if a host of the connected hosts has a large variance in inbound packet and byte rate; and
      
      if the host has a large variance,calculating a variance to provide an appropriate margin of error before raising an alert of a DOS attack.
  - 4. The method of claim 3 wherein calculating the margin of error, includes evaluating
    (c>
    - (h+C1*σ
      
      )*C2)wherein “
      
      σ
      
      ²”
      
      is the variance of the host'"'"'s inbound byte rate, “
      
      c”
      
      the host'"'"'s current incoming byte rate, with “
      
      C1” and
      
      “
      
      C2”
      
      being selectable constants and “
      
      h”
      
      being the host'"'"'s historical average incoming byte rate;
      
      wherein if the inequality is true, then the host H is considered under a possible DoS attack.
  - 5. The method of claim 3 further comprising:
    - determining if the incoming packet count is above a threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.
  - 6. The method of claim 1 determining if conditions of a possible attack have been determined and increasing the severity of the reported event to reflect a corresponding degree of certainty that the event is a DOS attack.
  - 7. The method of claim 1 wherein conditions that influence whether an event is an attack include determining if the suspected victim is receiving traffic from a large number of other hosts relative to historical profile large number of other hosts.
  - 8. The method of claim 7 wherein conditions that influence whether an event is an attack include determining whether most of the hosts connecting to the suspected victim do not exist in the profile connection table.
  - 9. The method of claim 8 wherein conditions that influence whether an event is an attack include determining if most of the new traffic to the host is UDP, ICMP, or unknown protocols.
  - 10. The method of claim 8 further comprising:
    - using conditions of a possible attack to elevate the severity of the reported event.
  - 11. The method of claim 8 wherein if a host is determined to be a DoS victim, further comprising:
    - examining the host'"'"'s neighbors to determine which hosts are possible attackers.
  - 12. The method of claim 11 wherein examining comprisesfor each neighbor “
    - H_—{0}”
      
      of the host determining the byte rate from “
      
      H_—{0}”
      
      to the host, according to
      c_—{0}>
      
      (h_—{0}+C1*σ
      
      ²_—{0})*C2,
      
      wherein “
      
      c_—{0}”
      
      is the current byte rate from “
      
      H_—{0}”
      
      to “
      
      H”
      
      , “
      
      h_—{0}”
      
      is the historical average byte rate from “
      
      H_—{0}”
      
      to “
      
      H”
      
      , “
      
      C1” and
      
      “
      
      C2”
      
      are constants, and “
      
      σ
      
      ²_—{0}”
      
      is the variance of the byte rate from “
      
      H”
      
      to “
      
      H_—{0}”
      
      ; and
      
      indicating that “
      
      H_—{0}”
      
      is a suspected attacker of “
      
      H”
      
      if the inequality is satisfied.
  - 13. The method of claim 11 wherein examining comprisesfor each neighbor “
    - H_—{0}”
      
      of the host determining the byte rate from the host to “
      
      H_—{0}”
      
      , according to
      c_—{0}>
      
      (h_—{0}+C1*σ
      
      ²_—{0})*C2wherein “
      
      c_—{0}”
      
      is the current byte rate to “
      
      H_—{0}”
      
      from “
      
      H”
      
      , “
      
      h_—{0}”
      
      the historical average byte rate to “
      
      H_—{0}”
      
      from “
      
      H”
      
      , “
      
      C1” and
      
      “
      
      C2”
      
      are constants, and “
      
      σ
      
      ²_—{0}”
      
      is the variance of the byte rate to “
      
      H”
      
      from “
      
      H_—{0}”
      
      ; and
      
      indicating that “
      
      H_—{0}”
      
      is a suspected attacker of “
      
      H”
      
      if the inequality is satisfied.

14. A computer program product residing on a non-transitory computer readable medium for detecting denial of service attacks, comprising instructions for causing a computer to:
- examine packet count and byte count to determine whether a host is a potential victim host of a denial of service (DoS) attack;
  
  in response to determining that the host is a potential victim host of a DoS attack, determining whether the host previously experienced a variance in inbound packet rate that exceeded a variance threshold;
  
  in response to determining that the host previously did not experience a variance in inbound traffic that exceeded the variance threshold, indicating that a neighboring host is a possible DoS attacker when a current traffic rate from the neighboring host to the host exceeds an average traffic rate from the neighboring host to the host;
  
  in response to determining that the host previously experienced a variance in inbound packet rate that exceeded a variance threshold,determining a first threshold based on a historical variance of a byte rate from a neighboring host to the host,determining a second threshold based on a historical variance of a packet rate from the neighboring host to the host,determining whether a current outbound byte rate from the neighboring host to the host exceeds the first threshold, anddetermining whether a current outbound packet rate from the neighboring host to the host exceeds the second threshold; and
  
  in response to determining that the current outbound byte rate from the neighboring host to the host exceeds the first threshold or the current outbound packet rate from the neighboring host to the host exceeds the second threshold, indicating that the neighboring host is a possible attacker.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The computer program product of claim 14 wherein instructions to determine whether the host is a victim of a DoS attack, further comprises instructions to:
    - compare current measured inbound byte rate with historical average inbound byte rate for a current profiled time period and the corresponding historical profiled time period.
  - 16. The computer program product of claim 14 further comprising instructions to:
    - determine if a host of the connected hosts has a large variance in inbound packet and byte rate; and
      
      if the host has a large variancecalculate a variance to provide an appropriate margin of error before raising an alert of a DOS attack.
  - 17. The computer program product of claim 14 wherein instructions to calculate the margin of error, includes evaluating
    (c>
    - (h+C1*σ
      
      )*C2)wherein “
      
      σ
      
      ²”
      
      is the variance of the host'"'"'s inbound byte rate, “
      
      c”
      
      the host'"'"'s current incoming byte rate, with “
      
      C1” and
      
      “
      
      C2”
      
      being selectable constants and “
      
      h”
      
      being the host'"'"'s historical average incoming byte rate;
      
      wherein if the inequality is true, then the host H is considered under a possible DoS attack.
  - 18. The computer program product of claim 14 further comprising instructions to:
    - determine if the incoming packet count is above a threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.
  - 19. The computer program product of claim 14 wherein instructions to determine if conditions of a possible attack have been determined and increasing the severity of the reported event to reflect a corresponding degree of certainty that the event is a DOS attack.
  - 20. The computer program product of claim 14 wherein conditions that influence whether an event is an attack include determining if most of the new traffic to the host is UDP, ICMP, or unknown protocols.
  - 21. The computer program product of claim 14 further comprising instructions to:
    - use conditions of a possible attack to elevate the severity of the reported event.
  - 22. The computer program product of claim 14 wherein instructions to examine further comprise instructions to:
    - determine for each neighbor “
      
      H_—{0}”
      
      of the host the byte rate from the host to “
      
      H_—{0}”
      
      , according to
      c_—{0}>
      
      (h_—{0}+C1*σ
      
      ²_—{0})*C2wherein “
      
      c_—{0}”
      
      is the current byte rate to “
      
      H_—{0}”
      
      from “
      
      H”
      
      , “
      
      h_—{0}”
      
      the historical average byte rate to “
      
      H_—{0}”
      
      from “
      
      H”
      
      , “
      
      C1” and
      
      “
      
      C2”
      
      are constants, and “
      
      σ
      
      ²_—{0}”
      
      is the variance of the byte rate to “
      
      H”
      
      from “
      
      H_—{0}”
      
      ; and
      
      indicate that “
      
      H_—{0}”
      
      is a suspected attacker of “
      
      H”
      
      if the inequality is satisfied.

23. Apparatus comprising:
- a processing device;
  
  a memory;
  
  a computer readable medium for storing a computer program product for detecting denial of service attacks, the computer program product comprising instructions for causing the processing device to;
  
  examine packet count and byte count to determine whether a host is a potential victim host of a denial of service (DoS) attack;
  
  in response to determining that the host is a potential victim host of a DoS attack, determine whether the host previously experienced a variance in inbound packet rate that exceeded a variance threshold;
  
  in response to determining that the host previously did not experience a variance in inbound traffic that exceeded the variance threshold, indicate that a neighboring host is a possible DoS attacker when a current traffic rate from the neighboring host to the host exceeds an average traffic rate from the neighboring host to the host;
  
  in response to determining that the host previously experienced a variance in inbound packet rate that exceeded a variance threshold,determine a first threshold based on a historical variance of a byte rate from a neighboring host to the host,determine a second threshold based on a historical variance of a packet rate from the neighboring host to the host,determine whether a current outbound byte rate from the neighboring host to the host exceeds the first threshold, anddetermine whether a current outbound packet rate from the neighboring host to the host exceeds the second threshold; and
  
  in response to determining that the current outbound byte rate from the neighboring host to the host exceeds the first threshold or the current outbound packet rate from the neighboring host to the host exceeds the second threshold, indicate that the neighboring host is a possible attacker.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The apparatus of claim 23 wherein instructions to determine whether the host is a victim of a DoS attack, further comprises instructions to:
    - compare current measured inbound byte rate with historical average inbound byte rate for a current profiled time period and the corresponding historical profiled time period.
  - 25. The apparatus of claim 23 wherein further comprising instructions to:
    - determine if a host of the connected hosts has a large variance in inbound packet and byte rate; and
      
      if the host has a large variancecalculate a variance to provide an appropriate margin of error before raising an alert of a DOS attack.
  - 26. The apparatus of claim 23 wherein instructions to calculate the margin of error, includes evaluating
    (c>
    - (h+C1*σ
      
      )*C2)wherein “
      
      σ
      
      ²”
      
      is the variance of the host'"'"'s inbound byte rate, “
      
      c”
      
      the host'"'"'s current incoming byte rate, with “
      
      C1” and
      
      “
      
      C2”
      
      being selectable constants and “
      
      h”
      
      being the host'"'"'s historical average incoming byte rate;
      
      wherein if the inequality is true, then the host H is considered under a possible DoS attack.
  - 27. The apparatus of claim 23 further comprising instructions to:
    - determine if the incoming packet count is above a threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.
  - 28. The apparatus of claim 23 wherein instructions to determine if conditions of a possible attack have been determined and increasing the severity of the reported event to reflect a corresponding degree of certainty that the event is a DOS attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Dudfield, Anne Elizabeth, Poletto, Massimiliano Antonio
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Truvan, Leynna T

Application Number

US10/701,381
Publication Number

US 20040220984A1
Time in Patent Office

3,130 Days
Field of Search

709/227, 709/229, 709201-204, 709223-225, 709232-235, 709/238, 370229-2351, 370/242, 726/18, 726 22- 27, 726 30- 31, 726 1- 6, 726 11- 14, 380229-2351, 380/242, 713188-190, 710 16- 21, 710 28- 29, 710/33, 710 60- 61
US Class Current

726/22
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/22   comprising specially adapte...

H04L 43/06   Generation of reports

H04L 43/0894   Packet rate

H04L 43/16   Threshold monitoring

H04L 63/1458   Denial of Service

Connection based denial of service detection

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Connection based denial of service detection

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links