Connection based denial of service detection
First Claim
1. A computer implemented method, the method comprising:
examining packet count and byte count statistics to determine whether a host is a potential victim host of a denial of service (DoS) attack;
in response to determining that the host is a potential victim host of a DoS attack, determining whether the host previously experienced a variance in inbound packet rate that exceeded a variance threshold;
in response to determining that the host previously did not experience a variance in inbound traffic that exceeded the variance threshold, indicating that a neighboring host is a possible DoS attacker when a current traffic rate from the neighboring host to the host exceeds an average traffic rate from the neighboring host to the host;
in response to determining that the host previously experienced a variance in inbound packet rate that exceeded the variance threshold, determining a first threshold based on a historical variance of a byte rate from a neighboring host to the host, determining a second threshold based on a historical variance of a packet rate from the neighboring host to the host, determining whether a current outbound byte rate from the neighboring host to the host exceeds the first threshold, and determining whether a current outbound packet rate from the neighboring host to the host exceeds the second threshold; and
in response to determining that the current outbound byte rate from the neighboring host to the host exceeds the first threshold or the current outbound packet rate from the neighboring host to the host exceeds the second threshold, indicating that the neighboring host is a possible attacker.
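The claim above describes a two-branch decision: once a host looks like a potential victim, the detector checks whether that host's inbound packet rate has historically been bursty, and then judges each neighbor either against its plain average (stable history) or against thresholds derived from the historical variance of its byte and packet rates (bursty history). The following is an added worked example of that logic, not code from the patent or its assignee. The claim does not fix how "potential victim" is decided or how a threshold is "based on" historical variance; this example assumes a mean-plus-k-standard-deviations rule for both, and all host addresses, rates and the variance threshold are constructed sample values.

```python
from dataclasses import dataclass
from statistics import mean, pstdev, pvariance
from typing import Dict, List, Tuple


@dataclass
class NeighborStats:
    """Per-interval traffic from one neighboring host to the monitored host."""
    byte_rates: List[float]     # historical bytes/s, one value per past interval
    packet_rates: List[float]   # historical packets/s, one value per past interval
    current_bytes: float        # bytes/s in the interval being evaluated
    current_packets: float      # packets/s in the interval being evaluated


@dataclass
class HostStats:
    """Aggregate inbound traffic for the monitored (potential victim) host."""
    inbound_packet_rates: List[float]
    inbound_byte_rates: List[float]
    current_inbound_packets: float
    current_inbound_bytes: float
    neighbors: Dict[str, NeighborStats]


def is_potential_victim(host: HostStats, k: float = 3.0) -> bool:
    """Step 1: examine packet and byte count statistics.

    Assumption (the claim does not fix the rule): the host is a potential victim
    when its current inbound packet or byte rate exceeds the historical mean by
    more than k standard deviations.
    """
    pkt_limit = mean(host.inbound_packet_rates) + k * pstdev(host.inbound_packet_rates)
    byte_limit = mean(host.inbound_byte_rates) + k * pstdev(host.inbound_byte_rates)
    return host.current_inbound_packets > pkt_limit or host.current_inbound_bytes > byte_limit


def had_high_variance(host: HostStats, variance_threshold: float) -> bool:
    """Step 2: did the host's inbound packet rate historically vary more than the threshold?"""
    return pvariance(host.inbound_packet_rates) > variance_threshold


def neighbor_thresholds(n: NeighborStats, k: float = 3.0) -> Tuple[float, float]:
    """Step 4: first (byte-rate) and second (packet-rate) thresholds for a host with a
    bursty history, derived from the neighbor's historical variance.
    Assumption: threshold = historical mean + k standard deviations."""
    first = mean(n.byte_rates) + k * pstdev(n.byte_rates)
    second = mean(n.packet_rates) + k * pstdev(n.packet_rates)
    return first, second


def flag_attackers(host: HostStats, variance_threshold: float, k: float = 3.0) -> List[str]:
    """Return the neighbors indicated as possible DoS attackers, following the claimed branches."""
    if not is_potential_victim(host, k):
        return []
    suspects: List[str] = []
    if not had_high_variance(host, variance_threshold):
        # Step 3: stable history, so a neighbor sending above its own average stands out.
        for name, n in host.neighbors.items():
            if n.current_packets > mean(n.packet_rates) or n.current_bytes > mean(n.byte_rates):
                suspects.append(name)
    else:
        # Steps 4 and 5: bursty history, so compare against variance-derived thresholds.
        for name, n in host.neighbors.items():
            first, second = neighbor_thresholds(n, k)
            if n.current_bytes > first or n.current_packets > second:
                suspects.append(name)
    return suspects


# Constructed sample data (not measurements from any real network).
# A host whose inbound packet rate has been steady; one neighbor suddenly floods it.
STABLE_HOST = HostStats(
    inbound_packet_rates=[100, 102, 98, 101, 99],
    inbound_byte_rates=[60000, 61000, 59000, 60500, 59500],
    current_inbound_packets=5000,
    current_inbound_bytes=300000,
    neighbors={
        "10.0.0.5": NeighborStats([20000] * 5, [40] * 5, 250000, 4800),
        "10.0.0.7": NeighborStats([30000, 31000, 29000, 30500, 29500], [50, 52, 48, 51, 49], 30000, 50),
    },
)

# A host whose inbound traffic is naturally bursty (e.g. periodic backups); the same
# plain-average rule would flag 10.0.0.11, but the variance-based thresholds do not.
BURSTY_HOST = HostStats(
    inbound_packet_rates=[100, 900, 150, 800, 120],
    inbound_byte_rates=[60000, 540000, 90000, 480000, 72000],
    current_inbound_packets=5000,
    current_inbound_bytes=300000,
    neighbors={
        "10.0.0.9": NeighborStats([10000, 90000, 15000, 80000, 12000], [10, 90, 15, 80, 12], 300000, 4900),
        "10.0.0.11": NeighborStats([10000, 90000, 15000, 80000, 12000], [10, 90, 15, 80, 12], 85000, 88),
    },
)

if __name__ == "__main__":
    print("stable host suspects:", flag_attackers(STABLE_HOST, variance_threshold=50.0))
    print("bursty host suspects:", flag_attackers(BURSTY_HOST, variance_threshold=50.0))
```

The bursty case is the reason the claim branches: a neighbor whose traffic has always swung widely is only indicated when its current rate clears a threshold that accounts for that historical spread, which keeps legitimate periodic bulk transfers from being reported as attacks. One caveat for anyone adapting this: a neighbor with a perfectly constant history has a standard deviation of zero, so the stable-branch and threshold rules will fire on any increase at all; in practice a minimum spread (a floor on the standard deviation) is applied to avoid that.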
21 Assignments
0 Petitions
Abstract
A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.
28 Claims
1. A computer implemented method (independent claim; text reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A computer program product residing on a non-transitory computer readable medium for detecting denial of service attacks, comprising instructions for causing a computer to:
examine packet count and byte count to determine whether a host is a potential victim host of a denial of service (DoS) attack;
in response to determining that the host is a potential victim host of a DoS attack, determining whether the host previously experienced a variance in inbound packet rate that exceeded a variance threshold;
in response to determining that the host previously did not experience a variance in inbound traffic that exceeded the variance threshold, indicating that a neighboring host is a possible DoS attacker when a current traffic rate from the neighboring host to the host exceeds an average traffic rate from the neighboring host to the host;
in response to determining that the host previously experienced a variance in inbound packet rate that exceeded a variance threshold, determining a first threshold based on a historical variance of a byte rate from a neighboring host to the host, determining a second threshold based on a historical variance of a packet rate from the neighboring host to the host, determining whether a current outbound byte rate from the neighboring host to the host exceeds the first threshold, and determining whether a current outbound packet rate from the neighboring host to the host exceeds the second threshold; and
in response to determining that the current outbound byte rate from the neighboring host to the host exceeds the first threshold or the current outbound packet rate from the neighboring host to the host exceeds the second threshold, indicating that the neighboring host is a possible attacker.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22
23. Apparatus comprising:
a processing device;
a memory;
a computer readable medium for storing a computer program product for detecting denial of service attacks, the computer program product comprising instructions for causing the processing device to:
examine packet count and byte count to determine whether a host is a potential victim host of a denial of service (DoS) attack;
in response to determining that the host is a potential victim host of a DoS attack, determine whether the host previously experienced a variance in inbound packet rate that exceeded a variance threshold;
in response to determining that the host previously did not experience a variance in inbound traffic that exceeded the variance threshold, indicate that a neighboring host is a possible DoS attacker when a current traffic rate from the neighboring host to the host exceeds an average traffic rate from the neighboring host to the host;
in response to determining that the host previously experienced a variance in inbound packet rate that exceeded a variance threshold, determine a first threshold based on a historical variance of a byte rate from a neighboring host to the host, determine a second threshold based on a historical variance of a packet rate from the neighboring host to the host, determine whether a current outbound byte rate from the neighboring host to the host exceeds the first threshold, and determine whether a current outbound packet rate from the neighboring host to the host exceeds the second threshold; and
in response to determining that the current outbound byte rate from the neighboring host to the host exceeds the first threshold or the current outbound packet rate from the neighboring host to the host exceeds the second threshold, indicate that the neighboring host is a possible attacker.
Dependent claims: 24, 25, 26, 27, 28