
Connection based denial of service detection

  • US 8,191,136 B2
  • Filed: 11/03/2003
  • Issued: 05/29/2012
  • Est. Priority Date: 11/04/2002
  • Status: Active Grant
First Claim

1. A computer implemented method, the method comprising:

  • examining packet count and byte count statistics to determine whether a host is a potential victim host of a denial of service (DoS) attack;

  • in response to determining that the host is a potential victim host of a DoS attack, determining whether the host previously experienced a variance in inbound packet rate that exceeded a variance threshold;

  • in response to determining that the host previously did not experience a variance in inbound traffic that exceeded the variance threshold, indicating that a neighboring host is a possible DoS attacker when a current traffic rate from the neighboring host to the host exceeds an average traffic rate from the neighboring host to the host;

  • in response to determining that the host previously experienced a variance in inbound packet rate that exceeded the variance threshold, determining a first threshold based on a historical variance of a byte rate from a neighboring host to the host, determining a second threshold based on a historical variance of a packet rate from the neighboring host to the host, determining whether a current outbound byte rate from the neighboring host to the host exceeds the first threshold, and determining whether a current outbound packet rate from the neighboring host to the host exceeds the second threshold; and

  • in response to determining that the current outbound byte rate from the neighboring host to the host exceeds the first threshold or the current outbound packet rate from the neighboring host to the host exceeds the second threshold, indicating that the neighboring host is a possible attacker.
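The steps of claim 1 as an added worked example in Python (not the patent's or the assignee's code): the victim check, the history-variance test, and both branches of the neighbor check, run over constructed per-window traffic counts. The claim does not specify the window size, the value of the variance threshold, the form of the variance-based thresholds, or what "traffic rate" means in the plain-average branch; the choices below (five windows, a variance threshold of 100, thresholds of the form mean + 3 * stddev, and either the byte or the packet rate counting in the plain-average branch) are assumptions, as are all traffic figures.

```python
# Added example: a toy implementation of the neighbor check in claim 1 of
# US 8,191,136. Not the patent's or the assignee's code. The window size,
# VARIANCE_THRESHOLD, the "mean + k*stddev" threshold rule and every traffic
# figure below are constructed assumptions the claim does not specify.
from math import sqrt
from statistics import mean, pvariance

VARIANCE_THRESHOLD = 100.0  # assumed: packets^2 per window; above this = "bursty" history
SIGMA_MULTIPLIER = 3.0      # assumed: threshold = mean + 3 * stddev of the history


def exceeds_variance_threshold(history, current, k=SIGMA_MULTIPLIER):
    """A threshold 'based on the historical variance' of a series (assumed form:
    mean + k * stddev). True when the current value is above it."""
    return current > mean(history) + k * sqrt(pvariance(history))


def is_potential_victim(host_history, host_current):
    """Claim step 1: examine packet-count and byte-count statistics for the host.
    host_history is a list of (bytes, packets) per past window; host_current is
    the (bytes, packets) pair for the current window. Assumed rule: either count
    above mean + k*stddev of its own history marks the host a potential victim."""
    byte_hist = [b for b, _ in host_history]
    pkt_hist = [p for _, p in host_history]
    cur_bytes, cur_pkts = host_current
    return (exceeds_variance_threshold(byte_hist, cur_bytes)
            or exceeds_variance_threshold(pkt_hist, cur_pkts))


def had_bursty_inbound(host_history):
    """Claim step 2: did the host previously show a variance in inbound packet
    rate that exceeded the variance threshold?"""
    return pvariance([p for _, p in host_history]) > VARIANCE_THRESHOLD


def suspicious_neighbors(host_history, host_current, per_neighbor):
    """Claim steps 3 to 5. per_neighbor maps a neighbor id to
    (history [(bytes, packets), ...], current (bytes, packets)) for traffic
    from that neighbor to the host. Returns {neighbor: reason} for neighbors
    indicated as possible attackers; empty when the host is not a victim."""
    if not is_potential_victim(host_history, host_current):
        return {}
    flagged = {}
    bursty = had_bursty_inbound(host_history)
    for neighbor, (hist, (cur_bytes, cur_pkts)) in per_neighbor.items():
        byte_hist = [b for b, _ in hist]
        pkt_hist = [p for _, p in hist]
        if not bursty:
            # Steady history: a neighbor sending more than its plain average is
            # indicated (assumed: either the byte or the packet rate counts).
            if cur_bytes > mean(byte_hist) or cur_pkts > mean(pkt_hist):
                flagged[neighbor] = "above-average"
        else:
            # Bursty history: first threshold from the neighbor's byte-rate
            # variance, second from its packet-rate variance; exceeding either
            # indicates the neighbor.
            if (exceeds_variance_threshold(byte_hist, cur_bytes)
                    or exceeds_variance_threshold(pkt_hist, cur_pkts)):
                flagged[neighbor] = "above-variance-threshold"
    return flagged


# Constructed sample data: five past windows plus the current one, as (bytes, packets).
STEADY_HOST = {
    "history": [(60000, 100), (61200, 102), (58800, 98), (60600, 101), (59400, 99)],
    "current": (209000, 400),
    "neighbors": {
        "n1": ([(30000, 50), (30600, 51), (29400, 49), (30000, 50), (30000, 50)],
               (150000, 300)),   # flood: well above its average
        "n2": ([(30000, 50), (30600, 51), (29400, 49), (30600, 51), (29400, 49)],
               (29000, 50)),     # at or below average: not indicated
        "n3": ([(30000, 50), (30600, 51), (29400, 49), (30000, 50), (30000, 50)],
               (30000, 50)),     # exactly average: not indicated (strict >)
    },
}

BURSTY_HOST = {
    "history": [(60000, 100), (240000, 400), (72000, 120), (228000, 380), (66000, 110)],
    "current": (540000, 900),
    "neighbors": {
        # Legitimately bursty neighbor: above its plain average, but inside
        # mean + 3*stddev of its own history, so NOT indicated in this branch.
        "n1": ([(30000, 50), (120000, 200), (36000, 60), (114000, 190), (33000, 55)],
               (90000, 150)),
        # Normally quiet neighbor now flooding: far outside its own variance.
        "n2": ([(12000, 20), (12600, 21), (11400, 19), (12000, 20), (12000, 20)],
               (450000, 750)),
    },
}


def run_scenarios():
    """Apply the check to both constructed hosts and return the indicated neighbors."""
    return {name: suspicious_neighbors(h["history"], h["current"], h["neighbors"])
            for name, h in (("steady", STEADY_HOST), ("bursty", BURSTY_HOST))}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The two constructed hosts exercise the two branches. For the steady host, n1 is indicated because its current rate exceeds its plain average. For the bursty host, n1 is also above its plain average (150 packets against an average of 111) but stays inside its own historical variance, so the variance-scaled branch does not indicate it, while the normally quiet n2 is indicated; this is the false positive the second branch of the claim is there to avoid.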

  • 21 Assignments