System and method for distributed denial of service identification and prevention
Abstract
Systems and methods for discovery and classification of denial of service attacks in a distributed computing system may employ local agents on nodes thereof to detect resource-related events. An information layer agent may determine if events indicate attacks, perform clustering analysis to determine if they represent known or unknown attack patterns, classify the attacks, and initiate appropriate responses to prevent and/or mitigate the attack, including sending warnings and/or modifying resource pool(s). The information layer agent may consult a knowledge base comprising information associated with known attack patterns, including state-action mappings. An attack tree model and an overlay network (over which detection and/or response messages may be sent) may be constructed for the distributed system. They may be dynamically modified in response to changes in system configuration, state, and/or workload. Reinforcement learning may be applied to the tuning of attack detection and classification techniques and to the identification of appropriate responses.
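The abstract describes a pipeline: a local agent reports a resource, performance or workload event; an information-layer agent compares it with a knowledge base of known attack patterns, classifies it as known or unknown, and initiates the response recorded in the pattern's state-action mapping, with unknown events grouped by clustering so that recurring ones can be learned. The Python below is an added illustration of that pipeline and is not code from the patent or its assignee. The feature set, the baseline and pattern centroids, the nearest-centroid rule with its two thresholds, the simple clustering rule for learning a new pattern, and every sample event are constructed assumptions made for the example.

```python
"""Added example (not the patent's code): an information-layer agent that classifies
node events against a knowledge base of attack patterns and picks a response."""
from __future__ import annotations

import math
from dataclasses import dataclass

# Run-time behaviour features a local node agent reports, each pre-scaled to [0, 1]
# (fraction of capacity, or of the latency objective). Constructed for this example.
FEATURES = ("conn_rate", "half_open_ratio", "cpu_util", "req_latency", "mem_util")

# Constructed "normal operation" behaviour of a node.
BASELINE = {"conn_rate": 0.20, "half_open_ratio": 0.05, "cpu_util": 0.30,
            "req_latency": 0.20, "mem_util": 0.40}


@dataclass(frozen=True)
class Event:
    """Message from a node's local agent describing an observed run-time behaviour."""
    node_id: str
    behavior: dict[str, float]


@dataclass
class AttackPattern:
    """Knowledge-base entry: typical behaviour of a known pattern plus its
    state-action mapping (the response to initiate when it is recognised)."""
    name: str
    centroid: dict[str, float]
    response: str


def distance(a: dict[str, float], b: dict[str, float]) -> float:
    """Euclidean distance between two behaviour vectors over FEATURES."""
    return math.sqrt(sum((a[f] - b[f]) ** 2 for f in FEATURES))


class InformationLayerAgent:
    """Classifies events as benign, a known pattern, or an unknown pattern.
    Thresholds and the clustering rule are constructed for illustration."""
    ANOMALY_THRESHOLD = 0.35  # distance from BASELINE beyond which an event counts as an attack
    KNOWN_RADIUS = 0.25       # max distance to a centroid to call a pattern "known"
    MIN_CLUSTER = 3           # unknown events that must agree before a pattern is learned
    UNKNOWN_RESPONSE = "send_warning_and_expand_resource_pool"

    def __init__(self, baseline: dict[str, float], patterns: list[AttackPattern]):
        self.baseline = baseline
        self.patterns = list(patterns)
        self.unknown_events: list[dict[str, float]] = []

    def classify(self, event: Event) -> dict:
        b = event.behavior
        if distance(b, self.baseline) < self.ANOMALY_THRESHOLD:
            return {"node": event.node_id, "status": "benign", "pattern": None, "response": "none"}
        nearest = min(self.patterns, key=lambda p: distance(b, p.centroid), default=None)
        if nearest is not None and distance(b, nearest.centroid) <= self.KNOWN_RADIUS:
            return {"node": event.node_id, "status": "known",
                    "pattern": nearest.name, "response": nearest.response}
        learned = self._cluster_unknown(b)
        return {"node": event.node_id, "status": "unknown",
                "pattern": learned, "response": self.UNKNOWN_RESPONSE}

    def _cluster_unknown(self, behavior: dict[str, float]) -> str | None:
        """Group unknown events; once MIN_CLUSTER of them lie within KNOWN_RADIUS of the
        newest one, their mean becomes a new knowledge-base pattern."""
        self.unknown_events.append(behavior)
        cluster = [e for e in self.unknown_events if distance(e, behavior) <= self.KNOWN_RADIUS]
        if len(cluster) < self.MIN_CLUSTER:
            return None
        centroid = {f: sum(e[f] for e in cluster) / len(cluster) for f in FEATURES}
        name = f"learned_pattern_{len(self.patterns) + 1}"
        self.patterns.append(AttackPattern(name, centroid, self.UNKNOWN_RESPONSE))
        self.unknown_events = [e for e in self.unknown_events if e not in cluster]
        return name


def build_demo_agent() -> InformationLayerAgent:
    """Constructed knowledge base with three hypothetical flood-style patterns."""
    return InformationLayerAgent(BASELINE, [
        AttackPattern("syn_flood", {"conn_rate": 0.95, "half_open_ratio": 0.90, "cpu_util": 0.45,
                                    "req_latency": 0.35, "mem_util": 0.40}, "rate_limit_new_connections"),
        AttackPattern("http_flood", {"conn_rate": 0.85, "half_open_ratio": 0.10, "cpu_util": 0.95,
                                     "req_latency": 0.90, "mem_util": 0.60}, "add_capacity_and_warn"),
        AttackPattern("slow_request_hold", {"conn_rate": 0.60, "half_open_ratio": 0.10, "cpu_util": 0.20,
                                            "req_latency": 0.95, "mem_util": 0.45}, "shorten_idle_timeouts"),
    ])


def _ev(node: str, conn: float, half: float, cpu: float, lat: float, mem: float) -> Event:
    return Event(node, dict(zip(FEATURES, (conn, half, cpu, lat, mem))))


SAMPLE_EVENTS = [  # constructed messages from local node agents
    _ev("node-1", 0.25, 0.06, 0.35, 0.22, 0.42),  # normal load
    _ev("node-2", 0.90, 0.85, 0.50, 0.30, 0.42),  # close to the syn_flood centroid
    _ev("node-3", 0.30, 0.05, 0.35, 0.60, 0.97),  # memory pressure: not in the knowledge base
    _ev("node-4", 0.32, 0.05, 0.38, 0.62, 0.95),
    _ev("node-5", 0.28, 0.06, 0.33, 0.58, 0.98),  # third agreeing event: pattern is learned
    _ev("node-3", 0.31, 0.05, 0.36, 0.61, 0.96),  # now recognised as the learned pattern
]


def run_demo() -> list[dict]:
    """Classify the sample events in order with a fresh agent."""
    agent = build_demo_agent()
    return [agent.classify(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Running it shows the three outcomes the abstract distinguishes: the first event stays benign, the second matches a known pattern and gets that pattern's mapped response, and the memory-pressure events are unknown until three of them cluster, after which the fourth is classified as the newly learned pattern. In a real deployment the feature scaling, thresholds and responses would be tuned per environment (the abstract mentions reinforcement learning for that), and the learned pattern would be reviewed by an operator before its response is trusted.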
Claims (20 claims; 58 citations)

1. A method, comprising:
performing, by one or more computers:
receiving a message comprising information indicative of an event detected on one of a plurality of nodes in a distributed computing system, wherein the information comprises an indication of a resource-related, performance-related, or workload-related run-time behavior of the one of the plurality of nodes;
accessing a knowledge base comprising information about run-time behaviors associated with known computing system attack patterns, wherein said run-time behaviors are indicative of known attack patterns that lead to removal or degradation of one or more nodes of a computing system by external requests to said one or more nodes;
classifying the event detected on the one node as being representative of one of the known computing system attack patterns or as being representative of an unknown attack pattern, dependent, at least in part, on the knowledge base and on the information in the received message, wherein said classifying indicates a current or near-term attack on the one node by external requests to the one node; and
initiating a response to the event, dependent on said classifying.
Dependent claims: 2-11.

12. A non-transitory, computer-readable storage medium storing program instructions computer-executable to implement:
receiving a message comprising information indicative of an event detected on one of a plurality of nodes in a distributed computing system, wherein the information comprises an indication of a resource-related, performance-related, or workload-related run-time behavior of the one of the plurality of nodes;
accessing a knowledge base comprising information about run-time behaviors associated with known computing system attack patterns, wherein said run-time behaviors are indicative of known attack patterns that lead to removal or degradation of one or more nodes of a computing system by external requests to said one or more nodes;
classifying the event detected on the one node as being representative of one of the known computing system attack patterns or as being representative of an unknown attack pattern, dependent, at least in part, on the knowledge base and on the information in the received message, wherein said classifying indicates a current or near-term attack on the one node by external requests to the one node; and
initiating a response to the event, dependent on said classifying.
Dependent claims: 13-16.

17. A distributed computing system comprising a plurality of nodes, wherein one of the plurality of nodes comprises:
one or more processors; and
a memory coupled to the one or more processors and storing program instructions executable by the one or more processors to implement:
receiving a message comprising information indicative of an event detected on one of a plurality of nodes in a distributed computing system, wherein the information comprises an indication of a resource-related, performance-related, or workload-related run-time behavior of the one of the plurality of nodes;
accessing a knowledge base comprising information about run-time behaviors associated with known computing system attack patterns, wherein said run-time behaviors are indicative of known attack patterns that lead to removal or degradation of one or more nodes of a computing system by external requests to said one or more nodes;
classifying the event detected on the one node as being representative of one of the known computing system attack patterns or as being representative of an unknown attack pattern, dependent, at least in part, on the knowledge base and on the information in the received message, wherein said classifying indicates a current or near-term attack on the one node by external requests to the one node; and
initiating a response to the event, dependent on said classifying.
Dependent claims: 18-20.
Specification