System and method for distributed denial of service identification and prevention

US 8,504,504 B2
Filed: 09/26/2008
Issued: 08/06/2013
Est. Priority Date: 09/26/2008
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

performing, by one or more computers;

receiving a message comprising information indicative of an event detected on one of a plurality of nodes in a distributed computing system, wherein the information comprises an indication of a resource-related, performance-related, or workload-related run-time behavior of the one of the plurality of nodes;

accessing a knowledge base comprising information about run-time behaviors associated with known computing system attack patterns, wherein said run-time behaviors are indicative of known attack patterns that lead to removal or degradation of one or more nodes of a computing system by external requests to said one or more nodes;

classifying the event detected on the one node as being representative of one of the known computing system attack patterns or as being representative of an unknown attack pattern, dependent, at least in part, on the knowledge base and on the information in the received message, wherein said classifying indicates a current or near-term attack on the one node by external requests to the one node; and

initiating a response to the event, dependent on said classifying.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for discovery and classification of denial of service attacks in a distributed computing system may employ local agents on nodes thereof to detect resource-related events. An information later agent may determine if events indicate attacks, perform clustering analysis to determine if they represent known or unknown attack patterns, classify the attacks, and initiate appropriate responses to prevent and/or mitigate the attack, including sending warnings and/or modifying resource pool(s). The information layer agent may consult a knowledge base comprising information associated with known attack patterns, including state-action mappings. An attack tree model and an overlay network (over which detection and/or response messages may be sent) may be constructed for the distributed system. They may be dynamically modified in response to changes in system configuration, state, and/or workload. Reinforcement learning may be applied to the tuning of attack detection and classification techniques and to the identification of appropriate responses.

58 Citations

View as Search Results

20 Claims

1. A method, comprising:
- performing, by one or more computers;
  
  receiving a message comprising information indicative of an event detected on one of a plurality of nodes in a distributed computing system, wherein the information comprises an indication of a resource-related, performance-related, or workload-related run-time behavior of the one of the plurality of nodes;
  
  accessing a knowledge base comprising information about run-time behaviors associated with known computing system attack patterns, wherein said run-time behaviors are indicative of known attack patterns that lead to removal or degradation of one or more nodes of a computing system by external requests to said one or more nodes;
  
  classifying the event detected on the one node as being representative of one of the known computing system attack patterns or as being representative of an unknown attack pattern, dependent, at least in part, on the knowledge base and on the information in the received message, wherein said classifying indicates a current or near-term attack on the one node by external requests to the one node; and
  
  initiating a response to the event, dependent on said classifying.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - updating the knowledge base using reinforcement learning, dependent on said response.
  - 3. The method of claim 2,wherein said classifying comprises applying an attack detection and classification technique;
    - andwherein said updating comprises tuning the attack detection and classification technique using reinforcement learning.
  - 4. The method of claim 3, wherein said tuning comprises one or more of:
    - modifying a number of input nodes, output nodes or hidden nodes of a model of the distributed computing system;
      
      selecting a different attack detection and classification technique;
      
      adding, removing or modifying a state-action value pair used by the attack detection and classification technique;
      
      or modifying a number of layers of an overlay network over which messages are sent during said applying.
  - 5. The method of claim 1, further comprising:
    - dynamically modifying an attack tree model of the distributed computing system, dependent on a change in configuration of the distributed computing system, a change in a pattern of received event messages, or a change in workload in the distributed computing system.
  - 6. The method of claim 1, further comprising:
    - dynamically modifying an overlay network of the distributed computing system over which event detection messages or attack response messages are sent dependent on a change in configuration of the distributed computing system, a change in a pattern of received event messages, or a change in a workload in the distributed computing system.
  - 7. The method of claim 1, further comprising:
    - determining a probability that the event signifies an attack on the distributed computing system;
      
      wherein said determining comprises applying one or more rules or policies to the information indicative of the event; and
      
      wherein the one or more rules or policies are workload-dependent, node-dependent, dependent on a previous state, or dependent on an attack domain.
  - 8. The method of claim 1, wherein said initiating a response comprises one or more of:
    - constructing an attack tree model for the distributed computing system, constructing an overlay network for the distributed computing system over which event detection messages or attack response messages are to be sent, sending an attack notification message to one or more of the plurality of nodes, modifying a resource allocation associated with one or more of the plurality of nodes, or removing a resource associated with one or more of the plurality of nodes from a resource pool in the distributed computing system.
  - 9. The method of claim 1, wherein in response to classifying the event as being representative of an unknown attack pattern, said initiating a response comprises one or more of:
    - performing a clustering analysis to identify a known attack pattern sharing at least some characteristics with the unknown attack pattern, randomly selecting a response action, or simulating the unknown attack pattern.
  - 10. The method of claim 1, wherein the observed behavior comprises one or more of:
    - a resource-related, performance-related, or workload-related parameter value crossing a threshold value;
      
      a parameter value change rate for a resource-related, performance-related, or workload-related parameter exceeding a change rate threshold;
      
      a resource-related, performance-related, or workload-related parameter value becoming out of range;
      
      a resource-related, performance-related, or workload-related parameter value becoming in range;
      
      or a change in a parameter value trend for a resource-related, performance-related, or workload-related parameter.
  - 11. The method of claim 1, wherein the event is representative of a distributed denial of service attack on the distributed computing system.

12. A non-transitory, computer-readable storage medium storing program instructions computer-executable to implement:
- receiving a message comprising information indicative of an event detected on one of a plurality of nodes in a distributed computing system, wherein the information comprises an indication of a resource-related, performance-related, or workload-related run-time behavior of the one of the plurality of nodes;
  
  accessing a knowledge base comprising information about run-time behaviors associated with known computing system attack patterns, wherein said run-time behaviors are indicative of known attack patterns that lead to removal or degradation of one or more nodes of a computing system by external requests to said one or more nodes;
  
  classifying the event detected on the one node as being representative of one of the known computing system attack patterns or as being representative of an unknown attack pattern, dependent, at least in part, on the knowledge base and on the information in the received message, wherein said classifying indicates a current or near-term attack on the one node by external requests to the one node; and
  
  initiating a response to the event, dependent on said classifying.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The storage medium of claim 12, wherein the program instructions are further executable to implement:
    - updating the knowledge base using reinforcement learning, dependent on said response;
      
      wherein said classifying comprises applying an attack detection and classification technique; and
      
      wherein said updating comprises tuning the attack detection and classification technique using reinforcement learning.
  - 14. The storage medium of claim 12, wherein the program instructions are further executable to implement:
    - determining a probability that the event signifies an attack on the distributed computing system;
      
      wherein said determining comprises applying one or more rules or policies to the information indicative of the event; and
      
      wherein the one or more rules or policies are workload-dependent, node-dependent, dependent on a previous state, or dependent on an attack domain.
  - 15. The storage medium of claim 12, wherein said initiating a response comprises one or more of:
    - constructing an attack tree model for the distributed computing system, constructing an overlay network for the distributed computing system over which event detection messages or attack response messages are to be sent, sending an attack notification message to one or more of the plurality of nodes, modifying a resource allocation associated with one or more of the plurality of nodes, removing a resource associated with one or more of the plurality of nodes from a resource pool in the distributed computing system, dynamically modifying an attack tree model of the distributed computing system, dynamically modifying an overlay network of the distributed computing system over which event detection messages or attack response messages are sent, performing a clustering analysis to identify a known attack pattern sharing at least some characteristics with an unknown attack pattern, randomly selecting a response action for an unknown attack pattern, or simulating an unknown attack pattern.
  - 16. The storage medium of claim 12,wherein the observed behavior comprises one or more of:
    - a resource-related, performance-related, or workload-related parameter value crossing a threshold value;
      
      a parameter value change rate for a resource-related, performance-related, or workload-related parameter exceeding a change rate threshold;
      
      a resource-related, performance-related, or workload-related parameter value becoming out of range;
      
      a resource-related, performance-related, or workload-related parameter value becoming in range;
      
      or a change in a parameter value trend for a resource-related, performance-related, or workload-related parameter; and
      
      wherein the event is representative of a distributed denial of service attack on the distributed computing system.

17. A distributed computing system comprising plurality of nodes, wherein one of the plurality of nodes comprises:
- one or more processors; and
  
  a memory coupled to the one or more processors and storing program instructions executable by the one or more processors to implement;
  
  receiving a message comprising information indicative of an event detected on one of a plurality of nodes in a distributed computing system, wherein the information comprises an indication of a resource-related, performance-related, or workload-related run-time behavior of the one of the plurality of nodes;
  
  accessing a knowledge base comprising information about run-time behaviors associated with known computing system attack patterns, wherein said run-time behaviors are indicative of known attack patterns that lead to removal or degradation of one or more nodes of a computing system by external requests to said one or more nodes;
  
  classifying the event detected on the one node as being representative of one of the known computing system attack patterns or as being representative of an unknown attack pattern, dependent, at least in part, on the knowledge base and on the information in the received message, wherein said classifying indicates a current or near-term attack on the one node by external requests to the one node; and
  
  initiating a response to the event, dependent on said classifying.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the program instructions are further executable to implement:
    - updating the knowledge base using reinforcement learning, dependent on said response;
      
      wherein said classifying comprises applying an attack detection and classification technique; and
      
      wherein said updating comprises tuning the attack detection and classification technique using reinforcement learning.
  - 19. The system of claim 17, wherein the program instructions are further executable to implement:
    - determining a probability that the event signifies an attack on the distributed computing system;
      
      wherein said determining comprises applying one or more rules or policies to the information indicative of the event; and
      
      wherein the one or more rules or policies are workload-dependent, node-dependent, dependent on a previous state, or dependent on an attack domain.
  - 20. The system of claim 17, wherein said initiating a response comprises one or more of:
    - constructing an attack tree model for the distributed computing system, constructing an overlay network for the distributed computing system over which event detection messages or attack response messages are to be sent, sending an attack notification message to one or more of the plurality of nodes, modifying a resource allocation associated with one or more of the plurality of nodes, removing a resource associated with one or more of the plurality of nodes from a resource pool in the distributed computing system, dynamically modifying an attack tree model of the distributed computing system, dynamically modifying an overlay network of the distributed computing system over which event detection messages or attack response messages are sent, performing a clustering analysis to identify a known attack pattern sharing at least some characteristics with an unknown attack pattern, randomly selecting a response action for an unknown attack pattern, or simulating an unknown attack pattern.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Oracle America, Inc. (Oracle Corporation)
Inventors
Liu, Lei
Primary Examiner(s)
Chaki, Kakali
Assistant Examiner(s)
COUGHLAN, PETER D

Application Number

US12/239,521
Publication Number

US 20100082513A1
Time in Patent Office

1,775 Days
Field of Search

None
US Class Current

706/46
CPC Class Codes

G06N 20/00   Machine learning

G06N 3/006   based on simulated virtual ...

G06N 3/084   Backpropagation, e.g. using...

G06N 5/01   Dynamic search techniques; ...

G06N 7/01   Probabilistic graphical mod...

H04L 63/1458   Denial of Service

System and method for distributed denial of service identification and prevention

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for distributed denial of service identification and prevention

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links