Method and system for detecting and mitigating attacks performed using cryptographic protocols
First Claim
1. A security system for detecting and mitigating encrypted denial-of-service (DoS) attacks, the security system is connected in a secured database, comprising:
- a DoS defense (DoSD) module configured to detect an encrypted DoS attack in an inbound traffic by analyzing attributes only in the inbound traffic that relate to at least one of a network layer and an application layer, wherein the DoSD module is configured to initially analyze the network layer attributes in the inbound traffic, and analyze the application layer attributes when an encrypted DoS attack at the network layer has not been detected, wherein the DoSD module is further configured to mitigate a detected encrypted attack, the inbound traffic originates at a client and is addressed to a protected server; and
- a cryptographic protocol engine (CPE) configured to establish a new encrypted session between the client and the security system, decrypt requests included in the inbound traffic, and send encrypted responses to the client over the new encrypted session between the client and the security system, wherein the CPE is further configured to establish a new network connection between the client and the protected server when an encrypted DoS attack at the application layer has not been detected, wherein the new network connection causes outbound traffic originating at the protected server to be directly routed to the client to eliminate reception and processing of the outbound traffic by the security system connected in the secured datacenter.
Abstract
A method and security system for detecting and mitigating encrypted denial-of-service (DoS) attacks. The system includes a DoS defense (DoSD) module configured to detect an encrypted DoS attack in an inbound traffic by analyzing attributes only in the inbound traffic that relate to at least one of a network layer and an application layer, wherein the DoSD module is further configured to mitigate a detected encrypted attack, the inbound traffic originates at a client and is addressed to a protected server; and a cryptographic protocol engine (CPE) configured to establish a new encrypted session between the client and the security system, decrypt requests included in the inbound traffic, and send encrypted responses to the client over the new encrypted session between the client and the security system.
21 Claims
10. A method for detecting and mitigating encrypted denial-of-service (DoS) attacks, comprising:
- detecting, by a security system connected in a secured datacenter, an encrypted DoS attack in an inbound traffic by analyzing network layer attributes of only the inbound traffic, the inbound traffic originates at a client and is addressed to a protected server and the network layer attributes are not encrypted;
- dropping a network connection between the client and the protected server if an encrypted DoS attack at the network layer has been detected;
- terminating an encrypted connection with the client if an encrypted DoS attack at the network layer has not been detected;
- detecting, by the security system, an encrypted DoS attack in the inbound traffic by analyzing application layer attributes of only the inbound traffic, wherein the network layer attributes are encrypted; and
- causing to establish a new network connection between the client and the protected server, if an encrypted DoS attack at the application layer has not been detected, wherein the new network connection causes outbound traffic originating at the protected server to be directly routed to the client to eliminate reception and processing of the outbound traffic by the security system connected in the secured datacenter.
(Dependent claims: 11, 12, 13, 14, 15, 16, 18, 19, 20)
17. A method for detecting and mitigating encrypted denial-of-service (DoS) attacks, comprising:
- terminating, by a security system connected in a secured datacenter, an encrypted connection between a client and a protected server, upon reception of only an inbound traffic diverted from the client, wherein the inbound traffic is suspected to include malicious threats;
- establishing a new encrypted session with the client;
- responding to a client's request received over the new encrypted session with an encrypted client web challenge;
- determining, by the security system, if the client correctly responds to the encrypted client web challenge;
- dropping the new encrypted session with the client, if the client does not correctly respond to the encrypted client web challenge; and
- causing the client to establish a new network connection with the protected server, if the client does correctly respond to the encrypted client web challenge, wherein the new network connection causes outbound traffic originating at the protected server to be directly routed to the client to eliminate reception and processing of the outbound traffic by the security system connected in the secured datacenter.
(Dependent claims: 21)
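The staged handling that claims 1, 10 and 17 describe, as an added illustration in Python that is not code from the patent: the thresholds, the reversed-text "decryption" and the HMAC cookie-style challenge are constructed assumptions standing in for real TLS termination and a real JavaScript or cookie challenge.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed thresholds and key: assumptions for this example, not values from the patent.
MAX_CONN_PER_SEC = 50        # network layer: new-connection rate from one source
MAX_REQ_PER_SESSION = 100    # application layer: decrypted requests in one session
CHALLENGE_KEY = secrets.token_bytes(32)   # per-deployment secret behind the web challenge

@dataclass
class Inbound:
    src_ip: str
    conn_per_sec: int                                   # visible in the clear (network layer)
    ciphertext_requests: list[str] = field(default_factory=list)   # stand-ins for TLS records

def decrypt(record: str) -> str:
    """Stand-in for the CPE's decryption: the constructed ciphertext is just reversed text."""
    return record[::-1]

def network_layer_attack(t: Inbound) -> bool:
    """Stage 1 (claim 10): unencrypted attributes only, so no TLS termination is needed."""
    return t.conn_per_sec > MAX_CONN_PER_SEC

def application_layer_attack(requests: list[str]) -> bool:
    """Stage 2 (claim 10): attributes of the decrypted requests."""
    return len(requests) > MAX_REQ_PER_SESSION

def challenge_token(src_ip: str) -> str:
    """Stateless web-challenge token (claim 17): the client must echo it back unchanged."""
    return hmac.new(CHALLENGE_KEY, src_ip.encode(), hashlib.sha256).hexdigest()

def handle(t: Inbound, client_reply) -> str:
    """client_reply(token) models how the client answers the challenge; returns the action taken."""
    if network_layer_attack(t):
        return "drop-connection"            # never terminate TLS for traffic already flagged
    plaintext = [decrypt(r) for r in t.ciphertext_requests]   # CPE terminates and decrypts
    if application_layer_attack(plaintext):
        return "mitigate"
    token = challenge_token(t.src_ip)       # sent to the client inside the encrypted response
    if not hmac.compare_digest(client_reply(token), token):
        return "drop-session"               # challenge failed: drop the new encrypted session
    return "redirect-direct"                # new client<->server connection; replies bypass the system

if __name__ == "__main__":
    print(handle(Inbound("192.0.2.10", 5, ["/ TEG"]), lambda tok: tok))
```

A client that echoes the token models a browser that runs the challenge; a client that returns nothing models a flooding bot that never processes responses.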