IP prioritization and scoring system for DDoS detection and mitigation
First Claim
1. A method for controlling network traffic, comprising:
receiving, at a network server, client machine data for a plurality of client machines, the client machine data relating to a confidence score for each of the plurality of client machines, the client machine data comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;
determining a plurality of threshold values;
relating each of the plurality of threshold values to an action to be taken for request network traffic;
receiving a request associated with a client machine, wherein the association is determined using identification data found in the request;
determining a confidence score associated with the client machine based on the client machine data; and
acting on the request based on comparing the confidence score to the threshold values and related actions to be taken.
1 Assignment
0 Petitions
Abstract
A method and system to mitigate an attack over the Internet includes collecting information related to a plurality of client IP addresses from a plurality of sources and analyzing the collected information to determine confidence scores for the plurality of client IP addresses. The method and system also include receiving network traffic from the Internet and limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold. The method, and system further include determining a level of the network traffic and limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold.
102 Citations
24 Claims
1. A method for controlling network traffic, comprising:
receiving, at a network server, client machine data for a plurality of client machines, the client machine data relating to a confidence score for each of the plurality of client machines, the client machine data comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;
determining a plurality of threshold values;
relating each of the plurality of threshold values to an action to be taken for request network traffic;
receiving a request associated with a client machine, wherein the association is determined using identification data found in the request;
determining a confidence score associated with the client machine based on the client machine data; and
acting on the request based on comparing the confidence score to the threshold values and related actions to be taken.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A method for computing a confidence score for an IP address, the method comprising:
storing information about a plurality of client IP addresses, the information comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;
analyzing the stored information about the client IP addresses, computing a confidence score for each of the plurality of client IP addresses based on the analysis of the stored information, wherein the confidence score is granular.
(Dependent claims: 9)

10. A method of mitigating an attack over the Internet, the method comprising:
collecting information related to a plurality of client IP addresses from a plurality of sources, the information comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;
analyzing the collected information to determine confidence scores for the plurality of client IP addresses;
receiving network traffic from the Internet;
limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold;
determining a level of the network traffic; and
in response to determining the level of network traffic, limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold.
(Dependent claims: 11, 12, 13)

14. A system for controlling network traffic, comprising:
a central server containing data for a plurality of client machines, the data comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information, the data relating to a confidence score of each of the plurality of client machines;
a network server including a processor and non-transitory computer-readable memory containing instructions which, when executed on the processor, perform a method comprising:
receiving, at the network server, client machine data for a plurality of client machines;
determining a plurality of threshold values;
relating each of the plurality of threshold values to an action to be taken for request network traffic;
receiving a request associated with a client machine, wherein the association is determined using identification data found in the request;
determining, based on the data, a confidence score associated with the client machine; and
acting on the request based on the confidence score in relation to the threshold values and related actions to be taken.
(Dependent claims: 15, 16, 17, 18, 19, 20)

21. A system of mitigating an attack over the Internet, comprising:
a processor; and
memory storing instructions, which when executed on the processor, perform a method comprising:
collecting information related to a plurality of client IP addresses from a plurality of sources, the information comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;
analyzing the collected information to determine confidence scores for the plurality of client IP addresses;
receiving network traffic from the Internet;
limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold;
determining a level of the network traffic; and
in response to determining the level of network traffic, limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold.
(Dependent claims: 22, 23, 24)
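The mechanism that claims 1, 8 and 10 describe, a granular per-IP confidence score, a table relating thresholds to actions, and a second, higher limiting threshold applied once the traffic level is judged high, worked through as an added illustration that is not the patent's own code. The scoring weights, the threshold tables, the "high load is more than twice baseline" rule and the sample clients are all assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class ClientData:
    """Per-IP data of the kinds the claims enumerate (constructed sample fields)."""
    ip: str
    blacklisted: bool      # blacklist information
    country: str           # IP address to location mapping
    connections: int       # number of connections in the observation window
    window_seconds: float  # time span over which those connections arrived
    bytes_sent: int        # network traffic information

def confidence_score(c: ClientData, home_countries=("US",)) -> float:
    """Granular 0-100 trust score; higher is more trusted. Weights are assumed."""
    score = 100.0
    if c.blacklisted:
        score -= 60
    if c.country not in home_countries:
        score -= 10
    rate = c.connections / max(c.window_seconds, 1.0)   # connections per second
    score -= min(25.0, rate * 2.5)                      # burstiness penalty
    score -= min(15.0, c.bytes_sent / 100_000)          # volume penalty
    return max(0.0, round(score, 1))

# Threshold -> action tables, lowest threshold first. Under high load the
# limiting cut-off rises from the first threshold (40) to a second, greater one (60).
ACTIONS_NORMAL = [(20, "block"), (40, "rate_limit")]
ACTIONS_HIGH = [(20, "block"), (60, "rate_limit"), (80, "challenge")]

def traffic_level(rps: float, baseline_rps: float) -> str:
    """Level of incoming traffic relative to the normal baseline (assumed rule)."""
    return "high" if rps > 2 * baseline_rps else "normal"

def decide(score: float, level: str) -> str:
    """Act on a request by comparing its score against the threshold table."""
    table = ACTIONS_HIGH if level == "high" else ACTIONS_NORMAL
    for threshold, action in table:
        if score < threshold:
            return action
    return "allow"

def triage(clients, rps: float, baseline_rps: float) -> dict:
    """Map each client IP to the action taken at the current traffic level."""
    level = traffic_level(rps, baseline_rps)
    return {c.ip: decide(confidence_score(c), level) for c in clients}

# Constructed sample clients (documentation addresses, invented measurements).
SAMPLE = [
    ClientData("192.0.2.10", False, "US", 10, 60, 50_000),      # ordinary user, ~99.1
    ClientData("192.0.2.20", True, "XX", 100, 5, 2_000_000),    # blacklisted flooder, 0.0
    ClientData("192.0.2.30", False, "DE", 100, 10, 1_500_000),  # borderline, exactly 50.0
]

if __name__ == "__main__":
    print(triage(SAMPLE, rps=500, baseline_rps=1000))   # normal load: borderline IP allowed
    print(triage(SAMPLE, rps=5000, baseline_rps=1000))  # high load: borderline IP rate-limited
```

The borderline client is the point of the example: its score of 50 sits between the first and second thresholds, so it passes at normal load and is limited only when the traffic level escalates.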