Attack traffic signature generation using statistical pattern recognition
Abstract
A pattern recognition security system (“PRSS”) generates a packet signature from network traffic, including attack packets. The PRSS can utilize a statistical pattern recognition based approach to generate attack traffic signatures, such as for DDoS or DoS attacks. In some embodiments, the PRSS dynamically creates training sets from actual captured data, allowing the PRSS to adapt to changes in network attacks. For example, more sophisticated DDoS attacks commonly rotate through different attacking computers to vary the packet attributes of attack packets sent to a target system. However, as the PRSS can determine packet signatures based on the actual captured data packets, the PRSS can adapt to the changes in the attack. In some embodiments, the PRSS may determine packet signatures in real-time or near real time during an attack, allowing the PRSS to quickly react to changes in attack traffic.
Claims (28)

1. A method for generating attack packet signatures, the method comprising:
by a signature generating system comprising computing hardware;
determining baseline values for attributes of a second set of data packets captured during normal operations;
obtaining data packets corresponding to a network attack on a target system;
determining packet probabilities for the obtained data packets, wherein each packet probability indicates a probability that an individual data packet of the obtained data packets corresponds to a network attack, and wherein each packet probability is based at least partly on the determined baseline values for the attributes of the second set of data packets;
designating at least a portion of the data packets as attack packets based at least partly on the determined packet probabilities that individual data packets of the obtained data packets correspond to a network attack;
generating a training data set including the attack packets designated based at least partly on the determined probabilities; and
generating a packet signature for attack packets based at least partly on the training data set including the attack packets designated based at least partly on the determined packet probabilities.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
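The abstract and claim 1 describe the pipeline in words: learn baseline attribute values from normal traffic, score each captured packet with a probability that it is attack traffic, designate the high-probability packets as the training set, and derive a signature from that set. The following Python is an added illustration of that pipeline, not an embodiment from the patent, and every packet in it is constructed inline. The scoring rule (a naive-Bayes likelihood ratio with Laplace smoothing, turned into a conservative lower bound on the attack posterior) and the 95% coverage rule for keeping an attribute in the signature are choices made for this example; the patent does not specify them. It also shows the abstract's point about rotating attacker hosts: because no single source address dominates the training set, `src_ip` drops out of the signature while the stable packet attributes stay in.

```python
"""
Statistical attack-signature generation from captured traffic.
Added example: all packets below are constructed, not real captures.
"""
from collections import Counter
from math import prod

ATTRIBUTES = ("src_ip", "ttl", "length", "flags", "dst_port")


def make_packet(src_ip, ttl, length, flags, dst_port):
    return {"src_ip": src_ip, "ttl": ttl, "length": length,
            "flags": flags, "dst_port": dst_port}


def normal_packet(i):
    # Constructed "normal operations" traffic: ten clients, mixed TTLs,
    # sizes and TCP flag combinations, to ports 80 and 443.
    return make_packet(f"10.0.0.{i % 10}", (64, 128, 255)[i % 3],
                       (60, 120, 512, 1500)[i % 4],
                       ("A", "PA", "S", "FA")[i % 4], (80, 443)[i % 2])


def attack_packet(i):
    # Constructed flood: 40 rotating source addresses (documentation range),
    # every packet a 40-byte SYN to port 80 with TTL 250.
    return make_packet(f"198.51.100.{i % 40}", 250, 40, "S", 80)


BASELINE = [normal_packet(i) for i in range(120)]            # "second set", normal operations
CAPTURE = ([normal_packet(i) for i in range(40)]             # normal traffic continues...
           + [attack_packet(i) for i in range(160)])         # ...mixed with the attack


def attribute_distributions(packets, vocab):
    """Per-attribute value frequencies with Laplace smoothing (the 'baseline values')."""
    dists = {}
    for attr in ATTRIBUTES:
        counts = Counter(p[attr] for p in packets)
        total = len(packets) + len(vocab[attr])
        dists[attr] = {v: (counts[v] + 1) / total for v in vocab[attr]}
    return dists


def packet_attack_probabilities(baseline, capture):
    """Probability that each captured packet belongs to the attack, from baseline vs. capture statistics."""
    vocab = {a: {p[a] for p in baseline} | {p[a] for p in capture} for a in ATTRIBUTES}
    p_normal = attribute_distributions(baseline, vocab)
    p_capture = attribute_distributions(capture, vocab)
    probs = []
    for pkt in capture:
        # Attributes treated as independent (naive Bayes assumption).
        ratio = prod(p_normal[a][pkt[a]] / p_capture[a][pkt[a]] for a in ATTRIBUTES)
        # The capture is a mixture of normal and attack traffic. With attack
        # fraction pi, P(attack | x) = 1 - (1 - pi) * P_normal(x) / P_capture(x),
        # so 1 - P_normal(x) / P_capture(x) is a conservative lower bound on it.
        probs.append(max(0.0, 1.0 - ratio))
    return probs


def designate_attack_packets(capture, probs, threshold=0.9):
    """Training set: captured packets whose attack probability clears the threshold."""
    return [pkt for pkt, p in zip(capture, probs) if p >= threshold]


def generate_signature(training_set, min_coverage=0.95):
    """Keep an attribute only when one value covers almost all designated attack packets."""
    signature = {}
    if not training_set:
        return signature
    for attr in ATTRIBUTES:
        value, count = Counter(p[attr] for p in training_set).most_common(1)[0]
        if count / len(training_set) >= min_coverage:
            signature[attr] = value
    return signature


def matches(signature, pkt):
    return all(pkt[a] == v for a, v in signature.items())


def build_signature(baseline=BASELINE, capture=CAPTURE):
    """Run the full pipeline; also count baseline packets the signature would hit."""
    probs = packet_attack_probabilities(baseline, capture)
    training = designate_attack_packets(capture, probs)
    sig = generate_signature(training)
    # Check before deploying a filter: how much normal traffic does it match?
    false_positives = sum(matches(sig, p) for p in baseline)
    return sig, len(training), false_positives


if __name__ == "__main__":
    sig, n_train, fps = build_signature()
    print(f"{n_train} captured packets designated as attack traffic")
    print("signature:", sig)
    print(f"baseline packets matched by the signature: {fps}")
```

Because the baseline and the capture are both real samples, the same code can be re-run on each new capture window during an attack, which is how the abstract's "adapt to changes in the attack" works in practice: the rotating sources never earn a place in the signature, while any shift in the stable attributes shows up in the next training set. The false-positive count against the baseline is the check worth adding before the signature is turned into a filter rule.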
12. A system for generating packet signatures, the system comprising:
a packet capture module configured to capture data packets during a network attack on a target computing system;
a training data generator configured to generate a training data set from the captured data packets, wherein the training data set includes attack packets selected from the captured data packets based at least in part on a set of determined packet probabilities, each packet probability indicating a probability that an individual data packet of the captured data packets corresponds to a network attack; and
a signature generator configured to generate a packet signature for attack packets based at least partly on the training data including the attack packets selected based at least partly on the determined packet probabilities that individual packets correspond to a network attack.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.

23. Non-transitory computer storage having stored thereon instructions that, when executed by a computer system, cause the computer system to:
compare a first set of data packets captured during a network attack on a target system with a second set of data packets captured during a different time period than the network attack to determine a set of packet probabilities, each packet probability indicating a probability that an individual data packet of the first set of data packets corresponds to a network attack;
designate at least a portion of the data packets as attack packets based at least partly on the determined packet probabilities that individual packets of the first set of data packets correspond to a network attack; and
generate a packet signature for attack packets based at least partly on the identified attack packets designated based at least partly on the determined packet probabilities.
Dependent claims: 24, 25, 26, 27, 28.