System and method for real-time reporting of anomalous internet protocol attacks

US 9,130,982 B2
Filed: 06/13/2013
Issued: 09/08/2015
Est. Priority Date: 06/14/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A computer system for monitoring security of a destination subnet, the computer system comprising:

a memory; and

a processor in communications with the memory, wherein the computer system is configured to perform a method, the method comprising;

detecting, by the processor, Internet traffic messages that are recognized as anomalous attacks;

counting by the processor, a number of the Internet traffic messages that are recognized as the anomalous attacks seen by a destination subnet within a current interval to provide a count;

computing by the processor, over a plurality of intervals, a running average, wherein the running average comprises an average number of Internet traffic messages that are recognized as anomalous attacks per interval of the plurality of intervals;

comparing the count to the running average;

based on determining that the count is greater than a first multiple of the running average, providing an anomalous attack alarm for the destination subnet; and

based on determining that the count is smaller than a second multiple of the running average, checking the memory for an anomalous attack alarm for the destination subnet, and clearing any anomalous attack alarm for the subnet located in the memory, wherein the second multiple is a smaller multiple than the first multiple.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method for detecting anomalous attacks in Internet network flow operate by counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count; computing a running average of the number of messages that are detected as anomalous attacks; and comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average. The attacks can include at least one of spoofing attacks or denial of service attacks. A computer readable storage medium stores instructions of a computer program, which when executed by a computer system, results in performance of steps of the method.

16 Citations

View as Search Results

26 Claims

1. A computer system for monitoring security of a destination subnet, the computer system comprising:
- a memory; and
  
  a processor in communications with the memory, wherein the computer system is configured to perform a method, the method comprising;
  
  detecting, by the processor, Internet traffic messages that are recognized as anomalous attacks;
  
  counting by the processor, a number of the Internet traffic messages that are recognized as the anomalous attacks seen by a destination subnet within a current interval to provide a count;
  
  computing by the processor, over a plurality of intervals, a running average, wherein the running average comprises an average number of Internet traffic messages that are recognized as anomalous attacks per interval of the plurality of intervals;
  
  comparing the count to the running average;
  
  based on determining that the count is greater than a first multiple of the running average, providing an anomalous attack alarm for the destination subnet; and
  
  based on determining that the count is smaller than a second multiple of the running average, checking the memory for an anomalous attack alarm for the destination subnet, and clearing any anomalous attack alarm for the subnet located in the memory, wherein the second multiple is a smaller multiple than the first multiple.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, further comprising updating the running average by smoothing, if the count is below the first multiple.
  - 3. The system of claim 1, further comprising:
    - storing records of anomalous attacks; and
      
      determining, by the processor, whether a record of an anomalous attack has been in the database for a predetermined period of time.
  - 4. The system of claim 1, wherein the running average is a positive number.
  - 5. The system of claim 1, wherein each of the anomalous attacks comprises at least one of:
    - source spoofing or denial of service attacks.
  - 6. The system of claim 1, wherein the running average is updated no more frequently than at a predefined interval.
  - 7. The system of claim 2, wherein the smoothing is exponential smoothing.
  - 8. The system of claim 3, wherein the running average is computed in a current time window, and when a record has been in the database for a time greater than predetermined period of time, that record is removed from the time window for purposes of computing the running average.

9. A system for monitoring Internet traffic, comprising:
- a memory comprising a database; and
  
  a processor in communications with the memory, wherein the computer system is configured to perform a method, the method comprising;
  
  detecting, by the processor, Internet traffic messages as anomalous attacks in a network flow;
  
  counting, by the processor, a number of Internet traffic messages that are detected as anomalous attacks seen by a destination subnet within a current interval to provide a count;
  
  computing, by the processor over a plurality of intervals, a running average, wherein the running average comprises an average number of Internet traffic messages that are detected as the anomalous attacks per interval of the plurality of intervals;
  
  comparing the count to the running average;
  
  based on determining that the count is greater than a first multiple of the running average, sending an anomalous attack alarm for the destination subnet to the database; and
  
  based on determining that count is smaller than a second multiple of the running average, checking the database for an anomalous attack alarm for the destination subnet, and based on locating the anomalous attack alarm for the destination subnet in the database, clearing the located anomalous attack alarm for the destination subnet from the database, wherein the second multiple is a smaller multiple than the first multiple.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - updating the running average by smoothing, if the count is a third multiple, wherein the third multiple is less than the first multiple of the running average.
  - 11. The system of claim 9, wherein each of the anomalous attacks comprises at least one of source spoofing or denial of service attacks.
  - 12. The system of claim 9, wherein the running average is updated no more frequently than at a predefined interval.
  - 13. The system of claim 9, wherein the running average is a positive number.
  - 14. The system of claim 10, wherein the smoothing is exponential smoothing.
  - 15. The system of claim 10, wherein the detecting further comprises storing records in the database for Internet traffic message as anomalous attacks in the network flow.
  - 16. The system of claim 15, further comprising:
    - determining, by the processor, that a record of the records in the database has been in the database for a predetermined period of time andbased on the determining, removing, by the processor, the record from a window used to compute the running average.

17. A method for monitoring Internet traffic comprising:
- obtaining, by a processor, a network flow and detecting anomalous attacks in the network flow;
  
  counting, by the processor, a number of Internet traffic messages in the network flow that are detected as anomalous attacks seen by a destination subnet within a current interval and providing a count;
  
  computing, by the processor, over a plurality of intervals, a running average, wherein the running average comprises an average number of messages that are detected as anomalous attacks per interval of the plurality of intervals;
  
  comparing the count to the running average;
  
  based on determining that the count is greater than a first multiple of the running average, providing an anomalous attack alarm for the destination subnet; and
  
  based on determining that the count is smaller than a second multiple of the running average, checking the memory for an anomalous attack alarm for the destination subnet, and clearing any anomalous attack alarm for the subnet located in the memory, wherein the second multiple is a smaller multiple than the first multiple.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The method of claim 17, wherein if the count is a less than the first multiple of the running average, updating the running average using smoothing.
  - 19. The method of claim 17, wherein the running average is updated no more frequently than at a predefined interval.
  - 20. The method of claim 17, further comprising setting the running average to be a positive number.
  - 21. The method of claim 17, further comprising:
    - storing in a database records of anomalous attacks, and determining whether a record of an anomalous attack has been in the database for a predetermined period of time.
  - 22. The method of claim 17, wherein each of the anomalous attacks comprises at least one of:
    - source spoofing or denial of service attacks.
  - 23. The method of claim 18, wherein the smoothing is exponential smoothing.
  - 24. The method of claim 21, further comprising removing a record from a window used to compute the running average when the record has been in the database for a time greater than the predetermined period of time.

25. A computer readable non-transitory storage medium storing instructions of a computer program which when executed by a computer system results in performance of a method, comprising:
- obtaining, by a processor, a network flow and detecting anomalous attacks in the network flow;
  
  counting, by the processor, a number of Internet traffic messages in the network flow that are detected as anomalous attacks seen by a destination subnet within a current interval and providing a count;
  
  computing, by the processor, over a plurality of intervals, a running average, wherein the running average comprises an average number of messages that are detected as anomalous attacks per interval of the plurality of intervals;
  
  comparing the count to the running average;
  
  based on determining that the count is greater than a first multiple of the running average, providing an anomalous attack alarm for the destination subnet; and
  
  based on determining that the count is smaller than a second multiple of the running average, checking the memory for an anomalous attack alarm for the destination subnet, and clearing any anomalous attack alarm for the subnet located in the memory, wherein the second multiple is a smaller multiple than the first multiple.
- View Dependent Claims (26)
- - 26. The computer readable non-transitory storage medium of claim 25, wherein each of the anomalous attacks comprises at least one of:
    - source spoofing or denial of service attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KDDI Corporation, Perspecta Labs Inc. (Perspecta, Inc.)
Original Assignee
Vencore Labs, Inc.
Inventors
Sawaya, Yukiko, Yamada, Akira, Ghosh, Abhrajit, Naidu, Aditya, Gottlieb, Yitzchak, Kubota, Ayumu
Primary Examiner(s)
Pwu, Jeff
Assistant Examiner(s)
Salehi, Helai

Application Number

US13/916,693
Publication Number

US 20130340079A1
Time in Patent Office

817 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

System and method for real-time reporting of anomalous internet protocol attacks

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for real-time reporting of anomalous internet protocol attacks

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links