
Denial of service (DoS) attack detection systems and methods

  • US 9,282,113 B2
  • Filed: 06/27/2013
  • Issued: 03/08/2016
  • Est. Priority Date: 06/27/2013
  • Status: Active Grant
First Claim

1. A method comprising:

  • monitoring packets received for delivery to devices on a network;
  • developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period, the historic packet profile including a historic ratio of number of packets of at least one packet protocol to number of packets of two or more different packet protocols for the plurality of time periods preceding the instant time period;
  • developing an instant packet profile by examining the monitored packets during the instant time period, the instant packet profile including an instant ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the instant time period;
  • comparing, by a processor, the instant ratio to the historic ratio to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant ratio and the historic ratio is present;
  • identifying, by the processor, existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation;
  • applying a filter at a network protection device to block malicious traffic of the identified network attack;
  • developing a post attack packet profile by examining the monitored packets subsequent to identification of the network attack, the post attack packet profile including a post attack ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the monitored packets subsequent to identification of the network attack;
  • comparing the post attack ratio to the historic ratio to determine whether a new deviation is below a second statistical predetermined threshold deviation that is smaller than the predetermined statistical threshold deviation; and
  • identifying an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
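The claim above describes a ratio-based detector with hysteresis: a historic protocol ratio built from several preceding periods, an instant ratio compared against it with a statistical threshold, a filter applied on detection, and a second, smaller threshold that the post-attack ratio must fall below before the attack is declared over. The following is an added illustration written for this page, not code from the patent or its assignee. It assumes the ratio is UDP packets over TCP plus ICMP packets, that "statistical deviation" means distance from the historic mean in (floored) standard deviations, thresholds of 3.0 to start and 1.0 to end, an eight-period baseline window, and constructed per-period packet counts rather than real captures.

```python
from collections import deque
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Assumed protocol grouping: the claim only says "at least one" protocol over
# "two or more different" protocols, so UDP over TCP+ICMP is a choice made here.
NUMERATOR = ("udp",)
DENOMINATOR = ("tcp", "icmp")


def protocol_ratio(counts, numerator=NUMERATOR, denominator=DENOMINATOR):
    """Ratio of packets in the numerator protocols to packets in the denominator protocols."""
    num = sum(counts.get(p, 0) for p in numerator)
    den = sum(counts.get(p, 0) for p in denominator)
    return num / den if den else float("inf")


@dataclass
class HistoricProfile:
    mean_ratio: float
    spread: float  # standard deviation with a floor, so a flat history cannot divide by zero


def build_historic_profile(periods, min_relative_spread=0.1):
    """Historic packet profile over several preceding time periods (assumed z-score style)."""
    ratios = [protocol_ratio(c) for c in periods]
    m = mean(ratios)
    spread = max(pstdev(ratios), min_relative_spread * m, 1e-9)
    return HistoricProfile(m, spread)


def deviation(instant_ratio, profile):
    """Distance of the instant ratio from the historic ratio, in units of spread."""
    return abs(instant_ratio - profile.mean_ratio) / profile.spread


@dataclass
class RatioDetector:
    """Per-period detector with hysteresis: a large deviation starts an attack, and
    the post-attack ratio must drop below a smaller threshold before it is declared over."""
    start_threshold: float = 3.0   # assumed "predetermined statistical threshold deviation"
    end_threshold: float = 1.0     # assumed second, smaller threshold
    window: int = 8                # number of preceding periods kept for the historic profile
    under_attack: bool = False
    blocked: list = field(default_factory=list)  # stands in for the filter on a protection device
    history: deque = field(init=False)

    def __post_init__(self):
        self.history = deque(maxlen=self.window)

    def observe(self, counts):
        """Process one period's packet counts; return 'attack_started', 'attack_ended' or None."""
        if len(self.history) < 2:
            self.history.append(counts)  # not enough history for a profile yet
            return None
        profile = build_historic_profile(self.history)
        dev = deviation(protocol_ratio(counts), profile)
        event = None
        if not self.under_attack and dev > self.start_threshold:
            self.under_attack = True
            self.blocked.append(NUMERATOR)  # apply the filter for the surging protocol group
            event = "attack_started"
        elif self.under_attack and dev < self.end_threshold:
            self.under_attack = False
            self.blocked.clear()            # lift the filter once the post-attack ratio is back in range
            event = "attack_ended"
        if not self.under_attack and event is None:
            # Only quiet periods extend the baseline, so attack traffic does not poison it.
            self.history.append(counts)
        return event


def run_demo():
    """Constructed traffic: eight quiet periods, one UDP flood, two post-attack periods."""
    quiet = [{"udp": u, "tcp": 800, "icmp": 200} for u in (100, 110, 90, 105, 95, 100, 110, 90)]
    flood = {"udp": 5000, "tcp": 800, "icmp": 200}
    post = [
        {"udp": 300, "tcp": 800, "icmp": 200},  # filter in place, ratio still elevated
        {"udp": 105, "tcp": 800, "icmp": 200},  # back within the second threshold
    ]
    det = RatioDetector()
    events = [det.observe(c) for c in quiet + [flood] + post]
    return events, det


if __name__ == "__main__":
    print(run_demo()[0])
```

Two design points matter for a detector of this shape. The second, smaller threshold gives hysteresis, so a ratio hovering near the start threshold does not make the attack flag flap on and off. Freezing the baseline while an attack is in progress keeps the historic ratio from drifting toward the attack traffic, which would otherwise let a sustained flood silently become the new normal. The caveat is that a single protocol ratio only sees attacks that change the protocol mix; a flood that scales every protocol proportionally leaves the ratio untouched and needs a volume-based signal alongside it.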
