Denial of service (DoS) attack detection systems and methods

US 9,282,113 B2
Filed: 06/27/2013
Issued: 03/08/2016
Est. Priority Date: 06/27/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring packets received for delivery to devices on a network;

developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period, the historic packet profile including a historic ratio of number of packets of at least one packet protocol to number of packets of two or more different packet protocols for the plurality of time periods preceding the instant time period;

developing an instant packet profile by examining the monitored packets during the instant time period, the instant packet profile including an instant ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the instant time period;

comparing, by a processor, the instant ratio to the historic ratio to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant ratio and the historic ratio is present;

identifying, by the processor, existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation;

applying a filter at a network protection device to block malicious traffic of the identified network attack;

developing a post attack packet profile by examining the monitored packets subsequent to identification of the network attack, the post attack packet profile including a post attack ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the monitored packets subsequent to identification of the network attack;

comparing the post attack ratio to the historic ratio to determine whether a new deviation is below a second statistical predetermined threshold deviation that is smaller than the predetermined statistical threshold deviation; and

identifying an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus that enable identification of network attacks such as denial of service attacks are disclosed. A network attack may be identified by monitoring packets received for delivery to devices on a network, and developing a historic packet profile by examining the monitored packets received during a number of time periods preceding an instant time period. An instant packet profile is developed by examining the monitored packets during the instant time period. The instant packet profile is compared to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present. The existence of a network attack is identified in response to determining that the deviation exceeds the predetermined statistical threshold deviation.

Citations

20 Claims

1. A method comprising:
- monitoring packets received for delivery to devices on a network;
  
  developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period, the historic packet profile including a historic ratio of number of packets of at least one packet protocol to number of packets of two or more different packet protocols for the plurality of time periods preceding the instant time period;
  
  developing an instant packet profile by examining the monitored packets during the instant time period, the instant packet profile including an instant ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the instant time period;
  
  comparing, by a processor, the instant ratio to the historic ratio to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant ratio and the historic ratio is present;
  
  identifying, by the processor, existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation;
  
  applying a filter at a network protection device to block malicious traffic of the identified network attack;
  
  developing a post attack packet profile by examining the monitored packets subsequent to identification of the network attack, the post attack packet profile including a post attack ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the monitored packets subsequent to identification of the network attack;
  
  comparing the post attack ratio to the historic ratio to determine whether a new deviation is below a second statistical predetermined threshold deviation that is smaller than the predetermined statistical threshold deviation; and
  
  identifying an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, the method further comprising in response to identifying the existence of a network attack:
    - investigating the monitored packets in the instant time period to identify malicious traffic in response to the identified network attack.
  - 3. The method of claim 2, further comprising:
    - removing the filter in response to the identified end of the identified network attack.
  - 4. The method of claim 1, wherein the at least one packet protocol consists of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and the one or more different packet protocols comprises TCP and UDP.
  - 5. The method of claim 1, wherein the monitoring comprises:
    - monitoring packets in at least one of the Internet Protocol (IP) layer or the Transmission Control Protocol (TCP) layer.
  - 6. The method of claim 1, wherein the monitoring step comprises:
    - monitoring packets received from outside the network to transport to a device inside the network.
  - 7. The method of claim 6, wherein the monitoring step further comprises:
    - monitoring packets received from within the network.
  - 8. The method of claim 1, wherein the packets are messaging packets and the monitoring step comprises:
    - monitoring the messaging packets passing from a services network to a mobiles network.
  - 9. The method of claim 8, further comprising the steps of:
    - applying another filter at a router positioned between the Internet and the services network to block the malicious traffic; and
      
      removing the filter at the network protection device and the another filter at the router in response to the identified end of the identified network attack.

10. A system comprising:
- a network protection hardware device;
  
  packet extractor logic configured to monitor packets received at the network protection hardware device for delivery to devices on a network;
  
  a packet processor coupled to the packet extractor logic, the packet processor configured to;
  
  develop a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period, the historic packet profile including a historic ratio of number of packets of at least one packet protocol to number of packets of two or more different packet protocols for the plurality of time periods preceding the instant time period;
  
  develop an instant packet profile by examining the monitored packets during the instant time period, the instant packet profile including an instant ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the instant time period;
  
  compare the instant ratio to the historic ratio to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant ratio and the historic ratio is present;
  
  identify existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation;
  
  instruct the network protection hardware device to apply a filter to block malicious traffic of the network attack;
  
  develop a post attack packet profile by examining the monitored packets subsequent to identification of the network attack, the post attack packet profile including a post attack ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the monitored packets subsequent to identification of the network attack;
  
  compare the post attack ratio to the historic ratio to determine whether a new deviation is below a second statistical predetermined threshold deviation that is smaller than the predetermined statistical threshold deviation; and
  
  identify an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein the packet processor is further configured to:
    - investigate the monitored packets in the instant time period to identify the malicious traffic.
  - 12. The system of claim 11, wherein the packet processor is further configured to:
    - instruct the network protection hardware device to remove the filter in response to the identified end of the identified network attack.
  - 13. The system of claim 10, wherein:
    - the historic packet profile further includes a sample standard deviation of the ratio of the number of packets of the at least one packet protocol to the number of packets of the two or more different packet protocols, for the plurality of time periods preceding the instant time period.
  - 14. The method of claim 10, wherein the at least one packet protocol consists of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) and the two or more different packet protocols comprises TCP and UDP.
  - 15. The system of claim 10, wherein the packets are messaging packets, the network protection hardware device is positioned between a services network side and a mobiles network side, and the packet extractor logic includes a services tap on the services network side and a mobiles tap on the mobiles network side to extract messaging packets following between the services network and the mobiles network.
  - 16. The system of claim 15, further comprising:
    - a router positioned between the Internet and the services network;
      
      wherein the packet processor is further configured to instruct the router to apply another filer to block malicious traffic of the network attack, instruct the network protection hardware device to remove the filter in response to the identified end of the identified network attack, and instruct the router to remove the other filter in response to the identified end of the identified network attack.

17. A non-transient computer readable medium including instructions for execution by a computer, the instructions including:
- monitoring packets received for delivery to devices on a network;
  
  developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period, the historic packet profile including a historic ratio of number of packets of at least one packet protocol to number of packets of two or more different packet protocols for the plurality of time periods preceding the instant time period;
  
  developing an instant packet profile by examining the monitored packets during the instant time period, the instant packet profile including an instant ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the instant time period;
  
  comparing the instant ratio to the historic ratio to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant ratio and the historic ratio is present;
  
  identifying the existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation;
  
  applying a filter at a network protection device to block malicious traffic of the network attack;
  
  developing a post attack packet profile by examining the monitored packets subsequent to identification of the network attack, the post attack packet profile including a post attack ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the monitored packets subsequent to identification of the network attack;
  
  comparing the post attack ratio to the historic ratio to determine whether a new deviation is below a second statistical predetermined threshold deviation that is smaller than the predetermined statistical threshold deviation; and
  
  identifying an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transient computer readable medium of claim 17, wherein:
    - the historic packet profile further includes a sample standard deviation of the ratio of the number of packets of the at least one packet protocol to the number of packets of the two or more different packet protocols, for the plurality of time periods preceding the instant time period.
  - 19. The non-transient computer readable medium of claim 17, wherein the packets are messaging packets and the monitoring step comprises:
    - monitoring the messaging packets passing from a services network to a mobiles network.
  - 20. The non-transient computer readable medium of claim 19, wherein the method further comprises the steps of:
    - applying another filter at a router positioned between the Internet and the services network to block the malicious traffic; and
      
      removing the filter at the network protection device and the another filter at the router in response to the identified end of the identified network attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Original Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Inventors
Vaughan, John F.
Primary Examiner(s)
TURCHEN, JAMES R

Application Number

US13/929,020
Publication Number

US 20150007314A1
Time in Patent Office

985 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Denial of service (DoS) attack detection systems and methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Denial of service (DoS) attack detection systems and methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links