Denial of service (DoS) attack detection systems and methods
First Claim
1. A method comprising:
- monitoring packets received for delivery to devices on a network;
- developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period, the historic packet profile including a historic ratio of number of packets of at least one packet protocol to number of packets of two or more different packet protocols for the plurality of time periods preceding the instant time period;
- developing an instant packet profile by examining the monitored packets during the instant time period, the instant packet profile including an instant ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the instant time period;
- comparing, by a processor, the instant ratio to the historic ratio to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant ratio and the historic ratio is present;
- identifying, by the processor, existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation;
- applying a filter at a network protection device to block malicious traffic of the identified network attack;
- developing a post attack packet profile by examining the monitored packets subsequent to identification of the network attack, the post attack packet profile including a post attack ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the monitored packets subsequent to identification of the network attack;
- comparing the post attack ratio to the historic ratio to determine whether a new deviation is below a second statistical predetermined threshold deviation that is smaller than the predetermined statistical threshold deviation; and
- identifying an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
Abstract
Methods, systems, and apparatus that enable identification of network attacks such as denial of service attacks are disclosed. A network attack may be identified by monitoring packets received for delivery to devices on a network, and developing a historic packet profile by examining the monitored packets received during a number of time periods preceding an instant time period. An instant packet profile is developed by examining the monitored packets during the instant time period. The instant packet profile is compared to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present. The existence of a network attack is identified in response to determining that the deviation exceeds the predetermined statistical threshold deviation.
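The claimed detection loop in runnable form, as an added example that is not part of the patent: each time period yields a ratio of the watched protocol's packets to all profiled protocols' packets, the historic profile is the mean and standard deviation of that ratio over preceding quiet periods, a higher threshold opens the attack state and a lower one closes it. The patent does not fix which statistic defines the "statistical threshold deviation", so scoring in standard deviations is an assumption here; the packet record shape, protocol names and traffic counts are constructed.

```python
from collections import Counter, deque
from statistics import mean, pstdev

class ProtocolRatioDetector:
    """Hypothetical detector shaped like the claimed method: each period's protocol ratio is
    scored against the mean/std-dev of preceding quiet periods; a high threshold declares an
    attack and a lower one declares it over (hysteresis)."""
    def __init__(self, watched, protocols, history=10, min_history=5,
                 enter_sigma=3.0, exit_sigma=1.0, min_sigma=0.01):
        self.watched, self.protocols = watched, set(protocols)
        self.history = deque(maxlen=history)   # ratios from quiet periods only
        self.min_history = min_history
        self.enter_sigma, self.exit_sigma = enter_sigma, exit_sigma
        self.min_sigma = min_sigma             # floor so a flat baseline cannot divide by zero
        self.under_attack = False

    def period_ratio(self, packets):
        """Instant ratio: watched-protocol packets over packets of all profiled protocols."""
        counts = Counter(p["proto"] for p in packets if p["proto"] in self.protocols)
        total = sum(counts.values())
        return counts[self.watched] / total if total else 0.0

    def observe_period(self, packets):
        """Return (instant_ratio, deviation_in_sigmas, under_attack) for one time period."""
        ratio = self.period_ratio(packets)
        if len(self.history) < self.min_history:    # still building the historic profile
            self.history.append(ratio)
            return ratio, 0.0, False
        sigma = max(pstdev(self.history), self.min_sigma)
        deviation = abs(ratio - mean(self.history)) / sigma
        if not self.under_attack and deviation > self.enter_sigma:
            self.under_attack = True    # here a filter would be pushed to the protection device
        elif self.under_attack and deviation < self.exit_sigma:
            self.under_attack = False   # post-attack ratio is back inside the tighter band
        if not self.under_attack:
            self.history.append(ratio)  # attack periods must never poison the baseline
        return ratio, deviation, self.under_attack

def make_period(tcp, udp, icmp=0):
    """Constructed sample period: minimal packet records carrying only a protocol field."""
    return [{"proto": "tcp"}] * tcp + [{"proto": "udp"}] * udp + [{"proto": "icmp"}] * icmp

def run_demo():
    """Constructed traffic: quiet baseline, a UDP flood, its tail, then normal again."""
    det = ProtocolRatioDetector(watched="udp", protocols=("tcp", "udp", "icmp"))
    periods = [make_period(70, 30), make_period(68, 32), make_period(72, 28),
               make_period(69, 31), make_period(71, 29),   # baseline: UDP share about 0.30
               make_period(30, 170), make_period(60, 60),  # flood (0.85), then tapering (0.50)
               make_period(70, 30), make_period(69, 31)]   # recovery
    return [det.observe_period(p)[2] for p in periods]
```

The tapering period (UDP share 0.50) still sits well above the exit band, so the attack state is held until the ratio actually returns to baseline; without the second, smaller threshold the state would flap on every borderline period.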
20 Claims
10. A system comprising:
- a network protection hardware device;
- packet extractor logic configured to monitor packets received at the network protection hardware device for delivery to devices on a network;
- a packet processor coupled to the packet extractor logic, the packet processor configured to:
  - develop a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period, the historic packet profile including a historic ratio of number of packets of at least one packet protocol to number of packets of two or more different packet protocols for the plurality of time periods preceding the instant time period;
  - develop an instant packet profile by examining the monitored packets during the instant time period, the instant packet profile including an instant ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the instant time period;
  - compare the instant ratio to the historic ratio to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant ratio and the historic ratio is present;
  - identify existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation;
  - instruct the network protection hardware device to apply a filter to block malicious traffic of the network attack;
  - develop a post attack packet profile by examining the monitored packets subsequent to identification of the network attack, the post attack packet profile including a post attack ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the monitored packets subsequent to identification of the network attack;
  - compare the post attack ratio to the historic ratio to determine whether a new deviation is below a second statistical predetermined threshold deviation that is smaller than the predetermined statistical threshold deviation; and
  - identify an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
Dependent claims: 11, 12, 13, 14, 15, 16.
17. A non-transient computer readable medium including instructions for execution by a computer, the instructions including:
- monitoring packets received for delivery to devices on a network;
- developing a historic packet profile by examining the monitored packets received during a plurality of time periods preceding an instant time period, the historic packet profile including a historic ratio of number of packets of at least one packet protocol to number of packets of two or more different packet protocols for the plurality of time periods preceding the instant time period;
- developing an instant packet profile by examining the monitored packets during the instant time period, the instant packet profile including an instant ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the instant time period;
- comparing the instant ratio to the historic ratio to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant ratio and the historic ratio is present;
- identifying the existence of a network attack in response to determining that the deviation exceeds the predetermined statistical threshold deviation;
- applying a filter at a network protection device to block malicious traffic of the network attack;
- developing a post attack packet profile by examining the monitored packets subsequent to identification of the network attack, the post attack packet profile including a post attack ratio of number of packets of the at least one packet protocol to number of packets of the two or more different packet protocols for the monitored packets within the monitored packets subsequent to identification of the network attack;
- comparing the post attack ratio to the historic ratio to determine whether a new deviation is below a second statistical predetermined threshold deviation that is smaller than the predetermined statistical threshold deviation; and
- identifying an end of the network attack in response to determining that the new deviation is less than the second statistical predetermined threshold deviation.
Dependent claims: 18, 19, 20.