Detecting network attacks
Abstract
This disclosure generally relates to the generation of a packet signature for packets determined to correspond to a network attack, such as a denial of service (“DoS”) attack. Specifically, a set of data packets captured during normal system operations can be analyzed to determine a set of baseline attributes. Additional packets captured during an attack can be compared to the baseline attributes, to determine, for individual packets, a probability that the packet forms a part of the attack. A packet signature can then be generated to identify attributes that are characteristic of the attack. That signature can then be used to filter out packets and mitigate the attack.
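The pipeline the abstract describes (baseline capture, per-packet attack probability, signature, filter), as an added illustration that is not code from the patent. The attribute set, the equal-length capture windows, the excess-share scoring, the minimum-over-attributes rule and the 0.9 dominance threshold are all assumptions made for this sketch, and the packets are constructed sample data.

```python
from collections import Counter

ATTRS = ("ttl", "length", "dst_port")  # assumed attribute set

def value_counts(packets):
    return {a: Counter(p[a] for p in packets) for a in ATTRS}

def attack_probabilities(baseline, suspect):
    """Per-packet score in [0, 1] from a baseline vs. attack-window comparison.

    Assumption: both captures span equal-length windows, so for a value seen
    c_att times now and c_base times before, (c_att - c_base) / c_att estimates
    P(attack | value). A packet takes the minimum over its attributes.
    """
    base, att = value_counts(baseline), value_counts(suspect)
    def excess(a, v):
        return max(0.0, (att[a][v] - base[a][v]) / att[a][v])
    return [min(excess(a, p[a]) for a in ATTRS) for p in suspect]

def build_signature(suspect, probs, dominance=0.9):
    """Keep each attribute value holding >= `dominance` of the probability mass."""
    total = sum(probs)
    sig = {}
    if total == 0:
        return sig  # nothing deviates from the baseline, so no signature
    for a in ATTRS:
        mass = Counter()
        for p, w in zip(suspect, probs):
            mass[p[a]] += w
        value, weight = mass.most_common(1)[0]
        if weight / total >= dominance:
            sig[a] = value
    return sig

def matches(sig, packet):
    """Filter predicate: True when the packet carries every signature value."""
    return bool(sig) and all(packet[a] == v for a, v in sig.items())

def pkt(ttl, length, dst_port):
    return {"ttl": ttl, "length": length, "dst_port": dst_port}

# Constructed sample captures (not real traffic).
NORMAL = [pkt(64, 512, 443)] * 60 + [pkt(128, 300, 80)] * 40
FLOOD = [pkt(250, 40, 80)] * 900
DURING_ATTACK = NORMAL + FLOOD

PROBS = attack_probabilities(NORMAL, DURING_ATTACK)
SIGNATURE = build_signature(DURING_ATTACK, PROBS)
```

Legitimate port-80 traffic shares a destination port with the flood but scores 0 because its TTL and length match the baseline, so the resulting three-attribute signature does not drop it.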
20 Claims
1. A computer-implemented method comprising:
- receiving a first set of network data packets transmitted to a target system when no attack on the target system has been detected;
- receiving a second set of network data packets transmitted to the target system during an attack on the target system;
- for individual network data packets of the second set of network data packets, assigning to the individual network data packet a probability that the individual data packet is associated with the attack, wherein the probabilities that individual data packets are associated with the attack are determined based at least in part on a comparison of the first and second sets of network data packets; and
- generating a packet signature for the attack based at least partly on analyzing attributes of individual network data packets of the second set of network data packets according to the probabilities that the individual data packets are associated with the attack.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A system for generating packet signatures, the system comprising:
- a non-transitory data store including a set of packet characteristics representative of packets received at a target system when no attack on a target system has been detected; and
- a computing system comprising one or more computing devices, the computing system configured with specific computer-executable instructions that, when executed, cause the computing system to at least;
  - identify a set of data packets transmitted to the target system during an attack on the target system;
  - compare the set of data packets to the set of packet characteristics to assign to individual data packets of the set of data packets a probability that the individual data packet is associated with the attack; and
  - generate a packet signature for the attack based at least partly on analyzing attributes of individual data packets of the set of data packets according to the probability that the individual data packet is associated with the attack.

Dependent claims: 10, 11, 12, 13, 14.

15. Non-transitory computer readable media including computer-executable instructions that, when executed by a computing system, cause the computing system to:
- identify a first set of data packets transmitted to a target system during a time period in which no attack on the target system has been detected;
- identify a second set of data packets transmitted to the target system during an attack on the target system;
- compare the first and second sets of data packets to assign to individual network data packets of the second set of data packets a probability that the individual data packet is associated with the attack; and
- generate a packet signature for the attack based at least partly on analyzing attributes of individual data packets of the second set of data packets according to the probability that the individual data packet is associated with the attack.

Dependent claims: 16, 17, 18, 19, 20.

Specification