Network attack detection method

US 9,876,807 B2
Filed: 04/16/2015
Issued: 01/23/2018
Est. Priority Date: 10/10/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

at an electronic device having one or more processors, and a memory for storing program instructions that are executed by the one or more processors,conducting a topology analysis on network, and obtaining a probing path set containing at least one probing path according to the topology analysis;

probing a first probing path contained in the probing path set by using a probing pattern and obtaining a performance metric of the first probing path; and

determining whether the first probing path is subjected to network attack according to the performance metric and a control performance metric,wherein one end of the probing path is a probing node and another end of the probing path is a target node, a forward path of the probing path is from the probing node to the target node and a reverse path of the probing path is from the target node to the probing node,wherein the probing pattern is modified Recursive Packet Train (mRPT), wherein the performance metric of the first probing path comprises available bandwidth on the forward path,wherein the probing a first probing path by using a probing pattern and obtaining a performance metric of the first probing path comprises;

sending a mRPT probing packet train from the probing node to the target node, wherein the mRPT probing packet train contains a first sub-probing packet, N_Lload packets and a second sub-probing packet in sequence, wherein N_Lis an integer equal to or greater than 1;

receiving a first ACK packet in responsive to the first sub-probing packet and a second ACK packet in responsive to the second sub-probing packet from the target node;

determining a time gap G_Abetween an arrival time of the first ACK packet and an arrival time of the second ACK packet; and

calculating the available bandwidth on the forward path according to N_L, G_Aand S_L, where S_Lis the size of a load packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

It is described a network attack detection method. A topology analysis on network is conducted to obtain a probing path set containing at least one probing path. A first probing path contained in the probing path set is probed by using a probing pattern to obtain a performance metric of the first probing path. It is determined whether the first probing path is subjected to network attack according to the performance metric and a control performance metric.

Citations

8 Claims

1. A method, comprising:
- at an electronic device having one or more processors, and a memory for storing program instructions that are executed by the one or more processors,conducting a topology analysis on network, and obtaining a probing path set containing at least one probing path according to the topology analysis;
  
  probing a first probing path contained in the probing path set by using a probing pattern and obtaining a performance metric of the first probing path; and
  
  determining whether the first probing path is subjected to network attack according to the performance metric and a control performance metric,wherein one end of the probing path is a probing node and another end of the probing path is a target node, a forward path of the probing path is from the probing node to the target node and a reverse path of the probing path is from the target node to the probing node,wherein the probing pattern is modified Recursive Packet Train (mRPT), wherein the performance metric of the first probing path comprises available bandwidth on the forward path,wherein the probing a first probing path by using a probing pattern and obtaining a performance metric of the first probing path comprises;
  
  sending a mRPT probing packet train from the probing node to the target node, wherein the mRPT probing packet train contains a first sub-probing packet, N_Lload packets and a second sub-probing packet in sequence, wherein N_Lis an integer equal to or greater than 1;
  
  receiving a first ACK packet in responsive to the first sub-probing packet and a second ACK packet in responsive to the second sub-probing packet from the target node;
  
  determining a time gap G_Abetween an arrival time of the first ACK packet and an arrival time of the second ACK packet; and
  
  calculating the available bandwidth on the forward path according to N_L, G_Aand S_L, where S_Lis the size of a load packet.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein the performance metric further comprises RTT and/or RTT jitter,wherein the RTT is determined according to a sending time of a sub-probing packet and an arrival time of a corresponding ACK packet,wherein the RTT jitter is determined according to multiple RTTs.
  - 3. The method according to claim 1, further comprising:
    - in the case it is determined the first probing path is subjected to the network attack, determining hop-by-hop a target link which is under the network attack on the first probing path.
  - 4. The method according to claim 1, further comprising:
    - after obtaining the performance metric of the first probing path, forming a metric vector according to the obtained performance metric,wherein the determining whether the first probing path is subjected to network attack according to the performance metric and a control performance metric comprises;
      
      calculating a Mahalanobis distance according the formed metric vector and a control metric vector formed based on the control performance metric; and
      
      determining whether the first probing path is subjected to the network attack according to the calculated Mahalanobis distance,wherein the metric vector is for the forward path or for the reverse path.
  - 5. The method according to claim 1, further comprising:
    - before probing the first probing path, setting up a connection between the probing node and the target node; and
      
      determining a connection failure rate between the probing node and the target node within a preset time.

6. A non-transitory computer-readable storage medium storing instructions thereon for execution by at least one processing circuit, the instructions comprising:
- conducting a topology analysis on network, and obtaining a probing path set containing at least one probing path according to the topology analysis;
  
  probing a first probing path contained in the probing path set by using a probing pattern and obtaining a performance metric of the first probing path; and
  
  determining whether the first probing path is subjected to network attack according to the performance metric and a control performance metric,wherein one end of the probing path is a probing node and another end of the probing path is a target node, a forward path of the probing path is from the probing node to the target node and a reverse path of the probing path is from the target node to the probing node,wherein the probing pattern is modified Recursive Packet Train (mRPT), wherein the performance metric of the first probing path comprises available bandwidth on the forward path,wherein the probing a first probing path by using a probing pattern and obtaining a performance metric of the first probing path comprises;
  
  sending a mRPT probing packet train from the probing node to the target node, wherein the mRPT probing packet train contains a first sub-probing packet, N_Lload packets and a second sub-probing packet in sequence, wherein N_Lis an integer equal to or greater than 1;
  
  receiving a first ACK packet in responsive to the first sub-probing packet and a second ACK packet in responsive to the second sub-probing packet from the target node;
  
  determining a time gap G_Abetween an arrival time of the first ACK packet and an arrival time of the second ACK packet; and
  
  calculating the available bandwidth on the forward path according to N_L, G_Aand S_L, where S_Lis the size of a load packet.
- View Dependent Claims (7)
- - 7. The non-transitory computer-readable storage medium according to claim 6, wherein the instructions further comprise:
    - in the case it is determined the first probing path is subjected to the network attack, determining hop-by-hop a target link which is under the network attack on the first probing path.

8. An apparatus, comprising:
- one or more processors; and
  
  a memory coupled to the one or more processors;
  
  instructions stored in the memory, the instructions being executable by the one or more processors to;
  
  conduct a topology analysis on network, and obtain a probing path set containing at least one probing path according to the topology analysis;
  
  probe a first probing path contained in the probing path set by using a probing pattern and obtain a performance metric of the first probing path; and
  
  determine whether the first probing path is subjected to network attack according to the performance metric and a control performance metric,wherein one end of the probing path is a probing node and another end of the probing path is a target node, a forward path of the probing path is from the probing node to the target node and a reverse path of the probing path is from the target node to the probing node,wherein the probing pattern is modified Recursive Packet Train (mRPT), wherein the performance metric of the first probing path comprises available bandwidth on the forward path,wherein probing a first probing path by using a probing pattern and obtaining a performance metric of the first probing path comprises;
  
  sending a mRPT probing packet train from the probing node to the target node, wherein the mRPT probing packet train contains a first sub-probing packet, N_Lload packets and a second sub-probing packet in sequence, wherein N_Lis an integer equal to or greater than 1;
  
  receiving a first ACK packet in responsive to the first sub-probing packet and a second ACK packet in responsive to the second sub-probing packet from the target node;
  
  determining a time gap G_Abetween an arrival time of the first ACK packet and an arrival time of the second ACK packet; and
  
  calculating the available bandwidth on the forward path according to N_L, G_Aand S_L, where S_Lis the size of a load packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hong Kong Polytechnic University, Tencent Technology Shenzhen Company Limited (Tencent Holdings Limited)
Original Assignee
Hong Kong Polytechnic University, Tencent Technology Shenzhen Company Limited (Tencent Holdings Limited)
Inventors
Xue, Lei, Liu, Zhiwei, Zou, Xianneng, Hou, Jingang, Luo, Xiapu, Chan, Edmond W. W, Tu, Pei, Shao, Yuru
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/688,554
Publication Number

US 20160105453A1
Time in Patent Office

1,013 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 41/142   using statistical or mathem...

H04L 43/0829   Packet loss

H04L 43/0864   Round trip delays

H04L 43/087   Jitter

H04L 43/0894   Packet rate

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/1416   Event detection, e.g. attac...

Network attack detection method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Network attack detection method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links