Claims
- 1. A method, comprising:
examining packet count and byte count to determine whether a host is a potential DoS victim; and, if a host is determined to be a potential victim, iterating over all connected hosts to determine which hosts are possible attackers.
- 2. The method of claim 1 wherein determining whether the host is a victim of a DoS attack, comprises:
comparing current measured inbound byte rate with historical average inbound byte rate for a current profiled time period.
- 3. The method of claim 2 further comprising:
determining whether a host has a large variance in inbound packet and byte rate; and, if the host has a large variance, calculating that variance to provide an appropriate margin of error before raising an alert of a DoS attack.
- 4. The method of claim 3 wherein calculating the margin of error includes evaluating
- 5. The method of claim 3 further comprising:
determining if the incoming packet count is above a threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.
- 6. The method of claim 1 further comprising determining whether conditions of a possible attack are present, and increasing the severity of the reported event to reflect a corresponding degree of certainty that the event is a DoS attack.
- 7. The method of claim 1 wherein conditions that influence whether an event is an attack include determining whether the suspected victim is receiving traffic from an unusually large number of other hosts relative to its historical profile.
- 8. The method of claim 7 wherein conditions that influence whether an event is an attack include determining whether most of the hosts connecting to the suspected victim do not exist in the profile connection table.
- 9. The method of claim 8 wherein conditions that influence whether an event is an attack include determining if most of the new traffic to the host is UDP, ICMP, or unknown protocols.
- 10. The method of claim 8 further comprising:
using conditions of a possible attack to elevate the severity of the reported event.
- 11. The method of claim 8 wherein if a host is determined to be a DoS victim, further comprising:
examining the host's neighbors to determine which hosts are possible attackers.
- 12. The method of claim 11 wherein examining comprises, for each neighbor $H_0$ of the host, determining the byte rate from $H_0$ to the host, according to
- 13. The method of claim 11 wherein examining comprises, for each neighbor $H_0$ of the host, determining the byte rate from the host to $H_0$, according to
- 14. A computer program product residing on a computer readable medium for detecting denial of service attacks, comprising instructions for causing a computer to:
examine packet count and byte count to determine whether a host is a potential DoS victim; and, if a host is determined to be a potential victim, iterate over connected hosts to determine which hosts are possible attackers.
- 15. The computer program product of claim 14 wherein instructions to determine whether the host is a victim of a DoS attack, comprises instructions to:
compare current measured inbound byte rate with historical average inbound byte rate for a current profiled time period.
- 16. The computer program product of claim 14 further comprising instructions to:
determine whether a host has a large variance in inbound packet and byte rate; and, if the host has a large variance, calculate that variance to provide an appropriate margin of error before raising an alert of a DoS attack.
- 17. The computer program product of claim 14 wherein instructions to calculate the margin of error include evaluating
- 18. The computer program product of claim 14 further comprising instructions to:
determine if the incoming packet count is above a threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.
- 19. The computer program product of claim 14 further comprising instructions to determine whether conditions of a possible attack are present, and to increase the severity of the reported event to reflect a corresponding degree of certainty that the event is a DoS attack.
- 20. The computer program product of claim 14 wherein conditions that influence whether an event is an attack include determining whether the suspected victim is receiving traffic from an unusually large number of other hosts relative to its historical profile.
- 21. The computer program product of claim 14 wherein conditions that influence whether an event is an attack include determining whether most of the hosts connecting to the suspected victim do not exist in the profile connection table.
- 22. The computer program product of claim 14 wherein conditions that influence whether an event is an attack include determining if most of the new traffic to the host is UDP, ICMP, or unknown protocols.
- 23. The computer program product of claim 14 further comprising instructions to:
use conditions of a possible attack to elevate the severity of the reported event.
- 24. The computer program product of claim 14 further comprising instructions to:
examine the host's neighbors to determine which hosts are possible attackers, if a host is determined to be a DoS victim.
- 25. The computer program product of claim 24 wherein instructions to examine further comprise instructions to:
determine, for each neighbor $H_0$ of the host, the byte rate from $H_0$ to the host, according to $c_0 > (h_0 + C_1 \sigma_0^2)\, C_2$, where $c_0$ is the current byte rate from $H_0$ to $H$, $h_0$ is the historical average byte rate from $H_0$ to $H$, $C_1$ and $C_2$ are constants, and $\sigma_0^2$ is the variance of the byte rate from $H$ to $H_0$; and indicate that $H_0$ is a suspected attacker of $H$ if the inequality is satisfied.
- 26. The computer program product of claim 25 wherein instructions to examine further comprise instructions to:
determine, for each neighbor $H_0$ of the host, the byte rate from the host to $H_0$, according to $c_0 > (h_0 + C_1 \sigma_0^2)\, C_2$, where $c_0$ is the current byte rate to $H_0$ from $H$, $h_0$ is the historical average byte rate to $H_0$ from $H$, $C_1$ and $C_2$ are constants, and $\sigma_0^2$ is the variance of the byte rate to $H$ from $H_0$; and indicate that $H_0$ is a suspected attacker of $H$ if the inequality is satisfied.
- 27. Apparatus comprising:
a processing device; a memory; a computer readable medium for executing a computer program product for detecting denial of service attacks, comprising instructions for causing the processing device to: examine packet count and byte count to determine whether a host is a potential DoS victim; and, if a host is determined to be a potential victim, iterate over connected hosts to determine which hosts are possible attackers.
- 28. The apparatus of claim 27 wherein instructions to determine whether the host is a victim of a DoS attack, comprises instructions to:
compare current measured inbound byte rate with historical average inbound byte rate for a current profiled time period.
- 29. The apparatus of claim 27 further comprising instructions to:
determine whether a host has a large variance in inbound packet and byte rate; and, if the host has a large variance, calculate that variance to provide an appropriate margin of error before raising an alert of a DoS attack.
- 30. The apparatus of claim 27 wherein instructions to calculate the margin of error include evaluating
- 31. The apparatus of claim 27 further comprising instructions to:
determine if the incoming packet count is above a threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.
- 32. The apparatus of claim 27 further comprising instructions to determine whether conditions of a possible attack are present, and to increase the severity of the reported event to reflect a corresponding degree of certainty that the event is a DoS attack.
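The detection procedure the claims describe (inbound-rate comparison against a historical profile with a variance margin, the packet-count floor, severity escalation from the new-source and protocol conditions, and the per-neighbor inequality of claim 25) is shown below as an added Python example. It is not the patent's or Mazu's code: the constants C1 and C2, the packet floor MIN_PACKETS, and the sample flow records are all assumed or constructed here, and the profile is a simple per-interval byte history rather than whatever store the product used.

```python
"""Per-host DoS victim/attacker detection in the style of the claims above.

Added illustration, not the patent's or Mazu's code. Constants C1, C2 and
MIN_PACKETS are assumed values; the flow records in example() are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pvariance

C1 = 1.0          # assumed: weight on the variance term (claim 25 "C1")
C2 = 1.2          # assumed: multiplicative slack (claim 25 "C2")
MIN_PACKETS = 50  # assumed: claim 5 packet floor that filters low-traffic hosts
NOISY_PROTOS = {"udp", "icmp", "other"}  # claim 9: UDP, ICMP or unknown

# Flow record: (src, dst, proto, bytes, packets) within one profiling interval.
Flow = tuple[str, str, str, int, int]


@dataclass
class Profile:
    inbound: dict[str, list[int]]           # host -> inbound bytes per interval
    pair: dict[tuple[str, str], list[int]]  # (src, dst) -> bytes per interval
    peers: dict[str, set[str]]              # dst -> sources seen (connection table)


def build_profile(intervals: list[list[Flow]]) -> Profile:
    """Aggregate historical intervals into per-host and per-pair byte histories."""
    inbound = defaultdict(lambda: [0] * len(intervals))
    pair = defaultdict(lambda: [0] * len(intervals))
    peers = defaultdict(set)
    for i, flows in enumerate(intervals):
        for src, dst, _proto, nbytes, _pkts in flows:
            inbound[dst][i] += nbytes
            pair[(src, dst)][i] += nbytes
            peers[dst].add(src)
    return Profile(dict(inbound), dict(pair), dict(peers))


def exceeds(current: float, history: list[int]) -> bool:
    """Claim 25 inequality c > (h + C1*sigma^2) * C2, applied literally with
    sigma^2 the historical variance, so a bursty host gets a wider margin
    (claim 3). An unprofiled host has h = sigma^2 = 0."""
    h = mean(history) if history else 0.0
    var = pvariance(history) if len(history) > 1 else 0.0
    return current > (h + C1 * var) * C2


@dataclass
class Alert:
    victim: str
    severity: int        # 1 = rate anomaly only; +1 per claim 7/8/9 condition
    attackers: list[str]


def detect(profile: Profile, flows: list[Flow]) -> list[Alert]:
    cur_bytes, cur_pkts, cur_pair = defaultdict(int), defaultdict(int), defaultdict(int)
    cur_srcs = defaultdict(set)
    proto_bytes = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, nbytes, npkts in flows:
        cur_bytes[dst] += nbytes
        cur_pkts[dst] += npkts
        cur_pair[(src, dst)] += nbytes
        cur_srcs[dst].add(src)
        proto_bytes[dst][proto if proto in ("tcp", "udp", "icmp") else "other"] += nbytes

    alerts = []
    for host in sorted(cur_bytes):
        if cur_pkts[host] < MIN_PACKETS:                                  # claim 5
            continue
        if not exceeds(cur_bytes[host], profile.inbound.get(host, [])):  # claims 2-3
            continue
        severity = 1
        known, srcs = profile.peers.get(host, set()), cur_srcs[host]
        if len(srcs) > C2 * max(len(known), 1):    # claim 7: unusually many sources
            severity += 1
        if len(srcs - known) > len(srcs) / 2:      # claim 8: mostly unprofiled sources
            severity += 1
        noisy = sum(b for p, b in proto_bytes[host].items() if p in NOISY_PROTOS)
        if noisy > cur_bytes[host] / 2:            # claim 9: mostly UDP/ICMP/unknown
            severity += 1
        attackers = [s for s in sorted(srcs)       # claims 11 and 25: neighbor scan
                     if exceeds(cur_pair[(s, host)], profile.pair.get((s, host), []))]
        alerts.append(Alert(host, severity, attackers))
    return alerts


def example() -> list[Alert]:
    # Constructed history: four intervals of steady traffic to 10.0.0.5 from two
    # known peers, and bursty (high-variance) traffic to 10.0.0.9 from one peer.
    hist = [
        [("10.0.0.1", "10.0.0.5", "tcp", 600, 40),
         ("10.0.0.2", "10.0.0.5", "tcp", 400, 30),
         ("10.0.0.3", "10.0.0.9", "tcp", 500 + 1000 * (i % 2), 60)]
        for i in range(4)
    ]
    profile = build_profile(hist)
    # Constructed current interval: a UDP/ICMP flood on 10.0.0.5 from three
    # never-seen sources, and a modest bump on the bursty host 10.0.0.9.
    now = [
        ("10.0.0.1", "10.0.0.5", "tcp", 650, 42),
        ("10.0.0.2", "10.0.0.5", "tcp", 420, 31),
        ("198.51.100.7", "10.0.0.5", "udp", 30000, 400),
        ("198.51.100.8", "10.0.0.5", "udp", 28000, 380),
        ("198.51.100.9", "10.0.0.5", "icmp", 9000, 150),
        ("10.0.0.3", "10.0.0.9", "tcp", 1600, 70),
    ]
    return detect(profile, now)


if __name__ == "__main__":
    for a in example():
        print(a)
```

Running `example()` yields a single alert for 10.0.0.5 at severity 4 naming the three 198.51.100.x sources; the two profiled peers stay inside their own per-pair margin and are not flagged. 10.0.0.9 passes the packet floor but not the rate test, because its history of alternating 500 and 1500 bytes gives a variance of 250000 and therefore a very wide margin. That width is a direct consequence of the claims writing the margin as C1 times the variance, whose units are bytes squared: a deployment has to scale C1 to the traffic magnitudes it profiles, or the margin collapses on quiet hosts and explodes on bursty ones.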
Parent Case Info
[0001] This application claims the benefit of U.S. Provisional Application Serial No. 60/423,557, filed Nov. 04, 2002 entitled “ALGORITHMS FOR NETWORK ANOMALY DETECTION IN THE MAZU NETWORK PROFILER”; U.S. Provisional Application Serial No. 60/427,294, filed Nov. 18, 2002 entitled “ANOMALY DETECTION AND ROLE CLASSIFICATION IN A DISTRIBUTED COMPUTING NETWORK” and U.S. Provisional Application Serial No. 60/429,050, filed Nov. 25, 2002 entitled “ROLE CLASSIFICATION OF HOSTS WITHIN ENTERPRISE NETWORKS BASED ON CONNECTION PATTERNS.”
Provisional Applications (3)

| Number | Date | Country |
|---|---|---|
| 60423557 | Nov 2002 | US |
| 60427294 | Nov 2002 | US |
| 60429050 | Nov 2002 | US |