METHODS AND SYSTEMS FOR DETECTING AND MITIGATING A HIGH-RATE DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK
Abstract
Methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks are herein described. The present invention contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local- and a global-basis. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore, the attack probabilities.
Claims
exact text as granted — not AI-modified1 - 20 . (canceled)
21 . A method performed by a flow-based system for detecting traffic anomaly at various nodes within a network, comprising:
based on a monitoring of a plurality of flows traversing through the flow-based system, generating a plurality of flow state records corresponding to the plurality of flows, wherein an individual flow of the plurality of flows is a stream of packets having a same protocol, wherein an individual flow state record of the plurality of flow state records includes flow state information associated with the individual flow; generate a plurality of aggregate records based on cumulative statistics associated with the plurality of flow state records; computing a net probability of attack based on an analysis of the plurality of aggregate records to detect the traffic anomaly; and in an event the net probability of attack is greater than a net probability threshold, initiating a mitigation action for mitigating the traffic anomaly.
22 . The method of claim 21 , wherein initiating the mitigation action comprises:
identifying, within the network, a candidate node having the traffic anomaly based on a particular aggregate record associated with the candidate node, the particular aggregate record exhibiting the net probability of attack being greater than the net probability threshold; identifying a source address (SA) sending traffic to the candidate node; applying the mitigation action to a respective individual flow associated with the SA, wherein the mitigation action is applied to all packets of the respective individual flow.
23 . The method of claim 22 , wherein applying the mitigation action comprises:
determining whether the SA is a legitimate or spoofed SA; and in an event the SA is the spoofed SA, transmitting an alert to an external server and recording details associated with the spoofed SA to trace origin.
24 . The method of claim 22 , wherein applying the mitigation action comprises:
determining whether the SA is a legitimate or spoofed SA; in an event the SA is the legitimate SA, forwarding traffic from the SA; in an event the SA is the spoofed SA, dropping the respective individual flow.
25 . The method of claim 22 , wherein the candidate node is identified by a Destination Address (DA).
26 . The method of claim 21 , wherein computing the net probability of attack comprises:
computing at least two individual probabilities of attack by applying at least two algorithms to the plurality of aggregate records; and computing the net probability of attack as a function of the at least two individual probabilities of attack.
27 . The method of claim 26 , wherein computing the at least two individual probabilities comprises assigning a weight to each algorithm of said at least two algorithms.
28 . The method of claim 27 , wherein the weight is based on a false positive rate associated with each algorithm of said at least two algorithms.
29 . The method of claim 21 , wherein the cumulative statistics are based on any of a Source Address (SA), a Destination Address (DA), a protocol, or a combination of fields from a packet header associated with each of plurality of flows.
30 . A system, comprising:
a processor; a memory operatively coupled to the processor; a packet processing module operatively coupled to the processor and the memory, and configured to: based on a monitoring of a plurality of flows traveling through a network, generate a plurality of flow state records corresponding to the plurality of flows, wherein an individual flow of the plurality of flows is a stream of packets having a same protocol, wherein an individual flow state record of the plurality of flow state records includes flow state information associated with the individual flow; and generate a plurality of aggregate records based on cumulative statistics associated with the plurality of flow state records; a bulk statistics record (BSR) module operatively coupled to the processor and the memory, and configured to: compute a net probability of attack based on an analysis of the plurality of aggregate records to detect traffic anomaly associated with the network; and in an event the net probability of attack is greater than a net probability threshold, initiating a mitigation action for mitigating the traffic anomaly.
31 . The system of claim 30 , wherein the memory is configured to store the plurality of flow state records and the plurality of aggregate records generated by the packet processing module.
32 . The system of claim 31 , wherein the packet processing module is further configured to update the plurality of flow state records and the plurality of aggregate records stored in the memory.
33 . The system of claim 30 ,
wherein the packet processing module is further configured to export a plurality of samples associated with each individual flow of the plurality of flows to the BSR module for use in detecting the anomaly traffic; wherein the plurality of samples includes a first sample, a second sample, and a third sample, the first sample including flow state information associated with a first packet of each individual flow, the second sample including flow state information associated with an Nth packet of each individual flow, and the third sample including flow state information associated with an ending packet of each individual flow.
34 . The system of claim 33 , wherein the plurality of samples are exported to the BSR module periodically.
35 . The system of claim 30 , wherein the BSR module is further configured to update the plurality of flow state records based on said monitoring of the plurality of flows.
36 . The system of claim 30 , wherein the flow state information comprises any of forwarding information, Quality of Service (QoS) information, application specific information, traffic type information, traffic rate information, application information, or service needs information.
37 . The system of claim 30 , wherein the mitigation action applied is based on whether the traffic anomaly is from a legitimate address or a spoofed address.
38 . The system of claim 30 , further comprising:
a global detection and mitigation module configured to: monitor flow data in a network, the network including a set of destination addresses (DAs); receive the plurality of aggregate records from the BSR module and other plurality of aggregate records from other BSR modules; correlate the plurality of aggregate records and said other plurality of aggregate records to a destination address; and applying a global mitigation action to the destination address without impeding activity to other destination addresses of the network.
39 . A non-transitory computer readable medium including instructions for executing a process, the instructions comprising:
instructions for, based on a monitoring of a plurality of flows traversing through a network, generating a plurality of flow state records corresponding to the plurality of flows, wherein an individual flow of the plurality of flows is a stream of packets having a same protocol, wherein an individual flow state record of the plurality of flow state records includes flow state information associated with the individual flow; instructions for generating a plurality of aggregate records based on cumulative statistics associated with the plurality of flow state records; instructions for analyzing the plurality of aggregate records to detect a traffic anomaly associated with the network; and instructions for, in an event the traffic anomaly is detected, identifying, within the network, a candidate node having the traffic anomaly based on a particular aggregate record associated with the candidate node, the particular aggregate record exhibiting the net probability of attack being greater than the net probability threshold; identifying a list of source addresses (SAs) sending traffic to the candidate node; and applying the mitigation action to a subset of flows, of the plurality of flows, that are associated with the list of SAs, wherein the mitigation action is applied to all packets of each individual flow of the subset of flows.
40 . The non-transitory computer readable medium of claim 39 , further comprising:
instructions for exporting a periodic report including the plurality of aggregate records and the plurality of flow records to a global detection and mitigation module for further analysis.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.