US20020032793A1 - Method and system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic - Google Patents


Info

Publication number: US20020032793A1
Application number: US09/855,810
Authority: US (United States)
Legal status: Abandoned
Prior art keywords: network, statistics, traffic, undesirable, computer network
Inventors: Gerald Malan, Farnam Jahanian
Original assignee: University of Michigan
Current assignee: University of Michigan
Application filed by University of Michigan; priority claimed to US09/855,810.
Assigned to The Regents of the University of Michigan (assignors: Farnam Jahanian, Gerald R. Malan).
Confirmatory license granted to the United States Air Force (assignor: University of Michigan).

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/12 Discovery or management of network topologies
            • H04L 41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
            • H04L 41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
          • H04L 43/00 Arrangements for monitoring or testing data switching networks
            • H04L 43/02 Capturing of monitoring data
              • H04L 43/022 Capturing of monitoring data by sampling
              • H04L 43/026 Capturing of monitoring data using flow identification
            • H04L 43/06 Generation of reports
              • H04L 43/062 Generation of reports related to network traffic
            • H04L 43/16 Threshold monitoring
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
              • H04L 63/1441 Countermeasures against malicious traffic
                • H04L 63/1458 Denial of Service
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/2866 Architectures; Arrangements
              • H04L 67/30 Profiles
          • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/30 Definitions, standards or architectural aspects of layered protocol stacks
              • H04L 69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
                • H04L 69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
                  • H04L 69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
          • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
            • H04L 2463/141 Denial of service attacks against endpoints in a network
            • H04L 2463/146 Tracing the source of attacks

Definitions

  • This invention relates to methods and systems for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic.
  • The Internet security software market consists of applications and tools in four submarkets: firewall software; encryption software; antivirus software; and authentication, authorization and administration software.
  • There are also a number of emerging security submarkets, such as virtual private networks (VPNs), intrusion detection, public key infrastructure and certificate authority (PKI/CA), and firewall appliances.
  • Network-based intrusion detection systems are based on passive packet capture at a single point in the network. Such systems do not provide any information as to the source of the attack.
  • A firewall is a system for keeping a network secure. It can be implemented in a single router that filters out unwanted packets, or it may use a combination of technologies in routers and hosts. Firewalls are widely used to give users access to the Internet in a secure fashion as well as to separate a company's public Web server from its internal network. They are also used to keep internal network segments secure; for example, a research or accounting subnet might be vulnerable to snooping from within.
  • Packet filter: blocks traffic based on IP address and/or port numbers. Also known as a “screening router.”
  • Proxy server: serves as a relay between two networks, breaking the connection between the two. Also typically caches Web pages.
  • NAT: Network Address Translation.
  • A denial of service attack is an assault on a network that floods it with so many additional service requests that regular traffic is either slowed or completely interrupted. Unlike a virus or worm, which can cause severe damage to databases, a denial of service attack interrupts service for some period.
  • An example includes a client fetching pages from an HTTP server for the sole purpose of utilizing the server's inbound or outbound bandwidth.
  • Another example is a malicious client setting up streaming media connections for the purpose of exhausting a server's connections and bandwidth.
  • U.S. Pat. No. 4,817,080 to Soha discloses a system that measures traffic statistics by looking at packet contents. The system collects distributed measurements and forwards them to a centralized point.
  • U.S. Pat. No. 5,781,534 to Perlman et al. discloses apparatus for determining characteristics of a path by utilizing active probing along a network path to determine its characteristics. These characteristics are added to the packet as it traverses the network.
  • U.S. Pat. No. 5,968,176 to Nessett et al. discloses a system that utilizes many network elements to provide an umbrella countermeasure.
  • U.S. Pat. No. 5,991,881 to Conklin et al. discloses a system which flags intrusions and updates the status of the intruder's progress. This system only stores the packets with the source address of the attacker.
  • U.S. Pat. No. 6,078,953 to Vaid et al. discloses a system which classifies packets at the border of the network to provide quality of service. It polices traffic at the edge of the network.
  • U.S. Pat. No. 6,088,804 to Hill et al. discloses a system which correlates distributed attacks to build a path of the attack through the network.
  • That system uses a training signature for attack identification. That is, the system is trained on attacks, and then compares current activity to this known misuse.
  • U.S. Pat. No. 6,134,662 to Levy et al. discloses a physical layer security manager for memory-mapped serial communications interface.
  • An object of the present invention is to provide a method and system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic.
  • A method for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic includes collecting statistics at a plurality of measurement points located within the forwarding infrastructure of the computer network. The method also includes analyzing the statistics to reconstruct the path taken by the undesirable network traffic through the network from the source of the traffic.
  • The method may further include blocking undesirable network traffic within the computer network upstream of the measurement points, based on the reconstructed path.
  • The forwarding infrastructure may include at least one router.
  • The statistics may include flow-based statistics, which provide information related to the same logical traffic flow.
  • The statistics may also include packet statistics, which provide information about a set of packets entering the forwarding infrastructure.
  • The method may further include requesting and receiving upstream statistics from forwarding infrastructure of the computer network upstream of the measurement points, in which case the step of analyzing includes analyzing the upstream statistics to reconstruct the path taken by the undesirable network traffic.
  • The step of analyzing may include extracting profiles from the statistics collected at the plurality of measurement points and comparing the profiles to reconstruct the path taken by the undesirable network traffic.
  • The computer network may be the Internet.
  • A system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic includes collectors for collecting statistics at a plurality of measurement points located within the forwarding infrastructure of the computer network.
  • The system also includes at least one controller in communication with the collectors for analyzing the statistics to reconstruct the path taken by the undesirable network traffic through the network from the source of the traffic.
  • The system may further include means in communication with the at least one controller for blocking undesirable network traffic within the computer network upstream of the measurement points, based on the reconstructed path.
  • The system may further include means for requesting and receiving upstream statistics from forwarding infrastructure of the computer network upstream of the measurement points, in which case the at least one controller analyzes the upstream statistics to reconstruct the path taken by the undesirable network traffic.
  • The controller may extract profiles from the statistics collected at the plurality of measurement points and compare the profiles to reconstruct the path taken by the undesirable network traffic.
  • The undesirable network traffic may include denial of service attacks, and the computer network may include a plurality of service provider networks.
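The collect-then-analyze method summarized above, worked through as an added example that is not part of the patent: per-router flow records are summed per ingress interface, and the path is rebuilt by walking upstream from the victim's router, following at each hop every interface whose volume toward the victim exceeds a multiple of its baseline, so a distributed attack yields one path per ingress point. The topology, flow records, baseline and the 5x threshold are constructed assumptions; a deployment would take them from the routers' flow exports and the topology information the text describes.

```python
"""Added example, not from the patent: reconstruct the path of a flood from
per-router flow statistics by walking upstream from the victim one hop at a
time. Topology, flow records and baselines below are all constructed."""
from collections import defaultdict
from typing import NamedTuple


class FlowRecord(NamedTuple):
    router: str      # measurement point that exported the record
    in_iface: str    # interface the packets arrived on
    dst: str         # destination address (the victim)
    packets: int


# Constructed topology: (router, ingress interface) -> upstream router feeding
# that interface; None marks a network edge, where the trace stops.
TOPOLOGY = {
    ("R_victim", "ge0"): "R2", ("R_victim", "ge1"): "R3",
    ("R2", "ge0"): "R4",       ("R2", "ge1"): None,
    ("R3", "ge0"): None,
    ("R4", "ge0"): None,       ("R4", "ge1"): None,
}

# Constructed "normal" packets per interface toward the victim in one window.
BASELINE = {k: 10 for k in TOPOLOGY}

# Constructed flow records for one sampling window during a two-source flood.
SAMPLE_RECORDS = [
    FlowRecord("R_victim", "ge0", "10.0.0.5", 5000),
    FlowRecord("R_victim", "ge1", "10.0.0.5", 3000),
    FlowRecord("R2", "ge0", "10.0.0.5", 5000),
    FlowRecord("R2", "ge1", "10.0.0.5", 12),     # ordinary customer traffic
    FlowRecord("R4", "ge0", "10.0.0.5", 5000),
    FlowRecord("R4", "ge1", "10.0.0.5", 8),
    FlowRecord("R3", "ge0", "10.0.0.5", 3000),
    FlowRecord("R3", "ge0", "10.0.0.9", 7000),   # other destination: ignored
]


def per_interface_volume(records, dst):
    """Sum packets toward dst for each (router, in_iface) measurement point."""
    vol = defaultdict(int)
    for r in records:
        if r.dst == dst:
            vol[(r.router, r.in_iface)] += r.packets
    return vol


def _walk(vol, router, topology, baseline, factor, seen):
    """Return every anomalous path from router toward the network edge(s)."""
    seen = seen | {router}
    anomalous = sorted(
        (k for k, v in vol.items()
         if k[0] == router and v > factor * baseline.get(k, 0)),
        key=lambda k: -vol[k])
    if not anomalous:
        return [[]]                 # dead end: caller keeps its path so far
    paths = []
    for hop in anomalous:
        upstream = topology.get(hop)
        if upstream is None or upstream in seen:   # edge reached, or a loop
            paths.append([hop])
        else:
            for tail in _walk(vol, upstream, topology, baseline, factor, seen):
                paths.append([hop] + tail)
    return paths


def reconstruct_paths(records, dst, victim_router, topology, baseline, factor=5.0):
    """Each returned path lists (router, ingress interface) hops from the
    victim's router to where the flood entered the monitored network."""
    vol = per_interface_volume(records, dst)
    return [p for p in _walk(vol, victim_router, topology, baseline, factor, frozenset()) if p]


def trace_attack():
    return reconstruct_paths(SAMPLE_RECORDS, "10.0.0.5", "R_victim", TOPOLOGY, BASELINE)


if __name__ == "__main__":
    for path in trace_attack():
        print(" <- ".join(f"{r}:{i}" for r, i in path))
```

The last hop of each path is the ingress interface at which a block or rate limit would be installed, which is the "upstream of the measurement points" step the summary describes.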
  • FIG. 1 is a schematic view of a denial of service scrubber (DoS scrubber) positioned to protect publicly accessible network computer services such as an Internet service;
  • FIG. 2 is a schematic view of the DoS scrubber architecture;
  • FIG. 3a is a schematic view illustrating single link flow measurements as a type of flow statistic extraction;
  • FIG. 3b is a schematic view illustrating switching point measurements as a type of flow statistic extraction;
  • FIG. 4 is a schematic view illustrating a cross-product space for a hierarchical network profiler, with incoming flows on the left and outgoing flows on the right;
  • FIG. 5 is a schematic block diagram flow chart which provides an operational description of the hierarchical network profiler;
  • FIG. 6 is a schematic view illustrating an example use of a denial of service tracker;
  • FIG. 7 is a schematic view of the architecture of a denial of service tracker;
  • FIG. 8 is a schematic view of a distributed architecture for global detection and traceback of denial of service attacks;
  • FIG. 9 is a schematic block diagram flow chart illustrating an intra-zone denial of service anomaly detector;
  • FIG. 10 is a schematic view illustrating back-tracking a forged packet source;
  • FIG. 11 is a schematic view illustrating a storm tracker which backtracks an attack to its source;
  • FIG. 12 is a schematic view illustrating a storm breaker blocking an attack;
  • FIG. 13 is a schematic view illustrating attack and anomaly detection;
  • FIG. 14 is a schematic view illustrating backtracking a forged traffic source; and
  • FIG. 15 is a schematic view illustrating blocking DoS traffic.
  • The present invention provides a method and system for protecting publicly accessible network computer services from undesirable network traffic in real time. It is useful within a larger system which combats denial of service attacks without requiring any changes to the existing Internet routing infrastructure.
  • This larger system combines network topology information and coarse-grained traffic statistics from routers to detect, backtrack, and filter distributed attacks on enterprise networks and websites. It exploits information the routers already export, without requiring any changes to the existing Internet routing infrastructure.
  • The larger system, as well as the present invention, works with the existing routing infrastructure deployed at Internet service providers, application service providers, and enterprise networks.
  • The method and system are enabled by functionality that the major routing vendors have put into their latest products.
  • The larger system includes a number of complementary components, as follows:
  • StormProfiler: a set of data mining and network profiling techniques that are used to define “normal” traffic patterns and set dynamic thresholds that are continually monitored for early detection and notification.
  • StormDetector: a new process for real-time monitoring, detection, and notification of denial of service attacks and network anomalies. Continuous or periodic sampling is employed for collecting network statistics and extracting network topology information from routers.
  • StormTracker: a new protocol for correlating anomalous distributed events that enables tracking a denial of service attack back to its source.
  • The method and system of the invention use Internet routing data in conjunction with passive traffic data to identify application-level denial of service attacks.
  • A server's request stream, such as a web server's logs, is monitored to build a profile of requests from each topologically clustered set of machines in the Internet. These clusters are identified by their administrative domain, which is inferred by examining the Internet's BGP routing tables from several points in the Internet. By generating the server's request profiles for sets of clusters in the Internet, malicious hosts that are launching application-level denial of service attacks can be detected. While this clustering technique has been used in the past for identifying appropriate web caches to minimize web fetch latency, it has not been applied to detecting denial of service attacks.
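The request-stream clustering described in the preceding bullet, as an added example that is not from the patent: client addresses in web-server log lines are mapped by longest-prefix match to the BGP prefix (and origin AS) that covers them, requests are counted per cluster, and a cluster is flagged when its count exceeds a multiple of its trained baseline. The BGP table excerpt, the log lines, the baseline and the 5x factor are constructed; a deployment would take the table from several route-view vantage points, as the text says, and the baseline from a training window.

```python
"""Added example, not from the patent: cluster a web server's clients by the
BGP prefix (administrative domain) covering them, profile requests per
cluster, and flag clusters whose request count departs from a baseline.
Routing table, log lines and baseline are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed excerpt of a BGP table: prefix -> origin AS.
BGP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("198.51.100.128/25"): 64502,   # more specific route
    ipaddress.ip_network("192.0.2.0/24"): 64503,
}


def origin_cluster(ip):
    """Longest-prefix match: the most specific covering prefix is the cluster."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in BGP_TABLE:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return (str(best), BGP_TABLE[best]) if best else ("unrouted", None)


# Constructed Common Log Format lines: a little normal traffic, then a flood
# of large fetches from many hosts spread across one /25.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '203.0.113.9 - - [10/Oct/2000:13:55:37 -0700] "GET /about.html HTTP/1.0" 200 512',
    '192.0.2.44 - - [10/Oct/2000:13:55:38 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '198.51.100.20 - - [10/Oct/2000:13:55:39 -0700] "GET /index.html HTTP/1.0" 200 2326',
] + [
    f'198.51.100.{128 + i % 100} - - [10/Oct/2000:13:55:40 -0700] '
    f'"GET /big.iso HTTP/1.0" 200 734003200'
    for i in range(60)
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')


def cluster_profile(lines):
    """Aggregate request count and reply bytes per administrative-domain cluster."""
    reqs, reply_bytes = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not CLF
        cluster = origin_cluster(m.group(1))
        reqs[cluster] += 1
        reply_bytes[cluster] += 0 if m.group(5) == "-" else int(m.group(5))
    return reqs, reply_bytes


# Constructed baseline from a training window: expected requests per cluster.
BASELINE_REQS = {
    ("203.0.113.0/24", 64500): 5,
    ("198.51.100.0/24", 64501): 4,
    ("198.51.100.128/25", 64502): 3,
    ("192.0.2.0/24", 64503): 2,
}


def anomalous_clusters(reqs, baseline, factor=5.0, floor=1):
    """Clusters whose request count exceeds factor * baseline. Clusters never
    seen in training use `floor`, so a new /24 sending a few requests passes."""
    return sorted((c for c, n in reqs.items() if n > factor * baseline.get(c, floor)), key=str)


def detect():
    reqs, _ = cluster_profile(LOG_LINES)
    return anomalous_clusters(reqs, BASELINE_REQS)


if __name__ == "__main__":
    print(detect())
```

Clustering by prefix is what makes the flood visible: each of the 60 attacking hosts sends one request, which no per-host threshold would catch, while the /25 they share is twenty times over its baseline.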
  • A denial of service scrubber (DoS scrubber) is an actively interposed network element or system that removes denial of service attacks from legitimate network traffic in real time.
  • The denial of service scrubber removes a new type of denial of service traffic from publicly accessible Internet services.
  • The DoS scrubber removes denial of service attacks on publicly accessible Internet services. Moreover, it uses data mining techniques to remove a class of previously unidentifiable denial of service attacks. This new class of attacks appears to the service as legitimate service requests; however, these requests are generated by a malicious agent with the sole purpose of denying resources to the servicing of legitimate requests.
  • FIG. 1 shows an example use of the DoS scrubber. It depicts a network server providing a publicly accessible service, a public Web server for example.
  • The DoS scrubber is interposed between the server and the Internet. As such, it sees all the traffic that passes between the server and its remote clients.
  • On a public server, both legitimate and malicious users have equal access to its resources.
  • The DoS scrubber can identify malicious users of the service and either filter them completely or throttle back their access.
  • Protecting Web (Hypertext Transfer Protocol, or HTTP) services is one specific application of the DoS scrubber.
  • The scrubber leverages the fact that HTTP is layered on top of the TCP transport protocol. An established TCP session cannot be blindly spoofed: completing the three-way handshake requires echoing the server's randomly chosen initial sequence number, which an off-path attacker never sees, so the client end of each service request is identified by a source address the client actually controls. Two caveats matter in practice: the guarantee holds only against off-path attackers (a host that can observe the server's SYN-ACK can still complete a handshake with a forged source), and only if the server's initial sequence numbers are actually unpredictable. Hosts that never complete the handshake, as in a SYN flood, are not identified this way and are handled by the separate safeguards described below.
  • For each client, a profile of its requests can be constructed through data mining. This profile can be compared to the normal profile that the scrubber obtains, also through data mining, during a training session. The training can also be updated on-line as the system runs. Clients whose profiles are flagged as anomalous are then candidates for having their subsequent requests attenuated or completely filtered.
  • FIG. 2 denotes the denial of service scrubber's high-level architecture. It comprises two primary components: the forwarding engine and the analysis engine.
  • The forwarding engine (FE) has two main responsibilities: applying filtering and rate limiting to sets of Internet hosts, and generating request statistics.
  • The analysis engine (AE) is responsible for the collection and subsequent data mining of the forwarding engine's statistics. Upon detection of malicious hosts, appropriate actions are fed back from the analysis engine to the forwarding engine for filtering or rate limiting the hosts' requests.
  • The DoS scrubber's forwarding engine serves both as an enforcement mechanism and as a statistics generator.
  • IP: Internet Protocol.
  • As IP packets arrive, the FE determines whether they belong to an existing request or are part of a new request. If the request is new, a variety of safeguards remove many of the common types of denial of service, such as TCP SYN floods. The safeguards also include checking whether the requesting client has been determined malicious by the analysis engine. If so, the request is dealt with in a policy-configured manner. For example, if the service is not overwhelmed, the request may be allowed but throttled back using a custom rate limiter. For packets that are not discarded, statistics are collected and later sent to the analysis engine. Examples of these statistics include:
  • Size: the request's and the subsequent reply's size, both in bytes and in packets.
  • Request payload: the content of the request at the application layer (e.g., the HTTP GET string).
  • Number of fragments: the number of fragments in the request, which can be used to detect some types of malicious use.
  • Number of protocol anomalies: the number of errors in the request's protocols.
  • The analysis engine uses the stream of request statistics as a feed into a data mining system.
  • The system compares the various client request statistics to sets of profiles.
  • The canned profiles represent anomalous behavior at the service level. These canned profiles can be changed through a control interface to match an administrator's specifications.
  • The trained profiles are generated by training on the server's genuine request statistics. Sophisticated denial of service attacks that were previously unidentifiable can be detected by comparing a client's request distribution to those of the profiles.
  • The system differs from firewalls in that it protects publicly accessible services from attack.
  • The system recognizes attacks on edge services and adapts the forwarding rules to remove them from the network.
  • Statistics and data from service requests are sent from the forwarding engine to the analysis engine. These data are then analyzed using data mining techniques to find malicious or anomalous service request patterns.
  • The analysis engine then feeds this information back into the forwarding engine to filter or attenuate access to the public service from these inappropriate sites.
  • The scrubber does not proxy the connections or authenticate access to a service; it forwards statistics from a series of client service requests to be analyzed for attack behavior.
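The forwarding-engine/analysis-engine loop described in the scrubber bullets above, as an added example that is not the patent's code: the FE hands per-request statistics (size, payload, fragment count, protocol anomalies) to the AE, the AE applies a canned profile and marks clients malicious, and the FE enforces the verdict under a load-dependent policy, throttling a flagged client through a token-bucket rate limiter while the service has headroom and dropping its requests once it does not. The thresholds, the token-bucket limiter, the load figure and the sample requests are constructed assumptions; the trained-profile comparison the text also describes is left out here.

```python
"""Added example, not from the patent: a minimal DoS-scrubber loop. The
forwarding engine (FE) collects request statistics, the analysis engine (AE)
flags clients against a canned profile, and the FE enforces the verdict with a
policy that depends on service load. All thresholds and inputs are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RequestStats:
    client: str
    req_bytes: int
    reply_bytes: int
    payload: str          # application-layer request, e.g. the HTTP GET line
    fragments: int
    proto_anomalies: int


# Constructed canned profile: per-client limits that mark service-level abuse.
CANNED_PROFILE = {
    "max_fragments_per_request": 2,
    "max_proto_anomalies_per_window": 3,
    "max_reply_bytes_per_window": 50_000_000,
}


class AnalysisEngine:
    def __init__(self, profile):
        self.profile = profile
        self.window = defaultdict(lambda: {"anomalies": 0, "reply_bytes": 0})
        self.malicious = set()              # verdicts fed back to the FE

    def ingest(self, s):
        """Fold one request's statistics into the client's window; return
        whether the client is now considered malicious."""
        w = self.window[s.client]
        w["anomalies"] += s.proto_anomalies
        w["reply_bytes"] += s.reply_bytes
        p = self.profile
        if (s.fragments > p["max_fragments_per_request"]
                or w["anomalies"] > p["max_proto_anomalies_per_window"]
                or w["reply_bytes"] > p["max_reply_bytes_per_window"]):
            self.malicious.add(s.client)
        return s.client in self.malicious


class TokenBucket:
    """Constructed rate limiter: `rate` tokens per second, up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ForwardingEngine:
    def __init__(self, ae, overload_load=0.8, throttle_rate=1.0):
        self.ae = ae
        self.overload_load = overload_load  # fraction of capacity above which flagged clients are dropped
        self.throttle_rate = throttle_rate  # requests/second allowed to a flagged client
        self.limiters = {}
        self.load = 0.0                     # current service load, set by an external monitor

    def handle(self, s, now):
        """Return 'forward', 'throttle' or 'drop' for one new request."""
        if s.client in self.ae.malicious:
            if self.load >= self.overload_load:
                return "drop"
            tb = self.limiters.setdefault(s.client, TokenBucket(self.throttle_rate, 1))
            if not tb.allow(now):
                return "drop"
            self.ae.ingest(s)               # statistics only for packets not discarded
            return "throttle"
        self.ae.ingest(s)
        return "forward"


def run_scenario():
    """Constructed sequence: one well-behaved client and one whose requests
    arrive in five fragments each."""
    fe = ForwardingEngine(AnalysisEngine(CANNED_PROFILE))
    fe.load = 0.3
    good = RequestStats("203.0.113.7", 300, 2326, "GET /index.html HTTP/1.0", 1, 0)
    bad = RequestStats("198.51.100.200", 1200, 2326, "GET /index.html HTTP/1.0", 5, 0)
    verdicts = [fe.handle(good, now=0.0),   # forward
                fe.handle(bad, now=0.0),    # forward; AE flags the client afterwards
                fe.handle(bad, now=0.1),    # throttle: bucket still holds one token
                fe.handle(bad, now=0.2),    # drop: bucket empty
                fe.handle(bad, now=2.0)]    # throttle: bucket refilled
    fe.load = 0.9
    verdicts += [fe.handle(bad, now=3.0),   # drop: service overloaded
                 fe.handle(good, now=3.0)]  # forward: unflagged client unaffected
    return verdicts
```

The first malicious request is forwarded because the FE only learns of the verdict after the AE has seen the statistics; that one-request lag is inherent to the design the text describes, in which detection runs on statistics rather than on the connection itself.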
  • HNP: Hierarchical Network Profiler.
  • The hierarchical network profiler is a new approach to network traffic profiling. It aggregates network statistics using a novel cross-product of hosts, networks and router interfaces to profile network traffic at a measurement point.
  • The hierarchical network profiler represents a substantial advance in the area of network traffic profiling. This technology identifies gross bandwidth anomalies automatically at any point in a network's routing infrastructure.
  • The goal of network profiling is to construct a model of network traffic.
  • The approach the HNP takes is to model the network at the granularity of network flows.
  • A network flow is defined as “a unidirectional sequence of packets that are collocated within time that have invariant features across all the packets.” These features may include the source and destination addresses, a protocol type, and any application layer port information.
  • An example of an Internet flow is a sequence of packets that all have the same IP source and destination addresses, IP protocol value, and UDP or TCP source and destination ports.
  • FIGS. 3a and 3b show two ways to measure flow statistics in a networking environment: at a single network link (FIG. 3a), and at a multi-link switching point (FIG. 3b).
  • In the single-link case, a measurement device sits on one network link and constructs flow statistics for the underlying network traffic.
  • Switching-point statistics generally require measurement support in the hardware, such as Cisco Systems' NetFlow, or Juniper Networks' Internet Processor II packet sampling together with cflowd.
  • This hardware support typically provides the standard flow invariants described above, in addition to information about the incoming and possibly the outgoing interfaces.
  • The HNP can profile the traffic flows gathered in either of these manners.
  • The HNP automatically adjusts to its position in the network by identifying the typical traffic source and destination pairs for flows that transit the measurement point (e.g., a router).
  • The diagram in FIG. 4 illustrates the possibilities for cross-products of incoming and outgoing endpoints for transit flows.
  • When hosts are aggregated into network blocks, such as CIDR blocks, fewer endpoint statistics are required. These are represented by the middle block of endpoints in FIG. 4.
  • The router's interfaces are the highest level of aggregation, and the least specific.
  • The HNP adjusts the amount of aggregation that it keeps on each interface depending on the level of diversity the flow endpoints exhibit along that interface.
  • This diversity grows with the distance from the measurement interface to the endpoints. For example, a router close to a set of enterprise hosts can maintain flow statistics about each host (a host being one of a flow's endpoints) because the number of hosts is not prohibitive. However, the other endpoint of those flows may be very far from this router, so for that side the HNP may keep only a profile of its measurement interface.
  • This example illustrates the general application of the HNP: the HNP keeps a profile for the cross-product of the flows that traverse it. In this example, it may keep the cross-product A × D for flows destined for the Internet from this set of hosts.
  • FIG. 5 represents the algorithm for the Hierarchical Network Profiler (HNP).
  • The HNP receives network flow statistics from the network-forwarding infrastructure. These statistics are summaries of network traffic that the HNP uses to build its profile.
  • After receiving a set of flow summaries (or records), the HNP iterates over each flow record. It first determines whether it is interested in the record, that is, whether a profile is maintained for either the flow's source or destination aggregate. If so, the HNP updates the source and destination profiles with the flow's statistics.
  • The HNP then checks whether the memory and user-defined requirements are still met. If not, the aggregation level of the profiles is raised until they are. Once the requirements are met, the HNP inserts the statistics into the sample profile. The system then checks whether a sampling window has been crossed. When this occurs, the HNP writes the oldest profile to persistent storage and initializes a new profile; otherwise the new samples are added to the existing profiles. After the iteration over the flow statistics has completed, the system goes back to query for further flow statistics and begins the process over again.
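The FIG. 5 loop described above, as an added example that is not the patent's code: each flow is keyed by a (source, destination) cross-product at one of three aggregation levels (host, /24 block, interface), the profile is re-keyed one level coarser on the more diverse side whenever it outgrows a memory budget, and the open profile is written to storage when the sampling window is crossed. The three levels, the coarsening rule, the 16-entry budget, the 60 s window and the flow records are constructed choices; the patent describes the adjustment but not these specifics.

```python
"""Added example, not from the patent: a hierarchical network profiler that
keys transit flows by a source x destination cross-product and coarsens the
aggregation level under a memory budget. Levels, policy and data are constructed."""
import ipaddress
from collections import Counter
from typing import NamedTuple

LEVELS = ("host", "net24", "iface")   # most to least specific


class Flow(NamedTuple):
    src: str
    dst: str
    in_iface: str
    out_iface: str
    octets: int
    ts: float                         # export timestamp, seconds


def aggregate(addr, iface, level):
    """Map one flow endpoint to its key at the given aggregation level."""
    if level == "host":
        return addr
    if level == "net24":
        return str(ipaddress.ip_network(f"{addr}/24", strict=False))
    return iface


class HierarchicalProfiler:
    def __init__(self, max_entries, window_secs, monitored_ifaces):
        self.max_entries = max_entries
        self.window_secs = window_secs
        self.monitored = set(monitored_ifaces)
        self.src_level = self.dst_level = 0   # indexes into LEVELS; kept across windows
        self.profile = Counter()              # (src_key, dst_key) -> octets
        self.records = []                     # raw flows of the open window, for re-keying
        self.window_start = None
        self.storage = []                     # closed windows: (start, src_level, dst_level, profile)

    def levels(self):
        return LEVELS[self.src_level], LEVELS[self.dst_level]

    def _key(self, f):
        s, d = self.levels()
        return aggregate(f.src, f.in_iface, s), aggregate(f.dst, f.out_iface, d)

    def _coarsen(self):
        """Raise the aggregation level of the more diverse side by one step and
        re-key the open window. Returns False when nothing can be coarsened."""
        src_div = len({k[0] for k in self.profile})
        dst_div = len({k[1] for k in self.profile})
        if dst_div >= src_div and self.dst_level < len(LEVELS) - 1:
            self.dst_level += 1
        elif self.src_level < len(LEVELS) - 1:
            self.src_level += 1
        else:
            return False
        self.profile = Counter()
        for f in self.records:
            self.profile[self._key(f)] += f.octets
        return True

    def _rotate(self, ts):
        """Write the finished window to storage and start a new one."""
        self.storage.append((self.window_start, *self.levels(), dict(self.profile)))
        self.profile, self.records, self.window_start = Counter(), [], ts

    def ingest(self, f):
        if f.in_iface not in self.monitored and f.out_iface not in self.monitored:
            return                                      # not a flow we profile
        if self.window_start is None:
            self.window_start = f.ts
        elif f.ts - self.window_start >= self.window_secs:
            self._rotate(f.ts)
        self.records.append(f)
        self.profile[self._key(f)] += f.octets
        while len(self.profile) > self.max_entries and self._coarsen():
            pass                                        # keep coarsening until within budget


def build_profile():
    """Constructed scenario: 5 enterprise hosts behind ge0 fetch from 40 Internet
    destinations in 40 different /24s via ge1; the profile may hold 16 entries."""
    hnp = HierarchicalProfiler(max_entries=16, window_secs=60, monitored_ifaces={"ge0", "ge1"})
    for i in range(40):
        hnp.ingest(Flow(f"10.1.1.{i % 5 + 1}", f"203.0.{i}.10", "ge0", "ge1", 1000, float(i)))
    hnp.ingest(Flow("192.0.2.1", "192.0.2.2", "ge7", "ge8", 500, 45.0))    # unmonitored, skipped
    hnp.ingest(Flow("10.1.1.1", "203.0.99.10", "ge0", "ge1", 1000, 70.0))  # crosses the window
    return hnp
```

The scenario ends at the cross-product the text's example predicts: the near side stays at host granularity because five hosts fit the budget, while the far side, with forty destinations in forty different /24s, is coarsened twice until it is keyed by the outgoing interface alone.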
  • The HNP takes many available parameters into consideration when constructing a traffic profile: temporal parameters, static network parameters, and dynamic routing parameters.
  • Temporal parameters are important to discern differences in traffic behavior. The most important temporal properties are time of day, day of the week, day of the month, and holidays.
  • The HNP uses static network parameters to gauge the importance of downstream hosts and networks for aggregation purposes.
  • Dynamic routing information can be used as an input parameter to the HNP. Together, dynamic routing and topology information form a powerful mechanism for identifying salient network flow characteristics.
  • The HNP is very good at detecting gross anomalies in network behavior between network endpoints. These types of anomalies are the exact signatures left in the wake of denial of service attacks. As such, the HNP provides a basis for detecting denial of service attacks.
  • The HNP can also be used for capacity planning and traffic characterization.
  • The Hierarchical Network Profiler differs from past attempts to profile network traffic in two ways. First, it uses the network flow statistics available both from the routing infrastructure and from single-link measurement infrastructure. Second, it profiles network traffic in proportion to its distance from either the source or the destination. The HNP can profile the network with more accuracy than traditional approaches by leveraging flow statistics collected directly at the router.
  • The second innovation in the HNP is its notion of hierarchy, or distance from a packet's source or destination, when constructing a profile.
  • The HNP constructs traffic profiles differently depending on where the measurements are collected. Specifically, it keeps track of more information about the flows the closer the measurements are collected to the underlying flows' endpoints. This approach to profiling allows the HNP to generate useful network profiles at any point in the Internet.
  • StormProfiler represents a substantial advance in the area of network traffic profiling. This technology allows network provider and enterprise managers to identify gross bandwidth anomalies automatically at any point in their routing infrastructure. Not coincidentally, these types of anomalies are the exact signatures left in the wake of denial of service attacks.
  • StormProfiler differs from past attempts to profile network traffic in two ways. First, it uses the network flow statistics available from the routing infrastructure. Second, it profiles network traffic at a router in proportion to its distance from either the source or the destination.
  • StormProfiler can profile the network with more accuracy than traditional approaches by leveraging flow statistics collected directly at the router. Past profiling attempts have focused on placing passive measurement devices at points in the network. These only allow measuring the traffic on a specific link between two routers. In contrast, by profiling directly at the routers, StormProfiler can determine how specific traffic is typically routed. An analogy would be hiring someone to sit by the side of a road and count how many cars are going in one direction; this is the old approach to profiling. In the same analogy, StormProfiler sits instead at an intersection and can tell you how many cars from each direction went down which fork. Clearly, you know much more about your traffic patterns from studying the behavior at the intersection (the router). In this manner, StormProfiler builds a model over time of how much traffic is routed from one point to another at a specific Internet intersection. This profile has several uses; the foremost for our purpose is denial of service detection.
  • the second innovation in the StormProfiler is its notion of hierarchy—or distance from a packet's source or destination—when constructing a profile.
  • the StormProfiler constructs traffic profiles differently, depending on where the router is in the network. Specifically, the closer the router is to a flow's source (or destination), the more information it keeps about that flow. This novel approach to profiling allows StormProfiler to scale to any point in the Internet.
  • the denial of service detector and tracker is a system that detects and backtraces Internet denial of service attacks using packet and flow statistics gathered directly from the Internet routing and forwarding infrastructure.
  • the denial of service tracker is a system that detects, backtraces and blocks Internet denial of service attacks. It works by gathering packet and flow statistics directly from the Internet routing and forwarding infrastructure—hereafter called the forwarding infrastructure. By collecting flow statistics directly from the forwarding infrastructure, the DoS tracker is able to trace DoS attacks that are untraceable by prior art. Specifically, the DoS tracker can pinpoint the origin of Internet denial of service attacks that are launched with forged source addresses.
  • the DoS tracker specifically tracks flood-based denial of service attacks. These types of attacks attempt to overwhelm either network or end-host resources by generating a stream of packets either directly or indirectly destined for a target.
  • FIG. 6 shows an example denial of service attack that can be tracked through a sample network. The path of the attack traffic goes through Router-A, Router-B, and Router-C. The most insidious types of attacks hide their origin by forging the source Internet Protocol (IP) address on the attack packets. The problem this causes for administrators and security officers is that when the target discovers itself under attack, it cannot determine the attack's origin, making it impossible to shut the attack down.
  • FIG. 7 illustrates the DoS tracker's overall architecture. It is comprised of a two-stage hierarchy: collectors and controllers.
  • the collectors interface with the forwarding infrastructure; they collect the statistics and report those findings to the controllers.
  • the controllers analyze the statistics, looking for denial of service attacks and tracking them to their source.
  • the DoS tracker's collector takes samples of statistics from the forwarding infrastructure.
  • the DoS tracker utilizes two types of statistics that routers may collect on our behalf: single packet statistics, and flow-based statistics.
  • Single packet statistics are those that provide essential information about a set of packets entering a forwarding node—a router. Some of the statistics kept include: destination and source IP addresses, incoming interface, protocol, ports, and length. After collection, these single packet statistics can be collected from the router for analysis. Juniper Network's packet sampling technology is an example of single packet statistic support in the infrastructure.
  • Flow-based statistics are statistics that describe a set of packets that are related to the same logical traffic flow.
  • the concept of flow is generally defined as a stream of packets that all have the same characteristics: source address, destination address, protocol type, source port, and destination port. They may be either unidirectional or bidirectional.
  • Flow statistics aggregate a flow's individual packet statistics into a single statistic. Examples include a flow's duration, number of packets, mean bytes per packet, etc. Cisco System's Netflow and Juniper Network's Cflowd mechanism are widely deployed flow-based statistic packages.
  • With directed tracing, one utilizes the knowledge of network topology to work backward toward the source of the attack. With distributed correlation, the controller compares the attack signature with those discovered at other nodes in the topology. Attacks that correlate strongly are associated together and implicitly form the path from the source to the target. Directed tracing relies on the fact that one has both the router's incoming interface statistic for an attack and the knowledge of the topology to determine what routers are upstream on that link. With this knowledge, upstream routers can then be queried for their participation in transiting the attack. It is useful to note that since these upstream routers are looking for a specific attack signature, it is much easier to find the statistics of merit. This contrasts with the distributed correlation approach where a general attack profile is extracted from every router's statistics to uncover the global path for the attack.
  • the DoS tracker blocks denial of service attacks as close to their source as possible.
  • DoS tracker is able to coordinate both the routing infrastructure's ability to filter certain types of traffic in conjunction with custom filtering hardware that can be incrementally deployed in the network.
  • For example, Juniper's Internet Processor II and Cisco's ACL CAR can be utilized to download coarse-grained filters that will remove unwanted DoS attacks in realtime.
  • the DoS blocker can be used as a way to filter at a fine-grain at high speeds in any networking environment, regardless of the routing infrastructure's implementation.
  • the DoS blocker is simply a configurable network filter. The blocker, due to its simplicity of design, is very scalable.
  • the DoS tracker approach differs from conventional network-based intrusion detection (NID) in that it uses statistics from the networking infrastructure itself in contrast to prior art.
  • Prior art in NID systems uses passive measurement techniques at a single point in the network to acquire statistics. These point probes don't provide any information about the source of a forged attack and are therefore useless for tracing denial of service attacks back to their source.
  • NID systems are single point measurement systems that have very little support for multi-node measurement correlation or cooperation and are unable to scale to service provider networks.
  • Cisco System's Netflow flow statistics have not been used for tracking network attacks. They have only been used for access control and traffic billing. Moreover, we have automated a way of polling the Netflow cache in contrast to the continuous mode of Netflow operation used by most products.
  • Juniper's packet sampling technology and Cflowd mechanism have not been used for tracing attacks.
  • Another novel feature of the present approach is the filtering of denial of service attacks upstream in the Internet.
  • Current practice is for a target of an attack to stop DoS attacks at their firewall or border router.
  • the present invention differs in that it communicates with the networks and routers along the path back toward the attacker. When this path is identified, the system can filter the attack as close to its source as possible.
  • FIG. 8 provides a graphical overview of how a portion of the Internet—consisting, in this example, of three Autonomous Systems (ASes)—could be organized.
  • the figure shows how the size of the autonomous system can be accommodated by increasing the corresponding number of zones.
  • a base zone is a zone that consists purely of a set of routers. These routers all reside within the same AS.
  • the local detection and tracing system described above corresponds to the detection and tracing system for a base zone.
  • Higher level zones, or aggregate zones can be constructed from sets of base and other aggregate zones. In general, a single zone will not span multiple autonomous systems, but this is not strict.
  • Zones within an autonomous system are configured—a local-AS configuration—to communicate with each other. Since they reside within the same administrative entity, their neighbor parameters can be set specifically. When crossing autonomous systems between AS peers, neighboring zones can also be set according to policy and topology constraints—a peer-AS configuration.
  • a resource discovery algorithm is used to determine the closest neighboring zones through the chain of non-participating peering ASes.
  • the zones operate autonomously, and share information about both local and remote attacks using the Anomaly Description Protocol.
  • When attacks are detected locally, a zone will propagate the attack to its neighbors using the ADP. This propagation includes the attack's signature which can be used for both detection and blocking.
  • ADP messages are therefore constrained to their appropriate portion of the Internet, allowing for scalability.
  • the ADP attempts to aggregate attack information so that multiple attacks described by the same aggregate profile result in a single ADP entry.
  • the StormDetector is a mechanism for identifying denial of service attacks within an ISP, a Web hosting service, or an enterprise network. It combines a network's dynamic profile—generated by the StormProfiler described hereinbelow—with internal static signatures of denial of service attacks to instantly identify malicious traffic. This technology utilizes custom algorithms to identify denial of service attacks in the reams of incoming traffic flow statistics gathered from the routing infrastructure.
  • FIG. 10 demonstrates the utility of the StormDetector system.
  • a host in ISP-A is bombarding a target server in the Web hosting service with a denial of service attack.
  • the attacker is forging the return address on the packets in the attack, making it impossible to determine their true origin.
  • the StormDetector's analysis engine receives flow statistics from the routers in the target's hosting service. From these statistics, it can detect the attack at some set of the affected routers along its path. This path leads directly from the target to ISP-A's border, where the attack originates.
  • This example demonstrates the utility of the StormDetector deployed within a Web hosting service's network. It can also be used in both source and transit networks.
  • When employed at an attacker's originating network, StormDetector can pinpoint the location of the attacker. In this case, it will backtrack the attack directly to its source's first-hop router. It may be that the attacker is a zombie residing on a compromised machine in an enterprise network. In addition to uncovering those traditional launchpads, StormDetector will be instrumental in identifying attacks originating from home machines that connect to the Internet through persistent tier-2 ISP's ADSL or cable modem connections.
  • FIG. 9 represents the process for detecting anomalies in the network statistics within a single zone.
  • the system picks a measurement node at random.
  • a set of coarse flow statistics or packet header samples is collected.
  • This set of statistics is examined for anomalies. These anomalies include both clearly defined misuse of the network resources, and also significant differences between the profile of the various endpoints and the behavior measured in the sample. If any new anomalies are detected in the sample, they are added as conditional anomalies, and the collector is updated with these new conditional anomalies. Next, a refined sample is taken with respect to the pending conditional anomalies at the collector. The system then looks at the refined sample of the network statistics for the presence of both new conditional anomalies as well as old anomalies. For each anomaly found, its status is updated. The system then goes through the outstanding anomalies and prunes out any stale ones. Finally, the system updates the database with the latest summary statistics for each of the outstanding anomalies. The system then repeats, by beginning at the start node.
  • StormTracker includes a set of algorithms that provide the functionality for tracking anonymous denial of service attacks to their sources. These algorithms provide two main functions: directed searching and path reconstruction. Directed searching is an algorithm for quickly separating the attack traffic from the legitimate network traffic—essentially quickly finding needles in haystacks. By narrowing the scope of the upstream detection points, directed search provides the means for scalable tracking of large-scale attacks. Path reconstruction takes multiple measurements of distributed denial of service attacks and determines their global topology characteristics. Specifically, given a huge distributed denial of service attack, StormTracker allows many statistics collected from around the Internet to be quickly and robustly correlated to reconstruct the attack tree.
  • the StormTracker protocol binds these distributed detection points together. This protocol allows multiple autonomous StormDetectors to cooperate and exchange attack information, enabling a globally scoped solution. StormTracker needed a clear definition of denial of service attacks in order to communicate effectively. The StormTracker protocol codifies this definition as a standard for exchanging attack information between multiple StormDetector networks.
  • FIG. 11 shows an example of how two systems with StormDetectors can cooperate using the StormTracker protocol to trace the attack to its origin.
  • StormBreaker is another piece of the solution to denial of service attacks: stopping the attack. Specifically, once StormDetector and StormTracker trace an attack to its origin, the network uses StormBreaker to filter its effects. It protects the target by both guaranteeing it full connectivity to the Internet as well as ensuring its ability to provide legitimate clients with service.
  • the StormBreaker technology works with both standard network infrastructure and custom filtering technology. Specifically, it can use the filtering abilities of both Cisco and Juniper routers for removing denial of service attacks.
  • a custom filtering appliance has been developed that will remove attacks from an interposed link at high-speed line rates. This custom solution is based on the Intel IXP network processor.
  • FIG. 12 shows the use of StormBreaker to block a denial of service attack at its source.
  • the attack has compromised a machine in the enterprise network and has been attacking a host downstream in ISP-B.
  • StormBreaker determines the appropriate filtering response. Specifically, StormBreaker uses knowledge about the topology and infrastructure components in a network to make the best filtering decision. In this example, StormBreaker applies a filtering rule to the attacker's router to remove its traffic from the network.
  • the overall system solution to denial of service attacks is comprehensive, sophisticated, scalable, and effective.
  • the StormTools suite of solutions detects malicious attacks, as shown in FIG. 13, traces them back to their origin, as shown in FIG. 14, and removes their packets from the Internet, as shown in FIG. 15. Together they guarantee a host—such as a besieged Web server previously left incapacitated and unable to provide service to legitimate clients—sustained network connectivity to legitimate users.
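As an added example that is not part of the patent, the following Python sketch implements the directed tracing and path reconstruction described above (the DoS tracker, StormTracker and the StormBreaker filter placement): starting at the target's router it follows the incoming-interface statistic upstream through a topology map, branches where several interfaces carry the attack signature, and reports where filtering would be applied. The topology, interface names, flow records, rate threshold and filter-rule format are constructed assumptions.

```python
"""Directed tracing and path reconstruction of a flood toward a target.
Added example, not the patent's code: the topology, interface names, flow
records, rate threshold and filter-rule format are constructed assumptions."""
from collections import defaultdict

# Constructed topology: (router, incoming interface) -> upstream router that
# feeds it, or None for an edge link with no participating router behind it.
TOPOLOGY = {
    ("Router-C", "if1"): "Router-B",
    ("Router-C", "if2"): "Router-D",
    ("Router-B", "if1"): "Router-A",
    ("Router-B", "if2"): None,
    ("Router-A", "if1"): None,
    ("Router-D", "if1"): None,
}

# Constructed flow statistics as a collector would report them per router:
# (src, dst, proto, dport, incoming interface, packets/s).  The attack
# sources are forged and vary; the incoming interface is what the router
# itself observed and cannot be forged by the sender.
FLOW_STATS = {
    "Router-C": [
        ("10.9.9.9", "198.51.100.10", 6, 80, "if1", 40000),
        ("10.8.8.8", "198.51.100.10", 6, 80, "if1", 38000),
        ("10.7.7.7", "198.51.100.10", 6, 80, "if2", 12000),
        ("203.0.113.5", "198.51.100.10", 6, 80, "if2", 3),
    ],
    "Router-B": [
        ("10.9.9.9", "198.51.100.10", 6, 80, "if1", 40000),
        ("10.8.8.8", "198.51.100.10", 6, 80, "if1", 38000),
        ("192.0.2.7", "198.51.100.20", 6, 443, "if2", 5),
    ],
    "Router-A": [
        ("10.9.9.9", "198.51.100.10", 6, 80, "if1", 40000),
        ("10.8.8.8", "198.51.100.10", 6, 80, "if1", 38000),
    ],
    "Router-D": [
        ("10.7.7.7", "198.51.100.10", 6, 80, "if1", 12000),
    ],
}

RATE_THRESHOLD = 10000  # packets/s per incoming interface; assumed value

def query_collector(router):
    """Stand-in for polling a router's flow cache through its collector."""
    return FLOW_STATS.get(router, [])

def match_signature(router, signature):
    """Incoming interfaces on `router` that carry the attack signature
    (dst, proto, dport) above the rate threshold.  Source addresses are
    deliberately ignored because the attacker forges them."""
    dst, proto, dport = signature
    per_iface = defaultdict(int)
    for _src, d, p, port, iface, pps in query_collector(router):
        if (d, p, port) == (dst, proto, dport):
            per_iface[iface] += pps
    return sorted(i for i, pps in per_iface.items() if pps >= RATE_THRESHOLD)

def trace_attack(target_router, signature):
    """Walk upstream from the target's router, querying only the routers
    behind interfaces on which the signature is seen.  Returns (tree, sources):
    tree maps each router on the attack path to the upstream routers that
    feed it; sources lists the (router, interface) pairs where the trace
    ends, i.e. the first-hop side of each attack branch."""
    tree, sources, stack = {}, [], [target_router]
    while stack:
        router = stack.pop()
        if router in tree:            # already expanded (meshed topologies)
            continue
        feeders = []
        for iface in match_signature(router, signature):
            upstream = TOPOLOGY.get((router, iface))
            if upstream is None or not match_signature(upstream, signature):
                sources.append((router, iface))
            else:
                feeders.append(upstream)
                stack.append(upstream)
        tree[router] = feeders
    return tree, sorted(sources)

def filter_placements(sources, signature):
    """Where StormBreaker-style blocking would be applied: on the ingress
    interface of each first-hop router found by the trace, as close to the
    source as the trace reached (the rule format is an assumption)."""
    return [{"router": r, "in_iface": i, "match": signature} for r, i in sources]

if __name__ == "__main__":
    tree, sources = trace_attack("Router-C", ("198.51.100.10", 6, 80))
    print(tree, sources, filter_placements(sources, ("198.51.100.10", 6, 80)))
```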
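As a second added example, not from the patent, this Python code sketches the HNP loop and hierarchy described above (the profile construction steps and the StormProfiler notion of distance): flows are aggregated into the (incoming prefix, outgoing prefix) cross-product of FIG. 4 at a level chosen by distance from the endpoints, the profile is coarsened when a cell budget standing in for the memory requirement is exceeded, and a sampled window is compared against the profile to flag gross bandwidth anomalies. The prefix levels, the hop-to-level rule, the cell budget, the flow samples and the anomaly factor are assumptions.

```python
"""Hierarchical Network Profile (HNP) construction and anomaly check.
Added example, not the patent's code: the flow records, the cell budget that
stands in for the memory requirement, the prefix lengths per level and the
anomaly factor are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Aggregation levels, finest first: prefix length for the incoming (source)
# and the outgoing (destination) side of the cross-product space of FIG. 4.
LEVELS = [(32, 32), (24, 24), (16, 16), (8, 8)]

def mask(addr, plen):
    """Address or prefix -> enclosing prefix of length plen, as a string."""
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

def aggregate(flows, level):
    """Sum bytes into (incoming prefix, outgoing prefix) cells at a level."""
    sp, dp = LEVELS[level]
    cells = defaultdict(int)
    for src, dst, nbytes in flows:
        cells[(mask(src, sp), mask(dst, dp))] += nbytes
    return dict(cells)

def distance_level(hops_to_nearest_endpoint):
    """Hierarchy rule: the closer the measurement point is to a flow
    endpoint, the finer the profile (the hop-to-level mapping is assumed)."""
    return min(hops_to_nearest_endpoint, len(LEVELS) - 1)

class Profile:
    """Per-cell mean bytes over completed sampling windows at one level."""
    def __init__(self, level):
        self.level = level
        self.windows = 0
        self.totals = {}

    def coarsen(self):
        """Step to the next coarser level, re-aggregating stored totals
        (prefixes nest, so the sums stay exact).  False if already coarsest."""
        if self.level + 1 >= len(LEVELS):
            return False
        self.level += 1
        sp, dp = LEVELS[self.level]
        new = {}
        for (s, d), v in self.totals.items():
            k = (mask(s.split("/")[0], sp), mask(d.split("/")[0], dp))
            new[k] = new.get(k, 0) + v
        self.totals = new
        return True

    def sample(self, flows, max_cells):
        """HNP loop step: aggregate a sample at the profile's level, then
        coarsen until the memory requirement (the cell budget) is met."""
        while True:
            cells = aggregate(flows, self.level)
            if len(set(cells) | set(self.totals)) <= max_cells or not self.coarsen():
                return cells

    def add_window(self, cells):
        """Insert a completed sampling window into the profile."""
        self.windows += 1
        for k, v in cells.items():
            self.totals[k] = self.totals.get(k, 0) + v

    def mean(self, key):
        return self.totals.get(key, 0) / self.windows if self.windows else 0.0

def find_anomalies(profile, cells, factor=5.0, floor=1000):
    """Cells whose sampled volume exceeds `factor` times the profiled mean, or
    never-profiled cells above `floor` bytes: the gross bandwidth anomalies
    the text associates with flood attacks."""
    out = []
    for key, nbytes in cells.items():
        expected = profile.mean(key)
        if (expected == 0 and nbytes >= floor) or nbytes > factor * expected > 0:
            out.append((key, nbytes, expected))
    return sorted(out)

# Constructed samples (src, dst, bytes): a normal window, and one with a flood
# toward 198.51.100.10 from scattered (forged) sources.
NORMAL = [
    ("192.0.2.10", "198.51.100.10", 4000),
    ("192.0.2.11", "198.51.100.10", 3000),
    ("192.0.2.20", "198.51.100.20", 5000),
    ("203.0.113.4", "198.51.100.10", 2000),
]
FLOOD = NORMAL + [
    ("10.1.2.3", "198.51.100.10", 90000),
    ("10.1.2.4", "198.51.100.10", 80000),
    ("10.1.9.9", "198.51.100.10", 70000),
]

def demo(hops=2, max_cells=4):
    """Profile three normal windows, then examine the flood window."""
    profile = Profile(distance_level(hops))
    for _ in range(3):
        profile.add_window(profile.sample(NORMAL, max_cells))
    cells = profile.sample(FLOOD, max_cells)
    return profile.level, find_anomalies(profile, cells)

if __name__ == "__main__":
    print(demo())
```

With hops=0 the profile starts at /32, and the flood window forces a coarsening to /24 because the forged sources would otherwise exceed the cell budget; the two /24 flood cells are still flagged.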

Abstract

A method and system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic is provided. The method includes collecting statistics at a plurality of measurement points located within forwarding infrastructure of the computer network. The method also includes analyzing the statistics to reconstruct the path taken by the undesirable network traffic through the network from the source of the traffic. The method and system use a combination of well-known misuse signatures of network resources in combination with modeling of normal network service behavior to identify bandwidth anomalies.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims the benefit of the following U.S. provisional applications: “Denial of Service Detection and Tracking”, filed Sep. 8, 2000 and having U.S. Ser. No. 60/231,480; “Hierarchical Network Profiling” also filed Sep. 8, 2000 and having U.S. Ser. No. 60/231,481; and “Denial of Service Scrubber” also filed Sep. 8, 2000 and having U.S. Ser. No. 60/231,479. [0001]
  • STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
  • This invention was made with government support under Contract No. F30602-99-1-0527 awarded by DARPA. The government has certain rights to the invention. [0002]
  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention [0003]
  • This invention relates to methods and systems for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic. [0004]
  • 2. Background Art [0005]
  • Given the explosive growth of the Internet and increasing reliance on the Web for accessing information and conducting commerce, there is an accelerating demand for solutions to security problems as corporations and others launch e-commerce strategies and begin migrating mission critical applications to the Internet. Security is now a business requirement—the actual loss in revenue combined with intangible costs in reputation and customer confidence are only exacerbated by the fierce competition that the Internet environment fosters. [0006]
  • The Internet security software market consists of applications and tools in four submarkets: firewall software; encryption software; antivirus software; and authentication, authorization and administration software. There are also a number of emerging security submarkets such as virtual private networks (VPNs), intrusion detection, public key infrastructure and certificate authority (PKI/CA), and firewall appliances. [0007]
  • Network-based intrusion detection systems are based on passive packet capture technology at a single point in the network. Such systems do not provide any information as to the source of the attack. [0008]
  • A firewall is a system for keeping a network secure. It can be implemented in a single router that filters out unwanted packets, or it may use a combination of technologies in routers and hosts. Firewalls are widely used to give users access to the Internet in a secure fashion as well as to separate a company's public Web server from its internal network. They are also used to keep internal network segments secure. For example, a research or accounting subnet might be vulnerable to snooping from within. [0009]
  • Following are the types of techniques used individually or in combination to provide firewall protection. [0010]
  • Packet Filter. Blocks traffic based on IP address and/or port numbers. Also known as a “screening router.”[0011]
  • Proxy Server. Serves as a relay between two networks, breaking the connection between the two. Also typically caches Web pages. [0012]
  • Network Address Translation (NAT). Hides the IP addresses of client stations in an internal network by presenting one IP address to the outside world. Performs the translation back and forth. [0013]
  • Stateful Inspection. Tracks the transaction in order to verify that the destination of an inbound packet matches the source of a previous outbound request. Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be made at any layer or depth. [0014]
  • A denial of service attack is an assault on a network that floods it with so many additional service requests that regular traffic is either slowed or completely interrupted. Unlike a virus or worm, which can cause severe damage to databases, a denial of service attack interrupts service for some period. [0015]
  • An example includes a client fetching pages from an HTTP server for the sole purpose of utilizing the server's inbound or outbound bandwidth. Another example is a malicious client setting up streaming media connections for the purpose of exhausting a server's connections and bandwidth. [0016]
  • U.S. Pat. No. 4,817,080 to Soha discloses a system that measures traffic statistics by looking at packet contents. The system collects distributed measurements and forwards them to a centralized point. [0017]
  • U.S. Pat. No. 5,781,534 to Perlman et al. discloses apparatus for determining characteristics of a path by utilizing active probing along a network path to determine its characteristics. These characteristics are added to the packet as it traverses the network. [0018]
  • U.S. Pat. No. 5,968,176 to Nessett et al. discloses a system that utilizes many network elements to provide an umbrella countermeasure. [0019]
  • U.S. Pat. No. 5,991,881 to Conklin et al. discloses a system which flags intrusions and updates the status of the intruder's progress. This system only stores the packets with the source address of the attacker. [0020]
  • U.S. Pat. No. 6,078,953 to Vaid et al. discloses a system which classifies packets at the border of the network to provide quality of service. It polices traffic at the edge of the network. [0021]
  • U.S. Pat. No. 6,088,804 to Hill et al. discloses a system which correlates distributed attacks to build a path of the attack through the network. The system uses a training signature for attack identification. That is, the system is trained on attacks, and then compares current activity to this known misuse. [0022]
  • U.S. Pat. No. 6,134,662 to Levy et al. discloses a physical layer security manager for memory-mapped serial communications interface. [0023]
  • SUMMARY OF THE INVENTION
  • An object of the present invention is to provide a method and system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic. [0024]
  • In carrying out the above objects and other objects of the present invention, a method for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic is provided. The method includes collecting statistics at a plurality of measurement points located within forwarding infrastructure of the computer network. The method also includes analyzing the statistics to reconstruct the path taken by the undesirable network traffic through the network from the source of the traffic. [0025]
  • The method may further include blocking undesirable network traffic within the computer network upstream of the points based on the reconstructed path. [0026]
  • The forwarding infrastructure may include at least one router. [0027]
  • The statistics may include flow-based statistics which provide information related to the same logical traffic flow. [0028]
  • The statistics may also include packet statistics which provide information about a set of packets entering the forwarding infrastructure. [0029]
  • The method may further include requesting and receiving upstream statistics from forwarding infrastructure of the computer network upstream of the measurement points, and wherein the step of analyzing includes the step of analyzing the upstream statistics to reconstruct the path taken by the undesirable network traffic. [0030]
  • The step of analyzing may include the step of extracting profiles from the statistics collected at the plurality of measurement points and comparing the profiles to reconstruct the path taken by the undesirable network traffic. [0031]
  • The computer network may be the Internet. [0032]
  • In carrying out the above objects and other objects of the present invention, a system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic is provided. The system includes collectors for collecting statistics at a plurality of measurement points located within forwarding infrastructure of the computer network. The system also includes at least one controller in communication with the collectors for analyzing the statistics to reconstruct the path taken by the undesirable network traffic through the network from the source of the traffic. [0033]
  • The system may further include means in communication with the at least one controller for blocking undesirable network traffic within the computer network upstream of the points based on the reconstructed path. [0034]
  • The system may further include means for requesting and receiving upstream statistics from forwarding infrastructure of the computer network upstream of the measurement points, and wherein the at least one controller analyzes the upstream statistics to reconstruct the path taken by the undesirable network traffic. [0035]
  • The controller may extract profiles from the statistics collected at the plurality of measurement points and compare the profiles to reconstruct the path taken by the undesirable network traffic. [0036]
  • The undesirable network traffic may include denial of service attacks and the computer network may include a plurality of service provider networks. [0037]
  • The above object and other objects, features, and advantages of the present invention are readily apparent from the following detailed description of the best mode for carrying out the invention when taken in connection with the accompanying drawings.[0038]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a schematic view of a denial of service scrubber (DoS scrubber) positioned to protect publicly accessible network computer services such as an Internet service; [0039]
  • FIG. 2 is a schematic view of the DoS scrubber architecture; [0040]
  • FIG. 3a is a schematic view illustrating single link flow measurements as a type of flow statistic extraction; [0041]
  • FIG. 3b is a schematic view illustrating switching point measurements as a type of flow statistic extraction; [0042]
  • FIG. 4 is a schematic view illustrating a cross-product space for a hierarchical network profiler with incoming flows on the left and outgoing flows on the right; [0043]
  • FIG. 5 is a schematic block diagram flow chart which provides an operational description of the hierarchical network profiler; [0044]
  • FIG. 6 is a schematic view illustrating an example use of a denial of service tracker; [0045]
  • FIG. 7 is a schematic view of the architecture of a denial of service tracker; [0046]
  • FIG. 8 is a schematic view of distributed architecture for global detection and trace back of denial of service attacks; [0047]
  • FIG. 9 is a schematic block diagram flow chart illustrating an intra-zone denial of service anomaly detector; [0048]
  • FIG. 10 is a schematic view illustrating back-tracking a forged packet source; [0049]
  • FIG. 11 is a schematic view illustrating a storm tracker which backtracks an attack to its source; [0050]
  • FIG. 12 is a schematic view illustrating storm breaker blocking an attack; [0051]
  • FIG. 13 is a schematic view illustrating attack and anomaly detection; [0052]
  • FIG. 14 is a schematic view illustrating backtracking a forged traffic source; and [0053]
  • FIG. 15 is a schematic view illustrating blocking DoS traffic.[0054]
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • In general, the present invention provides a method and system for protecting publicly accessible network computer services from undesirable network traffic in real-time and is useful within a larger system which combats denial of service attacks without requiring any changes to the existing Internet routing infrastructure. This larger system, in general, combines network topology information and coarse-grained traffic statistics from routers to detect, backtrack, and filter distributed attacks on enterprise networks and websites. This larger system exploits information from routers without requiring any changes to the existing Internet routing infrastructure. The larger system as well as the present invention works with the existing routing infrastructure deployed at Internet service providers, application service providers, and enterprise networks. The method and system are enabled by functionality that the major routing vendors have put into their latest products. [0055]
  • The larger system includes a number of complementary components as follows: [0056]
  • StormProfiler. A set of data mining and network profiling techniques that are used to define “normal” traffic patterns and set dynamic thresholds that are continually monitored for early detection and notification. [0057]
  • StormDetector. A new process for real-time monitoring, detection, and notification of denial of service attacks and network anomalies. Continuous or periodic sampling is employed for collecting network statistics and extracting network topology information from routers. [0058]
  • StormTracker. A new protocol for correlating anomalous distributed events that enables tracking a denial of service attack back to its source. [0059]
  • StormBreaker. A unique solution for protecting and minimizing the impact of denial of service attacks on websites and Web hosting services. This solution is based on the unique protocol scrubber technology. [0060]
  • DoS Scrubber [0061]
  • In general, the method and system of the invention use Internet routing data in conjunction with passive traffic data to identify application-level denial of service attacks. An example includes a client fetching pages from an HTTP server for the sole purpose of utilizing the server's inbound or outbound bandwidth. Another example is a malicious client setting up streaming media connections for the purpose of exhausting a server's connections and bandwidth. [0062]
  • In the invention, a server's request stream (such as a web server's web logs) is monitored to build a profile of requests from a topologically clustered set of machines in the Internet. These clusters are identified by their administrative domain. The administrative domains are inferred by examining the Internet's BGP routing tables from several points in the Internet. By generating the server's request profiles for sets of clusters in the Internet, malicious hosts that are launching application-level denial of service attacks can be detected. While this clustering technique has been used in the past for identifying appropriate web caches for minimizing web fetch latency, it has not been applied to detecting denial of service attacks. [0063]
  • Once these malicious hosts are identified, their requests can be filtered either at the server or upstream in the network. [0064]
  • A denial of service scrubber (DoS scrubber) is an actively interposed network element or system that removes denial of service attacks from legitimate network traffic in real-time. The denial of service scrubber removes a new type of denial of service traffic from publicly accessible Internet services. [0065]
  • In particular, the DoS scrubber removes denial of service attacks on publicly accessible Internet service. Moreover, it uses data mining techniques to remove a class of previously unidentifiable denial of service attacks. This new class of attacks appear to the service as legitimate service requests; however, these requests are generated by a malicious agent with the sole purpose of denying resources to servicing legitimate requests. [0066]
  • FIG. 1 shows an example use of the DoS scrubber. It depicts a network server providing a publicly accessible service, a public Web server for example. The DoS scrubber is interposed between the server and the Internet. As such, it sees all the traffic that passes between the server and its remote clients. As a public server, both legitimate and malicious users have equal access to its resources. However, by analyzing the service request distributions and packet statistics, the DoS scrubber can identify malicious users of the service and either filter them completely or throttle back their access. [0067]
  • Protecting Web (Hypertext Transfer Protocol, or HTTP) services is one specific application of the DoS scrubber. When scrubbing HTTP traffic, the DoS scrubber separates legitimate from malicious Web requests. The scrubber leverages the fact that HTTP is layered on top of the TCP transport protocol. Because a TCP session cannot be completed from a forged source address as long as the server's initial sequence numbers are unpredictable (the client must echo the server's randomly chosen sequence number to finish the handshake), the client end of a service request is clearly and uniquely identified by its IP source address. This holds only against off-path attackers; an attacker who can observe the server's SYN-ACK, or a server with predictable initial sequence numbers, weakens the guarantee. By pairing a client's identity with its connection statistics and request distribution, a profile can be constructed through data mining. This profile is compared to the normal profile that the scrubber obtains through data mining during a training session; the training can also be updated on-line as the system runs. Clients whose profiles are flagged as anomalous are then candidates for having their subsequent requests attenuated or completely filtered. [0068]
  • FIG. 2 denotes the denial of service scrubber's high-level architecture. It is comprised of two primary components: the forwarding and the analysis engines. The forwarding engine (FE) has two main responsibilities: applying filtering and rate limiting to sets of Internet hosts, and generating request statistics. The analysis engine (AE) is responsible for the collection and subsequent data mining of the forwarding engine's statistics. Upon detection of malicious hosts, appropriate actions are fed back from the analysis engine to the forwarding engine for filtering or rate limiting the host's requests. [0069]
  • The DoS scrubber's forwarding engine serves both as an enforcement mechanism and as a statistics generator. When Internet Protocol (IP) packets enter the scrubber, they are given to the forwarding engine. Upon receipt, the FE determines whether the packets belong to an existing request or are part of a new request. If the request is new, a variety of safeguards remove many of the common types of denial of service, such as TCP SYN floods. The safeguards also include checking whether the requesting client has been determined malicious by the analysis engine. If so, the request is dealt with in a policy-configured manner. For example, if the service is not overwhelmed, it may allow the request to proceed but throttle it back using a custom rate limiter. When packets arrive that are not discarded, statistics are collected that are later sent to the analysis engine. Examples of these statistics include: [0070]
  • Size: the request and subsequent reply's size, both in bytes and packets. [0071]
  • Request payload: content of the request at the application layer (e.g., HTTP GET string). [0072]
  • Number of fragments: the number of fragments in the request can be used to detect some types of malicious use. [0073]
  • Number of protocol anomalies: the number of errors in the request's protocols. [0074]
  • The analysis engine uses the stream of request statistics as a feed into a data mining system. The system compares the various client request statistics to sets of profiles. There are two sets of profiles: canned and trained profiles. The canned profiles represent anomalous behavior at the service level. These canned profiles can be changed through a control interface to match an administrator's specifications. The trained profiles are generated by training on the server's genuine request statistics. Sophisticated denial of service attacks that were previously unidentifiable can be detected by comparing a client's request distribution to those of the profiles. [0075]
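The following is an added example, not code from the patent, of the per-client profiling that the forwarding and analysis engines perform on HTTP traffic: request statistics are built per client IP from access-log lines, a "trained" profile (median and MAD per feature) is derived from genuine traffic, and live clients whose profile deviates on any feature are flagged for rate limiting or filtering. The log lines are constructed; the /24 grouping stands in for the BGP-derived administrative-domain clustering described above, and `K_MAD` is an assumed threshold.

```python
"""Per-client HTTP request profiling in the manner of the DoS scrubber's analysis engine.

Added example, not the patent's code. Log lines are constructed; the /24 grouping
stands in for BGP-derived administrative-domain clusters; K_MAD is an assumption.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Apache-style combined log, shortened to the fields the profile needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<nbytes>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FEATURES = ("rate", "distinct_ratio", "mean_bytes")
K_MAD = 3.0  # assumption: a feature more than 3 scaled MADs from the trained median is anomalous


def _mk(ip, start, paths, gap_s, nbytes):
    """Constructed log lines for one client: one GET per path, gap_s seconds apart."""
    t0 = datetime.strptime(start, TS_FMT)
    return [
        f'{ip} - - [{(t0 + timedelta(seconds=i * gap_s)).strftime(TS_FMT)}] '
        f'"GET {p} HTTP/1.1" 200 {nbytes}'
        for i, p in enumerate(paths)
    ]


# Training set: genuine browsing clients (constructed).
TRAIN_LINES = (
    _mk("192.0.2.10", "01/May/2001:10:00:00 +0000", ["/", "/about", "/docs", "/contact"], 15, 2048)
    + _mk("192.0.2.11", "01/May/2001:10:01:00 +0000", ["/", "/docs", "/docs/api", "/pricing"], 20, 4096)
    + _mk("192.0.2.12", "01/May/2001:10:02:00 +0000", ["/", "/blog", "/blog/1", "/blog/2", "/about"], 10, 3072)
    + _mk("192.0.2.13", "01/May/2001:10:03:00 +0000", ["/", "/about"], 30, 1024)
)
# Live window: two genuine clients plus one host hammering an expensive search URL (constructed).
LIVE_LINES = (
    _mk("192.0.2.20", "01/May/2001:11:00:00 +0000", ["/", "/docs", "/about"], 15, 2048)
    + _mk("198.51.100.5", "01/May/2001:11:00:30 +0000", ["/", "/blog"], 30, 1024)
    + _mk("203.0.113.7", "01/May/2001:11:00:00 +0000", ["/search?q=*"] * 30, 1, 65536)
)


def parse(lines):
    """Yield (ip, timestamp, path, bytes) per well-formed line; malformed lines are dropped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = m.group("req").split()
        path = req[1] if len(req) >= 2 else "-"
        yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), path, int(m.group("nbytes"))


def client_profiles(lines):
    """Per-client statistics: request count, request rate, distinct-path ratio, mean reply size."""
    by_ip = defaultdict(list)
    for ip, ts, path, nbytes in parse(lines):
        by_ip[ip].append((ts, path, nbytes))
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort()
        window = max((recs[-1][0] - recs[0][0]).total_seconds(), 1.0)
        profiles[ip] = {
            "requests": len(recs),
            "rate": len(recs) / window,
            "distinct_ratio": len({p for _, p, _ in recs}) / len(recs),
            "mean_bytes": statistics.mean([b for _, _, b in recs]),
        }
    return profiles


def train(profiles):
    """Trained profile: (median, scaled MAD) per feature over genuine clients."""
    model = {}
    for f in FEATURES:
        xs = [p[f] for p in profiles.values()]
        med = statistics.median(xs)
        mad = statistics.median([abs(x - med) for x in xs])
        # Floor the spread at 10% of the median so a degenerate training set cannot flag everything.
        model[f] = (med, max(mad, 0.1 * abs(med), 1e-9))
    return model


def robust_z(profile, model):
    """Distance of each feature from the trained median, in MAD units."""
    return {f: abs(profile[f] - model[f][0]) / model[f][1] for f in FEATURES}


def flag_clients(live_profiles, model, k=K_MAD):
    """Clients deviating on any feature: candidates for rate limiting or filtering."""
    return {ip: z for ip, z in ((ip, robust_z(p, model)) for ip, p in live_profiles.items())
            if max(z.values()) > k}


def cluster_requests(profiles, prefixlen=24):
    """Request counts per address block (stand-in for administrative-domain clusters)."""
    totals = defaultdict(int)
    for ip, p in profiles.items():
        totals[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += p["requests"]
    return dict(totals)


def scrub(train_lines=TRAIN_LINES, live_lines=LIVE_LINES):
    """Train on genuine traffic, then return the flagged clients in the live window."""
    return flag_clients(client_profiles(live_lines), train(client_profiles(train_lines)))


if __name__ == "__main__":
    for ip, z in scrub().items():
        print(ip, {f: round(v, 1) for f, v in z.items()})
```

Only the host fetching the same search URL thirty times in thirty seconds is flagged; the two genuine live clients stay within three MADs on every feature. A median/MAD model is used rather than mean/standard deviation so that the attacker's own traffic cannot drag the baseline when training is updated on-line.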
  • The system differs from firewalls in that it protects publicly accessible services from attack. The system recognizes attacks on edge services and adapts the forwarding rules to remove them from the network. Statistics and data from service requests are sent from the forwarding engine to the analysis engine. These data are then analyzed using data mining techniques to find malicious or anomalous service request patterns. The analysis engine then feeds this information back into the forwarding engine to filter or attenuate access to the public service from these inappropriate sites. [0076]
  • Unlike firewalls, the scrubber does not proxy the connections or authenticate access to a service; it forwards statistics from a series of client service requests to be analyzed for attack behavior. [0077]
  • Hierarchical Network Profiler (HNP) or StormProfiler [0078]
  • In general, the hierarchical network profiler (HNP) is a new approach to network traffic profiling. It aggregates network statistics using a novel cross-product of hosts, network and router interfaces to profile network traffic at a measurement point. [0079]
  • In particular, the hierarchical network profiler (HNP) represents a quantum leap forward in the area of network traffic profiling. This technology identifies gross bandwidth anomalies automatically at any point in a network's routing infrastructure. [0080]
  • The goal of network profiling is to construct a model of network traffic. The approach the HNP takes is to model the network at the granularity of network flows. A network flow is defined as “a unidirectional sequence of packets that are collocated within time that have invariant feature across all the packets.” These features may include the source and destination addresses, a protocol type, and any application layer port information. An example of an Internet flow is a sequence of packets that all have the same IP source and destination addresses, IP protocol value, and UDP or TCP source and destination ports. [0081]
  • FIGS. 3a and 3b show two ways to measure flow statistics in a networking environment: at a single networking link (FIG. 3a), and at a multi-link switching point (FIG. 3b). In the single link case, a measurement device sits on a single networking link and constructs flow statistics for the underlying network traffic. Switchpoint statistics generally require measurement support in the hardware, such as Cisco System's Netflow technology, or Juniper Network's Internet Processor II packet sampling technology and Cflowd. This hardware support typically provides the standard flow invariants described above in addition to information about the incoming and possibly outgoing interfaces. The HNP can profile the traffic flows gathered in either of these manners. [0082]
  • The HNP automatically adjusts to its position in the network by identifying the typical traffic source and destination pairs for flows that transit the measurement point, e.g., a router. The diagram in FIG. 4 illustrates the possibilities for cross-products of incoming and outgoing endpoints for transit flows. The most specific endpoint, at the lowest aggregation level, is a host's IP address. When hosts are aggregated into network blocks, such as CIDR blocks, fewer endpoint statistics are required. These are represented by the middle block of endpoints in FIG. 4. Finally, the router's interfaces are the highest level of aggregation, and the least specific. The HNP adjusts the amount of aggregation that it keeps on each interface depending on the level of diversity the flow endpoints exhibit along that interface. This diversity grows with the distance from the measurement interface to the endpoints. For example, a router close to a set of enterprise hosts will be able to maintain flow statistics about each host; a host is the flow's endpoint whenever the number of hosts is not prohibitive. However, in this example, the other endpoint of the flow may be very far from this router. Therefore, the HNP may only keep a profile of its measurement interface. This example illustrates the general application of the HNP: the HNP keeps a profile for the cross-product of the flows that traverse it. In this example, it may keep the cross product A×D for flows destined for the Internet from this set of hosts. [0083]
  • FIG. 5 represents the algorithm for the Hierarchical Network Profiler (HNP). At the beginning of each process iteration, the HNP receives network flow statistics from the network-forwarding infrastructure. These statistics are summaries of network traffic that the HNP uses to build its profile. After receiving a set of flow summaries (or records), the HNP iterates over each flow record. It determines whether it is interested in the record, that is, whether a profile is maintained for either the flow's source or destination aggregate. If so, the HNP updates the source and destination profile with the flow's statistics. [0084]
  • The HNP then checks whether the memory and user-defined requirements continue to be met. If not, the aggregation level for the profiles is adjusted so that the requirements are met. Once the requirements are met, the HNP inserts the statistics into the sample profile. The system then checks whether a sampling window has been crossed. When this occurs, the HNP writes the oldest profile to persistent storage and initializes a new profile. If the sampling window has not been crossed, the new samples are added to the existing profiles. After the iteration over the flow statistics has completed, the system goes back to query for further flow statistics, and the process begins again. [0085]
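The loop of FIG. 5, as an added example that is not the patent's code: profile entries are keyed by the cross-product of source and destination endpoints, each interface carries its own aggregation level (host, /24, /16, interface), the level on the most diverse interface is raised whenever an entry-count memory budget is exceeded, and the current profile is archived when a sampling window is crossed. Flow records, interface names and the memory budget are constructed assumptions; the measurement point is an enterprise edge router with a few LAN hosts on one side and the whole Internet on the other.

```python
"""Hierarchical network profiler: cross-product profiles whose per-interface aggregation
level rises until a memory budget is met, with windowed flush to storage.

Added example, not the patent's code. Flows, interface names and the entry-count
budget are constructed assumptions.
"""
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst in_if out_if nbytes pkts ts")
LEVELS = ("host", "net24", "net16", "iface")  # least to most aggregated


def endpoint_key(addr, iface, level):
    """Key for an endpoint (host IP or network string) at the given aggregation level."""
    if level == "iface":
        return f"if:{iface}"
    if level == "host":
        return addr
    prefix = 24 if level == "net24" else 16
    net = ipaddress.ip_network(addr, strict=False)
    return str(net.supernet(new_prefix=prefix)) if net.prefixlen > prefix else str(net)


class HNP:
    def __init__(self, max_entries, window_s):
        self.max_entries = max_entries              # memory requirement, as a profile-entry count
        self.window_s = window_s                    # sampling window length (seconds)
        self.levels = defaultdict(lambda: "host")   # per-interface aggregation level
        self.current = defaultdict(lambda: [0, 0])  # (in_if, src_key, out_if, dst_key) -> [bytes, pkts]
        self.window_start = None
        self.archive = []                           # stand-in for persistent storage

    def _key(self, in_if, src, out_if, dst):
        return (in_if, endpoint_key(src, in_if, self.levels[in_if]),
                out_if, endpoint_key(dst, out_if, self.levels[out_if]))

    def _coarsen(self):
        """Raise the aggregation level on the most diverse interface and re-aggregate entries."""
        diversity = defaultdict(set)
        for in_if, sk, out_if, dk in self.current:
            diversity[in_if].add(sk)
            diversity[out_if].add(dk)
        candidates = [i for i in diversity if self.levels[i] != LEVELS[-1]]
        if not candidates:
            return False  # everything is already at interface level
        iface = max(candidates, key=lambda i: (len(diversity[i]), i))
        self.levels[iface] = LEVELS[LEVELS.index(self.levels[iface]) + 1]
        rebuilt = defaultdict(lambda: [0, 0])
        for (in_if, sk, out_if, dk), (b, p) in self.current.items():
            nk = self._key(in_if, sk, out_if, dk)  # existing keys re-aggregate cleanly
            rebuilt[nk][0] += b
            rebuilt[nk][1] += p
        self.current = rebuilt
        return True

    def ingest(self, flows):
        """One pass over a batch of flow records (the loop body of FIG. 5)."""
        for f in flows:
            if self.window_start is None:
                self.window_start = f.ts
            if f.ts - self.window_start >= self.window_s:
                # Sampling window crossed: archive the finished profile and start a new one.
                self.archive.append((self.window_start, dict(self.current)))
                self.current = defaultdict(lambda: [0, 0])
                self.window_start = f.ts
            entry = self.current[self._key(f.in_if, f.src, f.out_if, f.dst)]
            entry[0] += f.nbytes
            entry[1] += f.pkts
            # Memory requirement no longer met: coarsen until it is, or nothing is left to coarsen.
            while len(self.current) > self.max_entries and self._coarsen():
                pass


def demo_flows():
    """Constructed flows: four LAN hosts each talking to five Internet hosts in distinct /16s."""
    return [Flow(f"10.1.1.{i}", f"203.{i * 10 + j}.0.10", "lan", "wan", 1000 * i, i, (i - 1) * 5 + (j - 1))
            for i in range(1, 5) for j in range(1, 6)]


def build_demo(max_entries=6, window_s=3600):
    hnp = HNP(max_entries, window_s)
    hnp.ingest(demo_flows())
    return hnp


if __name__ == "__main__":
    h = build_demo()
    print(dict(h.levels), dict(h.current))
```

With a budget of six entries the "wan" side, which sees twenty distinct destinations, is coarsened all the way to interface level while the "lan" side keeps per-host detail, which is the A×D cross-product described above. A host on the LAN that suddenly sends far more than its profile toward `if:wan` then stands out against its own baseline even though nothing is known about the far endpoints.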
  • The HNP takes many available parameters into consideration when constructing a traffic profile: temporal parameters, static network parameters, and dynamic routing parameters. Temporal parameters are needed to discern legitimate differences in traffic behavior. The most important temporal properties are time of day, day of the week, day of the month, and holidays. Additionally, the HNP uses static network parameters to gauge the importance of downstream hosts and networks for aggregation purposes. Similarly, dynamic routing information can be used as an input parameter to the HNP. Together, dynamic routing and topology information form a powerful mechanism for identifying salient network flow characteristics. [0086]
  • The following list describes several applications of the HNP: [0087]
  • 1. Detecting Denial of Service Attacks: The HNP is very good at detecting gross anomalies in network behavior between network endpoints. These types of anomalies are the exact signatures left in the wake of denial of service attacks. As such, the HNP provides a basis for detecting denial of service attacks. [0088]
  • 2. Traffic Characterization: The HNP can be used for capacity planning and traffic characterization. [0089]
  • 3. Configuration Management: Bugs in network configurations often manifest themselves as a change in the network's end-to-end behavior. The HNP can easily detect these types of configuration problems. [0090]
  • The Hierarchical Network Profiler (HNP) differs from past attempts to profile network traffic in two ways. First, it uses the network flow statistics available both from the routing infrastructure and from single link measurement infrastructure. Second, it profiles network traffic in proportion to its distance from either the source or the destination. HNP can profile the network with more accuracy than traditional approaches by leveraging flow statistics collected directly at the router. The second innovation in the HNP is its notion of hierarchy, or distance from a packet's source or destination, when constructing a profile. The HNP constructs traffic profiles differently depending on where the measurements are collected. Specifically, it keeps track of more information about the flows the closer the measurements are collected to the underlying flows' endpoints. This novel approach to profiling allows the HNP to generate useful network profiles at any point in the Internet. [0091]
  • As previously mentioned, StormProfiler represents a quantum leap forward in the area of network traffic profiling. This technology allows network provider and enterprise managers to identify gross bandwidth anomalies automatically at any point in their routing infrastructure. Not coincidentally, these types of anomalies are the exact signatures left in the wake of denial of service attacks. The StormProfiler differs from past attempts to profile network traffic in two ways. First, it uses the network flow statistics available from the routing infrastructure. Second, it profiles network traffic at a router in proportion to its distance from either the source or destination. [0092]
  • StormProfiler can profile the network with more accuracy than traditional approaches by leveraging flow statistics collected directly at the router. Past profiling attempts have focused on placing passive measurement devices at points in the network. These only allow for measuring the traffic on a specific link between two routers. In contrast, by profiling directly at the routers, StormProfiler can determine how specific traffic is typically routed. An analogy would be hiring someone to sit by the side of a road and count how many cars are going in one direction—this is the old approach to profiling. In the same analogy, the StormProfiler sits instead at an intersection, and can tell you how many cars from each direction went down which fork. Clearly, you know much more about your traffic patterns from studying the behavior at the intersection (the router). In this manner, the StormProfiler builds a model over time of how much traffic is routed from one point to another at a specific Internet intersection. This profile has several uses: the foremost for our purpose is denial of service detection. [0093]
  • The second innovation in the StormProfiler is its notion of hierarchy, or distance from a packet's source or destination, when constructing a profile. The StormProfiler constructs traffic profiles differently depending on where the router is in the network. Specifically, it keeps track of more information about the flows the closer the router is to their source (or destination). This novel approach to profiling allows StormProfiler to scale to any point in the Internet. [0094]
  • StormTracker and StormBreaker [0095]
  • In general, the denial of service detector and tracker is a system that detects and backtraces Internet denial of service attacks using packet and flow statistics gathered directly from the Internet routing and forwarding infrastructure. [0096]
  • In particular, the denial of service tracker (DoS tracker) is a system that detects, backtraces and blocks Internet denial of service attacks. It works by gathering packet and flow statistics directly from the Internet routing and forwarding infrastructure—hereafter called the forwarding infrastructure. By collecting flow statistics directly from the forwarding infrastructure, the DoS tracker is able to trace DoS attacks that are untraceable by prior art. Specifically, the DoS tracker can pinpoint the origin of Internet denial of service attacks that are launched with forged source addresses. [0097]
  • The DoS tracker specifically tracks flood-based denial of service attacks. These types of attacks attempt to overwhelm either network or end-host resources by generating a stream of packets either directly or indirectly destined for a target. FIG. 6 shows an example denial of service attack that can be tracked through a sample network. The path of the attack traffic goes through Router-A, Router-B, and Router-C. The most insidious types of attacks hide their origin by forging the source Internet Protocol (IP) address on the attack packets. The problem this causes for administrators and security officers is that when the target discovers itself under attack, it cannot determine the attack's origin, making it impossible to shut the attack down. Our key observation is that statistics can be taken directly from the forwarding infrastructure itself to determine the path and origin of the attack traffic, even when the source address is forged, because the incoming interface on which a router received the packets cannot be forged by the sender. For example, on some types of forwarding infrastructure, such as Cisco and Juniper routers, one can interface directly with the infrastructure to find out which interfaces are affected by an attack. In the example of FIG. 6, the inbound and outbound interfaces that the attack travels across can be ascertained. When pairing this information with knowledge of the physical and logical topology, it is possible to trace the attack through the network to its source. [0098]
  • FIG. 7 illustrates the DoS tracker's overall architecture. It is comprised of a two-stage hierarchy: collectors and controllers. The collectors interface with the forwarding infrastructure; they collect the statistics and report those findings to the controllers. The controllers analyze the statistics, looking for denial of service attacks and tracking them to their source. [0099]
  • The DoS tracker's collector takes samples of statistics from the forwarding infrastructure. The DoS tracker utilizes two types of statistics that routers may collect on our behalf: single packet statistics, and flow-based statistics. Single packet statistics are those that provide essential information about a set of packets entering a forwarding node—a router. Some of the statistics kept include: destination and source IP addresses, incoming interface, protocol, ports, and length. After collection, these single packet statistics can be collected from the router for analysis. Juniper Network's packet sampling technology is an example of single packet statistic support in the infrastructure. Flow-based statistics are statistics that describe a set of packets that are related to the same logical traffic flow. The concept of flow is generally defined as a stream of packets that all have the same characteristics: source address, destination address, protocol type, source port, and destination port. They may be either unidirectional or bidirectional. Flow statistics aggregate a flow's individual packet statistics into a single statistic. Examples include a flow's duration, number of packets, mean bytes per packet, etc. Cisco System's Netflow and Juniper Network's Cflowd mechanism are widely deployed flow-based statistic packages. [0100]
  • Once the controller has received the statistics from the collector, it takes one of two approaches to trace the DoS attacks: directed tracing and distributed correlation. In directed tracing, one utilizes the knowledge of network topology to work backward toward the source of the attack. With distributed correlation, the controller compares the attack signature with those discovered at other nodes in the topology. Attacks that correlate strongly are associated together and implicitly form the path from the source to the target. Directed tracing relies on having both the router's incoming-interface statistic for an attack and the knowledge of the topology to determine what routers are upstream on that link. With this knowledge, upstream routers can then be queried for their participation in transiting the attack. It is useful to note that since these upstream routers are looking for a specific attack signature, it is much easier to find the statistics of merit. This contrasts with the distributed correlation approach, where a general attack profile is extracted from every router's statistics to uncover the global path for the attack. [0101]
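Directed tracing in the sense just described, as an added example that is not the patent's code: starting at the target's router, the controller looks only at the incoming interfaces that carry the attack signature (destination, protocol, port; the forged source is recorded but never trusted), maps each such interface to its upstream router via the topology table, and repeats there. A distributed (two-source) flood naturally yields an attack tree, and interfaces with no upstream router in the table are the ingress points where a filter should be installed. Routers, interface names, the link table, the flow statistics and the packet-rate threshold are all constructed assumptions; the filter "match" strings are illustrative, not any vendor's syntax.

```python
"""Directed tracing of a flood with forged sources, walking the topology backward from
the target using per-router incoming-interface statistics.

Added example, not the patent's code. Routers, interfaces, links, statistics and the
rate threshold are constructed assumptions.
"""
from collections import Counter, namedtuple

# One router's view of a flow. The src field is whatever the packets claimed; it is
# recorded for the report but never used to decide where to look next.
FlowRec = namedtuple("FlowRec", "src dst proto dport in_if out_if pps")

# Physical/logical topology: (router, interface) -> (neighbour router, its interface).
# Interfaces absent from this table face a customer or a non-cooperating network.
LINKS = {
    ("C", "ge-0/0/1"): ("B", "ge-0/0/2"), ("B", "ge-0/0/2"): ("C", "ge-0/0/1"),
    ("B", "ge-0/0/0"): ("A", "ge-0/0/1"), ("A", "ge-0/0/1"): ("B", "ge-0/0/0"),
    ("B", "ge-0/0/1"): ("D", "ge-0/0/1"), ("D", "ge-0/0/1"): ("B", "ge-0/0/1"),
    ("B", "ge-0/0/3"): ("E", "ge-0/0/0"), ("E", "ge-0/0/0"): ("B", "ge-0/0/3"),
}

TARGET = "198.51.100.10"
SIG = (TARGET, "udp", 53)  # attack signature: destination, protocol, destination port
MIN_PPS = 10000            # assumption: below this an interface is not part of the flood

# Per-router flow statistics (constructed). Forged sources differ at every hop; a
# legitimate tcp/80 flow from behind E shares the path but not the signature.
STATS = {
    "C": [FlowRec("10.9.9.9", TARGET, "udp", 53, "ge-0/0/1", "ge-0/0/0", 90000),
          FlowRec("192.0.2.44", TARGET, "tcp", 80, "ge-0/0/1", "ge-0/0/0", 120)],
    "B": [FlowRec("172.16.0.1", TARGET, "udp", 53, "ge-0/0/0", "ge-0/0/2", 50000),
          FlowRec("172.16.0.2", TARGET, "udp", 53, "ge-0/0/1", "ge-0/0/2", 40000),
          FlowRec("192.0.2.44", TARGET, "tcp", 80, "ge-0/0/3", "ge-0/0/2", 120)],
    "A": [FlowRec("10.0.0.1", TARGET, "udp", 53, "ge-0/0/0", "ge-0/0/1", 50000)],
    "D": [FlowRec("10.0.0.2", TARGET, "udp", 53, "ge-0/0/0", "ge-0/0/1", 40000)],
    "E": [FlowRec("192.0.2.44", TARGET, "tcp", 80, "ge-0/0/5", "ge-0/0/0", 120)],
}


def attack_interfaces(router, sig, stats=STATS, min_pps=MIN_PPS):
    """Incoming interfaces on `router` carrying the signature at or above threshold."""
    per_if = Counter()
    for r in stats.get(router, []):
        if (r.dst, r.proto, r.dport) == sig:
            per_if[r.in_if] += r.pps
    return sorted(i for i, pps in per_if.items() if pps >= min_pps)


def directed_trace(target_router, sig, stats=STATS, links=LINKS, min_pps=MIN_PPS):
    """Walk upstream only along interfaces that carry the attack. Returns the attack
    tree as (router, in_if, upstream_router) edges and the list of ingress points."""
    tree, ingress, visited = [], [], set()
    frontier = [target_router]
    while frontier:
        router = frontier.pop()
        if router in visited:
            continue  # loop guard for redundant topologies
        visited.add(router)
        for iface in attack_interfaces(router, sig, stats, min_pps):
            upstream = links.get((router, iface))
            if upstream is None:
                ingress.append((router, iface))  # attack entered the monitored network here
            else:
                tree.append((router, iface, upstream[0]))
                frontier.append(upstream[0])
    return tree, ingress


def ingress_filters(ingress, sig):
    """One drop rule per ingress point, i.e. as close to the source as possible.
    The match string is illustrative only, not router configuration syntax."""
    dst, proto, port = sig
    return [{"router": r, "interface": i, "match": f"{proto} dst {dst} port {port}", "action": "drop"}
            for r, i in ingress]


if __name__ == "__main__":
    tree, ingress = directed_trace("C", SIG)
    print("tree:", tree)
    print("filters:", ingress_filters(ingress, SIG))
```

Only routers on the attack path are queried (E, which carries the legitimate flow, is never visited), which is the "needle in a haystack" advantage of directed tracing over correlating every router's statistics. The threshold should be derived from the profile for that interface rather than a fixed constant in a real deployment; a fixed value is used here to keep the example self-contained.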
  • After detection and tracing, the DoS tracker blocks denial of service attacks as close to their source as possible. By taking a global view of the Internet—across service providers and network—DoS tracker is able to coordinate both the routing infrastructure's ability to filter certain types of traffic in conjunction with custom filtering hardware that can be incrementally deployed in the network. For example, Juniper's Internet Processor II and Cisco's ACL CAR can be utilized to download coarse-grained filters that will remove unwanted DoS attacks in realtime. Furthermore, the DoS blocker can be used as a way to filter at a fine-grain at high speeds in any networking environment, regardless of the routing infrastructure's implementation. As a custom hardware solution to blocking DoS attacks, the DoS blocker is simply a configurable network filter. The blocker, due to its simplicity of design, is very scalable. [0102]
  • The DoS tracker approach differs from conventional network-based intrusion detection (NID) in that it uses statistics from the networking infrastructure itself in contrast to prior art. Prior art in NID systems uses passive measurement techniques at a single point in the network to acquire statistics. These point probes don't provide any information about the source of a forged attack and are therefore useless for tracing denial of service attacks back to their source. Moreover, NID systems are single point measurement systems that have very little support for multi-node measurement correlation or cooperation and are unable to scale to service provider networks. [0103]
  • Cisco System's Netflow flow statistics have not been used for tracking network attacks. They have only been used for access control and traffic billing. Moreover, we have automated a way of polling the Netflow cache in contrast to the continuous mode of Netflow operation used by most products. [0104]
  • Juniper's packet sampling technology and Cflowd mechanism have not been used for tracing attacks. [0105]
  • Another novel feature of the present approach is the filtering of denial of service attacks upstream in the Internet. Current practice is for a target of an attack to stop DoS attacks at their firewall or border router. The present invention differs in that it communicates with the networks and routers along the path back toward the attacker. When this path is identified, the system can filter the attack as close to its source as possible. [0106]
  • As previously mentioned, the distributed approach to global DoS attack detection is based on a notion of both hierarchical and neighboring zones. The philosophy behind this approach lies in the following observation: no detection/traceback node can know about all of the outgoing attacks in the Internet; instead, each node should only know about the attacks that are occurring in its neighborhood. To handle very large scale, Internet wide, DoS detection and traceback, the approach utilizes the natural hierarchy of the Internet addressing scheme. Specifically, the Internet is broken down into manageable portions called zones. These zones then communicate with their neighbors, sharing both specific and aggregated attack signatures and traceback information. The Internet scales because of hierarchy in addressing and routing. Routers and end hosts could not route packets if they had to know about all of the endpoints or routes. By aggregating this information through hierarchy, the Internet is possible. The same approach was taken when designing the algorithm for coordinating global denial of service detection and traceback. [0107]
  • FIG. 8 provides a graphical overview of how a portion of the Internet—consisting, in this example, of three Autonomous Systems (ASes)—could be organized. The figure shows how the size of the autonomous system can be accommodated by increasing the corresponding number of zones. There are two types of zones: base zones and aggregate zones. A base zone is a zone that consists purely of a set of routers. These routers all reside within the same AS. The local detection and tracing system described above corresponds to the detection and tracing system for a base zone. Higher level zones, or aggregate zones, can be constructed from sets of base and other aggregate zones. In general, a single zone will not span multiple autonomous systems, but this is not strict. [0108]
  • The zones communicate with each other in a decentralized, distributed manner using the Anomaly Description Protocol (ADP), similar to the way global routing peers communicate using the Border Gateway Protocol. The global zone topology is constructed in three ways: local-AS configuration, peer-AS configuration, and remote-AS configuration. Zones within an autonomous system are configured—a local-AS configuration—to communicate with each other. Since they reside within the same administrative entity, their neighbor parameters can be set specifically. When crossing autonomous systems between AS peers, neighboring zones can also be set according to policy and topology constraints—a peer-AS configuration. When connecting zones to a non-ADP enabled AS, a resource discovery algorithm is used to determine the closest neighboring zones through the chain of non-participating peering ASes. [0109]
  • The zones operate autonomously, and share information about both local and remote attacks using the Anomaly Description Protocol. When an attack is detected locally, a zone propagates it to its neighbors using the ADP. This propagation includes the attack's signature, which can be used for both detection and blocking. When a zone receives an ADP message from one of its neighbors, it adds this attack to those the local zone looks for. It is further propagated to other neighboring zones only when it is detected locally. ADP messages are therefore constrained to their appropriate portion of the Internet, allowing for scalability. Moreover, when passing attack information to neighbors, the ADP attempts to aggregate it, so that multiple attacks described by the same aggregate profile result in a single ADP entry. [0110]
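The propagation rule above, as an added example that is not the patent's protocol definition or code: signatures from the origin zone are aggregated into prefix-level entries, each neighbor adds a received entry to its watch list, and a zone re-announces an entry to its other neighbors only if its own detector confirms the attack, so the messages follow the attack path and stop at zones the attack does not cross. Zone names, neighbor relations, the locally observed attacks and the /24 aggregation rule are constructed assumptions; real ADP message formats are not described on this page.

```python
"""ADP-style propagation between zones: an entry is forwarded only by zones that also
detect the attack locally, so messages stay confined to the attack's neighbourhood.

Added example, not the patent's protocol or code. Zones, neighbours, the locally
observed attacks and the /24 aggregation rule are constructed assumptions.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    neighbors: list
    local_attacks: set                            # (dst, proto, port) its own detector sees
    watch: set = field(default_factory=set)       # entries learned from neighbours
    forwarded: set = field(default_factory=set)   # entries already propagated (loop guard)


def aggregate(sigs, prefixlen=24):
    """Collapse signatures with the same proto/port whose targets share a prefix into one entry."""
    entries = set()
    for dst, proto, port in sigs:
        net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
        entries.add((str(net), proto, port))
    return entries


def matches(entry, sig):
    """Does a locally observed signature fall under an aggregated ADP entry?"""
    net, proto, port = entry
    return (proto, port) == (sig[1], sig[2]) and ipaddress.ip_address(sig[0]) in ipaddress.ip_network(net)


def propagate(zones, origin):
    """Flood the origin zone's aggregated entries; returns the (sender, receiver, entry) log."""
    log = []
    start = zones[origin]
    entries = aggregate(start.local_attacks)
    start.forwarded |= entries
    queue = deque((origin, nb, e) for nb in start.neighbors for e in entries)
    while queue:
        sender, receiver, entry = queue.popleft()
        log.append((sender, receiver, entry))
        z = zones[receiver]
        z.watch.add(entry)  # the receiver now looks for it, whether or not it sees it yet
        confirmed = any(matches(entry, s) for s in z.local_attacks)
        if confirmed and entry not in z.forwarded:
            z.forwarded.add(entry)
            queue.extend((receiver, nb, entry) for nb in z.neighbors if nb != sender)
    return log


T1, T2 = ("198.51.100.10", "udp", 53), ("198.51.100.11", "udp", 53)  # two targets, one /24


def demo_zones():
    """Constructed topology: targets in A1, transit through B1, attacker in C1."""
    return {
        "A1": Zone("A1", ["A2", "B1"], {T1, T2}),        # hosting-service zone with the targets
        "A2": Zone("A2", ["A1"], set()),                 # same AS, attack does not cross it
        "B1": Zone("B1", ["A1", "C1", "X1"], {T1, T2}),  # transit AS on the path
        "C1": Zone("C1", ["B1"], {T1, T2}),              # attacker's AS
        "X1": Zone("X1", ["B1"], set()),                 # peer of B1, not on the path
    }


def run_demo():
    zones = demo_zones()
    log = propagate(zones, "A1")
    on_path = sorted(z.name for z in zones.values() if z.forwarded)
    return log, on_path, zones


if __name__ == "__main__":
    log, on_path, _ = run_demo()
    print(len(log), "messages; zones on the attack path:", on_path)
```

Two targets in the same /24 collapse into a single entry, four messages are exchanged in total, and only A1, B1 and C1 (the zones the attack actually traverses) forward it; A2 and X1 learn the entry and watch for it but send nothing further.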
  • The StormDetector is a mechanism for identifying denial of service attacks within an ISP, a Web hosting service, or an enterprise network. It combines a network's dynamic profile, generated by the StormProfiler described above, with internal static signatures of denial of service attacks to instantly identify malicious traffic. This technology utilizes custom algorithms to identify denial of service attacks in the reams of incoming traffic flow statistics gathered from the routing infrastructure. [0111]
  • FIG. 10 demonstrates the utility of the StormDetector system. A host in ISP-A is bombarding a target server in the Web hosting service with a denial of service attack. However, the attacker is forging the return address on the packets in the attack, making it impossible to determine their true origin from the packets alone. The StormDetector's analysis engine receives flow statistics from the routers in the target's hosting service. From these statistics, it can detect the attack at some set of the affected routers along its path. This path leads directly from the target to ISP-A's border, where the attack originates. This example demonstrates the utility of the StormDetector deployed within a Web hosting service's network. It can also be used in both source and transit networks. [0112]
  • When employed at an attacker's originating network, StormDetector can pinpoint the location of the attacker. In this case, it will backtrack the attack directly to its source's first-hop router. It may be that the attacker is a zombie residing on a compromised machine in an enterprise network. In addition to uncovering those traditional launchpads, StormDetector will be instrumental in identifying attacks originating from home machines that connect to the Internet through persistent tier-2 ISP's ADSL or cable modem connections. [0113]
  • FIG. 9 represents the process for detecting anomalies in the network statistics within a single zone. At the start, the system picks a measurement node at random. A set of coarse flow statistics or packet header samples is collected. [0114]
  • This set of statistics is examined for anomalies. These anomalies include both clearly defined misuse of the network resources, and also significant differences between the profile of the various endpoints and the behavior measured in the sample. If any new anomalies are detected in the sample, they are added as conditional anomalies, and the collector is updated with these new conditional anomalies. Next, a refined sample is taken with respect to the pending conditional anomalies at the collector. The system then looks at the refined sample of the network statistics for the presence of both new conditional anomalies as well as old anomalies. For each anomaly found, its status is updated. The system then goes through the outstanding anomalies and prunes out any stale ones. Finally, the system updates the database with the latest summary statistics for each of the outstanding anomalies. The system then repeats, by beginning at the start node. [0115]
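The single-zone loop of FIG. 9, as an added example that is not the patent's code: a coarse sample turns deviations from the per-endpoint profile into conditional anomalies, the next refined sample is scoped to those pending keys, anomalies seen again are promoted to confirmed, and anomalies absent from several consecutive refined samples are pruned as stale. The baselines, sample values and the three thresholds (`DEVIATION`, `CONFIRM_HITS`, `STALE_MISSES`) are constructed assumptions.

```python
"""Per-zone anomaly loop: coarse sample -> conditional anomalies -> refined sample scoped
to them -> confirm or age out.

Added example, not the patent's code. Baselines, samples and thresholds are
constructed assumptions.
"""
from dataclasses import dataclass

BASELINE_PPS = {"198.51.100.10": 1000, "198.51.100.11": 500}  # trained per-endpoint profile
DEFAULT_PPS = 100     # baseline for endpoints the profile has not seen
DEVIATION = 10.0      # more than 10x the profile is a candidate anomaly
CONFIRM_HITS = 2      # refined samples that must agree before conditional -> confirmed
STALE_MISSES = 3      # consecutive refined samples without it before the anomaly is pruned


@dataclass
class Anomaly:
    dst: str
    status: str = "conditional"
    hits: int = 0
    misses: int = 0
    peak_pps: int = 0


def deviates(dst, pps):
    """Profile comparison: is this rate far outside the endpoint's baseline?"""
    return pps > DEVIATION * BASELINE_PPS.get(dst, DEFAULT_PPS)


class ZoneDetector:
    def __init__(self):
        self.outstanding = {}  # dst -> Anomaly

    def pending_keys(self):
        """Keys the collector is asked to refine its next sample on."""
        return set(self.outstanding)

    def step(self, coarse_sample, refined_sample):
        """One iteration over (dst, pps) samples; returns dst -> status for the database."""
        # 1. Coarse sample: new deviations become conditional anomalies.
        for dst, pps in coarse_sample:
            if deviates(dst, pps):
                a = self.outstanding.setdefault(dst, Anomaly(dst))
                a.peak_pps = max(a.peak_pps, pps)
        # 2. Refined sample restricted to the pending keys (a real collector filters on them).
        refined = {dst: pps for dst, pps in refined_sample if dst in self.outstanding}
        # 3. Update each outstanding anomaly from the refined sample.
        for a in self.outstanding.values():
            pps = refined.get(a.dst, 0)
            if deviates(a.dst, pps):
                a.hits, a.misses = a.hits + 1, 0
                a.peak_pps = max(a.peak_pps, pps)
                if a.hits >= CONFIRM_HITS:
                    a.status = "confirmed"
            else:
                a.misses += 1
        # 4. Prune stale anomalies, then report the summary for each one still outstanding.
        for dst in [d for d, a in self.outstanding.items() if a.misses >= STALE_MISSES]:
            del self.outstanding[dst]
        return {d: a.status for d, a in self.outstanding.items()}


if __name__ == "__main__":
    d = ZoneDetector()
    print(d.step([("198.51.100.10", 60000), ("198.51.100.11", 400)], [("198.51.100.10", 55000)]))
    print(d.step([], [("198.51.100.10", 58000)]))
```

Requiring agreement from a refined sample before confirming, and several misses before pruning, keeps a single noisy coarse sample from either triggering or cancelling a response; both counts are tuning knobs that trade detection latency against false positives.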
  • As previously mentioned, StormTracker includes a set of algorithms that provide the functionality for tracking anonymous denial of service attacks to their sources. These algorithms provide two main functions: directed searching and path reconstruction. Directed searching is an algorithm for quickly separating the attack traffic from the legitimate network traffic—essentially quickly finding needles in haystacks. By narrowing the scope of the upstream detection points, directed search provides the means for scalable tracking of large-scale attacks. Path reconstruction takes multiple measurements of distributed denial of service attacks and determines their global topology characteristics. Specifically, given a huge distributed denial of service attack, StormTracker allows many statistics collected from around the Internet to be quickly and robustly correlated to reconstruct the attack tree. [0116]
  • The StormTracker protocol binds these distributed detection points together. This protocol allows multiple autonomous StormDetectors to cooperate and exchange attack information, enabling a globally scoped solution. StormTracker needed a clear definition of denial of service attacks in order to communicate effectively. The StormTracker protocol codifies this definition as a standard for exchanging attack information between multiple StormDetector networks. [0117]
  • FIG. 11 shows an example of how two systems with StormDetectors can cooperate using the StormTracker protocol to trace the attack to its origin. [0118]
  • StormBreaker is another piece of the solution to denial of service attacks: stopping the attack. Specifically, once StormDetector and StormTracker trace an attack to its origin, the network uses StormBreaker to filter its effects. It protects the target by both guaranteeing it full connectivity to the Internet as well as ensuring its ability to provide legitimate clients with service. The StormBreaker technology works with both standard network infrastructure and custom filtering technology. Specifically, it can use the filtering abilities of both Cisco and Juniper routers for removing denial of service attacks. In addition to standard networking solutions, a custom filtering appliance has been developed that will remove attacks from an interposed link at high-speed line rates. This custom solution is based on the Intel IXP network processor. [0119]
  • The example in FIG. 12 shows the use of StormBreaker to block a denial of service attack at its source. The attack has compromised a machine in the enterprise network and has been attacking a host downstream in ISP-B. Once the attack has been detected and tracked to its origin, StormBreaker determines the appropriate filtering response. Specifically, StormBreaker uses knowledge about the topology and infrastructure components in a network to make the best filtering decision. In this example, StormBreaker applies a filtering rule to the attacker's router to remove its traffic from the network. [0120]
  • The overall system solution to denial of service attacks is comprehensive, sophisticated, scalable, and effective. The StormTools suite of solutions detects malicious attacks, as shown in FIG. 13, traces them back to their origin, as shown in FIG. 14, and removes their packets from the Internet, as shown in FIG. 15. Together they guarantee a host—such as a besieged Web server previously left incapacitated and unable to provide service to legitimate clients—sustained network connectivity to legitimate users. [0121]
  • While the best mode for carrying out the invention has been described in detail, those familiar with the art to which this invention relates will recognize various alternative designs and embodiments for practicing the invention as defined by the following claims. [0122]

Claims (20)

What is claimed is:
1. A method for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic, the method comprising:
collecting statistics at a plurality of measurement points located within forwarding infrastructure of the computer network; and
analyzing the statistics to reconstruct the path taken by the undesirable network traffic through the network from the source of the traffic.
2. The method as claimed in claim 1 further comprising blocking undesirable network traffic within the computer network upstream of the points based on the reconstructed path.
3. The method as claimed in claim 1 wherein the forwarding infrastructure includes at least one router.
4. The method as claimed in claim 1 wherein the statistics include flow-based statistics which provide information related to the same logical traffic flow.
5. The method as claimed in claim 1 wherein the statistics include packet statistics which provide information about a set of packets entering the forwarding infrastructure.
6. The method as claimed in claim 1 further comprising requesting and receiving upstream statistics from forwarding infrastructure of the computer network upstream of the measurement points and wherein the step of analyzing includes the step of analyzing the upstream statistics to reconstruct the path taken by the undesirable network traffic.
7. The method as claimed in claim 1 wherein the step of analyzing includes the step of extracting profiles from the statistics collected at the plurality of measurement points and comparing the profiles to reconstruct the path taken by the undesirable network traffic.
8. The method as claimed in claim 1 wherein the computer network is the Internet.
9. A system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic, the system comprising:
collectors for collecting statistics at a plurality of measurement points located within forwarding infrastructure of the computer network; and
at least one controller in communication with the collectors for analyzing the statistics to reconstruct the path taken by the undesirable network traffic through the network from the source of the traffic.
10. The system as claimed in claim 9 further comprising means in communication with the at least one controller for blocking undesirable network traffic within the computer network upstream of the points based on the reconstructed path.
11. The system as claimed in claim 9 wherein the forwarding infrastructure includes at least one router.
12. The system as claimed in claim 9 wherein the statistics include flow-based statistics which provide information related to the same logical traffic flow.
13. The system as claimed in claim 9 wherein the statistics include packet statistics which provide information about a set of packets entering the forwarding infrastructure.
14. The system as claimed in claim 9 further comprising means for requesting and receiving upstream statistics from forwarding infrastructure of the computer network upstream of the measurement points and wherein the at least one controller analyzes the upstream statistics to reconstruct the path taken by the undesirable network traffic.
15. The system as claimed in claim 9 wherein the controller extracts profiles from the statistics collected at the plurality of measurement points and compares the profiles to reconstruct the path taken by the undesirable network traffic.
16. The system as claimed in claim 9 wherein the computer network is the Internet.
17. The method as claimed in claim 1 wherein the undesirable network traffic includes denial of service attacks.
18. The method as claimed in claim 17 wherein the computer network includes a plurality of service provider networks.
19. The system as claimed in claim 9 wherein the undesirable network traffic includes denial of service attacks.
20. The system as claimed in claim 19 wherein the computer network includes a plurality of service provider networks.
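A worked example of the directed search and path reconstruction described in paragraph [0116], and of the collect, request-upstream, compare and block-upstream steps of claims 1, 2, 6 and 7 (added here as an illustration; it is not the patent's code, and the topology, victim address, per-interface rates and the attack threshold are all constructed):

```python
from typing import Dict, List, Tuple

VICTIM = "192.0.2.10"  # constructed victim address

# Constructed topology: (router, ingress interface) -> what sits upstream of that
# interface, either another router or a host-facing edge ("host:<addr>").
UPSTREAM: Dict[Tuple[str, str], str] = {
    ("R_victim", "if0"): "R_ispA",
    ("R_victim", "if1"): "R_ispB",
    ("R_ispA", "if0"): "R_entA1",
    ("R_ispA", "if1"): "R_entA2",
    ("R_ispB", "if0"): "R_entB1",
    ("R_entA1", "if0"): "host:10.1.1.7",
    ("R_entA2", "if0"): "host:10.1.2.3",
    ("R_entB1", "if0"): "host:10.2.0.4",
}

# Constructed flow statistics at each measurement point: (ingress_if, dst, pps).
# Source addresses are deliberately absent: when sources are spoofed only the
# per-interface counts taken inside the forwarding infrastructure can be trusted.
STATS: Dict[str, List[Tuple[str, str, float]]] = {
    "R_victim": [("if0", VICTIM, 8000.0), ("if1", VICTIM, 300.0), ("if1", "198.51.100.2", 500.0)],
    "R_ispA":   [("if0", VICTIM, 5000.0), ("if1", VICTIM, 3000.0)],
    "R_ispB":   [("if0", VICTIM, 300.0)],
    "R_entA1":  [("if0", VICTIM, 5000.0)],
    "R_entA2":  [("if0", VICTIM, 3000.0)],
    "R_entB1":  [("if0", VICTIM, 300.0)],
}


def attack_interfaces(router: str, victim: str, threshold: float,
                      stats: Dict[str, List[Tuple[str, str, float]]]) -> Dict[str, float]:
    """Ingress interfaces at `router` whose flow toward `victim` is at or above
    the (here constructed) profile-derived threshold, with the rate on each."""
    return {iface: pps for iface, dst, pps in stats.get(router, [])
            if dst == victim and pps >= threshold}


def reconstruct(victim: str, start: str, threshold: float,
                stats: Dict[str, List[Tuple[str, str, float]]],
                upstream: Dict[Tuple[str, str], str]):
    """Directed search from the victim's router back toward the sources.
    Only routers upstream of an interface that carries attack traffic are asked
    for statistics, which is what keeps the search scalable.
    Returns (tree, sources, queried): tree maps router -> upstream routers on
    the attack path, sources lists (edge router, host-facing label, pps) where
    a branch ends, queried is the order in which routers were asked for stats."""
    tree: Dict[str, List[str]] = {}
    sources: List[Tuple[str, str, float]] = []
    queried: List[str] = []

    def visit(router: str) -> None:
        queried.append(router)  # "requesting and receiving upstream statistics"
        tree[router] = []
        for iface, pps in sorted(attack_interfaces(router, victim, threshold, stats).items()):
            nxt = upstream.get((router, iface))
            if nxt is None:
                continue  # topology unknown beyond this interface: branch ends here
            if nxt.startswith("host:"):
                sources.append((router, nxt, pps))
            else:
                tree[router].append(nxt)
                if nxt not in tree:  # each measurement point is queried once
                    visit(nxt)

    visit(start)
    return tree, sources, queried


def filter_points(sources: List[Tuple[str, str, float]]) -> List[str]:
    """Claim 2 / StormBreaker: block at the edge router nearest each source
    rather than at the victim, so legitimate traffic elsewhere is untouched."""
    return sorted({router for router, _host, _pps in sources})


if __name__ == "__main__":
    tree, sources, queried = reconstruct(VICTIM, "R_victim", 1000.0, STATS, UPSTREAM)
    print("attack tree:", tree)
    print("sources:", sources)
    print("routers queried:", queried)
    print("filter at:", filter_points(sources))
```

Note that R_ispB carries only 300 pps toward the victim, below the threshold, so it and everything behind it are never queried; the branch through ISP-A is followed interface by interface to the two edge routers, which are the filter points.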

Priority Applications (1)

Application Number Priority Date Filing Date Title
US09/855,810 US20020032793A1 (en) 2000-09-08 2001-05-15 Method and system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US23147900P 2000-09-08 2000-09-08
US23148000P 2000-09-08 2000-09-08
US23148100P 2000-09-08 2000-09-08
US09/855,810 US20020032793A1 (en) 2000-09-08 2001-05-15 Method and system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic

Publications (1)

Publication Number Publication Date
US20020032793A1 true US20020032793A1 (en) 2002-03-14

Family

ID=27398191

Family Applications (3)

Application Number Title Priority Date Filing Date
US09/855,810 Abandoned US20020032793A1 (en) 2000-09-08 2001-05-15 Method and system for reconstructing a path taken by undesirable network traffic through a computer network from a source of the traffic
US09/855,818 Abandoned US20020035698A1 (en) 2000-09-08 2001-05-15 Method and system for protecting publicly accessible network computer services from undesirable network traffic in real-time
US09/855,809 Expired - Fee Related US6944673B2 (en) 2000-09-08 2001-05-15 Method and system for profiling network flows at a measurement point within a computer network

Family Applications After (2)

Application Number Title Priority Date Filing Date
US09/855,818 Abandoned US20020035698A1 (en) 2000-09-08 2001-05-15 Method and system for protecting publicly accessible network computer services from undesirable network traffic in real-time
US09/855,809 Expired - Fee Related US6944673B2 (en) 2000-09-08 2001-05-15 Method and system for profiling network flows at a measurement point within a computer network

Country Status (4)

Country Link
US (3) US20020032793A1 (en)
AU (3) AU2001274833A1 (en)
CA (3) CA2427291A1 (en)
WO (3) WO2002021802A1 (en)

US8199653B2 (en) 2006-08-22 2012-06-12 Embarq Holdings Company, Llc System and method for communicating network performance information over a packet network
US7808918B2 (en) 2006-08-22 2010-10-05 Embarq Holdings Company, Llc System and method for dynamically shaping network traffic
US8223655B2 (en) 2006-08-22 2012-07-17 Embarq Holdings Company, Llc System and method for provisioning resources of a packet network based on collected network performance information
US8015294B2 (en) 2006-08-22 2011-09-06 Embarq Holdings Company, LP Pin-hole firewall for communicating data packets on a packet network
WO2008047141A1 (en) * 2006-10-18 2008-04-24 British Telecommunications Public Limited Company Method and apparatus for monitoring a digital network
JP4658098B2 (en) * 2006-11-21 2011-03-23 日本電信電話株式会社 Flow information limiting apparatus and method
KR20080061055A (en) * 2006-12-28 2008-07-02 한국정보통신대학교 산학협력단 System and method for identifying p2p application service
US7853680B2 (en) * 2007-03-23 2010-12-14 Phatak Dhananjay S Spread identity communications architecture
US7773510B2 (en) * 2007-05-25 2010-08-10 Zeugma Systems Inc. Application routing in a distributed compute environment
US20080298230A1 (en) * 2007-05-30 2008-12-04 Luft Siegfried J Scheduling of workloads in a distributed compute environment
US8111692B2 (en) 2007-05-31 2012-02-07 Embarq Holdings Company Llc System and method for modifying network traffic
US7706291B2 (en) * 2007-08-01 2010-04-27 Zeugma Systems Inc. Monitoring quality of experience on a per subscriber, per session basis
US8374102B2 (en) * 2007-10-02 2013-02-12 Tellabs Communications Canada, Ltd. Intelligent collection and management of flow statistics
US7912965B2 (en) * 2007-10-12 2011-03-22 Informed Control Inc. System and method for anomalous directory client activity detection
US8068425B2 (en) 2008-04-09 2011-11-29 Embarq Holdings Company, Llc System and method for using network performance information to determine improved measures of path states
US8400452B2 (en) * 2008-05-08 2013-03-19 Motorola Solutions, Inc. Method and system for segmented propagation visualization
FR2932043B1 (en) * 2008-06-03 2010-07-30 Groupe Ecoles Telecomm Method for traceability and resurgence of push-started flows on communication networks, and method for transmitting information flow to secure data traffic and its recipients
US8413250B1 (en) 2008-06-05 2013-04-02 A9.Com, Inc. Systems and methods of classifying sessions
US8416695B2 (en) * 2008-06-30 2013-04-09 Huawei Technologies Co., Ltd. Method, device and system for network interception
US20100034102A1 (en) * 2008-08-05 2010-02-11 At&T Intellectual Property I, Lp Measurement-Based Validation of a Simple Model for Panoramic Profiling of Subnet-Level Network Data Traffic
US8009559B1 (en) 2008-08-28 2011-08-30 Juniper Networks, Inc. Global flow tracking system
ES2496982T3 (en) * 2008-09-30 2014-09-22 Orange Entity characterization procedure at the beginning of variations in a network traffic
US7987255B2 (en) * 2008-11-07 2011-07-26 Oracle America, Inc. Distributed denial of service congestion recovery using split horizon DNS
US8677473B2 (en) * 2008-11-18 2014-03-18 International Business Machines Corporation Network intrusion protection
US7990982B2 (en) * 2008-12-15 2011-08-02 At&T Intellectual Property I, L.P. Methods and apparatus to bound network traffic estimation error for multistage measurement sampling and aggregation
US8284764B1 (en) * 2008-12-15 2012-10-09 Narus, Inc. VoIP traffic behavior profiling method
US8904530B2 (en) * 2008-12-22 2014-12-02 At&T Intellectual Property I, L.P. System and method for detecting remotely controlled E-mail spam hosts
EP2262172A1 (en) * 2009-06-10 2010-12-15 Alcatel Lucent Method and scout agent for building a source database
US8654655B2 (en) * 2009-12-17 2014-02-18 Thomson Licensing Detecting and classifying anomalies in communication networks
CN102111394B (en) * 2009-12-28 2015-03-11 华为数字技术(成都)有限公司 Network attack protection method, equipment and system
EP2341683A1 (en) * 2009-12-30 2011-07-06 France Telecom Method of and apparatus for controlling traffic in a communication network
CN101808021A (en) * 2010-04-16 2010-08-18 华为技术有限公司 Fault detection method, device and system, message statistical method and node equipment
CN102137282B (en) * 2010-12-15 2014-02-19 华为技术有限公司 Method, device, nodes and system for detecting faulted link
EP2592814A1 (en) * 2011-11-08 2013-05-15 VeriSign, Inc. System and method for detecting DNS traffic anomalies
US9215151B1 (en) 2011-12-14 2015-12-15 Google Inc. Dynamic sampling rate adjustment for rate-limited statistical data collection
US8997227B1 (en) 2012-02-27 2015-03-31 Amazon Technologies, Inc. Attack traffic signature generation using statistical pattern recognition
US9742732B2 (en) * 2012-03-12 2017-08-22 Varmour Networks, Inc. Distributed TCP SYN flood protection
US20130291107A1 (en) * 2012-04-27 2013-10-31 The Irc Company, Inc. System and Method for Mitigating Application Layer Distributed Denial of Service Attacks Using Human Behavior Analysis
US8831019B2 (en) 2012-05-18 2014-09-09 Renesys Path reconstruction and interconnection modeling (PRIM)
AU2013332237A1 (en) * 2012-10-18 2015-05-14 Iix Corp. Method and apparatus for a distributed internet architecture
US9141791B2 (en) * 2012-11-19 2015-09-22 Hewlett-Packard Development Company, L.P. Monitoring for anomalies in a computing environment
US9532302B2 (en) * 2013-03-20 2016-12-27 Broadcom Corporation Communication network having proximity service discovery and device self-organization
US9172721B2 (en) 2013-07-16 2015-10-27 Fortinet, Inc. Scalable inline behavioral DDOS attack mitigation
US9485262B1 (en) * 2014-03-28 2016-11-01 Juniper Networks, Inc. Detecting past intrusions and attacks based on historical network traffic information
US9674207B2 (en) * 2014-07-23 2017-06-06 Cisco Technology, Inc. Hierarchical attack detection in a network
US9497215B2 (en) 2014-07-23 2016-11-15 Cisco Technology, Inc. Stealth mitigation for simulating the success of an attack
US10397082B2 (en) * 2014-08-07 2019-08-27 Citrix Systems, Inc. Internet infrastructure measurement method and system adapted to session volume
US9591018B1 (en) 2014-11-20 2017-03-07 Amazon Technologies, Inc. Aggregation of network traffic source behavior data across network-based endpoints
US20160246813A1 (en) * 2015-02-25 2016-08-25 International Business Machines Corporation System and method for machine information life cycle
US9525697B2 (en) 2015-04-02 2016-12-20 Varmour Networks, Inc. Delivering security functions to distributed networks
US11102173B2 (en) * 2015-06-26 2021-08-24 Mcafee, Llc Systems and methods for routing data using software-defined networks
US10148537B2 (en) * 2015-09-16 2018-12-04 Cisco Technology, Inc. Detecting oscillation anomalies in a mesh network using machine learning
US10341185B2 (en) * 2015-10-02 2019-07-02 Arista Networks, Inc. Dynamic service insertion
US10291634B2 (en) 2015-12-09 2019-05-14 Checkpoint Software Technologies Ltd. System and method for determining summary events of an attack
US10880316B2 (en) 2015-12-09 2020-12-29 Check Point Software Technologies Ltd. Method and system for determining initial execution of an attack
US10440036B2 (en) * 2015-12-09 2019-10-08 Checkpoint Software Technologies Ltd Method and system for modeling all operations and executions of an attack and malicious process entry
US9973528B2 (en) 2015-12-21 2018-05-15 Fortinet, Inc. Two-stage hash based logic for application layer distributed denial of service (DDoS) attack attribution
US9942253B2 (en) * 2016-01-15 2018-04-10 Kentlik Technologies, Inc. Network monitoring, detection, and analysis system
US10432650B2 (en) 2016-03-31 2019-10-01 Stuart Staniford System and method to protect a webserver against application exploits and attacks
US10574691B2 (en) 2016-06-21 2020-02-25 Imperva, Inc. Infrastructure distributed denial of service (DDoS) protection
US20180077227A1 (en) * 2016-08-24 2018-03-15 Oleg Yeshaya RYABOY High Volume Traffic Handling for Ordering High Demand Products
US10601778B2 (en) * 2016-09-15 2020-03-24 Arbor Networks, Inc. Visualization of traffic flowing through a host
US10417415B2 (en) * 2016-12-06 2019-09-17 General Electric Company Automated attack localization and detection
US10523609B1 (en) * 2016-12-27 2019-12-31 Fireeye, Inc. Multi-vector malware detection and analysis
CN107154867A (en) * 2017-04-24 2017-09-12 北京星网锐捷网络技术有限公司 Network fault detecting method and device
RU2665919C1 (en) * 2017-07-17 2018-09-04 Акционерное общество "Лаборатория Касперского" System and method of determination of ddos-attacks under failure of service servers
RU2659735C1 (en) * 2017-07-17 2018-07-03 Акционерное общество "Лаборатория Касперского" System and method of setting security systems under ddos attacks
US10785237B2 (en) * 2018-01-19 2020-09-22 General Electric Company Learning method and system for separating independent and dependent attacks
US10958649B2 (en) 2018-03-21 2021-03-23 Akamai Technologies, Inc. Systems and methods for internet-wide monitoring and protection of user credentials
CN109120627B (en) * 2018-08-29 2021-07-13 重庆邮电大学 6LoWPAN network intrusion detection method based on improved KNN
US11038902B2 (en) * 2019-02-25 2021-06-15 Verizon Digital Media Services Inc. Systems and methods for providing shifting network security via multi-access edge computing
US11477163B2 (en) * 2019-08-26 2022-10-18 At&T Intellectual Property I, L.P. Scrubbed internet protocol domain for enhanced cloud security
US11790081B2 (en) 2021-04-14 2023-10-17 General Electric Company Systems and methods for controlling an industrial asset in the presence of a cyber-attack
CN115988243A (en) * 2021-10-14 2023-04-18 中兴通讯股份有限公司 Fault positioning method and system, computer readable storage medium

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5448794A (en) * 1993-09-16 1995-09-12 Electrolux Corporation Corded handheld vacuum cleaner
US5774667A (en) 1996-03-27 1998-06-30 Bay Networks, Inc. Method and apparatus for managing parameter settings for multiple network devices
AU2935297A (en) * 1996-05-07 1997-11-26 Webline Communications Corporation Method and apparatus for coordinating internet multi-media content with telephone and audio communications
US6243667B1 (en) * 1996-05-28 2001-06-05 Cisco Systems, Inc. Network flow switching and flow data export
US5778184A (en) * 1996-06-28 1998-07-07 Mci Communications Corporation System method and computer program product for processing faults in a hierarchical network
US5878143A (en) * 1996-08-16 1999-03-02 Net 1, Inc. Secure transmission of sensitive information over a public/insecure communications medium
US6119236A (en) * 1996-10-07 2000-09-12 Shipley; Peter M. Intelligent network security device and method
US6574661B1 (en) * 1997-09-26 2003-06-03 Mci Communications Corporation Integrated proxy interface for web based telecommunication toll-free network management using a network manager for downloading a call routing tree to client
US6738814B1 (en) * 1998-03-18 2004-05-18 Cisco Technology, Inc. Method for blocking denial of service and address spoofing attacks on a private network
US6826694B1 (en) * 1998-10-22 2004-11-30 At&T Corp. High resolution access control
US6370648B1 (en) * 1998-12-08 2002-04-09 Visa International Service Association Computer network intrusion detection
US6446200B1 (en) * 1999-03-25 2002-09-03 Nortel Networks Limited Service management
US6625657B1 (en) * 1999-03-25 2003-09-23 Nortel Networks Limited System for requesting missing network accounting records if there is a break in sequence numbers while the records are transmitting from a source device
US6671811B1 (en) * 1999-10-25 2003-12-30 Visa International Service Association Features generation for use in computer network intrusion detection
US6772334B1 (en) * 2000-08-31 2004-08-03 Networks Associates, Inc. System and method for preventing a spoofed denial of service attack in a networked computing environment

Patent Citations (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4756019A (en) * 1986-08-27 1988-07-05 Edmund Szybicki Traffic routing and automatic network management system for telecommunication networks
US4817080A (en) * 1987-02-24 1989-03-28 Digital Equipment Corporation Distributed local-area-network monitoring system
US5179549A (en) * 1988-11-10 1993-01-12 Alcatel N.V. Statistical measurement equipment and telecommunication system using same
US5701484A (en) * 1990-05-18 1997-12-23 Digital Equipment Corporation Routing objects on action paths in a distributed computing system
US5315580A (en) * 1990-09-28 1994-05-24 Hewlett-Packard Company Network monitoring device and system
US5231593A (en) * 1991-01-11 1993-07-27 Hewlett-Packard Company Maintaining historical lan traffic statistics
US5243543A (en) * 1991-01-17 1993-09-07 Hewlett-Packard Company Remote LAN segment traffic monitor
US5649107A (en) * 1993-11-29 1997-07-15 Electronics And Telecommunications Research Institute Traffic statistics processing apparatus using memory to increase speed and capacity by storing partially manipulated data
US5606668A (en) * 1993-12-15 1997-02-25 Checkpoint Software Technologies Ltd. System for securing inbound and outbound data packet flow in a computer network
US5835726A (en) * 1993-12-15 1998-11-10 Check Point Software Technologies Ltd. System for securing the flow of and selectively modifying packets in a computer network
US5559814A (en) * 1994-03-11 1996-09-24 France Telecom Verification of integrity of data exchanged between two telecommunication network stations
US5511122A (en) * 1994-06-03 1996-04-23 The United States Of America As Represented By The Secretary Of The Navy Intermediate network authentication
US5787143A (en) * 1994-07-22 1998-07-28 Siemens Aktiengesellschaft Nuclear reactor fuel assembly
US5864683A (en) * 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
US5623601A (en) * 1994-11-18 1997-04-22 Milkway Networks Corporation Apparatus and method for providing a secure gateway for communication and data exchanges between networks
US5550984A (en) * 1994-12-07 1996-08-27 Matsushita Electric Corporation Of America Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information
US5570346A (en) * 1994-12-08 1996-10-29 Lucent Technologies Inc. Packet network transit delay measurement system
US5884025A (en) * 1995-05-18 1999-03-16 Sun Microsystems, Inc. System for packet filtering of data packet at a computer network interface
US5960177A (en) * 1995-05-19 1999-09-28 Fujitsu Limited System for performing remote operation between firewall-equipped networks or devices
US5961645A (en) * 1995-10-02 1999-10-05 At&T Corp. Filtering for public databases with naming ambiguities
US5781534A (en) * 1995-10-31 1998-07-14 Novell, Inc. Method and apparatus for determining characteristics of a path
US5761191A (en) * 1995-11-28 1998-06-02 Telecommunications Techniques Corporation Statistics collection for ATM networks
US5744667A (en) * 1995-12-28 1998-04-28 Texaco Inc. Preparation of trimethyl pentanes by hydrogen transfer
US6032189A (en) * 1996-02-06 2000-02-29 Nippon Telegraph And Telephone Corp. Network data distribution system
US5673322A (en) * 1996-03-22 1997-09-30 Bell Communications Research, Inc. System and method for providing protocol translation and filtering to access the world wide web from wireless or low-bandwidth networks
US5958052A (en) * 1996-07-15 1999-09-28 At&T Corp Method and apparatus for restricting access to private information in domain name systems by filtering information
US5828833A (en) * 1996-08-15 1998-10-27 Electronic Data Systems Corporation Method and system for allowing remote procedure calls through a network firewall
US5898830A (en) * 1996-10-17 1999-04-27 Network Engineering Software Firewall providing enhanced network security and user transparency
US6052788A (en) * 1996-10-17 2000-04-18 Network Engineering Software, Inc. Firewall providing enhanced network security and user transparency
US6061797A (en) * 1996-10-21 2000-05-09 International Business Machines Corporation Outside access to computer resources through a firewall
US5991881A (en) * 1996-11-08 1999-11-23 Harris Corporation Network surveillance system
US5778174A (en) * 1996-12-10 1998-07-07 U S West, Inc. Method and system for providing secured access to a server connected to a private computer network
US5864666A (en) * 1996-12-23 1999-01-26 International Business Machines Corporation Web-based administration of IP tunneling on internet firewalls
US5996011A (en) * 1997-03-25 1999-11-30 Unified Research Laboratories, Inc. System and method for filtering data received by a computer system
US5805803A (en) * 1997-05-13 1998-09-08 Digital Equipment Corporation Secure web tunnel
US5968176A (en) * 1997-05-29 1999-10-19 3Com Corporation Multilayer firewall system
US6134658A (en) * 1997-06-09 2000-10-17 Microsoft Corporation Multi-server location-independent authentication certificate management system
US6067569A (en) * 1997-07-10 2000-05-23 Microsoft Corporation Fast-forwarding and filtering of network packets in a computer system
US6067545A (en) * 1997-08-01 2000-05-23 Hewlett-Packard Company Resource rebalancing in networked computer systems
US6076168A (en) * 1997-10-03 2000-06-13 International Business Machines Corporation Simplified method of configuring internet protocol security tunnels
US6003133A (en) * 1997-11-17 1999-12-14 Motorola, Inc. Data processor with a privileged state firewall and method therefore
US6597684B1 (en) * 1997-12-24 2003-07-22 Nortel Networks Ltd. Distributed architecture and associated protocols for efficient quality of service-based route computation
US6078953A (en) * 1997-12-29 2000-06-20 Ukiah Software, Inc. System and method for monitoring quality of service over network
US6088804A (en) * 1998-01-12 2000-07-11 Motorola, Inc. Adaptive system and method for responding to computer network security attacks
US6134662A (en) * 1998-06-26 2000-10-17 Vlsi Technology, Inc. Physical layer security manager for memory-mapped serial communications interface
US6625156B2 (en) * 1998-06-29 2003-09-23 Nortel Networks Limited Method of implementing quality-of-service data communications over a short-cut path through a routed network
US6061331A (en) * 1998-07-28 2000-05-09 Gte Laboratories Incorporated Method and apparatus for estimating source-destination traffic in a packet-switched communications network
US6088796A (en) * 1998-08-06 2000-07-11 Cianfrocca; Francis Secure middleware and server control system for querying through a network firewall
US6735702B1 (en) * 1999-08-31 2004-05-11 Intel Corporation Method and system for diagnosing network intrusion
US6789203B1 (en) * 2000-06-26 2004-09-07 Sun Microsystems, Inc. Method and apparatus for preventing a denial of service (DOS) attack by selectively throttling TCP/IP requests
US20030105976A1 (en) * 2000-11-30 2003-06-05 Copeland John A. Flow-based detection of network intrusions

Cited By (75)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040221191A1 (en) * 1998-11-09 2004-11-04 Porras Phillip Andrew Network surveillance
US9407509B2 (en) 1998-11-09 2016-08-02 Sri International Network surveillance
US6708212B2 (en) 1998-11-09 2004-03-16 Sri International Network surveillance
US6704874B1 (en) 1998-11-09 2004-03-09 Sri International, Inc. Network-based alert management
US6711615B2 (en) 1998-11-09 2004-03-23 Sri International Network surveillance
US7694115B1 (en) 1998-11-09 2010-04-06 Sri International Network-based alert management system
US20100050248A1 (en) * 1998-11-09 2010-02-25 Sri International Network surveillance
US7594260B2 (en) 1998-11-09 2009-09-22 Sri International Network surveillance using long-term and short-term statistical profiles to determine suspicious network activity
US7934254B2 (en) 1998-12-09 2011-04-26 International Business Machines Corporation Method and apparatus for providing network and computer system security
US20080216173A1 (en) * 1999-07-29 2008-09-04 International Business Machines Corporation Method and Apparatus for Auditing Network Security
US7770225B2 (en) 1999-07-29 2010-08-03 International Business Machines Corporation Method and apparatus for auditing network security
US20070100936A1 (en) * 1999-12-07 2007-05-03 Internet Security Systems, Inc. Method and apparatus for remote installation of network drivers and software
US8006243B2 (en) 1999-12-07 2011-08-23 International Business Machines Corporation Method and apparatus for remote installation of network drivers and software
US7921459B2 (en) 2000-04-28 2011-04-05 International Business Machines Corporation System and method for managing security events on a network
US20020019945A1 (en) * 2000-04-28 2002-02-14 Internet Security System, Inc. System and method for managing security events on a network
US20020078381A1 (en) * 2000-04-28 2002-06-20 Internet Security Systems, Inc. Method and System for Managing Computer Security Information
US20030172289A1 (en) * 2000-06-30 2003-09-11 Andrea Soppera Packet data communications
US7367054B2 (en) * 2000-06-30 2008-04-29 British Telecommunications Public Limited Company Packet data communications
US7120931B1 (en) * 2000-08-31 2006-10-10 Cisco Technology, Inc. System and method for generating filters based on analyzed flow data
US20020059078A1 (en) * 2000-09-01 2002-05-16 Valdes Alfonso De Jesus Probabilistic alert correlation
US7917393B2 (en) 2000-09-01 2011-03-29 Sri International, Inc. Probabilistic alert correlation
US20080016569A1 (en) * 2000-10-10 2008-01-17 Internet Security Systems, Inc. Method and System for Creating a Record for One or More Computer Security Incidents
US9027121B2 (en) 2000-10-10 2015-05-05 International Business Machines Corporation Method and system for creating a record for one or more computer security incidents
US20020056076A1 (en) * 2000-10-24 2002-05-09 Vcis, Inc. Analytical virtual machine
US20020114522A1 (en) * 2000-12-21 2002-08-22 Rene Seeber System and method for compiling images from a database and comparing the compiled images with known images
US20020147803A1 (en) * 2001-01-31 2002-10-10 Dodd Timothy David Method and system for calculating risk in association with a security audit of a computer network
US20020104014A1 (en) * 2001-01-31 2002-08-01 Internet Security Systems, Inc. Method and system for configuring and scheduling security audits of a computer network
US7712138B2 (en) 2001-01-31 2010-05-04 International Business Machines Corporation Method and system for configuring and scheduling security audits of a computer network
US20070250935A1 (en) * 2001-01-31 2007-10-25 Zobel Robert D Method and system for configuring and scheduling security audits of a computer network
US20070118350A1 (en) * 2001-06-19 2007-05-24 Vcis, Inc. Analytical virtual machine
US7657419B2 (en) 2001-06-19 2010-02-02 International Business Machines Corporation Analytical virtual machine
US7356689B2 (en) * 2001-07-09 2008-04-08 Lucent Technologies Inc. Method and apparatus for tracing packets in a communications network
US20030009554A1 (en) * 2001-07-09 2003-01-09 Burch Hal Joseph Method and apparatus for tracing packets in a communications network
US20030120769A1 (en) * 2001-12-07 2003-06-26 Mccollom William Girard Method and system for determining autonomous system transit volumes
US7673137B2 (en) 2002-01-04 2010-03-02 International Business Machines Corporation System and method for the managed security control of processes on a computer system
US20040025015A1 (en) * 2002-01-04 2004-02-05 Internet Security Systems System and method for the managed security control of processes on a computer system
US20030159069A1 (en) * 2002-02-19 2003-08-21 Byeong Cheol Choi Network-based attack tracing system and method using distributed agent and manager system
US20030212902A1 (en) * 2002-05-13 2003-11-13 Van Der Made Peter A.J. Computer immune system and method for detecting unwanted code in a P-code or partially compiled native-code program executing within a virtual machine
WO2004028107A2 (en) * 2002-09-11 2004-04-01 Kaemper Peter Monitoring of data transmissions
WO2004028107A3 (en) * 2002-09-11 2004-06-17 Peter Kaemper Monitoring of data transmissions
US20060015943A1 (en) * 2002-11-14 2006-01-19 Michel Mahieu Method and device for analyzing an information sytem security
US7913303B1 (en) 2003-01-21 2011-03-22 International Business Machines Corporation Method and system for dynamically protecting a computer system from attack
US20040148520A1 (en) * 2003-01-29 2004-07-29 Rajesh Talpade Mitigating denial of service attacks
US7382769B1 (en) * 2003-02-07 2008-06-03 Juniper Networks, Inc. Automatic filtering to prevent network attacks
US8949458B1 (en) 2003-02-07 2015-02-03 Juniper Networks, Inc. Automatic filtering to prevent network attacks
US7657938B2 (en) 2003-10-28 2010-02-02 International Business Machines Corporation Method and system for protecting computer networks by altering unwanted network data traffic
US20050120243A1 (en) * 2003-10-28 2005-06-02 Internet Security Systems, Inc. Method and system for protecting computer networks by altering unwanted network data traffic
US7721329B2 (en) * 2003-11-18 2010-05-18 Aol Inc. Method and apparatus for trust-based, fine-grained rate limiting of network requests
US10164956B2 (en) 2003-11-18 2018-12-25 Facebook, Inc. Method and system for trust-based processing of network requests
US20100146612A1 (en) * 2003-11-18 2010-06-10 Aol Inc. Method and apparatus for trust-based, fine-grained rate limiting of network requests
US10021081B2 (en) 2003-11-18 2018-07-10 Facebook, Inc. Method and apparatus for trust-based, fine-grained rate limiting of network requests
US20050108551A1 (en) * 2003-11-18 2005-05-19 Toomey Christopher N. Method and apparatus for trust-based, fine-grained rate limiting of network requests
US20130028259A1 (en) * 2005-04-05 2013-01-31 Cohen Donald N System for finding potential origins of spoofed internet protocol attack traffic
US8806634B2 (en) * 2005-04-05 2014-08-12 Donald N. Cohen System for finding potential origins of spoofed internet protocol attack traffic
US7889735B2 (en) * 2005-08-05 2011-02-15 Alcatel-Lucent Usa Inc. Method and apparatus for defending against denial of service attacks in IP networks based on specified source/destination IP address pairs
US20070030850A1 (en) * 2005-08-05 2007-02-08 Grosse Eric H Method and apparatus for defending against denial of service attacks in IP networks based on specified source/destination IP address pairs
US7729271B2 (en) * 2005-10-20 2010-06-01 Alaxala Networks Corporation Detection method for abnormal traffic and packet relay apparatus
US20070115850A1 (en) * 2005-10-20 2007-05-24 Kazuaki Tsuchiya Detection method for abnormal traffic and packet relay apparatus
US20080101352A1 (en) * 2006-10-31 2008-05-01 Microsoft Corporation Dynamic activity model of network services
US20080103729A1 (en) * 2006-10-31 2008-05-01 Microsoft Corporation Distributed detection with diagnosis
US7949745B2 (en) 2006-10-31 2011-05-24 Microsoft Corporation Dynamic activity model of network services
US20080267083A1 (en) * 2007-04-24 2008-10-30 Microsoft Corporation Automatic Discovery Of Service/Host Dependencies In Computer Networks
US7821947B2 (en) 2007-04-24 2010-10-26 Microsoft Corporation Automatic discovery of service/host dependencies in computer networks
US9166990B2 (en) * 2009-02-09 2015-10-20 Hewlett-Packard Development Company, L.P. Distributed denial-of-service signature transmission
US20100212005A1 (en) * 2009-02-09 2010-08-19 Anand Eswaran Distributed denial-of-service signature transmission
WO2013105991A3 (en) * 2011-02-17 2013-10-17 Sable Networks, Inc. Methods and systems for detecting and mitigating a high-rate distributed denial of service (ddos) attack
US9167004B2 (en) 2011-02-17 2015-10-20 Sable Networks, Inc. Methods and systems for detecting and mitigating a high-rate distributed denial of service (DDoS) attack
US8151341B1 (en) * 2011-05-23 2012-04-03 Kaspersky Lab Zao System and method for reducing false positives during detection of network attacks
US8302180B1 (en) * 2011-05-23 2012-10-30 Kaspersky Lab Zao System and method for detection of network attacks
US9485164B2 (en) 2012-05-14 2016-11-01 Sable Networks, Inc. System and method for ensuring subscriber fairness using outlier detection
US9774501B2 (en) 2012-05-14 2017-09-26 Sable Networks, Inc. System and method for ensuring subscriber fairness using outlier detection
US10616270B2 (en) 2014-11-10 2020-04-07 Nippon Telegraph And Telephone Corporation Optimization apparatus, optimization method, and optimization program
US10185830B1 (en) * 2014-12-31 2019-01-22 EMC IP Holding Company LLC Big data analytics in a converged infrastructure system
US20220321588A1 (en) * 2021-04-05 2022-10-06 Marvell Israel (M.I.S.L) Ltd. Anomaly detection for networking
WO2022214875A1 (en) * 2021-04-05 2022-10-13 Marvell Israel (M.I.S.L) Ltd. Anomaly detection for networking

Also Published As

Publication number Publication date
WO2002021801A1 (en) 2002-03-14
WO2002021244A2 (en) 2002-03-14
CA2427238A1 (en) 2002-03-14
CA2427291A1 (en) 2002-03-14
US20020035698A1 (en) 2002-03-21
WO2002021244A3 (en) 2002-07-18
AU2001259781A1 (en) 2002-03-22
US6944673B2 (en) 2005-09-13
CA2427236A1 (en) 2002-03-14
AU2001263150A1 (en) 2002-03-22
AU2001274833A1 (en) 2002-03-22
WO2002021802A1 (en) 2002-03-14
US20020032717A1 (en) 2002-03-14

Similar Documents

Publication Publication Date Title
US6944673B2 (en) Method and system for profiling network flows at a measurement point within a computer network
Ghorbani et al. Network intrusion detection and prevention: concepts and techniques
Ballani et al. A study of prefix hijacking and interception in the Internet
Zheng et al. A light-weight distributed scheme for detecting IP prefix hijacks in real-time
Murdoch et al. Sampled traffic analysis by internet-exchange-level adversaries
Abliz Internet denial of service attacks and defense mechanisms
Meghanathan et al. Tools and techniques for network forensics
Gao et al. A dos resilient flow-level intrusion detection approach for high-speed networks
Alaidaros et al. An overview of flow-based and packet-based intrusion detection performance in high speed networks
Kumar et al. Traceback techniques against DDOS attacks: a comprehensive review
Fajana et al. Torbot stalker: Detecting tor botnets through intelligent circuit data analysis
Molina et al. Operational experiences with anomaly detection in backbone networks
Takahashi et al. Taxonomical approach to the deployment of traceback mechanisms
Suresh et al. A review on various DPM traceback schemes to detect DDoS attacks
Muraleedharan et al. ADRISYA: a flow based anomaly detection system for slow and fast scan
Onut et al. Toward a feature classification scheme for network intrusion detection
Liu et al. TAP: A Traffic-Aware Probabilistic Packet Marking for Collaborative DDoS Mitigation
Ramah Houerbi et al. Scan Surveillance in Internet Networks: (Work in Progress)
Ramachandran et al. Monitoring stealthy network conversations with sampled traffic
Dodopoulos DNS-based Detection of Malicious Activity
Murugesan et al. UDP based IP Traceback for Flooding DDoS Attack.
Tian et al. An incrementally deployable network traceback scheme
Priescu et al. Design of traceback methods for tracking DoS attacks
Lin et al. Speedily, efficient and adaptive streaming algorithms for real-time detection of flooding attacks
Liu A collaborative defense framework against DDoS attacks in networks

Legal Events

Date Code Title Description
AS Assignment

Owner name: REGENTS OF THE UNIVERSITY OF MICHIGAN, THE, MICHIG

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MALAN, GERALD R.;JAHANIAN, FARNAM;REEL/FRAME:011813/0370

Effective date: 20010511

AS Assignment

Owner name: AIR FORCE, UNITED STATES, NEW YORK

Free format text: CONFIRMATORY LICENSE;ASSIGNOR:MICHIGAN, UNIVERSITY OF;REEL/FRAME:012095/0106

Effective date: 20010810

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION