Detection of denial of service attacks

US10270794B1 · US · B1

Patent metadata

Publication number: US-10270794-B1
Application number: US-201815893519-A
Country: US
Kind code: B1
Filing date: Feb 9, 2018
Priority date: Feb 9, 2018
Publication date: Apr 23, 2019
Grant date: Apr 23, 2019

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Embodiments are directed to monitoring network traffic over a network using one or more network monitoring computers. A monitoring engine may be instantiated to perform actions, including: monitoring network traffic to identify client requests provided by clients and server responses provided by servers in response to the client requests; determining request metrics associated with the client requests; and determining response metrics associated with the server responses. An analysis engine may be instantiated that performs actions, including: comparing the request metrics with the response metrics; determining atypical behavior associated with the clients based on the comparison such that the atypical behavior includes an absence of adaption by the clients to changes in the server responses; and providing alerts that may identify the clients associated with the atypical behavior.

First claim

Opening claim text (preview).

What is claimed as new and desired to be protected by Letters Patent of the United States is:

1. A method for monitoring network traffic between two or more network computers using one or more network monitoring computers, wherein execution of instructions by the one or more networking monitoring computers perform the method comprising: instantiating a monitoring engine to perform actions, including: monitoring network traffic to identify one or more client requests provided by one or more clients and one or more server responses provided by one or more servers to the one or more client requests; determining one or more request metrics that are associated with baseline behavior for the one or more client requests; determining one or more response metrics that are associated with baseline behavior for the one or more server responses; and instantiating an analysis engine that performs actions, comprising: comparing the one or more request metrics for the identified one or more clients to previously determined one or more request metrics for a class of other clients; determining atypical behavior associated with the one or more identified clients based on the comparison, wherein the atypical behavior includes an absence of adaption by the one or more identified clients to one or more synthetic modifications that increase one or more of an apparent latency or delay in the one or more server responses; and providing one or more alerts that identify the one or more identified clients associated with the atypical behavior.

2. The method of claim 1, wherein the comparison of the one or more request metrics and the one or more response metrics, further comprises: comparing one or more transaction rates associated with the one or more identified clients and the one or more servers to one or more client request send rates; determining one or more atypical behavior clients based on the comparison, wherein the one or more client request send rates associated with the one or more atypical behavior clients increases or remains constant as the one or more transaction rates decrease.

3. The method of claim 1, wherein the analysis engine performs further actions, comprising: comparing the one or more client requests to one or more expected client requests that are based on an application provided by the one or more servers; and determining one or more atypical behavior clients based on the comparison, wherein the one or more atypical behavior clients send one or more of the one or more client requests that include atypical communication with the application.

4. The method of claim 1, wherein the analysis engine performs further actions, comprising: correlating the one or more client requests with the one or more server responses based on one or more characteristics of the one or more client requests and the one or more server responses; comparing the one or more correlated client requests with the one or more correlated server responses; determining one or more atypical behavior clients based on a result of the correlated comparison.

5. The method of claim 1, wherein the analysis engine performs further actions, comprising: assigning a weight value to the one or more client requests based on a payload size or a performance load associated with the one or more server responses; and determining one or more atypical behavior clients based on the one or more weighted client requests, wherein the one or more atypical behavior clients send the one or more client requests that are weighted more than the one or more weighted client requests associated with one or more other clients that perform typical behavior.

6. The method of claim 1, wherein the analysis engine performs further actions, including modifying one or more network characteristics of the one or more server responses to the one or more identified clients, wherein the modification increases the apparent latency or transaction rate of the one or more servers to reduce a rate of the one or more server responses.

7. The method of claim 1, wherein the monitoring engine performs further actions, comprising: monitoring network traffic that occurs inside a trusted network; and collecting the one or more request metrics and the one or more response metrics based on the network traffic that occurs inside the trusted network.

8. A processor readable non-transitory storage media that includes instructions for monitoring network traffic between two or more network computers using one or more network monitoring computers, wherein execution of the instructions by the one or more networking monitoring computers perform the method comprising: instantiating a monitoring engine to perform actions, including: monitoring network traffic to identify one or more client requests provided by one or more clients and one or more server responses provided by one or more servers to the one or more client requests; determining one or more request metrics that are associated with baseline behavior for the one or more client requests; determining one or more response metrics that are associated with baseline behavior for the one or more server responses; and instantiating an analysis engine that performs actions, comprising: comparing the one or more request metrics for the identified one or more clients to previously determined one or more request metrics for a class of other clients; determining atypical behavior associated with the one or more identified clients based on the comparison, wherein the atypical behavior includes an absence of adaption by the one or more identified clients to one or more synthetic modifications that increase one or more of an apparent latency or delay in the one or more server responses; and providing one or more alerts that identify the one or more identified clients associated with the atypical behavior.

9. The media of claim 8, wherein the comparison of the one or more request metrics and the one or more response metrics, further comprises: comparing one or more transaction rates associated with the one or more identified clients and the one or more servers to one or more client request sent rates; determining one or more atypical behavior clients based on the comparison, wherein the one or more client request send rates associated with the one or more atypical behavior clients increases or remains constant as the one or more transaction rates decrease.

10. The media of claim 8, wherein the analysis engine performs further actions, comprising: comparing the one or more client requests to one or more expected client requests that are based on an application provided by the one or more servers; and determining one or more atypical behavior clients based on the comparison, wherein the one or more atypical behavior clients send one or more of the one or more client requests that include atypical communication with the application.

11. The media of claim 8, wherein the analysis engine performs further actions, comprising: correlating the one or more client requests with the one or more server responses based on one or more characteristics of the one or more client requests and the one or more server responses; comparing the one or more correlated client requests with the one or more correlated server responses; determining one or more atypical behavior clients based on a result of the correlated comparison.

12. The media of claim 8, wherein the analysis engine performs further actions, comprising: assigning a weight value to the one or more client requests based on a payload size or a performance load associated with the one or more server responses; and determining one or more
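The detection idea in claims 1, 2 and 6 can be stated concretely: a well-behaved client in a request/response protocol runs closed-loop, so when the monitor synthetically delays the server's responses its transaction rate drops and its request send rate drops with it; a client that keeps sending at the same or a higher rate while its transactions slow is showing the "absence of adaption" the claims describe. The Python below is an added illustration written for this page, not code from the patent or from ExtraHop. Every client address, per-window count and threshold in it is constructed for the example; the patent does not specify any of these values or the particular statistic (here a median across the other clients) used for the "class of other clients" comparison.

```python
"""Illustrative detector for non-adapting clients (constructed example, not patent code).

SAMPLE holds, per client, one (requests_sent, responses_completed) pair per
1-second window. The first DELAY_START windows are the baseline; the monitor
then applies a synthetic response delay (claim 6) that roughly halves the
server's transaction rate, and the remaining windows show each client's reaction.
"""
from statistics import median

# Constructed per-window counts: (requests sent by client, responses completed).
SAMPLE = {
    "10.0.0.11": [(20, 20), (21, 21), (19, 19), (11, 10), (10, 10), (9, 9)],    # closed-loop client: backs off
    "10.0.0.12": [(40, 40), (38, 38), (41, 41), (20, 20), (21, 21), (19, 19)],  # another well-behaved client
    "10.0.0.13": [(25, 25), (26, 26), (25, 25), (25, 12), (26, 13), (27, 13)],  # keeps sending regardless
    "10.0.0.14": [(5, 5), (5, 5), (6, 6), (8, 3), (12, 3), (15, 3)],            # ramps up as the server slows
}
DELAY_START = 3  # index of the first window measured after the synthetic delay was applied


def mean(values):
    values = list(values)
    return sum(values) / len(values)


def adaptation(windows, delay_start):
    """Return (send_ratio, txn_ratio): after/before ratios of the client's
    request send rate and of its completed-transaction rate (claim 2 metrics)."""
    before, after = windows[:delay_start], windows[delay_start:]
    send_ratio = mean(r for r, _ in after) / mean(r for r, _ in before)
    txn_ratio = mean(c for _, c in after) / mean(c for _, c in before)
    return send_ratio, txn_ratio


def find_atypical(sample, delay_start, tolerance=0.05):
    """Flag clients whose send rate stays constant or rises while their
    transaction rate falls (claim 2), and whose reaction is out of line with
    the class of other clients (claim 1). Returns {client: evidence}."""
    ratios = {client: adaptation(windows, delay_start) for client, windows in sample.items()}
    alerts = {}
    for client, (send_ratio, txn_ratio) in ratios.items():
        if txn_ratio >= 1.0 - tolerance:
            continue  # transactions did not slow for this client, so there is nothing to judge
        # Baseline for "the class of other clients": median send-rate reaction of everyone else.
        class_send_ratio = median(s for c, (s, _) in ratios.items() if c != client)
        no_adaption = send_ratio >= 1.0 - tolerance        # constant or increasing send rate
        out_of_class = send_ratio > class_send_ratio + tolerance
        if no_adaption and out_of_class:
            alerts[client] = {
                "send_ratio": round(send_ratio, 2),
                "txn_ratio": round(txn_ratio, 2),
                "class_send_ratio": round(class_send_ratio, 2),
            }
    return alerts


if __name__ == "__main__":
    for client, evidence in find_atypical(SAMPLE, DELAY_START).items():
        print(f"ALERT {client}: {evidence}")
```

Run against the constructed sample, the two clients that kept sending (or accelerated) while their completed transactions halved are reported, and the two closed-loop clients are not. The `tolerance` guard matters in practice: a client whose transactions did not actually slow cannot be judged on this signal, and a small tolerance keeps noise in the baseline from producing alerts on clients whose send rate merely wobbles.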

Assignees

  • Extrahop Networks Inc

Inventors

Classifications

  • Denial of service attacks against endpoints in a network · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • Denial of Service · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10270794B1 cover?
Embodiments are directed to monitoring network traffic over a network using one or more network monitoring computers. A monitoring engine may be instantiated to perform actions, including: monitoring network traffic to identify client requests provided by clients and server responses provided by servers in response to the client requests; determining request metrics associated with the client r…
Who is the assignee on this patent?
Extrahop Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 23, 2019 (kind code B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).