Detecting traffic anomalies based on application-aware rolling baseline aggregates
US-2015039749-A1 · Feb 5, 2015 · US
US10587638B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10587638-B2 |
| Application number | US-201916391216-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 22, 2019 |
| Priority date | Feb 9, 2018 |
| Publication date | Mar 10, 2020 |
| Grant date | Mar 10, 2020 |
Abstract
Embodiments are directed to monitoring network traffic over a network using one or more network monitoring computers. A monitoring engine may be instantiated to perform actions, including: monitoring network traffic to identify client requests provided by clients and server responses provided by servers in response to the client requests; determining request metrics associated with the client requests; and determining response metrics associated with the server responses. An analysis engine may be instantiated that performs actions, including: comparing the request metrics with the response metrics; determining atypical behavior associated with the clients based on the comparison, such that the atypical behavior includes an absence of adaptation by the clients to changes in the server responses; and providing alerts that may identify the clients that are associated with the atypical behavior.
Claims (preview)
What is claimed as new and desired to be protected by Letters Patent of the United States is:

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more networking computers perform the method comprising: determining one or more clients providing a plurality of requests and determining one or more servers providing a plurality of responses to the plurality of requests; determining one or more request metrics associated with the plurality of requests; comparing the one or more request metrics to one or more previously determined request metrics for other clients, wherein the comparison is employed to identify each client associated with at least one request metric that is non-equivalent to the one or more previously determined request metrics; providing one or more prearranged modifications to at least a portion of the plurality of responses that are provided by the one or more servers to at least a portion of the plurality of requests provided by each identified client; and in response to determining atypical adaptation to the one or more prearranged modifications by one or more of the identified clients, performing further actions including: providing a risk score for each identified client that provides atypical adaptation to the one or more prearranged modifications, wherein the risk score is increased based on an increase in an amount of atypical adaptation over time, and wherein the risk score is decreased based on a decrease in the amount of atypical adaptation over time; and providing a notification of the atypical adaptation to a user.
2. The method of claim 1, wherein the determining the atypical adaptation further comprises: comparing one or more request send rates associated with the one or more identified clients to one or more response send rates for the one or more servers; and determining the one or more atypical behavior of the one or more identified clients based on the comparison, wherein the one or more request send rates associated with the one or more identified clients increases or remains constant as the one or more response send rates for the one or more servers decreases.
3. The method of claim 1, further comprising: employing client-side code to determine when the one or more of the identified clients are typically adapting to interaction with one or more features of one or more applications instead of atypically adapting to the one or more prearranged modifications.
4. The method of claim 1, wherein the identification of each client further comprises identifying each client that is communicating with one or more of an application protocol or a previously determined application.
5. The method of claim 1, wherein the identification of each client further comprises identifying each client based on a high disparity in computational resources employed to provide one or more of the plurality of server responses correlated to one or more of the plurality of client requests.
6. The method of claim 1, wherein the monitored network traffic further comprises monitoring network traffic that is internally communicated within one or more of a network or a portion of the network.
7. A processor readable non-transitory storage media that includes instructions for monitoring network traffic, wherein execution of the instructions by one or more networking monitoring computers perform the method comprising: determining one or more clients providing a plurality of requests and determining one or more servers providing a plurality of responses to the plurality of requests; determining one or more request metrics associated with the plurality of requests; comparing the one or more request metrics to one or more previously determined request metrics for other clients, wherein the comparison is employed to identify each client associated with at least one request metric that is non-equivalent to the one or more previously determined request metrics; providing one or more prearranged modifications to at least a portion of the plurality of responses that are provided by the one or more servers to at least a portion of the plurality of requests provided by each identified client; and in response to determining atypical adaptation to the one or more prearranged modifications by one or more of the identified clients, performing further actions including: providing a risk score for each identified client that provides atypical adaptation to the one or more prearranged modifications, wherein the risk score is increased based on an increase in an amount of atypical adaptation over time, and wherein the risk score is decreased based on a decrease in the amount of atypical adaptation over time; and providing a notification of the atypical adaptation to a user.
8. The media of claim 7, wherein the determining the atypical adaptation further comprises: comparing one or more request send rates associated with the one or more identified clients to one or more response send rates for the one or more servers; and determining the one or more atypical behavior of the one or more identified clients based on the comparison, wherein the one or more request send rates associated with the one or more identified clients increases or remains constant as the one or more response send rates for the one or more servers decreases.
9. The media of claim 7, further comprising: employing client-side code to determine when the one or more of the identified clients are typically adapting to interaction with one or more features of one or more applications instead of atypically adapting to the one or more prearranged modifications.
10. A network monitoring computer (NMC) for monitoring network traffic, comprising: a memory that stores at least instructions; and one or more processors that execute instructions that perform actions, including: determining one or more clients providing a plurality of requests and determining one or more servers providing a plurality of responses to the plurality of requests; determining one or more request metrics associated with the plurality of requests; comparing the one or more request metrics to one or more previously determined request metrics for other clients, wherein the comparison is employed to identify each client associated with at least one request metric that is non-equivalent to the one or more previously determined request metrics; providing one or more prearranged modifications to at least a portion of the plurality of responses that are provided by the one or more servers to at least a portion of the plurality of requests provided by each identified client; and in response to determining atypical adaptation to the one or more prearranged modifications by one or more of the identified clients, performing further actions including: providing a risk score for each identified client that provides atypical adaptation to the one or more prearranged modifications, wherein the risk score is increased based on an increase in an amount of atypical adaptation over time, and wherein the risk score is decreased based on a decrease in the amount of atypical adaptation over time; and providing a notification of the atypical adaptation to a user.
11. The NMC of claim 10, wherein the determining the atypical adaptation further comprises: comparing one or more request send rates associated with the one or more identified clients to one or more response send rates for the one or more servers; and determining the one or more atypical behavior of the one or more identified clients based on the comparison, wherein the one or more request send rates associated with the one or more
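The core detection logic of the claims is the rate comparison of claims 2, 8 and 11 (a client whose request send rate holds steady or rises while the server's response send rate falls is not adapting) combined with the time-varying risk score of claims 1, 7 and 10 (the score rises while atypical adaptation is observed and falls once it stops). The following Python is an added illustration of that logic and is not code from the patent or its assignee; the per-window rate samples, the 10% drop threshold, the score increment and decay values, and the alert threshold are all constructed assumptions. The identification step of claim 1 (comparing a client's request metrics against other clients' metrics) is treated as already done, so the windows below belong to already-identified clients.

```python
"""Risk scoring for clients that fail to adapt to a falling server response rate.

Each client is described by a sequence of per-window (request_rate, response_rate)
pairs in requests/second, as a monitoring engine might aggregate from observed traffic.
"""
from typing import Dict, List, Tuple

Window = Tuple[float, float]  # (client request send rate, server response send rate)

# Constructed sample data (assumption, not from the patent). From the third window
# onward the server's response rate drops, e.g. because of a prearranged throttle.
# The first client backs off as responses slow down; the second keeps pushing.
SAMPLE_WINDOWS: Dict[str, List[Window]] = {
    "client-A": [(50, 50), (52, 52), (48, 30), (30, 28), (20, 20), (21, 21)],
    "client-B": [(50, 50), (51, 51), (52, 30), (55, 25), (60, 20), (60, 20), (45, 20)],
}

# Tunable assumptions for the illustration.
RATE_DROP_THRESHOLD = 0.10  # response rate must fall by more than 10% to count as a change
SCORE_INCREMENT = 1.0       # added for each window showing atypical adaptation
SCORE_DECAY = 0.5           # removed for each window without it (score never below 0)
ALERT_THRESHOLD = 2.0       # notify the user once a client's score reaches this value


def is_atypical(prev: Window, cur: Window) -> bool:
    """True when the server's response rate dropped between two windows but the
    client's request rate stayed constant or increased (claims 2, 8 and 11)."""
    prev_req, prev_resp = prev
    cur_req, cur_resp = cur
    response_dropped = cur_resp < prev_resp * (1 - RATE_DROP_THRESHOLD)
    client_did_not_back_off = cur_req >= prev_req
    return response_dropped and client_did_not_back_off


def score_client(windows: List[Window]) -> List[float]:
    """Return the risk score after each window transition. The score rises while
    atypical adaptation persists and decays once the client starts adapting again."""
    score = 0.0
    history: List[float] = []
    for prev, cur in zip(windows, windows[1:]):
        if is_atypical(prev, cur):
            score += SCORE_INCREMENT
        else:
            score = max(0.0, score - SCORE_DECAY)
        history.append(score)
    return history


def find_atypical_clients(windows_by_client: Dict[str, List[Window]],
                          threshold: float = ALERT_THRESHOLD) -> Dict[str, float]:
    """Map each client whose score ever reached the threshold to its final score,
    i.e. the set of clients for which a notification would be raised."""
    alerts: Dict[str, float] = {}
    for client, windows in windows_by_client.items():
        history = score_client(windows)
        if history and max(history) >= threshold:
            alerts[client] = history[-1]
    return alerts


if __name__ == "__main__":
    for client, windows in SAMPLE_WINDOWS.items():
        print(client, "risk score history:", score_client(windows))
    for client, final_score in find_atypical_clients(SAMPLE_WINDOWS).items():
        print(f"ALERT: {client} showed atypical adaptation (final risk score {final_score})")
```

With the constructed data, client-A never scores above zero because its request rate falls with the response rate, while client-B accumulates a score of 3.0 over three consecutive non-adapting windows and then decays to 2.0 once it finally backs off, so only client-B is reported. A production monitor would derive the windows from observed flows and would additionally need the baseline comparison against other clients that claim 1 describes.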
CPC classification titles:
- Traffic logging, e.g. anomaly detection
- Denial of service attacks against endpoints in a network
- Denial of Service