Network firewall for mitigating against persistent low volume attacks

US11405359B2 · US · B2

Patent metadata
Publication number: US-11405359-B2
Application number: US-202017129170-A
Country: US
Kind code: B2
Filing date: Dec 21, 2020
Priority date: Feb 28, 2018
Publication date: Aug 2, 2022
Grant date: Aug 2, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A network firewall detects and protects against persistent low volume attacks based on a sequence of network data having a pattern that matches by some threshold or percentage a sequence of network data from an earlier iteration of the same persistent low volume attack. The attack patterns are derived from tokenizing one or more elements from a captured sequence of network data that is representative of an attack iteration. Counts for different resulting tokens may be stored in a feature vector that represents the attack pattern. If subsequent sequences of network data have a sufficient number of similar tokens, a pattern match can be identified and the firewall can take protective action including blacklisting the sending clients, blocking the traffic, redirecting the traffic, sending a problem to verify the sender is an actual user, or other actions.

First claim

Opening claim text (preview).

We claim:

1. A method comprising: receiving a first plurality of data packets; detecting a pattern based on a different count with which each feature from a first set of features is present in a subset of the first plurality of data packets, wherein the subset of the first plurality of data packets comprises two or more data packets; receiving a second plurality of data packets with a plurality of source network addresses; tracking a different count by which each feature from a second set of features is present in the second plurality of data packets; determining that the second set of features reproduces the pattern based on the different count for each feature of the first set of features matching the different count for each feature of the second set of features by a threshold amount; and performing an attack protection against a third plurality of data packets from the plurality of source network addresses in response to determining that the second set of features reproduces the pattern.

2. The method of claim 1 further comprising: determining that the second plurality of data packets do not contain malicious payloads and are sent at a rate that satisfies a threshold for valid traffic; and determining that the third plurality of data packets do not contain malicious payloads and are sent at a rate that satisfies a threshold for valid traffic.

3. The method of claim 1 further comprising: distributing the second plurality of data packets from a firewall device to a set of servers specified as recipients for the second plurality of data packets after determining the second set of features; and wherein performing the attack protection comprises blocking the third plurality of data packets at the firewall device and preventing distribution of the third plurality of data packets from the firewall device to the set of servers.

4. The method of claim 1 further comprising: activating the attack protection across a distributed platform by providing the plurality of source network addresses from a first firewall device at a first site of the distributed platform to at least a second firewall device at a second site of the distributed platform in response to determining that the second set of features reproduces the pattern at the first firewall device.

5. The method of claim 1 further comprising: activating the attack protection across a distributed platform by providing the pattern from a first firewall device at a first site of the distributed platform to at least a second firewall device at a second site of the distributed platform in response to determining that the second set of features reproduces the pattern at the first firewall device.

6. The method of claim 1 further comprising: detecting anomalies in data packets from a set of client devices, wherein detecting the anomalies comprises detecting one or more of static values or erratically changing values in the data packets from the set of client devices that differ from an expected set of values; and wherein receiving the first plurality of data packets comprises monitoring subsequent data packets from the set of client devices, and filtering from said monitoring, data packets of other client devices.

7. The method of claim 1, wherein detecting the pattern comprises: tokenizing different length segments from the first plurality of data packets into a set of tokens; and determining a first sequence with which a particular subset of the set of tokens repeats in the subset of the first plurality of data packets.

8. The method of claim 7, wherein tokenizing the different length segments comprises: hashing each different length segment from the first plurality of data packets; and generating a feature vector from a result of hashing the different length segments in one or more data packets.

9. The method of claim 1, wherein detecting the pattern comprises: tokenizing different length segments from the first plurality of data packets into the first set of features; and generating a feature vector comprising a canonical representation for the different count that each feature in the first set of features appears in the subset of the first plurality of data packets.

10. The method of claim 1, wherein each feature of the first set of features comprises a different length segment that is extracted from one or more of a data packet header and Uniform Resource Locator (“URL”) path.

11. The method of claim 1, wherein determining that the second set of features reproduce the pattern comprises: detecting that a sequence of two or more data packets in the second plurality of data packets from different client devices include a sequence of features that matches the pattern, and wherein the pattern comprises a corresponding sequence of features from two or more data packets of the first plurality of data packets; and adding the plurality of source network addresses to a blocking list.

12. The method of claim 11 further comprising: receiving a fourth plurality of data packets; detecting that different sequences of features from different sequences of two or more data packets in the fourth plurality of data packets do not match the pattern; and distributing the fourth plurality of data packets without adding source network addresses from the fourth plurality of data packets to the blocking list.

13. The method of claim 1, wherein determining that the second set of features reproduce the pattern comprises: detecting a repeat of a particular percentage of features in the second plurality of data packets and the subset of the first plurality of data packets.

14. The method of claim 1, wherein determining that the second set of features reproduce the pattern comprises: determining that the second set of features from the second plurality of data packets include values that are within a threshold amount of values from the first set of features.

15. The method of claim 1, wherein the second plurality of data packets and the third plurality of data packets are part of a same persistent low volume attack occurring over a particular duration of time, and wherein performing the attack protection comprises stopping the persistent low volume attack after detecting the pattern in the second plurality of data packets.

16. The method of claim 1, wherein detecting the pattern comprises: generating a feature vector as a signature of a particular low volume attack based on a specific sequencing of two or more features from the first set of features in two or more different data packets of the subset of the first plurality of data packets.

17. The method of claim 1, wherein detecting the pattern comprises: parsing a URL from each data packet of the first plurality of data packets into different length substrings; and defining the pattern based on a number of times each different length substring is found in the subset of the first plurality of data packets.

18. The method of claim 17, wherein determining that the second set of features reproduce the pattern comprises: detecting that the second plurality of data packets include a threshold number of same different length substrings as the pattern; and detecting that other data packets from other source network addresses do not include the threshold number of the same different length substrings as the pattern.

19. A network firewall device comprising: one or more processors configured to: receive a first plurality of data packets; detect a pattern based on a different count with which each feature fro
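The count-based matching that claims 1, 8, 9, 11 to 13, 17 and 18 describe, as an added toy implementation. This is not the patent's own code nor anything published by Verizon Digital Media Services or Edgecast; it only illustrates the mechanism. Each request's URL path and query is split into variable-length segments (the "different length segments" of claims 10 and 17), each segment is hashed (claim 8), per-window counts form the feature vector (claim 9), and a later window "reproduces the pattern" when a threshold fraction of the signature's counts recurs (claim 13). Matching windows put every source address in the window on the blocking list (claim 11); non-matching windows add nothing (claims 12 and 18). The window size, threshold, delimiter set, sample paths and addresses are all assumptions constructed for the example; note that request rate plays no part, which is the point of claim 2.

```python
"""
Added example, not code from the patent or from Verizon / Edgecast: a toy
implementation of the count-based pattern match in the claims. Sample
traffic, paths and addresses below are constructed for illustration.
"""
import hashlib
from collections import Counter
from typing import Dict, List, Set

WINDOW = 4          # assumed: packets per iteration compared (claim 1: "two or more")
THRESHOLD = 0.8     # assumed: fraction of signature counts that must recur (claim 13)
DELIMS = "/?&="     # assumed: URL characters that bound a "different length segment"

Packet = Dict[str, str]   # {"src": source address, "path": URL path plus query}


def segments(path: str) -> List[str]:
    """Split a URL path and query into variable-length segments (claims 10, 17)."""
    out, cur = [], ""
    for ch in path:
        if ch in DELIMS:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def feature_vector(packets: List[Packet]) -> Counter:
    """Hash every segment (claim 8) and count occurrences across the window (claim 9).
    Keying on the full digest avoids bucket collisions that would inflate overlap."""
    fv: Counter = Counter()
    for pkt in packets:
        for seg in segments(pkt["path"]):
            fv[hashlib.blake2b(seg.encode(), digest_size=8).hexdigest()] += 1
    return fv


def reproduction(signature: Counter, observed: Counter) -> float:
    """Fraction of the signature's feature counts that the observed window reproduces."""
    total = sum(signature.values())
    if total == 0:
        return 0.0
    overlap = sum(min(n, observed.get(f, 0)) for f, n in signature.items())
    return overlap / total


def detect(signature: Counter, traffic: List[Packet]) -> Set[str]:
    """Slide a window over later traffic. A window that reproduces the signature by
    THRESHOLD contributes all of its source addresses to the blocking list (claim 11);
    windows that do not match contribute nothing (claims 12, 18)."""
    blocked: Set[str] = set()
    for i in range(len(traffic) - WINDOW + 1):
        window = traffic[i:i + WINDOW]
        if reproduction(signature, feature_vector(window)) >= THRESHOLD:
            blocked.update(p["src"] for p in window)
    return blocked


def enforce(traffic: List[Packet], blocked: Set[str]) -> List[Packet]:
    """Attack protection on the 'third plurality' of packets: drop blocked sources (claim 3)."""
    return [p for p in traffic if p["src"] not in blocked]


# Constructed sample: one captured iteration of the attack (the "first plurality").
CAPTURED_ITERATION: List[Packet] = [
    {"src": "198.51.100.10", "path": "/api/v2/search?q=laptop&sort=price"},
    {"src": "198.51.100.11", "path": "/api/v2/export?fmt=csv&range=all"},
    {"src": "198.51.100.12", "path": "/account/orders?page=1"},
    {"src": "198.51.100.13", "path": "/api/v2/search?q=phone&sort=price"},
]

# Constructed sample: later traffic (the "second plurality"). Packets 1-4 repeat the
# iteration from fresh addresses with slightly different values; the rest is benign.
LATER_TRAFFIC: List[Packet] = [
    {"src": "203.0.113.5", "path": "/products/123"},
    {"src": "203.0.113.6", "path": "/api/v2/search?q=tablet&sort=price"},
    {"src": "203.0.113.7", "path": "/api/v2/export?fmt=csv&range=all"},
    {"src": "203.0.113.8", "path": "/account/orders?page=2"},
    {"src": "203.0.113.9", "path": "/api/v2/search?q=camera&sort=price"},
    {"src": "203.0.113.10", "path": "/about"},
    {"src": "203.0.113.11", "path": "/blog/post-1"},
]

# Constructed sample: the next iteration (the "third plurality"), plus one new benign client.
NEXT_ITERATION: List[Packet] = [
    {"src": "203.0.113.6", "path": "/api/v2/search?q=watch&sort=price"},
    {"src": "203.0.113.12", "path": "/products/777"},
]


def run() -> Dict[str, object]:
    """Build the signature, scan later traffic, and filter the next iteration."""
    signature = feature_vector(CAPTURED_ITERATION)
    blocked = detect(signature, LATER_TRAFFIC)
    return {"blocked": blocked, "passed": enforce(NEXT_ITERATION, blocked)}


if __name__ == "__main__":
    print(run())
```

The match here is count-based and order-insensitive, which is claims 9 and 13; the sequence-sensitive variant of claims 7 and 16 would additionally compare the order in which features appear across the window. The returned blocking list is also what claims 4 and 5 would hand to firewall devices at other sites of a distributed platform.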

Assignees

Verizon Digital Media Services Inc; Edgecast Inc
Inventors

Classifications

  • Denial of Service · CPC title

  • Filtering by information in the payload · CPC title

  • Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11405359B2 cover?
A network firewall detects and protects against persistent low volume attacks based on a sequence of network data having a pattern that matches by some threshold or percentage a sequence of network data from an earlier iteration of the same persistent low volume attack. The attack patterns are derived from tokenizing one or more elements from a captured sequence of network data that is represen…
Who is the assignee on this patent?
Verizon Digital Media Services Inc, Edgecast Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0245. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 2, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).