Patent · US Active

Application-level DDoS detection using service profiling

US9521162B1 · kind B1 · utility

Cited by: 14
References: 1
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Nov 21, 2014
Grant date: Dec 13, 2016
Priority date
Expiry date: Nov 21, 2034

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/145
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A method for detecting a malicious network activity. The method includes extracting, based on a pre-determined criterion, a plurality of protection phase feature sequences extracted from a first plurality of network traffic sessions exchanged during a protection phase between a server device and a first plurality of client devices of a network, comparing the plurality of protection phase feature sequences and a plurality of profiling phase feature sequences to generate a comparison result, where the plurality of profiling phase feature sequences were extracted from a second plurality of network traffic sessions exchanged during a profiling phase prior to the protection phase between the server device and a second plurality of client devices of the network, and generating, in response to detecting a statistical measure of the comparison result exceeding a pre-determined threshold, an alert indicating the malicious network activity.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.