Method and apparatus for large-scale automated distributed denial of service attack detection Patent uri icon

abstract

  • A multi-staged framework for detecting and diagnosing Denial of Service attacks is disclosed in which a low-cost anomaly detection mechanism is first used to collect coarse data, such as may be obtained from Simple Network Management Protocol (SNMP) data flows. Such data is analyzed to detect volume anomalies that could possibly be indicative of a DDoS attack. If such an anomaly is suspected, incident reports are then generated and used to trigger the collection and analysis of fine grained data, such as that available in Netflow data flows. Both types of collection and analysis are illustratively conducted at edge routers within the service provider network that interface customers and customer networks to the service provider. Once records of the more detailed information have been retrieved, they are examined to determine whether the anomaly represents a distributed denial of service attack, at which point an alarm is generated.

author list (cited authors)

  • Duffield, N., Van Der Merwe, J., Sekar, V., & Spatscheck, O.

complete list of authors

  • Duffield, N||Van Der Merwe, J||Sekar, V||Spatscheck, O

publication date

  • December 2007