Title of invention: Detecting network attacks
Abstract: This disclosure generally relates to the generation of a packet signature for packets determined to correspond to a network attack, such as a denial of service (“DoS”) attack. Specifically, a set of data packets captured during normal system operations can be analyzed to determine a set of baseline attributes. Additional packets captured during an attack can be compared to the baseline attributes, to determine, for individual packets, a probability that the packet forms a part of the attack. A packet signature can then be generated to identify attributes that are characteristic of the attack. That signature can then be used to filter out packets and mitigate the attack.
Publication number: US9432387(B2) | Publication date: 2016.08.30
Application number: US201514671843 | Filing date: 2015.03.27
Applicant: Amazon Technologies, Inc. | Inventors: Mhatre Amit J.;Kiggins Andrew John;Diggins Michael F.
Classification: H04L29/06;G06F21/56 | Main classification: H04L29/06
Agency: Knobbe, Martens, Olson & Bear, LLP | Agent: Knobbe, Martens, Olson & Bear, LLP
Main claim: 1. A computer-implemented method comprising: receiving a first set of network data packets transmitted to a target system when no attack on the target system has been detected; receiving a second set of network data packets transmitted to the target system during an attack on the target system; for individual network data packets of the second set of network data packets, assigning to the individual network data packet a probability that the individual data packet is associated with the attack, wherein the probabilities that individual data packets are associated with the attack are determined based at least in part on a comparison of the first and second sets of network data packets; and generating a packet signature for the attack based at least partly on analyzing attributes of individual network data packets of the second set of network data packets according to the probabilities that the individual data packets are associated with the attack.
Address: Seattle WA US