DENIAL OF SERVICE AND OTHER RESOURCE EXHAUSTION DEFENSE AND MITIGATION USING TRANSITION TRACKING

摘要

Described is a method and system for determining a suspect in a resource exhaustion attack, for example DDoS (Distributed Denial of Service Attack), against a target processor using transitions between data processing requests. For example, a first website request followed by a second website request received from a remote sender at a server is determined to be statistically unusual transition and thus may raise suspicion about the remote sender. Such transitions for the remote sender can be cumulatively evaluated.

主权项

1. A method of determining a first suspect in a resource exhaustion attack against a target automated processor communicatively connected to a data communication network, the method comprising:
monitoring a plurality of data processing requests received over the data communication network from a remote sender; identifying a first transition, dependent on a first sequence of data processing requests comprising a first data processing request of the plurality of data processing requests and a second data processing request of the plurality of data processing requests; determining, with an automated processor, a first anomaly profile for the remote sender based on a first anomaly representation assigned to the first transition and a second anomaly representation determined for the remote sender; determining, with the automated processor, based on the first anomaly profile, that the remote sender is the first suspect in the resource exhaustion attack; and based on the determining of the first suspect, taking action with the automated processor of at least one of: communicating a message dependent on the determining, and modifying at least one data processing request of the plurality of data processing requests.