Abstract:
A method is disclosed for protecting a network against a denial-of-service attack by inspecting application layer messages at a network element. According to one aspect, when a network element intercepts data packets that contain an application layer message, the network element constructs the message from the payload portions of the packets. The network element determines whether the message satisfies specified criteria. The criteria may indicate characteristics of messages that are suspected to be involved in a denial-of-service attack, for example. If the message satisfies the specified criteria, then the network element prevents the data packets that contain the message from being received by the application for which the message was intended. The network element may accomplish this by dropping the packets, for example. As a result, the application's host does not waste processing resources on messages whose only purpose might be to deluge and overwhelm the application.
Abstract:
Disclosed are systems and methods for detecting a malicious computer system. An exemplary method comprises: collecting, via a processor, characteristics of a computer system; determining relations between the collected characteristics of the computer system; determining a time dependency of at least one state of the computer system based on the determined relations; determining the at least one state of the computer system based at least on the determined time dependency; and analyzing the at least one state of the computer system against selected patterns representing a legitimate or malicious computer system to determine a degree of harmfulness of the computer system.
Abstract:
A denial-of-service protection system may include a memory operable to store a behavior model and a processor communicatively coupled to the memory. The processor is capable of detecting a potential attack on the system and receiving a first request from an endpoint. In response to receiving the first request from the endpoint, the processor may communicate an error to the endpoint. The processor may also receive a second request from the endpoint and determine whether the second request from the endpoint deviates from the behavior model. If the second request from the endpoint deviates from the behavior model, the processor may deny traffic from the endpoint. If the second request from the endpoint does not deviate from the behavior model, then the processor may allow traffic from the endpoint.
Abstract:
A method for mitigating a denial of service attack includes determining, for a client (105), a number of requests (115) being transmitted to a server (110) and determining, for the client, that the number of requests for a time period is greater than a top talker threshold. The method includes classifying the client as a top talker based on the number of requests being greater than the top talker threshold and identifying, for the client, additional requests being transmitted to the server. The method also includes determining whether a number of the additional requests matches one or more attack patterns and preventing one or more of the additional requests from being transmitted to the server if the number of additional requests that matches one or more attack patterns is greater than a first threshold.
Abstract:
A method (200) of detecting anomalies in a communication system (100), the method comprising: providing (202) a first packet flow portion (PFP1) and a second packet flow portion (PFP2); extracting (203) samples of a symbolic packet feature (x) associated with a traffic status of the first and second packet flow portions; computing (204) from said extracted samples a first statistical concentration quantity (Cq1) and a second statistical concentration quantity (Cq2) of the symbolic feature associated with the first and second packet flow portions, respectively; computing (205) from said concentration quantities a variation quantity (Δ) representing a concentration change from the first packet flow portion to the second packet flow portion; comparing (206) the variation quantity (Δ) with a comparison value (Thr); and detecting (207) an anomaly in the system in response to said comparison.
Abstract:
Systems (30), program product (91), and methods related to dynamic Internet security and risk assessment and management are provided. For example, a system (30), program product (91), and method of identifying and servicing actual customer requests to a defended or protected computer or server (31) can include the steps/operations of receiving, by the defended computer (31), a service request from each of a plurality of IP addresses, each associated with a separate one of a plurality of service requesting computers (71, 81); sending an inspection code adapted to perform a virtual attack on each of the service requesting computers (71, 81) at its respective associated IP address; and restricting provision of services from the defended computer (31) to a subset (81) of the service requesting computers (71, 81) identified for restriction when a security feature of the respective service requesting computer (71, 81) is determined to have been defeated by the virtual attack.
Abstract:
The invention describes a method and system of protecting computer systems from attacks over a network to which the computer system is connected, the method comprising the steps of (a) establishing, during attack-free operation of the computer system, a database in the form of a source-IP histogram storing all requests received from all senders at the computer system; (b) calculating and storing a smoothed source-IP histogram from the source-IP histogram obtained in step (a); (c) applying a probability threshold to the smoothed source-IP histogram to differentiate between acceptable senders and senders to be rejected; (d) monitoring requests to the computer system; and (e) accepting a new sender if its assumed probability value derived from the smoothed source-IP histogram exceeds the threshold.
Abstract:
Disclosed is a method and system for identifying a controller of a first computer transmitting a network attack to an attacked computer. To identify an attacker implementing the attack on the attacked computer, the present invention traces the attack back to the controller one hop at a time. The invention examines traces of the attacked computer to identify the first computer. Traffic transmitted to the first computer is redirected through a monitoring complex before being transmitted to the first computer. The controller is then detected from traffic monitoring by the monitoring complex.
Abstract:
A method of identifying traffic within a network that is representative of an abnormal network condition, including: monitoring a communications link for a high traffic volume level; identifying a domain that is the source of the high traffic volume level; identifying, within the domain, a sending entity transmitting traffic from the domain; and using a detector located at or proximate to the domain to send a message that invokes a response from the sending entity; wherein a failure by the sending entity to provide the expected response to the message in accordance with a network protocol indicates that the traffic transmitted by the sending entity is traffic representative of an abnormal network condition.