公开(公告)号：US11985162B2

公开(公告)日：2024-05-14

申请号：US17678662

申请日：2022-02-23

申请人： Arbor Networks, Inc.

发明人： Steinthor Bjarnason

IPC分类号： H04L9/40 ,  H04L61/4511

CPC分类号： H04L63/1458 ,  H04L61/4511 ,  H04L63/1425

摘要： A computer method and system for determining patterns in network traffic packets having structured subfields for generating filter candidate regular expressions for DDoS attack mitigation. Stored packets are analyzed to extract a query name for each stored packet. Each query name is segregated into subfields. A Results-table is generated utilizing the segregated subfields of the query names. A Field-length table is generated that contains the length of the Field Values (Field-length) for each Field Name and an associated counter indicating how many instances the Field-length for a Field Name is present in the extracted query names. The Field-length table is analyzed to determine patterns of equal length in the “Results” table. Utilizing the Patterns table, unique combinations of the Field Values are generated as a filter candidate regular expression for DDoS attack mitigation purposes.

公开(公告)号：US11876808B2

公开(公告)日：2024-01-16

申请号：US16790461

申请日：2020-02-13

申请人： Arbor Networks, Inc.

发明人： Bhargav Pendse

IPC分类号： H04L9/00 ,  H04L9/40

CPC分类号： H04L63/1416 ,  H04L63/1483

摘要： A method, system, and computer-implemented method to manage threats to a protected network having a plurality of internal production systems is provided. The method includes monitoring network traffic from the plurality of internal production systems of a protected network for domain names. For each internal production system, a first collection of each unique domain name that is output by the internal production system is determined over the course of a long time interval. For each internal production system, a second collection of each unique domain name that is output by the internal production system is determined over the course of a short time interval. Domain names in the first and second collections associated with the plurality of internal production systems are compared to determine suspicious domain names that meet a predetermined condition. A request is output to treat the suspicious the suspicious domain names as being suspicious.

公开(公告)号：US20230269269A1

公开(公告)日：2023-08-24

申请号：US17678662

申请日：2022-02-23

申请人： Arbor Networks, Inc.

发明人： Steinthor Bjarnason

IPC分类号： H04L9/40 ,  H04L61/4511

CPC分类号： H04L63/1458 ,  H04L63/1425 ,  H04L61/1511

摘要： A computer method and system for determining patterns in network traffic packets having structured subfields for generating filter candidate regular expressions for DDoS attack mitigation. Stored packets are analyzed to extract a query name for each stored packet. Each query name is segregated into subfields. A Results-table is generated utilizing the segregated subfields of the query names. A Field-length table is generated that contains the length of the Field Values (Field-length) for each Field Name and an associated counter indicating how many instances the Field-length for a Field Name is present in the extracted query names. The Field-length table is analyzed to determine patterns of equal length in the “Results” table. Utilizing the Patterns table, unique combinations of the Field Values are generated as a filter candidate regular expression for DDoS attack mitigation purposes.

公开(公告)号：US11601456B2

公开(公告)日：2023-03-07

申请号：US16990098

申请日：2020-08-11

申请人： Arbor Networks, Inc.

发明人： Sean O'Hara ,  Archana A. Rajaram

IPC分类号： H04L29/06 ,  H04L9/40

摘要： A method is provided for inspecting network traffic. The method, performed in a single contained device, includes receiving network traffic inbound from an external host that is external to the protected network flowing to a protected host of the protected network, wherein the network traffic is transported by a secure protocol that implements ephemeral keys that endure for a limited time. The method further includes performing a first transmission control protocol (TCP) handshake with the external host, obtaining source and destination data during the first TCP handshake, the source and destination data including source and destination link and internet addresses obtained, caching the source and destination data, and using the cached source and destination data to obtain a Layer-7 request from the external host to the protected host and to pass a Layer-7 response from the protected host to the external host.

公开(公告)号：US11601369B1

公开(公告)日：2023-03-07

申请号：US17464177

申请日：2021-09-01

申请人： Arbor Networks, Inc.

发明人： Brian St. Pierre

IPC分类号： G06F15/16 ,  H04L47/2441 ,  H04L47/2483 ,  H04L47/215 ,  H04L47/122 ,  H04L47/2425

摘要： A computer method and system for prioritizing network traffic flow to a protected computer network. Network traffic flowing from one or more external hosts to the protected computer network is intercepted and intercepted data packets are dropped if forwarding the intercepted data packet to the protected network would cause the value of the bandwidth of network traffic flow to the protected network to exceed a configured overall traffic bandwidth threshold value associated with the protected network. If not dropped, the intercepted data packet is analyzed to determine a classification type for the intercepted data packet based upon prescribed criteria wherein each classification type has an assigned classification bandwidth threshold value, wherein the classification bandwidth threshold value is less than the overall traffic bandwidth threshold value for the protected network. The intercepted data packet is dropped if forwarding the intercepted data packet would cause the value of the bandwidth of traffic flow to the protected network to exceed the bandwidth threshold value assigned to the determined classification type of the intercepted packets.

公开(公告)号：US20230063243A1

公开(公告)日：2023-03-02

申请号：US17464177

申请日：2021-09-01

申请人： Arbor Networks, Inc.

发明人： Brian St. Pierre

IPC分类号： H04L12/851 ,  H04L12/803 ,  H04L12/819

摘要： A computer method and system for prioritizing network traffic flow to a protected computer network. Network traffic flowing from one or more external hosts to the protected computer network is intercepted and intercepted data packets are dropped if forwarding the intercepted data packet to the protected network would cause the value of the bandwidth of network traffic flow to the protected network to exceed a configured overall traffic bandwidth threshold value associated with the protected network. If not dropped, the intercepted data packet is analyzed to determine a classification type for the intercepted data packet based upon prescribed criteria wherein each classification type has an assigned classification bandwidth threshold value, wherein the classification bandwidth threshold value is less than the overall traffic bandwidth threshold value for the protected network. The intercepted data packet is dropped if forwarding the intercepted data packet would cause the value of the bandwidth of traffic flow to the protected network to exceed the bandwidth threshold value assigned to the determined classification type of the intercepted packets.

公开(公告)号：US11431589B2

公开(公告)日：2022-08-30

申请号：US16663056

申请日：2019-10-24

申请人： Arbor Networks, Inc.

发明人： Brian St. Pierre ,  Peter Allen Jensen ,  Timothy David Dodd

IPC分类号： H04L43/028 ,  G06F17/18 ,  H04L43/045 ,  G06F9/455 ,  G06F8/41

摘要： A logical expression engine and computer-implemented method for optimizing evaluation of a logical expression is provided. The method includes receiving an original logical expression to be applied by a computer program for processing input information, the original logical expression having at least one operator and a subexpression disposed on each side of a related operator of the at least one related operator. The method further includes receiving statistics accumulated about how the computer program applies the subexpressions of the original logical expression for processing the input information received by the computer program, using the accumulated statistics to optimize the order in which the subexpressions would be applied by the computer program, and outputting for application by the computer program an optimized logical expression having the subexpressions ordered in accordance with the optimized order.

公开(公告)号：US20220078205A1

公开(公告)日：2022-03-10

申请号：US17017379

申请日：2020-09-10

申请人： Arbor Networks, Inc.

发明人： Steinthor Bjarnason ,  Brian St. Pierre

IPC分类号： H04L29/06 ,  H04L12/24 ,  G06K9/62

摘要： A method of automated filtering includes receiving a network traffic snapshot having packets with data stored in respective fields, generating a statistical data structure storing each potential unique combination of data stored in respective fields with an associated counter that is incremented for each occurrence that the combination matches one of the packets of the network traffic snapshot and one or more observation timestamps. Determining an observed vector from the statistical data structure, wherein the observed vector has associated attribute/value pairs and counters that satisfy a predetermined criterion. The observed vector's attribute/value pairs are compared to known attribute/value pairs associated with known DDoS attack vectors of an attack vector database. In response to finding a matching known attack vector as a result of the comparison, mitigation parameters associated with the known attack vector are selected and used for applying a countermeasure to the network traffic for mitigating an attack.

公开(公告)号：US11153342B2

公开(公告)日：2021-10-19

申请号：US16565149

申请日：2019-09-09

申请人： Arbor Networks, Inc.

发明人： Andrew Lee Adams ,  Cameron Hanover ,  Dagan Harrington ,  Jiasi Li ,  Joachim Wright

IPC分类号： H04L29/06

摘要： A computer implemented method and system for protecting against denial of service attacks by detecting changes in a preferred set of hierarchically-structured items in a network data stream in which a set of network destination prefixes is identified that account for a user specified target of the attack traffic. Changes in the attack traffic profile are detected and new sets of network destination prefixes are generated when the attack has shifted by a predetermined threshold. sets of identified destination prefixes are then translated into route announcements to divert attack traffic to mitigation devices.

公开(公告)号：US11153334B2

公开(公告)日：2021-10-19

申请号：US16379240

申请日：2019-04-09

申请人： Arbor Networks, Inc.

发明人： Steinthor Bjarnason ,  Andrew Ralph Beard ,  David Turnbull

IPC分类号： G06F11/00 ,  H04L29/06

摘要： A method of detecting patterns in network traffic is provided. The method includes receiving packets of network traffic, performing a frequency analysis per field of the packets as a function of frequency of the occurrence of the same data in the corresponding field, and selecting top values which are values associated with each field of the set of fields that satisfy a criterion as having occurred most frequently in the packets as a function of a result of the frequency analysis. The method further includes assigning a bit encoding scheme that uses variable bit encoding to encode each of the top values for each field that has a top value, encoding into a single value each packet of the packets based on a bitfield representation that uses the encoding scheme for values associated with each field that has a top value, storing each potential combination of fields of the set of fields being processed, with all bits set per field when the field is an active field and no bits set when the field is inactive, performing a bitwise operation on each encoded packet with the stored potential combinations, sorting the results of the bitwise operation based on a number of the active fields and a number of occurrences of each same result of the bitwise operation, and providing the results of the sorting to a mitigation device for determining whether an attack is underway and/or for filtering network traffic for mitigating an attack.