US 11,750,632 B2
Method and system for detecting and mitigating HTTPS flood attacks
Ehud Doron, Modiin (IL); Lev Medvedovsky, Netanya (IL); David Aviv, Tel Aviv (IL); Eyal Rundstein, Givataim (IL); Ronit Lubitch Greenberg, Tel Aviv (IL); and Avishay Balderman, Tel Aviv (IL)
Assigned to RADWARE, LTD., Tel Aviv (IL)
Filed by RADWARE LTD., Tel Aviv (IL)
Filed on May 31, 2022, as Appl. No. 17/804,725.
Application 17/804,725 is a continuation of application No. 16/453,035, filed on Jun. 26, 2019, granted, now 11,363,044.
Prior Publication US 2022/0294814 A1, Sep. 15, 2022
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/1458 (2013.01)]
21 Claims
1. A method for detecting and mitigating denial-of-service (DoS) attacks that are using an encrypted communication protocol, comprising:
estimating traffic telemetries of packets of at least ingress traffic passing over an insecure network that is directed to a protected entity by analyzing transmission control protocol (TCP) headers of the packets, the packets of the at least ingress traffic being secured using an encrypted version of a non-encrypted communication protocol, the packets of the at least ingress traffic being intended for the protected entity;
providing at least one rate-based feature and at least one rate-invariant feature based on the estimated traffic telemetries, wherein the rate-based feature and the rate-invariant feature demonstrate a normal behavior of the traffic using the encrypted protocol intended for the protected entity; and
executing a mitigation action when a potential flood DoS attack using the encrypted communication protocol is detected by an evaluation of the at least one rate-based feature and the at least one rate-invariant feature to determine whether the behavior of the ingress traffic intended for the protected entity indicates a potential flood DoS attack using the encrypted communication protocol, wherein the evaluation of the at least one rate-based feature is with respect to at least a first baseline and the evaluation of the at least one rate-invariant feature is with respect to at least a second baseline.