CPC H04L 63/1458 (2013.01) [H04L 63/0209 (2013.01); H04L 63/101 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/20 (2013.01); H04L 67/02 (2013.01); H04L 2463/141 (2013.01)]
22 Claims
1. A method for protecting cloud-hosted applications against application-layer slow distributed denial-of-service (DDoS) attacks, comprising:
collecting telemetries from a plurality of sources deployed in a plurality of public cloud computing platforms, wherein each of the plurality of public cloud computing platforms hosts an instance of a protected cloud-hosted application, wherein the telemetries are collected out-of-path of traffic to and from each instance of the protected cloud-hosted application;
providing a set of rate-based and rate-invariant features based on the collected telemetries;
evaluating each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack; and
causing execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined.