Statistical automatic detection of malicious packets in DDoS attacks using an encoding scheme associated with payload content

Abstract

A method of detecting patterns in network traffic is provided. The method includes receiving a plurality of packets of network traffic, each packet having a payload populated with payload data and selecting payload lengths that occurred most frequently. For each of the selected payload lengths, a pattern template is generated using characters per position of the payload that satisfy a frequency criterion. A bit encoding scheme is assigned for each of the selected payload lengths and its associated pattern template. Each packet of the plurality of packets that has a payload length equal to any of the selected payload lengths and payload content that matches a pattern template generated for the payload is encoded into a single value. The single value uses the bit encoding scheme for the payload length and the pattern template matched. Each potential combination of fields representing the respective payload length and the pattern template is stored, with either all bits set per field when the field is active or no bits set per field when the field is inactive. A bitwise operation is performed on each encoded packet with the stored potential combinations. Results of the bitwise operation are stored in a sparse memory array. The results of the sparse array are sorted based on a number of the active fields and a number of occurrences of the respective results of the bitwise operation. The results of the sorting are provided to a mitigation device as an indication of whether an attack is underway and/or what type of attack is underway.
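The pipeline in the abstract, as an added Python example (not code from the patent or from Arbor Networks), limited to the two fields the abstract names. The 4-bit field width, the 0.8 frequency threshold, the ids starting at 1, the function names and the sample traffic are all assumptions made for illustration.

```python
from collections import Counter
from itertools import product

FIELD_BITS = 4                                   # assumed width of each field
LEN_MASK = ((1 << FIELD_BITS) - 1) << FIELD_BITS  # all bits of the length field
TPL_MASK = (1 << FIELD_BITS) - 1                  # all bits of the template field

def build_template(group, min_share):
    """Per position, keep the most common byte if it meets the
    frequency criterion, otherwise a wildcard (None)."""
    template = []
    for column in zip(*group):                   # same-length payloads, by position
        byte, count = Counter(column).most_common(1)[0]
        template.append(byte if count / len(group) >= min_share else None)
    return tuple(template)

def matches(payload, template):
    return len(payload) == len(template) and all(
        t is None or t == b for b, t in zip(payload, template))

def active_fields(value):
    return bool(value & LEN_MASK) + bool(value & TPL_MASK)

def rank_patterns(payloads, top_n=2, min_share=0.8):
    # Most frequent payload lengths, then one template per selected length.
    lengths = [n for n, _ in Counter(map(len, payloads)).most_common(top_n)]
    templates = [build_template([p for p in payloads if len(p) == n], min_share)
                 for n in lengths]
    # Every field combination: all bits set when active, none when inactive.
    masks = [a | b for a, b in product((0, LEN_MASK), (0, TPL_MASK)) if a | b]
    sparse = Counter()                           # only results that occur are stored
    for p in payloads:
        for idx, tpl in enumerate(templates, start=1):   # id 0 means "inactive"
            if matches(p, tpl):
                encoded = (idx << FIELD_BITS) | idx      # length id | template id
                sparse.update(encoded & m for m in masks)
    # Most specific results first, then most frequent; value breaks ties.
    ranked = sorted(sparse.items(),
                    key=lambda kv: (-active_fields(kv[0]), -kv[1], kv[0]))
    return templates, ranked

# Constructed sample traffic: two repetitive floods plus unrelated payloads.
SAMPLE = ([b"GET\x00" + bytes([i]) + b"xyz" for i in range(6)]
          + [b"PING" + bytes([i, i]) for i in range(3)]
          + [b"NOTMATCH", b"a", b"zz", b"hello world!"])

if __name__ == "__main__":
    for value, hits in rank_patterns(SAMPLE)[1]:
        print(f"{value:#04x} fields={active_fields(value)} hits={hits}")
```

With only two fields and one template per length, the single-field results repeat the counts of the combined result; the ranking still puts the most specific, most frequent pattern first, which is what the mitigation device would consume.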

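Bibliographic details

  • Publication number: US10951649B2

    Patent type:

  • Publication date: 2021-03-16

    Original format: PDF

  • Applicant/Assignee: ARBOR NETWORKS INC.

    Application number: US201916379028

  • Inventor: STEINTHOR BJARNASON

    Filing date: 2019-04-09

  • Classification: H04L29/06; G06N7/02; H04L12/24

  • Country: US

  • Database entry time: 2022-08-24 17:42:35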
