Automatic detection of malicious packets in DDoS attacks using an encoding scheme

摘要

A method of detecting patterns in network traffic is provided. The method includes receiving packets of network traffic, performing a frequency analysis per field of the packets as a function of frequency of the occurrence of the same data in the corresponding field, and selecting top values which are values associated with each field of the set of fields that satisfy a criterion as having occurred most frequently in the packets as a function of a result of the frequency analysis. The method further includes assigning a bit encoding scheme that uses variable bit encoding to encode each of the top values for each field that has a top value, encoding into a single value each packet of the packets based on a bitfield representation that uses the encoding scheme for values associated with each field that has a top value, storing each potential combination of fields of the set of fields being processed, with all bits set per field when the field is an active field and no bits set when the field is inactive, performing a bitwise operation on each encoded packet with the stored potential combinations, sorting the results of the bitwise operation based on a number of the active fields and a number of occurrences of each same result of the bitwise operation, and providing the results of the sorting to a mitigation device for determining whether an attack is underway and/or for filtering network traffic for mitigating an attack.