Many modern networked computers are vulnerable to DDOS attacks, in which an attacker employs a large number of remotely controlled computers to deluge a target computer with an excessive amount of information. This information usually takes the form of specially crafted Internet Protocol (IP) packets that trigger a flood of packets at the target. The sheer number of such requests overwhelms the target's ability to respond, effectively removing it from service by preventing it from doing anything else. Compounding this problem is the fact that damage from such DDOS attacks is not limited to the target itself. Rather, attacks are also capable of overwhelming any networked device in the path leading to the target. Although the target resource is referred to as a computer, the term computer as used herein includes any networked resource, including storage devices, switches, and routers.
A typical DDOS attack is characterized by a sudden increase, or burst, in traffic volume, i.e., an increase in the rate (often measured in packets per second or bytes per second) at which information is transferred across a network to the target computer. One method of detecting DDOS attacks relies upon detecting and measuring such a burst. However, one difficulty lies in differentiating between a DDOS burst and a legitimate increase in network traffic, for example when a target computer receives a large file it is expecting.
It is therefore desirable to develop a method of detecting a DDOS attack that adapts to the typical traffic pattern, or profile, of the target computer. Armed with information on the target's typical traffic profile, such a method could then better discriminate between innocuous data bursts that tend to occur during periods of high traffic and malicious DDOS attacks. It could also more accurately detect lower-level DDOS attacks during periods of low traffic. In this manner, such a method would be more likely to avoid raising a false alarm for a legitimate burst, such as a file transfer during working hours. Likewise, the method would also be more likely to catch even small DDOS attacks at times when network traffic is typically light, such as weekends or late nights.
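The following is an added illustration of the adaptive approach described above; it is example code written for this page, not part of the original document or any implementation it describes. It keeps a per-(weekday, hour) baseline of the observed packet rate and declares a burst only when the current rate exceeds that slot's mean plus k standard deviations. The parameters k, min_samples and floor, the class and function names, and the training samples are all constructed for the example. A fixed global threshold is computed alongside it for contrast: tuned high enough to ignore an office-hour file transfer, it necessarily misses a much smaller flood on a quiet weekend night, which the adaptive profile still catches.

```python
import math
from collections import defaultdict
from datetime import datetime


class TrafficProfile:
    """Per-(weekday, hour) baseline of packet rate, learned from observed samples.

    A burst is declared when the current rate exceeds mean + k * stddev for the
    matching time slot. `floor` stops the threshold collapsing to nearly zero in
    slots with almost no traffic; `min_samples` suppresses alerts until a slot
    has a usable baseline. All three parameters are hypothetical choices.
    """

    def __init__(self, k=3.0, min_samples=5, floor=100.0):
        self.k = k
        self.min_samples = min_samples
        self.floor = floor
        # slot -> [sample count, running mean, running sum of squared deviations]
        self._stats = defaultdict(lambda: [0, 0.0, 0.0])

    @staticmethod
    def slot(ts):
        return (ts.weekday(), ts.hour)

    def update(self, ts, pps):
        """Fold one rate sample into the slot's running mean/variance (Welford)."""
        s = self._stats[self.slot(ts)]
        s[0] += 1
        delta = pps - s[1]
        s[1] += delta / s[0]
        s[2] += delta * (pps - s[1])

    def threshold(self, ts):
        """Burst threshold for the slot containing ts, or None if not yet trained."""
        n, mean, m2 = self._stats[self.slot(ts)]
        if n < self.min_samples:
            return None
        std = math.sqrt(m2 / (n - 1)) if n > 1 else 0.0
        return max(mean + self.k * std, self.floor)

    def is_burst(self, ts, pps):
        t = self.threshold(ts)
        return t is not None and pps > t


# Constructed training data: busy office hours on weekdays, quiet otherwise.
OFFICE_HOUR_SAMPLES = [4000, 4500, 5000, 5500, 6000]  # mean 5000 pps
QUIET_HOUR_SAMPLES = [180, 190, 200, 210, 220]        # mean 200 pps


def build_profile():
    p = TrafficProfile()
    # 2024-01-01 is a Monday, so day 1 + wd walks Monday through Sunday.
    for wd in range(7):
        for hour in range(24):
            busy = wd < 5 and 9 <= hour < 17
            samples = OFFICE_HOUR_SAMPLES if busy else QUIET_HOUR_SAMPLES
            for pps in samples:
                p.update(datetime(2024, 1, 1 + wd, hour), pps)
    return p


def static_is_burst(pps, threshold=7000.0):
    """Single fixed threshold, set high enough not to fire on an office-hour
    file transfer; shown only for contrast with the adaptive profile."""
    return pps > threshold


def demo():
    """Classify three constructed events with both detectors."""
    p = build_profile()
    events = {
        # Monday 10:00, 7000 pps: a large file transfer the target expects.
        "weekday_transfer": (datetime(2024, 1, 8, 10), 7000),
        # Monday 10:00, 8000 pps: clearly above the office-hour baseline.
        "weekday_flood": (datetime(2024, 1, 8, 10), 8000),
        # Sunday 03:00, 1500 pps: small in absolute terms, 7x the quiet baseline.
        "weekend_night_flood": (datetime(2024, 1, 14, 3), 1500),
    }
    return {
        name: {
            "threshold": round(p.threshold(ts), 1),
            "adaptive": p.is_burst(ts, pps),
            "static": static_is_burst(pps),
        }
        for name, (ts, pps) in events.items()
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running the block prints one line per event. The office-hour slot's threshold works out to about 7371.7 pps, so the 7000 pps transfer passes and the 8000 pps flood is flagged by both detectors; the quiet-hour slot's threshold is about 247.4 pps, so the 1500 pps night flood is flagged by the adaptive profile but invisible to the fixed 7000 pps threshold. In a real deployment the baseline would be refreshed continuously from measured rates rather than built from a fixed list, and the k, floor and minimum-sample settings would be tuned per network.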