Patent document 1 has introduced the concept that Category Transform is effective in statistically analyzing network traffic by observing the volume of traffic, that is, the amount of information on a communication line. This technique is useful for detecting the presence of illegal accesses such as DoS (Denial of Service) attacks and DDoS (Distributed Denial of Service) attacks.
An effective (D)DoS attack is achieved by sending a large number of packets with a spoofed source address in the packet header. When the volume of incoming packets exceeds the processing capacity of the target equipment, the equipment will no longer be able to handle the regular communication packets from regular users. Because it is difficult to distinguish (D)DoS attack packets from regular communication packets, high detection accuracy cannot be expected when traditional methods are employed.
In Category Transform, a "category" of a field (or a combination of fields) is a property that characterizes a packet by a distinct value in that field (or those fields). For example, "all packets whose protocol field has the value TCP" is a category. Category Transform is the method for computing the distribution of the number of categories from the distribution of the number of packets, based on the category to which each detected packet belongs.
Using Category Transform, the system judges that a network attack is in progress if the number of distinct values observed in the pre-specified category crosses a pre-specified number threshold within a pre-specified time interval. The accuracy of detection of illegal access is improved in this way.
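The following is an added illustration of the two steps just described, written for this page and not taken from patent document 1: packets are grouped into categories by the chosen header field(s), the per-category packet counts are transformed into a count of categories per packet count, and a time window is flagged when the number of distinct categories exceeds the threshold. The packet records, the field names ("src", "proto", "dport"), the window length and the threshold value are all constructed assumptions for the example; the spoofed-source pattern appears as many source-address categories holding one packet each.

```python
from collections import Counter, defaultdict

# Constructed sample packet records: (timestamp in seconds, source address,
# protocol, destination port). Made-up values for illustration only.
SAMPLE_PACKETS = [
    (0.1, "10.0.0.1", "TCP", 80),
    (0.4, "10.0.0.2", "TCP", 80),
    (0.9, "10.0.0.1", "UDP", 53),
    # Second window: 50 packets, each from a different (spoofed-looking) source.
] + [(1.0 + i * 0.01, f"192.0.2.{i}", "TCP", 80) for i in range(50)]

# Column positions of the header fields in a packet record (assumed layout).
FIELDS = {"src": 1, "proto": 2, "dport": 3}


def category_of(packet, fields):
    """A category is the tuple of values the packet carries in the chosen field(s)."""
    return tuple(packet[FIELDS[f]] for f in fields)


def packets_per_category(packets, fields):
    """Distribution of the number of packets: how many packets fall in each category."""
    return Counter(category_of(p, fields) for p in packets)


def category_transform(packet_counts):
    """Distribution of the number of categories: how many categories hold exactly k packets."""
    return Counter(packet_counts.values())


def split_windows(packets, window_seconds):
    """Group packets by the time interval their timestamp falls into."""
    windows = defaultdict(list)
    for p in packets:
        windows[int(p[0] // window_seconds)].append(p)
    return windows


def detect(packets, fields, window_seconds, threshold):
    """Per window: (window index, number of distinct categories, flagged?).

    A window is flagged when the number of distinct values observed in the
    chosen field(s) exceeds the threshold, as in the text above.
    """
    windows = split_windows(packets, window_seconds)
    results = []
    for idx in sorted(windows):
        counts = packets_per_category(windows[idx], fields)
        distinct = len(counts)
        results.append((idx, distinct, distinct > threshold))
    return results


if __name__ == "__main__":
    for idx, distinct, flagged in detect(SAMPLE_PACKETS, ("src",), 1.0, 20):
        print(f"window {idx}: {distinct} distinct source addresses, flagged={flagged}")
    # Category-count distribution for the second window: {1: 50}, i.e. 50
    # categories with a single packet each.
    second = split_windows(SAMPLE_PACKETS, 1.0)[1]
    print(category_transform(packets_per_category(second, ("src",))))
```

Passing a combination such as ("proto", "dport") instead of ("src",) shows why the field choice matters: the same burst collapses into a single (TCP, 80) category and is not flagged, so the threshold must be chosen per category definition.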
[Patent document 1] Patent Laid-Open No. WO 2005/074215.