CPC H04L 63/1458 (2013.01) [H04L 63/0263 (2013.01); H04L 63/1425 (2013.01); H04L 63/20 (2013.01)]; 20 Claims
1. A system, comprising:
at least one processor; and
memory that stores computer-executable instructions that, in response to execution by the at least one processor, cause the system to:
determine that one or more web applications are targets of a distributed denial of service attack;
analyze application layer properties of network traffic associated with the one or more web applications;
identify one or more changes to distributions of the application layer properties of the network traffic associated with the one or more web applications, the one or more changes identified based at least in part on comparing pre-onset distributions from before the distributed denial of service attack is determined to post-onset distributions from after the distributed denial of service attack is determined;
generate a signature of network traffic associated with the distributed denial of service attack, the signature comprising one or more of the application layer properties whose distributions changed; and
generate a new attack mitigation rule based at least in part on the generated signature of network traffic associated with the distributed denial of service attack and the one or more of the application layer properties whose distributions changed, that, when applied by a web application firewall, limits network traffic that conforms to the signature.
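The claim above describes a procedure in abstract terms: take application-layer properties of requests, compare how their values were distributed before the attack was declared with how they are distributed afterwards, turn the properties whose distribution shifted into a signature, and derive a WAF rule that limits traffic conforming to that signature. The Python below is an added worked example of that flow; it is not code from the patent and the patent does not prescribe any of its specifics. The traffic records are constructed, the property set, the use of total variation distance as the change measure, the thresholds, and the rule format are all assumptions, and the first claim step (deciding that the application is under attack) is taken as already done, so the example starts from the two traffic windows.

```python
"""Added example: pre-/post-onset distribution comparison for WAF rule generation.

Everything here is constructed for illustration; the patent does not specify the
property set, the distance metric, the thresholds or the rule format used below.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Application-layer properties compared between the two windows (assumed set).
PROPERTIES = ("method", "path", "user_agent", "accept_language")


def _req(method: str, path: str, user_agent: str, accept_language: str) -> Dict[str, str]:
    return {"method": method, "path": path, "user_agent": user_agent,
            "accept_language": accept_language}


# Constructed pre-onset window: ordinary browser traffic, ten requests.
PRE_ONSET: List[Dict[str, str]] = (
    [_req("GET", "/index.html", "Mozilla/5.0 Firefox", "en-US")] * 4
    + [_req("GET", "/products", "Mozilla/5.0 Firefox", "en-US")] * 2
    + [_req("POST", "/login", "Mozilla/5.0 Firefox", "en-US")]
    + [_req("GET", "/index.html", "Mozilla/5.0 Safari", "fr-FR")] * 2
    + [_req("GET", "/search?q=shoes", "Mozilla/5.0 Chrome", "de-DE")]
)

# Constructed post-onset window: two legitimate requests plus a flood from a scripted client.
POST_ONSET: List[Dict[str, str]] = (
    [_req("GET", "/index.html", "Mozilla/5.0 Firefox", "en-US")] * 2
    + [_req("GET", "/search?q=shoes", "python-requests/2.31", "*")] * 8
)


def distribution(records: Iterable[Dict[str, str]], prop: str) -> Dict[str, float]:
    """Relative frequency of each value of one property within a window."""
    counts = Counter(r[prop] for r in records)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}


def total_variation(p: Dict[str, float], q: Dict[str, float]) -> float:
    """Total variation distance between two discrete distributions (0 = identical, 1 = disjoint)."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def shifted_properties(pre, post, threshold: float = 0.3) -> Dict[str, float]:
    """Properties whose pre-onset and post-onset distributions differ by at least `threshold`."""
    shifts = {}
    for prop in PROPERTIES:
        d = total_variation(distribution(pre, prop), distribution(post, prop))
        if d >= threshold:
            shifts[prop] = d
    return shifts


def build_signature(pre, post, shifted: Dict[str, float], min_gain: float = 0.2) -> Dict[str, str]:
    """For each shifted property, keep the value whose share grew most after onset."""
    signature = {}
    for prop in shifted:
        p, q = distribution(pre, prop), distribution(post, prop)
        value, gain = max(((v, q[v] - p.get(v, 0.0)) for v in q), key=lambda t: t[1])
        if gain >= min_gain:
            signature[prop] = value
    return signature


def build_rule(signature: Dict[str, str], limit_per_window: int = 60) -> dict:
    """Assumed rule format: all signature properties must match; matches beyond the limit are dropped."""
    return {"action": "rate_limit", "limit_per_window": limit_per_window, "match": dict(signature)}


def rule_matches(rule: dict, request: Dict[str, str]) -> bool:
    """A request conforms to the signature only if every property in it matches (conjunction)."""
    return all(request.get(k) == v for k, v in rule["match"].items())


def enforce(rule: dict, requests: Iterable[Dict[str, str]]) -> Tuple[int, int]:
    """Toy enforcement for one window: returns (allowed, limited) request counts."""
    allowed = limited = matched = 0
    for r in requests:
        if rule_matches(rule, r):
            matched += 1
            if matched > rule["limit_per_window"]:
                limited += 1
                continue
        allowed += 1
    return allowed, limited


if __name__ == "__main__":
    shifts = shifted_properties(PRE_ONSET, POST_ONSET)
    signature = build_signature(PRE_ONSET, POST_ONSET, shifts)
    rule = build_rule(signature, limit_per_window=2)
    print("shifted properties:", {k: round(v, 2) for k, v in shifts.items()})
    print("signature:", signature)
    print("allowed/limited in post-onset window:", enforce(rule, POST_ONSET))
```

Two details matter in practice. The `method` property is excluded from the signature because its distribution barely moves between the windows, which is the claim's point of keying the signature on the properties whose distributions changed rather than on every property. And the generated rule requires all signature properties to match at once, so the legitimate pre-onset request to the same `/search` path from a browser is not limited; a rule built from any single shifted property would be far more prone to collateral blocking.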