US Patent 10027694 Detecting denial of service attacks on communication networks

Systems and methods are described to enable detection of network attacks in communication networks. An attack detection system receives information regarding network traffic occurring at nodes of a communication network, and analyzes the information for anomalous traffic patterns. The attack detection system can use multiple, parallel metric evaluation units programmed to detect specific types of anomalies within traffic patterns. In one instance, a metric evaluation unit is programmed to detect changes in entropy for the traffic, as distributed according to a characteristic such as source address, protocol, or country of origin. Where the entropy of a set of traffic differs from historical averages by a large amount, such as by many standard deviations, the attack detection system may flag the traffic as indicative of an attack, even when the absolute volume of traffic has not changed.