US Patent 11770405 Automated selection of DDoS countermeasures using statistical analysis

A method of automated filtering includes receiving a network traffic snapshot having packets with data stored in respective fields, generating a statistical data structure storing each potential unique combination of data stored in respective fields with an associated counter that is incremented for each occurrence that the combination matches one of the packets of the network traffic snapshot and one or more observation timestamps. Determining an observed vector from the statistical data structure, wherein the observed vector has associated attribute/value pairs and counters that satisfy a predetermined criterion. The observed vector's attribute/value pairs are compared to known attribute/value pairs associated with known DDoS attack vectors of an attack vector database. In response to finding a matching known attack vector as a result of the comparison, mitigation parameters associated with the known attack vector are selected and used for applying a countermeasure to the network traffic for mitigating an attack.