US Patent 11451563 Dynamic detection of HTTP-based DDoS attacks using estimated cardinality

A computer method and system for detecting a Denial of Service (DoS) attack by detecting changes in recent cardinality of a network traffic flow. Packet traffic flows are received from external device (networks), and a cardinality estimation is then performed on a received packet traffic flow. A series of cardinalities is maintained for prior packet traffic flows. Changes in cardinalities associated with prior packet traffic flows are detected when compared to cardinalities of a current packet traffic flow. An alert condition for the network traffic flow is generated regarding a suspected DoS attack based upon the detected changes in cardinalities regarding comparison of the cardinalities associated with prior packet traffic flows compared to cardinalities of a current packet traffic flow.