Description:FIELD OF THE INVENTION
[0001] The invention generally relates to the field of cybersecurity and network protection, and in particular, the present disclosure relates to the development of a multi-model contextual defense for detecting and mitigating application-level Distributed Denial of Service (DDoS) attacks through monitoring and analyzing user interaction patterns, request sequences, and timing behaviors.

DESCRIPTION OF THE RELATED ART
[0002] Distributed Denial of Service (DDoS) attacks represent a fundamental threat to internet applications. The history of DDoS attacks dates back to the beginning of the internet, and they can be broadly classified as network-level attacks and application-level attacks. Network-level attacks seek to overwhelm network bandwidth, routers, and switches, while application-level attacks target servers' computational resources such as CPU, memory, database, disk I/O, and socket broadcasting.
[0003] Decades of research on network-level DDoS attacks has helped network solution providers strengthen their systems. As a result, it is no longer easy for attackers to overwhelm networks, causing attackers to shift their focus to application-level attacks. Application-level DDoS attacks are particularly challenging to detect as they use legitimate HTTP protocol. They differ from legitimate requests only in intent, not content.
[0004] According to prior research, DDoS attackers can be classified into three categories, each more subtle than the previous: 1) attackers who compromise large numbers of computers to bombard the homepage, 2) attackers who randomly target premium pages with requests appearing as regular users, and 3) attackers who use fewer requests to target pages triggering heavy image downloads or database operations.
[0005] Several approaches have been proposed to address application-level DDoS attacks. Some systems detect whether clicks and/or traffic originated from bots and should not be allowed to reach the intended destination. These systems analyze click behavior to determine whether it exhibits human or machine characteristics, for example by examining time periods between clicks. Other approaches use signature detection for malicious traffic and implement rules and policies for detecting suspicious activity. When malicious traffic is detected, connections may be closed, preventing the traffic from proceeding to its intended destination.
[0006] Another approach involves analyzing the sequence of events compared to expected user behavior, which enables detection of events that cannot be normally performed by humans. For instance, if filling a form takes place with minimal delay between keyboard events, this may be classified as malicious behavior. Similarly, if navigation between text boxes occurs without tabbing or mouse clicks, this may indicate bot behavior.
[0007] Once malicious or bot behavior is detected, various actions may be taken. At the user machine, additional challenges may be provided, while at the server end, events may be flagged as malicious, blocked from processing, or the IP address may be blocked.
[0008] Some systems provide blocking forgiveness in DDoS mitigation by temporarily blocking addresses based on behavioral analysis but then automatically unblocking them if subsequent analysis identifies that the user should not have been blocked. These systems may track the number of infractions compared to a threshold, allowing forgiveness of a certain number of infractions.
[0009] Traditional approaches like CAPTCHA are widely used to prevent attacks by bots. However, they are often inconvenient and negatively impact user experience. Furthermore, CAPTCHA filters are increasingly bypassed with advanced AI-based algorithms.
[0010] Therefore, there is a requirement for developing an intelligent system using widely available resources that can serve as a cost-effective alternative.

OBJECTS OF THE PRESENT DISCLOSURE
[0011] An object of the present disclosure is to provide a deterministic framework for mitigating application-level DDoS attacks which evaluates user behavior patterns to distinguish between legitimate users and bots.
[0012] Another object of the present disclosure is to provide a system which implements User Action Paths (UAP) based on application screen flow, Minimum Human Time (MHT) between actions, and frequency limits to detect abnormal behavior patterns.
[0013] Another object of the present disclosure is to provide a system which tracks user activity in real-time using in-memory data structures including From-To UA Maps and Activity-Tracker Maps for efficient violation detection.
[0014] Another object of the present disclosure is to provide a system which identifies six types of violations: MHT violations, frequency violations, UAP violations, authentication violations, authorization violations, and invalid request violations.
[0015] Another object of the present disclosure is to provide a system which applies appropriate consequences based on violation criticality, ranging from delaying individual requests to completely blocking users, ensuring quality of service for legitimate users.
[0016] Another object of the present disclosure is to provide protection strategies for open pages including session tokens, caching, load balancing, and database sharding to mitigate DDoS attacks on unsecured endpoints.
[0017] Another object of the present disclosure is to provide a modular and configurable framework that can be easily integrated with different applications and customized according to specific application requirements.

SUMMARY
[0018] In an aspect, the present disclosure relates to a multi-model contextual defense system for mitigating application-level DDoS attacks. The system comprises at least one processor, a memory communicatively coupled to the processor, a central configuration server communicatively coupled to the processor storing at least one user action path template, at least one minimum human time threshold, and at least one frequency guideline. The system further includes at least one application server communicatively coupled to the processor implementing a path-frequency-time framework comprising a configuration component, a tracker component, a violation checker component, and an enforcer component, wherein the components communicate through a message-passing interface. A central monitoring system, communicatively coupled to both the processor and the application server, aggregates violation data from the application server and identifies coordinated attacks targeting applications.
[0019] The system executes instructions stored in memory to track user activity in an application using an in-memory tracking module that monitors request sequences, timing patterns, and navigation flows; compare activity against user action path templates, minimum human time thresholds, and frequency guidelines; detect violations based on the comparison; categorize detected violations into critical or non-critical violations based on certainty of malicious intent; and apply mitigation actions corresponding to the categorized violations to maintain quality of service for legitimate users while restricting access for potential attackers.
[0020] In an embodiment, the in-memory tracking module comprises a from-to user action map stored in the memory storing cumulative minimum human time between pairs of user actions, which updates as user behavior changes, and an activity-tracker map stored in the memory storing request sequences and timestamps for each user session, enabling measurement of intervals between consecutive actions.
[0021] In an embodiment, the detected violations include minimum human time violations when time intervals between consecutive requests are less than thresholds, frequency violations when request counts exceed guidelines within defined time windows, user action path violations when request sequences don't follow templates, authentication violations when requests lack valid tokens, authorization violations when requests attempt to access resources beyond permission levels, and invalid request violations when requests have missing parameters or attempt to modify non-existent records.
[0022] In an embodiment, user action path violations, authentication violations, authorization violations, and invalid request violations are categorized as critical violations because they cannot be generated through normal use of an application interface, while minimum human time violations and frequency violations are categorized as non-critical violations as they may be triggered by legitimate users with fast interaction patterns.
[0023] In an embodiment, the mitigation actions include deleting user accounts when multiple critical violations are detected within a configurable timeframe, temporarily blocking users when individual critical violations are detected with blocking duration increasing with each subsequent violation, logging out users when repeated non-critical violations are detected requiring re-authentication, terminating individual requests when infrequent non-critical violations are detected allowing subsequent valid requests to be processed, and slowing down individual requests when initial non-critical violations are detected by introducing calculated processing delays proportional to violation severity.
[0024] In an aspect, the present disclosure relates to a multi-model contextual defense method comprising tracking user activity in an application using an in-memory tracking module that records timestamps, request parameters, and navigation sequences; comparing tracked user activity against at least one user action path template, at least one minimum human time threshold, and at least one frequency guideline; detecting violations when tracked activity deviates from templates, thresholds, or guidelines; categorizing detected violations into critical or non-critical violations based on violation type and contextual factors; and applying mitigation actions corresponding to categorized violations, wherein mitigation actions range from request delays to account terminations based on violation severity.
[0025] In an embodiment, detecting violations includes checking for minimum human time violations by comparing timestamp differences, frequency violations by counting requests within time windows, user action path violations by verifying navigation sequences, authentication violations by validating token presence and integrity, authorization violations by comparing requested actions against permission matrices, and invalid request violations by validating parameters and resource existence.
[0026] In an embodiment, the method further comprises conducting controlled simulations in test environments employing the processor and application server to evaluate defense capabilities, wherein conducting the controlled simulation comprises employing at least one attack mode comprising: targeting only unsecured pages of the application server through unauthenticated requests in an open mode, simulating attacks against public endpoints; violating only minimum human time thresholds configured in the central configuration server through programmatically accelerated request sequences in a minimum human time mode; violating only frequency guidelines configured in the central configuration server through high-volume requests to specific application functions in a frequency mode; disregarding navigation constraints defined in user action path templates by accessing endpoints in impossible sequences in a user action path mode; and violating multiple constraints across the central configuration server and application server simultaneously in a combined mode to evaluate defense capability against sophisticated attacks.
[0027] In an embodiment, the system applies protection strategies to unsecured endpoints including generating cryptographically secure session tokens for requests lacking authentication tokens with tokens expiring after configurable periods of inactivity, implementing caching modules for frequently accessed data to reduce database load during high traffic periods, implementing load balancing to distribute incoming requests across multiple servers based on current server capacity, and implementing database sharding to distribute database operations across multiple database instances to prevent database resource exhaustion.

BRIEF DESCRIPTION OF DRAWINGS
[0028] The accompanying drawings, which are incorporated herein, and constitute a part of this invention, illustrate exemplary embodiments of the disclosed methods and systems which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present invention. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that the invention of such drawings includes the invention of electrical components, electronic components or circuitry commonly used to implement such components.
[0029] FIG. 1 illustrates an exemplary architecture of a multi-model contextual defense system for mitigating application-level DDoS attacks, establishing hardware layer, server architecture, Path-Frequency-Time framework components, and operational processes, in accordance with an embodiment of the present disclosure.
[0030] FIG. 2 illustrates an exemplary block diagram of the Path-Frequency-Time framework, establishing the configuration component with User Action Path (Path), Frequency Limits (Frequency), Minimum Human Time (Time), and Violations specifications, along with Tracker, Violation Checker, and Enforcer components, in accordance with an embodiment of the present disclosure.
[0031] FIG. 3 illustrates an exemplary User Action Path (UAP) for a crowdsourced application, establishing registration, login, home, user management, and landslide management nodes with their corresponding frequency limits and Minimum Human Time (MHT) thresholds between actions, in accordance with an embodiment of the present disclosure.
[0032] FIG. 4 illustrates an exemplary flowchart depicting the request processing workflow of the Path-Frequency-Time framework, in accordance with an embodiment of the present disclosure.
[0033] FIG. 5 illustrates performance evaluation graphs establishing successful request rate (SRR) and latency for regular users with and without the Path-Frequency-Time framework enabled, demonstrating minimal impact on SRR but increased latency, in accordance with an embodiment of the present disclosure.
[0034] FIG. 6 illustrates performance evaluation graphs comparing regular users and attackers with and without the Path-Frequency-Time framework enabled, establishing the framework's effectiveness in substantially reducing attacker SRR while maintaining performance for legitimate users, in accordance with an embodiment of the present disclosure.
[0035] FIG. 7 illustrates performance evaluation graphs establishing the impact of a fixed number of attackers on varying numbers of regular users with and without the Path-Frequency-Time framework enabled, demonstrating the framework's ability to maintain stable performance for legitimate users despite attack traffic, in accordance with an embodiment of the present disclosure.
[0036] FIG. 8 illustrates performance evaluation graphs establishing the relative performance of different attack modes (Open, MHT, Frequency, and UAP) with and without the Path-Frequency-Time framework enabled, highlighting the effectiveness of the framework in mitigating various attack strategies, in accordance with an embodiment of the present disclosure.
[0037] FIG. 9 illustrates a scatter plot establishing the relationship between latency and successful request rate (SRR) for regular users and different types of attackers with and without the Path-Frequency-Time framework enabled, demonstrating the framework's ability to selectively impact attackers while preserving quality of service for legitimate users, in accordance with an embodiment of the present disclosure.

DETAILED DESCRIPTION
[0038] While the present disclosure has been disclosed with reference to certain embodiments, it will be understood by those skilled in the art that various changes may be made, and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt to a particular situation or material to the teachings of the invention without departing from its scope.
[0039] Throughout the specification and claims, the following terms take the meanings explicitly associated herein unless the context clearly dictates otherwise. The meaning of "a", "an", and "the" include plural references. The meaning of "in" includes "in" and "on." Referring to the drawings, like numbers indicate like parts throughout the views. Additionally, a reference to the singular includes a reference to the plural unless otherwise stated or inconsistent with the disclosure herein.
[0040] The present disclosure discloses a multi-model contextual defense system for mitigating application-level DDoS attacks. The system employs a Path-Frequency-Time (PFT) framework that utilizes application context and behavioral patterns to distinguish between legitimate users and attackers, applying graduated response mechanisms to maintain quality of service for genuine users.
[0041] Various embodiments of the present disclosure are described using FIGs. 1 to 9.
[0042] FIG. 1 illustrates an exemplary architecture of a multi-model contextual defense system for mitigating application-level DDoS attacks, establishing hardware layer, server architecture, Path-Frequency-Time framework components, and operational processes, in accordance with an embodiment of the present disclosure.
[0043] As illustrated in FIG. 1, the system architecture (100) includes several layers of components, starting with a hardware layer having a processor (101), memory (102) communicatively coupled to the processor, and network interface (103). The server architecture layer includes a central configuration server (104) communicatively coupled to the processor storing user action path templates, minimum human time thresholds, and frequency guidelines, at least one application server (105) communicatively coupled to the processor implementing the Path-Frequency-Time framework, and a central monitoring system (106) communicatively coupled to both the processor and the application server for aggregating violation data across multiple servers. The PFT framework layer itself consists of four primary components: a configuration component (107), a tracker component (108), a violation checker component (109), and an enforcer component (110), which communicate through a message-passing interface.
[0044] In an embodiment, the system uses two specialized subsystems: an in-memory tracking system (116) that facilitates real-time monitoring without database overhead, and a graduated response system (117) that scales mitigation actions based on violation severity and certainty of malicious intent.
[0045] FIG. 2 illustrates an exemplary block diagram of the Path-Frequency-Time framework, establishing the configuration component with User Action Path (Path), Frequency Limits (Frequency), Minimum Human Time (Time), and Violations specifications, along with Tracker, Violation Checker, and Enforcer components, in accordance with an embodiment of the present disclosure.
[0046] As illustrated in FIG. 2, the configuration component (204) forms the foundation of the PFT framework, receiving inputs from several configuration elements: user action path (201), frequency limits (202), minimum human time (205), and violations (206) modules. The configuration component specifies the application flow and user interaction thresholds that determine whether an incoming request to the application server is generated by human activity through the designated client application or by bot traffic using sniffed API calls.
[0047] In an embodiment, the configuration component stores user-action-path (UAP) templates that define the legitimate navigation flows within the application. Each UAP contains nodes representing user actions that result in API calls to the server, and branches representing the connections between nodes, reflecting the paths a user may take in the user interface. The UAP follows the screen flow of the application and helps identify attackers when their requests do not follow the predefined paths.
[0048] In an embodiment, the configuration component also stores minimum human time (MHT) thresholds for transitions between user actions. The MHT represents the minimum time required for a human to trigger a server request following a previous user action. This limit is set such that no human can trigger actions faster than the limit, typically considering factors such as screen loading time and the time taken for the user to find and click navigation buttons, enter details, and submit forms. MHT thresholds are usually set in milliseconds, making them impossible for human users to violate but easily detectable when breached by automated bots.
[0049] In an embodiment, the configuration component defines frequency limits that specify the maximum number of times a user action can occur within a given period or since another user action. These limits are set liberally such that violation indicates potential malicious intent. For example, a genuine user would not typically update their password 10 times in an hour.
[0050] In an embodiment, the configuration component categorizes six types of violations that can occur during a DDoS attack: MHT violations when subsequent requests arrive faster than the MHT interval; frequency violations when the number of requests for a given user action exceeds the specified limit; UAP violations when subsequent requests from the same user do not follow the UAP; authentication violations when a request arrives without an authentication token; authorization violations when a request attempts to access resources beyond the user's permission level; and invalid request violations when incoming requests have missing parameters or attempt to modify non-existent records.
[0051] In an embodiment, the violations are further categorized based on their criticality. UAP violations, authentication violations, authorization violations, and invalid request violations are classified as critical violations because they indicate malicious intent with high certainty, as it is impossible to generate such requests with the designated client application. MHT violations and frequency violations are classified as non-critical violations as they may occasionally be triggered by legitimate users with fast interaction patterns.
[0052] In an embodiment, the configuration component defines consequences for each violation type. These consequences range from severe actions such as deleting the user account, blocking the user, or logging the user out, to more lenient measures such as terminating or slowing down individual requests. The system applies stricter consequences when the certainty of an attack is high based on the violations detected, while applying more lenient consequences for less certain violations.
[0053] In an embodiment, the tracker component (207) monitors and records the sequence and timestamp of each server request for every user. This component maintains two primary in-memory data structures stored in the memory (102): the from-to UA map and the activity-tracker map. The from-to UA map stores the cumulative MHT between any pair of user actions, with the key being a compound string denoting the from-to user actions and the value being the cumulative MHT. This map is generated during server startup and enables fast calculation of violations. The activity-tracker map stores each user's activity from the server side, particularly tracking the sequence and frequency of requests, facilitating rapid violation checking.
[0054] In an embodiment, the violation checker component (210) analyzes the request summary from the activity-tracker map to detect violations. It compares actual user behavior against the from-to UA map to check for MHT violations, verifies adherence to UAP to detect path violations, checks against defined frequency limits to identify frequency violations, uses access control policies to verify authorization, and applies application logic to detect invalid requests. When violations are detected, the violation checker notifies the enforcer component.
[0055] In an embodiment, the enforcer component (212) implements appropriate consequences based on the violations detected. It subjects user requests to consequences based on the criticality of the violation and the certainty of malicious intent. For multiple critical violations, the enforcer may delete the user account; for individual critical violations, it may temporarily block the user; for repeated non-critical violations, it may log the user out; for infrequent non-critical violations, it may terminate individual requests; and for initial non-critical violations, it may slow down requests by introducing calculated processing delays proportional to the violation severity.
[0056] In an embodiment, the PFT framework addresses the challenge of open pages—application pages accessible without authentication—where traditional user tracking is difficult. These include information and catalog pages, registration pages, and login pages. The framework implements specialized protection strategies for these open pages, including session tokens, caching, load balancing, and database sharding.
[0057] In an embodiment, for open pages, the system generates uniquely computed session tokens for requests lacking authentication tokens. These tokens are generated in memory, not stored in the database, and expire after a period of inactivity, providing a lightweight mechanism to track user activity effectively. To minimize overhead, session token generation can be restricted to key landing pages, with the client application responsible for retrieving and resending the token with subsequent requests.
[0058] In an embodiment, the system implements caching to reduce server computational and database read load by storing frequently used data in memory for reuse. This approach alleviates server CPU and disk I/O demands. User authentication caching allows credentials to be stored in memory for quick verification, while catalog data caching enables rapid responses to user queries. The system may employ eager fetching for small datasets, loading entire tables into memory during server startup, or lazy fetching for large datasets, retrieving data from the database only when requested.
[0059] In an embodiment, the system utilizes load balancing to distribute incoming requests across multiple servers, each with dedicated CPU and memory resources. This approach normalizes the load on individual servers and ensures uninterrupted availability, even if some servers experience downtime. The system may implement dynamic scaling, adding or removing servers based on load demands, and database load balancing, using read-only replica databases for operations such as user authentication or catalog searches.
[0060] In an embodiment, the system employs database sharding to distribute database read and write operations by segmenting data across multiple databases. For example, user data might be divided across several databases based on the first letter of users' first names. This technique ensures that no single database becomes a bottleneck, enhancing performance and scalability, particularly for applications with large datasets and high transaction volumes.
[0061] FIG. 3 illustrates an exemplary User Action Path (UAP) for a crowdsourced application, establishing registration, login, home, user management, and landslide management nodes with their corresponding frequency limits and Minimum Human Time (MHT) thresholds between actions, in accordance with an embodiment of the present disclosure.
[0062] As illustrated in FIG. 3, the PFT framework has been implemented in a crowdsourced Landslide Tracker application (300). The application allows users to report landslides, including location, images, and descriptions, which are then broadcast to other users. The application's screen flow includes registration (301), login (302), home (303), user management (304) with create user (305), update user (306), update password (307), and delete user (308) functionalities, and landslide management (309) with create landslide (310), update landslide (311), and delete landslide (312) functionalities.
[0063] In an embodiment, the UAP for the Landslide Tracker application defines various user actions connected by path arrows, with each user action indicating the server request name followed by a frequency limit in the format X/Measure, where the measure is either time-based or event-based. The paths include MHT thresholds specified in milliseconds. The UAP starts with either registration or login, with a required gap of at least 1 second between registration and login requests. After login, the user can initiate any other allowed request according to the defined paths.
[0064] FIG. 4 illustrates an exemplary flowchart depicting the request processing workflow of the Path-Frequency-Time framework, in accordance with an embodiment of the present disclosure.
[0065] As illustrated in FIG. 4, the operational flow (400) of the PFT framework begins with an incoming request (402), which initiates tracking user activity (404). The tracked activity is then subjected to comparing (406) against configured rules including user action paths (201), minimum human time thresholds (205), and frequency guidelines (202). The system performs detecting a violation (412) when the tracked activity deviates from templates, thresholds, or guidelines. If violations are identified, the system proceeds with applying a mitigation action (416); otherwise, the request proceeds to normal processing (414).
[0066] In an embodiment, the effectiveness of the PFT framework has been validated through extensive simulation testing, with results illustrated in FIGs. 5-9. The tests evaluated the framework's performance under various conditions, including its impact on regular users, its effectiveness against different types of attackers, and its scalability with increasing user loads.
[0067] FIG. 5 illustrates performance evaluation graphs establishing successful request rate (SRR) and latency for regular users with and without the Path-Frequency-Time framework enabled, demonstrating minimal impact on SRR but increased latency, in accordance with an embodiment of the present disclosure.
[0068] As illustrated in FIG. 5, enabling the PFT framework has minimal impact on the successful request rate (SRR) for regular users, which remains nearly identical to the SRR without PFT. However, latency increases from 14-48 ms without PFT to approximately 500 ms with PFT enabled, representing a fixed overhead that remains stable regardless of user load.
[0069] FIG. 6 illustrates performance evaluation graphs comparing regular users and attackers with and without the Path-Frequency-Time framework enabled, establishing the framework's effectiveness in substantially reducing attacker SRR while maintaining performance for legitimate users, in accordance with an embodiment of the present disclosure.
[0070] As illustrated in FIG. 6, the PFT framework demonstrates significant effectiveness in distinguishing between regular users and attackers. Without PFT, attackers achieve much higher SRR than regular users at all load levels. With PFT enabled, attacker SRR drops sharply while regular user performance remains stable. At high loads, regular users actually experience improved latency with PFT enabled compared to without PFT, as the system effectively prioritizes legitimate traffic.
[0071] FIG. 7 illustrates performance evaluation graphs establishing the impact of a fixed number of attackers on varying numbers of regular users with and without the Path-Frequency-Time framework enabled, demonstrating the framework's ability to maintain stable performance for legitimate users despite attack traffic, in accordance with an embodiment of the present disclosure.
[0072] As illustrated in FIG. 7, when tested with a fixed number of attackers and varying numbers of regular users, the PFT framework maintains stable performance for legitimate users while almost completely neutralizing attackers as regular user traffic increases. Without PFT, attacker SRR drops gradually as regular users increase, but with PFT, attacker SRR falls dramatically to near zero. Regular user latency remains stable with PFT regardless of load, while attackers experience consistently high delays.
[0073] FIG. 8 illustrates performance evaluation graphs establishing the relative performance of different attack modes (Open, MHT, Frequency, and UAP) with and without the Path-Frequency-Time framework enabled, highlighting the effectiveness of the framework in mitigating various attack strategies, in accordance with an embodiment of the present disclosure.
[0074] As illustrated in FIG. 8, the PFT framework responds differently to various attack modes. Without PFT, Open attackers (targeting login and registration pages) achieve the highest SRR, followed by Frequency attackers, MHT attackers, and UAP attackers. With PFT enabled, UAP attackers experience the most significant drop in SRR as they are identified with the highest certainty and suffer the most severe consequences. Open and MHT attackers experience significant latency increases as their requests are delayed until they meet MHT constraints.
[0075] FIG. 9 illustrates a scatter plot establishing the relationship between latency and successful request rate (SRR) for regular users and different types of attackers with and without the Path-Frequency-Time framework enabled, demonstrating the framework's ability to selectively impact attackers while preserving quality of service for legitimate users, in accordance with an embodiment of the present disclosure.
[0076] As illustrated in FIG. 9, the relationship between latency and SRR reveals that with PFT enabled, all attackers experience reduced SRR while regular users remain largely unaffected. The framework creates a fixed latency overhead for regular users, independent of load, ensuring stable production performance. Among attackers, UAP and Open attackers see the most significant drop in SRR, with UAP attackers registering the lowest success rate.
[0077] In an embodiment, the PFT framework relies on context awareness—the fact that the system knows the intimate details of the application that attackers do not. By expressing this application context through software best practices, configurable UAP, and appropriate enforcement mechanisms, the system can efficiently check each incoming request for violations and apply consequences based on violation criticality. The higher the certainty that a request comes from an attacker, the stronger the consequences applied.
[0078] In an embodiment, the central configuration server allows administrators to set specific thresholds and consequences based on application usage patterns. This adaptability ensures that the system can be tuned to maintain an optimal balance between security and user experience.
[0079] In an embodiment, the in-memory tracking module records detailed request sequences and timestamps for each active user session, enabling precise measurement of intervals between consecutive actions for real-time violation detection without database overhead. The from-to user action map stores cumulative minimum human time between any pair of user actions through a compound string key representing the from-to user actions, with the map updating dynamically as user behavior patterns change.
[0080] In an embodiment, the violation checker component performs real-time comparisons against initialized constraints, generating violation events when thresholds are exceeded. It applies specialized algorithms for each violation type: comparing consecutive timestamp differences against minimum human time thresholds; counting requests within defined time windows against frequency guidelines; verifying navigation sequences against path templates; validating authentication token presence and integrity; comparing requested actions against permission matrices; and validating request parameters and target resource existence.
[0081] In an embodiment, the enforcer component implements a graduated response system where the severity of action corresponds to violation criticality, from introducing calculated processing delays proportional to violation severity for initial non-critical violations to deleting user accounts when multiple critical violations occur within configurable timeframes.
[0082] In an embodiment, the system was tested through multiple controlled simulations that evaluated defense capabilities, wherein conducting the controlled simulation comprised employing various attack modes: targeting only unsecured pages through unauthenticated requests in an open mode; violating only timing thresholds through programmatically accelerated request sequences in a minimum human time mode; violating only volume guidelines through high-volume requests to specific functions in a frequency mode; disregarding navigation constraints by accessing endpoints in impossible sequences in a user action path mode; and violating multiple constraints simultaneously in a combined mode.
EXAMPLES
Example 1: Implementation in Landslide Tracker Application
[0083] The Path-Frequency-Time (PFT) framework was implemented in a crowdsourced Landslide Tracker application used in the western ghats of South India and the Himalayan regions of North India. The application allowed local people to report landslides with critical information such as location, event time, images, and descriptions. The implementation defined a complete User Action Path (UAP) that included registration, login, home, user management (create, update, delete user, password update), and landslide management (create, update, delete landslide) functionalities.
[0084] The configuration specified MHT thresholds between user actions, such as 1000 milliseconds between registration and login, and 500 milliseconds for password updates. Frequency limits were set liberally at 10 operations per hour for common actions and 5 operations per hour for sensitive actions like user deletion. These thresholds were deliberately set to values impossible for humans to violate while being easily detectable when breached by bots. When deployed in a production environment, the application successfully maintained service quality during high-traffic landslide events while effectively preventing automated attack traffic.
Example 2: PFT Performance Testing
[0085] A comprehensive test suite was developed to evaluate the PFT framework effectiveness against various attack scenarios. The testing environment used an Apple laptop with an M3 Pro chip and 32GB of memory hosting the server, database, and user agents. A custom user agent framework simulated both regular users and attackers sending concurrent requests to the server.
[0086] Tests were conducted with five distinct attack modes implemented through the controlled simulation: targeting only unsecured pages like login and registration in an open mode; violating only minimum human time thresholds in a minimum human time mode; violating only frequency guidelines by exceeding request rate limits in a frequency mode; disregarding navigation constraints in a user action path mode; and violating all constraints simultaneously in a combined mode.
[0087] A total of 140 test runs were executed with varying numbers of users (20-200) and attackers. Each test run lasted five minutes, with results measured by successful request rate (SRR) and request latency. Control tests without PFT enabled confirmed that without protection, attackers consistently outperformed regular users, achieving 1194 SRR at 15ms latency compared to regular users' 35 SRR at 32ms. With PFT enabled, attacker SRR dropped to 16 at 2.3 seconds latency, while regular users maintained 32 SRR at 462ms latency. This pattern held across all user loads, demonstrating the framework's effectiveness in selectively restricting malicious traffic.
Example 3: Protection of Open Pages
[0088] To evaluate the effectiveness of the PFT framework's protection strategies for unsecured endpoints, specialized tests were conducted targeting login, registration, and informational pages. The protection incorporated four complementary approaches: session tokens, caching, load balancing, and database sharding.
[0089] For session token testing, the system generated cryptographically secure tokens for unauthenticated requests, configured to expire after 30 minutes of inactivity. Token generation was restricted to the application's landing page to minimize overhead. During simulated attacks, the system successfully tracked and attributed 95% of requests to specific sessions even without formal authentication.
[0090] Caching tests demonstrated significant performance improvements, with user authentication verification time reduced from 350ms to 25ms through in-memory credential caching. Catalog data caching similarly reduced response times for informational pages from 420ms to 40ms under load.
[0091] Load balancing tests distributed traffic across three application servers, maintaining stable response times even when one server was deliberately taken offline during the test. Database sharding tests showed that distributing user data across three database instances based on username first letter prevented database bottlenecks during high-volume registration attacks. The combined protection strategies maintained application availability even under sustained attack conditions targeting open pages, with legitimate users experiencing only a 12% increase in latency compared to non-attack conditions.

ADVANTAGES OF THE PRESENT DISCLOSURE
[0092] The present disclosure offers a deterministic approach to DDoS mitigation that eliminates the interpretability limitations of statistical models, making troubleshooting and refinement significantly more straightforward for security administrators.
[0093] The present disclosure maintains consistent application performance during attack conditions, preventing the service degradation that typically accompanies DDoS events and preserving business continuity without expensive specialized hardware.
[0094] The present disclosure significantly reduces false positives compared to traditional IP-based detection methods, correctly distinguishing between legitimate users and attackers even when multiple users share a single public IP address, preventing legitimate traffic blockage that damages user experience and organizational reputation.
[0095] The present disclosure operates without requiring CAPTCHA or similar user-interactive verification methods, eliminating the friction and accessibility issues these solutions introduce to the user experience while maintaining robust protection.
[0096] The present disclosure provides real-time protection through in-memory processing that introduces minimal latency overhead, enabling immediate detection and mitigation of attacks before they can overwhelm server resources.
[0097] The present disclosure scales effectively with increasing legitimate user load, dynamically prioritizing genuine traffic over attack traffic and actually improving relative performance for legitimate users as load increases.
, Claims:1. A multi-model contextual defense system (100), comprising:
at least one processor (101);
a memory (102) communicatively coupled to the at least one processor (101);
a central configuration server (104) communicatively coupled to the at least one processor (101) storing at least one user action path template (201), at least one minimum human time threshold (205), and at least one frequency guideline (202);
at least one application server (105) communicatively coupled to the at least one processor (101) implementing a path-frequency-time framework comprising a configuration component (107, 204), a tracker component (108, 207), a violation checker component (109, 210), and an enforcer component (110, 212), wherein the components communicate through a message-passing interface; and
a central monitoring system (106) communicatively coupled to the at least one processor (101) and the at least one application server (105) aggregating violation data (211) from the at least one application server (105) and identifying a coordinated attack targeting at least one application;
wherein the memory (102) comprises instructions which, when executed by the at least one processor (101), cause the at least one processor (101) to:
track user activity (111) in an application using an in-memory tracking module (116) that monitors a request sequence, a timing pattern, and a navigation flow;
compare activity (112) against the at least one user action path template (201), the at least one minimum human time threshold (205), and the at least one frequency guideline (202);
detect a violation (113) based on the comparison;
categorize the detected violation (114) into a critical violation or a non-critical violation based on certainty of malicious intent; and
apply a mitigation action (115) corresponding to the categorized violation to maintain quality of service for a legitimate user while restricting access for a potential attacker.
2. The multi-model contextual defense system (100) as claimed in claim 1, wherein the in-memory tracking module (116) comprises:
a from-to user action map stored in the memory (102) storing a cumulative minimum human time between a pair of user actions, wherein the map updates as user behavior changes; and
an activity-tracker map (209) stored in the memory (102) storing a request sequence and a timestamp for each user session, wherein the timestamp enables measurement of an interval between consecutive actions.
3. The multi-model contextual defense system (100) as claimed in claim 1, wherein the detected violation (113) comprises:
a minimum human time violation detected when a time interval between consecutive requests is less than the at least one minimum human time threshold (205);
a frequency violation detected when a request count exceeds the at least one frequency guideline (202) within a defined time window;
a user action path violation detected when a request sequence does not follow the at least one user action path template (201);
an authentication violation detected when a request lacks a valid authentication token;
an authorization violation detected when a request attempts to access a resource beyond a user permission level; and
an invalid request violation detected when a request has a missing parameter or attempts to modify a non-existent record.
4. The multi-model contextual defense system (100) as claimed in claim 3, wherein:
the user action path violation, the authentication violation, the authorization violation, and the invalid request violation comprise the critical violation, wherein the critical violation is classified as such because it cannot be generated through normal use of an application interface; and
the minimum human time violation and the frequency violation comprise the non-critical violation, wherein the non-critical violation is classified as such because it may be triggered by a legitimate user with a fast interaction pattern.
5. The multi-model contextual defense system (100) as claimed in claim 1, wherein the mitigation action (115) comprises:
deleting a user account when multiple critical violations are detected within a configurable timeframe;
blocking the user temporarily when an individual critical violation is detected, wherein a blocking duration increases with each subsequent violation;
logging out the user when a repeated non-critical violation is detected, requiring re-authentication to continue using the application;
terminating an individual request when an infrequent non-critical violation is detected, allowing a subsequent valid request to be processed; and
slowing down an individual request when an initial non-critical violation is detected by introducing a calculated processing delay proportional to a severity of the violation.
6. The multi-model contextual defense system (100) as claimed in claim 1, wherein the instructions further cause the at least one processor (101) to:
apply a protection strategy to an unsecured endpoint of the application, wherein the unsecured endpoint comprises a login page (302), a registration interface (301), or an informational display (313) that does not require authentication, and wherein the protection strategy comprises:
generating a cryptographically secure session token for a request lacking an authentication token, wherein the session token expires after a configurable period of inactivity;
implementing a caching module for frequently accessed data to reduce database load during a high traffic period;
implementing load balancing to distribute incoming requests across multiple servers based on current server capacity; and
implementing database sharing to distribute database operations across multiple database instances to prevent database resource exhaustion.
7. The multi-model contextual defense system (100) as claimed in claim 1, wherein:
the configuration component (107, 204) initializes an operating constraint by transforming the at least one user action path template (201), the at least one minimum human time threshold (205), and the at least one frequency guideline (202) into an application-specific ruleset;
the tracker component (108, 207) implements the in-memory tracking module (116) and updates a user activity record in real-time;
the violation checker component (109, 210) performs the comparison against the initialized operating constraint and generates a violation event when the at least one minimum human time threshold (205), the at least one frequency guideline (202), or the at least one user action path template (201) is violated; and
the enforcer component (110, 212) receives the violation event and executes the mitigation action (115) according to a configurable severity matrix (117).
8. A multi-model contextual defense method (400), comprising:
tracking user activity (404) in an application using an in-memory tracking module (116) that records a timestamp, a request parameter, and a navigation sequence;
comparing (406) the tracked user activity against at least one user action path template (201), at least one minimum human time threshold (205), and at least one frequency guideline (202);
detecting a violation (412) when the tracked activity deviates from the at least one user action path template (201), the at least one minimum human time threshold (205), or the at least one frequency guideline (202);
categorizing the detected violation into a critical violation or a non-critical violation based on a violation type and a contextual factor; and
applying a mitigation action (416) corresponding to the categorized violation, wherein the mitigation action ranges from a request delay to an account termination based on violation severity.
9. The multi-model contextual defense method (400) as claimed in claim 8, wherein detecting the violation comprises:
detecting a minimum human time violation by comparing a time difference between consecutive timestamps against the at least one minimum human time threshold (205);
detecting a frequency violation by counting requests within a time window and comparing against the at least one frequency guideline (202);
detecting a user action path violation by verifying a navigation sequence against the at least one user action path template (201);
detecting an authentication violation by validating presence and integrity of an authentication token;
detecting an authorization violation by comparing a requested action against a permission matrix; and
detecting an invalid request violation by validating a request parameter and a target resource existence.
10. The multi-model contextual defense method (400) as claimed in claim 8, further comprising:
conducting a controlled simulation in a test environment employing the at least one processor (101) and the at least one application server (105) to evaluate defense capability, wherein conducting the controlled simulation comprises employing at least one attack mode comprising:
targeting only an unsecured page of the at least one application server (105) through an unauthenticated request in an open mode, simulating an attack against a public endpoint;
violating only the at least one minimum human time threshold (205) configured in the central configuration server (104) through a programmatically accelerated request sequence in a minimum human time mode;
violating only the at least one frequency guideline (202) configured in the central configuration server (104) through a high-volume request to a specific application function in a frequency mode;
disregarding a navigation constraint defined in the at least one user action path template (201) by accessing an endpoint in a sequence impossible through normal application usage in a user action path mode; and
violating multiple constraints across the central configuration server (104) and the at least one application server (105) simultaneously in a combined mode to evaluate defense capability against a sophisticated attack.