Clustering approach for detecting DDoS botnets on the cloud from IPFix data
Abstract
Machine learning is used to train a classifier that classifies entities, increasing confidence that a given entity is part of a distributed denial of service attack. The method includes training a classifier to use a first classification method to identify probabilities that entities from a set of entities are performing denial of service attacks. The method further includes identifying a subset of entities meeting a threshold probability of performing a denial of service attack. The method further includes, using a second classification method, identifying similarity of entities in the subset of entities. The method further includes, based on the similarity, classifying individual entities.
20 Claims
1. A system configured to train and use a classifier to classify entities to determine whether the entities are part of a distributed denial of service (DDoS) attack, the system comprising:
- one or more hardware processors; and
- one or more computer-readable storage devices having stored thereon instructions that are executable by the one or more hardware processors to configure the system to perform at least the following:
  - train a classifier to use a first classification method to identify probabilities that entities are performing denial of service attacks, the training comprising applying a captured dataset including data flow protocol information associated with known DDoS attacks;
  - using the trained classifier, identify a subset of entities from a set of candidate entities that meet or exceed a threshold probability of performing a denial of service attack;
  - using a second classification method, identify similarity of entities in the identified subset of entities; and
  - based on the similarity, classify individual entities of the subset of entities as belonging to one or more similarity subgroups, each similarity subgroup comprising entities having a probability of participating in a same DDoS.

(Dependent claims 2 to 12 depend on claim 1.)

13. A computer implemented method for training a classifier for classifying entities to determine whether the entities are part of a distributed denial of service (DDoS) attack, the method comprising:
- training a classifier to use a first classification method to identify probabilities that entities are performing denial of service attacks, the training comprising applying a captured dataset including data flow protocol information associated with known DDoS attacks;
- using the trained classifier, identifying a subset of entities from a set of candidate entities that meet or exceed a threshold probability of performing a denial of service attack;
- using a second classification method, identifying similarity of entities in the subset of identified entities; and
- based on the similarity, classifying individual entities of the subset of entities as belonging to one or more similarity subgroups, each similarity subgroup comprising entities having a probability of participating in a same DDoS.

(Dependent claims 14 to 19 depend on claim 13.)

20. A computer system configured to use a trained classifier to classify entities to determine whether the entities are part of a distributed denial of service (DDoS) attack, the system comprising:
- a botnet classifier coupled to a plurality of computing entities, the botnet classifier comprising one or more computer processors, wherein the botnet classifier is configured to:
  - capture data flow protocol information from the entities in the plurality of entities;
  - provide the captured data flow protocol information from the entities to a trained classifier, the trained classifier having been trained by applying previously captured data including data flow protocol information associated with known DDoS attacks, the trained classifier implementing a first classification method to identify probabilities that entities are performing denial of service attacks based on the captured data flow protocol information;
  - identify a subset of entities from a set of candidate entities that meet or exceed a threshold probability of performing a denial of service attack;
  - using a second classification method, identify similarity of entities in the identified subset of entities; and
  - based on the similarity, classify individual entities of the subset of entities as belonging to one or more similarity subgroups, each similarity subgroup comprising entities having a probability of participating in a same DDoS.
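The two-stage procedure the claims describe (probability classifier, threshold, then similarity grouping) as an added illustration that is not the patent's own implementation. It assumes per-entity features already aggregated from IPFIX flow records and scaled to [0,1], uses a hand-written logistic regression as the first classification method, and uses greedy distance-based grouping as a stand-in for the unspecified second method; all feature vectors and entity addresses are constructed.

```python
# Two-stage pipeline: stage 1 trains a logistic-regression classifier (plain SGD,
# no libraries) on labelled IPFIX-style features and keeps entities at or above a
# probability threshold; stage 2 groups the survivors by feature-space distance.
# Constructed vectors, scaled to [0,1]: (pps/10000, bytes/pkt/1500, dst ports/50, share to busiest dst).
from math import exp, sqrt

TRAIN = [  # constructed labelled set: 1 = known DDoS participant, 0 = benign
    ((0.90, 0.04, 0.02, 0.99), 1), ((0.85, 0.05, 0.02, 0.98), 1),
    ((0.30, 0.80, 0.04, 0.95), 1), ((0.32, 0.78, 0.04, 0.96), 1),
    ((0.04, 0.60, 0.24, 0.20), 0), ((0.005, 0.47, 0.60, 0.10), 0),
    ((0.02, 0.30, 0.50, 0.30), 0), ((0.06, 0.50, 0.20, 0.40), 0)]
CANDIDATES = {  # constructed entities observed on the monitored segment
    "10.0.0.11": (0.88, 0.04, 0.02, 0.99), "10.0.0.12": (0.87, 0.04, 0.02, 0.98),
    "10.0.0.13": (0.03, 0.65, 0.30, 0.25), "10.0.0.14": (0.89, 0.04, 0.02, 0.97),
    "10.0.0.15": (0.29, 0.81, 0.04, 0.95), "10.0.0.16": (0.31, 0.77, 0.04, 0.96),
    "10.0.0.17": (0.01, 0.45, 0.55, 0.12)}

def ddos_probability(model, x):
    """Probability that an entity with feature vector x is a DDoS participant."""
    z = sum(wi * xi for wi, xi in zip(model[0], x)) + model[1]
    return 1.0 / (1.0 + exp(-z))

def train_logistic(data, epochs=2000, lr=0.5):
    """Fit (weights, bias) by stochastic gradient descent on the log loss."""
    w, b = [0.0] * 4, 0.0
    for _ in range(epochs):
        for x, y in data:
            g = ddos_probability((w, b), x) - y  # gradient of log loss wrt logit
            w = [wi - lr * g * xi for wi, xi in zip(w, x)]
            b -= lr * g
    return w, b

def select_candidates(model, entities, threshold=0.5):
    """Stage 1: keep entities whose probability meets or exceeds the threshold."""
    return {e: x for e, x in entities.items() if ddos_probability(model, x) >= threshold}

def similarity_subgroups(subset, eps=0.2):
    """Stage 2: an entity joins the first subgroup whose seed vector lies within
    Euclidean distance eps of it, otherwise it seeds a new subgroup."""
    groups = []  # (seed feature vector, [entity ids])
    for entity, x in sorted(subset.items()):
        for seed, members in groups:
            if sqrt(sum((a - c) ** 2 for a, c in zip(seed, x))) <= eps:
                members.append(entity)
                break
        else:
            groups.append((x, [entity]))
    return [members for _, members in groups]

def classify(entities=CANDIDATES):
    """Run both stages and return the list of similarity subgroups."""
    return similarity_subgroups(select_candidates(train_logistic(TRAIN), entities))
```

With the constructed data, the two benign-looking entities are dropped at stage 1 and the five survivors split into a small-packet flood subgroup and a large-payload flood subgroup.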
Specification