Techniques for detecting attacks in a publish-subscribe network
First Claim
1. A computer-implemented method for detecting a network attack in a publish-subscribe network, the method comprising:
generating a current system model that represents a current state of the publish-subscribe network, the current system model including: a set of state-related indicators representing an operational state of the publish-subscribe network, wherein the set of state-related indicators includes at least one of a topic fan-in or a topic fan-out, and a set of flow-related indicators representing an overall traffic flow through the publish-subscribe network;
generating a first probability that the publish-subscribe network is subject to attack, based on a first indicator included in the set of state-related indicators;
generating a second probability that the publish-subscribe network is subject to attack, based on a second indicator in the set of flow-related indicators;
combining the first probability with the second probability to generate a third probability;
determining that the third probability exceeds a first threshold value; and
in response, dispatching a first handler configured to address the network attack.
1 Assignment
0 Petitions
Abstract
A publish-subscribe network includes a network infrastructure configured to support the exchange of data. An intrusion detection system is coupled to the network infrastructure and configured to process signals received from that infrastructure in order to detect malicious attacks on the network infrastructure. The intrusion detection system includes an evaluator that generates a set of indicators based on the received signals. The evaluator models these indicators as stochastic processes, and then predicts an attack probability for each indicator based on a predicted future state of each such indicator. The evaluator combines the various attack probabilities and determines an overall attack level for the network infrastructure. Based on the attack level, the intrusion detection system dispatches a specific handler to prevent or mitigate attacks.
18 Claims
1. A computer-implemented method for detecting a network attack in a publish-subscribe network, the method comprising:
generating a current system model that represents a current state of the publish-subscribe network, the current system model including: a set of state-related indicators representing an operational state of the publish-subscribe network, wherein the set of state-related indicators includes at least one of a topic fan-in or a topic fan-out, and a set of flow-related indicators representing an overall traffic flow through the publish-subscribe network;
generating a first probability that the publish-subscribe network is subject to attack, based on a first indicator included in the set of state-related indicators;
generating a second probability that the publish-subscribe network is subject to attack, based on a second indicator in the set of flow-related indicators;
combining the first probability with the second probability to generate a third probability;
determining that the third probability exceeds a first threshold value; and
in response, dispatching a first handler configured to address the network attack.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. One or more non-transitory computer-readable media including instructions that, when executed by one or more processors, cause the one or more processors to detect a network attack in a publish-subscribe network, by performing the steps of:
generating a current system model that represents a current state of the publish-subscribe network, the current system model including: a set of state-related indicators representing an operational state of the publish-subscribe network, and a set of flow-related indicators representing an overall traffic flow through the publish-subscribe network, wherein the set of flow-related indicators includes at least one of an inter-arrival rate, a scheme, and an addressing generality;
generating a first probability that the publish-subscribe network is subject to attack based on a first indicator included in the set of state-related indicators;
generating a second probability that the publish-subscribe network is subject to attack based on a second indicator in the set of flow-related indicators;
combining the first probability with the second probability to generate a third probability;
determining that the third probability exceeds a first threshold value; and
in response, dispatching a first handler configured to address the network attack.
Dependent claims: 11, 12, 13, 14, 15, 16.

17. A system for detecting a network attack in a publish-subscribe network, comprising:
a memory that includes an intrusion detection application; and
a processor that is coupled to the memory and, when executing the intrusion detection application, is configured to:
generate a current system model that represents a current state of the publish-subscribe network, the current system model including: a set of state-related indicators representing an operational state of the publish-subscribe network, and a set of flow-related indicators representing an overall traffic flow through the publish-subscribe network, wherein the set of flow-related indicators includes at least one of an inter-arrival rate, a scheme, and an addressing generality,
generate a first probability that the publish-subscribe network is subject to attack based on a first indicator included in the set of state-related indicators,
generate a second probability that the publish-subscribe network is subject to attack based on a second indicator in the set of flow-related indicators,
combine the first probability with the second probability to generate a third probability,
determine that the third probability exceeds a first threshold value, and
in response, dispatch a first handler configured to address the network attack.
Dependent claims: 18.
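The claimed pipeline (a system model built from state-related and flow-related indicators, a per-indicator attack probability, a combined probability, a threshold, and handler dispatch) as an added Python example; this is not code from the patent or from any product it describes. The patent fixes neither the stochastic model nor the combination rule, so the example assumes an EWMA Gaussian baseline per indicator, a logistic map of the deviation from the predicted state, a noisy-OR combination, illustrative handler names, and constructed observations.

```python
import math
from dataclasses import dataclass

@dataclass
class IndicatorModel:
    """One indicator (e.g. topic fan-in) modelled as an EWMA Gaussian process."""
    alpha: float = 0.2       # smoothing factor (assumed; the patent fixes none)
    mean: float = math.nan   # predicted next value; nan until the first sample
    var: float = 1.0         # predicted spread around that value

    def update(self, x: float) -> None:
        """Fold a benign observation into the predicted future state."""
        if math.isnan(self.mean):
            self.mean = x
            return
        d = x - self.mean
        self.mean += self.alpha * d
        self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)

    def attack_probability(self, x: float) -> float:
        """Logistic map of how far x departs from the predicted state."""
        z = abs(x - self.mean) / math.sqrt(max(self.var, 1e-6))
        return 1.0 / (1.0 + math.exp(-(z - 4.0)))  # ~0.02 at z=0, 0.5 at z=4

def combine(probabilities) -> float:
    """Noisy-OR (assumed rule) over the per-indicator attack probabilities."""
    return 1.0 - math.prod(1.0 - p for p in probabilities)

# Handler dispatched for the dominant indicator; names are illustrative only.
HANDLERS = {"topic_fan_in": "throttle_new_publishers", "topic_fan_out": "cap_subscriptions",
            "inter_arrival_rate": "rate_limit_topic"}  # fan-in/out: state; rate: flow

def train(observations) -> dict:
    """Generate the current system model from benign observations."""
    models = {n: IndicatorModel() for n in HANDLERS}
    for obs in observations:
        for name, x in obs.items():
            models[name].update(x)
    return models

def evaluate(models, obs, threshold=0.5):
    """Return (overall attack level, handler to dispatch or None)."""
    probs = {n: models[n].attack_probability(x) for n, x in obs.items()}
    level = combine(probs.values())
    handler = HANDLERS[max(probs, key=probs.get)] if level > threshold else None
    return level, handler

# Constructed benign baseline: ~3 publishers and ~50 subscribers per topic, ~100 msg/s.
BASELINE = [{"topic_fan_in": 3 + i % 3 - 1, "topic_fan_out": 50 + i % 5 - 2,
             "inter_arrival_rate": 100 + i % 7 - 3} for i in range(40)]
MODELS = train(BASELINE)
```

A sudden jump in topic fan-in (many new publishers on one topic) or in message inter-arrival rate pushes that indicator's probability toward 1, so the noisy-OR level crosses the threshold and the handler keyed to that indicator is selected.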