IPFIX-based detection of amplification attacks on databases
First Claim

1. A system for protecting against amplification attacks, the system comprising:
- a data store;
- an appliance comprising one or more processors coupled to the data store, wherein the processors are configured to:
  - collect a plurality of samples of IPFIX data;
  - use the IPFIX data to create a plurality of time-based server samples on a per-server basis such that each server sample corresponds to a server and a period of time to which the IPFIX data in the sample corresponds;
  - identify a first plurality of the server samples that are labeled positive for amplification attacks, indicating that the first plurality of the server samples are associated with amplification attacks;
  - identify a second plurality of the server samples that are labeled negative for amplification attacks, indicating that the second plurality of the server samples are not associated with amplification attacks; and
  - automatically label at least some of the remaining server samples as positive or negative based on the previously identified labeled samples, by using the previously identified labeled samples to predict, with confidence above a predetermined threshold, that the at least some of the remaining server samples should be labeled as positive or negative; and
- a protection system configured to use the automatically labeled samples to identify and protect against amplification attacks.
Abstract
One embodiment illustrated herein includes a computer-implemented method. The method includes acts for training an amplification attack detection system. The method includes obtaining a plurality of samples of IPFIX data. The method further includes using the IPFIX data to create a plurality of time-based server samples on a per-server basis such that each sample corresponds to a server and a period of time to which the IPFIX data in the sample corresponds. The method further includes identifying a plurality of the server samples that are labeled positive for amplification attacks. The method further includes identifying a plurality of server samples that are labeled negative for amplification attacks. The method further includes automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples. The method further includes using the automatically labeled samples to train an amplification attack detection system.
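The pipeline the abstract and claims describe (IPFIX records, aggregated into per-server, per-time-window samples; a few analyst-supplied positive and negative labels; the remaining samples labeled automatically only when a prediction clears a confidence threshold) can be followed end to end in the added example below. This is illustrative code written for this page, not code from the patent or its assignee. The patent does not specify the features or the predictor, so both are assumptions here: two features per sample (log amplification factor, i.e. octets the server sent divided by octets it received, and log distinct clients) and a centroid-distance predictor that self-trains in passes. The IPFIX field names follow RFC 7012; every address, byte count, window size and threshold value is constructed for the demonstration.

```python
"""Semi-supervised labeling of per-server IPFIX windows.

Added example (not the patent's code). Assumptions: the two features,
the centroid-based predictor, the 60 s window, the 0.90 threshold and all
addresses and byte counts are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import log10, sqrt

WINDOW_MS = 60_000   # one server sample per server per minute (assumed)
CONFIDENCE = 0.90    # the claim's "predetermined threshold" (value assumed)

# Servers whose traffic is being sampled (constructed, hypothetical addresses).
SERVERS = {"10.0.0.10", "10.0.0.20", "10.0.0.30", "10.0.0.40", "10.0.0.50"}


@dataclass(frozen=True)
class Flow:
    """Minimal IPFIX record using RFC 7012 information element names."""
    flowStartMilliseconds: int
    sourceIPv4Address: str
    destinationIPv4Address: str
    packetDeltaCount: int
    octetDeltaCount: int


def make_flows(server, n_clients, req_octets, resp_octets, t0):
    """Constructed request/response flow pairs for one server in one window."""
    flows = []
    for i in range(n_clients):
        client = f"192.0.2.{i + 1}"  # TEST-NET-1 documentation addresses
        flows.append(Flow(t0 + i, client, server, 1, req_octets))
        flows.append(Flow(t0 + i, server, client, 1, resp_octets))
    return flows


# Constructed sample: window 0 holds one reflector-like server (many clients,
# tiny requests, huge responses), two ordinary database servers, a second
# reflector-like server and one ambiguous server; window 1 shows the first
# server behaving normally, so the same server yields a different sample.
FLOWS = (
    make_flows("10.0.0.10", 50, 60, 30_000, 0)
    + make_flows("10.0.0.20", 5, 400, 1_200, 0)
    + make_flows("10.0.0.30", 6, 400, 1_600, 0)
    + make_flows("10.0.0.40", 40, 50, 20_000, 0)
    + make_flows("10.0.0.50", 20, 100, 3_000, 0)
    + make_flows("10.0.0.10", 4, 300, 900, WINDOW_MS)
)

# Analyst-supplied seed labels: (server, window) -> True if amplification attack.
SEED_LABELS = {("10.0.0.10", 0): True, ("10.0.0.20", 0): False}


def build_server_samples(flows, window_ms=WINDOW_MS):
    """Aggregate IPFIX flows into (server, window) samples with two features.

    Returns {(server, window): (log10 amplification, log10 distinct clients)},
    where amplification = octets the server sent / octets it received.
    """
    acc = defaultdict(lambda: {"in": 0, "out": 0, "peers": set()})
    for f in flows:
        window = f.flowStartMilliseconds // window_ms
        if f.destinationIPv4Address in SERVERS:        # request towards a server
            s = acc[(f.destinationIPv4Address, window)]
            s["in"] += f.octetDeltaCount
            s["peers"].add(f.sourceIPv4Address)
        elif f.sourceIPv4Address in SERVERS:           # response from a server
            s = acc[(f.sourceIPv4Address, window)]
            s["out"] += f.octetDeltaCount
            s["peers"].add(f.destinationIPv4Address)
    samples = {}
    for key, s in acc.items():
        amplification = s["out"] / max(s["in"], 1)
        samples[key] = (log10(max(amplification, 1e-3)), log10(len(s["peers"])))
    return samples


def _dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _centroid(points):
    if not points:
        raise ValueError("need at least one positive and one negative seed")
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))


def self_train(samples, seed_labels, confidence=CONFIDENCE):
    """Label remaining samples in passes while confident predictions remain.

    P(positive) is the sample's relative distance to the negative centroid.
    A sample becomes positive when P >= confidence, negative when
    P <= 1 - confidence, and is otherwise left unlabeled for a later pass.
    Returns (labels, sorted list of keys that never cleared the threshold).
    """
    labels = dict(seed_labels)
    while True:
        pos = _centroid([samples[k] for k, v in labels.items() if v])
        neg = _centroid([samples[k] for k, v in labels.items() if not v])
        newly = {}
        for key, feat in samples.items():
            if key in labels:
                continue
            d_pos, d_neg = _dist(feat, pos), _dist(feat, neg)
            p_pos = d_neg / (d_pos + d_neg) if d_pos + d_neg else 0.5
            if p_pos >= confidence:
                newly[key] = True
            elif p_pos <= 1 - confidence:
                newly[key] = False
        if not newly:
            break
        labels.update(newly)
    return labels, sorted(k for k in samples if k not in labels)


def label_constructed_sample():
    """Run the whole pipeline on the constructed flows."""
    return self_train(build_server_samples(FLOWS), SEED_LABELS)


if __name__ == "__main__":
    labels, unlabeled = label_constructed_sample()
    for key in sorted(labels):
        src = "seed" if key in SEED_LABELS else "auto"
        print(f"{key[0]:<10} window {key[1]}: {'POSITIVE' if labels[key] else 'negative'} ({src})")
    print("left unlabeled:", unlabeled)
```

On the constructed input the first pass labels 10.0.0.40 positive and 10.0.0.30 and the second window of 10.0.0.10 negative, while 10.0.0.50 (moderate amplification, moderate client count) sits near the midpoint and stays unlabeled after the second pass, which is the behaviour the threshold exists to produce: uncertain windows are left for review rather than pushed into the training set. The per-window keying is what lets a server be a positive sample in one minute and a negative one in the next.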
Citations: 4

Claims (20)

1. Independent claim 1 is reproduced under First Claim above. Dependent claims 2, 3 and 4 not shown.

5. A system comprising:
- one or more processors; and
- one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to train an amplification attack detection system, including instructions that are executable to configure the computer system to perform at least the following:
  - obtain a plurality of samples of IPFIX data;
  - use the IPFIX data to create a plurality of time-based server samples on a per-server basis such that each server sample corresponds to a server and a period of time to which the IPFIX data in the sample corresponds;
  - identify a first plurality of the server samples that are labeled positive for amplification attacks, indicating that the first plurality of the server samples are associated with amplification attacks;
  - identify a second plurality of the server samples that are labeled negative for amplification attacks, indicating that the second plurality of the server samples are not associated with amplification attacks;
  - automatically label at least some of the remaining server samples as positive or negative based on the previously identified labeled samples, by using the previously identified labeled samples to predict, with confidence above a predetermined threshold, that the at least some of the remaining server samples should be labeled as positive or negative; and
  - use the automatically labeled samples to train an amplification attack detection system to protect against amplification attacks.

Dependent claims 6, 7, 8, 9, 10, 11 and 12 not shown.

13. A method of training an amplification attack detection system, the method comprising:
- obtaining a plurality of samples of IPFIX data;
- using the IPFIX data to create a plurality of time-based server samples on a per-server basis such that each server sample corresponds to a server and a period of time to which the IPFIX data in the sample corresponds;
- identifying a first plurality of the server samples that are labeled positive for amplification attacks, indicating that the first plurality of the server samples are associated with amplification attacks;
- identifying a second plurality of the server samples that are labeled negative for amplification attacks, indicating that the second plurality of the server samples are not associated with amplification attacks;
- automatically labeling at least some of the remaining server samples as positive or negative based on the previously identified labeled samples, by using the previously identified labeled samples to predict, with confidence above a predetermined threshold, that the at least some of the remaining server samples should be labeled as positive or negative; and
- using the automatically labeled samples to train an amplification attack detection system to protect against amplification attacks.

Dependent claims 14, 15, 16, 17, 18, 19 and 20 not shown.
Specification