Techniques for customer-derived training of intrusion management systems
First Claim
1. A system, comprising:
one or more processors; and
memory including instructions that, as a result of execution by the one or more processors, cause the system to:
generate a security model that characterizes network data by applying attack classifications;
determine that a security test is to be performed to a target endpoint by a client device associated with a customer of a computing resource service provider, the target endpoint being a virtual computer system hosted by the computing resource service provider;
obtain, from the customer via the client device, a plurality of attributes of the security test, wherein the plurality of attributes include a first identifier of the client device, second identifier of the target endpoint, and a length of time specified for performing the security test;
modify, based at least in part on the plurality of attributes of the security test, the security model to produce a modified security model to be usable in determining traffic profiles from ingestion of network traffic between the client device and the target endpoint;
determine, based at least in part on the plurality of attributes of the security test and the security model, a subset of the network traffic between the client device and the target endpoint in connection with the security test, the subset of the network traffic conforming to the plurality of attributes of the security test;
process, by at least utilizing the modified security model, the subset of the network traffic to determine a traffic profile;
process the traffic profile using the attack classifications to generate training data; and
update, based at least in part on the training data, the modified security model by at least generating a new attack classification that matches the traffic profile with a higher confidence level than the attack classifications used to generate the training data.
1 Assignment
0 Petitions
Abstract
Techniques described and suggested herein include various systems and methods for using customer-initiated security tests to generate training data for use in improving detection and mitigation capabilities related to network intrusion and data security attacks. Such techniques may include implementing machine learning techniques to refine the security models used therewith. For example, customers of a computing resource provider may notify the computing resource provider that a security test is scheduled to occur. In response, in some embodiments, information related to the security test may be used to improve an implemented security model.
30 Citations
20 Claims
1. A system (independent claim; full text under First Claim above). Dependent claims: 2, 3, 4.
5. A computer-implemented method, comprising:
generating a security model that characterizes network data by applying attack classifications;
obtaining, from a customer of a computing resource service provider via a client device, information relating to a security test between the client device and a virtual computer system, the information including a source identifier that identifies the client device, a target identifier that identifies the virtual computer system, and a duration of the security test, the security test being directed to the virtual computer system from the client device;
configuring, based at least in part on the information relating to the security test, the security model to produce a configured security model to be usable in determining traffic profiles from ingestion of network traffic between the client and the virtual computer system;
monitoring the network traffic between the client device and the virtual computer system in connection with the security test;
using the configured security model to determine a traffic profile for the security test;
comparing the traffic profile to the attack classifications to generate training data; and
updating the configured security model using the training data by at least generating a new attack classification that matches the traffic profile with a higher confidence level than the attack classifications used to generate the training data.
Dependent claims: 6, 7, 8, 9, 10, 11, 12.
13. A non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
generate a security model that characterizes network data by applying a plurality of attack classifications;
obtain, from a customer of a computing resource service provider via a source client, information relating to a security test being performed to a destination client by the source client, the destination client being a virtual computer system of the computing resource service provider, the information including a first identifier corresponding to the source client, a second identifier corresponding to the destination client, and an amount of time for the security test;
modify, based at least in part on the information, the security model to produce a modified security model to configure the modified security model to be usable in determining traffic profiles from ingestion of network traffic between the source client and the destination client;
monitor the network traffic between the source client and the destination client in connection with the security test;
use the modified security model to determine a traffic profile for a portion of time during which the security test between the source client and the destination client is monitored;
generate training data by assessing the traffic profile against the plurality of attack classifications associated with the modified security model; and
update the modified security model using the training data by at least generating a new attack classification that matches the traffic profile with a higher confidence level than the plurality of attack classifications used to generate the training data.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
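As an added illustration, not code from the patent or its assignee, the following Python sketches the pipeline that claims 1, 5 and 13 describe: the customer-declared source, target and duration select the in-scope flows, a traffic profile is derived from that subset, the profile is scored against the existing attack classifications, per-slice profiles become training data, and a new classification is added that matches the profile with higher confidence. The flow record layout, the feature vector, the distance-based confidence score and the classification names are all constructed assumptions, and out-of-scope traffic (another source, or outside the declared window) is deliberately never labelled.

```python
import math
from collections import namedtuple

# One flow record (constructed stand-in for ingested traffic): timestamp, source
# and destination identifiers, destination port, and a SYN-only (half-open) flag.
Flow = namedtuple("Flow", "ts src dst dport syn_only")
# Attributes the customer declares for the test: source, target and time window.
SecurityTest = namedtuple("SecurityTest", "source_id target_id start duration")

def select_test_traffic(flows, test):
    """Subset of traffic conforming to the declared source, target and window."""
    end = test.start + test.duration
    return [f for f in flows if f.src == test.source_id
            and f.dst == test.target_id and test.start <= f.ts < end]

def traffic_profile(flows, seconds):
    """Feature vector: flows/sec, distinct destination ports/sec, SYN-only fraction."""
    if not flows:
        return None
    return (len(flows) / seconds, len({f.dport for f in flows}) / seconds,
            sum(f.syn_only for f in flows) / len(flows))

def classify(profile, classifications):
    """Best-matching classification and its confidence, exp(-distance to centroid)."""
    scores = {n: math.exp(-math.dist(profile, c)) for n, c in classifications.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]

def train_on_test(flows, test, classifications, label, slice_len=10.0):
    """Profile the in-scope traffic, score it against the existing classifications, build
    training data from per-slice profiles and add a new classification at their mean.
    Returns ((old_label, old_conf), (new_label, new_conf)); None if nothing is in scope."""
    subset = select_test_traffic(flows, test)
    profile = traffic_profile(subset, test.duration)
    if profile is None:
        return None  # never label traffic outside the declared test with this class
    before = classify(profile, classifications)
    training = []  # (profile, label) pairs, one per time slice of the test window
    t = test.start
    while t < test.start + test.duration:
        p = traffic_profile([f for f in subset if t <= f.ts < t + slice_len], slice_len)
        if p: training.append((p, label))
        t += slice_len
    classifications[label] = tuple(sum(d) / len(training) for d in zip(*(p for p, _ in training)))
    return before, classify(profile, classifications)

def sample_flows():
    """Constructed traffic: a 30 s sweep from the declared tester plus out-of-scope noise."""
    sweep = [Flow(1000.0 + i, "10.0.0.5", "10.0.1.20", 1 + i, True) for i in range(30)]
    noise = [Flow(1005.0, "10.0.0.9", "10.0.1.20", 443, False),  # different source
             Flow(1050.0, "10.0.0.5", "10.0.1.20", 22, True)]    # after the window
    return sweep + noise
```

Before training, the sweep profile is closest to an existing class with low confidence; afterwards the new classification matches it with confidence 1.0, while the two noise flows never enter the training data.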