Private-learned IDS
First Claim
1. A method comprising:
- maintaining, by a device in a network, a plurality of machine learning-based detectors for an intrusion detection system, wherein each detector analyzes for intrusions a different portion of a feature space of traffic characteristics assessed by the intrusion detection system, and wherein each portion of the feature space is separated from an adjacent portion of the feature space by one or more detection boundaries;
- providing, by the device, data regarding the plurality of detectors to a user interface;
- receiving, at the device, an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors; and
- adjusting, by the device, the portions of the feature space associated with the plurality of detectors by modifying the one or more detection boundaries based on the adjustment instruction received from the user interface, wherein receiving the adjustment instruction from the user interface comprises:
- receiving, at the device, a first parameter for a particular one of the detectors that controls a distance from a point in the feature space associated with the particular detector, wherein the distance in the feature space controls a range of the traffic characteristics in the feature space that trigger the particular detector; and
- receiving, at the device, a second parameter for the particular detector that controls a tradeoff between recall and precision of the particular detector by controlling a bound for the portion of the feature space associated with the particular detector.
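The claim above describes the mechanism abstractly: every detector owns a portion of the traffic feature space, the first operator-supplied parameter is a distance from a point that sets how wide the detector's trigger range is, and the second is a bound on the portion that moves the recall/precision tradeoff. The following is an added toy model of that scheme, not code from the patent or its assignee. It assumes a nearest-prototype reading of the claim: each detector is centred on a prototype point, `radius` stands in for the first parameter, and `margin` (how much closer to this prototype than to any neighbouring prototype a point must be, which pulls the detection boundary in) stands in for the second; the feature names, prototypes, labelled samples and the shape of the adjustment instruction are all constructed for illustration.

```python
"""
Added example, not code from the patent or its assignee: a toy model of
per-detector feature-space portions with two operator-adjustable parameters.
Assumed mapping to the claim: `radius` = first parameter (distance from the
detector's point that still triggers it), `margin` = second parameter (a bound
that pulls the boundary toward the prototype, trading recall for precision).
"""
from dataclasses import dataclass
import math

# Feature vector layout, assumed for the example.
FEATURES = ("log2_pkts_per_s", "distinct_dst_ports")

# Centre of the benign traffic; it has no detector, so points assigned to it raise no alert.
BENIGN_CENTER = (1.0, 1.0)


@dataclass
class Detector:
    name: str
    center: tuple   # prototype point in feature space the detector was trained around
    radius: float   # first parameter: maximum distance from `center` that can trigger
    margin: float   # second parameter: required lead over the nearest neighbouring prototype

    def triggers(self, x, neighbours):
        """True if x lies inside this detector's portion of the feature space."""
        d = math.dist(x, self.center)
        if d > self.radius:                      # outside the trigger range
            return False
        nearest_other = min(math.dist(x, c) for c in neighbours)
        # The detection boundary sits `margin` inside the midpoint between prototypes.
        return nearest_other - d >= self.margin


def build_detectors():
    """Two attack detectors with a deliberately loose starting configuration."""
    return [
        Detector("port_scan", center=(5.0, 8.0), radius=4.0, margin=0.5),
        Detector("flood", center=(9.0, 1.0), radius=4.0, margin=0.5),
    ]


def classify(x, detectors):
    """Name of the detector whose portion contains x, or None for benign."""
    for det in detectors:
        neighbours = [BENIGN_CENTER] + [o.center for o in detectors if o is not det]
        if det.triggers(x, neighbours):
            return det.name
    return None


def apply_adjustment(detectors, instruction):
    """Apply a UI adjustment instruction: {'detector': name, 'radius': r, 'margin': m}."""
    for det in detectors:
        if det.name == instruction["detector"]:
            det.radius = float(instruction.get("radius", det.radius))
            det.margin = float(instruction.get("margin", det.margin))
            return det
    raise KeyError(instruction["detector"])


# Constructed, labelled traffic samples: (feature vector, ground truth).
SAMPLES = [
    ((1.0, 1.0), None), ((2.0, 1.0), None), ((1.0, 2.0), None), ((3.0, 2.0), None),
    ((3.0, 4.0), None),
    ((6.0, 2.0), None),            # bursty but legitimate: close to the flood prototype
    ((5.0, 8.0), "port_scan"), ((4.0, 7.0), "port_scan"),
    ((3.0, 5.0), "port_scan"),     # slow scan sitting near the benign/scan boundary
    ((9.0, 1.0), "flood"), ((8.0, 2.0), "flood"),
]


def evaluate(detectors, samples=SAMPLES):
    """Per-detector (precision, recall) over the labelled samples."""
    out = {}
    for det in detectors:
        tp = fp = fn = 0
        for x, truth in samples:
            fired = classify(x, detectors) == det.name
            if fired and truth == det.name:
                tp += 1
            elif fired:
                fp += 1
            elif truth == det.name:
                fn += 1
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        out[det.name] = (round(prec, 3), round(rec, 3))
    return out


if __name__ == "__main__":
    dets = build_detectors()
    print("initial: ", evaluate(dets))
    # Operator tightens the flood detector's range and the scan detector's bound.
    apply_adjustment(dets, {"detector": "flood", "radius": 2.5})
    apply_adjustment(dets, {"detector": "port_scan", "margin": 1.0})
    print("adjusted:", evaluate(dets))
```

Running it shows the two parameters doing different jobs: shrinking the flood detector's `radius` drops the bursty benign sample and lifts that detector's precision without losing a flood, while raising the port scan detector's `margin` moves its boundary away from the benign prototype and trades the slow scan near that boundary (recall falls) for a cleaner region. `apply_adjustment` is the one place the operator's instruction touches detection boundaries, so it is also where a real implementation would validate the parameter values before they take effect.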
Abstract
In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.
16 Claims
1. A method comprising: (independent claim 1, reproduced in full under First Claim above; dependent claims 2 through 7 are not shown on this page.)
8. An apparatus comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the network interfaces and configured to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed configured to:
- maintain a plurality of machine learning-based detectors for an intrusion detection system, wherein each detector analyzes for intrusions a different portion of a feature space of traffic characteristics assessed by the intrusion detection system, and wherein each portion of the feature space is separated from an adjacent portion of the feature space by one or more detection boundaries;
- provide data regarding the plurality of detectors to a user interface;
- receive an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors; and
- adjust the portions of the feature space associated with the plurality of detectors by modifying the one or more detection boundaries based on the adjustment instruction received from the user interface, wherein the apparatus receives the adjustment instruction from the user interface by:
- receiving a first parameter for a particular one of the detectors that controls a distance from a point in the feature space associated with the particular detector, wherein the distance in the feature space controls a range of the traffic characteristics in the feature space that trigger the particular detector; and
- receiving a second parameter for the particular detector that controls a tradeoff between recall and precision of the particular detector by controlling a bound for the portion of the feature space associated with the particular detector.
(Dependent claims 9 through 15 are not shown on this page.)
16. A tangible, non-transitory, computer-readable medium having software encoded thereon, the software when executed by a device in a network configured to:
- maintaining, by the device in the network, a plurality of machine learning-based detectors for an intrusion detection system, wherein each detector analyzes for intrusions a different portion of a feature space of traffic characteristics assessed by the intrusion detection system, and wherein each portion of the feature space is separated from an adjacent portion of the feature space by one or more detection boundaries;
- providing, by the device, data regarding the plurality of detectors to a user interface;
- receiving, at the device, an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors; and
- adjusting, by the device, the portions of the feature space associated with the plurality of detectors by modifying the one or more detection boundaries based on the adjustment instruction received from the user interface, wherein receiving the adjustment instruction from the user interface comprises:
- receiving, at the device, a first parameter for a particular one of the detectors that controls a distance from a point in the feature space associated with the particular detector, wherein the distance in the feature space controls a range of the traffic characteristics in the feature space that trigger the particular detector; and
- receiving, at the device, a second parameter for the particular detector that controls a tradeoff between recall and precision of the particular detector by controlling a bound for the portion of the feature space associated with the particular detector.
Specification