Private-learned IDS

US 10,708,284 B2
Filed: 07/07/2017
Issued: 07/07/2020
Est. Priority Date: 07/07/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining, by a device in a network, a plurality of machine learning-based detectors for an intrusion detection system, wherein each detector analyzes for intrusions a different portion of a feature space of traffic characteristics assessed by the intrusion detection system, and wherein each portion of the feature space is separated from an adjacent portion of the feature space by one or more detection boundaries;

providing, by the device, data regarding the plurality of detectors to a user interface;

receiving, at the device, an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors; and

adjusting, by the device, the portions of the feature space associated with the plurality of detectors by modifying the one or more detection boundaries based on the adjustment instruction received from the user interface,wherein receiving the adjustment instruction from the user interface comprises;

receiving, at the device, a first parameter for a particular one of the detectors that controls a distance from a point in the features space associated with the particular detector, wherein the distance in the feature space controls a range of the traffic characteristics in the feature space that trigger the particular detector; and

receiving, at the device, a second parameter for the particular detector that controls a tradeoff between recall and precision of the particular detector by controlling a bound for the portion of the features space associated with the particular detector.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.

22 Citations

16 Claims

1. A method comprising:
- maintaining, by a device in a network, a plurality of machine learning-based detectors for an intrusion detection system, wherein each detector analyzes for intrusions a different portion of a feature space of traffic characteristics assessed by the intrusion detection system, and wherein each portion of the feature space is separated from an adjacent portion of the feature space by one or more detection boundaries;
  
  providing, by the device, data regarding the plurality of detectors to a user interface;
  
  receiving, at the device, an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors; and
  
  adjusting, by the device, the portions of the feature space associated with the plurality of detectors by modifying the one or more detection boundaries based on the adjustment instruction received from the user interface,wherein receiving the adjustment instruction from the user interface comprises;
  
  receiving, at the device, a first parameter for a particular one of the detectors that controls a distance from a point in the features space associated with the particular detector, wherein the distance in the feature space controls a range of the traffic characteristics in the feature space that trigger the particular detector; and
  
  receiving, at the device, a second parameter for the particular detector that controls a tradeoff between recall and precision of the particular detector by controlling a bound for the portion of the features space associated with the particular detector.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as in claim 1, further comprising:
    - receiving, at the device, traffic characteristic data regarding traffic observed in the network;
      
      identifying, by the device, a particular one of the plurality of detectors that is associated with the portion of the feature space that corresponds to the received traffic characteristic data; and
      
      using, by the device, the particular detector to determine whether the traffic characteristic data is indicative of malware being present in the network.
  - 3. The method as in claim 1, further comprising:
    - generating, by the device, a new detector for the intrusion detection system based on a sample of traffic characteristics from the network by;
      
      determining, by the device, a mean of the sample as a point in the feature space;
      
      calculating, by the device, a direction in the feature space relative to the point in the feature space that points towards a region of the feature space associated with unlabeled background traffic characteristics observed in the network.
  - 4. The method as in claim 3, wherein generating the new detector comprises:
    - calculating a distance from the point in the feature space to the region of the feature space associated with the unlabeled background traffic characteristics as a covariance between the mean of the sample and a mean of the unlabeled background traffic characteristics observed in the network.
  - 5. The method as in claim 1, wherein adjusting the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface comprises:
    - training, by the device, a new detector for the feature space that whitelists traffic behaviors represented by the portion of the feature space associated with the new detector.
  - 6. The method as in claim 5, wherein the new detector reduces one or more portions of the feature space associated with one or more of the plurality of detectors.
  - 7. The method as in claim 1, wherein the portions of the feature space associated with two or more of the detectors are overlapping, and wherein the method further comprises:
    - identifying, by the device, the two or more detectors based on a sample of characteristics data observed in the network falling within the overlapping portions of the feature space associated with the two or more detectors; and
      
      determining, by the device, whether the sample is indicative of malware being present in the network by weighting results from the two or more detectors.

8. An apparatus comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed configured to;
  
  maintain a plurality of machine learning-based detectors for an intrusion detection system, wherein each detector analyzes for intrusions a different portion of a feature space of traffic characteristics assessed by the intrusion detection system, and wherein each portion of the feature space is separated from an adjacent portion of the feature space by one or more detection boundaries;
  
  provide data regarding the plurality of detectors to a user interface;
  
  receive an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors; and
  
  adjust the portions of the feature space associated with the plurality of detectors by modifying the one or more detection boundaries based on the adjustment instruction received from the user interface,wherein the apparatus receives the adjustment instruction from the user interface by;
  
  receiving a first parameter for a particular one of the detectors that controls a distance from a point in the features space associated with the particular detector, wherein the distance in the feature space controls a range of the traffic characteristics in the feature space that trigger the particular detector; and
  
  receiving a second parameter for the particular detector that controls a tradeoff between recall and precision of the particular detector by controlling a bound for the portion of the features space associated with the particular detector.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The apparatus as in claim 8, wherein the process when executed is further configured to:
    - receive traffic characteristic data regarding traffic observed in the network;
      
      identify a particular one of the plurality of detectors that is associated with the portion of the feature space that corresponds to the received traffic characteristic data; and
      
      use the particular detector to determine whether the traffic characteristic data is indicative of malware being present in the network.
  - 10. The apparatus as in claim 8, wherein the process when executed is further configured to:
    - generate a new detector for the intrusion detection system based on a sample of traffic characteristics from the network by;
      
      determining a mean of the sample as a point in the feature space;
      
      calculate a direction in the feature space relative to the point in the feature space that points towards a region of the feature space associated with unlabeled background traffic characteristics observed in the network.
  - 11. The apparatus as in claim 10, wherein the new detector is further generated by:
    - calculating a distance from the point in the feature space to the region of the feature space associated with the unlabeled background traffic characteristics as a covariance between the mean of the sample and a mean of the unlabeled background traffic characteristics observed in the network.
  - 12. The apparatus as in claim 8, wherein the apparatus adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface by:
    - training a new detector for the feature space that whitelists traffic behaviors represented by the portion of the feature space associated with the new detector.
  - 13. The apparatus as in claim 12, wherein the new detector reduces one or more portions of the feature space associated with one or more of the plurality of detectors.
  - 14. The apparatus as in claim 8, wherein the portions of the feature space associated with two or more of the detectors are overlapping, and wherein the process when executed further comprises:
    - identifying the two or more detectors based on a sample of characteristics data observed in the network falling within the overlapping portions of the feature space associated with the two or more detectors; and
      
      determining whether the sample is indicative of malware being present in the network by weighting results from the two or more detectors.
  - 15. The apparatus as in claim 14, wherein the apparatus weights the results from the two or more detectors based on distances between points in the feature space associated with the two or more detectors and the point in the feature space associated with the sample.

16. A tangible, non-transitory, computer-readable medium having software encoded thereon, the software when executed by a device in a network configured to:
- maintaining, by the device in the network, a plurality of machine learning-based detectors for an intrusion detection system, wherein each detector analyzes for intrusions a different portion of a feature space of traffic characteristics assessed by the intrusion detection system, and wherein each portion of the feature space is separated from an adjacent portion of the feature space by one or more detection boundaries;
  
  providing, by the device, data regarding the plurality of detectors to a user interface;
  
  receiving, at the device, an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors; and
  
  adjusting, by the device, the portions of the feature space associated with the plurality of detectors by modifying the one or more detection boundaries based on the adjustment instruction received from the user interface,wherein receiving the adjustment instruction from the user interface comprises;
  
  receiving, at the device, a first parameter for a particular one of the detectors that controls a distance from a point in the features space associated with the particular detector, wherein the distance in the feature space controls a range of the traffic characteristics in the feature space that trigger the particular detector; and
  
  receiving, at the device, a second parameter for the particular detector that controls a tradeoff between recall and precision of the particular detector by controlling a bound for the portion of the features space associated with the particular detector.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kopp, Martin, Somol, Petr, Pevny, Tomas, McGrew, David
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almaghayreh, Khalid M

Application Number

US15/643,573
Publication Number

US 20190014134A1
Time in Patent Office

1,096 Days
Field of Search

726 22- 26, 709206, 709223, 713198, 713193-194
US Class Current
CPC Class Codes

G06F 3/01   Input arrangements or combi...

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/045   Explanation of inference; E...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Private-learned IDS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Private-learned IDS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links