VERIFYING NETWORK ATTACK DETECTOR EFFECTIVENESS

US 20160028753A1
Filed: 07/23/2014
Published: 01/28/2016
Est. Priority Date: 07/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a device in a network, a classifier tracking request from a coordinator device that specifies a classifier verification time period;

classifying, by the device and during the classifier verification time period, a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device;

generating, by the device, classification results based on the classified set of network traffic; and

providing, by the device, the classification results to the coordinator device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.

42 Citations

View as Search Results

30 Claims

1. A method, comprising:
- receiving, at a device in a network, a classifier tracking request from a coordinator device that specifies a classifier verification time period;
  
  classifying, by the device and during the classifier verification time period, a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device;
  
  generating, by the device, classification results based on the classified set of network traffic; and
  
  providing, by the device, the classification results to the coordinator device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as in claim 1, wherein classifying the set of network traffic comprises:
    - receiving an instruction from the coordinator device that specifies the attack traffic to be classified; and
      
      mixing the attack traffic with the traffic observed by the device to form the set of network traffic.
  - 3. The method as in claim 2, wherein the instruction from the coordinator device includes the attack traffic.
  - 4. The method as in claim 2, further comprising:
    - retrieving, from a local memory of the device, the attack traffic in response to receiving the instruction from the coordinator device.
  - 5. The method as in claim 2, further comprising:
    - classifying the traffic observed by the device as a separate process from classifying the set of network traffic that includes the traffic observed by the device and the attack traffic.
  - 6. The method as in claim 1, wherein the normal traffic and the observed traffic are received from one or more other devices in the network, and wherein the coordinator device instructs the one or more other devices to send the attack traffic at a low priority.
  - 7. The method as in claim 1, further comprising:
    - modeling, by the device, network traffic patterns of traffic flowing through the device;
      
      detecting, by the device, a traffic pattern change using the modeled network traffic patterns; and
      
      , in response,requesting, from the coordinator device, coordination of an attack classifier verification test.
  - 8. The method as in claim 1, wherein the coordinator device uses the classification results to determine performance indices for the device.

9. A method, comprising:
- identifying, by a coordinator device in a network, a type of network attack;
  
  determining, by the coordinator device, a verification schedule during which an attack classifier executed by a device in the network is to be tested;
  
  coordinating, by the coordinator device, an attack detection test for the attack classifier for execution during the verification schedule and for the identified type of network attack;
  
  receiving, at the coordinator device, results of the attack detection test from the device; and
  
  evaluating, by the coordinator device, a performance of the attack classifier based on the results of the attack detection test.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method as in claim 9, wherein coordinating the attack detection test comprises:
    - instructing the device to evaluate a particular set of attack traffic during the attack detection test by mixing the attack traffic with traffic observed by the device.
  - 11. The method as in claim 9, wherein coordinating the attack detection test comprises:
    - instructing a set of one or more network nodes to send attack traffic to the device during the attack detection test.
  - 12. The method as in claim 11, wherein the instruction causes the set of one or more network nodes to flag the attack traffic as testing traffic.
  - 13. The method as in claim 11, wherein the set of one or more network nodes deprioritize the attack traffic with respect to other network traffic.
  - 14. The method as in claim 9, wherein the set of one or more network nodes are instructed to use a different routing topology than a normal routing topology during the attack detection test.
  - 15. The method as in claim 9, wherein the verification schedule is authorized by a network policy engine.

16. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive a classifier tracking request from a coordinator device that specifies a classifier verification time period;
  
  classify, during the classifier verification time period, a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device;
  
  generate classification results based on the classified set of network traffic; and
  
  provide the classification results to the coordinator device.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The apparatus as in claim 16, wherein the set of network traffic is classified by:
    - receiving an instruction from the coordinator device that specifies the attack traffic to be classified; and
      
      mixing the attack traffic with the traffic observed by the device to form the set of network traffic.
  - 18. The apparatus as in claim 17, wherein the instruction from the coordinator device includes the attack traffic.
  - 19. The apparatus as in claim 17, wherein the process when executed is further operable to:
    - retrieve, from the memory, the attack traffic in response to receiving the instruction from the coordinator device.
  - 20. The apparatus as in claim 17, wherein the process when executed is further operable to:
    - classify the traffic observed by the device as a separate process from classifying the set of network traffic that includes the traffic observed by the device and the attack traffic.
  - 21. The apparatus as in claim 16, wherein the normal traffic and the observed traffic are received from one or more other devices in the network, and wherein the coordinator device instructs the one or more other devices to send the attack traffic at a low priority.
  - 22. The apparatus as in claim 16, wherein the process when executed is further operable to:
    - model network traffic patterns of traffic flowing through the device;
      
      detect a traffic pattern change using the modeled network traffic patterns; and
      
      , in response,request, from the coordinator device, coordination of an attack classifier verification test.
  - 23. The apparatus as in claim 16, wherein the coordinator device uses the classification results to determine performance indices for the device.

24. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  identify a type of network attack;
  
  determine a verification schedule during which an attack classifier executed by a device in the network is to be tested;
  
  coordinate an attack detection test for the attack classifier for execution during the verification schedule and for the identified type of network attack;
  
  receive results of the attack detection test from the device; and
  
  evaluate a performance of the attack classifier based on the results of the attack detection test.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The apparatus as in claim 24, wherein the attack detection test is coordinated by:
    - instructing the device to evaluate a particular set of attack traffic during the attack detection test by mixing the attack traffic with traffic observed by the device.
  - 26. The apparatus as in claim 24, wherein the attack detection test is coordinate by:
    - instructing a set of one or more network nodes to send attack traffic to the device during the attack detection test.
  - 27. The apparatus as in claim 26, wherein the instruction causes the set of one or more network nodes to flag the attack traffic as testing traffic.
  - 28. The apparatus as in claim 26, wherein the set of one or more network nodes deprioritize the attack traffic with respect to other network traffic.
  - 29. The apparatus as in claim 24, wherein the set of one or more network nodes are instructed to use a different routing topology than a normal routing topology during the attack detection test.
  - 30. The apparatus as in claim 24, wherein the verification schedule is authorized by a network policy engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Di Pietro, Andrea, Vasseur, Jean-Philippe, Cruz Mota, Javier

Granted Patent

US 9,686,312 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1458   Denial of Service

H04L 67/1001   for accessing one among a p...

VERIFYING NETWORK ATTACK DETECTOR EFFECTIVENESS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

VERIFYING NETWORK ATTACK DETECTOR EFFECTIVENESS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links