BEHAVIORAL WHITE LABELING
Abstract
In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.
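The triage flow in the abstract, sketched as an added example (not code from the patent). The feature names, the Gaussian z-score scoring, the two model profiles and the 0.6 threshold are all assumptions chosen for illustration; a flow that a model cannot fully evaluate scores 0.0, so it is forwarded to the detector rather than cleared.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class TrafficModel:
    """One benign flow type as per-feature (mean, std). Hypothetical model form."""
    name: str
    features: dict  # feature name -> (mean, std)

    def conformance(self, flow: dict) -> float:
        """Degree of conformance in [0, 1]; 1.0 means the flow sits on the model mean."""
        z2 = []
        for feat, (mean, std) in self.features.items():
            value = flow.get(feat)
            # Missing or non-finite features must never clear a flow: score it 0.0.
            if not isinstance(value, (int, float)) or not math.isfinite(value) or std <= 0:
                return 0.0
            z2.append(((value - mean) / std) ** 2)
        if not z2:
            return 0.0
        return math.exp(-0.5 * sum(z2) / len(z2))

# Constructed benign profiles (assumed values, not from the patent).
MODELS = [
    TrafficModel("sensor-telemetry",
                 {"pps": (2.0, 1.0), "avg_bytes": (120.0, 30.0), "syn_ratio": (0.02, 0.02)}),
    TrafficModel("firmware-download",
                 {"pps": (400.0, 150.0), "avg_bytes": (1400.0, 100.0), "syn_ratio": (0.001, 0.005)}),
]
THRESHOLD = 0.6  # assumed cut-off for a "sufficient" degree of conformance

def triage(flow, detector_queue, models=MODELS, threshold=THRESHOLD):
    """Return (verdict, best_model, score); append non-conforming flows to detector_queue."""
    score, name = max(((m.conformance(flow), m.name) for m in models), default=(0.0, None))
    if score >= threshold:
        return ("non-malicious", name, score)
    detector_queue.append(flow)  # stand-in for handing the flow to the DoS attack detector
    return ("sent-to-dos-detector", name, score)

if __name__ == "__main__":
    queue = []
    flows = [  # constructed sample flows
        {"pps": 2.5, "avg_bytes": 130.0, "syn_ratio": 0.03},    # close to sensor-telemetry
        {"pps": 5000.0, "avg_bytes": 60.0, "syn_ratio": 0.98},  # matches no benign model
        {"pps": 2.0, "avg_bytes": 120.0},                       # incomplete flow record
    ]
    for f in flows:
        print(triage(f, queue))
    print("queued for DoS detector:", len(queue))
```

Only the first flow is characterized as non-malicious; the other two reach the detector queue, which is the fail-toward-scanning behavior a pre-filter of this kind needs.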
25 Claims
1. A method, comprising:
- receiving a data flow at a traffic model manager node in a network;
- determining, by the traffic model manager node, a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;
- if the degree to which the received data flow conforms to the one or more traffic models is sufficient, characterizing, by the traffic model manager node, the received data flow as non-malicious; and
- if the degree to which the received data flow conforms to the one or more traffic models is not sufficient, providing, from the traffic model manager node, the received data flow to a denial of service (DoS) attack detector in the network to allow the received data flow to be scanned for potential attacks.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. An apparatus, comprising:
- one or more network interfaces to communicate with a network as a traffic model manager node;
- a processor coupled to the one or more network interfaces and configured to execute a process; and
- a memory configured to store program instructions which include the process executable by the processor, the process comprising:
  - receiving a data flow in the network;
  - determining a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;
  - if the degree to which the received data flow conforms to the one or more traffic models is sufficient, characterizing the received data flow as non-malicious; and
  - if the degree to which the received data flow conforms to the one or more traffic models is not sufficient, providing the received data flow to a denial of service (DoS) attack detector in the network to allow the received data flow to be scanned for potential attacks.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
25. A tangible non-transitory computer readable medium storing program instructions that cause a computer to execute a process, the process comprising:
- receiving a data flow at a traffic model manager node in a network;
- determining, by the traffic model manager node, a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;
- if the degree to which the received data flow conforms to the one or more traffic models is sufficient, characterizing, by the traffic model manager node, the received data flow as non-malicious; and
- if the degree to which the received data flow conforms to the one or more traffic models is not sufficient, providing, from the traffic model manager node, the received data flow to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.
Specification