TECHNIQUES FOR DETECTING ATTACKS IN A PUBLISH-SUBSCRIBE NETWORK

US 20170230413A1
Filed: 02/10/2016
Published: 08/10/2017
Est. Priority Date: 02/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting a network attack, the method comprising:

generating a set of indicators that represents a current state of a network;

generating a first probability that the network is subject to attack based on a first indicator included in the set of indicators;

generating a second probability that the network is subject to attack based on a second indicator in the set of indicators;

combining the first probability with the second probability to generate a third probability;

determining that the third probability exceeds a first threshold value; and

in response, dispatching a first handler configured to address the network attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A publish-subscribe network includes a network infrastructure configured to support the exchange of data. An intrusion detection system is coupled to the network infrastructure and configured to process signals received from that infrastructure in order to detect malicious attacks on the network infrastructure. The intrusion detection system includes an evaluator that generates a set of indicators based on the received signals. The evaluator models these indicators as stochastic processes, and then predicts an attack probability for each indicator based on a predicted future state of each such indicator. The evaluator combines the various attack probabilities and determines an overall attack level for the network infrastructure. Based on the attack level, the intrusion detection system dispatches a specific handler to prevent or mitigate attacks.

5 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting a network attack, the method comprising:
- generating a set of indicators that represents a current state of a network;
  
  generating a first probability that the network is subject to attack based on a first indicator included in the set of indicators;
  
  generating a second probability that the network is subject to attack based on a second indicator in the set of indicators;
  
  combining the first probability with the second probability to generate a third probability;
  
  determining that the third probability exceeds a first threshold value; and
  
  in response, dispatching a first handler configured to address the network attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving a set of signals from the network; and
      
      parsing the set of signals to identify one or more subsets of signals in the set of signals, wherein each subset of signals corresponds to a different indicator in the set of indicators.
  - 3. The computer-implemented method of claim 1, wherein generating a first probability that the network is subject to attack comprises:
    - mapping the indicator to an initial state vector;
      
      initializing a stochastic model of the indicator based on the initial state vector;
      
      computing one or more transitions of the stochastic model to determine a final set of states of the stochastic model; and
      
      determining a final state in the set of states of the stochastic model based on a final probability of the final state.
  - 4. The computer-implemented method of claim 3, wherein the stochastic model of the indicator includes a Markov chain comprising a set of states initialized to represent the initial state vector and a set of transition probabilities for transitioning between each state in the set of states.
  - 5. The computer-implemented method of claim 3, wherein computing a transition of the stochastic model comprises multiplying a state vector associated with the stochastic model by a transition matrix to generate a subsequent state vector for the stochastic model.
  - 6. The computer-implemented method of claim 1, wherein combining the first probability with the second probability comprises computing a weighted sum of the first probability and the second probability to generate the third probability,
  - 7. The computer-implemented method of claim 1, wherein the third probability represents an overall likelihood that the network is subject to attack.
  - 8. The computer-implemented method of claim 1, further comprising:
    - comparing the third probability to a second threshold value; and
      
      determining that the third probability does not exceed the second threshold value, indicating that the network has a first probability of being subject to attack,wherein the handler is configured address the network attack by preventing a denial of service from occurring.
  - 9. The computer-implemented method of claim 1, further comprising:
    - comparing the third probability to a second threshold value; and
      
      determining that the third probability exceeds the second threshold value, indicating that the network has a first probability of being subject to attack,wherein the handler is configured to address the network attack by mitigating a denial of service that is currently underway.

10. A non-transitory computer-readable medium including instructions that, when executed by a processor, cause the processor to detect a network attack, by performing the steps of:
- generating a set of indicators that represents a current state of a network;
  
  generating a first probability that the network is subject to attack based on a first indicator included in the set of indicators;
  
  generating a second probability that the network is subject to attack based on a second indicator in the set of indicators;
  
  combining the first probability with the second probability to generate a third probability;
  
  determining that the third probability exceeds a first threshold value; and
  
  in response, dispatching a first handler configured to address the network attack.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable medium of claim 10, wherein generating the set of indicators comprises:
    - receiving a set of signals from the network; and
      
      parsing the set of signals to identify one or more subsets of signals in the set of signals, wherein each subset of signals corresponds to a different indicator in the set of indicators.
  - 12. The non-transitory computer-readable medium of claim 10, wherein generating a first probability that the network is subject to attack comprises:
    - mapping the indicator to an initial state vector;
      
      initializing a stochastic model of the indicator based on the initial state vector;
      
      computing one or more transitions of the stochastic model to determine a final set of states of the stochastic model; and
      
      determining a final state in the set of states of the stochastic model based on a final probability of the final state.
  - 13. The non-transitory computer-readable medium of claim 12, wherein mapping the indicator to the initial state vector comprises converting one or more values associated with the indicator into one or more initial states associated with the initial state vector via a transformation function.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the transformation function is determined based on a supervised learning process or based on an empirical analysis of the network.
  - 15. The non-transitory computer-readable medium of claim 12, wherein the stochastic model of the indicator includes a Markov chain comprising a set of states initialized to represent the initial state vector and a set of transition probabilities for transitioning between each state in the set of states.
  - 16. The non-transitory computer-readable medium of claim 12, wherein computing a transition of the stochastic model comprises multiplying a state vector associated with the stochastic model by a transition matrix to generate a subsequent state vector for the stochastic model.
  - 17. The non-transitory computer-readable medium of claim 16, wherein the transition matrix is determined based on a supervised learning process or based on an empirical analysis of the network.
  - 18. The non-transitory computer-readable medium of claim 10, wherein combining the first probability with the second probability comprises computing a weighted sum of the first probability and the second probability to generate the third probability,

19. A system for detecting network attacks, comprising:
- a memory that includes an intrusion detection application; and
  
  a processor that is coupled to the memory and, when executing the intrusion detection application, is configured to to;
  
  generate a set of indicators that represents a current state of a network,generate a first probability that the network is subject to attack based on a first indicator included in the set of indicators,generate a second probability that the network is subject to attack based on a second indicator in the set of indicators,combine the first probability with the second probability to generate a third probability,determine that the third probability exceeds a first threshold value, andin response, dispatch a first handler configured to address the network attack.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the third probability represents an overall likelihood that the network is subject to attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
MARESCA, Paolo

Granted Patent

US 10,333,968 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06N 7/01   Probabilistic graphical mod...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

TECHNIQUES FOR DETECTING ATTACKS IN A PUBLISH-SUBSCRIBE NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

5 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR DETECTING ATTACKS IN A PUBLISH-SUBSCRIBE NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links