Distributed voting mechanism for attack detection

US 9,230,104 B2
Filed: 05/09/2014
Issued: 01/05/2016
Est. Priority Date: 05/09/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting, at a first network device, a potential network attack by executing a classifier, wherein the classifier is configured to select a label from among a plurality of labels based on a set of input features;

sending voting requests that identify the potential network attack to a plurality of neighboring network devices, wherein the voting requests include a set of values for the set of input features that were used to detect the potential attack at the first network device, and wherein a particular neighboring network device determines input features for a local classifier and uses the local classifier to generate a vote regarding the potential network attack;

receiving, from each of the one or more of the neighboring network devices, a vote regarding the potential network attack;

confirming, by the first network device, that the network attack is present based on the received votes; and

generating, by the first network device, an alert that an attack has been detected.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a network node receives a voting request from a neighboring node that indicates a potential network attack. The network node determines a set of feature values to be used as input to a classifier based on the voting request. The network node also determines whether the potential network attack is present by using the set of feature values as input to the classifier. The network node further sends a vote to the neighboring node that indicates whether the potential network attack was determined to be present.

22 Citations

View as Search Results

22 Claims

1. A method, comprising:
- detecting, at a first network device, a potential network attack by executing a classifier, wherein the classifier is configured to select a label from among a plurality of labels based on a set of input features;
  
  sending voting requests that identify the potential network attack to a plurality of neighboring network devices, wherein the voting requests include a set of values for the set of input features that were used to detect the potential attack at the first network device, and wherein a particular neighboring network device determines input features for a local classifier and uses the local classifier to generate a vote regarding the potential network attack;
  
  receiving, from each of the one or more of the neighboring network devices, a vote regarding the potential network attack;
  
  confirming, by the first network device, that the network attack is present based on the received votes; and
  
  generating, by the first network device, an alert that an attack has been detected.
- View Dependent Claims (2, 3, 4)
- - 2. The method as in claim 1, wherein a particular vote is generated by a particular neighboring network device using values for the set of input features that were observed by the neighboring network node.
  - 3. The method as in claim 1, wherein a particular vote is generated by a particular neighboring network device using the set of values for the input features included in the voting requests.
  - 4. The method as in claim 1, wherein the network attack is confirmed after expiration of a timer.

5. A method, comprising:
- receiving, at a network node, a voting request from a neighboring node that indicates a potential network attack;
  
  determining a set of feature values to be used as input to a local classifier based on the voting request, wherein the voting request includes the set of one or more feature values;
  
  determining, by the network node, whether the potential network attack is present by using the determined set of feature values as input to the local classifier; and
  
  sending, by the network node, a vote to the neighboring node that indicates whether the potential network attack was determined to be present.
- View Dependent Claims (6, 7, 8)
- - 6. The method as in claim 5, further comprising:
    - determining that the classifier matches a type of classifier indicated by the voting request.
  - 7. The method as in claim 5, further comprising:
    - generating a particular feature value by observing a communication link to the neighboring node.
  - 8. The method as in claim 5, wherein the vote indicates whether the vote was based on feature values observed by the network node or was based on feature values included in the voting request.

9. An apparatus, comprising:
- one or more network interfaces to communicate with a low power and lossy network (LLN);
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  detect a potential network attack by executing a classifier, wherein the classifier is configured to select a label from among a plurality of labels based on a set of input features;
  
  send voting requests that identify the potential network attack to a plurality of neighboring network devices, wherein the voting requests include a set of values for the set of input features that were used to detect the potential attack at the first network device, and wherein a particular neighboring network device determines input features for a local classifier and uses the local classifier to generate a vote regarding the potential network attack;
  
  receive, from each of the one or more of the neighboring network devices, a vote regarding the potential network attack;
  
  confirm that the network attack is present based on the received votes; and
  
  generate an alert that an attack has been detected.
- View Dependent Claims (10, 11, 12)
- - 10. The apparatus as in claim 9, wherein a particular vote is generated by a particular neighboring network device using values for the set of input features that were observed by the neighboring network node.
  - 11. The apparatus as in claim 9, wherein a particular vote is generated by a particular neighboring network device using the set of values for the input features included in the voting requests.
  - 12. The apparatus as in claim 9, wherein the network attack is confirmed after expiration of a timer.

13. An apparatus, comprising:
- one or more network interfaces to communicate with a low power and lossy network (LLN);
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive a voting request from a neighboring node that indicates a potential network attack;
  
  determine a set of feature values to be used as input to a local classifier based on the voting request, wherein the voting request includes the set of one or more feature values;
  
  determine whether the potential network attack is present by using the determined set of feature values as input to the local classifier; and
  
  send a vote to the neighboring node that indicates whether the potential network attack was determined to be present.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus as in claim 13, wherein the process when executed is further operable to:
    - determine that the classifier matches a type of classifier indicated by the voting request.
  - 15. The apparatus as in claim 13, wherein the process when executed is further operable to:
    - generate a particular feature value by observing a communication link to the neighboring node.
  - 16. The apparatus as in claim 13, wherein the vote indicates whether the vote was based on feature values observed by the network node or was based on feature values included in the voting request.

17. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- receive a voting request from a neighboring node that indicates a potential network attack;
  
  determine a set of feature values to be used as input to a local classifier based on the voting request, wherein the voting request includes the set of one or more feature values;
  
  determine whether the potential network attack is present by using the determined set of feature values as input to the local classifier; and
  
  send a vote to the neighboring node that indicates whether the potential network attack was determined to be present.
- View Dependent Claims (18, 19)
- - 18. The tangible, non-transitory, computer-readable media as in claim 17, wherein the software when executed by the processor is further operable to:
    - determine that the classifier matches a type of classifier indicated by the voting request.
  - 19. The tangible, non-transitory, computer-readable media as in claim 17, wherein the vote indicates whether the vote was based on feature values observed by the network node or was based on feature values included in the voting request.

20. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- detect a potential network attack by executing a classifier, wherein the classifier is configured to select a label from among a plurality of labels based on a set of input features;
  
  send voting requests that identify the potential network attack to a plurality of neighboring network devices, wherein the voting requests include a set of values for the set of input features that were used to detect the potential attack at the first network device, and wherein a particular neighboring network device determines input features for a local classifier and uses the local classifier to generate a vote regarding the potential network attack;
  
  receive, from each of the one or more of the neighboring network devices, a vote regarding the potential network attack;
  
  confirm that the network attack is present based on the received votes; and
  
  generate an alert that an attack has been detected.
- View Dependent Claims (21, 22)
- - 21. The tangible, non-transitory, computer-readable media as in claim 20, wherein a particular vote is generated by a particular neighboring network device using values for the set of input features that were observed by the neighboring network node.
  - 22. The tangible, non-transitory, computer-readable media as in claim 20, wherein a particular vote is generated by a particular neighboring network device using the set of values for the input features included in the voting requests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vasseur, Jean-Philippe, Di Pietro, Andrea, Cruz Mota, Javier
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/273,676
Publication Number

US 20150324582A1
Time in Patent Office

606 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1408   by monitoring network traff...

H04W 12/121   Wireless intrusion detectio...

H04W 12/122   Counter-measures against at...

H04W 84/18   Self-organising networks, e...

Distributed voting mechanism for attack detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed voting mechanism for attack detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links