Distributed voting mechanism for attack detection
First Claim
1. A method, comprising:
- detecting, at a first network device, a potential network attack by executing a classifier, wherein the classifier is configured to select a label from among a plurality of labels based on a set of input features;
- sending voting requests that identify the potential network attack to a plurality of neighboring network devices, wherein the voting requests include a set of values for the set of input features that were used to detect the potential attack at the first network device, and wherein a particular neighboring network device determines input features for a local classifier and uses the local classifier to generate a vote regarding the potential network attack;
- receiving, from each of the one or more of the neighboring network devices, a vote regarding the potential network attack;
- confirming, by the first network device, that the network attack is present based on the received votes; and
- generating, by the first network device, an alert that an attack has been detected.
Abstract
In one embodiment, a network node receives a voting request from a neighboring node that indicates a potential network attack. The network node determines a set of feature values to be used as input to a classifier based on the voting request. The network node also determines whether the potential network attack is present by using the set of feature values as input to the classifier. The network node further sends a vote to the neighboring node that indicates whether the potential network attack was determined to be present.
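The exchange described in the first claim and the abstract, as an added sketch that is not taken from the patent. The toy classifier, the feature names, the quorum and the strict-majority tally are all assumptions: the text only says the attack is confirmed "based on the received votes".

```python
from dataclasses import dataclass

FEATURES = ("pkt_loss", "retx_rate")   # constructed feature names

@dataclass
class Node:
    name: str
    threshold: float        # stands in for this node's locally trained model
    reachable: bool = True  # False models a request or vote lost on the LLN

    def classify(self, features):
        """Toy local classifier: select one label from the input features."""
        score = 0.6 * features["pkt_loss"] + 0.4 * features["retx_rate"]
        return "attack" if score >= self.threshold else "normal"

    def handle_voting_request(self, request):
        """Voter side: take feature values from the request, classify, vote."""
        if not self.reachable:
            return None
        features = request.get("features", {})
        if any(f not in features for f in FEATURES):
            return None                      # malformed request: abstain
        return {"voter": self.name, "attack_id": request["attack_id"],
                "present": self.classify(features) == "attack"}

def confirm_attack(initiator, neighbors, features, attack_id, quorum=2):
    """Initiator side: detect, request votes, tally, decide whether to alert."""
    if initiator.classify(features) != "attack":
        return {"alert": False, "reason": "not detected locally"}
    request = {"attack_id": attack_id, "features": dict(features)}
    votes = {}
    for node in neighbors:
        vote = node.handle_voting_request(request)
        if vote is None or vote["attack_id"] != attack_id:
            continue                         # lost, abstained, or stale vote
        votes.setdefault(vote["voter"], vote["present"])  # one vote per voter
    if len(votes) < quorum:                  # assumed rule: need enough voters
        return {"alert": False, "reason": "no quorum", "received": len(votes)}
    yes = sum(votes.values())
    confirmed = 2 * yes > len(votes)         # assumed rule: strict majority
    return {"alert": confirmed, "reason": "majority" if confirmed else "outvoted",
            "yes": yes, "received": len(votes)}

# Constructed sample: one observation and four neighbours with differing models.
SAMPLE = {"pkt_loss": 0.8, "retx_rate": 0.5}
NEIGHBORS = [Node("n1", 0.5), Node("n2", 0.6), Node("n3", 0.9),
             Node("n4", 0.5, reachable=False)]
RESULT = confirm_attack(Node("n0", 0.5), NEIGHBORS, SAMPLE, attack_id=1)
```

With the constructed sample, two of the three votes that arrive agree with the initiator, so the alert is raised even though one neighbour disagrees and one never answers.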
22 Claims
1. A method, comprising:
- detecting, at a first network device, a potential network attack by executing a classifier, wherein the classifier is configured to select a label from among a plurality of labels based on a set of input features;
- sending voting requests that identify the potential network attack to a plurality of neighboring network devices, wherein the voting requests include a set of values for the set of input features that were used to detect the potential attack at the first network device, and wherein a particular neighboring network device determines input features for a local classifier and uses the local classifier to generate a vote regarding the potential network attack;
- receiving, from each of the one or more of the neighboring network devices, a vote regarding the potential network attack;
- confirming, by the first network device, that the network attack is present based on the received votes; and
- generating, by the first network device, an alert that an attack has been detected.
Dependent claims: 2, 3, 4
5. A method, comprising:
- receiving, at a network node, a voting request from a neighboring node that indicates a potential network attack;
- determining a set of feature values to be used as input to a local classifier based on the voting request, wherein the voting request includes the set of one or more feature values;
- determining, by the network node, whether the potential network attack is present by using the determined set of feature values as input to the local classifier; and
- sending, by the network node, a vote to the neighboring node that indicates whether the potential network attack was determined to be present.
Dependent claims: 6, 7, 8
9. An apparatus, comprising:
- one or more network interfaces to communicate with a low power and lossy network (LLN);
- a processor coupled to the network interfaces and adapted to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed operable to:
  - detect a potential network attack by executing a classifier, wherein the classifier is configured to select a label from among a plurality of labels based on a set of input features;
  - send voting requests that identify the potential network attack to a plurality of neighboring network devices, wherein the voting requests include a set of values for the set of input features that were used to detect the potential attack at the first network device, and wherein a particular neighboring network device determines input features for a local classifier and uses the local classifier to generate a vote regarding the potential network attack;
  - receive, from each of the one or more of the neighboring network devices, a vote regarding the potential network attack;
  - confirm that the network attack is present based on the received votes; and
  - generate an alert that an attack has been detected.
Dependent claims: 10, 11, 12
13. An apparatus, comprising:
- one or more network interfaces to communicate with a low power and lossy network (LLN);
- a processor coupled to the network interfaces and adapted to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed operable to:
  - receive a voting request from a neighboring node that indicates a potential network attack;
  - determine a set of feature values to be used as input to a local classifier based on the voting request, wherein the voting request includes the set of one or more feature values;
  - determine whether the potential network attack is present by using the determined set of feature values as input to the local classifier; and
  - send a vote to the neighboring node that indicates whether the potential network attack was determined to be present.
Dependent claims: 14, 15, 16
17. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- receive a voting request from a neighboring node that indicates a potential network attack;
- determine a set of feature values to be used as input to a local classifier based on the voting request, wherein the voting request includes the set of one or more feature values;
- determine whether the potential network attack is present by using the determined set of feature values as input to the local classifier; and
- send a vote to the neighboring node that indicates whether the potential network attack was determined to be present.
Dependent claims: 18, 19
20. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- detect a potential network attack by executing a classifier, wherein the classifier is configured to select a label from among a plurality of labels based on a set of input features;
- send voting requests that identify the potential network attack to a plurality of neighboring network devices, wherein the voting requests include a set of values for the set of input features that were used to detect the potential attack at the first network device, and wherein a particular neighboring network device determines input features for a local classifier and uses the local classifier to generate a vote regarding the potential network attack;
- receive, from each of the one or more of the neighboring network devices, a vote regarding the potential network attack;
- confirm that the network attack is present based on the received votes; and
- generate an alert that an attack has been detected.
Dependent claims: 21, 22
Specification