Traffic segregation in DDoS attack architecture

US 9,231,965 B1
Filed: 07/23/2014
Issued: 01/05/2016
Est. Priority Date: 07/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

determining, by a particular node in a network, information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system;

sending, from the particular node, a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information;

in response to the sent message, receiving, at the particular node, an indication that the node is a member of a collaborative group of nodes along with one or more other nodes in the network based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes; and

in response to an attack being detected by the local machine learning attack detection and mitigation system, providing, by the particular node to the collaborative group of nodes, an indication of attack data flows identified as corresponding to the attack, thereby enabling the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes to assist the particular node in mitigating the attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a particular node in a network determines information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system. The particular node sends a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information. In response to the sent message, the particular node receives an indication that it is a member of a collaborative group of nodes based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of other machine learning attack detection and mitigation systems. Then, in response to an attack being detected by the local machine learning attack detection and mitigation system, the particular node provides to the collaborative group of nodes an indication of attack data flows identified as corresponding to the attack.

Citations

24 Claims

1. A method, comprising:
- determining, by a particular node in a network, information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system;
  
  sending, from the particular node, a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information;
  
  in response to the sent message, receiving, at the particular node, an indication that the node is a member of a collaborative group of nodes along with one or more other nodes in the network based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes; and
  
  in response to an attack being detected by the local machine learning attack detection and mitigation system, providing, by the particular node to the collaborative group of nodes, an indication of attack data flows identified as corresponding to the attack, thereby enabling the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes to assist the particular node in mitigating the attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as in claim 1, wherein the capabilities of the local machine learning attack detection and mitigation system involve one or more of:
    - i) an attack traffic segregation technique used by the local machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the local machine learning attack detection and mitigation system, iii) a connectivity range of the local machine learning attack detection and mitigation system in the network, and iv) an average convergence time when the local machine learning attack detection and mitigation system performs attack traffic segregation.
  - 3. The method as in claim 1, wherein the sending of the message indicating capabilities of the local machine learning attack detection and mitigation system comprises:
    - sending, from the particular node, the message to a centralized entity node in the network that is configured to compute the collaborative group of nodes based on a determination that the capabilities of the local machine learning attack detection and mitigation system are complementary to the capabilities of the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
  - 4. The method as in claim 1, wherein the sending of the message indicating capabilities of the local machine learning attack detection and mitigation system comprises:
    - sending, from the particular node, the message to an address in the network that is within communication range of other nodes in the network,wherein the node and the other nodes are configured to compute the collaborative group of nodes based on a determination that the capabilities of the local machine learning attack detection and mitigation system are complementary to the capabilities of the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
  - 5. The method as in claim 1, wherein the providing of the indication of the attack data flows to the collaborative group comprises:
    - sending, from the particular node, a multicast message indicating the attack data flows to an address in the network that is within communication range of the collaborative group of nodes, thereby enabling the collaborative group of nodes to access the multicast message.
  - 6. The method as in claim 1, further comprising:
    - in response to the attack being detected by the local machine learning attack detection and mitigation system, providing, by the particular node to the collaborative group of nodes, an indication of one or more of i) a degree of confidence in the local machine learning attack detection and mitigation system'"'"'s ability to detect and mitigate the attack and ii) an origin of the attack.
  - 7. The method as in claim 1, further comprising:
    - sending, from the particular node, a feedback message indicating a degree to which the detecting and mitigating of the attack has been enhanced due to the collaborative group of nodes.
  - 8. The method as in claim 1, further comprising:
    - receiving an indication of attack data flows identified as corresponding to a detected attack from a node of the collaborative group of nodes; and
      
      assisting the node in mitigating the attack data flows using a local machine learning attack detection and mitigation system.

9. A method, comprising:
- receiving, at a centralized entity node in a network, messages from a plurality of nodes in the network indicating capabilities of a machine learning attack detection and mitigation system local to each respective node;
  
  in response to the received messages, computing, by the centralized entity node, a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another, wherein the machine learning attack detection and mitigation systems local to the collaborative group of nodes are enabled to assist one another in mitigating attacks in the network; and
  
  sending, from the centralized entity node, a message to the collaborative group of nodes identifying each node that is a member within the collaborative group of nodes.
- View Dependent Claims (10, 11, 12)
- - 10. The method as in claim 9, wherein the capabilities of the machine learning attack detection and mitigation system involve one or more of:
    - i) an attack traffic segregation technique used by the machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the machine learning attack detection and mitigation system, iii) a connectivity range of the machine learning attack detection and mitigation system in the network, and iv) an average convergence time when the machine learning attack detection and mitigation system performs attack traffic segregation.
  - 11. The method as in claim 9, further comprising:
    - receiving, at the centralized entity node, a feedback message indicating a degree to which the detecting and mitigating of an attack in the network has been enhanced due to the collaborative group of nodes; and
      
      re-computing, by the centralized entity node, the collaborative group of nodes based on the received feedback message.
  - 12. The method as in claim 9, wherein the determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another is based on one or more of the following factors:
    - i) a relationship between attack traffic segregation techniques used by the machine learning attack detection and mitigation systems, ii) a relationship between attacks that are detectable by the machine learning attack detection and mitigation systems, iii) a relationship between connectivity ranges of the machine learning attack detection and mitigation systems in the network, and iv) a relationship between average convergence times when the machine learning attack detection and mitigation systems perform attack traffic segregation.

13. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the one or more network interfaces and configured to execute a process; and
  
  a memory configured to store program instructions which include the process executable by the processor, the process comprising;
  
  determining, as a particular node in the network, information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system;
  
  sending, from the particular node, a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information;
  
  in response to the sent message, receiving, at the particular node, an indication that the node is a member of a collaborative group of nodes along with one or more other nodes in the network based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes; and
  
  in response to an attack being detected by the local machine learning attack detection and mitigation system, providing, by the particular node to the collaborative group of nodes, an indication of attack data flows identified as corresponding to the attack, thereby enabling the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes to assist the particular node in mitigating the attack.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The apparatus as in claim 13, wherein the capabilities of the local machine learning attack detection and mitigation system involve one or more of:
    - i) an attack traffic segregation technique used by the local machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the local machine learning attack detection and mitigation system, iii) a connectivity range of the local machine learning attack detection and mitigation system in the network, and iv) an average convergence time when the local machine learning attack detection and mitigation system performs attack traffic segregation.
  - 15. The apparatus as in claim 13, wherein the sending of the message indicating capabilities of the local machine learning attack detection and mitigation system comprises:
    - sending, from the particular node, the message to a centralized entity node in the network that is configured to compute the collaborative group of nodes based on a determination that the capabilities of the local machine learning attack detection and mitigation system are complementary to the capabilities of the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
  - 16. The apparatus as in claim 13, wherein the sending of the message indicating capabilities of the local machine learning attack detection and mitigation system comprises:
    - sending, from the particular node, the message to an address in the network that is within communication range of other nodes in the network,wherein the node and the other nodes are configured to compute the collaborative group of nodes based on a determination that the capabilities of the local machine learning attack detection and mitigation system are complementary to the capabilities of the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
  - 17. The apparatus as in claim 13, wherein the providing of the indication of the attack data flows to the collaborative group comprises:
    - sending, from the particular node, a multicast message indicating the attack data flows to an address in the network that is within communication range of the collaborative group of nodes, thereby enabling the collaborative group of nodes to access the multicast message.
  - 18. The apparatus as in claim 13, wherein the process further comprises:
    - in response to the attack being detected by the local machine learning attack detection and mitigation system, providing, by the particular node to the collaborative group of nodes, an indication of one or more of i) a degree of confidence in the local machine learning attack detection and mitigation system'"'"'s ability to detect and mitigate the attack and ii) an origin of the attack.
  - 19. The apparatus as in claim 13, wherein the process further comprises:
    - sending, from the particular node, a feedback message indicating a degree to which the detecting and mitigating of the attack has been enhanced due to the collaborative group of nodes.
  - 20. The apparatus as in claim 19, wherein the process further comprises:
    - receiving an indication of attack data flows identified as corresponding to a detected attack from a node of the collaborative group of nodes; and
      
      assisting the node in mitigating the attack data flows using a local machine learning attack detection and mitigation system.

21. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the one or more network interfaces and configured to execute a process; and
  
  a memory configured to store program instructions which include the process executable by the processor, the process comprising;
  
  receiving, as a centralized entity node in the network, messages from a plurality of nodes in the network indicating capabilities of a machine learning attack detection and mitigation system local to each respective node;
  
  in response to the received messages, computing, by the centralized entity node, a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another, wherein the machine learning attack detection and mitigation systems local to the collaborative group of nodes are enabled to assist one another in mitigating attacks in the network; and
  
  sending, from the centralized entity node, a message to the collaborative group of nodes identifying each node that is a member within the collaborative group of nodes.
- View Dependent Claims (22, 23, 24)
- - 22. The apparatus as in claim 21, wherein the capabilities of the machine learning attack detection and mitigation system involve one or more of:
    - i) an attack traffic segregation technique used by the machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the machine learning attack detection and mitigation system, iii) a connectivity range of the machine learning attack detection and mitigation system in the network, and iv) an average convergence time when the machine learning attack detection and mitigation system performs attack traffic segregation.
  - 23. The apparatus as in claim 21, wherein the process further comprises:
    - receiving, at the centralized entity node, a feedback message indicating a degree to which the detecting and mitigating of an attack in the network has been enhanced due to the collaborative group of nodes; and
      
      re-computing, by the centralized entity node, the collaborative group of nodes based on the received feedback message.
  - 24. The apparatus as in claim 21, wherein the determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another is based on one or more of the following factors:
    - i) a relationship between attack traffic segregation techniques used by the machine learning attack detection and mitigation systems, ii) a relationship between attacks that are detectable by the machine learning attack detection and mitigation systems, iii) a relationship between connectivity ranges of the machine learning attack detection and mitigation systems in the network, and iv) a relationship between average convergence times when the machine learning attack detection and mitigation systems perform attack traffic segregation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vasseur, Jean-Philippe, Cruz Mota, Javier, di Pietro, Andrea
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Doan, Trang

Application Number

US14/339,255
Publication Number

US 20160028755A1
Time in Patent Office

531 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06N 3/045   Combinations of networks

G06N 3/08   Learning methods

H04L 2463/146   Tracing the source of attacks

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Traffic segregation in DDoS attack architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Traffic segregation in DDoS attack architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links