Applying a mitigation specific attack detector using machine learning
First Claim
1. A method, comprising:
- detecting, at a device in a network, a network attack using aggregated metrics for a set of traffic data;
- causing, by the device, the traffic data to be clustered into a set of traffic data clusters, in response to detecting the network attack, wherein the traffic is clustered by providing the traffic data to a clustering device in the network, and the clustering device uses the set of traffic data as input to a clustering process to generate the set of traffic data clusters;
- providing, by the device, an indication of an attack type for the detected attack and a description for the set of traffic data to a clustering search engine;
- receiving, from the clustering search engine, an availability notification that identifies the clustering device, in response to providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type and the description for the set of traffic data;
- causing, by the device, the clustering device to analyze the traffic data clusters; and
- causing, by the device, the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.
Abstract
In one embodiment, a device in a network detects a network attack using aggregated metrics for a set of traffic data. In response to detecting the network attack, the device causes the traffic data to be clustered into a set of traffic data clusters. The device causes one or more attack detectors to analyze the traffic data clusters. The device causes the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the one or more attack detectors.
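The abstract describes a two-stage pipeline: a coarse detector that works only on aggregated metrics, followed by clustering of the underlying flows and a per-cluster decision by an attack-type-specific detector. The following is an added illustration in pure Python; it is not the patent's or any vendor's code. The flow records, the baseline, the thresholds, the two clustering features, the tiny k-means and the detector registry standing in for the claim's "clustering search engine" are all constructed assumptions chosen so the stages can be seen working end to end.

```python
"""Added example (not the patent's or any vendor's code): the detect -> cluster ->
per-cluster detect -> segregate pipeline the abstract describes, in pure Python.
Flow records, baseline, thresholds, features and the registry are constructed."""
import math
import random
from collections import namedtuple

Flow = namedtuple("Flow", "src dst_port packets bytes syn_ratio")

# Constructed sample window: 12 benign HTTPS flows plus a 30-source SYN burst.
random.seed(7)
NORMAL = [Flow("10.0.0.%d" % i, 443, random.randint(40, 200),
               random.randint(20_000, 150_000), round(random.uniform(0.01, 0.05), 3))
          for i in range(1, 13)]
ATTACK = [Flow("198.51.100.%d" % i, 80, random.randint(1, 4),
               random.randint(60, 240), round(random.uniform(0.90, 1.0), 3))
          for i in range(1, 31)]
FLOWS = NORMAL + ATTACK
# Constructed baseline for a window of the same length in a quiet period.
BASELINE = {"unique_sources": 8}


def aggregate(flows):
    """Stage 1 input: per-window metrics over all flows, no per-flow decisions yet."""
    return {
        "flows": len(flows),
        "unique_sources": len({f.src for f in flows}),
        # share of flows that are almost all SYNs (half-open handshakes)
        "syn_heavy_share": sum(1 for f in flows if f.syn_ratio > 0.5) / max(len(flows), 1),
    }


def detect_attack(metrics, baseline):
    """Coarse detector on aggregated metrics; returns an attack type or None."""
    if (metrics["syn_heavy_share"] > 0.5
            and metrics["unique_sources"] > 3 * baseline["unique_sources"]):
        return "syn_flood"
    return None


def features(flow):
    """Two normalised features so clustering groups flow shapes, not addresses."""
    return (flow.syn_ratio, min(flow.packets, 200) / 200.0)


def kmeans(flows, k, rounds=20):
    """Lloyd's k-means with deterministic farthest-point seeding (constructed, tiny)."""
    pts = [features(f) for f in flows]
    centroids = [pts[0]]
    while len(centroids) < k:
        centroids.append(max(pts, key=lambda p: min(math.dist(p, c) for c in centroids)))
    for _ in range(rounds):
        groups = [[] for _ in centroids]
        for flow, p in zip(flows, pts):
            groups[min(range(k), key=lambda i: math.dist(p, centroids[i]))].append(flow)
        new = [tuple(sum(x) / len(g) for x in zip(*(features(f) for f in g))) if g else c
               for g, c in zip(groups, centroids)]
        if new == centroids:
            break
        centroids = new
    return [g for g in groups if g]


def syn_flood_cluster_detector(cluster):
    """Stage 2 detector for one attack type: a cluster is attack-related if its flows
    are SYN-dominated and carry almost no packets beyond the handshake."""
    mean_syn = sum(f.syn_ratio for f in cluster) / len(cluster)
    mean_pkts = sum(f.packets for f in cluster) / len(cluster)
    return mean_syn > 0.5 and mean_pkts < 10


# Constructed stand-in for the claim's "clustering search engine": asked with the
# attack type and a description of the data, it answers with the detector to apply.
DETECTOR_REGISTRY = {("syn_flood", "flow_records"): syn_flood_cluster_detector}


def segregate(clusters, detector):
    """Split clusters into attack-related and normal according to the detector."""
    attack, normal = [], []
    for c in clusters:
        (attack if detector(c) else normal).append(c)
    return attack, normal


def run_pipeline(flows, baseline, k=3):
    """Full pipeline; clustering runs only after the aggregate detector fires."""
    attack_type = detect_attack(aggregate(flows), baseline)
    if attack_type is None:
        return {"attack_type": None, "clusters": 0, "attack_flows": [], "normal_flows": list(flows)}
    detector = DETECTOR_REGISTRY[(attack_type, "flow_records")]
    clusters = kmeans(flows, k)
    attack_clusters, normal_clusters = segregate(clusters, detector)
    return {
        "attack_type": attack_type,
        "clusters": len(clusters),
        "attack_flows": [f for c in attack_clusters for f in c],
        "normal_flows": [f for c in normal_clusters for f in c],
    }


if __name__ == "__main__":
    result = run_pipeline(FLOWS, BASELINE)
    print(result["attack_type"], "clusters:", result["clusters"],
          "attack flows:", len(result["attack_flows"]),
          "normal flows:", len(result["normal_flows"]))
```

The point the staging makes is operational: the aggregate detector is cheap enough to run on every window, while clustering and the per-cluster detector only run once an attack is suspected, and the per-cluster verdict is what lets a mitigation act on the attack-related flows while leaving the clusters of normal traffic alone.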
19 Claims
1. A method, comprising:
- detecting, at a device in a network, a network attack using aggregated metrics for a set of traffic data;
- causing, by the device, the traffic data to be clustered into a set of traffic data clusters, in response to detecting the network attack, wherein the traffic is clustered by providing the traffic data to a clustering device in the network, and the clustering device uses the set of traffic data as input to a clustering process to generate the set of traffic data clusters;
- providing, by the device, an indication of an attack type for the detected attack and a description for the set of traffic data to a clustering search engine;
- receiving, from the clustering search engine, an availability notification that identifies the clustering device, in response to providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type and the description for the set of traffic data;
- causing, by the device, the clustering device to analyze the traffic data clusters; and
- causing, by the device, the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the network interfaces and configured to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed operable to:
  - detect a network attack using aggregated metrics for a set of traffic data;
  - cause the traffic data to be clustered into a set of traffic data clusters, in response to detecting the network attack;
  - provide an indication of an attack type for the detected attack and a description for the set of traffic data to a clustering search engine;
  - receive, from the clustering search engine, an availability notification that identifies the clustering device, in response to providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type and the description for the set of traffic data;
  - cause the clustering device to analyze the traffic data clusters; and
  - cause the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- detect a network attack using aggregated metrics for a set of traffic data;
- cause the traffic data to be clustered into a set of traffic data clusters, in response to detecting the network attack, wherein the traffic is clustered by providing the traffic data to a clustering device in the network, and the clustering device uses the set of traffic data as input to a clustering process to generate the set of traffic data clusters;
- provide an indication of an attack type for the detected attack and a description for the set of traffic data to a clustering search engine;
- receive, from the clustering search engine, an availability notification that identifies the clustering device, in response to providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type and the description for the set of traffic data;
- cause the clustering device to analyze the traffic data clusters; and
- cause the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.
Specification