Applying a mitigation specific attack detector using machine learning

US 9,407,646 B2
Filed: 07/23/2014
Issued: 08/02/2016
Est. Priority Date: 07/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting, at a device in a network, a network attack using aggregated metrics for a set of traffic data;

causing, by the device, the traffic data to be clustered into a set of traffic data clusters, in response to detecting the network attack, wherein the traffic is clustered by providing the traffic data to a clustering device in the network, and the clustering device uses the set of traffic data as input to a clustering process to generate the set of traffic data clusters;

providing, by the device, an indication of an attack type for the detected attack and a description for the set of traffic data to a clustering search engine;

receiving, from the clustering search engine, an availability notification that identifies the clustering device, in response to providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type and the description for the set of traffic data;

causing, by the device, the clustering device to analyze the traffic data clusters; and

causing, by the device, the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network detects a network attack using aggregated metrics for a set of traffic data. In response to detecting the network attack, the device causes the traffic data to be clustered into a set of traffic data clusters. The device causes one or more attack detectors to analyze the traffic data clusters. The device causes the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the one or more attack detectors.

35 Citations

View as Search Results

19 Claims

1. A method, comprising:
- detecting, at a device in a network, a network attack using aggregated metrics for a set of traffic data;
  
  causing, by the device, the traffic data to be clustered into a set of traffic data clusters, in response to detecting the network attack, wherein the traffic is clustered by providing the traffic data to a clustering device in the network, and the clustering device uses the set of traffic data as input to a clustering process to generate the set of traffic data clusters;
  
  providing, by the device, an indication of an attack type for the detected attack and a description for the set of traffic data to a clustering search engine;
  
  receiving, from the clustering search engine, an availability notification that identifies the clustering device, in response to providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type and the description for the set of traffic data;
  
  causing, by the device, the clustering device to analyze the traffic data clusters; and
  
  causing, by the device, the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as in claim 1, wherein causing the traffic to be clustered comprises:
    - using the set of traffic data as input to a clustering process executed by the device.
  - 3. The method as in claim 1, wherein the availability notification identifies the clustering device as an attack detection device that hosts one or more attack detectors.
  - 4. The method as in claim 1, wherein causing the one or more attack detectors to analyze the traffic data clusters comprises:
    - executing, by the device, the one or more attack detectors using the traffic data clusters as input to the clustering device.
  - 5. The method as in claim 1, wherein causing the one or more attack detectors to analyze the traffic data clusters comprises:
    - providing, by the device, the set of traffic data or the traffic data clusters to another device in the network, wherein the other device causes the clustering device to analyze the traffic data clusters.
  - 6. The method as in claim 1, wherein causing the traffic data clusters to be segregated comprises:
    - receiving labels that were applied to the traffic data clusters by the clustering device, wherein the labels identify a particular traffic data clusters as attack-related or related to normal traffic; and
      
      using the labels to group the traffic data clusters into the set of one or more attack-related clusters and into the set of one or more clusters related to normal traffic.
  - 7. The method as in claim 1, further comprising:
    - preventing traffic related to the one or more attack-related clusters from being forwarded in the network.
  - 8. The method as in claim 1, wherein the set of traffic data identifies traffic flows in the network, and wherein the set of traffic data is clustered based on one or more of:
    - sizes, durations, applications, or statistical properties associated with the traffic flows.
  - 9. The method as in claim 1, wherein the clustering device is trained using individual clusters of a set of training data, and wherein the attack is detected by an attack detector that was trained using a non-clustered set of the training data.

10. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  detect a network attack using aggregated metrics for a set of traffic data;
  
  cause the traffic data to be clustered into a set of traffic data clusters, in response to detecting the network attack;
  
  provide an indication of an attack type for the detected attack and a description for the set of traffic data to a clustering search engine;
  
  receive, from the clustering search engine, an availability notification that identifies the clustering device, in response to providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type and the description for the set of traffic data;
  
  cause the clustering device to analyze the traffic data clusters; and
  
  cause the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus as in claim 10, wherein the process when executed is further operable to:
    - use the set of traffic data as input to a clustering process executed by the device, to cause the traffic data to be clustered.
  - 12. The apparatus as in claim 10, wherein the availability notification identifies the clustering device as an attack detection device that hosts one or more attack detectors.
  - 13. The apparatus as in claim 10, wherein the process when executed is further operable to:
    - execute the one or more attack detectors using the traffic data clusters as input to the clustering device.
  - 14. The apparatus as in claim 10, wherein the process when executed is further operable to:
    - provide the set of traffic data or the traffic data clusters to another device in the network, wherein the other device causes the clustering device to analyze the traffic data clusters.
  - 15. The apparatus as in claim 10, wherein the process when executed is further operable to:
    - receive labels that were applied to the traffic data clusters by the clustering device, wherein the labels identify a particular traffic data clusters as attack-related or related to normal traffic; and
      
      use the labels to group the traffic data clusters into the set of one or more attack-related clusters and into the set of one or more clusters related to normal traffic.
  - 16. The apparatus as in claim 10, wherein the process when executed is further operable to:
    - prevent traffic related to the one or more attack-related clusters from being forwarded in the network.
  - 17. The apparatus as in claim 10, wherein the set of traffic data identifies traffic flows in the network, and wherein the set of traffic data is clustered based on one or more of:
    - sizes, durations, applications, or statistical properties associated with the traffic flows.
  - 18. The apparatus as in claim 10, wherein the clustering device is trained using individual clusters of a set of training data, and wherein the attack is detected by an attack detector that was trained using a non-clustered set of the training data.

19. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- detect a network attack using aggregated metrics for a set of traffic data;
  
  cause the traffic data to be clustered into a set of traffic data clusters, in response to detecting the network attack, wherein the traffic is clustered by providing the traffic data to a clustering device in the network, and the clustering device uses the set of traffic data as input to a clustering process to generate the set of traffic data clusters;
  
  provide an indication of an attack type for the detected attack and a description for the set of traffic data to a clustering search engine;
  
  receive, from the clustering search engine, an availability notification that identifies the clustering device, in response to providing the indication of the attack type for the detected attack and the description for the set of traffic data to the clustering search engine, wherein the clustering search engine selects the clustering device based on the attack type and the description for the set of traffic data;
  
  cause the clustering device to analyze the traffic data clusters; and
  
  cause the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the clustering device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cruz Mota, Javier, Di Pietro, Andrea, Vasseur, Jean-Philippe
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US14/338,909
Publication Number

US 20160028754A1
Time in Patent Office

741 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Applying a mitigation specific attack detector using machine learning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Applying a mitigation specific attack detector using machine learning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links