Network attack detection using combined probabilities
First Claim
1. A method, comprising:
receiving, at a device in a network, a set of output label dependencies for a set of attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
identifying, by the device, applied labels that were applied by the attack detectors to input data regarding the network, wherein probabilities are associated with the applied labels;
determining, by the device, a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels; and
selecting, by the device, one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.
Abstract
In one embodiment, a device in a network receives a set of output label dependencies for a set of attack detectors. The device identifies applied labels that were applied by the attack detectors to input data regarding a network, the applied labels being associated with probabilities. The device determines a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels. The device selects one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.
20 Citations
26 Claims
1. A method (independent claim 1, reproduced above under First Claim; dependent claims 2 to 8).
9. A method, comprising:
identifying, by a device in a network and for each of a plurality of attack detectors, a set of output labels used by the attack detector, wherein the attack detector is configured to apply one of the set of output labels to an input data set regarding the network;
determining, by the device, a set of output label dependencies between the sets of output labels for the attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
providing, by the device, the attack detectors to one or more nodes in the network; and
providing, by the device, the set of output label dependencies to the one or more nodes in the network, wherein the one or more nodes use the set of output label dependencies to select a finalized label from among output labels applied by the attack detectors.
(Dependent claims 10 to 12.)
13. An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the network interfaces and configured to execute one or more processes; and
a memory configured to store a process executable by the processor, the process when executed operable to:
receive a set of output label dependencies for a set of attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
identify applied labels that were applied by the attack detectors to input data regarding the network, wherein probabilities are associated with the applied labels;
determine a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels; and
select one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.
(Dependent claims 14 to 20.)
21. An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the network interfaces and configured to execute one or more processes; and
a memory configured to store a process executable by the processor, the process when executed operable to:
identify, for each of a plurality of attack detectors, a set of output labels used by the attack detector, wherein the attack detector is configured to apply one of the set of output labels to an input data set regarding the network;
determine a set of output label dependencies between the sets of output labels for the attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
provide the attack detectors to one or more nodes in the network; and
provide the set of output label dependencies to the one or more nodes in the network, wherein the one or more nodes use the set of output label dependencies to select a finalized label from among output labels applied by the attack detectors.
(Dependent claims 22 to 24.)
25. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
identify, for each of a plurality of attack detectors, a set of output labels used by an attack detector, wherein the attack detector is configured to apply one of the set of output labels to an input data set regarding a network;
determine a set of output label dependencies between the sets of output labels for the attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
provide the attack detectors to one or more nodes in the network; and
provide the set of output label dependencies to the one or more nodes in the network, wherein the one or more nodes use the set of output label dependencies to select a finalized label from among output labels applied by the attack detectors.
26. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
receive a set of output label dependencies for a set of attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
identify applied labels that were applied by the attack detectors to input data regarding a network, wherein probabilities are associated with the applied labels;
determine a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels; and
select one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.
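The two halves of the claimed scheme, the controller deriving label dependencies from the detectors' output label sets (claims 9, 21, 25) and a node combining probabilities of overlapping labels before picking a finalized label (claims 1, 13, 26), as an added illustration that is not code from the patent. The claims do not state a combination formula, so the "at least one overlapping verdict is right" rule, the child-to-parent attack taxonomy and the detector names and confidences are all constructed assumptions.

```python
from itertools import combinations

# Controller side: output label set of each detector (constructed sample).
OUTPUT_LABEL_SETS = {
    "detA": {"syn_flood", "benign"},
    "detB": {"ddos", "benign"},
    "detC": {"port_scan", "benign"},
}
# Assumed attack taxonomy (child label -> broader label); not from the patent.
TAXONOMY = {"syn_flood": "ddos"}

def derive_dependencies(label_sets, taxonomy):
    """Pair overlapping labels of different detectors: identical labels, or a
    label and its broader parent. Maps {(det, label), (det, label)} -> label
    to report when the pair is combined."""
    deps = {}
    for (det_a, labels_a), (det_b, labels_b) in combinations(label_sets.items(), 2):
        for la in labels_a:
            for lb in labels_b:
                pair = frozenset({(det_a, la), (det_b, lb)})
                if la == lb:
                    deps[pair] = la
                elif taxonomy.get(la) == lb:   # la is a kind of lb
                    deps[pair] = lb
                elif taxonomy.get(lb) == la:   # lb is a kind of la
                    deps[pair] = la
    return deps

def combined_probability(probs):
    """Assumed rule: chance that at least one of the overlapping verdicts is
    right, treating the detectors' errors as independent."""
    p_none = 1.0
    for p in probs:
        p_none *= 1.0 - p
    return 1.0 - p_none

def select_final_label(applied, dependencies):
    """Node side. applied = {(det, label): prob}. Returns (label, prob)."""
    candidates = {}
    for (_det, label), prob in applied.items():  # individual applied labels
        candidates[label] = max(candidates.get(label, 0.0), prob)
    for members, reported in dependencies.items():
        present = [applied[m] for m in members if m in applied]
        if len(present) >= 2:  # combine only when two or more applied labels overlap
            score = combined_probability(present)
            candidates[reported] = max(candidates.get(reported, 0.0), score)
    label = max(candidates, key=candidates.get)
    return label, candidates[label]

# Constructed verdicts for one flow record: each detector's label and confidence.
APPLIED = {("detA", "syn_flood"): 0.55, ("detB", "ddos"): 0.50, ("detC", "port_scan"): 0.60}
DEPENDENCIES = derive_dependencies(OUTPUT_LABEL_SETS, TAXONOMY)
```

Run on the sample, the two weaker but overlapping verdicts pool to 0.775 for "ddos" and outrank the lone 0.60 "port_scan" verdict that would win on individual probabilities alone.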
Specification