Network attack detection using combined probabilities

US 9,450,972 B2
Filed: 07/23/2014
Issued: 09/20/2016
Est. Priority Date: 07/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a device in a network, a set of output label dependencies for a set of attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;

identifying, by the device, applied labels that were applied by the attack detectors to input data regarding the network, wherein probabilities are associated with the applied labels;

determining, by the device, a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels; and

selecting, by the device, one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network receives a set of output label dependencies for a set of attack detectors. The device identifies applied labels that were applied by the attack detectors to input data regarding a network, the applied labels being associated with probabilities. The device determines a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels. The device selects one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.

20 Citations

View as Search Results

26 Claims

1. A method, comprising:
- receiving, at a device in a network, a set of output label dependencies for a set of attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
  
  identifying, by the device, applied labels that were applied by the attack detectors to input data regarding the network, wherein probabilities are associated with the applied labels;
  
  determining, by the device, a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels; and
  
  selecting, by the device, one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as in claim 1, further comprising:
    - determining, by the device, that a probability associated with the finalized label for the input data is greater than a threshold value; and
      
      generating, by the device, an attack detection alert using the finalized label, in response to determining that a probability associated with the finalized label for the input data is greater than a threshold value.
  - 3. The method as in claim 1, further comprising:
    - generating, by the device, at least one of the applied labels by executing one or more of the attack detectors to label the input data regarding the network.
  - 4. The method as in claim 3, further comprising:
    - generating, by the device, all of the applied labels by executing each of the attack detectors to label the input data regarding the network.
  - 5. The method as in claim 1, wherein a particular label dependency in the set of output label dependencies corresponds to an inverse relationship between labels.
  - 6. The method as in claim 1, further comprising:
    - receiving, at the device, at least one of the applied labels from another device in the network that hosts at least one of the attack detectors.
  - 7. The method as in claim 1, wherein the attack detectors use differing sets of output labels.
  - 8. The method as in claim 1, wherein the input data regarding the network is a validation data set that has an associated ground truth label.

9. A method, comprising:
- identifying, by a device in a network and for each of a plurality of attack detectors, a set of output labels used by the attack detector, wherein the attack detector is configured to apply one of the set of output labels to an input data set regarding the network;
  
  determining, by the device, a set of output label dependencies between the sets of output labels for the attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
  
  providing, by the device, the attack detectors to one or more nodes in the network; and
  
  providing, by the device, the set of output label dependencies to the one or more nodes in the network, wherein the one or more nodes use the set of output label dependencies to select a finalized label from among output labels applied by the attack detectors.
- View Dependent Claims (10, 11, 12)
- - 10. The method as in claim 9, wherein a particular label dependency in the set of output label dependencies corresponds to an inverse relationship between labels.
  - 11. The method as in claim 9, wherein the attack detectors use differing sets of output labels.
  - 12. The method as in claim 9, further comprising:
    - providing, by the device, a validation data set to the one or more nodes, wherein the one or more nodes use the attack detectors and the set of output label dependencies to label the validation data set;
      
      receiving, at the device, an indication of the labeled validation set; and
      
      providing a different set of attack detectors and output label dependencies to the one or more nodes based on a determination that the labeled validation set does not satisfy a performance metric.

13. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive a set of output label dependencies for a set of attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
  
  identify applied labels that were applied by the attack detectors to input data regarding the network, wherein probabilities are associated with the applied labels;
  
  determine a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels; and
  
  select one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The apparatus as in claim 13, wherein the process when executed is further operable to:
    - determine that a probability associated with the finalized label for the input data is greater than a threshold value; and
      
      generate an attack detection alert using the finalized label, in response to determining that a probability associated with the finalized label for the input data is greater than a threshold value.
  - 15. The apparatus as in claim 13, wherein the process when executed is further operable to:
    - generate at least one of the applied labels by executing one or more of the attack detectors to label the input data regarding the network.
  - 16. The apparatus as in claim 15, wherein the process when executed is further operable to:
    - generate all of the applied labels by executing each of the attack detectors to label the input data regarding the network.
  - 17. The apparatus as in claim 13, wherein a particular label dependency in the set of output label dependencies corresponds to an inverse relationship between labels.
  - 18. The apparatus as in claim 13, wherein the process when executed is further operable to:
    - receive at least one of the applied labels from another device in the network that hosts at least one of the attack detectors.
  - 19. The apparatus as in claim 13, wherein the attack detectors use differing sets of output labels.
  - 20. The apparatus as in claim 13, wherein the input data regarding the network is a validation data set that has an associated ground truth label.

21. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  identify, for each of a plurality of attack detectors, a set of output labels used by the attack detector, wherein the attack detector is configured to apply one of the set of output labels to an input data set regarding the network;
  
  determine a set of output label dependencies between the sets of output labels for the attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
  
  provide the attack detectors to one or more nodes in the network; and
  
  provide the set of output label dependencies to the one or more nodes in the network, wherein the one or more nodes use the set of output label dependencies to select a finalized label from among output labels applied by the attack detectors.
- View Dependent Claims (22, 23, 24)
- - 22. The apparatus as in claim 21, wherein a particular label dependency in the set of output label dependencies corresponds to an inverse relationship between labels.
  - 23. The apparatus as in claim 21, wherein the attack detectors use differing sets of output labels.
  - 24. The apparatus as in claim 21, wherein the process when executed is further operable to:
    - provide a validation data set to the one or more nodes, wherein the one or more nodes use the attack detectors and the set of output label dependencies to label the validation data set;
      
      receive an indication of the labeled validation set; and
      
      provide a different set of attack detectors and output label dependencies to the one or more nodes based on a determination that the labeled validation set does not satisfy a performance metric.

25. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- identify, for each of a plurality of attack detectors, a set of output labels used by an attack detector, wherein the attack detector is configured to apply one of the set of output labels to an input data set regarding a network;
  
  determine a set of output label dependencies between the sets of output labels for the attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
  
  provide the attack detectors to one or more nodes in the network; and
  
  provide the set of output label dependencies to the one or more nodes in the network, wherein the one or more nodes use the set of output label dependencies to select a finalized label from among output labels applied by the attack detectors.

26. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- receive a set of output label dependencies for a set of attack detectors that exploit dependencies between overlapping labels used by different attack detection classifiers;
  
  identify applied labels that were applied by the attack detectors to input data regarding a network, wherein probabilities are associated with the applied labels;
  
  determine a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels; and
  
  select one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cruz Mota, Javier, Di Pietro, Andrea, Vasseur, Jean-Philippe
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US14/338,751
Publication Number

US 20160028751A1
Time in Patent Office

790 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04W 12/126   Anti-theft arrangements, e....

H04W 4/70   Services for machine-to-mac...

Network attack detection using combined probabilities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Network attack detection using combined probabilities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links