Dynamic tuning of attack detector performance

US 9,641,542 B2
Filed: 07/21/2014
Issued: 05/02/2017
Est. Priority Date: 07/21/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a device in a network, information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of;

a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism;

identifying, by the device, a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack;

determining, by the device, one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements;

adjusting, by the device, the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and

determining, by the device, whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network receives information regarding one or more attack detection service level agreements. The device identifies a set of attack detection classifiers as potential voters in a voting mechanism used to detect a network attack. The device determines one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements. The device adjusts the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism.

22 Citations

View as Search Results

19 Claims

1. A method, comprising:
- receiving, at a device in a network, information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of;
  
  a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism;
  
  identifying, by the device, a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack;
  
  determining, by the device, one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements;
  
  adjusting, by the device, the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and
  
  determining, by the device, whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as in claim 1, wherein the one or more parameters for the voting mechanism comprise the set of potential voters, and wherein adjusting the voting mechanism comprises:
    - instructing one or more of the potential voters to participate in the voting mechanism as actual voters.
  - 3. The method as in claim 2, wherein the one or more parameters for the voting mechanism comprises a consensus threshold for the actual voters, wherein a network attack is detected by the voting mechanism if a number of attack votes from the actual voters meets or exceeds the consensus threshold.
  - 4. The method as in claim 1, wherein the one or more parameters for the voting mechanism comprises a sampling period for a particular voter, wherein a vote generated by the particular voter is based on classification of network characteristics sampled by the particular voter during the sampling period.
  - 5. The method as in claim 4, wherein the one or more parameters for the voting mechanism comprises a number of samples of the network characteristics to be obtained by the particular voter during the sampling period.
  - 6. The method as in claim 1, wherein the one or more parameters for the voting mechanism comprises an attack threshold, wherein the particular voter votes that an attack is present when a number of samples from the sampling period that are labeled by the voter as indicative of an attack meets or exceeds the attack threshold.
  - 7. The method as in claim 1, further comprising:
    - in response to a determination that a service level agreement has not been met,determining one or more new parameters for the voting mechanism; and
      
      re-adjusting the voting mechanism using the one or more new parameters.
  - 8. The method as in claim 1, further comprising:
    - providing an alert to a network management system in response to a determination that the one or more attack detection service level agreements cannot be met.

9. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of;
  
  a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism;
  
  identify a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack;
  
  determine one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements;
  
  adjust the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and
  
  determine whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus as in claim 9, wherein the one or more parameters for the voting mechanism comprise the set of potential voters, and wherein adjusting the voting mechanism comprises:
    - instructing one or more of the potential voters to participate in the voting mechanism as actual voters.
  - 11. The apparatus as in claim 10, wherein the one or more parameters for the voting mechanism comprises a consensus threshold for the actual voters, wherein a network attack is detected by the voting mechanism if a number of attack votes from the actual voters meets or exceeds the consensus threshold.
  - 12. The apparatus as in claim 9, wherein the one or more parameters for the voting mechanism comprises a sampling period for a particular voter, wherein a vote generated by the particular voter is based on classification of network characteristics sampled by the particular voter during the sampling period.
  - 13. The apparatus as in claim 12, wherein the one or more parameters for the voting mechanism comprises a number of samples of the network characteristics to be obtained by the particular voter during the sampling period.
  - 14. The apparatus as in claim 9, wherein the one or more parameters for the voting mechanism comprises an attack threshold, wherein the particular voter votes that an attack is present when a number of samples from the sampling period that are labeled by the voter as indicative of an attack meets or exceeds the attack threshold.
  - 15. The apparatus as in claim 9, wherein the process when executed is further operable to:
    - in response to a determination that a service level agreement has not been met,determine one or more new parameters for the voting mechanism; and
      
      re-adjust the voting mechanism using the one or more new parameters.
  - 16. The apparatus as in claim 9, wherein the process when executed is further operable to:
    - provide an alert to a network management system in response to a determination that the one or more attack detection service level agreements cannot be met.

17. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- receive information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of;
  
  a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism;
  
  identify a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack;
  
  determine one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements;
  
  adjust the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and
  
  determine whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.
- View Dependent Claims (18, 19)
- - 18. The computer-readable media as in claim 17, wherein the software when executed by the processor is further operable to:
    - in response to a determination that a service level agreement has not been met,determine one or more new parameters for the voting mechanism; and
      
      re-adjust the voting mechanism using the one or more new parameters.
  - 19. The computer-readable media as in claim 17, wherein the software when executed by the processor is further operable to:
    - provide an alert to a network management system in response to a determination that the one or more attack detection service level agreements cannot be met.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vasseur, Jean-Philippe, Di Pietro, Andrea, Cruz Mota, Javier
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US14/336,206
Publication Number

US 20160021126A1
Time in Patent Office

1,016 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

Dynamic tuning of attack detector performance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic tuning of attack detector performance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links