Dynamic tuning of attack detector performance
Abstract
In one embodiment, a device in a network receives information regarding one or more attack detection service level agreements. The device identifies a set of attack detection classifiers as potential voters in a voting mechanism used to detect a network attack. The device determines one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements. The device adjusts the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism.
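The loop the abstract describes (take the SLA, tune the vote, check whether the SLA is met) can be sketched as follows. This is an added example, not code from the patent: it assumes the tunable parameter is the quorum k in a k-of-n majority vote, and the `SLA`, `metrics` and `tune_quorum` names and the validation data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SLA:
    # Any subset of the three SLA terms named in the claims may be set.
    min_recall: float = 0.0
    min_precision: float = 0.0
    max_fpr: float = 1.0

def metrics(votes, labels, k):
    """Recall, precision and FPR when an attack is declared on >= k votes."""
    tp = fp = fn = tn = 0
    for row, is_attack in zip(votes, labels):
        alarm = sum(row) >= k
        if alarm and is_attack:
            tp += 1
        elif alarm:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    recall = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 1.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return recall, precision, fpr

def meets(sla, m):
    recall, precision, fpr = m
    return (recall >= sla.min_recall and precision >= sla.min_precision
            and fpr <= sla.max_fpr)

def tune_quorum(votes, labels, sla):
    """Smallest quorum k (highest recall) that meets the SLA, else (None, None)."""
    for k in range(1, len(votes[0]) + 1):
        m = metrics(votes, labels, k)
        if meets(sla, m):
            return k, m
    return None, None

# Constructed validation set: one row per traffic sample, one column per
# classifier (1 = "attack" vote); LABELS holds the ground truth.
VOTES = [(1, 1, 1), (1, 1, 0), (1, 0, 1), (1, 0, 0),   # attacks
         (0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 0), (0, 1, 1), (0, 0, 0)]
LABELS = [True] * 4 + [False] * 6

if __name__ == "__main__":
    print(tune_quorum(VOTES, LABELS, SLA(min_recall=0.7, max_fpr=0.2)))
    print(tune_quorum(VOTES, LABELS, SLA(min_recall=0.9, max_fpr=0.2)))
```

The second call returns `(None, None)`: no quorum satisfies both terms on this data, which is the "SLA not met" outcome the final claim step checks for.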
19 Claims
1. A method, comprising:
- receiving, at a device in a network, information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of: a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism;
- identifying, by the device, a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack;
- determining, by the device, one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements;
- adjusting, by the device, the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and
- determining, by the device, whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the network interfaces and configured to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed operable to:
  - receive information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of: a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism;
  - identify a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack;
  - determine one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements;
  - adjust the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and
  - determine whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16)
17. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- receive information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of: a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism;
- identify a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack;
- determine one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements;
- adjust the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and
- determine whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.
(Dependent claims: 18, 19)