Verifying network attack detector effectiveness
First Claim
1. A method, comprising:
- receiving, at a device in a network, a classifier tracking request from a coordinator device that specifies a classifier verification time period, wherein the classifier verification time period is a scheduled time period at which a validation test is performed;
- performing the validation test by:
  - classifying, by the device and during the classifier verification time period, a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device;
  - generating, by the device, classification results based on the classified set of network traffic; and
  - providing, by the device, the classification results to the coordinator device, the classification results used by the coordinator device to identify whether or not performance of an attack detector of the device is above a specified performance threshold for detecting an attack, wherein the attack traffic and the observed traffic are received from one or more other devices in the network, and wherein the coordinator device instructs the one or more other devices to send the attack traffic at a low priority.
Abstract
In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.
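As an added illustration (this is not code from the patent or its assignee), the following Python sketch walks through the exchange the abstract and claim 1 describe: the coordinator sends a tracking request naming a verification window, orders peer devices to inject known attack flows at low priority, the device classifies everything it sees inside the window (its own observed traffic and the injected traffic alike), and the coordinator scores the returned labels against the ground truth it injected. The message field names, the SYN-flood rule standing in for the attack detector, the sample flows and the 0.9 performance threshold are all assumptions made for the example.

```python
"""Added example, not the patent's own code. Message formats, the detector
rule, the sample flows and the threshold below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    pps: float                 # packets per second observed for the flow
    syn_ratio: float           # fraction of packets that are bare TCP SYNs
    priority: str = "normal"   # "low": traffic the coordinator asked a peer to inject

    @property
    def key(self) -> FlowKey:
        return (self.src, self.dst, self.dport)


def make_tracking_request(verify_start: int, verify_end: int) -> dict:
    """Coordinator -> device. The claim only mandates that a verification
    period is specified; the field names are assumptions."""
    return {"type": "classifier_tracking_request",
            "verify_start": verify_start, "verify_end": verify_end}


def make_injection_orders(attacks: List[Flow]) -> List[dict]:
    """Coordinator -> peer devices: send the listed attack flows at low
    priority so the test does not crowd out production traffic."""
    return [{"type": "send_attack_traffic", "flow": a.key, "priority": "low",
             "pps": a.pps, "syn_ratio": a.syn_ratio} for a in attacks]


class AttackDetector:
    """Hypothetical device-side classifier: a SYN-flood threshold rule.
    It deliberately ignores Flow.priority: the low-priority marking is a
    scheduling hint from the coordinator, not a feature. If the detector
    keyed on it, the test would only prove it can read the marking."""
    def classify(self, f: Flow) -> str:
        return "attack" if f.syn_ratio > 0.8 and f.pps > 500 else "benign"


def device_run(request: dict, traffic: List[Tuple[int, Flow]]) -> dict:
    """Device side: classify every flow seen inside the verification window
    and report the labels back. Traffic outside the window is not scored."""
    det = AttackDetector()
    results = [{"flow": f.key, "label": det.classify(f)}
               for ts, f in traffic
               if request["verify_start"] <= ts <= request["verify_end"]]
    return {"type": "classification_results", "results": results}


def coordinator_evaluate(results_msg: dict, ground_truth: Dict[FlowKey, str],
                         threshold: float) -> dict:
    """Coordinator side: compare the device's labels with what it injected.
    Flows absent from ground_truth are the device's own observed traffic and
    are treated as benign here. Pass/fail is on attack recall; the false
    positive rate is reported as well, so a detector that flags everything
    cannot pass unnoticed."""
    tp = fn = fp = tn = 0
    for r in results_msg["results"]:
        truth = ground_truth.get(r["flow"], "benign")
        if truth == "attack":
            tp, fn = (tp + 1, fn) if r["label"] == "attack" else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if r["label"] == "attack" else (fp, tn + 1)
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"recall": recall, "false_positive_rate": fpr,
            "passed": (tp + fn) > 0 and recall >= threshold}


def run_verification(threshold: float = 0.9) -> dict:
    """End-to-end walk-through on constructed sample traffic."""
    req = make_tracking_request(verify_start=1000, verify_end=1060)
    # Attack flows the coordinator orders peers to inject (constructed sample).
    injected = [
        Flow("10.0.0.7", "10.0.1.2", 80, pps=2500, syn_ratio=0.97, priority="low"),
        Flow("10.0.0.8", "10.0.1.2", 443, pps=1800, syn_ratio=0.92, priority="low"),
        Flow("10.0.0.9", "10.0.1.3", 22, pps=120, syn_ratio=0.95, priority="low"),  # slow SYN flood
    ]
    orders = make_injection_orders(injected)
    assert all(o["priority"] == "low" for o in orders)
    truth = {a.key: "attack" for a in injected}
    # What the device actually sees: its own observed traffic plus the injected flows.
    traffic = [
        (990,  Flow("10.0.2.1", "10.0.1.2", 80, pps=40, syn_ratio=0.05)),     # before window: ignored
        (1005, Flow("10.0.2.4", "10.0.1.2", 443, pps=300, syn_ratio=0.10)),
        (1010, injected[0]),
        (1020, Flow("10.0.2.5", "10.0.1.5", 443, pps=900, syn_ratio=0.02)),   # busy but benign
        (1030, injected[1]),
        (1040, injected[2]),
        (1070, injected[0]),                                                   # after window: ignored
    ]
    results = device_run(req, traffic)
    return coordinator_evaluate(results, truth, threshold)


if __name__ == "__main__":
    print(run_verification())
```

Two points the claim leaves implicit that a practitioner would check are built into the sketch: the detector must not use the low-priority marking as a feature, and recall alone is not a sufficient score, since a detector that labels everything as an attack would clear any recall threshold, so the coordinator also reports the false-positive rate on the device's own observed traffic. Run as written, the slow SYN flood is missed, recall is 2/3, and the detector fails the 0.9 threshold.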
14 Claims
1. A method, comprising: see First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the network interfaces and configured to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed operable to:
  - receive a classifier tracking request from a coordinator device that specifies a classifier verification time period, wherein the classifier verification time period is a scheduled time period at which a validation test is performed;
  - classify, during the classifier verification time period, a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device;
  - generate classification results based on the classified set of network traffic; and
  - provide the classification results to the coordinator device, the classification results used by the coordinator device to identify whether or not performance of an attack detector of the apparatus is above a specified performance threshold for detecting an attack, wherein the attack traffic and the observed traffic are received from one or more other devices in the network, and wherein the coordinator device instructs the one or more other devices to send the attack traffic at a low priority.
Dependent claims: 9, 10, 11, 12, 13, 14.