Behavioral white labeling

US 9,900,342 B2
Filed: 07/23/2014
Issued: 02/20/2018
Est. Priority Date: 07/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a data flow at a traffic model manager node in a network;

determining, by the traffic model manager node, a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;

when the degree to which the received data flow conforms to the one or more traffic models is above a threshold,characterizing, by the traffic model manager node, the received data flow as non-malicious, andwhite labeling the received data flow that is characterized as non-malicious, wherein white labeled data flows cause the received data flow characterized as non-malicious to bypass a Denial of Service (DoS) attack detector executing on another network device in the network, and wherein the white labeled data flows are not scanned by the DoS attack detector; and

when the degree to which the received data flow conforms to the one or more traffic models is below the threshold, forwarding, from the traffic model manager node, the received data flow to the DoS attack detector on another network device in the network, wherein the DoS attack detector scans the received data flow for potential attacks.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.

35 Citations

View as Search Results

25 Claims

1. A method, comprising:
- receiving a data flow at a traffic model manager node in a network;
  
  determining, by the traffic model manager node, a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;
  
  when the degree to which the received data flow conforms to the one or more traffic models is above a threshold,characterizing, by the traffic model manager node, the received data flow as non-malicious, andwhite labeling the received data flow that is characterized as non-malicious, wherein white labeled data flows cause the received data flow characterized as non-malicious to bypass a Denial of Service (DoS) attack detector executing on another network device in the network, and wherein the white labeled data flows are not scanned by the DoS attack detector; and
  
  when the degree to which the received data flow conforms to the one or more traffic models is below the threshold, forwarding, from the traffic model manager node, the received data flow to the DoS attack detector on another network device in the network, wherein the DoS attack detector scans the received data flow for potential attacks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method as in claim 1, wherein the degree to which the received data flow conforms to the one or more traffic models is sufficient when the degree exceeds a predetermined threshold amount.
  - 3. The method as in claim 1, wherein the degree to which the received data flow conforms to the one or more traffic models is sufficient when a source of the received data flow corresponds to a source from which previous data flows have been characterized as non-malicious.
  - 4. The method as in claim 1, wherein whether the degree to which the received data flow conforms to the one or more traffic models is sufficient is dependent on a determination made by a machine learning classifier.
  - 5. The method as in claim 1, further comprising:
    - when a particular data flow is characterized as non-malicious based on the one or more traffic models, characterizing, by the traffic model manager node, all future occurrences of the particular data flow as non-malicious.
  - 6. The method as in claim 1, further comprising:
    - when a particular data flow is characterized as non-malicious based on the one or more traffic models, characterizing, by the traffic model manager node, future occurrences of the particular data flow as non-malicious for a predetermined period of time.
  - 7. The method as in claim 1, further comprising:
    - receiving, at the traffic model manager node, an indication from a machine learning traffic modeler to install the one or more traffic models.
  - 8. The method as in claim 1, further comprising:
    - when characterizing the received data flow as non-malicious, sending, from the traffic model manager node, a message to a centralized management node indicating that the received data flow has been characterized as non-malicious.
  - 9. The method as in claim 8, wherein the message further indicates other sample data flows that have been characterized as non-malicious.
  - 10. The method as in claim 1, wherein the one or more traffic models classify particular types of data flows as non-malicious based on data flow attributes including one or more of:
    - a source address, a destination address, a source port, a destination port, a uniform resource identifier (URI), a payload field, a flow label field, or an application type.
  - 11. The method as in claim 1, wherein the one or more traffic models are computed according to external requests to classify data flows having a particular attribute as non-malicious.
  - 12. The method as in claim 1, wherein the one or more traffic models are computed by a machine learning traffic modeler.

13. An apparatus, comprising:
- one or more network interfaces to communicate with a network as a traffic model manager node;
  
  a processor coupled to the one or more network interfaces and configured to execute a process; and
  
  a memory configured to store program instructions which include the process executable by the processor, the process comprising;
  
  receiving a data flow in the network;
  
  determining a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;
  
  when the degree to which the received data flow conforms to the one or more traffic models is above a threshold,characterizing the received data flow as non-malicious, andwhite labeling the received data flow that is characterized as non-malicious, wherein white labeled data flows cause the received data flow characterized as non-malicious to bypass a Denial of Service (DoS) attack detector executing on another network device in the network, and wherein the white labeled data flows are not scanned by the DoS attack detector; and
  
  when the degree to which the received data flow conforms to the one or more traffic models is below the threshold, forward the received data flow to the DoS attack detector on another network device in the network, wherein the DoS attack detector scans the received data flow for potential attacks.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The apparatus as in claim 13, wherein the degree to which the received data flow conforms to the one or more traffic models is sufficient when the degree exceeds a predetermined threshold amount.
  - 15. The apparatus as in claim 13, wherein the degree to which the received data flow conforms to the one or more traffic models is sufficient when a source of the received data flows corresponds to a source from which previous data flows have been characterized as non-malicious.
  - 16. The apparatus as in claim 13, wherein whether the degree to which the received data flow conforms to the one or more traffic models is sufficient is dependent on a determination made by a machine learning classifier.
  - 17. The apparatus as in claim 13, wherein the process further comprises:
    - when a particular data flow is characterized as non-malicious based on the one or more traffic models, characterizing all future occurrences of the particular data flow as non-malicious.
  - 18. The apparatus as in claim 13, wherein the process further comprises:
    - when a particular data flow is characterized as non-malicious based on the one or more traffic models, characterizing future occurrences of the particular data flow as non-malicious for a predetermined period of time.
  - 19. The apparatus as in claim 13, wherein the process further comprises:
    - receiving an indication from a machine learning traffic modeler to install the one or more traffic models.
  - 20. The apparatus as in claim 13, wherein the process further comprises:
    - when characterizing the received data flow as non-malicious, sending a message to a centralized management node indicating that the received data flow has been characterized as non-malicious.
  - 21. The apparatus as in claim 20, wherein the message further indicates other sample data flows that have been characterized as non-malicious.
  - 22. The apparatus as in claim 13, wherein the one or more traffic models classify particular types of data flows as non-malicious based on data flow attributes including one or more of:
    - a source address, a destination address, a source port, a destination port, a uniform resource identifier (URI), a payload field, a flow label field, or an application type.
  - 23. The apparatus as in claim 13, wherein the one or more traffic models are computed according to external requests to classify data flows having a particular attribute as non-malicious.
  - 24. The apparatus as in claim 13, wherein the one or more traffic models are computed by a machine learning traffic modeler.

25. A tangible non-transitory computer readable medium storing program instructions that cause a computer to execute a process, the process comprising:
- receiving a data flow at a traffic model manager node in a network;
  
  determining, by the traffic model manager node, a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;
  
  when the degree to which the received data flow conforms to the one or more traffic models is above a threshold,characterizing, by the traffic model manager node, the received data flow as non-malicious andwhite labeling the received data flow that is characterized as non-malicious, wherein white labeled data flows cause the received data flow characterized as non-malicious to bypass a Denial of Service (DoS) attack detector executing on another network device in the network, and wherein the white labeled data flows are not scanned by the DoS attack detector; and
  
  when the degree to which the received data flow conforms to the one or more traffic models is below the threshold, forwarding, from the traffic model manager node, the received data flow to the DoS attack detector on another network device in the network, wherein the DoS attack detector scans the received data flow for potential attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cruz Mota, Javier, Vasseur, Jean-Philippe, Di Pietro, Andrea
Primary Examiner(s)
DOAN, TRANG T

Application Number

US14/338,582
Publication Number

US 20160028763A1
Time in Patent Office

1,308 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

Behavioral white labeling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral white labeling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links