Behavioral white labeling
Abstract
In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.
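The abstract and claim 1 describe a two-stage triage: a traffic model manager scores each flow against models of known non-malicious traffic classes, white-labels flows whose conformance exceeds a threshold so that they bypass the DoS attack detector, and forwards everything else to the detector. The following is an added example written for this page, not code from the patent or its assignee. The patent does not specify how the conformance degree is computed; here each model is a set of feature ranges, a feature scores 1.0 inside its range and decays linearly to 0.0 one range-width outside it, and the flow's degree against a model is the minimum over features (an assumption, chosen so that a single wildly out-of-range feature such as packet rate cannot be averaged away). The feature names, models, threshold, the stand-in DoS detector rules and the sample flows are all constructed for the example.

```python
# Added example (not the patent's own code): a toy traffic model manager that
# scores a flow against per-class traffic models and either white-labels it
# (bypassing the DoS detector) or forwards it to the detector, as in claim 1.
# Feature names, ranges, threshold, detector rules and sample flows are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    flow_id: str
    protocol: str        # "tcp" or "udp"
    dst_port: int
    pkt_rate: float      # packets per second
    avg_pkt_size: float  # bytes
    syn_ratio: float     # fraction of TCP packets with SYN set (0 for UDP)


@dataclass(frozen=True)
class TrafficModel:
    """A class of flows presumed non-malicious, described as feature ranges."""
    name: str
    protocol: str
    ports: FrozenSet[int]
    pkt_rate: Tuple[float, float]
    avg_pkt_size: Tuple[float, float]
    syn_ratio: Tuple[float, float]


def _range_score(value: float, lo: float, hi: float) -> float:
    """1.0 inside [lo, hi], decaying linearly to 0.0 one range-width outside it."""
    if lo <= value <= hi:
        return 1.0
    width = max(hi - lo, 1e-9)
    dist = (lo - value) if value < lo else (value - hi)
    return max(0.0, 1.0 - dist / width)


def conformance(flow: Flow, model: TrafficModel) -> float:
    """Degree (0..1) to which a flow conforms to one model (minimum over features,
    an assumption: one far-off feature is enough to deny white labeling)."""
    if flow.protocol != model.protocol or flow.dst_port not in model.ports:
        return 0.0
    return min(
        _range_score(flow.pkt_rate, *model.pkt_rate),
        _range_score(flow.avg_pkt_size, *model.avg_pkt_size),
        _range_score(flow.syn_ratio, *model.syn_ratio),
    )


def dos_detector(flow: Flow) -> str:
    """Stand-in for the DoS attack detector on the other network device (assumed rules)."""
    if flow.protocol == "tcp" and flow.syn_ratio > 0.9 and flow.pkt_rate > 1000:
        return "syn_flood"
    if flow.pkt_rate > 10000:
        return "volumetric_flood"
    return "clean"


class TrafficModelManager:
    def __init__(self, models: List[TrafficModel], threshold: float):
        self.models = models
        self.threshold = threshold

    def degree(self, flow: Flow) -> float:
        """Best conformance over all non-malicious traffic models."""
        return max(conformance(flow, m) for m in self.models)

    def process(self, flow: Flow) -> Dict[str, object]:
        degree = self.degree(flow)
        if degree > self.threshold:
            # White label: the flow bypasses the DoS detector and is never scanned.
            return {"flow": flow.flow_id, "degree": degree,
                    "path": "white-labeled", "verdict": None}
        # Otherwise forward the flow to the DoS detector, which scans it.
        return {"flow": flow.flow_id, "degree": degree,
                "path": "dos-detector", "verdict": dos_detector(flow)}


# Assumed traffic models for two benign classes: HTTPS sessions and DNS queries.
MODELS = [
    TrafficModel("https", "tcp", frozenset({443}), (0.0, 1000.0), (400.0, 1500.0), (0.0, 0.1)),
    TrafficModel("dns", "udp", frozenset({53}), (0.0, 2000.0), (40.0, 512.0), (0.0, 0.0)),
]

# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("web-client", "tcp", 443, 200.0, 800.0, 0.02),   # ordinary HTTPS session
    Flow("dns-flood", "udp", 53, 50000.0, 70.0, 0.0),     # DNS query flood
    Flow("syn-flood", "tcp", 443, 5000.0, 60.0, 0.98),    # SYN flood on the web port
    Flow("odd-web", "tcp", 443, 1100.0, 800.0, 0.15),     # slightly off-model but benign
]


def run_demo(threshold: float = 0.8) -> List[Dict[str, object]]:
    manager = TrafficModelManager(MODELS, threshold)
    return [manager.process(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r['flow']:<11} degree={r['degree']:.2f} path={r['path']:<14} verdict={r['verdict']}")
```

Running it shows the three outcomes the claim distinguishes: the ordinary HTTPS flow scores 1.0 and is white-labeled without ever reaching the detector; the DNS and SYN floods score 0.0, are forwarded, and are flagged; the slightly off-model web flow scores about 0.5, is forwarded, and is cleared. The practitioner's caveat is the one the bypass implies: a flow whose per-flow features are shaped to sit inside a model (for instance many sources each sending at the web-client profile) is white-labeled and is not scanned, so the models should be narrow, the threshold conservative, and white labels revocable rather than permanent.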
25 Claims
1. A method, comprising:
receiving a data flow at a traffic model manager node in a network;
determining, by the traffic model manager node, a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;
when the degree to which the received data flow conforms to the one or more traffic models is above a threshold, characterizing, by the traffic model manager node, the received data flow as non-malicious, and white labeling the received data flow that is characterized as non-malicious, wherein white labeled data flows cause the received data flow characterized as non-malicious to bypass a Denial of Service (DoS) attack detector executing on another network device in the network, and wherein the white labeled data flows are not scanned by the DoS attack detector; and
when the degree to which the received data flow conforms to the one or more traffic models is below the threshold, forwarding, from the traffic model manager node, the received data flow to the DoS attack detector on another network device in the network, wherein the DoS attack detector scans the received data flow for potential attacks.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. An apparatus, comprising:
one or more network interfaces to communicate with a network as a traffic model manager node;
a processor coupled to the one or more network interfaces and configured to execute a process; and
a memory configured to store program instructions which include the process executable by the processor, the process comprising:
receiving a data flow in the network;
determining a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;
when the degree to which the received data flow conforms to the one or more traffic models is above a threshold, characterizing the received data flow as non-malicious, and white labeling the received data flow that is characterized as non-malicious, wherein white labeled data flows cause the received data flow characterized as non-malicious to bypass a Denial of Service (DoS) attack detector executing on another network device in the network, and wherein the white labeled data flows are not scanned by the DoS attack detector; and
when the degree to which the received data flow conforms to the one or more traffic models is below the threshold, forward the received data flow to the DoS attack detector on another network device in the network, wherein the DoS attack detector scans the received data flow for potential attacks.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24

25. A tangible non-transitory computer readable medium storing program instructions that cause a computer to execute a process, the process comprising:
receiving a data flow at a traffic model manager node in a network;
determining, by the traffic model manager node, a degree to which the received data flow conforms to one or more traffic models classifying particular types of data flows as non-malicious;
when the degree to which the received data flow conforms to the one or more traffic models is above a threshold, characterizing, by the traffic model manager node, the received data flow as non-malicious and white labeling the received data flow that is characterized as non-malicious, wherein white labeled data flows cause the received data flow characterized as non-malicious to bypass a Denial of Service (DoS) attack detector executing on another network device in the network, and wherein the white labeled data flows are not scanned by the DoS attack detector; and
when the degree to which the received data flow conforms to the one or more traffic models is below the threshold, forwarding, from the traffic model manager node, the received data flow to the DoS attack detector on another network device in the network, wherein the DoS attack detector scans the received data flow for potential attacks.