Techniques for detecting attacks in a publish-subscribe network

US 10,333,968 B2
Filed: 02/10/2016
Issued: 06/25/2019
Est. Priority Date: 02/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting a network attack in a publish-subscribe network, the method comprising:

generating a current system model that represents a current state of the publish-subscribe network, the current system model including;

a set of state-related indicators representing an operational state of the publish-subscribe network, wherein the set of state-related indicators includes at least one of a topic fan-in or a topic fan-out, anda set of flow-related indicators representing an overall traffic flow through the publish-subscribe network;

generating a first probability that the publish-subscribe network is subject to attack, based on a first indicator included in the set of state-related indicators;

generating a second probability that the publish-subscribe network is subject to attack, based on a second indicator in the set of flow-related indicators;

combining the first probability with the second probability to generate a third probability;

determining that the third probability exceeds a first threshold value; and

in response, dispatching a first handler configured to address the network attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A publish-subscribe network includes a network infrastructure configured to support the exchange of data. An intrusion detection system is coupled to the network infrastructure and configured to process signals received from that infrastructure in order to detect malicious attacks on the network infrastructure. The intrusion detection system includes an evaluator that generates a set of indicators based on the received signals. The evaluator models these indicators as stochastic processes, and then predicts an attack probability for each indicator based on a predicted future state of each such indicator. The evaluator combines the various attack probabilities and determines an overall attack level for the network infrastructure. Based on the attack level, the intrusion detection system dispatches a specific handler to prevent or mitigate attacks.

Citations

18 Claims

1. A computer-implemented method for detecting a network attack in a publish-subscribe network, the method comprising:
- generating a current system model that represents a current state of the publish-subscribe network, the current system model including;
  
  a set of state-related indicators representing an operational state of the publish-subscribe network, wherein the set of state-related indicators includes at least one of a topic fan-in or a topic fan-out, anda set of flow-related indicators representing an overall traffic flow through the publish-subscribe network;
  
  generating a first probability that the publish-subscribe network is subject to attack, based on a first indicator included in the set of state-related indicators;
  
  generating a second probability that the publish-subscribe network is subject to attack, based on a second indicator in the set of flow-related indicators;
  
  combining the first probability with the second probability to generate a third probability;
  
  determining that the third probability exceeds a first threshold value; and
  
  in response, dispatching a first handler configured to address the network attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving a set of signals from the publish-subscribe network; and
      
      parsing the set of signals to identify one or more subsets of signals in the set of signals, wherein each subset of signals corresponds to a different indicator in one of the set of state-related indicators or the set of flow-related indicators.
  - 3. The computer-implemented method of claim 1, wherein generating a first probability that the publish-subscribe network is subject to attack comprises:
    - mapping the first indicator to an initial state vector;
      
      initializing a stochastic model of the first indicator based on the initial state vector;
      
      computing one or more transitions of the stochastic model to determine a final set of states of the stochastic model; and
      
      determining a final state in the final set of states of the stochastic model based on a final probability of the final state.
  - 4. The computer-implemented method of claim 3, wherein the stochastic model of the first indicator includes a Markov chain comprising:
    - a set of states initialized to represent the initial state vector; and
      
      a set of transition probabilities for transitioning between each state in the set of states.
  - 5. The computer-implemented method of claim 3, wherein computing a transition of the stochastic model comprises multiplying a state vector associated with the stochastic model by a transition matrix to generate a subsequent state vector for the stochastic model.
  - 6. The computer-implemented method of claim 1, wherein combining the first probability with the second probability comprises computing a weighted sum of the first probability and the second probability to generate the third probability.
  - 7. The computer-implemented method of claim 1, wherein the third probability represents an overall likelihood that the publish-subscribe network is subject to attack.
  - 8. The computer-implemented method of claim 1, further comprising:
    - comparing the third probability to a second threshold value; and
      
      determining that the third probability does not exceed the second threshold value, indicating that the publish-subscribe network has a first pre-defined probability of being subject to attack, wherein the first handler is configured to address the network attack by preventing a denial of service from occurring.
  - 9. The computer-implemented method of claim 1, further comprising:
    - comparing the third probability to a second threshold value; and
      
      determining that the third probability exceeds the second threshold value, indicating that the publish-subscribe network has a first pre-defined probability of being subject to attack, wherein the first handler is configured to address the network attack by mitigating a denial of service that is currently underway.

10. One or more non-transitory computer-readable media including instructions that, when executed by one or more processors, cause the one or more processors to detect a network attack in a publish-subscribe network, by performing the steps of:
- generating a current system model that represents a current state of the publish-subscribe network, the current system model including;
  
  a set of state-related indicators representing an operational state of the publish-subscribe network, anda set of flow-related indicators representing an overall traffic flow through the publish-subscribe network, wherein the set of flow-related indicators includes at least one of an inter-arrival rate, a scheme, and an addressing generality;
  
  generating a first probability that the publish-subscribe network is subject to attack based on a first indicator included in the set of state-related indicators;
  
  generating a second probability that the publish-subscribe network is subject to attack based on a second indicator in the set of flow-related indicators;
  
  combining the first probability with the second probability to generate a third probability;
  
  determining that the third probability exceeds a first threshold value; and
  
  in response, dispatching a first handler configured to address the network attack.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The one or more non-transitory computer-readable media of claim 10, wherein generating the set of indicators comprises:
    - receiving a set of signals from the publish-subscribe network; and
      
      parsing the set of signals to identify one or more subsets of signals in the set of signals, wherein each subset of signals corresponds to a different indicator in one of the set of state-related indicators or the set of flow-related indicators.
  - 12. The one or more non-transitory computer-readable media of claim 10, wherein generating a first probability that the publish-subscribe network is subject to attack comprises:
    - mapping the first indicator to an initial state vector;
      
      initializing a stochastic model of the first indicator based on the initial state vector;
      
      computing one or more transitions of the stochastic model to determine a final set of states of the stochastic model; and
      
      determining a final state in the final set of states of the stochastic model based on a final probability of the final state.
  - 13. The one or more non-transitory computer-readable media of claim 12, wherein mapping the first indicator to the initial state vector comprises converting one or more values associated with the first indicator into one or more initial states associated with the initial state vector via a transformation function.
  - 14. The one or more non-transitory computer-readable media of claim 13, wherein the transformation function is determined based on:
    - a supervised learning process;
      
      or an empirical analysis of the publish-subscribe network.
  - 15. The one or more non-transitory computer-readable media of claim 12, wherein computing a transition of the stochastic model comprises multiplying a state vector associated with the stochastic model by a transition matrix to generate a subsequent state vector for the stochastic model.
  - 16. The one or more non-transitory computer-readable media of claim 10, wherein combining the first probability with the second probability comprises computing a weighted sum of the first probability and the second probability to generate the third probability.

17. A system for detecting a network attack in a publish-subscribe network, comprising:
- a memory that includes an intrusion detection application; and
  
  a processor that is coupled to the memory and, when executing the intrusion detection application, is configured to;
  
  generate a current system model that represents a current state of the publish-subscribe network, the current system model including;
  
  a set of state-related indicators representing an operational state of the publish-subscribe network, anda set of flow-related indicators representing an overall traffic flow through the publish-subscribe network, wherein the set of flow-related indicators includes at least one of an inter-arrival rate, a scheme, and an addressing generality,generate a first probability that the publish-subscribe network is subject to attack based on a first indicator included in the set of state-related indicators,generate a second probability that the publish-subscribe network is subject to attack based on a second indicator in the set of flow-related indicators,combine the first probability with the second probability to generate a third probability,determine that the third probability exceeds a first threshold value, andin response, dispatch a first handler configured to address the network attack.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein the third probability represents an overall likelihood that the publish-subscribe network is subject to attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Maresca, Paolo
Primary Examiner(s)
Pearson, David J

Application Number

US15/040,728
Publication Number

US 20170230413A1
Time in Patent Office

1,231 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06N 7/01   Probabilistic graphical mod...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

Techniques for detecting attacks in a publish-subscribe network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for detecting attacks in a publish-subscribe network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links