Anomaly detection in software defined networking
First Claim
1. A method comprising performing, in a network apparatus, the steps of:
- classifying traffic flows containing packets based on packet features;
- providing a copy of a packet contained in a traffic flow to a cluster node;
- controlling the cluster node to select at least one detector node based on the features of the packet and to forward said copy to the selected detector node to find out based on said copy whether the packet is malicious or not; and
- in response to receiving from the detector node a flow indication on the traffic flow, controlling a switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.
Abstract
A network apparatus of a communication system classifies traffic flows containing packets based on packet features. The network apparatus provides a copy of a packet contained in a traffic flow to a cluster node, and controls the cluster node to select at least one detector node based on the features of the packet and to forward said copy to the selected detector node to find out based on said copy whether the packet is malicious or not. In response to receiving from the detector node a flow indication on the traffic flow, the network apparatus controls a switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.
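The control loop in the abstract, as an added Python simulation that is not code from the patent or from any product: the controller classifies a packet into a flow, mirrors a copy to a cluster node that selects detector nodes by the packet's protocol and port, and turns the detector's flow indication into one of the three flow control actions on the switch. The detectors, their thresholds and the indication names ("benign", "suspicious", "malicious") are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes

FlowKey = Tuple[str, str, str, int]
Detector = Callable[[Packet], str]   # a detector node returns a flow indication
def classify(pkt: Packet) -> FlowKey:
    """Classify the packet into a traffic flow by its header features."""
    return (pkt.src, pkt.dst, pkt.proto, pkt.dport)

# Constructed toy detectors (assumption); real detector nodes do full inspection.
def http_detector(pkt: Packet) -> str:
    return "malicious" if b"<script" in pkt.payload.lower() else "benign"
def dns_detector(pkt: Packet) -> str:
    return "suspicious" if len(pkt.payload) > 200 else "benign"  # crude tunnelling heuristic
class ClusterNode:
    """Selects detector node(s) from the packet's features and forwards the copy."""
    def __init__(self) -> None:
        self.detectors: Dict[Tuple[str, int], Detector] = {
            ("tcp", 80): http_detector, ("udp", 53): dns_detector}
    def select(self, pkt: Packet) -> List[Detector]:
        key = (pkt.proto, pkt.dport)   # unknown feature sets fan out to every detector
        return [self.detectors[key]] if key in self.detectors else list(self.detectors.values())
    def inspect(self, copy: Packet) -> str:
        verdicts = {d(copy) for d in self.select(copy)}   # worst indication wins
        return next((v for v in ("malicious", "suspicious") if v in verdicts), "benign")

class Switch:
    def __init__(self) -> None:
        self.flow_table: Dict[FlowKey, str] = {}
    def act(self, key: FlowKey, indication: str) -> str:
        """Map the flow indication to flow removal, modification or installation."""
        if indication == "malicious":          # drop the flow entirely
            self.flow_table.pop(key, None)
            return "flow_removal"
        # benign flows get a forwarding rule installed; suspicious ones are rate limited
        self.flow_table[key] = "rate_limit" if indication == "suspicious" else "forward"
        return "flow_modification" if indication == "suspicious" else "flow_installation"

def handle_packet(pkt: Packet, cluster: ClusterNode, switch: Switch) -> Tuple[FlowKey, str, str]:
    """Controller: classify, mirror a copy to the cluster node, act on its indication."""
    key = classify(pkt)
    indication = cluster.inspect(pkt)   # only the copy is inspected; the flow keeps moving
    return key, indication, switch.act(key, indication)
```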
6 Citations
16 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method comprising performing, in a network apparatus, the steps of:
- obtaining a copy of a packet contained in a traffic flow from a switch node;
- checking packet features;
- selecting, based on the packet features, at least one detector node among one or more detector nodes capable of checking based on said copy whether the packet is malicious or not; and
- forwarding said copy to the selected detector node for checking whether the packet is malicious or not.
Dependent claims: 10
11. A method comprising performing, in a network apparatus, the steps of:
- classifying traffic flows containing packets based on packet features;
- providing a sample of a traffic flow to a cluster node;
- receiving, from the cluster node, information on one or more detector nodes selected in the cluster node for features of the sample;
- controlling a switch node to forward the traffic flow, based on rules extracted from the cluster node, to the selected detector node to find out whether a packet contained in said traffic flow is malicious or not; and
- in response to receiving, from the detector node, a flow indication on the traffic flow, controlling the switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.
Dependent claims: 12, 13, 14
15. A method comprising performing, in a network apparatus, the steps of:
- obtaining a sample of a traffic flow from a switch node;
- checking features of the sample;
- based on the checking, selecting at least one detector node among one or more detector nodes capable of checking whether a packet is malicious or not; and
- indicating to a control node the at least one detector node selected for traffic flow anomaly detection.
Dependent claims: 16
Specification