Context aware network security monitoring for threat detection
US-9215244-B2 · Dec 15, 2015 · US
US10187413B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10187413-B2 |
| Application number | US-201615212597-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 18, 2016 |
| Priority date | Mar 25, 2016 |
| Publication date | Jan 22, 2019 |
| Grant date | Jan 22, 2019 |
Abstract
In one embodiment, a supervisory device in a network receives traffic data from a security device that uses traffic signatures to assess traffic in the network. The supervisory device receives traffic data from one or more distributed learning agents that use machine learning-based anomaly detection to assess traffic in the network. The supervisory device trains a traffic classifier using the received traffic data from the security device and from the one or more distributed learning agents. The supervisory device deploys the traffic classifier to a selected one of the one or more distributed learning agents.
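The abstract describes one central idea: verdicts from a signature-based device (firewall, IDS/IPS) and anomaly scores from distributed learning agents are fused into one labelled training set, a classifier is trained centrally, and the result is pushed to a chosen agent. The following added example (written for this page; it is not the patent's code and Cisco's implementation is not public here) shows that flow end to end. The feature set, the record formats, the anomaly-score threshold used to turn agent scores into labels, the agent-selection policy and the logistic-regression classifier are all assumptions; the patent's own classifier is described only generically (claim 9 mentions a deep neural network). All sample records are constructed.

```python
"""Added example: a supervisory device fusing signature verdicts from an IDS/IPS
with anomaly scores from distributed learning agents into one labelled set,
training a traffic classifier and packaging it for deployment to one agent.
Illustrative only; not the patent's implementation."""
import json
import math

FEATURES = ("pkts_per_sec", "bytes_per_pkt", "distinct_dst_ports")
ANOMALY_LABEL_THRESHOLD = 0.8  # assumption: agent scores >= 0.8 count as positives

# Constructed sample records (not from the patent). The signature device reports
# the matched rule (or None); each learning agent reports its anomaly score.
SECURITY_DEVICE_RECORDS = [
    {"pkts_per_sec": 420, "bytes_per_pkt": 60, "distinct_dst_ports": 180, "signature": "PORTSCAN"},
    {"pkts_per_sec": 550, "bytes_per_pkt": 44, "distinct_dst_ports": 260, "signature": "PORTSCAN"},
    {"pkts_per_sec": 300, "bytes_per_pkt": 70, "distinct_dst_ports": 90, "signature": "SYNFLOOD"},
    {"pkts_per_sec": 12, "bytes_per_pkt": 900, "distinct_dst_ports": 1, "signature": None},
    {"pkts_per_sec": 8, "bytes_per_pkt": 1100, "distinct_dst_ports": 2, "signature": None},
    {"pkts_per_sec": 20, "bytes_per_pkt": 450, "distinct_dst_ports": 3, "signature": None},
]
AGENT_RECORDS = {
    "agent-branch-1": [
        {"pkts_per_sec": 15, "bytes_per_pkt": 800, "distinct_dst_ports": 2, "anomaly_score": 0.05},
        {"pkts_per_sec": 6, "bytes_per_pkt": 1200, "distinct_dst_ports": 1, "anomaly_score": 0.02},
        {"pkts_per_sec": 480, "bytes_per_pkt": 52, "distinct_dst_ports": 210, "anomaly_score": 0.97},
    ],
    "agent-branch-2": [
        {"pkts_per_sec": 10, "bytes_per_pkt": 650, "distinct_dst_ports": 2, "anomaly_score": 0.10},
        {"pkts_per_sec": 390, "bytes_per_pkt": 64, "distinct_dst_ports": 150, "anomaly_score": 0.91},
        {"pkts_per_sec": 600, "bytes_per_pkt": 40, "distinct_dst_ports": 300, "anomaly_score": 0.99},
    ],
}

def to_vector(record):
    return [float(record[f]) for f in FEATURES]

def build_training_set(sec_records, agent_records):
    """Signature hits are hard labels; agent anomaly scores are thresholded
    into labels (assumption; the patent does not fix how scores become labels)."""
    X, y = [], []
    for r in sec_records:
        X.append(to_vector(r))
        y.append(1 if r["signature"] else 0)
    for recs in agent_records.values():
        for r in recs:
            X.append(to_vector(r))
            y.append(1 if r["anomaly_score"] >= ANOMALY_LABEL_THRESHOLD else 0)
    return X, y

def scale(x, lo, hi):
    """Min-max scaling; the scaler parameters ship with the model."""
    return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(x, lo, hi)]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train_classifier(X, y, epochs=2000, lr=0.5):
    """Logistic regression by batch gradient descent, a minimal stand-in for the
    patent's traffic classifier (claim 9 names a deep neural network)."""
    lo = [min(c) for c in zip(*X)]
    hi = [max(c) for c in zip(*X)]
    Xs = [scale(x, lo, hi) for x in X]
    w, b, n = [0.0] * len(FEATURES), 0.0, len(Xs)
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, t in zip(Xs, y):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - t
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return {"features": list(FEATURES), "weights": w, "bias": b,
            "scaler_min": lo, "scaler_max": hi}

def predict(model, x):
    """Probability that a feature vector (in model['features'] order) is malicious."""
    xs = scale(x, model["scaler_min"], model["scaler_max"])
    return sigmoid(sum(wi * xi for wi, xi in zip(model["weights"], xs)) + model["bias"])

def training_accuracy(model, X, y):
    hits = sum((predict(model, x) >= 0.5) == (t == 1) for x, t in zip(X, y))
    return hits / len(y)

def select_agent(agent_records):
    """Deployment target: the agent seeing the largest share of high-anomaly
    traffic (an assumed policy; claim 1 only says 'a selected one')."""
    share = {a: sum(r["anomaly_score"] >= ANOMALY_LABEL_THRESHOLD for r in recs) / len(recs)
             for a, recs in agent_records.items()}
    return max(share, key=share.get)

def deployment_package(model, agent_id):
    """What the supervisory device pushes to the agent: model plus scaler as JSON."""
    return json.dumps({"target": agent_id, "model": model})

if __name__ == "__main__":
    X, y = build_training_set(SECURITY_DEVICE_RECORDS, AGENT_RECORDS)
    model = train_classifier(X, y)
    print("training accuracy:", training_accuracy(model, X, y))
    print("scan-like flow ->", round(predict(model, [500.0, 48.0, 240.0]), 3))
    print("deploy to", select_agent(AGENT_RECORDS))
```

Two practical points the example makes concrete: the scaler parameters must travel with the weights, or the agent will score raw features against a model trained on scaled ones; and thresholding anomaly scores into labels imports the agents' false positives into the central training set, so in practice the threshold and the signature-device labels should be cross-checked before retraining.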
Claims (preview)
What is claimed is:

1. A method comprising: dynamically discovering, by a supervisory device in a network, a security device that uses traffic signatures to assess traffic in the network; generating, by the supervisory device, a given rule regarding when traffic data from the security device is sent to the supervisory device; receiving, at the supervisory device, the traffic data from the security device based on the given rule; receiving, at the supervisory device, traffic data from one or more distributed learning agents that use machine learning-based anomaly detection to assess traffic in the network; training, by the supervisory device, a traffic classifier using the received traffic data from the security device and from the one or more distributed learning agents; and deploying, by the supervisory device, the traffic classifier to a selected one of the one or more distributed learning agents.

2. The method as in claim 1, wherein the security device comprises at least one of: a firewall, an intrusion detection device, or an intrusion prevention device.

3. The method as in claim 1, further comprising: sending, by the supervisory device, a discovery request to the security device; and receiving, at the supervisory device, a discovery acknowledgement from the security device in response to the discovery request, wherein the discovery acknowledgement indicates one or more capabilities of the security device.

4. The method as in claim 1, further comprising: sending, by the supervisory device, a traffic sample request to the security device for the traffic data received from the security device, wherein the traffic sample request indicates at least one of: a particular signature of which the requested traffic should or should not match, a traffic type, or a time at which the security device is to send the traffic data.

5. The method as in claim 1, further comprising: scheduling, by the supervisory device, when the one or more distributed learning agents are to send the traffic data to the supervisory device based on a topology of the network or a bandwidth utilization.

6. The method as in claim 1, further comprising: requesting, by the supervisory device, the traffic data received from the one or more distributed learning agents based on one or more traffic categories associated with the one or more distributed learning agents.

7. The method as in claim 1, further comprising: receiving, by the supervisory device, traffic data from a first agent; generating, by the supervisory device, a statistical model using the traffic data from the first agent; and using, by the supervisory device, the statistical model to verify whether the traffic data from the first agent is representative of traffic from a second agent.

8. The method as in claim 7, further comprising: requesting, by the supervisory device, the traffic data from the second agent, in response to a determination that the traffic data from the first agent is not representative of the traffic data from the second agent.

9. The method as in claim 1, wherein the traffic classifier comprises a deep neural network.

10. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: dynamically discover a security device that uses traffic signatures to assess traffic in the network; generate a given rule regarding when traffic data from the security device is sent to the supervisory device; receive the traffic data from the security device based on the given rule; receive traffic data from one or more distributed learning agents that use machine learning-based anomaly detection to assess traffic in the network; train a traffic classifier using the received traffic data from the security device and from the one or more distributed learning agents; and deploy the traffic classifier to a selected one of the one or more distributed learning agents.

11. The apparatus as in claim 10, wherein the security device comprises at least one of: a firewall, an intrusion detection device, or an intrusion prevention device.

12. The apparatus as in claim 10, wherein the process when executed is further operable to: send a discovery request to the security device; and receive a discovery acknowledgement from the security device in response to the discovery request, wherein the discovery acknowledgement indicates one or more capabilities of the security device.

13. The apparatus as in claim 10, wherein the process when executed is further operable to: send a traffic sample request to the security device for the traffic data received from the security device, wherein the traffic sample request indicates at least one of: a particular signature of which the requested traffic should or should not match, a traffic type, or a time at which the security device is to send the traffic data.

14. The apparatus as in claim 10, wherein the process when executed is further operable to: schedule when the one or more distributed learning agents are to send the traffic data to the apparatus based on a topology of the network or a bandwidth utilization.

15. The apparatus as in claim 10, wherein the process when executed is further operable to: request the traffic data received from the one or more distributed learning agents based on one or more traffic categories associated with the one or more distributed learning agents.

16. The apparatus as in claim 10, wherein the process when executed is further operable to: receive traffic data from a first agent; generate a statistical model using the traffic data from the first agent; and use the statistical model to verify whether the traffic data from the first agent is representative of traffic from a second agent.

17. The apparatus as in claim 16, wherein the process when executed is further operable to: request the traffic data from the second agent, in response to a determination that the traffic data from the first agent is not representative of the traffic data from the second agent.

18. The apparatus as in claim 10, wherein the traffic classifier comprises a deep neural network.

19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a supervisory device in a network to execute a process comprising: dynamically discovering, by a supervisory device in a network, a security device that uses traffic signatures to assess traffic in the network; generating, by the supervisory device, a given rule regarding when traffic data from the security device is sent to the supervisory device; receiving, at the supervisory device, the traffic data from the security device based on the given rule; receiving, at the supervisory device, traffic data from one or more distributed learning agents that use machine learning-based anomaly detection to assess traffic in the network; training, by the supervisory device, a traffic classifier using the received traffic data from the security device and from the one or more distributed learning agents; and deploying, by the supervisory device, the traffic classifier to a selected one of the one or more distributed learning agents.

20. The tangible, non-transitory, computer-readable medium as in claim 19, wherein the security device comprises at least one of: a firewall, an intrusion detec
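Claims 7 and 8 (and their apparatus twins 16 and 17) describe a bandwidth-saving check: the supervisory device builds a statistical model from one agent's traffic and only asks a second agent for its data when that model does not represent the second agent's traffic. The claims do not say what the statistical model is. The added example below (written for this page, not taken from the patent) uses one plausible choice: per-feature mean and standard deviation from the first agent, with a z-test on each feature's sample mean for the other agents. The feature names, the 3-sigma threshold and the agent records are all constructed assumptions.

```python
"""Added example for claims 7-8: build a statistical model from one agent's
traffic data and use it to check whether that data represents another agent's
traffic; agents it does not represent get a data request. Illustrative only."""
import math
from statistics import mean, pstdev

FEATURES = ("bytes_per_flow", "pkts_per_sec")
Z_THRESHOLD = 3.0  # assumption: a sample-mean shift beyond 3 standard errors fails the check

def build_statistical_model(records):
    """Per-feature mean and standard deviation of the first agent's traffic."""
    model = {}
    for f in FEATURES:
        vals = [float(r[f]) for r in records]
        model[f] = {"mean": mean(vals), "std": max(pstdev(vals), 1e-9)}
    return model

def representativeness(model, sample):
    """z-test of each feature's sample mean against the model; the sample is
    representative only if every feature stays within Z_THRESHOLD."""
    zs = {}
    for f, stats in model.items():
        vals = [float(r[f]) for r in sample]
        se = stats["std"] / math.sqrt(len(vals))
        zs[f] = abs(mean(vals) - stats["mean"]) / se
    return max(zs.values()) <= Z_THRESHOLD, zs

def plan_data_requests(first_agent_records, other_agent_samples):
    """Agents whose (small) samples the first agent's model fails to represent:
    the supervisory device should request their full traffic data (claim 8)."""
    model = build_statistical_model(first_agent_records)
    return [agent for agent, sample in other_agent_samples.items()
            if not representativeness(model, sample)[0]]

def synth(n, base_bytes, base_pps, k_b, k_p):
    """Constructed, deterministic flow records (not from the patent)."""
    return [{"bytes_per_flow": base_bytes + 10 * ((i * k_b) % 11 - 5),
             "pkts_per_sec": base_pps + 0.5 * ((i * k_p) % 7 - 3)} for i in range(n)]

AGENT_A = synth(20, 500, 10, 7, 3)            # agent whose data builds the model
SAMPLES = {
    "agent-B": synth(20, 500, 10, 5, 2),      # similar office traffic, different jitter
    "agent-C": synth(20, 5000, 200, 5, 2),    # bulk-transfer site: larger flows, higher rate
}

if __name__ == "__main__":
    model = build_statistical_model(AGENT_A)
    for agent, sample in SAMPLES.items():
        ok, zs = representativeness(model, sample)
        print(agent, "representative" if ok else "NOT representative",
              {f: round(z, 2) for f, z in zs.items()})
    print("request full data from:", plan_data_requests(AGENT_A, SAMPLES))
```

A mean-shift test is deliberately cheap, which is the point of the claim (the check runs on a small sample before the expensive transfer), but it is blind to a second agent whose traffic has the same mean and a very different spread; a deployment that cares about that would add a variance or distribution-shape comparison alongside the z-test.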
| Classification | Source |
|---|---|
| Separating internal from external traffic, e.g. firewalls | CPC title |
| Event detection, e.g. attack signature detection | CPC title |
| Evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis (forecasting specially adapted for a specific administrative, business or logistic context: G06Q10/04) | CPC title |
| Physics | mapped topic |
| Denial of Service | CPC title |