US10659484B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10659484-B2 |
| Application number | US-201815898915-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 19, 2018 |
| Priority date | Feb 19, 2018 |
| Publication date | May 19, 2020 |
| Grant date | May 19, 2020 |
Abstract
In one embodiment, a centralized controller maintains a plurality of hierarchical behavioral modules of a behavioral model, and distributes initial behavioral modules to data plane entities to cause them to apply the initial behavioral modules to data plane traffic. The centralized controller may then receive data from a particular data plane entity based on its having applied the initial behavioral modules to its data plane traffic. The centralized controller then distributes subsequent behavioral modules to the particular data plane entity to cause it to apply the subsequent behavioral modules to the data plane traffic, the subsequent behavioral modules selected based on the previously received data from the particular data plane entity. The centralized controller may then iteratively receive data from the particular data plane entity and distribute subsequently selected behavioral modules until an attack determination is made on the data plane traffic of the particular data plane entity.
Claims
What is claimed is:

1. A method, comprising: maintaining, by a centralized controller in a computer network, a plurality of hierarchical behavioral modules of a behavioral model; distributing, by the centralized controller, one or more initial behavioral modules of the plurality of hierarchical behavioral modules to one or more data plane entities to cause the one or more data plane entities to apply the one or more initial behavioral modules to data plane traffic at the respective data plane entities; receiving, by the centralized controller, data from a particular data plane entity of the one or more data plane entities based on the particular data plane entity applying the initial behavioral modules to data plane traffic at the particular data plane entity; distributing, by the centralized controller, one or more subsequent behavioral modules of the plurality of hierarchical behavioral modules to the particular data plane entity to cause the particular data plane entity to apply the one or more subsequent behavioral modules to the data plane traffic, the one or more subsequent behavioral modules selected based on the previously received data from the particular data plane entity; and iteratively receiving data from the particular data plane entity based on the particular data plane entity applying the subsequent behavioral modules to the data plane traffic and distributing subsequently selected behavioral modules of the plurality of hierarchical behavioral modules to the particular data plane entity, by the centralized controller, until an attack determination is made on the data plane traffic of the particular data plane entity.
2. The method as in claim 1, wherein subsequent behavioral modules are increasingly more complex than previous behavioral modules.
3. The method as in claim 1, wherein the received data is selected from a group consisting of: raw traffic data; filtered traffic data; and pre-processed data.
4. The method as in claim 1, further comprising: making the attack determination by the centralized controller.
5. The method as in claim 1, wherein the particular data plane entity deactivates all behavioral modules except the initial behavioral modules in response to the attack determination being made.
6. The method as in claim 1, wherein the one or more initial behavioral modules comprise a traffic volume module.
7. The method as in claim 1, further comprising: receiving input from a behavioral learning backend.
8. A tangible, non-transitory, computer-readable medium storing program instructions that cause a computer to execute a process comprising: maintaining a plurality of hierarchical behavioral modules of a behavioral model; distributing one or more initial behavioral modules of the plurality of hierarchical behavioral modules to one or more data plane entities to cause the one or more data plane entities to apply the one or more initial behavioral modules to data plane traffic at the respective data plane entities; receiving data from a particular data plane entity of the one or more data plane entities based on the particular data plane entity applying the initial behavioral modules to data plane traffic at the particular data plane entity; distributing one or more subsequent behavioral modules of the plurality of hierarchical behavioral modules to the particular data plane entity to cause the particular data plane entity to apply the one or more subsequent behavioral modules to the data plane traffic, the one or more subsequent behavioral modules selected based on the previously received data from the particular data plane entity; and iteratively receiving data from the particular data plane entity based on the particular data plane entity applying the subsequent behavioral modules to the data plane traffic and distributing subsequently selected behavioral modules of the plurality of hierarchical behavioral modules to the particular data plane entity until an attack determination is made on the data plane traffic of the particular data plane entity.
9. The computer-readable medium as in claim 8, wherein subsequent behavioral modules are increasingly more complex than previous behavioral modules.
10. The computer-readable medium as in claim 8, wherein the received data is selected from a group consisting of: raw traffic data; filtered traffic data; and pre-processed data.
11. The computer-readable medium as in claim 8, wherein the process further comprises: making the attack determination.
12. The computer-readable medium as in claim 8, wherein the particular data plane entity deactivates all behavioral modules except the initial behavioral modules in response to the attack determination being made.
13. The computer-readable medium as in claim 8, wherein the one or more initial behavioral modules comprise a traffic volume module.
14. The computer-readable medium as in claim 8, wherein the process further comprises: receiving input from a behavioral learning backend.
15. A method, comprising: receiving, by a data plane entity in a computer network, one or more initial behavioral modules of a plurality of hierarchical behavioral modules of a behavioral model from a centralized controller; applying, by the data plane entity, the one or more initial behavioral modules to data plane traffic at the data plane entity; sending, by the data plane entity, data to the centralized controller based on applying the one or more initial behavioral modules to the data plane traffic at the data plane entity to cause the centralized controller to distribute one or more subsequent behavioral modules of the plurality of hierarchical behavioral modules to the data plane entity, the one or more subsequent behavioral modules selected based on received data from the data plane entity; and iteratively receiving the one or more subsequent behavioral modules, applying the one or more subsequent behavioral modules to the data plane traffic, and sending data to the centralized controller based on applying the one or more subsequent behavioral modules to the data plane traffic, by the data plane entity, until an attack determination is made on the data plane traffic of the particular data plane entity.
16. The method as in claim 15, wherein subsequent behavioral modules are increasingly more complex than previous behavioral modules.
17. The method as in claim 15, wherein the sent data is selected from a group consisting of: raw traffic data; filtered traffic data; and pre-processed data.
18. The method as in claim 15, further comprising: making the attack determination by the data plane entity.
19. The method as in claim 15, further comprising: deactivating all behavioral modules except the initial behavioral modules in response to the attack determination being made.
20. The method as in claim 15, wherein the data plane entity is selected from a group consisting of: a router; a switch; an access point; a firewall; a server; and a host computer.
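The abstract and claims describe a control loop rather than any particular detector: a controller keeps a hierarchy of behavioral modules, pushes only a cheap initial module (claim 6 names a traffic volume module) to each data plane entity, and escalates to more complex modules (claim 2) on one entity only when that entity's reported data warrants it, until an attack determination is made; the entity then drops back to the initial module (claims 5 and 19). The simulation below is an added example written for this page, not code from the patent or its assignee. The three modules, their thresholds, the dict-shaped reports and the flow records are all constructed for illustration; the patent does not specify them.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One constructed flow record as seen at a data plane entity."""
    src: str
    dst: str
    dport: int
    nbytes: int


# Assumed module hierarchy. Level 0 is the cheap, always-on initial module;
# each higher level costs more and is only pushed down once the previous
# level's report warrants it.
def traffic_volume(flows):
    return {"level": 0, "nbytes": sum(f.nbytes for f in flows), "flows": len(flows)}


def top_talkers(flows):
    by_src = Counter()
    for f in flows:
        by_src[f.src] += f.nbytes
    return {"level": 1, "top_src": by_src.most_common(3)}


def port_spread(flows):
    ports = {}
    for f in flows:
        ports.setdefault(f.src, set()).add(f.dport)
    return {"level": 2, "ports_per_src": {s: len(p) for s, p in ports.items()}}


HIERARCHY = [traffic_volume, top_talkers, port_spread]


class DataPlaneEntity:
    """Router/switch/host side: applies whatever modules the controller sent."""

    def __init__(self, name, flows):
        self.name = name
        self.flows = flows
        self.active = [HIERARCHY[0]]          # only the initial module at start

    def report(self):
        # Pre-processed output of every active module goes back to the controller.
        return [module(self.flows) for module in self.active]

    def activate(self, module):
        if module not in self.active:
            self.active.append(module)

    def reset(self):
        # After a determination, keep nothing but the initial module.
        self.active = [HIERARCHY[0]]


class Controller:
    """Centralized controller: picks the next module from the received data."""

    def __init__(self, volume_threshold=10_000, talker_share=0.5, port_threshold=20):
        self.volume_threshold = volume_threshold   # assumed thresholds
        self.talker_share = talker_share
        self.port_threshold = port_threshold

    def select_next(self, report):
        """Next, more complex module to distribute, or None if nothing warrants it."""
        latest = report[-1]
        if latest["level"] == 0 and latest["nbytes"] > self.volume_threshold:
            return HIERARCHY[1]
        if latest["level"] == 1 and latest["top_src"]:
            _, top_bytes = latest["top_src"][0]
            if top_bytes / report[0]["nbytes"] >= self.talker_share:
                return HIERARCHY[2]
        return None

    def determine(self, report):
        """('attack', suspects) or ('benign', []) once the top level has reported."""
        latest = report[-1]
        if latest["level"] == 2:
            suspects = sorted(s for s, n in latest["ports_per_src"].items()
                              if n >= self.port_threshold)
            return ("attack", suspects) if suspects else ("benign", [])
        return None

    def analyze(self, entity, max_rounds=len(HIERARCHY) + 1):
        """One receive/decide/distribute loop per round until a determination."""
        rounds = []
        for _ in range(max_rounds):
            report = entity.report()
            rounds.append([m.__name__ for m in entity.active])
            verdict = self.determine(report)
            if verdict is None:
                nxt = self.select_next(report)
                if nxt is not None:
                    entity.activate(nxt)
                    continue
                verdict = ("benign", [])       # no level warranted escalation
            entity.reset()
            return verdict, rounds
        entity.reset()
        return ("undetermined", []), rounds


def constructed_entities():
    """Constructed flow records for two entities (not data from the patent)."""
    benign = [Flow("10.0.1.2", "192.0.2.10", 443, 1200),
              Flow("10.0.1.3", "192.0.2.11", 80, 800),
              Flow("10.0.1.4", "192.0.2.12", 443, 950)]
    scanning = [Flow("10.0.0.5", "192.0.2.20", port, 600) for port in range(20, 60)]
    scanning += [Flow("10.0.0.9", "192.0.2.21", 443, 1500)] * 2
    return DataPlaneEntity("edge-router-1", benign), DataPlaneEntity("switch-7", scanning)


def run_example():
    ctrl = Controller()
    results = {}
    for entity in constructed_entities():
        verdict, rounds = ctrl.analyze(entity)
        results[entity.name] = (verdict, rounds, [m.__name__ for m in entity.active])
    return results


if __name__ == "__main__":
    for name, (verdict, rounds, active) in run_example().items():
        print(f"{name}: {verdict} after {len(rounds)} round(s); active now {active}")
```

The point to take from the run is the asymmetry the claims are after: the quiet entity is cleared after a single round with only the volume module ever active, while the noisy entity is escalated one level per round, is named as an attack only after the most expensive module has reported, and ends the exchange back at the initial module alone. In a real deployment the controller's selection logic (here three fixed thresholds) would be the part fed by the behavioral learning backend of claims 7 and 14.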
CPC classification titles:

- Traffic logging, e.g. anomaly detection
- involving simulating, designing, planning or modelling of a network
- Denial of service attacks against network infrastructure
- Machine learning
- Detection or countermeasures against botnets