Systems and methods for cyber-physical threat modeling
US-11444974-B1 · Sep 13, 2022 · US
US11665194B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11665194-B2 |
| Application number | US-202117395264-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 5, 2021 |
| Priority date | Jun 29, 2016 |
| Publication date | May 30, 2023 |
| Grant date | May 30, 2023 |
Abstract:
In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
Claims:
What is claimed is:

1. A method comprising: monitoring, at an attack detector, network traffic to detect a Distributed Denial of Service (DDoS) attack by applying a machine learning-based attack detection model against one or more attributes of the network traffic; responsive to detection by the attack detector of a potential DDOS attack, transmitting an attack mitigation request to a mitigation server; receiving an automated update message relating to the attack detection model, wherein the automated update message is automatically generated by a remote host in response to a determination that the attack detector incorrectly assessed the network traffic; and using, by the attack detector, data in the received update message to update the attack detection model.
2. The method of claim 1, wherein the data comprises one or more labels associated with the network traffic; and wherein the attack detector uses the data to retrain the attack detection model.
3. The method of claim 1, wherein the data comprises one or more updated parameters for the attack detection model; and wherein the attack detector uses the data to update one or more parameters of the attack detection model.
4. The method of claim 1, wherein the data comprises an indication that the attack detector incorrectly assessed the network traffic.
5. The method of claim 4, wherein the indication is a false positive or a false negative.
6. The method of claim 1, further comprising performing one or more operations at the attack detector to locally mitigate the detected DDOS attack.
7. The method of claim 1, wherein the attack detector is a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) client.
8. The method of claim 1, wherein the mitigation server is a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) server.
9. A tangible, non-transitory computer-readable medium that stores program instructions configured to cause a device hosting an attack detector in a network to execute a process comprising: monitoring, at the attack detector, network traffic to detect a Distributed Denial of Service (DDoS) attack by applying a machine learning-based attack detection model against one or more attributes of the network traffic; responsive to detection by the attack detector of a potential DDOS attack, transmitting an attack mitigation request to a mitigation server; receiving an automated update message relating to the attack detection model, wherein the automated update message is automatically generated by a remote host in response to a determination that the attack detector incorrectly assessed the network traffic; and using, by the attack detector, data in the received update message to update the attack detection model.
10. The tangible, non-transitory computer-readable medium of claim 9, wherein the data comprises one or more labels associated with the network traffic; and wherein the attack detector uses the data to retrain the attack detection model.
11. The tangible, non-transitory computer-readable medium of claim 9, wherein the data comprises one or more updated parameters for the attack detection model; and wherein the attack detector uses the data to update one or more parameters of the attack detection model.
12. The tangible, non-transitory computer-readable medium of claim 9, wherein the data comprises an indication that the attack detector incorrectly assessed the network traffic.
13. The tangible, non-transitory computer-readable medium of claim 12, wherein the indication is a false positive or a false negative.
14. The tangible, non-transitory computer-readable medium of claim 9, further comprising performing one or more operations at the attack detector to locally mitigate the detected DDOS attack.
15. The tangible, non-transitory computer-readable medium of claim 9, wherein the attack detector is a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) client.
16. The tangible, non-transitory computer-readable medium of claim 9, wherein the mitigation server is a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) server.
17. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process that is executable by the processor, the process when executed operable to: monitor network traffic to detect a Distributed Denial of Service (DDoS) attack by applying a machine learning-based attack detection model against one or more attributes of the network traffic; responsive to detection by the attack detector of a potential DDOS attack, transmit an attack mitigation request to a mitigation server; receive an automated update message relating to the attack detection model, wherein the automated update message is automatically generated by a remote host in response to a determination that the apparatus incorrectly assessed the network traffic; and use data in the received update message to update the attack detection model.
18. The apparatus of claim 17, wherein the data comprises one or more labels associated with the network traffic; and wherein the process is further operative to use the data to retrain the attack detection model.
19. The apparatus of claim 17, wherein the data comprises one or more updated parameters for the attack detection model; and wherein the process is further operative to use the data to update one or more parameters of the attack detection model.
20. The apparatus of claim 17, wherein the data comprises an indication that the attack detector incorrectly assessed the network traffic.
21. The apparatus of claim 20, wherein the indication is a false positive or a false negative.
22. The apparatus of claim 17, wherein the process is further operative to perform one or more operations at the attack detector to locally mitigate the detected DDOS attack.
23. The apparatus of claim 17, wherein the process is operative to implement a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) client.
24. The apparatus of claim 17, wherein the mitigation server is a Distributed Denial of Service (DDoS) Open Threat Signaling (DOTS) server.
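The claims describe a closed loop: an attack detector applies a machine-learning model to traffic attributes, sends a mitigation request when it fires, and a remote host that re-assesses the traffic sends back an update message (an indication of a false positive or false negative, plus labels or updated parameters) that the detector uses to retrain. The following Python sketch is an added illustration of that loop and is not code from the patent or from any DOTS implementation. The traffic attributes, the detector's initial weights, the server's rule-based re-assessment and the reference windows it returns are all constructed for the example; the message format is a plain dataclass, not the DOTS wire encoding.

```python
"""Feedback loop between a DDoS attack detector and a mitigation server.

Added illustration, not code from the patent or any DOTS implementation. The
detector (DOTS-client role) scores each traffic window with a small logistic
regression model and sends a mitigation request when it fires. The mitigation
server (DOTS-server role) re-assesses the window and, when the two disagree,
returns an update message carrying an indication (false positive or false
negative) and labelled windows that the detector uses to retrain. All feature
values, initial weights and the server's 'ground truth' rule are constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficWindow:
    """Constructed attributes of one observation window, each scaled to [0, 1]."""
    pps: float          # packets per second, normalised against link capacity
    syn_ratio: float    # share of TCP SYN packets in the window
    src_entropy: float  # spread of source addresses (0 = one source, 1 = uniform)

    def vector(self):
        return [1.0, self.pps, self.syn_ratio, self.src_entropy]  # bias term first


@dataclass
class UpdateMessage:
    """Constructed stand-in for the automated update message of claims 1-5."""
    indication: str      # "false_positive" or "false_negative"
    labels: list         # [(TrafficWindow, 0 or 1), ...] used for retraining


class AttackDetector:
    """DOTS-client side: applies the model, raises requests, consumes updates."""

    def __init__(self, weights, threshold=0.5):
        self.weights = list(weights)
        self.threshold = threshold

    def score(self, window):
        """Logistic-regression probability that the window is attack traffic."""
        z = sum(w * x for w, x in zip(self.weights, window.vector()))
        return 1.0 / (1.0 + math.exp(-z))

    def is_attack(self, window):
        return self.score(window) >= self.threshold

    def apply_update(self, msg, lr=0.5, epochs=500):
        """Retrain by stochastic gradient descent on the labelled windows."""
        for _ in range(epochs):
            for window, label in msg.labels:
                err = self.score(window) - label
                for i, x in enumerate(window.vector()):
                    self.weights[i] -= lr * err * x


class MitigationServer:
    """DOTS-server side: re-assesses traffic, emits an update if the detector erred."""

    def __init__(self, assess, reference):
        self.assess = assess        # callable TrafficWindow -> 0/1 (constructed oracle)
        self.reference = reference  # already-labelled windows shared on retraining

    def handle_request(self, window, detector_verdict):
        truth = self.assess(window)
        if truth == int(detector_verdict):
            return None             # detector was right: mitigate, no model update
        indication = "false_positive" if detector_verdict else "false_negative"
        return UpdateMessage(indication, [(window, truth)] + list(self.reference))


def run_scenario():
    """A benign flash crowd trips a rate-biased model; the update corrects it."""
    flash_crowd = TrafficWindow(pps=0.9, syn_ratio=0.3, src_entropy=0.9)  # benign surge
    syn_flood = TrafficWindow(pps=0.9, syn_ratio=0.9, src_entropy=0.9)    # distributed SYN flood
    quiet = TrafficWindow(pps=0.2, syn_ratio=0.2, src_entropy=0.5)        # ordinary traffic

    # Initial model over-weights packet rate, so it will fire on the flash crowd.
    detector = AttackDetector(weights=[-2.0, 6.0, 1.0, 0.0])
    # Constructed server-side assessment: a flood is a high-rate window dominated by SYNs.
    server = MitigationServer(
        assess=lambda w: int(w.pps > 0.7 and w.syn_ratio > 0.6),
        reference=[(syn_flood, 1), (quiet, 0)],
    )

    flagged = detector.is_attack(flash_crowd)                 # True: a false positive
    msg = server.handle_request(flash_crowd, flagged) if flagged else None
    if msg is not None:
        detector.apply_update(msg)                            # retrain on the labels
    return {
        "flagged_before": flagged,
        "indication": msg.indication if msg else None,
        "flash_crowd_after": detector.is_attack(flash_crowd),
        "syn_flood_after": detector.is_attack(syn_flood),
        "quiet_after": detector.is_attack(quiet),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The update here carries labels (claim 2); the alternative in claim 3, where the message carries updated model parameters, would simply replace `detector.weights` instead of retraining. Only the false-positive path is exercised, because a detector that did not fire sends no request; the false-negative indication of claim 5 presupposes that the remote host assesses traffic the detector let through, which this sketch does not model.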
CPC classifications:

- Detection or countermeasures against botnets
- Denial of Service
- Traffic logging, e.g. anomaly detection
- Machine learning