Dynamic tuning of attack detector performance

US9641542B2 · US · B2

Patent metadata

Publication number: US-9641542-B2
Application number: US-201414336206-A
Country: US
Kind code: B2
Filing date: Jul 21, 2014
Priority date: Jul 21, 2014
Publication date: May 2, 2017
Grant date: May 2, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In one embodiment, a device in a network receives information regarding one or more attack detection service level agreements. The device identifies a set of attack detection classifiers as potential voters in a voting mechanism used to detect a network attack. The device determines one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements. The device adjusts the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: receiving, at a device in a network, information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of: a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism; identifying, by the device, a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack; determining, by the device, one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements; adjusting, by the device, the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and determining, by the device, whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.

2. The method as in claim 1, wherein the one or more parameters for the voting mechanism comprise the set of potential voters, and wherein adjusting the voting mechanism comprises: instructing one or more of the potential voters to participate in the voting mechanism as actual voters.

3. The method as in claim 2, wherein the one or more parameters for the voting mechanism comprises a consensus threshold for the actual voters, wherein a network attack is detected by the voting mechanism if a number of attack votes from the actual voters meets or exceeds the consensus threshold.

4. The method as in claim 1, wherein the one or more parameters for the voting mechanism comprises a sampling period for a particular voter, wherein a vote generated by the particular voter is based on classification of network characteristics sampled by the particular voter during the sampling period.

5. The method as in claim 4, wherein the one or more parameters for the voting mechanism comprises a number of samples of the network characteristics to be obtained by the particular voter during the sampling period.

6. The method as in claim 1, wherein the one or more parameters for the voting mechanism comprises an attack threshold, wherein the particular voter votes that an attack is present when a number of samples from the sampling period that are labeled by the voter as indicative of an attack meets or exceeds the attack threshold.

7. The method as in claim 1, further comprising: in response to a determination that a service level agreement has not been met, determining one or more new parameters for the voting mechanism; and re-adjusting the voting mechanism using the one or more new parameters.

8. The method as in claim 1, further comprising: providing an alert to a network management system in response to a determination that the one or more attack detection service level agreements cannot be met.

9. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: receive information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of: a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism; identify a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack; determine one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements; adjust the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and determine whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.

10. The apparatus as in claim 9, wherein the one or more parameters for the voting mechanism comprise the set of potential voters, and wherein adjusting the voting mechanism comprises: instructing one or more of the potential voters to participate in the voting mechanism as actual voters.

11. The apparatus as in claim 10, wherein the one or more parameters for the voting mechanism comprises a consensus threshold for the actual voters, wherein a network attack is detected by the voting mechanism if a number of attack votes from the actual voters meets or exceeds the consensus threshold.

12. The apparatus as in claim 9, wherein the one or more parameters for the voting mechanism comprises a sampling period for a particular voter, wherein a vote generated by the particular voter is based on classification of network characteristics sampled by the particular voter during the sampling period.

13. The apparatus as in claim 12, wherein the one or more parameters for the voting mechanism comprises a number of samples of the network characteristics to be obtained by the particular voter during the sampling period.

14. The apparatus as in claim 9, wherein the one or more parameters for the voting mechanism comprises an attack threshold, wherein the particular voter votes that an attack is present when a number of samples from the sampling period that are labeled by the voter as indicative of an attack meets or exceeds the attack threshold.

15. The apparatus as in claim 9, wherein the process when executed is further operable to: in response to a determination that a service level agreement has not been met, determine one or more new parameters for the voting mechanism; and re-adjust the voting mechanism using the one or more new parameters.

16. The apparatus as in claim 9, wherein the process when executed is further operable to: provide an alert to a network management system in response to a determination that the one or more attack detection service level agreements cannot be met.

17. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to: receive information regarding one or more attack detection service level agreements for a voting mechanism between attack detection classifiers and used to detect a network attack, wherein the one or more attack detection service level agreements comprise at least one of: a recall threshold for the voting mechanism, a precision threshold for the voting mechanism, or a false positive rate for the voting mechanism; identify a set of attack detection classifiers executed by one or more nodes in the network as potential voters in the voting mechanism used to detect a network attack; determine one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements; adjust the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism; and determine whether the one or more attack detection service level agreements have been met by the adjusted voting mechanism.

18. The computer-readable media as in claim 17, wherein the software when executed by t
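Worked example, added here and not code from the patent or its assignee: a toy Python model of the voting mechanism the claims describe, written to make the tunable parameters concrete. It assumes each potential voter labels a fixed number of samples per sampling period (the length of the label list stands in for the sampling period and sample count of claims 4 and 5), votes "attack" when the count of attack-labelled samples meets the attack threshold (claim 6), and that the device declares an attack when the number of attack votes from the actual voters meets the consensus threshold (claim 3). tune() plays the role of claims 2 and 7, searching voter subsets and thresholds until the SLA on recall, precision and false positive rate is met, and returns None where no setting can meet it, which is where claim 8's alert to the network management system would be raised. The periods, labels and SLA values are constructed sample data, and all function and field names are my own.

```python
"""Toy SLA-driven tuning of a classifier voting mechanism (added example, not the patent's code)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple

# One sampling period: (ground truth "attack?", per-potential-voter sample labels).
# A label of 1 means the voter judged that sample indicative of an attack, 0 benign.
Period = Tuple[bool, List[List[int]]]


@dataclass(frozen=True)
class VotingParams:
    actual_voters: Tuple[int, ...]  # subset of potential voters instructed to vote (claim 2)
    consensus_threshold: int        # attack declared if attack votes >= this (claim 3)
    attack_threshold: int           # voter votes "attack" if attack-labelled samples >= this (claim 6)


def voter_votes_attack(labels: Sequence[int], attack_threshold: int) -> bool:
    """A single voter's vote for one sampling period."""
    return sum(labels) >= attack_threshold


def attack_detected(labels_per_voter: List[List[int]], p: VotingParams) -> bool:
    """The device's decision: count attack votes from the actual voters only."""
    attack_votes = sum(
        voter_votes_attack(labels_per_voter[v], p.attack_threshold) for v in p.actual_voters
    )
    return attack_votes >= p.consensus_threshold


def evaluate(periods: List[Period], p: VotingParams) -> Dict[str, float]:
    """Recall, precision and false positive rate of the voting mechanism over labelled periods."""
    tp = fp = fn = tn = 0
    for truth, labels in periods:
        decision = attack_detected(labels, p)
        if decision and truth:
            tp += 1
        elif decision and not truth:
            fp += 1
        elif truth:
            fn += 1
        else:
            tn += 1

    def ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    return {"recall": ratio(tp, tp + fn), "precision": ratio(tp, tp + fp), "fpr": ratio(fp, fp + tn)}


def sla_met(metrics: Dict[str, float], sla: Dict[str, float]) -> bool:
    """An SLA may state any subset of the three thresholds; missing ones are not constrained."""
    return (metrics["recall"] >= sla.get("recall", 0.0)
            and metrics["precision"] >= sla.get("precision", 0.0)
            and metrics["fpr"] <= sla.get("fpr", 1.0))


def tune(periods: List[Period], n_potential_voters: int, n_samples: int,
         sla: Dict[str, float]) -> Optional[VotingParams]:
    """Exhaustively re-adjust voter subset, consensus and attack thresholds until the SLA is met.
    Returns None when no parameter choice satisfies the SLA (the 'cannot be met' case)."""
    for size in range(1, n_potential_voters + 1):
        for voters in combinations(range(n_potential_voters), size):
            for consensus in range(1, size + 1):
                for thr in range(1, n_samples + 1):
                    params = VotingParams(voters, consensus, thr)
                    if sla_met(evaluate(periods, params), sla):
                        return params
    return None


# Constructed sample data: 3 potential voters, 4 samples per period, 3 attack and 3 benign periods.
PERIODS: List[Period] = [
    (True,  [[1, 1, 1, 0], [1, 1, 0, 0], [1, 0, 0, 0]]),
    (True,  [[1, 1, 0, 0], [1, 1, 1, 0], [0, 1, 0, 0]]),
    (True,  [[1, 0, 1, 1], [0, 1, 0, 0], [1, 1, 0, 0]]),
    (False, [[1, 0, 0, 0], [0, 0, 0, 0], [0, 1, 0, 0]]),
    (False, [[0, 1, 0, 0], [1, 0, 0, 0], [0, 0, 0, 0]]),
    (False, [[1, 1, 0, 0], [0, 0, 0, 0], [1, 0, 0, 0]]),
]
# A benign period in which every voter flags three samples: indistinguishable from the attacks above.
NOISY_PERIODS: List[Period] = PERIODS + [(False, [[1, 1, 1, 0], [1, 1, 1, 0], [1, 1, 1, 0]])]

SLA = {"recall": 0.9, "precision": 0.9, "fpr": 0.1}            # constructed SLA values
STRICT_SLA = {"recall": 1.0, "precision": 1.0, "fpr": 0.0}     # cannot be met on NOISY_PERIODS

if __name__ == "__main__":
    chosen = tune(PERIODS, n_potential_voters=3, n_samples=4, sla=SLA)
    print("adjusted voting mechanism:", chosen, evaluate(PERIODS, chosen))
    if tune(NOISY_PERIODS, 3, 4, STRICT_SLA) is None:
        print("ALERT to network management system: strict SLA cannot be met")
```

On the constructed data the search settles on two of the three voters with a per-voter attack threshold of 3 and a consensus of 1, which is worth noticing: the third, weakest classifier is simply left out rather than diluting the vote. The search is exhaustive and only suitable for a handful of voters; a real device would evaluate candidate parameters on a rolling window of labelled periods and re-run the adjustment when a later evaluation shows the SLA slipping.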

Assignees

Cisco Tech Inc

Inventors

Classifications

  • Denial of Service · CPC title

  • Event detection, e.g. attack signature detection · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9641542B2 cover?
In one embodiment, a device in a network receives information regarding one or more attack detection service level agreements. The device identifies a set of attack detection classifiers as potential voters in a voting mechanism used to detect a network attack. The device determines one or more parameters for the voting mechanism based on the information regarding the one or more attack detecti…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 2, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).