Processing Of Finite Automata Based On Memory Hierarchy
US-2015293846-A1 · Oct 15, 2015 · US
US9674207B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9674207-B2 |
| Application number | US-201414338794-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 23, 2014 |
| Priority date | Jul 23, 2014 |
| Publication date | Jun 6, 2017 |
| Grant date | Jun 6, 2017 |
Abstract
In one embodiment, a device in a network identifies a set of traffic flow records that triggered an attack detector. The device selects a subset of the traffic flow records and calculates aggregated metrics for the subset. The device provides the aggregated metrics for the subset to the attack detector to generate an attack detection determination for the subset of traffic flow records. The device identifies one or more attack traffic flows from the set of traffic flow records based on the attack detection determination for the subset of traffic flow records.
Claims
What is claimed is:

1. A method, comprising: identifying, by a device in a network, a set of traffic flow records that triggered an attack detector to detect a network attack; applying, by the device, clustering to the set of traffic flow records to form non-overlapping clusters of the traffic flow records in the set of traffic flow records; iteratively analyzing the set of traffic flow records by: selecting, by the device, a subset of the set of traffic flow records as a combination of one or more of the non-overlapping clusters of the traffic flow records; calculating, by the device, aggregated metrics for the selected subset of the set of traffic flow records, wherein the aggregated metrics comprise one or more statistics regarding network traffic flows associated with the traffic flow records in the selected subset of the set of traffic flow records; and providing, by the device, the aggregated metrics for the selected subset of the set of traffic flow records to the attack detector, to generate an attack detection determination for the subset of the set of traffic flow records, wherein the device repeats the selecting, calculating, and providing, to generate attack detection determinations for different combinations of the non-overlapping clusters of the traffic flow records until a convergence criterion is met; wherein the convergence criterion corresponds to the attack detector determining that a particular combination of the non-overlapping clusters of the traffic flow records does not trigger the attack detector to detect the network attack; wherein the non-overlapping clusters of the traffic flow records are formed based on one or more of: flow durations indicated by the traffic flow records, flow sizes indicated by the traffic flow records, application types indicated by the traffic flow records, or statistical properties of the traffic flow records; and identifying, by the device, one or more attack traffic flows from the set of traffic flow records based in part on the attack detection determination for the subset of the set of traffic flow records.

2. The method as in claim 1, wherein the particular combination of the non-overlapping clusters of the traffic flow records comprises a maximal number of the non-overlapping clusters of the traffic flow records that does not trigger the attack detector to detect the network attack.

3. The method as in claim 1, further comprising: associating anomaly scores with the non-overlapping clusters of the traffic flow records, wherein the subset of the set of traffic flow records is selected based in part on the anomaly scores associated with the combination of the one or more non-overlapping clusters of the traffic flow records.

4. The method as in claim 3, wherein selecting the subset of the set of traffic flow records comprises: excluding a particular one of the non-overlapping clusters of the traffic flow records from the selected subset of the set of traffic flow records based on the anomaly score associated with the particular one of the non-overlapping clusters of the traffic flow records.

5. The method as in claim 1, wherein the different combinations of the non-overlapping clusters of the traffic flow records vary in quantity.

6. The method as in claim 1, further comprising: executing the attack detector on the device.

7. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: identify a set of traffic flow records that triggered an attack detector to detect a network attack; apply clustering to the set of traffic flow records to form non-overlapping clusters of the traffic flow records in the set of traffic flow records; iteratively analyze the set of traffic flow records by: selecting a subset of the set of traffic flow records as a combination of one or more of the non-overlapping clusters of the traffic flow records; calculating aggregated metrics for the selected subset of the set of traffic flow records, wherein the aggregated metrics comprise one or more statistics regarding network traffic flows associated with the traffic flow records in the selected subset of the set of traffic flow records; and providing the aggregated metrics for the selected subset of the set of traffic flow records to the attack detector to generate an attack detection determination for the subset of the set of traffic flow records, wherein the apparatus repeats the selecting, calculating, and providing, to generate attack detection determinations for different combinations of the non-overlapping clusters of the traffic flow records until a convergence criterion is met; wherein the convergence criterion corresponds to the attack detector determining that a particular combination of the non-overlapping clusters of the traffic flow records does not trigger the attack detector to detect the network attack; wherein the non-overlapping clusters of the traffic flow records are formed based on one or more of: flow durations indicated by the traffic flow records, flow sizes indicated by the traffic flow records, application types indicated by the traffic flow records, or statistical properties of the traffic flow records; and identify one or more attack traffic flows from the set of traffic flow records based in part on the attack detection determination for the subset of the set of traffic flow records.

8. The apparatus as in claim 7, wherein the particular combination of the non-overlapping clusters of the traffic flow records comprises a maximal number of the non-overlapping clusters of the traffic flow records that does not trigger the attack detector to detect the network attack.

9. The apparatus as in claim 7, wherein the process when executed is further operable to: associate anomaly scores with the non-overlapping clusters of the traffic flow records, wherein the subset of the set of traffic flow records is selected based in part on the anomaly scores associated with the combination of the one or more non-overlapping clusters of the traffic records.

10. The method as in claim 9, wherein the subset of the set of traffic flow records is selected by: excluding a particular one of the non-overlapping clusters of the traffic flow records from the selected subset of the set of traffic flow records based on the anomaly score associated with the particular one of the non-overlapping clusters of the traffic flow records.

11. The apparatus as in claim 7, wherein the different combinations of the non-overlapping clusters of the traffic flow records vary in quantity.

12. The apparatus as in claim 7, wherein the process when executed is further operable to: execute the attack detector on the apparatus.

13. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to: identify a set of traffic flow records that triggered an attack detector to detect a network attack; apply clustering to the set of traffic flow records to form non-overlapping clusters of the traffic flow records in the set of traffic flow records; iteratively analyze the set of traffic flow records by: selecting a subset of the set of traffic flow records as a combination of one or more of the non-overlapping clusters of the traffic flow records; calculating aggregated metrics for the subset of the traffic flow records, wherein the aggregated metrics comprise one or more statistics regarding network traffic
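The iteration in claims 1 through 5 is easier to follow as code. The following is an added example, not code from the patent or its assignee: it simulates a black-box attack detector that has fired on a set of flow records, partitions the records into non-overlapping clusters on application type and a coarse flow-size bucket (two of the clustering criteria claim 1 lists), scores each cluster, and then drops the most anomalous cluster per round until the aggregated metrics of the remaining combination no longer trigger the detector (the convergence criterion). Flows in the dropped clusters are reported as the attack flows. The flow records, the detector rule (many flows with a small median size), the clustering key and the anomaly score are all constructed for this illustration; the patent specifies none of them.

```python
"""Toy simulation of cluster-based attack-flow isolation (added example).

Everything below -- the flow records, the detector rule, the clustering key
and the anomaly score -- is constructed for illustration and is not taken
from the patent.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import chain
from statistics import mean, median


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    app: str           # application type reported by the flow exporter
    size_bytes: int    # flow size
    duration: float    # seconds


def aggregated_metrics(records):
    """Statistics over a set of flow records: the 'aggregated metrics' that
    the claims hand to the attack detector."""
    n = len(records)
    sizes = [r.size_bytes for r in records]
    return {
        "flow_count": n,
        "total_bytes": sum(sizes),
        "mean_bytes_per_flow": mean(sizes) if n else 0.0,
        "median_bytes_per_flow": median(sizes) if n else 0.0,
        "mean_duration": mean(r.duration for r in records) if n else 0.0,
    }


def attack_detector(metrics, min_flows=20, max_median_bytes=300):
    """Constructed detector: a flood of many tiny flows triggers it.  The
    claims treat the detector as a black box, so any rule would do here."""
    return (metrics["flow_count"] >= min_flows
            and metrics["median_bytes_per_flow"] < max_median_bytes)


def cluster_records(records):
    """Partition records into non-overlapping clusters keyed on application
    type and a coarse flow-size bucket (two of the criteria in claim 1)."""
    clusters = defaultdict(list)
    for r in records:
        size_bucket = "small" if r.size_bytes < 500 else "large"
        clusters[(r.app, size_bucket)].append(r)
    return dict(clusters)


def anomaly_score(cluster):
    """Constructed per-cluster score (claim 3): many flows with a small mean
    size score high."""
    m = aggregated_metrics(cluster)
    return m["flow_count"] / (m["mean_bytes_per_flow"] + 1.0)


def isolate_attack_flows(records, detector=attack_detector):
    """Greedy form of the iteration in claims 1-5.

    Start from every cluster; while the detector still fires on the selected
    combination, exclude the highest-scoring remaining cluster (claim 4) and
    re-evaluate, so successive combinations shrink in quantity (claim 5).
    Convergence is the first combination that does not trigger the detector.
    Returns (attack_flows, kept_cluster_keys, rounds).
    """
    clusters = cluster_records(records)
    scores = {k: anomaly_score(v) for k, v in clusters.items()}
    selected = sorted(clusters, key=scores.get)    # lowest score first
    excluded = []
    rounds = 0
    while selected:
        rounds += 1
        subset = list(chain.from_iterable(clusters[k] for k in selected))
        if not detector(aggregated_metrics(subset)):
            break                                   # convergence criterion met
        excluded.append(selected.pop())             # drop most anomalous cluster
    attack_flows = [r for k in excluded for r in clusters[k]]
    return attack_flows, selected, rounds


def constructed_records():
    """Sample flow records (constructed): 10 normal web flows, 5 video flows,
    and 40 tiny DNS flows from one source that together form a flood."""
    normal = [FlowRecord("10.0.0.%d" % i, "203.0.113.10", "http", 4000 + 100 * i, 2.0)
              for i in range(10)]
    video = [FlowRecord("10.0.0.%d" % i, "203.0.113.20", "video", 900000, 60.0)
             for i in range(5)]
    flood = [FlowRecord("10.0.0.99", "203.0.113.53", "dns", 60, 0.01)
             for _ in range(40)]
    return normal + video + flood


if __name__ == "__main__":
    recs = constructed_records()
    assert attack_detector(aggregated_metrics(recs))   # the full set triggered it
    attack, kept, rounds = isolate_attack_flows(recs)
    print(f"{len(attack)} attack flows isolated in {rounds} rounds; kept clusters: {kept}")
```

The greedy order (drop the highest anomaly score first) is one way to reach the "maximal number of clusters that does not trigger the detector" of claim 2; with a handful of clusters an exhaustive search over combinations by decreasing size would give the same guarantee exactly, and the detector call is the only part that needs to change to plug in a real one.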
CPC classifications:
by monitoring network traffic (monitoring network traffic per se H04L43/00)
Event detection, e.g. attack signature detection
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)
Denial of Service