US20160028755A1 - Traffic segregation in ddos attack architecture - Google Patents


Info

Publication number
US20160028755A1
Authority
US
United States
Prior art keywords
machine learning
nodes
attack detection
attack
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US14/339,255
Other versions
US9231965B1 (en)
Inventor
Jean-Philippe Vasseur
Andrea Di Pietro
Javier Cruz Mota
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Application filed by Cisco Technology Inc
Priority to US14/339,255 (granted as US9231965B1)
Assigned to Cisco Technology, Inc.; assignors: Javier Cruz Mota, Andrea Di Pietro, Jean-Philippe Vasseur
Publication of US9231965B1 and US20160028755A1
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G06N3/08 Learning methods

Definitions

  • the present disclosure relates generally to computer networks, and, more particularly, to traffic segregation in a DDoS attack architecture.
  • Enterprise networks are carrying a very fast growing volume of both business and non-business critical traffic.
  • business applications such as video collaboration, cloud applications, etc.
  • HTTP hypertext transfer protocol
  • HTTPS HTTP secure
  • DoS Denial of Service
  • a DoS jamming attack may artificially introduce interference into the network, thereby causing collisions with legitimate traffic and preventing message decoding.
  • a DoS attack may attempt to overwhelm the network's resources by flooding the network with requests, to prevent legitimate requests from being processed.
  • a DoS attack may also be distributed, to conceal the presence of the attack.
  • a distributed DoS (DDoS) attack may involve multiple attackers sending malicious requests, making it more difficult to distinguish when an attack is underway.
  • the detection of DoS attacks is particularly challenging when network resources are limited, such as in the case of a low power and lossy network (LLN).
  • LLN low power and lossy network
  • FIG. 1 illustrates an example communication network
  • FIG. 2 illustrates an example network device/node
  • FIGS. 3A-3B illustrate an example of a network attack being detected
  • FIG. 4 illustrates an example diagrammatic representation of a DoS attack detection and mitigation architecture
  • FIG. 5 illustrates an example diagrammatic representation of discovering collaborative group node candidates
  • FIG. 6 illustrates an example diagrammatic representation of a collaborative group selection announcement
  • FIG. 7 illustrates an example diagrammatic representation of a collaborative flagging process
  • FIG. 8 illustrates an example simplified procedure for participating in a collaborative attack detection and mitigation group
  • FIG. 9 illustrates an example simplified procedure for determining a collaborative attack detection and mitigation group.
  • a particular node in a network determines information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system.
  • the particular node may send a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information.
  • the particular node receives an indication that it is a member of a collaborative group of nodes along with one or more other nodes in the network based on the capabilities of the local machine learning attack detection and mitigation system (local to the particular node) being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
  • in response to an attack being detected by the local machine learning attack detection and mitigation system, the particular node provides to the collaborative group of nodes an indication of attack data flows identified as corresponding to the attack.
  • the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes are enabled to assist the particular node in mitigating the attack.
  • a centralized entity node in a network receives messages from a plurality of nodes in the network indicating capabilities of a machine learning attack detection and mitigation system local to each respective node.
  • the centralized entity node computes a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another.
  • the machine learning attack detection and mitigation systems local to the collaborative group of nodes are enabled to assist one another in mitigating attacks in the network.
  • the centralized entity node sends a message to the collaborative group of nodes identifying each node that is a member within the collaborative group of nodes.
  • a computer network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc.
  • LANs local area networks
  • WANs wide area networks
  • LANs typically connect the nodes over dedicated private communications links located in the same general physical location, such as a building or campus.
  • WANs typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), synchronous digital hierarchy (SDH) links, or Powerline Communications (PLC) such as IEEE 61334, IEEE P1901.2, and others.
  • SONET synchronous optical networks
  • SDH synchronous digital hierarchy
  • PLC Powerline Communications
  • a Mobile Ad-Hoc Network is a kind of wireless ad-hoc network, which is generally considered a self-configuring network of mobile routers (and associated hosts) connected by wireless links, the union of which forms an arbitrary topology.
  • Smart object networks, such as sensor networks in particular, are a specific type of network having spatially distributed autonomous devices such as sensors, actuators, etc., that cooperatively monitor physical or environmental conditions at different locations, such as, e.g., energy/power consumption, resource consumption (e.g., water/gas/etc. for advanced metering infrastructure or “AMI” applications), temperature, pressure, vibration, sound, radiation, motion, pollutants, etc.
  • Other types of smart objects include actuators, e.g., responsible for turning on/off an engine or performing any other actions.
  • Sensor networks, a type of smart object network, are typically shared-media networks, such as wireless or PLC networks.
  • each sensor device (node) in a sensor network may generally be equipped with a radio transceiver or other communication port such as PLC, a microcontroller, and an energy source, such as a battery.
  • smart object networks are considered field area networks (FANs), neighborhood area networks (NANs), etc.
  • FANs field area networks
  • NANs neighborhood area networks
  • size and cost constraints on smart object nodes result in corresponding constraints on resources such as energy, memory, computational speed and bandwidth.
  • FIG. 1 is a schematic block diagram of an example computer system 100 illustratively comprising one or more server(s)/controller(s) 102 and one or more nodes/devices 104 (e.g., a first through nth node/device) that are interconnected by various methods of communication.
  • links 105 may be wired links or shared media (e.g., wireless links, PLC links, etc.) that illustratively form a network 110 .
  • any number of nodes, devices, links, etc. may be used in computer system 100 , and that the view shown herein is for simplicity.
  • system 100 is merely an example illustration that is not meant to limit the disclosure.
  • server(s)/controller(s) 102 provide some form of control over nodes/devices 104 and, more generally, over the operation of network 110 .
  • servers/controllers 102 may include, but are not limited to, path computation engines (PCEs), network controllers, network management systems (NMSs), policy engines, reporting mechanisms, or any other form of device or system that provides some degree of global or localized control over other devices in the network.
  • Nodes/devices 104 may include any form of networking device used to generate, forward, receive, etc., traffic within network 110 .
  • nodes/devices 104 may include, but are not limited to, routers, switches, computers, or the like.
  • Data packets may be exchanged among the nodes/devices of the computer system 100 using predefined network communication protocols such as certain known wired protocols, wireless protocols (e.g., IEEE Std. 802.15.4, WiFi, Bluetooth®, etc.), PLC protocols, or other shared-media protocols where appropriate.
  • a protocol consists of a set of rules defining how the nodes interact with each other.
  • network 110 may be or may include a WAN, LAN, service provider network, customer edge network, multi-protocol label switched (MPLS) network, IP network, wireless network, mesh network, shared media network, virtual private network (VPN), or any other form of computing network.
  • network 110 may be, or may include, a Low Power and Lossy Network (LLN).
  • a number of challenges in LLNs have been presented, such as:
  • Links are generally lossy, such that a Packet Delivery Rate/Ratio (PDR) can dramatically vary due to various sources of interferences, e.g., considerably affecting the bit error rate (BER);
  • Links are generally low bandwidth, such that control plane traffic must generally be bounded and negligible compared to the low rate data traffic;
  • Constraint-routing may be required by some applications, e.g., to establish routing paths that will avoid non-encrypted links, nodes running low on energy, etc.;
  • Scale of the networks may become very large, e.g., on the order of several thousands to millions of nodes;
  • Nodes may be constrained with a low memory, a reduced processing capability, a low power supply (e.g., battery).
  • LLNs are a class of network in which both the routers and their interconnections are constrained: LLN routers typically operate with constraints, e.g., processing power, memory, and/or energy (battery), and their interconnections are characterized by, illustratively, high loss rates, low data rates, and/or instability.
  • LLNs are comprised of anything from a few dozen and up to thousands or even millions of LLN routers, and support point-to-point traffic (between devices inside the LLN), point-to-multipoint traffic (from a central control point to a subset of devices inside the LLN) and multipoint-to-point traffic (from devices inside the LLN towards a central control point).
  • An example implementation of LLNs is an “Internet of Things” network.
  • IoT Internet of Things
  • IoT may be used by those in the art to refer to uniquely identifiable objects (things) and their virtual representations in a network-based architecture.
  • objects in general, such as lights, appliances, vehicles, HVAC (heating, ventilating, and air-conditioning), windows and window shades and blinds, doors, locks, etc.
  • the “Internet of Things” thus generally refers to the interconnection of objects (e.g., smart objects), such as sensors and actuators, over a computer network (e.g., IP), which may be the Public Internet or a private network.
  • Such devices have been used in the industry for decades, usually in the form of non-IP or proprietary protocols that are connected to IP networks by way of protocol translation gateways.
  • applications such as the smart grid, smart cities, and building and industrial automation, and cars (e.g., that can interconnect millions of objects for sensing things like power quality, tire pressure, and temperature and that can actuate engines and lights), it has been of the utmost importance to extend the IP protocol suite for these networks.
  • FIG. 2 is a schematic block diagram of an example node/device 200 (e.g., a server/controller 102 , a node/device 104 , etc.) that may be used with one or more embodiments described herein, e.g., as any of the devices shown in FIG. 1 above.
  • the device may comprise one or more network interfaces 210 (e.g., wired, wireless, PLC, etc.), at least one processor 220 , and a memory 240 interconnected by a system bus 250 , as well as a power supply 260 (e.g., battery, plug-in, etc.).
  • the network interface(s) 210 include the mechanical, electrical, and signaling circuitry for communicating data over links 105 coupled to the network 100 .
  • the network interfaces may be configured to transmit and/or receive data using a variety of different communication protocols.
  • the nodes may have two different types of network connections 210 , e.g., wireless and wired/physical connections, and that the view herein is merely for illustration.
  • While the network interface 210 is shown separately from power supply 260, for PLC the network interface 210 may communicate through the power supply 260, or may be an integral component of the power supply. In some specific configurations the PLC signal may be coupled to the power line feeding into the power supply.
  • the memory 240 comprises a plurality of storage locations that are addressable by the processor 220 and the network interfaces 210 for storing software programs and data structures associated with the embodiments described herein. Note that certain devices may have limited memory or no memory (e.g., no memory for storage other than for programs/processes operating on the device and associated caches).
  • the processor 220 may comprise hardware elements or hardware logic adapted to execute the software programs and manipulate the data structures 245 .
  • An operating system 242 portions of which are typically resident in memory 240 and executed by the processor, functionally organizes the device by, inter alia, invoking operations in support of software processes and/or services executing on the device. These software processes and/or services may comprise routing process/services 244 , a collaboration process 247 , and/or an attack detection process 248 , as described herein.
  • Other processor and memory types, including various computer-readable media, may be used to store and execute program instructions pertaining to the techniques described herein.
  • While the description illustrates various processes, it is expressly contemplated that various processes may be embodied as modules configured to operate in accordance with the techniques herein (e.g., according to the functionality of a similar process). Further, while the processes have been shown separately, those skilled in the art will appreciate that processes may be routines or modules within other processes.
  • Routing process (services) 244 includes computer executable instructions executed by the processor 220 to perform functions provided by one or more routing protocols, such as proactive or reactive routing protocols as will be understood by those skilled in the art. These functions may, on capable devices, be configured to manage a routing/forwarding table (a data structure 245 ) including, e.g., data used to make routing/forwarding decisions.
  • link state routing such as Open Shortest Path First (OSPF), or Intermediate-System-to-Intermediate-System (ISIS), or Optimized Link State Routing (OLSR).
  • OSPF Open Shortest Path First
  • ISIS Intermediate-System-to-Intermediate-System
  • OLSR Optimized Link State Routing
  • Reactive routing discovers neighbors (i.e., does not have an a priori knowledge of network topology), and in response to a needed route to a destination, sends a route request into the network to determine which neighboring node may be used to reach the desired destination.
  • Example reactive routing protocols may comprise Ad-hoc On-demand Distance Vector (AODV), Dynamic Source Routing (DSR), DYnamic MANET On-demand Routing (DYMO), etc.
  • routing process 244 may consist solely of providing mechanisms necessary for source routing techniques. That is, for source routing, other devices in the network can tell the less capable devices exactly where to send the packets, and the less capable devices simply forward the packets as directed.
  • Attack detection process 248 includes computer executable instructions executed by the processor 220 to perform various functions, such as attack detection and reporting.
  • attack detection process 248 may use machine learning to determine whether an attack and/or a specific type of attack is detected.
  • machine learning is concerned with the design and the development of techniques that take as input empirical data (such as network statistics and performance indicators), and recognize complex patterns in these data.
  • One very common pattern among machine learning techniques is the use of an underlying model M, whose parameters are optimized for minimizing the cost function associated to M, given the input data.
  • attack detection process 248 may be an attack detection classifier that classifies network traffic or conditions into either an “attack” category or a “normal operation” category, based on learned behavior of the network.
  • attack detection process 248 may also be configured to use additional categories (e.g., classification labels), such as labels indicative of specific types of attacks.
  • LMs learning machines
  • IoE Internet of Everything
  • ANNs Artificial Neural Networks
  • ANNs are a type of machine learning technique whose underlying mathematical models were developed inspired by the hypothesis that mental activity consists primarily of electrochemical activity between interconnected neurons.
  • ANNs are sets of computational units (neurons) connected by directed weighted links. By combining the operations performed by neurons and the weights applied by the links, ANNs are able to perform highly non-linear operations on input data.
  • the interesting aspect of ANNs, though, is not that they can produce highly non-linear outputs of the input, but that they can learn to reproduce a predefined behavior through a training process.
  • an ANN may be trained to identify deviations in the behavior of a network that could indicate the presence of a network attack (e.g., a change in packet losses, link delays, number of requests, etc.).
  • ANN classifiers may be hierarchical in that a more powerful classifier verifies a conclusion reached by a lower-powered classifier.
  • Other machine learning techniques that may be used in an attack detection classifier may include, but are not limited to, support vector machines (SVMs), naïve Bayesian models, decision trees, and the like.
  • Attack detection process 248 may also employ anomaly detection techniques, to classify network conditions as being indicative of an attack.
  • Anomaly Detection is a data mining and machine learning technique that entails detecting, from a flow of data, the elements of the flow that do not follow the same pattern as the other flow elements.
  • AD techniques may be used to construct a model of normal behavior and may use the model to detect data points that are unlikely to fit the model.
  • Example AD techniques include, but are not limited to, k-NN techniques, one-class SVM techniques, replicator NN techniques, etc. Notably, such techniques may be used by learning machine process 248 to detect previously unseen forms of attacks.
  • attack detection process 248 may use clustering techniques, to detect a potential network attack.
  • Clustering denotes a family of techniques in which the objective is to group objects according to some (usually predefined) notion of similarity. For instance, clustering is a very popular technique used in recommender systems (RS) for grouping objects that are similar in terms of people's tastes. This way, the system can propose new products that the user will like with a high probability, based on previous choices of this particular user.
  • Typical clustering algorithms are k-means, DBSCAN or Mean-Shift, among others.
  • Collaboration process 247 includes computer executable instructions executed by the processor 220 to perform functions that include collaboratively segregating attack traffic in a computer network, such as network 100 .
  • the collaboration process 247 may operate in conjunction with the attack detection process 248 .
  • FIGS. 3A-3B illustrate an example of a network attack being detected, according to various embodiments.
  • a particular node/device 104 is under attack from an attack node.
  • the attack node may attempt to flood the node/device with request traffic (e.g., SYN flooding), thereby reducing the amount of resources available at the device/node (and potentially the network itself) for legitimate traffic.
  • other forms of DoS attacks may attempt to send a high volume of traffic (e.g., a volume based DoS attack) and may, in some cases, be distributed DoS (DDoS) attacks.
  • DDoS distributed DoS
  • the particular node/device 104 under attack is configured to execute an attack detector process (e.g., process 248 ).
  • the attack detector process may be operable to observe traffic behavior and apply a label (e.g., a classification) to the observed traffic behavior.
  • the node/device 104 under attack may determine that a sharp increase in request traffic is indicative of an attack (e.g., the observed behavior may be labeled as an attack by the device's machine learning process).
  • the node/device 104 may initiate countermeasures, such as sending an alert 302 to one of the servers/controllers 102 (e.g., to alert a network administrator), etc.
  • denial of service is a broad term for any kind of attack aiming, by any means, at making a particular service unavailable (be it a certain application running on a server or network connectivity itself). This is usually performed by bringing the target's resources to exhaustion (target resources may range from bandwidth to memory and CPU).
  • a denial-of-service attack may consist of flooding a target network with hundreds of megabits of traffic (e.g., a volume-based DoS), exhausting a server state by opening a number of TCP connections (e.g., SYN flooding), or by making an HTTP server unavailable by sending it an overwhelming number of requests.
  • An attack may be subtle and exploit well-known vulnerabilities in the target system (e.g., a large number of fragmented IP packets may exhaust the resources of a router), thus leading to attacks that are difficult to detect and mitigate.
  • DDoS denials of service attacks
  • botnets, i.e., armies of infected hosts spread across the network and under the control of a single master
  • source addresses used for attacks can be spoofed, so that blocking an offending address is potentially useless.
  • DoS attacks can be easy to detect when they are brute-force (e.g., volumetric), but, especially when highly distributed, they may be difficult to distinguish from a flash-crowd (e.g., an overload of the system due to many legitimate users accessing it at the same time).
  • This fact, in conjunction with the increasing complexity of performed attacks, makes the use of “classic” (usually threshold-based) techniques useless for detecting them.
  • machine learning techniques are particularly beneficial for learning the behavior of these attacks for detecting them before a server or an entire network becomes unavailable.
  • traffic segregation is a fundamental component of DoS/DDoS detection and mitigation, since non-brute force mitigation is only viable if the attacking flow can be flagged (e.g., attack traffic segregation).
  • segregation of attack traffic corresponding to a DoS/DDoS attack in the network can be enhanced by utilizing a collaborative model between a set of network devices in order to increase the performance but also the speed at which segregation takes place.
  • current local segregation techniques may imply long convergence times of the traffic flagging techniques, thus impacting the effectiveness of the overall system.
  • the techniques herein provide a collaborative mode of operation for a set of modules capable of flagging (i.e., segregating) traffic responsible for a DoS or DDoS attack.
  • the first component is used for computing optimal groups of collaborative notifiers (CN) according to their capabilities (e.g., based on historical performance), their location along with the network topology, and the available resources on each CN.
  • CN collaborative notifiers
  • Such information is used by the LM-based attack detectors on the CNs to converge much faster in identifying the attacking traffic.
  • the disclosed embodiments specify a fully distributed and collaborative method for identifying attacking traffic in a network, such as a self-learning network (SLN).
  • SLN self-learning network
  • the techniques described herein may be performed by hardware, software, and/or firmware, such as in accordance with the processes 244 , 247 and 248 , which may include computer executable instructions executed by the processor 220 (or independent processor of interfaces 210 ) to perform functions relating to the techniques described herein.
  • the techniques herein may be treated as extensions to conventional protocols, such as the various PLC protocols or wireless communication protocols, and as such, may be processed by similar components understood in the art that execute those protocols, accordingly.
  • the techniques herein provide for a collaborative model between a set of devices in the network in order to increase the performance as well as the speed at which segregation takes place in the network after detecting a potential attack.
  • the first component of this disclosure involves the Collaborative Notifier (CN) 410, a module co-hosted on a device equipped with a Machine Learning (ML) DoS attack detection and mitigation system (e.g., elements 420, 430, 440 and 450), which may be hosted on a device such as the device 200, as shown in FIG. 2, for example.
  • the objective of the CN 410 is to interact with a local system (e.g., elements 420, 430, 440 and 450) capable of performing traffic segregation, or traffic “flagging.”
  • a traffic segregator, such as the segregator 420, performs an identification of the attacking traffic and segregation of the attacking traffic from normal traffic.
  • any techniques suitable for DoS attack detection and mitigation may be utilized by the illustrative components in FIG. 4.
  • another component of this disclosure involves the ability to discover a set of N segregators that may collaborate in their attack traffic segregation attempts, thus improving the convergence time in flagging traffic and mitigation.
  • the resultant collaborative mode allows segregators to speed up their convergence (e.g., identification of attacking traffic), as well as their remediation process. Indeed, if K segregators identify an attacking flow F in time T while other segregators have not yet detected or flagged the attacking traffic, this mode of collaboration can dramatically improve the efficiency of the overall system.
  • a message (e.g., Notifier_Discovery( ) message 510) may be sent from multiple CNs 410 toward a centralized entity node (e.g., collaborative attack segregation engine (CASE) 520).
  • the Notifier_Discovery( ) message 510 may include the following characteristics:
  • the Notifier_Discovery( ) message 510 may specify the specific ML technique used for performing traffic segregation on the respective device (e.g., a clustering technique, a supervised statistical model, etc.).
  • the Notifier_Discovery( ) message 510 may specify the list of attacks supported by the local DoS detector 440, such as Slow Loris, HTTP Recursive GET, and so forth. Also, the message may specify whether the local DoS detector 440 is capable of detecting potential attacks for which it has not been trained, in the event that the DoS detector 440 supports ML-based techniques for automatically creating ML-based signatures for unknown attacks, for example.
  • the Notifier_Discovery( ) message 510 may indicate the network scope for the device that hosts the segregator, or in other words, the network areas on which the particular CN 410 has visibility. For example, if the device is a FAR attached to two PANs, it may include the PAN IDs. If the node is an Area Border Router, it may list the set of OSPF areas it is attached to. Similarly if the device is an ASBR, it may indicate the set of local Autonomous Systems (AS).
  • Averaged convergence time (ACT): the Notifier_Discovery( ) message 510 may indicate the ACT of the local traffic segregator 420, where the ACT is an indicator of past convergence time.
  • performing traffic segregation may be a complex task involving a number of ML-based algorithms, and consequently, the performance of the segregator may vary by orders of magnitude among segregators according to the degree of sophistication of their algorithms, amount of memory, computing capabilities, etc.
  • the ACT may be a simple scalar (e.g., weighted average convergence time) or a vector of scalars reflecting the convergence time, degree of success, and so forth.
  • each device equipped with a CN 410 may send the Notifier_Discovery( ) message 510 to a centralized entity node called the Collaborative Attack Segregation Engine (CASE) 520.
  • the CASE 520 may be hosted on an NMS or a Network Controller (NC).
  • the CASE 520 may determine a set of devices that would benefit from the collaboration techniques described herein.
  • the CASE 520 can select the set of CNs 410 whose capabilities intersect.
  • the CNs 410 may be selected based on having a respective local DoS attack detection and mitigation system with capabilities that are complementary to the other local DoS attack detection and mitigation systems.
  • the set S of collaborative nodes may be selected such that the widest variety of traffic segregators 420 is used, e.g., mixing fast or slow convergence time.
  • the CASE 520 can select CNs 410 by avoiding bad performers while ensuring that the network scopes are compatible, since, for example, it is less likely that two very distant PANs will detect the same attack at the same time.
  • the CASE 520 may make use of historical information. Namely, the recording of simultaneous attacks (which may be retrieved from a DoS attack historical database) may be used to group notifiers should the probability that these devices be exposed to the same attack cross some threshold.
  • the capabilities of the DoS attack detection and mitigation systems (e.g., elements 420, 430, 440 and 450) of the various CNs 410 are complementary to one another using any suitable approach, technique, or algorithm, as determined by the CASE 520 or the nodes themselves, such that the resources and capabilities of one CN 410 may complement, bolster, enhance, etc. those of another CN 410 within the same collaborative group.
  • the CASE 520 may subsequently send a notification message (e.g., the Group_CN( ) message 610) comprising a set of IDs of each selected CN 410, along with a multicast group address used during the collaborative mode described below. It may be possible for each group of collaborative CNs to be constantly re-adjusted according to the nodes' capabilities (which may be static or dynamic, such as the amount of available memory) and their performance. For example, the CASE 520 may determine that a CN 410 is performing poorly and may be detrimental to the other CNs.
  • the poorly performing CN 410 can be removed from the collaborative group, or conversely, notified that it has to join a new collaborative group in listening mode (i.e., receiving the list of flagged traffic but not providing its own computed set of flagged traffic).
  • the CASE 520 may take the network topology into account when computing the group of collaborative CNs 410.
  • CNs 410 may be grouped according to a set of available resources, should the devices hosting the CNs 410 be interconnected with sparse connectivity resources.
  • the CNs 410 may publish their capabilities using the Notifier_Discovery( ) message 510 described above by sending the message 510 to a well-known multicast address (which may be retrieved during a DHCP process or locally configured, as an example). By doing so, the selection of CNs 410 to join the collaborative group may be performed in a distributed fashion, rather than at a single centralized entity (e.g., CASE 520). That is, each node that sends the Notifier_Discovery( ) message 510 can determine the group of collaborative CNs 410.
  • each node is equipped with enough information (e.g., routing information, topology information, etc.) in order to agree on a common selection of CNs 410 and is capable of dynamically selecting a multicast group per set of collaborative CNs 410.
  • each of the CNs 410 will autonomously select which other CN or CNs it will cooperate with. Since not all of the CNs 410 have the capabilities (nor the available topology and routing information) for choosing an optimal set, it is possible that some of them may select a sub-optimal solution.
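The discovery and grouping steps above (the Notifier_Discovery( ) advertisement, the CASE's selection of complementary notifiers with compatible network scope or a history of simultaneous attacks, and the relegation of bad performers to listening mode), as an added Python model that is not the patent's or Cisco's code. The message field names, the complementarity scoring rule, the thresholds, the multicast addresses and the sample advertisements are all assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class NotifierDiscovery:
    """Capabilities a CN advertises in Notifier_Discovery() (field names assumed)."""
    cn_id: str
    ml_technique: str        # segregation technique, e.g. "clustering" or "supervised"
    attacks: FrozenSet[str]  # attacks the local DoS detector was trained for
    detects_unknown: bool    # can it build signatures for attacks it was not trained on
    scope: FrozenSet[str]    # network areas it sees: PAN IDs, OSPF areas, AS numbers
    act_seconds: float       # averaged convergence time (ACT) of the local segregator


@dataclass(frozen=True)
class GroupCN:
    """Group_CN() notification: members, the group's multicast address, and
    notifiers admitted in listening mode only (they receive flagged traffic)."""
    members: Tuple[str, ...]
    multicast_address: str
    listening_only: Tuple[str, ...] = ()


def complementarity(a: NotifierDiscovery, b: NotifierDiscovery) -> float:
    """Assumed scoring rule: different ML techniques, different attack coverage,
    different unknown-attack ability, and a mix of fast/slow convergence."""
    score = 0.0
    if a.ml_technique != b.ml_technique:
        score += 1.0
    union = a.attacks | b.attacks
    if union:
        score += len(a.attacks ^ b.attacks) / len(union)  # attacks only one side covers
    if a.detects_unknown != b.detects_unknown:
        score += 0.5
    fast, slow = sorted((a.act_seconds, b.act_seconds))
    if fast > 0 and slow / fast >= 2.0:  # a 2x ACT spread counts as a fast/slow mix
        score += 0.5
    return score


def compute_groups(msgs: List[NotifierDiscovery], act_limit: float, min_score: float,
                   multicast_pool: Iterable[str],
                   history: Optional[Dict[FrozenSet[str], float]] = None,
                   hist_threshold: float = 0.8) -> List[GroupCN]:
    """CASE-style grouping (assumed greedy algorithm): bad performers (ACT above
    act_limit) are set aside; pairs that share network scope, or whose historical
    probability of seeing the same attack crosses hist_threshold, and that are
    complementary enough are merged with union-find into groups."""
    history = history or {}
    good = [m for m in msgs if m.act_seconds <= act_limit]
    bad = [m for m in msgs if m.act_seconds > act_limit]
    by_id = {m.cn_id: m for m in good}
    parent = {cid: cid for cid in by_id}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(good, 2):
        same_scope = bool(a.scope & b.scope)
        co_attacked = history.get(frozenset((a.cn_id, b.cn_id)), 0.0) >= hist_threshold
        if (same_scope or co_attacked) and complementarity(a, b) >= min_score:
            parent[find(a.cn_id)] = find(b.cn_id)

    clusters: Dict[str, List[str]] = {}
    for cid in by_id:
        clusters.setdefault(find(cid), []).append(cid)

    addresses = iter(multicast_pool)
    groups: List[GroupCN] = []
    for _, members in sorted(clusters.items()):
        if len(members) < 2:
            continue  # a lone notifier gains nothing from a group
        members.sort()
        # A bad performer whose scope overlaps the group still receives the
        # group's flagged traffic, but does not contribute its own.
        listeners = tuple(sorted(m.cn_id for m in bad
                                 if any(m.scope & by_id[x].scope for x in members)))
        groups.append(GroupCN(tuple(members), next(addresses), listeners))
    return groups


# Constructed sample advertisements (not real devices or measurements).
SAMPLE = [
    NotifierDiscovery("cn_a", "clustering", frozenset({"slowloris", "http_recursive_get"}), False, frozenset({"PAN-1", "PAN-2"}), 12.0),
    NotifierDiscovery("cn_b", "supervised", frozenset({"syn_flood"}), True, frozenset({"PAN-2"}), 40.0),
    NotifierDiscovery("cn_c", "clustering", frozenset({"slowloris"}), False, frozenset({"OSPF-0"}), 8.0),
    NotifierDiscovery("cn_d", "supervised", frozenset({"slowloris", "syn_flood"}), False, frozenset({"OSPF-0", "OSPF-3"}), 30.0),
    NotifierDiscovery("cn_e", "clustering", frozenset({"slowloris"}), False, frozenset({"PAN-1"}), 900.0),  # bad performer
]
MULTICAST_POOL = ["ff0e::1:1", "ff0e::1:2"]  # assumed addresses the CASE hands out


def demo_groups(history: Optional[Dict[FrozenSet[str], float]] = None) -> List[GroupCN]:
    return compute_groups(SAMPLE, act_limit=120.0, min_score=1.5,
                          multicast_pool=MULTICAST_POOL, history=history)
```

With the sample data, cn_a and cn_b form one group (shared PAN-2, different techniques and attack lists) and cn_c and cn_d another, while cn_e is admitted to the first group as a listener only; passing a history entry for cn_a and cn_d above the threshold merges everything into one group.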
  • with reference to FIG. 7, another component of this disclosure involves the collaborative flagging/segregation process.
  • groups of collaborating CNs 410 have been computed and a multicast group 710 has been assigned, either using the CASE 520 or the distributed mode of operation.
  • the CN 410 may publish the set of flagged flows using a multicast message (e.g., the Traffic_Flagging( ) message 720) sent to the multicast group 710, such that the flows become available to all of the other CNs 410 that are a part of the same collaborative group.
  • the Traffic_Flagging( ) message 720 may indicate the following:
  • Set of flows F1, . . . , Fn: In one embodiment, the entire traces for each flow may be indicated in the message 720. In another embodiment, a subset of these flows (e.g., samples) may be indicated in the message 720. In yet another embodiment, the CN 410 may compute a model (e.g., a Mixed Gaussian Model or the like) for one or more of the flows, and the computed model may be indicated in the message 720.
  • Degree of confidence: A degree of confidence in the respective CN's flagged data flows actually corresponding to attack traffic can also be indicated in the message 720.
  • the degree of confidence may be represented via a normalized vector that provides an indication (when available) of both the confidence of the DoS detector 440 and the performance of the segregator 420, thus indicating how confident the CN 410 is in its ability to detect a true attack and segregate the attacking flows.
  • the network ID of the DoS attack's origin can be indicated in the message 720 .
  • if the device is a FAR, it may include the PAN ID.
  • if the node is an Area Border Router, it may list the open shortest path first (OSPF) areas where the segregated traffic has been detected.
  • feedback may be sent either to each CN 410 in the collaborative groups or to the CASE 520.
  • the feedback may be provided in a feedback message (e.g., Feed-Back( )).
  • This message may specify the accelerating factor of this collaborative mode, i.e., the amount by which the traffic segregation has been accelerated due to the collaborative efforts.
  • Such a factor may help the CASE 520, for example, in further group assignments.
  • a local device hosting a segregator module 420 may be able, upon reception of a Traffic_Flagging( ) message 720 comprising a flagged attacking flow, to determine whether or not it had identified a corresponding cluster.
  • the information included in the Traffic_Flagging( ) message 720 can allow the CN 410 to check whether it is, in fact, observing malicious traffic and whether its classifier is detecting it. This allows computing a performance index for the local classifier against an established ground truth. This feedback information can further be used in order to optimize the group assignment of CNs 410. It can also be used by the CN 410 for determining whether its local ML classifier is no longer capable of detecting attacks. In such a case, the CN 410 can raise an alarm for requesting a retraining of the local ML classifier.
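The collaborative flagging exchange above (a Traffic_Flagging( ) message with flagged flows and a confidence vector, the receiving CN's check of those flows against its own clusters, the resulting performance index, the retraining alarm and the accelerating factor carried in the Feed-Back( ) message), as an added Python example that is not the patent's or Cisco's code. The flow fields, the combined-confidence test, the thresholds, the alarm window and the sample flows are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FlowKey:
    """Flow identifier as carried in a Traffic_Flagging() message (assumed fields)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class TrafficFlagging:
    """Traffic_Flagging() message published to the collaborative multicast group."""
    sender: str
    flows: Tuple[FlowKey, ...]
    confidence: Tuple[float, float]  # (DoS detector confidence, segregator performance), each in [0, 1]
    origin_network: str              # network ID of the attack's origin, e.g. a PAN ID or OSPF area


@dataclass(frozen=True)
class FeedBack:
    """Feed-Back() message returned to the group or to the CASE."""
    sender: str
    performance_index: float   # share of peer-flagged flows seen here that we had flagged ourselves
    accelerating_factor: float # local ACT divided by the time segregation actually took
    retrain_alarm: bool        # local classifier judged no longer able to detect attacks


class CollaborativeNotifier:
    """Receiving side of the collaborative flagging process (assumed logic): the CN
    compares a peer's flagged flows with the clusters its own segregator produced."""

    def __init__(self, cn_id: str, act_seconds: float, min_index: float = 0.5,
                 min_confidence: float = 0.5, window: int = 3):
        self.cn_id = cn_id
        self.act_seconds = act_seconds  # averaged convergence time (ACT) of the local segregator
        self.min_index = min_index
        self.min_confidence = min_confidence
        self.window = window
        self.observed: Dict[FlowKey, float] = {}  # flows seen locally -> first-seen time
        self.flagged: Set[FlowKey] = set()        # flows the local segregator flagged itself
        self.indices: List[float] = []            # recent performance indices

    def observe(self, flow: FlowKey, at: float, flagged_locally: bool) -> None:
        self.observed.setdefault(flow, at)
        if flagged_locally:
            self.flagged.add(flow)

    def handle_flagging(self, msg: TrafficFlagging, now: float) -> Optional[FeedBack]:
        """Use a peer's flagged flows as ground truth for the local classifier."""
        # Combined confidence: the weaker of detector confidence and segregator performance.
        if min(msg.confidence) < self.min_confidence:
            return None  # too uncertain to serve as ground truth
        seen_here = [f for f in msg.flows if f in self.observed]
        if not seen_here:
            return None  # the attack is not visible from this node
        hits = [f for f in seen_here if f in self.flagged]
        missed = [f for f in seen_here if f not in self.flagged]
        index = len(hits) / len(seen_here)
        self.indices = (self.indices + [index])[-self.window:]
        # Adopt the peer's verdict for flows not yet segregated here and measure
        # how much sooner that happened than the local ACT would have allowed.
        factor = 1.0
        if missed:
            self.flagged.update(missed)
            elapsed = now - min(self.observed[f] for f in missed)
            factor = self.act_seconds / max(elapsed, 1e-9)
        # Raise the retraining alarm only on a sustained drop, not on a single miss.
        alarm = (len(self.indices) >= 2
                 and sum(self.indices) / len(self.indices) < self.min_index)
        return FeedBack(self.cn_id, index, factor, alarm)


def demo() -> Tuple[FeedBack, FeedBack]:
    """Constructed scenario: cn_c sees an attack that its peers flag before it does."""
    flows = [FlowKey(f"10.0.0.{i}", "10.1.0.5", "tcp", 80) for i in range(1, 7)]
    cn_c = CollaborativeNotifier("cn_c", act_seconds=40.0)
    # cn_c observes flows 0..4 from t=100; only flow 0 was flagged by its own segregator.
    for i in range(5):
        cn_c.observe(flows[i], at=100.0, flagged_locally=(i == 0))
    # cn_a publishes flows 0, 1, 2 and 5; flow 5 is not visible at cn_c.
    msg1 = TrafficFlagging("cn_a", (flows[0], flows[1], flows[2], flows[5]), (0.9, 0.8), "PAN-2")
    fb1 = cn_c.handle_flagging(msg1, now=110.0)
    # cn_b then flags flows 3 and 4, neither of which cn_c had flagged itself.
    msg2 = TrafficFlagging("cn_b", (flows[3], flows[4]), (0.95, 0.7), "PAN-2")
    fb2 = cn_c.handle_flagging(msg2, now=130.0)
    return fb1, fb2
```

In the scenario, the first message yields a performance index of 1/3 and an accelerating factor of 4 (segregation of the missed flows completed 10 s after they were first seen, against a local ACT of 40 s); the second yields an index of 0, which pushes the windowed average below the threshold and raises the retraining alarm.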
  • FIG. 8 illustrates an example simplified procedure for participating in a collaborative attack detection and mitigation group in accordance with one or more embodiments described herein.
  • the procedure 800 may start at step 805, and continues to step 810, where, as described in greater detail above, a node in a network (e.g., any of controllers/servers 102 or nodes/devices 104 shown in FIG. 1) having a local DoS attack detection and mitigation system may be selected as a member in a collaborative group with other nodes in the network, where every node in the collaborative group has a respective local DoS attack detection and mitigation system.
  • every node in that group may assist one another when performing attack traffic segregation, thereby increasing a quality and efficiency of the segregation process.
  • a particular node in a network determines information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system.
  • the particular node may host multiple modules, including, but not limited to, CN 410, segregator 420, aggregator 430, attack detector 440, and/or DRC 450, as shown in FIG. 4.
  • the CN 410 is operable to communicate with other network entities, including collaborating with other CNs in the network.
  • the machine learning attack detection and mitigation system may include the segregator 420, aggregator 430, attack detector 440, and/or DRC 450.
  • the machine learning attack detection and mitigation system is local to the CN 410, as it is hosted on the same node (e.g., the “particular node”) as the CN 410.
  • the particular node sends a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information.
  • the address may be, for example, an address of the CASE 520 or a multicast group address accessible by other CNs in the same collaborative group.
  • the capabilities of the machine learning attack detection and mitigation system that is local to the particular node may involve, for example, one or more of: i) an attack traffic segregation technique used by the local machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the local machine learning attack detection and mitigation system, iii) a connectivity range of the local machine learning attack detection and mitigation system in the network, and/or iv) an average convergence time when the local machine learning attack detection and mitigation system performs attack traffic segregation.
  • the particular node receives an indication that the node is a member of a collaborative group of nodes along with one or more other nodes in the network.
  • the determination of the collaborative group of nodes may be based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
  • the determination may be made by the CASE 520 or the nodes in the network themselves, where the determination is made in a distributed fashion.
  • the indication may be received via the Group_CN( ) message 610, as shown in FIG. 6.
  • in response to an attack being detected by the local machine learning attack detection and mitigation system, the particular node provides to the collaborative group of nodes an indication of attack data flows identified as corresponding to the attack. To this end, the particular node may send the attack data flows to the multicast group 710, as shown in FIG. 7, which is shared and accessible by all of the nodes in the collaborative group of nodes. Therefore, the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes are enabled to assist the particular node in mitigating the attack. As a result, the mitigation (e.g., segregation) of attack traffic can be enhanced due to the contribution of increased resources from the machine learning attack detection and mitigation systems local to other nodes in the collaborative group, as described in more detail above.
  • the procedure illustratively ends at step 830.
  • FIG. 9 illustrates an example simplified procedure for determining a collaborative attack detection and mitigation group in accordance with one or more embodiments described herein.
  • the procedure 900 may start at step 905, and continues to step 910, where, as described in greater detail above, a centralized entity node in a network (e.g., any of controllers/servers 102 or nodes/devices 104 shown in FIG. 1) computes a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another, thereby enabling the machine learning attack detection and mitigation systems local to the collaborative group of nodes to assist one another in mitigating attacks in the network.
  • a centralized entity node in a network receives messages from a plurality of nodes in the network indicating capabilities of a machine learning attack detection and mitigation system local to each respective node.
  • the centralized entity node may correspond to the CASE 520.
  • the received messages may be sent via the Notifier_Discovery( ) message 510, as shown in FIG. 5.
  • the centralized entity node computes a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another.
  • the capabilities of the DoS attack detection and mitigation systems (e.g., elements 420, 430, 440 and 450) of the various CNs 410 are complementary to one another using any suitable approach, technique, or algorithm, as determined by the CASE 520 or the nodes themselves, such that the resources and capabilities of one CN 410 may complement, bolster, enhance, etc. those of another CN 410 within the same collaborative group. Accordingly, the machine learning attack detection and mitigation systems local to the collaborative group of nodes are enabled to assist one another in mitigating attacks in the network.
  • the centralized entity node may send a message to the collaborative group of nodes identifying each node that is a member within the collaborative group of nodes.
  • the message may be sent via the Group_CN( ) message 610, as shown in FIG. 6.
  • the procedure illustratively ends at step 925 , though notably may begin again in response to receiving a feedback message indicating a degree to which the detecting and mitigating of an attack in the network has been enhanced due to the collaborative group of nodes. That is, the centralized entity node may re-compute the collaborative group of nodes based on the received feedback message by restarting procedure 900 . Note also that the techniques by which the steps of procedure 900 may be performed, as well as ancillary procedures and parameters, are described in detail above.
  • While certain steps within procedures 800 and 900 may be optional, the steps shown in FIGS. 8 and 9 are merely examples for illustration, and certain other steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments herein. Moreover, while procedures 800 and 900 are described separately, certain steps from each procedure may be incorporated into each other procedure, and the procedures are not meant to be mutually exclusive.

Abstract

In one embodiment, a particular node in a network determines information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system. The particular node sends a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information. In response to the sent message, the particular node receives an indication that it is a member of a collaborative group of nodes based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of other machine learning attack detection and mitigation systems. Then, in response to an attack being detected by the local machine learning attack detection and mitigation system, the particular node provides to the collaborative group of nodes an indication of attack data flows identified as corresponding to the attack.

Description

    TECHNICAL FIELD
  • The present disclosure relates generally to computer networks, and, more particularly, to traffic segregation in a DDoS attack architecture.
  • BACKGROUND
  • Enterprise networks are carrying a very fast growing volume of both business and non-business critical traffics. Often, business applications such as video collaboration, cloud applications, etc., use the same hypertext transfer protocol (HTTP) and/or HTTP secure (HTTPS) techniques that are used by non-business critical web traffic. This complicates the task of optimizing network performance for specific applications, as many applications use the same protocols, thus making it difficult to distinguish and select traffic flows for optimization.
  • One type of network attack that is of particular concern in the context of a computer network is a Denial of Service (DoS) attack. In general, the goal of a DoS attack is to prevent legitimate use of the services available on the network. For example, a DoS jamming attack may artificially introduce interference into the network, thereby causing collisions with legitimate traffic and preventing message decoding. In another example, a DoS attack may attempt to overwhelm the network's resources by flooding the network with requests, to prevent legitimate requests from being processed. A DoS attack may also be distributed, to conceal the presence of the attack. For example, a distributed DoS (DDoS) attack may involve multiple attackers sending malicious requests, making it more difficult to distinguish when an attack is underway. The detection of DoS attacks is particularly challenging when network resources are limited, such as in the case of a low power and lossy network (LLN).
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The embodiments herein may be better understood by referring to the following description in conjunction with the accompanying drawings in which like reference numerals indicate identically or functionally similar elements, of which:
  • FIG. 1 illustrates an example communication network;
  • FIG. 2 illustrates an example network device/node;
  • FIGS. 3A-3B illustrate an example of a network attack being detected;
  • FIG. 4 illustrates an example diagrammatic representation of a DoS attack detection and mitigation architecture;
  • FIG. 5 illustrates an example diagrammatic representation of discovering collaborative group node candidates;
  • FIG. 6 illustrates an example diagrammatic representation of a collaborative group selection announcement;
  • FIG. 7 illustrates an example diagrammatic representation of a collaborative flagging process;
  • FIG. 8 illustrates an example simplified procedure for participating in a collaborative attack detection and mitigation group; and
  • FIG. 9 illustrates an example simplified procedure for determining a collaborative attack detection and mitigation group.
  • DESCRIPTION OF EXAMPLE EMBODIMENTS
  • Overview
  • According to one or more embodiments of the disclosure, a particular node in a network determines information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system. The particular node may send a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information. In response to the sent message, the particular node receives an indication that it is a member of a collaborative group of nodes along with one or more other nodes in the network based on the capabilities of the local machine learning attack detection and mitigation system (local to the particular node) being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes. Then, in response to an attack being detected by the local machine learning attack detection and mitigation system, the particular node provides to the collaborative group of nodes an indication of attack data flows identified as corresponding to the attack. Thus, the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes are enabled to assist the particular node in mitigating the attack.
  • Further, according to one or more embodiments of the disclosure, a centralized entity node in a network receives messages from a plurality of nodes in the network indicating capabilities of a machine learning attack detection and mitigation system local to each respective node. In response to the received messages, the centralized entity node computes a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another. Thus, the machine learning attack detection and mitigation systems local to the collaborative group of nodes are enabled to assist one another in mitigating attacks in the network. Then, the centralized entity node sends a message to the collaborative group of nodes identifying each node that is a member within the collaborative group of nodes.
  • DESCRIPTION
  • A computer network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc. Many types of networks are available, ranging from local area networks (LANs) to wide area networks (WANs). LANs typically connect the nodes over dedicated private communications links located in the same general physical location, such as a building or campus. WANs, on the other hand, typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), synchronous digital hierarchy (SDH) links, or Powerline Communications (PLC) such as IEEE 61334, IEEE P1901.2, and others. In addition, a Mobile Ad-Hoc Network (MANET) is a kind of wireless ad-hoc network, which is generally considered a self-configuring network of mobile routers (and associated hosts) connected by wireless links, the union of which forms an arbitrary topology.
  • Smart object networks, such as sensor networks, in particular, are a specific type of network having spatially distributed autonomous devices such as sensors, actuators, etc., that cooperatively monitor physical or environmental conditions at different locations, such as, e.g., energy/power consumption, resource consumption (e.g., water/gas/etc. for advanced metering infrastructure or “AMI” applications) temperature, pressure, vibration, sound, radiation, motion, pollutants, etc. Other types of smart objects include actuators, e.g., responsible for turning on/off an engine or perform any other actions. Sensor networks, a type of smart object network, are typically shared-media networks, such as wireless or PLC networks. That is, in addition to one or more sensors, each sensor device (node) in a sensor network may generally be equipped with a radio transceiver or other communication port such as PLC, a microcontroller, and an energy source, such as a battery. Often, smart object networks are considered field area networks (FANs), neighborhood area networks (NANs), etc. Generally, size and cost constraints on smart object nodes (e.g., sensors) result in corresponding constraints on resources such as energy, memory, computational speed and bandwidth.
  • FIG. 1 is a schematic block diagram of an example computer system 100 illustratively comprising one or more server(s)/controller(s) 102 and one or more nodes/devices 104 (e.g., a first through nth node/device) that are interconnected by various methods of communication. For example, links 105 may be wired links or shared media (e.g., wireless links, PLC links, etc.) that illustratively form a network 110. Those skilled in the art will understand that any number of nodes, devices, links, etc. may be used in computer system 100, and that the view shown herein is for simplicity. Also, those skilled in the art will further understand that while the network is shown in a certain orientation, system 100 is merely an example illustration that is not meant to limit the disclosure.
  • In general, server(s)/controller(s) 102 provide some form of control over nodes/devices 104 and, more generally, over the operation of network 110. For example, servers/controllers 102 may include, but are not limited to, path computation engines (PCEs), network controllers, network management systems (NMSs), policy engines, reporting mechanisms, or any other form of device or system that provides some degree of global or localized control over other devices in the network.
  • Nodes/devices 104 may include any form of networking device used to generate, forward, receive, etc., traffic within network 110. For example, nodes/devices 104 may include, but are not limited to, routers, switches, computers, or the like.
  • Data packets (e.g., traffic and/or messages sent between the devices/nodes) may be exchanged among the nodes/devices of the computer system 100 using predefined network communication protocols such as certain known wired protocols, wireless protocols (e.g., IEEE Std. 802.15.4, WiFi, Bluetooth®, etc.), PLC protocols, or other shared-media protocols where appropriate. In this context, a protocol consists of a set of rules defining how the nodes interact with each other.
  • In some embodiments, network 110 may be or may include a WAN, LAN, service provider network, customer edge network, multi-protocol label switched (MPLS) network, IP network, wireless network, mesh network, shared media network, virtual private network (VPN), or any other form of computing network. In one embodiment, network 110 may be, or may include, a Low Power and Lossy Network (LLN). LLNs (e.g., certain sensor networks), may be used in a myriad of applications, such as for “Smart Grid” and “Smart Cities.” A number of challenges in LLNs have been presented, such as:
  • 1) Links are generally lossy, such that a Packet Delivery Rate/Ratio (PDR) can dramatically vary due to various sources of interferences, e.g., considerably affecting the bit error rate (BER);
  • 2) Links are generally low bandwidth, such that control plane traffic must generally be bounded and negligible compared to the low rate data traffic;
  • 3) There are a number of use cases that require specifying a set of link and node metrics, some of them being dynamic, thus requiring specific smoothing functions to avoid routing instability, considerably draining bandwidth and energy;
  • 4) Constraint-routing may be required by some applications, e.g., to establish routing paths that will avoid non-encrypted links, nodes running low on energy, etc.;
  • 5) Scale of the networks may become very large, e.g., on the order of several thousands to millions of nodes; and
  • 6) Nodes may be constrained with a low memory, a reduced processing capability, a low power supply (e.g., battery).
  • In other words, LLNs are a class of network in which both the routers and their interconnections are constrained: LLN routers typically operate with constraints, e.g., on processing power, memory, and/or energy (battery), and their interconnections are characterized by, illustratively, high loss rates, low data rates, and/or instability. LLNs comprise anything from a few dozen up to thousands or even millions of LLN routers, and support point-to-point traffic (between devices inside the LLN), point-to-multipoint traffic (from a central control point to a subset of devices inside the LLN) and multipoint-to-point traffic (from devices inside the LLN towards a central control point).
  • An example implementation of LLNs is an “Internet of Things” network. Loosely, the term “Internet of Things” or “IoT” may be used by those in the art to refer to uniquely identifiable objects (things) and their virtual representations in a network-based architecture. In particular, the next frontier in the evolution of the Internet is the ability to connect not just computers and communications devices, but “objects” in general, such as lights, appliances, vehicles, HVAC (heating, ventilating, and air-conditioning), windows and window shades and blinds, doors, locks, etc. The “Internet of Things” thus generally refers to the interconnection of objects (e.g., smart objects), such as sensors and actuators, over a computer network (e.g., IP), which may be the Public Internet or a private network. Such devices have been used in the industry for decades, usually in the form of non-IP or proprietary protocols that are connected to IP networks by way of protocol translation gateways. With the emergence of a myriad of applications, such as the smart grid, smart cities, building and industrial automation, and cars (e.g., that can interconnect millions of objects for sensing things like power quality, tire pressure, and temperature and that can actuate engines and lights), it has been of the utmost importance to extend the IP protocol suite for these networks.
  • FIG. 2 is a schematic block diagram of an example node/device 200 (e.g., a server/controller 102, a node/device 104, etc.) that may be used with one or more embodiments described herein, e.g., as any of the devices shown in FIG. 1 above. The device may comprise one or more network interfaces 210 (e.g., wired, wireless, PLC, etc.), at least one processor 220, and a memory 240 interconnected by a system bus 250, as well as a power supply 260 (e.g., battery, plug-in, etc.).
  • The network interface(s) 210 include the mechanical, electrical, and signaling circuitry for communicating data over links 105 coupled to the network 100. The network interfaces may be configured to transmit and/or receive data using a variety of different communication protocols. Note, further, that the nodes may have two different types of network connections 210, e.g., wireless and wired/physical connections, and that the view herein is merely for illustration. Also, while the network interface 210 is shown separately from power supply 260, for PLC the network interface 210 may communicate through the power supply 260, or may be an integral component of the power supply. In some specific configurations the PLC signal may be coupled to the power line feeding into the power supply.
  • The memory 240 comprises a plurality of storage locations that are addressable by the processor 220 and the network interfaces 210 for storing software programs and data structures associated with the embodiments described herein. Note that certain devices may have limited memory or no memory (e.g., no memory for storage other than for programs/processes operating on the device and associated caches). The processor 220 may comprise hardware elements or hardware logic adapted to execute the software programs and manipulate the data structures 245. An operating system 242, portions of which are typically resident in memory 240 and executed by the processor, functionally organizes the device by, inter alia, invoking operations in support of software processes and/or services executing on the device. These software processes and/or services may comprise routing process/services 244, a collaboration process 247, and/or an attack detection process 248, as described herein.
  • It will be apparent to those skilled in the art that other processor and memory types, including various computer-readable media, may be used to store and execute program instructions pertaining to the techniques described herein. Also, while the description illustrates various processes, it is expressly contemplated that various processes may be embodied as modules configured to operate in accordance with the techniques herein (e.g., according to the functionality of a similar process). Further, while the processes have been shown separately, those skilled in the art will appreciate that processes may be routines or modules within other processes.
  • Routing process (services) 244 includes computer executable instructions executed by the processor 220 to perform functions provided by one or more routing protocols, such as proactive or reactive routing protocols as will be understood by those skilled in the art. These functions may, on capable devices, be configured to manage a routing/forwarding table (a data structure 245) including, e.g., data used to make routing/forwarding decisions. In particular, in proactive routing, connectivity is discovered and known prior to computing routes to any destination in the network, e.g., link state routing such as Open Shortest Path First (OSPF), or Intermediate-System-to-Intermediate-System (ISIS), or Optimized Link State Routing (OLSR). Reactive routing, on the other hand, discovers neighbors (i.e., does not have an a priori knowledge of network topology), and in response to a needed route to a destination, sends a route request into the network to determine which neighboring node may be used to reach the desired destination. Example reactive routing protocols may comprise Ad-hoc On-demand Distance Vector (AODV), Dynamic Source Routing (DSR), DYnamic MANET On-demand Routing (DYMO), etc. Notably, on devices not capable or configured to store routing entries, routing process 244 may consist solely of providing mechanisms necessary for source routing techniques. That is, for source routing, other devices in the network can tell the less capable devices exactly where to send the packets, and the less capable devices simply forward the packets as directed.
  • Attack detection process 248 includes computer executable instructions executed by the processor 220 to perform various functions, such as attack detection and reporting. In various embodiments, attack detection process 248 may use machine learning to determine whether an attack and/or a specific type of attack is detected. In general, machine learning is concerned with the design and the development of techniques that take as input empirical data (such as network statistics and performance indicators), and recognize complex patterns in these data. One very common pattern among machine learning techniques is the use of an underlying model M, whose parameters are optimized for minimizing the cost function associated with M, given the input data. For instance, in the context of classification, the model M may be a straight line that separates the data into two classes such that M=a*x+b*y+c and the cost function would be the number of misclassified points. The learning process then operates by adjusting the parameters a,b,c such that the number of misclassified points is minimal. After this optimization phase (or learning phase), the model M can be used very easily to classify new data points. Often, M is a statistical model, and the cost function is inversely proportional to the likelihood of M, given the input data. Accordingly, attack detection process 248 may be an attack detection classifier that classifies network traffic or conditions into either an “attack” category or a “normal operation” category, based on learned behavior of the network. In some implementations, attack detection process 248 may also be configured to use additional categories (e.g., classification labels), such as labels indicative of specific types of attacks.
  • As also noted above, learning machines (LMs) are computational entities that rely on one or more machine learning processes for performing a task for which they have not been explicitly programmed. In particular, LMs are capable of adjusting their behavior to their environment. In the context of LLNs, and more generally in the context of the IoT (or Internet of Everything, IoE), this ability will be very important, as the network will face changing conditions and requirements, and the network will become too large for efficient management by a network operator.
  • Artificial Neural Networks (ANNs) are a type of machine learning technique whose underlying mathematical models were developed inspired by the hypothesis that mental activity consists primarily of electrochemical activity between interconnected neurons. ANNs are sets of computational units (neurons) connected by directed weighted links. By combining the operations performed by neurons and the weights applied by the links, ANNs are able to perform highly non-linear operations on input data. The interesting aspect of ANNs, though, is not that they can produce highly non-linear outputs of the input, but that they can learn to reproduce a predefined behavior through a training process. Accordingly, an ANN may be trained to identify deviations in the behavior of a network that could indicate the presence of a network attack (e.g., a change in packet losses, link delays, number of requests, etc.). In some cases, ANN classifiers may be hierarchical in that a more powerful classifier verifies a conclusion reached by a lower-powered classifier. Other machine learning techniques that may be used in an attack detection classifier may include, but are not limited to, support vector machines (SVMs), naïve Bayesian models, decision trees, and the like.
  • Attack detection process 248 may also employ anomaly detection techniques, to classify network conditions as being indicative of an attack. Anomaly Detection (AD) is a data mining and machine learning technique that entails detecting, from a flow of data, the elements of the flow that do not follow the same pattern as the other flow elements. In particular, AD techniques may be used to construct a model of normal behavior and may use the model to detect data points that are unlikely to fit the model. Example AD techniques include, but are not limited to, k-NN techniques, one-class SVM techniques, replicator NN techniques, etc. Notably, such techniques may be used by learning machine process 248 to detect previously unseen forms of attacks.
  • In further embodiments, attack detection process 248 may use clustering techniques, to detect a potential network attack. Clustering denotes a family of techniques in which the objective is to group objects according to some (usually predefined) notion of similarity. For instance, clustering is a very popular technique used in recommender systems (RS) for grouping objects that are similar in terms of people's tastes. This way, the system can propose new products that the user will like with a high probability, based on previous choices of this particular user. Typical clustering algorithms are k-means, DBSCAN or Mean-Shift, among others.
  • Collaboration process 247, as described in greater detail below, includes computer executable instructions executed by the processor 220 to perform functions that include collaboratively segregating attack traffic in a computer network, such as network 100. The collaboration process 247 may operate in conjunction with the attack detection process 248.
  • FIGS. 3A-3B illustrate an example of a network attack being detected, according to various embodiments. As shown, assume that a particular node/device 104 is under attack from an attack node. During a DoS attack, for example, the attack node may attempt to flood the node/device with request traffic (e.g., SYN flooding), thereby reducing the amount of resources available at the device/node (and potentially the network itself) for legitimate traffic. Notably, other forms of DoS attacks may attempt to send a high volume of traffic (e.g., a volume based DoS attack) and may, in some cases, be distributed DoS (DDoS) attacks.
  • As shown in FIG. 3A, assume that the particular node/device 104 under attack is configured to execute an attack detector process (e.g., process 248). In general, the attack detector process may be operable to observe traffic behavior and apply a label (e.g., a classification) to the observed traffic behavior. For example, the node/device 104 under attack may determine that a sharp increase in request traffic is indicative of an attack (e.g., the observed behavior may be labeled as an attack by the device's machine learning process). In such a case, as shown in FIG. 3B, the node/device 104 may initiate countermeasures, such as sending an alert 302 to one of the servers/controller 102 (e.g., to alert a network administrator), etc.
  • As referenced above, denial of service is a broad term for any kind of attack aiming, by any means, at making a particular service unavailable (be it a certain application running on a server or network connectivity itself). This is usually performed by bringing the target's resources to exhaustion (target resources may range from bandwidth to memory and CPU). In greater detail, a denial-of-service attack may consist of flooding a target network with hundreds of megabits of traffic (e.g., a volume-based DoS), exhausting a server's state by opening a number of TCP connections (e.g., SYN flooding), or making an HTTP server unavailable by sending it an overwhelming number of requests. An attack may be subtle and exploit well-known vulnerabilities in the target system (e.g., a large number of fragmented IP packets may exhaust the resources of a router), thus leading to attacks that are difficult to detect and mitigate.
  • Nowadays, denial of service attacks are mostly distributed (DDoS), meaning they are carried out by multiple sources at the same time, making them more difficult to track. In many cases botnets (i.e., armies of infected hosts spread across the network and under the control of a single master) are used for mounting DoS attacks. In addition, source addresses used for attacks can be spoofed, so that blocking an offending address is potentially useless.
  • DoS attacks can be easy to detect when they are brute-force (e.g., volumetric), but, especially when highly distributed, they may be difficult to distinguish from a flash-crowd (e.g., an overload of the system due to many legitimate users accessing it at the same time). This fact, in conjunction with the increasing complexity of performed attacks, makes the use of “classic” (usually threshold-based) techniques useless for detecting them. As a result, machine learning techniques are particularly beneficial for learning the behavior of these attacks so that they can be detected before a server or an entire network becomes unavailable.
  • As further noted above, traffic segregation is a fundamental component of DoS/DDoS detection and mitigation, since non-brute force mitigation is only viable if the attacking flow can be flagged (e.g., attack traffic segregation). Notably, segregation of attack traffic corresponding to a DoS/DDoS attack in the network can be enhanced by utilizing a collaborative model between a set of network devices in order to increase not only the performance but also the speed at which segregation takes place. Indeed, current local segregation techniques may imply long convergence times of the traffic flagging techniques, thus impacting the effectiveness of the overall system.
  • Collaborative Traffic Segregation in a DDoS Attack Architecture
  • The techniques herein provide a collaborative mode of operation for a set of modules capable of flagging (i.e., segregating) traffic responsible for a DoS or DDoS attack. The first component is used for computing optimal groups of collaborative notifiers (CN) according to their capabilities (e.g., based on historical performance), their location along with the network topology, and the available resources on each CN. This leads to the dynamic creation of a publishing bus in the form of a multicast group, which can be used to exchange information about the flagged traffic. Such information is used by the LM-based attack detectors on the CNs to converge much faster in identifying the attacking traffic. Furthermore, this leads to faster mitigation, even in nodes with constrained resources, which are less capable and may not be equipped with a sophisticated segregator. In contrast with existing approaches, the disclosed embodiments specify a fully distributed and collaborative method for identifying attacking traffic in a network, such as a self-learning network (SLN). Such an approach is premised on a combination of the knowledge of the network topology and routing with distributed ML-based algorithms for performing efficient traffic segregation.
  • Specifically, according to one or more embodiments of the disclosure as described in detail below, a particular node in a network determines information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system. The particular node may send a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information. In response to the sent message, the particular node receives an indication that it is a member of a collaborative group of nodes along with one or more other nodes in the network based on the capabilities of the local machine learning attack detection and mitigation system (local to the particular node) being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes. Then, in response to an attack being detected by the local machine learning attack detection and mitigation system, the particular node provides to the collaborative group of nodes an indication of attack data flows identified as corresponding to the attack. Thus, the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes are enabled to assist the particular node in mitigating the attack.
  • Further, according to one or more embodiments of the disclosure, a centralized entity node in a network receives messages from a plurality of nodes in the network indicating capabilities of a machine learning attack detection and mitigation system local to each respective node. In response to the received messages, the centralized entity node computes a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another. Thus, the machine learning attack detection and mitigation systems local to the collaborative group of nodes are enabled to assist one another in mitigating attacks in the network. Then, the centralized entity node sends a message to the collaborative group of nodes identifying each node that is a member within the collaborative group of nodes.
  • Illustratively, the techniques described herein may be performed by hardware, software, and/or firmware, such as in accordance with the processes 244, 247 and 248, which may include computer executable instructions executed by the processor 220 (or independent processor of interfaces 210) to perform functions relating to the techniques described herein. For example, the techniques herein may be treated as extensions to conventional protocols, such as the various PLC protocols or wireless communication protocols, and as such, may be processed by similar components understood in the art that execute those protocols, accordingly.
  • Operationally, the techniques herein provide for a collaborative model between a set of devices in the network in order to increase the performance as well as the speed at which segregation takes place in the network after detecting a potential attack. Referring to FIG. 4, the first component of this disclosure involves the Collaborative Notifier (CN) 410, a module co-hosted on a device equipped with a Machine Learning (ML) DoS attack detection and mitigation system (e.g., elements 420, 430, 440 and 450), which may be hosted on a device such as the device 200, as shown in FIG. 2, for example. The objective of the CN 410 is to interact with a local system (e.g., elements 420, 430, 440 and 450) capable of performing traffic segregation, or traffic “flagging.” As is known in the art, once an attack has been detected by a DoS detector, such as the LM-based DoS attack detector 440, a traffic segregator, such as the segregator 420, performs an identification of the attacking traffic and segregation of the attacking traffic from normal traffic. Notably, any techniques suitable for DoS attack detection and mitigation may be utilized by the illustrative components in FIG. 4.
  • Another component of this disclosure involves the ability to discover a set of N segregators that may collaborate in their attack traffic segregation attempts, thus improving the convergence time in flagging traffic and mitigation. The resultant collaborative mode allows segregators to speed up their convergence (e.g., identification of attacking traffic), as well as their remediation process. Indeed, if K segregators identify an attacking flow F in time T while other segregators have not yet detected or flagged the attacking traffic, this mode of collaboration can dramatically improve the efficiency of the overall system.
  • Referring now to FIG. 5, in order to assist in the formation of a collaborative group of nodes having DoS attack detection and mitigation capabilities, a message (e.g., Notifier_Discovery( ) message 510) may be sent from multiple CNs 410 toward a centralized entity node (e.g., collaborative attack segregation engine (CASE) 520). In particular, the Notifier_Discovery( ) message 510, as shown in FIG. 5, may include the following characteristics:
  • 1. Nature of the Segregator: the Notifier_Discovery( ) message 510 may specify the specific ML technique used for performing traffic segregation on the respective device (e.g., a clustering technique, a supervised statistical model, etc.).
  • 2. List of supported attacks: the Notifier_Discovery( ) message 510 may specify the list of attacks supported by the local DoS detector 440, such as Slow Loris, HTTP Recursive GET, and so forth. Also, the message may specify whether the local DoS detector 440 is capable of detecting potential attacks for which it has not been trained, in the event that the DoS detector 440 supports LM-based techniques for automatically creating LM-based signatures for unknown attacks, for example.
  • 3. Networking scope: the Notifier_Discovery( ) message 510 may indicate the network scope for the device that hosts the segregator, or in other words, the network areas on which the particular CN 410 has visibility. For example, if the device is a FAR attached to two PANs, it may include the PAN IDs. If the node is an Area Border Router, it may list the set of OSPF areas it is attached to. Similarly if the device is an ASBR, it may indicate the set of local Autonomous Systems (AS).
  • 4. Averaged convergence time (ACT): the Notifier_Discovery( ) message 510 may indicate the ACT of the local traffic segregator 420, where the ACT is an indicator of past convergence time. Indeed, performing traffic segregation may be a complex task involving a number of ML-based algorithms, and consequently, the performance of the segregator may vary by orders of magnitude among segregators according to the degree of sophistication of their algorithms, amount of memory, computing capabilities, etc. The ACT may be a simple scalar (e.g., weighted average convergence time) or a vector of scalars reflecting the convergence time, degree of success, and so forth.
  • Regarding the transmission of the Notifier_Discovery( ) message 510, several modes of operation are specified. In a first mode of operation, as shown in FIG. 5, each device equipped with a CN 410 may send the Notifier_Discovery( ) message 510 to a centralized entity node called the Collaborative Attack Segregation Engine (CASE) 520. The CASE 520 may be hosted on a NMS or a Network Controller (NC). Upon receiving the Notifier_Discovery( ) message, the CASE 520 may determine a set of devices that would benefit from the collaboration techniques described herein.
  • To this end, the CASE 520 can select the set of CNs 410 whose capabilities intersect. Put another way, the CNs 410 may be selected based on having a respective local DoS attack detection and mitigation system (e.g., elements 420, 430, 440 and 450) with capabilities that are complementary to the other local DoS attack detection and mitigation systems. For example, the set S of collaborative nodes may be selected such that the widest variety of traffic segregators 420 is used, e.g., mixing fast and slow convergence times. Also, the CASE 520 can select CNs 410 by avoiding bad performers while ensuring that the network scopes are compatible, since, for example, it is less likely that two very distant PANs will detect the same attack at the same time. Similarly, two distant autonomous system boundary routers (ASBR) may not benefit from such a collaboration if they are connected to autonomous systems (AS) with highly different characteristics. In yet another embodiment, the CASE 520 may make use of historical information. Namely, the recording of simultaneous attacks (which may be retrieved from a DoS attack historical database) may be used to group notifiers should the probability that these devices be exposed to the same attack cross some threshold. Notably, it may be determined that the capabilities of the DoS attack detection and mitigation systems (e.g., elements 420, 430, 440 and 450) of the various CNs 410 are complementary to one another using any suitable approach, technique, or algorithm, as determined by the CASE 520 or the nodes themselves, such that the resources and capabilities of one CN 410 may complement, bolster, enhance, etc. those of another CN 410 within the same collaborative group.
  • Referring now to FIG. 6, once the groups of CNs 410 have been computed, the CASE 520 may subsequently send a notification message (e.g., the Group_CN( ) message 610) comprising a set of IDs of each selected CN 410, along with a multicast group address used during the collaborative mode described below. It may be possible for each group of collaborative CNs to be constantly re-adjusted according to the nodes' capabilities (which may be static or dynamic such as the amount of available memory) and their performance. For example, the CASE 520 may determine that a CN 410 is performing poorly and may be detrimental to the other CNs. In this case, the poorly performing CN 410 can be removed from the collaborative group, or conversely, notified that it has to join a new collaborative group in listening mode (i.e., receiving the list of flagged traffic but not providing its own computed set of flagged traffic). In yet another embodiment, the CASE 520 may take the network topology into account when computing the group of collaborative CNs 410. For example, in the case of the Internet of Things, CNs 410 may be grouped according to a set of available resources, should the devices hosting the CNs 410 be interconnected with sparse connectivity resources.
  • In a second mode of operation, the CNs 410 may publish their capabilities using the Notifier_Discovery( ) message 510 described above by sending the message 510 to a well-known multicast address (which may be retrieved during a DHCP process or locally configured, as an example). By doing so, the selection of CNs 410 to join the collaborative group may be performed in a distributed fashion, rather than at a single centralized entity (e.g., CASE 520). That is, each node that sends the Notifier_Discovery( ) message 510 can determine the group of collaborative CNs 410. Notably, the distributed approach may lead to less optimal groupings unless each node is equipped with enough information (e.g., routing information, topology information, etc.) in order to agree on a common selection of CNs 410 and capable of dynamically selecting a multicast group per set of collaborative CNs 410. Accordingly, in a completely distributed instantiation, each of the CNs 410 will autonomously select which other CN or CNs it will cooperate with. Since not all of the CNs 410 have the capabilities (nor the available topology and routing information) for choosing an optimal set, it is possible that some of them may select a sub-optimal solution.
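As an added illustration (not part of the patent or of Cisco's implementation), the following Python sketch models how a CASE might turn a set of Notifier_Discovery( ) records into Group_CN( ) assignments using the selection criteria just described: bad performers are demoted to listening mode, only CNs whose network scopes intersect are grouped, and a group is kept only when its members' capabilities are complementary. The thresholds, the multicast address range, and every CN record are constructed assumptions.

```python
"""Constructed example: CASE-style grouping of Collaborative Notifiers (CNs)
from Notifier_Discovery( ) records. The grouping rule is an illustrative
assumption, not the patent's algorithm."""
from dataclasses import dataclass
import ipaddress

BAD_ACT_SECONDS = 300.0   # assumption: ACT above this marks a bad performer
FAST_SLOW_RATIO = 2.0     # assumption: ACTs >= 2x apart count as a fast/slow mix
MULTICAST_BASE = ipaddress.IPv4Address("239.255.0.0")  # constructed admin-scoped range


@dataclass(frozen=True)
class NotifierDiscovery:
    cn_id: str
    segregator: str      # ML technique used for segregation, e.g. "clustering"
    attacks: frozenset   # attack labels the local DoS detector supports
    scope: frozenset     # PAN IDs, OSPF areas or AS numbers the CN can see
    act: float           # averaged convergence time in seconds


@dataclass
class GroupCN:
    members: list        # CN IDs that publish and receive flagged traffic
    listeners: list      # CN IDs joined in listening mode only
    multicast: str       # group address used for Traffic_Flagging( ) messages


def scopes_compatible(a, b):
    """Two CNs see at least one common network area, so they are likely
    to observe the same attack at the same time."""
    return bool(a.scope & b.scope)


def complementary(group):
    """A group is worth forming when members add something to one another:
    different segregator techniques, a fast/slow ACT mix, or attack coverage
    that no single member has on its own."""
    if len(group) < 2:
        return False
    kinds = {cn.segregator for cn in group}
    acts = [cn.act for cn in group]
    union_attacks = frozenset().union(*(cn.attacks for cn in group))
    return (len(kinds) > 1
            or max(acts) / min(acts) >= FAST_SLOW_RATIO
            or any(cn.attacks != union_attacks for cn in group))


def connected_groups(cns):
    """Connected components of the scope-compatibility graph, in input order."""
    remaining = list(cns)
    components = []
    while remaining:
        seed = remaining.pop(0)
        component, frontier = [seed], [seed]
        while frontier:
            current = frontier.pop()
            for other in list(remaining):
                if scopes_compatible(current, other):
                    remaining.remove(other)
                    component.append(other)
                    frontier.append(other)
        components.append(component)
    return components


def compute_groups(discoveries):
    """CASE step: set bad performers aside, cluster the rest by scope, keep
    only complementary clusters and give each one a multicast address.
    Bad performers whose scope overlaps a group are attached as listeners."""
    good = [d for d in discoveries if d.act <= BAD_ACT_SECONDS]
    bad = [d for d in discoveries if d.act > BAD_ACT_SECONDS]
    groups = []
    for component in connected_groups(good):
        if not complementary(component):
            continue
        listeners = [b.cn_id for b in bad
                     if any(scopes_compatible(b, m) for m in component)]
        address = str(MULTICAST_BASE + len(groups) + 1)
        groups.append(GroupCN(sorted(m.cn_id for m in component),
                              sorted(listeners), address))
    return groups


# Constructed Notifier_Discovery( ) records (not real devices).
SAMPLE_DISCOVERY = [
    NotifierDiscovery("far1", "clustering", frozenset({"syn_flood", "slowloris"}),
                      frozenset({"PAN-1", "PAN-2"}), 12.0),
    NotifierDiscovery("far2", "supervised", frozenset({"syn_flood", "http_recursive_get"}),
                      frozenset({"PAN-2"}), 48.0),
    # Two ABRs sharing AREA-1 but with identical capabilities: nothing to add.
    NotifierDiscovery("abr1", "supervised", frozenset({"syn_flood"}),
                      frozenset({"AREA-0", "AREA-1"}), 30.0),
    NotifierDiscovery("abr2", "supervised", frozenset({"syn_flood"}),
                      frozenset({"AREA-1"}), 31.0),
    # Isolated scope: no partner can see the same attack.
    NotifierDiscovery("far3", "clustering", frozenset({"syn_flood"}),
                      frozenset({"PAN-9"}), 5.0),
    # Bad performer overlapping PAN-1: joins in listening mode only.
    NotifierDiscovery("slow1", "supervised", frozenset({"slowloris"}),
                      frozenset({"PAN-1"}), 900.0),
]

if __name__ == "__main__":
    for group in compute_groups(SAMPLE_DISCOVERY):
        print(group)
```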
  • Referring now to FIG. 7, another component of this disclosure involves the collaborative flagging/segregation process. At this point, groups of collaborating CNs 410 have been computed and a multicast group 710 has been assigned, either using the CASE 520 or the distributed mode of operation. Once an attack is detected by a particular node and the CN 410 corresponding to the particular node has computed a set of flows F1, . . . , Fn marked as potentially attacking flows, the CN 410 may publish the set of flagged flows using a multicast message (e.g., the Traffic_Flagging( ) message 720) sent to the multicast group 710, such that the flows become available to all of the other CNs 410 that are a part of the same collaborative group. The Traffic_Flagging( ) message 720 may indicate the following:
  • 1. Set of flows F1, . . . , Fn: In one embodiment, the entire traces for each flow may be indicated in the message 720. In another embodiment, a subset of these flows (e.g., samples) may be indicated in the message 720. In yet another embodiment, the CN 410 may compute a model (e.g., a Mixed Gaussian Model or the like) for one or more of the flows, and the computed model may be indicated in the message 720.
  • 2. Degree of confidence: A degree of confidence that the respective CN's flagged data flows actually correspond to attack traffic can also be indicated in the message 720. The degree of confidence may be represented via a normalized vector that provides an indication (when available) of both the confidence of the DoS detector 440 and the performance of the segregator 420, thus indicating how confident the CN 410 is in its ability to detect a true attack and segregate the attacking flows.
  • 3. Origin of the attack: Assuming the information is available, the network ID of the DoS attack's origin can be indicated in the message 720. For example, if the device is a FAR attached to two PANs, it may include the PAN ID. If the node is an Area Border Router, it may list the open shortest path first (OSPF) areas where the segregated traffic has been detected.
  • In another component of this disclosure, feedback may be sent either to each CN 410 in the collaborative groups or to the CASE 520. The feedback may be provided in a feedback message (e.g., Feed-Back( )). This message may specify the accelerating factor of this collaborative mode, i.e., the amount by which the traffic segregation has been accelerated due to the collaborative efforts. Such a factor may help the CASE 520, for example, in further group assignments. Indeed, a local device hosting a segregator module 420 may be able, upon reception of a Traffic_Flagging( ) message 720 comprising a flagged attacking flow, to determine whether or not it had identified a corresponding cluster.
  • In particular, the information included in the Traffic_Flagging( ) message 720 can allow the CN 410 to check whether it is, in fact, observing malicious traffic and whether its classifier is detecting it. This allows computing a performance index for the local classifier against an established background truth. This feedback information can further be used in order to optimize the group assignment of CNs 410. It can also be used by the CN 410 for determining whether its local LM classifier is no longer capable of detecting attacks. In such a case, the CN 410 can raise an alarm for requesting a retraining of the local LM.
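The exchange described above, as an added example that is not part of the patent: a CN publishes a Traffic_Flagging( ) message, a peer CN compares the flagged flows with what it observes and what its own segregator caught, merges the trusted flows into its local segregation, and answers with a Feed-Back( ) message. The message names are the page's; the field names, the flow keys, the definition of the accelerating factor (flagged flows after the merge over flagged flows before), and the confidence and alarm thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# A flow key is a constructed (src, dst, dst_port) tuple; the real CN may
# carry full traces, samples or a fitted model instead.
Flow = Tuple[str, str, int]


@dataclass(frozen=True)
class TrafficFlagging:
    """Stand-in for the Traffic_Flagging() message 720 (field names assumed)."""
    sender_cn: str
    flows: FrozenSet[Flow]           # flows F1..Fn flagged by the sender's segregator
    confidence: Tuple[float, float]  # normalized (DoS detector, segregator) confidence
    origin: str = ""                 # attack origin network ID (PAN ID, OSPF area), "" if unknown


@dataclass(frozen=True)
class FeedBack:
    """Stand-in for the Feed-Back() message (field names assumed)."""
    cn_id: str
    peer_cn: str
    performance_index: float    # share of peer-flagged flows seen here that the local classifier caught
    accelerating_factor: float  # assumed definition: flagged flows after merge / flagged flows before
    retrain_alarm: bool         # local classifier missed too much trusted ground truth


class CollaboratingNode:
    """Minimal CN 410 plus segregator state: which flows it sees and which it flagged."""

    def __init__(self, cn_id: str, observed, local_flagged,
                 min_peer_confidence: float = 0.6, alarm_below: float = 0.5):
        self.cn_id = cn_id
        self.observed: FrozenSet[Flow] = frozenset(observed)
        self.local_flagged: set = set(local_flagged)
        self.min_peer_confidence = min_peer_confidence  # trust threshold for peer truth (assumed)
        self.alarm_below = alarm_below                  # performance index that triggers retraining (assumed)

    def publish(self, detector_conf: float, segregator_conf: float, origin: str = "") -> TrafficFlagging:
        """Build the multicast Traffic_Flagging() payload for this node's flagged flows."""
        for c in (detector_conf, segregator_conf):
            if not 0.0 <= c <= 1.0:
                raise ValueError("confidence vector must be normalized to [0, 1]")
        return TrafficFlagging(self.cn_id, frozenset(self.local_flagged),
                               (detector_conf, segregator_conf), origin)

    def on_traffic_flagging(self, msg: TrafficFlagging) -> Optional[FeedBack]:
        """Compare a peer's flagged flows with local observations and emit feedback."""
        if msg.sender_cn == self.cn_id:
            return None  # our own multicast echoed back
        shared = msg.flows & self.observed
        if not shared:
            return None  # we do not observe this traffic, so there is nothing to compare
        caught = shared & self.local_flagged
        performance_index = len(caught) / len(shared)
        before = len(self.local_flagged)
        # Adopt the peer's flagged flows that we also observe: the local segregation
        # jumps ahead instead of waiting for its own clustering to converge.
        self.local_flagged |= shared
        accelerating_factor = len(self.local_flagged) / max(before, 1)
        # Only a peer confident in both its detector and its segregator counts as ground truth.
        trusted = min(msg.confidence) >= self.min_peer_confidence
        retrain_alarm = trusted and performance_index < self.alarm_below
        return FeedBack(self.cn_id, msg.sender_cn, performance_index,
                        accelerating_factor, retrain_alarm)


# Constructed sample flows.
F1, F2, F3 = ("10.0.0.5", "10.0.1.9", 80), ("10.0.0.6", "10.0.1.9", 80), ("10.0.0.7", "10.0.1.9", 53)
F4, F5 = ("10.0.2.1", "10.0.1.9", 443), ("10.0.2.2", "10.0.1.9", 443)


def demo():
    """Node A flags F1..F3; B and C receive the message and answer with feedback."""
    a = CollaboratingNode("A", {F1, F2, F3}, {F1, F2, F3})
    msg = a.publish(0.9, 0.8, origin="PAN-7")
    b = CollaboratingNode("B", {F1, F2, F4, F5}, {F1})   # caught half of what it shares with A
    c = CollaboratingNode("C", {F1, F2, F3}, set())       # sees the attack, caught none of it
    return msg, b.on_traffic_flagging(msg), c.on_traffic_flagging(msg), b


if __name__ == "__main__":
    msg, fb_b, fb_c, _ = demo()
    print(msg)
    print(fb_b)
    print(fb_c)
```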
  • FIG. 8 illustrates an example simplified procedure for participating in a collaborative attack detection and mitigation group in accordance with one or more embodiments described herein. The procedure 800 may start at step 805, and continues to step 810, where, as described in greater detail above, a node in a network (e.g., any of controllers/servers 102 or nodes/devices 104 shown in FIG. 1) having a local DoS attack detection and mitigation system may be selected as a member in a collaborative group with other nodes in the network, where every node in the collaborative group has a respective local DoS attack detection and mitigation system. Thus, every node in that group may assist one another when performing attack traffic segregation, thereby increasing a quality and efficiency of the segregation process.
  • At step 810, a particular node in a network determines information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system. The particular node may host multiple modules, including, but not limited to, CN 410, segregator 420, aggregator 430, attack detector 440, and/or DRC 450, as shown in FIG. 4. As explained above, the CN 410 is operable to communicate with other network entities, including collaborating with other CNs in the network. The machine learning attack detection and mitigation system may include the segregator 420, aggregator 430, attack detector 440, and/or DRC 450. Thus, the machine learning attack detection and mitigation system is local to the CN 410, as it is hosted on the same node (e.g., the “particular node”) as the CN 410.
  • At step 815, the particular node sends a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information. The address may be, for example, an address of the CASE 520 or a multicast group address accessible by other CNs in the same collaborative group. The capabilities of the machine learning attack detection and mitigation system that is local to the particular node may involve, for example, one or more of: i) an attack traffic segregation technique used by the local machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the local machine learning attack detection and mitigation system, iii) a connectivity range of the local machine learning attack detection and mitigation system in the network, and/or iv) an average convergence time when the local machine learning attack detection and mitigation system performs attack traffic segregation.
  • In response to the sent message, at step 820, the particular node receives an indication that the node is a member of a collaborative group of nodes along with one or more other nodes in the network. The determination of the collaborative group of nodes may be based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes. The determination may be made by the CASE 520 or the nodes in the network themselves, where the determination is made in a distributed fashion. Further, the indication may be received via the Group_CN( ) message 610, as shown in FIG. 6.
  • At step 825, in response to an attack being detected by the local machine learning attack detection and mitigation system, the particular node provides to the collaborative group of nodes an indication of attack data flows identified as corresponding to the attack. To this end, the particular node may send the attack data flows to the multicast group 710, as shown in FIG. 7, which is shared and accessible by all of the nodes in the collaborative group of nodes. Therefore, the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes are enabled to assist the particular node in mitigating the attack. As a result, the mitigation (e.g., segregation) of attack traffic can be enhanced due to the contribution of increased resources from the machine learning attack detection and mitigation systems local to other nodes in the collaborative group, as described in more detail above.
  • The procedure illustratively ends at step 830. The techniques by which the steps of procedure 800 may be performed, as well as ancillary procedures and parameters, are described in detail above.
  • FIG. 9 illustrates an example simplified procedure for determining a collaborative attack detection and mitigation group in accordance with one or more embodiments described herein. The procedure 900 may start at step 905, and continues to step 910, where, as described in greater detail above, a centralized entity node in a network (e.g., any of controllers/servers 102 or nodes/devices 104 shown in FIG. 1) computes a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another, thereby enabling the machine learning attack detection and mitigation systems local to the collaborative group of nodes to assist one another in mitigating attacks in the network.
  • At step 910, a centralized entity node in a network receives messages from a plurality of nodes in the network indicating capabilities of a machine learning attack detection and mitigation system local to each respective node. For example, the centralized entity node may correspond to the CASE 520. The received messages may be sent via the Notifier_Discovery( ) message 510, as shown in FIG. 5.
  • At step 915, in response to the received messages, the centralized entity node computes a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another. For example, the set S of collaborative nodes may be selected such that the widest variety of traffic segregators 420 is used, e.g., mixing fast and slow convergence times. Also, the CASE 520 can select CNs 410 by avoiding bad performers while ensuring that the network scopes are compatible, since, for example, it is less likely that two very distant PANs will detect the same attack at the same time. Similarly, two distant autonomous system boundary routers (ASBR) may not benefit from such a collaboration if they are connected to autonomous systems (AS) with highly different characteristics. In yet another embodiment, the CASE 520 may make use of historical information. Namely, the recording of simultaneous attacks (which may be retrieved from a DoS attack historical database) may be used to group notifiers should the probability that these devices are exposed to the same attack cross some threshold.
  • Notably, it may be determined that the capabilities of the DoS attack detection and mitigation systems (e.g., elements 420, 430, 440 and 450) of the various CNs 410 are complementary to one another using any suitable approach, technique, or algorithm, as determined by the CASE 520 or the nodes themselves, such that the resources and capabilities of one CN 410 may complement, bolster, enhance, etc. those of another CN 410 within the same collaborative group. Accordingly, the machine learning attack detection and mitigation systems local to the collaborative group of nodes are enabled to assist one another in mitigating attacks in the network.
  • At step 920, the centralized entity node may send a message to the collaborative group of nodes identifying each node that is a member within the collaborative group of nodes. The message may be sent via the Group_CN( ) message 610, as shown in FIG. 6.
  • The procedure illustratively ends at step 925, though notably may begin again in response to receiving a feedback message indicating a degree to which the detecting and mitigating of an attack in the network has been enhanced due to the collaborative group of nodes. That is, the centralized entity node may re-compute the collaborative group of nodes based on the received feedback message by restarting procedure 900. Note also that the techniques by which the steps of procedure 900 may be performed, as well as ancillary procedures and parameters, are described in detail above.
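Procedure 900 on the CASE side, as an added example that is not part of the patent: capability messages are filtered for bad performers, scope compatibility is checked by equality, adjacency, or the historical probability of being hit by the same attack, and groups are built greedily so that each adds a new segregation technique, newly detectable attacks, or a fast/slow convergence mix. The Notifier_Discovery( ) and Group_CN( ) names are the page's; the field names, the 5-second fast/slow split, the scoring weights, the performance threshold and the multicast address format are assumptions.

```python
from dataclasses import dataclass
from itertools import count
from typing import FrozenSet, Iterable, List, Sequence, Set, Tuple

FAST_S = 5.0  # assumed split between "fast" and "slow" segregators (seconds)


@dataclass(frozen=True)
class NotifierDiscovery:
    """Stand-in for the Notifier_Discovery() message 510 (field names assumed)."""
    cn_id: str
    technique: str              # attack traffic segregation technique in use
    attacks: FrozenSet[str]     # attacks the local system can detect
    scope: str                  # connectivity range, e.g. a PAN ID or an OSPF area
    convergence_s: float        # average convergence time of traffic segregation
    performance: float          # 0..1, learned from earlier Feed-Back messages (assumed)


@dataclass(frozen=True)
class GroupCN:
    """Stand-in for the Group_CN() message 610 (field names assumed)."""
    group_id: str
    members: FrozenSet[str]
    multicast_group: str


def compatible(a: NotifierDiscovery, b: NotifierDiscovery, adjacency: Set[Tuple[str, str]],
               history: Sequence[Set[str]], co_attack_threshold: float) -> bool:
    """Scopes are compatible when equal, adjacent, or historically attacked together."""
    if a.scope == b.scope or (a.scope, b.scope) in adjacency or (b.scope, a.scope) in adjacency:
        return True
    if not history:
        return False
    together = sum(1 for event in history if a.cn_id in event and b.cn_id in event)
    return together / len(history) >= co_attack_threshold


def complementarity(cand: NotifierDiscovery, group: List[NotifierDiscovery]) -> float:
    """How much a candidate adds: new technique, newly detectable attacks, fast/slow mix."""
    techniques = {m.technique for m in group}
    attacks = set().union(*(m.attacks for m in group))
    has_fast = any(m.convergence_s <= FAST_S for m in group)
    has_slow = any(m.convergence_s > FAST_S for m in group)
    score = 1.0 if cand.technique not in techniques else 0.0
    score += 0.5 * len(cand.attacks - attacks)
    cand_fast = cand.convergence_s <= FAST_S
    if (cand_fast and not has_fast) or (not cand_fast and not has_slow):
        score += 1.0
    return score


def compute_groups(msgs: Iterable[NotifierDiscovery], adjacency: Set[Tuple[str, str]],
                   history: Sequence[Set[str]] = (), min_performance: float = 0.4,
                   co_attack_threshold: float = 0.5, max_size: int = 4) -> List[GroupCN]:
    """CASE-side grouping: drop bad performers, then greedily build complementary groups."""
    pool = sorted((m for m in msgs if m.performance >= min_performance),
                  key=lambda m: m.convergence_s)
    groups: List[GroupCN] = []
    ids = count(1)
    while pool:
        group = [pool.pop(0)]  # fastest remaining segregator seeds a new group
        while len(group) < max_size:
            # Every member must be scope-compatible with every other: no chaining of distant PANs.
            cands = [c for c in pool
                     if all(compatible(c, m, adjacency, history, co_attack_threshold) for m in group)]
            if not cands:
                break
            best = max(cands, key=lambda c: complementarity(c, group))
            pool.remove(best)
            group.append(best)
        n = next(ids)
        # The multicast group address is a constructed placeholder, one per group.
        groups.append(GroupCN(f"G{n}", frozenset(m.cn_id for m in group), f"ff0e::dd05:{n:x}"))
    return groups


# Constructed capability messages from five notifiers.
MSGS = [
    NotifierDiscovery("cn1", "kmeans", frozenset({"syn_flood", "udp_flood"}), "PAN-1", 2.0, 0.9),
    NotifierDiscovery("cn2", "gmm", frozenset({"http_flood"}), "PAN-1", 12.0, 0.8),
    NotifierDiscovery("cn3", "kmeans", frozenset({"syn_flood"}), "PAN-2", 3.0, 0.2),  # bad performer
    NotifierDiscovery("cn4", "dbscan", frozenset({"dns_amp"}), "PAN-2", 8.0, 0.7),
    NotifierDiscovery("cn5", "gmm", frozenset({"syn_flood"}), "PAN-9", 1.0, 0.95),    # distant PAN
]
ADJACENCY = {("PAN-1", "PAN-2")}
# Constructed DoS attack history: sets of notifiers hit by the same attack event.
HISTORY = [{"cn1", "cn5"}, {"cn1", "cn5"}, {"cn2", "cn4"}]


def demo() -> List[GroupCN]:
    return compute_groups(MSGS, ADJACENCY, HISTORY)


if __name__ == "__main__":
    for g in demo():
        print(g)
```

With the history, cn5 in the distant PAN-9 is grouped with cn1 because they were hit together in two of three recorded events; without it, cn5 ends up in a group of its own.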
  • It should be noted that while certain steps within procedures 800 and 900 may be optional, the steps shown in FIGS. 8 and 9 are merely examples for illustration, and certain other steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments herein. Moreover, while procedures 800 and 900 are described separately, certain steps from each procedure may be incorporated into each other procedure, and the procedures are not meant to be mutually exclusive.
  • The techniques described herein, therefore, offer a number of advantages in using the above collaborative techniques, including: 1) dramatically improving the overall performance of traffic segregation (i.e., identification of attacking traffic); 2) allowing low-end nodes to benefit from higher-end (e.g., performance-wise) nodes equipped with more sophisticated traffic flagging techniques; and 3) reducing the processing time nodes must spend on traffic identification (which may itself be the target of an attack, where the attacker purposely triggers heavy computation to steal CPU resources from the device).
  • While there have been shown and described illustrative embodiments that provide for traffic segregation in a DDoS attack architecture, it is to be understood that various other adaptations and modifications may be made within the spirit and scope of the embodiments herein. For example, while the techniques herein are described primarily with respect to DoS and DDoS attacks, the techniques herein may also be adapted for use with any type of network attack. In addition, while certain networks and topologies are described herein, the techniques may be applied more generally to any form of computer network.
  • The foregoing description has been directed to specific embodiments. It will be apparent, however, that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as an apparatus that comprises at least one network interface that communicates with a communication network, a processor coupled to the at least one network interface, and a memory configured to store program instructions executable by the processor. Further, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium (e.g., disks/CDs/RAM/EEPROM/etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof. Accordingly, this description is to be taken only by way of example and not to otherwise limit the scope of the embodiments herein. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the embodiments herein.

Claims (24)

What is claimed is:
1. A method, comprising:
determining, by a particular node in a network, information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system;
sending, from the particular node, a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information;
in response to the sent message, receiving, at the particular node, an indication that the node is a member of a collaborative group of nodes along with one or more other nodes in the network based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes; and
in response to an attack being detected by the local machine learning attack detection and mitigation system, providing, by the particular node to the collaborative group of nodes, an indication of attack data flows identified as corresponding to the attack, thereby enabling the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes to assist the particular node in mitigating the attack.
2. The method as in claim 1, wherein the capabilities of the local machine learning attack detection and mitigation system involve one or more of: i) an attack traffic segregation technique used by the local machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the local machine learning attack detection and mitigation system, iii) a connectivity range of the local machine learning attack detection and mitigation system in the network, and iv) an average convergence time when the local machine learning attack detection and mitigation system performs attack traffic segregation.
3. The method as in claim 1, wherein the sending of the message indicating capabilities of the local machine learning attack detection and mitigation system comprises:
sending, from the particular node, the message to a centralized entity node in the network that is configured to compute the collaborative group of nodes based on a determination that the capabilities of the local machine learning attack detection and mitigation system are complementary to the capabilities of the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
4. The method as in claim 1, wherein the sending of the message indicating capabilities of the local machine learning attack detection and mitigation system comprises:
sending, from the particular node, the message to an address in the network that is within communication range of other nodes in the network,
wherein the node and the other nodes are configured to compute the collaborative group of nodes based on a determination that the capabilities of the local machine learning attack detection and mitigation system are complementary to the capabilities of the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
5. The method as in claim 1, wherein the providing of the indication of the attack data flows to the collaborative group comprises:
sending, from the particular node, a multicast message indicating the attack data flows to an address in the network that is within communication range of the collaborative group of nodes, thereby enabling the collaborative group of nodes to access the multicast message.
6. The method as in claim 1, further comprising:
in response to the attack being detected by the local machine learning attack detection and mitigation system, providing, by the particular node to the collaborative group of nodes, an indication of one or more of i) a degree of confidence in the local machine learning attack detection and mitigation system's ability to detect and mitigate the attack and ii) an origin of the attack.
7. The method as in claim 1, further comprising:
sending, from the particular node, a feedback message indicating a degree to which the detecting and mitigating of the attack has been enhanced due to the collaborative group of nodes.
8. The method as in claim 1, further comprising:
receiving an indication of attack data flows identified as corresponding to a detected attack from a node of the collaborative group of nodes; and
assisting the node in mitigating the attack data flows using a local machine learning attack detection and mitigation system.
9. A method, comprising:
receiving, at a centralized entity node in a network, messages from a plurality of nodes in the network indicating capabilities of a machine learning attack detection and mitigation system local to each respective node;
in response to the received messages, computing, by the centralized entity node, a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another, wherein the machine learning attack detection and mitigation systems local to the collaborative group of nodes are enabled to assist one another in mitigating attacks in the network; and
sending, from the centralized entity node, a message to the collaborative group of nodes identifying each node that is a member within the collaborative group of nodes.
10. The method as in claim 9, wherein the capabilities of the machine learning attack detection and mitigation system involve one or more of: i) an attack traffic segregation technique used by the machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the machine learning attack detection and mitigation system, iii) a connectivity range of the machine learning attack detection and mitigation system in the network, and iv) an average convergence time when the machine learning attack detection and mitigation system performs attack traffic segregation.
11. The method as in claim 9, further comprising:
receiving, at the centralized entity node, a feedback message indicating a degree to which the detecting and mitigating of an attack in the network has been enhanced due to the collaborative group of nodes; and
re-computing, by the centralized entity node, the collaborative group of nodes based on the received feedback message.
12. The method as in claim 9, wherein the determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another is based on one or more of the following factors: i) a relationship between attack traffic segregation techniques used by the machine learning attack detection and mitigation systems, ii) a relationship between attacks that are detectable by the machine learning attack detection and mitigation systems, iii) a relationship between connectivity ranges of the machine learning attack detection and mitigation systems in the network, and iv) a relationship between average convergence times when the machine learning attack detection and mitigation systems perform attack traffic segregation.
13. An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the one or more network interfaces and configured to execute a process; and
a memory configured to store program instructions which include the process executable by the processor, the process comprising:
determining, as a particular node in the network, information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system;
sending, from the particular node, a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information;
in response to the sent message, receiving, at the particular node, an indication that the node is a member of a collaborative group of nodes along with one or more other nodes in the network based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of one or more other machine learning attack detection and mitigation systems local to the one or more other nodes; and
in response to an attack being detected by the local machine learning attack detection and mitigation system, providing, by the particular node to the collaborative group of nodes, an indication of attack data flows identified as corresponding to the attack, thereby enabling the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes to assist the particular node in mitigating the attack.
14. The apparatus as in claim 13, wherein the capabilities of the local machine learning attack detection and mitigation system involve one or more of: i) an attack traffic segregation technique used by the local machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the local machine learning attack detection and mitigation system, iii) a connectivity range of the local machine learning attack detection and mitigation system in the network, and iv) an average convergence time when the local machine learning attack detection and mitigation system performs attack traffic segregation.
15. The apparatus as in claim 13, wherein the sending of the message indicating capabilities of the local machine learning attack detection and mitigation system comprises:
sending, from the particular node, the message to a centralized entity node in the network that is configured to compute the collaborative group of nodes based on a determination that the capabilities of the local machine learning attack detection and mitigation system are complementary to the capabilities of the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
16. The apparatus as in claim 13, wherein the sending of the message indicating capabilities of the local machine learning attack detection and mitigation system comprises:
sending, from the particular node, the message to an address in the network that is within communication range of other nodes in the network,
wherein the node and the other nodes are configured to compute the collaborative group of nodes based on a determination that the capabilities of the local machine learning attack detection and mitigation system are complementary to the capabilities of the one or more other machine learning attack detection and mitigation systems local to the one or more other nodes.
17. The apparatus as in claim 13, wherein the providing of the indication of the attack data flows to the collaborative group comprises:
sending, from the particular node, a multicast message indicating the attack data flows to an address in the network that is within communication range of the collaborative group of nodes, thereby enabling the collaborative group of nodes to access the multicast message.
18. The apparatus as in claim 13, wherein the process further comprises:
in response to the attack being detected by the local machine learning attack detection and mitigation system, providing, by the particular node to the collaborative group of nodes, an indication of one or more of i) a degree of confidence in the local machine learning attack detection and mitigation system's ability to detect and mitigate the attack and ii) an origin of the attack.
19. The apparatus as in claim 13, wherein the process further comprises:
sending, from the particular node, a feedback message indicating a degree to which the detecting and mitigating of the attack has been enhanced due to the collaborative group of nodes.
20. The apparatus as in claim 19, wherein the process further comprises:
receiving an indication of attack data flows identified as corresponding to a detected attack from a node of the collaborative group of nodes; and
assisting the node in mitigating the attack data flows using a local machine learning attack detection and mitigation system.
21. An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the one or more network interfaces and configured to execute a process; and
a memory configured to store program instructions which include the process executable by the processor, the process comprising:
receiving, as a centralized entity node in the network, messages from a plurality of nodes in the network indicating capabilities of a machine learning attack detection and mitigation system local to each respective node;
in response to the received messages, computing, by the centralized entity node, a collaborative group of nodes based on a determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another, wherein the machine learning attack detection and mitigation systems local to the collaborative group of nodes are enabled to assist one another in mitigating attacks in the network; and
sending, from the centralized entity node, a message to the collaborative group of nodes identifying each node that is a member within the collaborative group of nodes.
22. The apparatus as in claim 21, wherein the capabilities of the machine learning attack detection and mitigation system involve one or more of: i) an attack traffic segregation technique used by the machine learning attack detection and mitigation system, ii) a list of attacks that are detectable by the machine learning attack detection and mitigation system, iii) a connectivity range of the machine learning attack detection and mitigation system in the network, and iv) an average convergence time when the machine learning attack detection and mitigation system performs attack traffic segregation.
23. The apparatus as in claim 21, wherein the process further comprises:
receiving, at the centralized entity node, a feedback message indicating a degree to which the detecting and mitigating of an attack in the network has been enhanced due to the collaborative group of nodes; and
re-computing, by the centralized entity node, the collaborative group of nodes based on the received feedback message.
24. The apparatus as in claim 21, wherein the determination that the capabilities of the machine learning attack detection and mitigation systems local to the collaborative group of nodes are complementary to one another is based on one or more of the following factors: i) a relationship between attack traffic segregation techniques used by the machine learning attack detection and mitigation systems, ii) a relationship between attacks that are detectable by the machine learning attack detection and mitigation systems, iii) a relationship between connectivity ranges of the machine learning attack detection and mitigation systems in the network, and iv) a relationship between average convergence times when the machine learning attack detection and mitigation systems perform attack traffic segregation.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
US14/339,255 (US9231965B1) | 2014-07-23 | 2014-07-23 | Traffic segregation in DDoS attack architecture

Publications (2)

Publication Number | Publication Date
US9231965B1 | 2016-01-05
US20160028755A1 | 2016-01-28

Family ID: 54939368 (one family application, US14/339,255, status Active)

Country Status (1)

Country | Link
US | US9231965B1

US10411978B1 (en) 2018-08-09 2019-09-10 Extrahop Networks, Inc. Correlating causes and effects associated with network activity
US10447648B2 (en) 2017-06-19 2019-10-15 Amazon Technologies, Inc. Assignment of a POP to a DNS resolver based on volume of communications over a link between client devices and the POP
US10469513B2 (en) 2016-10-05 2019-11-05 Amazon Technologies, Inc. Encrypted network addresses
US10469355B2 (en) 2015-03-30 2019-11-05 Amazon Technologies, Inc. Traffic surge management for points of presence
US10491534B2 (en) 2009-03-27 2019-11-26 Amazon Technologies, Inc. Managing resources and entries in tracking information in resource cache components
US10506029B2 (en) 2010-01-28 2019-12-10 Amazon Technologies, Inc. Content distribution network
US10503613B1 (en) 2017-04-21 2019-12-10 Amazon Technologies, Inc. Efficient serving of resources during server unavailability
US10511567B2 (en) 2008-03-31 2019-12-17 Amazon Technologies, Inc. Network resource identification
US10554748B2 (en) 2008-03-31 2020-02-04 Amazon Technologies, Inc. Content management
US10594709B2 (en) 2018-02-07 2020-03-17 Extrahop Networks, Inc. Adaptive network monitoring with tuneable elastic granularity
US10592578B1 (en) 2018-03-07 2020-03-17 Amazon Technologies, Inc. Predictive content push-enabled content delivery network
US10594718B1 (en) 2018-08-21 2020-03-17 Extrahop Networks, Inc. Managing incident response operations based on monitored network activity
US10616179B1 (en) 2015-06-25 2020-04-07 Amazon Technologies, Inc. Selective routing of domain name system (DNS) requests
US10623408B1 (en) 2012-04-02 2020-04-14 Amazon Technologies, Inc. Context sensitive object management
US10650621B1 (en) 2016-09-13 2020-05-12 Iocurrents, Inc. Interfacing with a vehicular controller area network
US10728126B2 (en) 2018-02-08 2020-07-28 Extrahop Networks, Inc. Personalization of alerts based on network monitoring
US10742677B1 (en) 2019-09-04 2020-08-11 Extrahop Networks, Inc. Automatic determination of user roles and asset types based on network monitoring
US10742530B1 (en) 2019-08-05 2020-08-11 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US10831549B1 (en) 2016-12-27 2020-11-10 Amazon Technologies, Inc. Multi-region request-driven code execution system
US10862852B1 (en) 2018-11-16 2020-12-08 Amazon Technologies, Inc. Resolution of domain name requests in heterogeneous network environments
US10938884B1 (en) 2017-01-30 2021-03-02 Amazon Technologies, Inc. Origin server cloaking using virtual private cloud network environments
US10944669B1 (en) 2018-02-09 2021-03-09 GoTenna, Inc. System and method for efficient network-wide broadcast in a multi-hop wireless network using packet echos
US10958501B1 (en) 2010-09-28 2021-03-23 Amazon Technologies, Inc. Request routing information based on client IP groupings
US10965702B2 (en) 2019-05-28 2021-03-30 Extrahop Networks, Inc. Detecting injection attacks using passive network monitoring
CN112702321A (en) * 2020-12-15 2021-04-23 深圳市快付通金融网络科技服务有限公司 Distributed transaction current limiting method, device, equipment and storage medium
US11025747B1 (en) 2018-12-12 2021-06-01 Amazon Technologies, Inc. Content request pattern-based routing system
US11075987B1 (en) 2017-06-12 2021-07-27 Amazon Technologies, Inc. Load estimating content delivery network
US11108729B2 (en) 2010-09-28 2021-08-31 Amazon Technologies, Inc. Managing request routing information utilizing client identifiers
US11165823B2 (en) 2019-12-17 2021-11-02 Extrahop Networks, Inc. Automated preemptive polymorphic deception
US11165831B2 (en) 2017-10-25 2021-11-02 Extrahop Networks, Inc. Inline secret sharing
US11165814B2 (en) 2019-07-29 2021-11-02 Extrahop Networks, Inc. Modifying triage information based on network monitoring
US11218506B2 (en) * 2018-12-17 2022-01-04 Microsoft Technology Licensing, LLC Session maturity model with trusted sources
US11290418B2 (en) 2017-09-25 2022-03-29 Amazon Technologies, Inc. Hybrid content request routing system
US11297688B2 (en) 2018-03-22 2022-04-05 goTenna Inc. Mesh network deployment kit
US11296967B1 (en) 2021-09-23 2022-04-05 Extrahop Networks, Inc. Combining passive network analysis and active probing
US11310256B2 (en) 2020-09-23 2022-04-19 Extrahop Networks, Inc. Monitoring encrypted network traffic
US11349861B1 (en) 2021-06-18 2022-05-31 Extrahop Networks, Inc. Identifying network entities based on beaconing activity
US11388072B2 (en) 2019-08-05 2022-07-12 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US11431744B2 (en) 2018-02-09 2022-08-30 Extrahop Networks, Inc. Detection of denial of service attacks
US11463466B2 (en) 2020-09-23 2022-10-04 Extrahop Networks, Inc. Monitoring encrypted network traffic
US11546153B2 (en) 2017-03-22 2023-01-03 Extrahop Networks, Inc. Managing session secrets for continuous packet capture systems
US11604667B2 (en) 2011-04-27 2023-03-14 Amazon Technologies, Inc. Optimized deployment based upon customer locality
US11811642B2 (en) 2018-07-27 2023-11-07 GoTenna, Inc. Vine™: zero-control routing using data packet inspection for wireless mesh networks
US11843606B2 (en) 2022-03-30 2023-12-12 Extrahop Networks, Inc. Detecting abnormal data access based on data similarity

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9411916B2 (en) * 2013-12-31 2016-08-09 Cisco Technology, Inc. Distributed approach for feature modeling using principal component analysis
US10015720B2 (en) 2014-03-14 2018-07-03 GoTenna, Inc. System and method for digital communication between computing devices
US10320813B1 (en) * 2015-04-30 2019-06-11 Amazon Technologies, Inc. Threat detection and mitigation in a virtualized computing environment
US10362373B2 (en) * 2016-01-07 2019-07-23 Cisco Technology, Inc. Network telemetry with byte distribution and cryptographic protocol data elements
BR112018073335A2 (en) * 2016-05-13 2019-02-26 Ericsson Telecomunicações S.A. Method, service function thread node, and computer readable storage media
US11232217B2 (en) 2018-12-06 2022-01-25 Oracle International Corporation Managing a security policy for a device
US20210226988A1 (en) * 2019-12-31 2021-07-22 Radware, Ltd. Techniques for disaggregated detection and mitigation of distributed denial-of-service attacks
CN111507262B (en) * 2020-04-17 2023-12-08 北京百度网讯科技有限公司 Method and apparatus for detecting living body
US11632393B2 (en) * 2020-10-16 2023-04-18 International Business Machines Corporation Detecting and mitigating malware by evaluating HTTP errors
CN115589323B (en) * 2022-10-18 2024-04-02 湖南大学 DLDoS attack detection and alleviation method based on machine learning in data plane

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7120934B2 (en) * 2000-03-30 2006-10-10 Ishikawa Mark M System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network
US7234168B2 (en) 2001-06-13 2007-06-19 Mcafee, Inc. Hierarchy-based method and apparatus for detecting attacks on a computer system
US7788718B1 (en) 2002-06-13 2010-08-31 Mcafee, Inc. Method and apparatus for detecting a distributed denial of service attack
US8423645B2 (en) 2004-09-14 2013-04-16 International Business Machines Corporation Detection of grid participation in a DDoS attack
US7690037B1 (en) * 2005-07-13 2010-03-30 Symantec Corporation Filtering training data for machine learning
CN101682626A (en) * 2007-05-24 2010-03-24 爱维技术解决方案私人有限公司 Method and system for simulating a hacking attack on a network
US8745731B2 (en) * 2008-04-03 2014-06-03 Microsoft Corporation Clustering botnet behavior using parameterized models
US8844033B2 (en) * 2008-05-27 2014-09-23 The Trustees Of Columbia University In The City Of New York Systems, methods, and media for detecting network anomalies using a trained probabilistic model
US20110194698A1 (en) * 2008-10-22 2011-08-11 Tomoyuki Asano Key Sharing System
US8375452B2 (en) * 2008-12-25 2013-02-12 Check Point Software Technologies Ltd Methods for user profiling for detecting insider threats based on internet search patterns and forensics of search keywords
US9166990B2 (en) 2009-02-09 2015-10-20 Hewlett-Packard Development Company, L.P. Distributed denial-of-service signature transmission
US20110072515A1 (en) 2009-09-22 2011-03-24 Electronics And Telecommunications Research Institute Method and apparatus for collaboratively protecting against distributed denial of service attack
US9106689B2 (en) * 2011-05-06 2015-08-11 Lockheed Martin Corporation Intrusion detection using MDL clustering
US20120307624A1 (en) * 2011-06-01 2012-12-06 Cisco Technology, Inc. Management of misbehaving nodes in a computer network
US8745737B2 (en) * 2011-12-29 2014-06-03 Verisign, Inc. Systems and methods for detecting similarities in network traffic
US8966637B2 (en) * 2013-02-08 2015-02-24 PhishMe, Inc. Performance benchmarking for simulated phishing attacks

Cited By (155)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9992303B2 (en) 2007-06-29 2018-06-05 Amazon Technologies, Inc. Request routing utilizing client location information
US10027582B2 (en) 2007-06-29 2018-07-17 Amazon Technologies, Inc. Updating routing information based on client location
US10158729B2 (en) 2008-03-31 2018-12-18 Amazon Technologies, Inc. Locality based content distribution
US10305797B2 (en) 2008-03-31 2019-05-28 Amazon Technologies, Inc. Request routing based on class
US9888089B2 (en) 2008-03-31 2018-02-06 Amazon Technologies, Inc. Client side cache management
US9894168B2 (en) 2008-03-31 2018-02-13 Amazon Technologies, Inc. Locality based content distribution
US10771552B2 (en) 2008-03-31 2020-09-08 Amazon Technologies, Inc. Content management
US10511567B2 (en) 2008-03-31 2019-12-17 Amazon Technologies, Inc. Network resource identification
US11451472B2 (en) 2008-03-31 2022-09-20 Amazon Technologies, Inc. Request routing based on class
US10157135B2 (en) 2008-03-31 2018-12-18 Amazon Technologies, Inc. Cache optimization
US10530874B2 (en) 2008-03-31 2020-01-07 Amazon Technologies, Inc. Locality based content distribution
US10554748B2 (en) 2008-03-31 2020-02-04 Amazon Technologies, Inc. Content management
US9887915B2 (en) 2008-03-31 2018-02-06 Amazon Technologies, Inc. Request routing based on class
US11245770B2 (en) 2008-03-31 2022-02-08 Amazon Technologies, Inc. Locality based content distribution
US10645149B2 (en) 2008-03-31 2020-05-05 Amazon Technologies, Inc. Content delivery reconciliation
US11194719B2 (en) 2008-03-31 2021-12-07 Amazon Technologies, Inc. Cache optimization
US9954934B2 (en) 2008-03-31 2018-04-24 Amazon Technologies, Inc. Content delivery reconciliation
US11909639B2 (en) 2008-03-31 2024-02-20 Amazon Technologies, Inc. Request routing based on class
US10797995B2 (en) 2008-03-31 2020-10-06 Amazon Technologies, Inc. Request routing based on class
US9912740B2 (en) 2008-06-30 2018-03-06 Amazon Technologies, Inc. Latency measurement in resource requests
US11115500B2 (en) 2008-11-17 2021-09-07 Amazon Technologies, Inc. Request routing utilizing client location information
US11283715B2 (en) 2008-11-17 2022-03-22 Amazon Technologies, Inc. Updating routing information based on client location
US10523783B2 (en) 2008-11-17 2019-12-31 Amazon Technologies, Inc. Request routing utilizing client location information
US9985927B2 (en) 2008-11-17 2018-05-29 Amazon Technologies, Inc. Managing content delivery network service providers by a content broker
US10116584B2 (en) 2008-11-17 2018-10-30 Amazon Technologies, Inc. Managing content delivery network service providers
US11811657B2 (en) 2008-11-17 2023-11-07 Amazon Technologies, Inc. Updating routing information based on client location
US10742550B2 (en) 2008-11-17 2020-08-11 Amazon Technologies, Inc. Updating routing information based on client location
US10264062B2 (en) 2009-03-27 2019-04-16 Amazon Technologies, Inc. Request routing using a popularity identifier to identify a cache component
US10574787B2 (en) 2009-03-27 2020-02-25 Amazon Technologies, Inc. Translation of resource identifiers using popularity information upon client request
US10230819B2 (en) 2009-03-27 2019-03-12 Amazon Technologies, Inc. Translation of resource identifiers using popularity information upon client request
US10491534B2 (en) 2009-03-27 2019-11-26 Amazon Technologies, Inc. Managing resources and entries in tracking information in resource cache components
US10521348B2 (en) 2009-06-16 2019-12-31 Amazon Technologies, Inc. Managing resources using resource expiration data
US10162753B2 (en) 2009-06-16 2018-12-25 Amazon Technologies, Inc. Managing resources using resource expiration data
US10783077B2 (en) 2009-06-16 2020-09-22 Amazon Technologies, Inc. Managing resources using resource expiration data
US10135620B2 (en) 2009-09-04 2018-11-20 Amazon Technologies, Inc. Managing secure content in a content delivery network
US10785037B2 (en) 2009-09-04 2020-09-22 Amazon Technologies, Inc. Managing secure content in a content delivery network
US10218584B2 (en) 2009-10-02 2019-02-26 Amazon Technologies, Inc. Forward-based resource delivery network management techniques
US9893957B2 (en) 2009-10-02 2018-02-13 Amazon Technologies, Inc. Forward-based resource delivery network management techniques
US10506029B2 (en) 2010-01-28 2019-12-10 Amazon Technologies, Inc. Content distribution network
US11205037B2 (en) 2010-01-28 2021-12-21 Amazon Technologies, Inc. Content distribution network
US10225322B2 (en) 2010-09-28 2019-03-05 Amazon Technologies, Inc. Point of presence management in request routing
US11336712B2 (en) 2010-09-28 2022-05-17 Amazon Technologies, Inc. Point of presence management in request routing
US11108729B2 (en) 2010-09-28 2021-08-31 Amazon Technologies, Inc. Managing request routing information utilizing client identifiers
US10079742B1 (en) 2010-09-28 2018-09-18 Amazon Technologies, Inc. Latency measurement in resource requests
US10778554B2 (en) 2010-09-28 2020-09-15 Amazon Technologies, Inc. Latency measurement in resource requests
US10015237B2 (en) 2010-09-28 2018-07-03 Amazon Technologies, Inc. Point of presence management in request routing
US10958501B1 (en) 2010-09-28 2021-03-23 Amazon Technologies, Inc. Request routing information based on client IP groupings
US11632420B2 (en) 2010-09-28 2023-04-18 Amazon Technologies, Inc. Point of presence management in request routing
US10097398B1 (en) 2010-09-28 2018-10-09 Amazon Technologies, Inc. Point of presence management in request routing
US10931738B2 (en) 2010-09-28 2021-02-23 Amazon Technologies, Inc. Point of presence management in request routing
US10951725B2 (en) 2010-11-22 2021-03-16 Amazon Technologies, Inc. Request routing processing
US9930131B2 (en) 2010-11-22 2018-03-27 Amazon Technologies, Inc. Request routing processing
US11604667B2 (en) 2011-04-27 2023-03-14 Amazon Technologies, Inc. Optimized deployment based upon customer locality
US10021179B1 (en) 2012-02-21 2018-07-10 Amazon Technologies, Inc. Local resource delivery network
US10623408B1 (en) 2012-04-02 2020-04-14 Amazon Technologies, Inc. Context sensitive object management
US10225362B2 (en) 2012-06-11 2019-03-05 Amazon Technologies, Inc. Processing DNS queries to identify pre-processing information
US11729294B2 (en) 2012-06-11 2023-08-15 Amazon Technologies, Inc. Processing DNS queries to identify pre-processing information
US11303717B2 (en) 2012-06-11 2022-04-12 Amazon Technologies, Inc. Processing DNS queries to identify pre-processing information
US10015241B2 (en) 2012-09-20 2018-07-03 Amazon Technologies, Inc. Automated profiling of resource usage
US10542079B2 (en) 2012-09-20 2020-01-21 Amazon Technologies, Inc. Automated profiling of resource usage
US10205698B1 (en) 2012-12-19 2019-02-12 Amazon Technologies, Inc. Source-dependent address resolution
US10645056B2 (en) 2012-12-19 2020-05-05 Amazon Technologies, Inc. Source-dependent address resolution
US10374955B2 (en) 2013-06-04 2019-08-06 Amazon Technologies, Inc. Managing network computing components utilizing request routing
US9929959B2 (en) 2013-06-04 2018-03-27 Amazon Technologies, Inc. Managing network computing components utilizing request routing
US10728133B2 (en) 2014-12-18 2020-07-28 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US10091096B1 (en) 2014-12-18 2018-10-02 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US11381487B2 (en) 2014-12-18 2022-07-05 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US10097448B1 (en) 2014-12-18 2018-10-09 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US11863417B2 (en) 2014-12-18 2024-01-02 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US10033627B1 (en) 2014-12-18 2018-07-24 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US10225326B1 (en) 2015-03-23 2019-03-05 Amazon Technologies, Inc. Point of presence based data uploading
US11297140B2 (en) 2015-03-23 2022-04-05 Amazon Technologies, Inc. Point of presence based data uploading
US9887932B1 (en) 2015-03-30 2018-02-06 Amazon Technologies, Inc. Traffic surge management for points of presence
US9887931B1 (en) 2015-03-30 2018-02-06 Amazon Technologies, Inc. Traffic surge management for points of presence
US10469355B2 (en) 2015-03-30 2019-11-05 Amazon Technologies, Inc. Traffic surge management for points of presence
US10691752B2 (en) 2015-05-13 2020-06-23 Amazon Technologies, Inc. Routing based request correlation
US11461402B2 (en) 2015-05-13 2022-10-04 Amazon Technologies, Inc. Routing based request correlation
US10180993B2 (en) 2015-05-13 2019-01-15 Amazon Technologies, Inc. Routing based request correlation
US10616179B1 (en) 2015-06-25 2020-04-07 Amazon Technologies, Inc. Selective routing of domain name system (DNS) requests
US10097566B1 (en) 2015-07-31 2018-10-09 Amazon Technologies, Inc. Identifying targets of network attacks
US9774619B1 (en) * 2015-09-24 2017-09-26 Amazon Technologies, Inc. Mitigating network attacks
US10200402B2 (en) * 2015-09-24 2019-02-05 Amazon Technologies, Inc. Mitigating network attacks
US11134134B2 (en) 2015-11-10 2021-09-28 Amazon Technologies, Inc. Routing for origin-facing points of presence
US10270878B1 (en) 2015-11-10 2019-04-23 Amazon Technologies, Inc. Routing for origin-facing points of presence
US10049051B1 (en) 2015-12-11 2018-08-14 Amazon Technologies, Inc. Reserved cache space in content delivery networks
US10257307B1 (en) 2015-12-11 2019-04-09 Amazon Technologies, Inc. Reserved cache space in content delivery networks
US10348639B2 (en) 2015-12-18 2019-07-09 Amazon Technologies, Inc. Use of virtual endpoints to improve data transmission rates
US10204211B2 (en) 2016-02-03 2019-02-12 Extrahop Networks, Inc. Healthcare operations with passive network monitoring
US10075551B1 (en) 2016-06-06 2018-09-11 Amazon Technologies, Inc. Request management for hierarchical cache
US10666756B2 (en) 2016-06-06 2020-05-26 Amazon Technologies, Inc. Request management for hierarchical cache
US11463550B2 (en) 2016-06-06 2022-10-04 Amazon Technologies, Inc. Request management for hierarchical cache
US10110694B1 (en) 2016-06-29 2018-10-23 Amazon Technologies, Inc. Adaptive transfer rate for retrieving content from a server
US11457088B2 (en) 2016-06-29 2022-09-27 Amazon Technologies, Inc. Adaptive transfer rate for retrieving content from a server
US10382303B2 (en) 2016-07-11 2019-08-13 Extrahop Networks, Inc. Anomaly detection using device relationship graphs
US9992086B1 (en) 2016-08-23 2018-06-05 Amazon Technologies, Inc. External health checking of virtual private cloud network environments
US10516590B2 (en) 2016-08-23 2019-12-24 Amazon Technologies, Inc. External health checking of virtual private cloud network environments
US10033691B1 (en) 2016-08-24 2018-07-24 Amazon Technologies, Inc. Adaptive resolution of domain name requests in virtual private cloud network environments
US10469442B2 (en) 2016-08-24 2019-11-05 Amazon Technologies, Inc. Adaptive resolution of domain name requests in virtual private cloud network environments
US11232655B2 (en) 2016-09-13 2022-01-25 Iocurrents, Inc. System and method for interfacing with a vehicular controller area network
US10650621B1 (en) 2016-09-13 2020-05-12 Iocurrents, Inc. Interfacing with a vehicular controller area network
US10616250B2 (en) 2016-10-05 2020-04-07 Amazon Technologies, Inc. Network addresses with encoded DNS-level information
US10469513B2 (en) 2016-10-05 2019-11-05 Amazon Technologies, Inc. Encrypted network addresses
US11330008B2 (en) 2016-10-05 2022-05-10 Amazon Technologies, Inc. Network addresses with encoded DNS-level information
US10505961B2 (en) 2016-10-05 2019-12-10 Amazon Technologies, Inc. Digitally signed network address
US11762703B2 (en) 2016-12-27 2023-09-19 Amazon Technologies, Inc. Multi-region request-driven code execution system
US10831549B1 (en) 2016-12-27 2020-11-10 Amazon Technologies, Inc. Multi-region request-driven code execution system
US10372499B1 (en) 2016-12-27 2019-08-06 Amazon Technologies, Inc. Efficient region selection system for executing request-driven code
US10938884B1 (en) 2017-01-30 2021-03-02 Amazon Technologies, Inc. Origin server cloaking using virtual private cloud network environments
US11546153B2 (en) 2017-03-22 2023-01-03 Extrahop Networks, Inc. Managing session secrets for continuous packet capture systems
US10503613B1 (en) 2017-04-21 2019-12-10 Amazon Technologies, Inc. Efficient serving of resources during server unavailability
US11075987B1 (en) 2017-06-12 2021-07-27 Amazon Technologies, Inc. Load estimating content delivery network
US10447648B2 (en) 2017-06-19 2019-10-15 Amazon Technologies, Inc. Assignment of a POP to a DNS resolver based on volume of communications over a link between client devices and the POP
US10382296B2 (en) * 2017-08-29 2019-08-13 Extrahop Networks, Inc. Classifying applications or activities based on network behavior
US11290418B2 (en) 2017-09-25 2022-03-29 Amazon Technologies, Inc. Hybrid content request routing system
US11165831B2 (en) 2017-10-25 2021-11-02 Extrahop Networks, Inc. Inline secret sharing
US11665207B2 (en) 2017-10-25 2023-05-30 Extrahop Networks, Inc. Inline secret sharing
US10979282B2 (en) 2018-02-07 2021-04-13 Extrahop Networks, Inc. Ranking alerts based on network monitoring
US10389574B1 (en) 2018-02-07 2019-08-20 Extrahop Networks, Inc. Ranking alerts based on network monitoring
US10594709B2 (en) 2018-02-07 2020-03-17 Extrahop Networks, Inc. Adaptive network monitoring with tuneable elastic granularity
US11463299B2 (en) 2018-02-07 2022-10-04 Extrahop Networks, Inc. Ranking alerts based on network monitoring
US10728126B2 (en) 2018-02-08 2020-07-28 Extrahop Networks, Inc. Personalization of alerts based on network monitoring
US11750505B1 (en) 2018-02-09 2023-09-05 goTenna Inc. System and method for efficient network-wide broadcast in a multi-hop wireless network using packet echos
US10944669B1 (en) 2018-02-09 2021-03-09 GoTenna, Inc. System and method for efficient network-wide broadcast in a multi-hop wireless network using packet echos
US11431744B2 (en) 2018-02-09 2022-08-30 Extrahop Networks, Inc. Detection of denial of service attacks
US10592578B1 (en) 2018-03-07 2020-03-17 Amazon Technologies, Inc. Predictive content push-enabled content delivery network
US11297688B2 (en) 2018-03-22 2022-04-05 goTenna Inc. Mesh network deployment kit
US10277618B1 (en) 2018-05-18 2019-04-30 Extrahop Networks, Inc. Privilege inference and monitoring based on network behavior
US11811642B2 (en) 2018-07-27 2023-11-07 GoTenna, Inc. Vine™: zero-control routing using data packet inspection for wireless mesh networks
US11012329B2 (en) 2018-08-09 2021-05-18 Extrahop Networks, Inc. Correlating causes and effects associated with network activity
US11496378B2 (en) 2018-08-09 2022-11-08 Extrahop Networks, Inc. Correlating causes and effects associated with network activity
US10411978B1 (en) 2018-08-09 2019-09-10 Extrahop Networks, Inc. Correlating causes and effects associated with network activity
US10594718B1 (en) 2018-08-21 2020-03-17 Extrahop Networks, Inc. Managing incident response operations based on monitored network activity
US11323467B2 (en) 2018-08-21 2022-05-03 Extrahop Networks, Inc. Managing incident response operations based on monitored network activity
US11362986B2 (en) 2018-11-16 2022-06-14 Amazon Technologies, Inc. Resolution of domain name requests in heterogeneous network environments
US10862852B1 (en) 2018-11-16 2020-12-08 Amazon Technologies, Inc. Resolution of domain name requests in heterogeneous network environments
US11025747B1 (en) 2018-12-12 2021-06-01 Amazon Technologies, Inc. Content request pattern-based routing system
US11218506B2 (en) * 2018-12-17 2022-01-04 Microsoft Technology Licensing, LLC Session maturity model with trusted sources
US10965702B2 (en) 2019-05-28 2021-03-30 Extrahop Networks, Inc. Detecting injection attacks using passive network monitoring
US11706233B2 (en) 2019-05-28 2023-07-18 Extrahop Networks, Inc. Detecting injection attacks using passive network monitoring
US11165814B2 (en) 2019-07-29 2021-11-02 Extrahop Networks, Inc. Modifying triage information based on network monitoring
US11438247B2 (en) 2019-08-05 2022-09-06 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US10742530B1 (en) 2019-08-05 2020-08-11 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US11388072B2 (en) 2019-08-05 2022-07-12 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US11652714B2 (en) 2019-08-05 2023-05-16 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US11463465B2 (en) 2019-09-04 2022-10-04 Extrahop Networks, Inc. Automatic determination of user roles and asset types based on network monitoring
US10742677B1 (en) 2019-09-04 2020-08-11 Extrahop Networks, Inc. Automatic determination of user roles and asset types based on network monitoring
US11165823B2 (en) 2019-12-17 2021-11-02 Extrahop Networks, Inc. Automated preemptive polymorphic deception
US11310256B2 (en) 2020-09-23 2022-04-19 Extrahop Networks, Inc. Monitoring encrypted network traffic
US11463466B2 (en) 2020-09-23 2022-10-04 Extrahop Networks, Inc. Monitoring encrypted network traffic
US11558413B2 (en) 2020-09-23 2023-01-17 Extrahop Networks, Inc. Monitoring encrypted network traffic
CN112702321A (en) * 2020-12-15 2021-04-23 深圳市快付通金融网络科技服务有限公司 Distributed transaction current limiting method, device, equipment and storage medium
US11349861B1 (en) 2021-06-18 2022-05-31 Extrahop Networks, Inc. Identifying network entities based on beaconing activity
US11296967B1 (en) 2021-09-23 2022-04-05 Extrahop Networks, Inc. Combining passive network analysis and active probing
US11916771B2 (en) 2021-09-23 2024-02-27 Extrahop Networks, Inc. Combining passive network analysis and active probing
US11843606B2 (en) 2022-03-30 2023-12-12 Extrahop Networks, Inc. Detecting abnormal data access based on data similarity

Also Published As

Publication number Publication date
US9231965B1 (en) 2016-01-05

Similar Documents

Publication Publication Date Title
US9231965B1 (en) Traffic segregation in DDoS attack architecture
US10200404B2 (en) Behavioral white labeling
US9407646B2 (en) Applying a mitigation specific attack detector using machine learning
US9635050B2 (en) Distributed supervised architecture for traffic segregation under attack
US9450972B2 (en) Network attack detection using combined probabilities
US9497215B2 (en) Stealth mitigation for simulating the success of an attack
US9705914B2 (en) Signature creation for unknown attacks
US9922196B2 (en) Verifying network attack detector effectiveness
EP3140975B1 (en) Distributed voting mechanism for attack detection
EP3172885B1 (en) Hierarchical attack detection in a network
EP2890079B1 (en) Attack mitigation using learning machines
US9450978B2 (en) Hierarchical event detection in a computer network
US9641542B2 (en) Dynamic tuning of attack detector performance
US11005728B2 (en) Designating a voting classifier using distributed learning machines
US10038713B2 (en) Predicted attack detection rates along a network path
EP3143744B1 (en) Voting strategy optimization using distributed classifiers

Legal Events

Date Code Title Description
AS Assignment

Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:VASSEUR, JEAN-PHILIPPE;DI PIETRO, ANDREA;CRUZ MOTA, JAVIER;REEL/FRAME:033384/0972

Effective date: 20140715

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8