Patent application number | Description | Published |
20150186642 | QUARANTINE-BASED MITIGATION OF EFFECTS OF A LOCAL DOS ATTACK - In one embodiment, techniques are shown and described relating to quarantine-based mitigation of effects of a local DoS attack. A management device may receive data indicating that one or more nodes in a shared-media communication network are under attack by an attacking node. The management device may then communicate a quarantine request packet to the one or more nodes under attack, the quarantine request packet providing instructions to the one or more nodes under attack to alter their frequency hopping schedule without allowing the attacking node to learn of the altered frequency hopping schedule. | 07-02-2015 |
20150186775 | DISTRIBUTED APPROACH FOR FEATURE MODELING USING PRINCIPAL COMPONENT ANALYSIS - In one embodiment, techniques are shown and described relating to a distributed approach for feature modeling on an LLN using principal component analysis. In one specific embodiment, a computer network has a plurality of nodes and a router. The router is configured to select one or more nodes of the plurality of nodes that will collaborate with the router for collectively computing a model of respective features for input to a Principal Component Analysis (PCA) model. In addition, the selected one or more nodes and the router are configured to perform a distributed computation of a PCA model between the router and the selected one or more nodes. | 07-02-2015 |
20150188934 | CONTROL LOOP CONTROL USING BROADCAST CHANNEL TO COMMUNICATE WITH A NODE UNDER ATTACK - In one embodiment, a control loop control using a broadcast channel may be used to communicate with a node under attack. A management device may receive data indicating that one or more nodes in a computer network are under attack. The management device may then determine that one or more intermediate nodes are in proximity to the one or more nodes under attack, and communicate an attack-mitigation packet to the one or more nodes under attack by using the one or more intermediate nodes to relay the attack-mitigation packet to the one or more nodes under attack. | 07-02-2015 |
20150188935 | ATTACK MITIGATION USING LEARNING MACHINES - In one embodiment, techniques are shown and described relating to attack mitigation using learning machines. A node may receive network traffic data for a computer network, and then predict a probability that one or more nodes are under attack based on the network traffic data. The node may then decide to mitigate a predicted attack by instructing nodes to forward network traffic on an alternative route without altering an existing routing topology of the computer network to reroute network communication around the one or more nodes under attack, and in response, the node may communicate an attack notification message to the one or more nodes under attack. | 07-02-2015 |
20150193693 | LEARNING MODEL SELECTION IN A DISTRIBUTED NETWORK - In one embodiment, local model parameters are generated by training a machine learning model at a device in a computer network using a local data set. One or more other devices in the network are identified that have trained machine learning models using remote data sets that are similar to the local data set. The local model parameters are provided to the one or more other devices to cause the one or more other devices to generate performance metrics using the provided model parameters. Performance metrics for model parameters are received from the one or more other devices and a global set of model parameters is selected for the device and the one or more other devices using the received performance metrics. | 07-09-2015 |
20150193694 | DISTRIBUTED LEARNING IN A COMPUTER NETWORK - In one embodiment, a first data set is received by a network device that is indicative of the statuses of a plurality of network devices when a type of network attack is not present. A second data set is also received that is indicative of the statuses of the plurality of network devices when the type of network attack is present. At least one of the plurality simulates the type of network attack by operating as an attacking node. A machine learning model is trained using the first and second data set to identify the type of network attack. A real network attack is then identified using the trained machine learning model. | 07-09-2015 |
20150193695 | DISTRIBUTED MODEL TRAINING - In one embodiment, a device determines that a machine learning model is to be trained by a plurality of devices in a network. A set of training devices are identified from among the plurality of devices to train the model, with each of the training devices having a local set of training data. An instruction is then sent to each of the training devices that is configured to cause a training device to receive model parameters from a first training device in the set, use the parameters with at least a portion of the local set of training data to generate new model parameters, and forward the new model parameters to a second training device in the set. Model parameters from the training devices are also received that have been trained using a global set of training data that includes the local sets of training data on the training devices. | 07-09-2015 |
20150193696 | HIERARCHICAL EVENT DETECTION IN A COMPUTER NETWORK - In one embodiment, network data is received at a first node in a computer network. A low precision machine learning model is used on the network data to detect a network event. A notification is then sent to a second node in the computer network that the network event was detected, to cause the second node to use a high precision machine learning model to validate the detected network event. | 07-09-2015 |
20150193697 | CROSS-VALIDATION OF A LEARNING MACHINE MODEL ACROSS NETWORK DEVICES - In one embodiment, a first network device receives a notification that the first network device has been selected to validate a machine learning model for a second network device. The first network device receives model parameters for the machine learning model that were generated by the second network device using training data on the second network device. The model parameters are used with local data on the first network device to determine performance metrics for the model parameters. The performance metrics are then provided to the second network device. | 07-09-2015 |
20150195145 | SCHEDULING A NETWORK ATTACK TO TRAIN A MACHINE LEARNING MODEL - In one embodiment, a device evaluates a set of training data for a machine learning model to identify a missing feature subset in a feature space of the set of training data. The device identifies a plurality of network nodes eligible to initiate an attack on a network to generate the missing feature subset. One or more attack nodes are selected from among the plurality of network nodes. An attack routine is provided to the one or more attack nodes to cause the one or more attack nodes to initiate the attack. An indication that the attack has completed is then received from the one or more attack nodes. | 07-09-2015 |
20150195146 | FEATURE AGGREGATION IN A COMPUTER NETWORK - In one embodiment, a device determines that input data to a machine learning model sent from a plurality of source nodes to an aggregation node is causing network congestion. A set of one or more other nodes to perform aggregation of the machine learning model input data is selected. A type of aggregation to be performed by the set of one or more other nodes is also selected. The set of one or more other nodes is also instructed to perform the selected type of aggregation on the data sent from the source nodes. | 07-09-2015 |
20150195216 | USING LEARNING MACHINE-BASED PREDICTION IN MULTI-HOPPING NETWORKS - In one embodiment, statistical information is collected relating to one or both of communication link quality or channel quality in a frequency-hopping network, in which packets are sent according to a frequency-hopping schedule that defines one or more timeslots, each timeslot corresponding to a transmission frequency. Also, a performance metric of a particular transmission frequency corresponding to a scheduled timeslot is predicted based on the collected statistical information. Based on the predicted performance metric, it is determined whether a transmitting node in the frequency-hopping network should transmit a packet during the scheduled timeslot using the particular transmission channel or wait until a subsequent timeslot to transmit the packet using another transmission frequency. | 07-09-2015 |
20150195296 | ANOMALY DETECTION IN A COMPUTER NETWORK - In one embodiment, a training request is sent to a plurality of nodes in a network to cause the nodes to generate statistics regarding unicast and broadcast message reception rates associated with the nodes. The statistics are received from the nodes and a statistical model is generated using the received statistics and is configured to detect a network attack by comparing unicast and broadcast message reception statistics. The statistical model is then provided to the nodes and an indication that a network attack was detected by a particular node is received from the particular node. | 07-09-2015 |
20150324582 | DISTRIBUTED VOTING MECHANISM FOR ATTACK DETECTION - In one embodiment, a network node receives a voting request from a neighboring node that indicates a potential network attack. The network node determines a set of feature values to be used as input to a classifier based on the voting request. The network node also determines whether the potential network attack is present by using the set of feature values as input to the classifier. The network node further sends a vote to the neighboring node that indicates whether the potential network attack was determined to be present. | 11-12-2015 |
20150326450 | VOTING STRATEGY OPTIMIZATION USING DISTRIBUTED CLASSIFIERS - In one embodiment, voting optimization requests that identify a validation data set are sent to a plurality of network nodes. Voting optimization data is received from the plurality of network nodes that was generated by executing classifiers using the validation data set. A set of one or more voting classifiers is then selected from among the classifiers based on the voting optimization data. One or more network nodes that host a voting classifier in the set of one or more selected voting classifiers is then notified of the selection. | 11-12-2015 |
20150326598 | PREDICTED ATTACK DETECTION RATES ALONG A NETWORK PATH - In one embodiment, attack detectability metrics are received from nodes along a path in a network. The attack detectability metrics from the nodes along the path are used to compute a path attack detectability value. A determination is made as to whether the path attack detectability value satisfies a network policy and one or more routing paths in the network are adjusted based on the path attack detectability value not satisfying the network policy. | 11-12-2015 |
20150326609 | DESIGNATING A VOTING CLASSIFIER USING DISTRIBUTED LEARNING MACHINES - In one embodiment, possible voting nodes in a network are identified. The possible voting nodes each execute a classifier that is configured to select a label from among a plurality of labels based on a set of input features. A set of one or more eligible voting nodes is selected from among the possible voting nodes based on a network policy. Voting requests are then provided to the one or more eligible voting nodes that cause the one or more eligible voting nodes to select labels from among the plurality of labels. Votes are received from the eligible voting nodes that include the selected labels and are used to determine a voting result. | 11-12-2015 |
20150334123 | GROUND TRUTH EVALUATION FOR VOTING OPTIMIZATION - In one embodiment, attack observations by a first node are provided to a user interface device regarding an attack detected by the node. Input from the user interface device is received that confirms that a particular attack observation by the first node indicates that the attack was detected correctly by the first node. Attack observations by one or more other nodes are provided to the user interface device. Input is received from the user interface device that confirms whether the attack observations by the first node and the attack observations by the one or more other nodes are both related to the attack. The one or more other nodes are identified as potential voters for the first node in a voting-based attack detection mechanism based on the attack observations from the first node and the one or more other nodes being related. | 11-19-2015 |
20160028750 | SIGNATURE CREATION FOR UNKNOWN ATTACKS - In one embodiment, a device in a network generates an expected traffic model based on a training set of data used to train a machine learning attack detector. The device provides the expected traffic model to one or more nodes in the network. The device receives an unexpected behavior notification from a particular node of the one or more nodes. The particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior by the node. The particular node also prevents the machine learning attack detector from analyzing the observed traffic behavior. The device updates the machine learning attack detector to account for the observed traffic behavior. | 01-28-2016 |
20160028751 | NETWORK ATTACK DETECTION USING COMBINED PROBABILITIES - In one embodiment, a device in a network receives a set of output label dependencies for a set of attack detectors. The device identifies applied labels that were applied by the attack detectors to input data regarding a network, the applied labels being associated with probabilities. The device determines a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels. The device selects one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels. | 01-28-2016 |
20160028752 | HIERARCHICAL ATTACK DETECTION IN A NETWORK - In one embodiment, a device in a network identifies a set of traffic flow records that triggered an attack detector. The device selects a subset of the traffic flow records and calculates aggregated metrics for the subset. The device provides the aggregated metrics for the subset to the attack detector to generate an attack detection determination for the subset of traffic flow records. The device identifies one or more attack traffic flows from the set of traffic flow records based on the attack detection determination for the subset of traffic flow records. | 01-28-2016 |
20160028753 | VERIFYING NETWORK ATTACK DETECTOR EFFECTIVENESS - In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device. | 01-28-2016 |
20160028754 | APPLYING A MITIGATION SPECIFIC ATTACK DETECTOR USING MACHINE LEARNING - In one embodiment, a device in a network detects a network attack using aggregated metrics for a set of traffic data. In response to detecting the network attack, the device causes the traffic data to be clustered into a set of traffic data clusters. The device causes one or more attack detectors to analyze the traffic data clusters. The device causes the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the one or more attack detectors. | 01-28-2016 |
20160028755 | TRAFFIC SEGREGATION IN DDOS ATTACK ARCHITECTURE - In one embodiment, a particular node in a network determines information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system. The particular node sends a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information. In response to the sent message, the particular node receives an indication that it is a member of a collaborative group of nodes based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of other machine learning attack detection and mitigation systems. Then, in response to an attack being detected by the local machine learning attack detection and mitigation system, the particular node provides to the collaborative group of nodes an indication of attack data flows identified as corresponding to the attack. | 01-28-2016 |
20160028762 | DISTRIBUTED SUPERVISED ARCHITECTURE FOR TRAFFIC SEGREGATION UNDER ATTACK - In one embodiment, data flows are received in a network, and information relating to the received data flows is provided to a machine learning attack detector. Then, in response to receiving an attack detection indication from the machine teaming attack detector, a traffic segregation procedure is performed including: computing an anomaly score for each of the received data flows based on a degree of divergence from an expected traffic model, determining a subset of the received data flows that have an anomaly score that is lower than or equal to an anomaly threshold value, and providing information relating to the subset of the received data flows to the machine learning attack detector. | 01-28-2016 |
20160028763 | BEHAVIORAL WHITE LABELING - In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks. | 01-28-2016 |
20160028764 | STEALTH MITIGATION FOR SIMULATING THE SUCCESS OF AN ATTACK - In one embodiment, attack traffic corresponding to a detected DoS attack from one or more attacker nodes is received at a denial of service (DoS) attack management node in a network. The DoS attack management node determines attack information relating to the attack traffic, including a type of the DoS attack and an intended target of the DoS attack. Then, the DoS attack management node triggers an attack mimicking action based on the attack information, where the attack mimicking action mimics a behavior of the intended target of the DoS attack that would be expected by the one or more attacker nodes if the DoS attack were successful. | 01-28-2016 |