Title of invention: Distributed voting mechanism for attack detection
Abstract: In one embodiment, a network node receives a voting request from a neighboring node that indicates a potential network attack. The network node determines a set of feature values to be used as input to a classifier based on the voting request. The network node also determines whether the potential network attack is present by using the set of feature values as input to the classifier. The network node further sends a vote to the neighboring node that indicates whether the potential network attack was determined to be present.
Publication number: US9230104(B2); Publication date: 2016.01.05
Application number: US201414273676; Application date: 2014.05.09
Applicant: Cisco Technology, Inc.; Inventors: Vasseur Jean-Philippe; Di Pietro Andrea; Cruz Mota Javier
Classification: H04L29/06; G06F21/55; Main classification: H04L29/06
Agency: Parker Ibrahim & Berg LLC; Agents: Parker Ibrahim & Berg LLC; Behmke James M.; Heywood Kenneth J.
Main claim: 1. A method, comprising: detecting, at a first network device, a potential network attack by executing a classifier, wherein the classifier is configured to select a label from among a plurality of labels based on a set of input features; sending voting requests that identify the potential network attack to a plurality of neighboring network devices, wherein the voting requests include a set of values for the set of input features that were used to detect the potential attack at the first network device, and wherein a particular neighboring network device determines input features for a local classifier and uses the local classifier to generate a vote regarding the potential network attack; receiving, from each of the one or more of the neighboring network devices, a vote regarding the potential network attack; confirming, by the first network device, that the network attack is present based on the received votes; and generating, by the first network device, an alert that an attack has been detected.
Address: San Jose CA US