Augmenting flow data for improved network monitoring and management
First Claim
1. A method comprising:
capturing one or more packet header attributes for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow;
determining one or more additional attributes of the first flow using at least the first sensor, the one or more additional attributes including at least one of a host attribute, a virtualization attribute, a process attribute, or a user attribute of the first flow;
normalizing at least one of the one or more additional attributes by calculating a term frequency-inverse document frequency of the at least one of the one or more additional attributes;
calculating a first feature vector that includes at least the one or more packet header attributes and the one or more additional attributes including the at least one normalized attribute;
determining a policy for the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow, the second feature vector being features or attributes of the second flow; and
applying the policy to one or more third flows that are considered similar to the first flow based on second predefined criteria.
Abstract
Flow data can be augmented with features or attributes from other domains, such as attributes from a source host and/or destination host of a flow, a process initiating the flow, and/or a process owner or user. A network can be configured to capture network or packet header attributes of a first flow and determine additional attributes of the first flow using a sensor network. The sensor network can include sensors for networking devices (e.g., routers, switches, network appliances), physical servers, hypervisors or container engines, and virtual partitions (e.g., virtual machines or containers). The network can calculate a feature vector including the packet header attributes and additional attributes to represent the first flow. The network can compare the feature vector of the first flow to respective feature vectors of other flows to determine an applicable policy, and enforce that policy for subsequent flows.
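The pipeline the abstract and claim 1 describe, as an added worked example in Python; this is not code from the patent or its assignee. It assumes constructed sample flows (packet-header attributes from the network sensors, host/virtualization/process/user attributes from the endpoint sensor), one-hot encoding for the header attributes, plain log(N/df) IDF for the additional attributes, cosine similarity between feature vectors, and two illustrative thresholds (0.85 for adopting a known flow's policy, 0.9 plus matching process and user as the "second predefined criteria" for propagating it). All flow values, policy names and thresholds are assumptions for the demonstration.

```python
import math
from collections import Counter

# Constructed sample flow records (illustrative; not data from the patent).
# dport/proto/dst/bytes come from the packet-header (network) sensors; host,
# virt, proc and user come from the endpoint sensor on the source host.
FLOWS = {
    "f1": dict(dport=443, proto="tcp", dst="203.0.113.10", bytes=12000,
               host="linux", virt="container:web", proc="app-server", user="www-data"),
    "f2": dict(dport=443, proto="tcp", dst="203.0.113.10", bytes=15000,
               host="linux", virt="container:web", proc="app-server", user="www-data"),
    "f3": dict(dport=5432, proto="tcp", dst="10.0.2.20", bytes=400,
               host="linux", virt="vm:db", proc="postgres", user="postgres"),
    "f4": dict(dport=22, proto="tcp", dst="10.0.0.5", bytes=3000,
               host="linux", virt="vm:bastion", proc="sshd", user="root"),
    # Same header view as f1/f2, but a different process started the flow.
    "f5": dict(dport=443, proto="tcp", dst="203.0.113.10", bytes=800,
               host="linux", virt="container:web", proc="curl", user="www-data"),
}
# Policies already attached to some flows (the claim's "second flows"); constructed.
KNOWN_POLICY = {"f2": "allow-api-egress", "f3": "allow-db", "f4": "allow-admin-ssh"}
# Later flows the chosen policy may be propagated to (the claim's "third flows").
THIRD_FLOWS = {
    "f6": dict(dport=443, proto="tcp", dst="203.0.113.10", bytes=5000,
               host="linux", virt="container:web", proc="app-server", user="www-data"),
    "f7": dict(dport=443, proto="tcp", dst="203.0.113.10", bytes=600,
               host="linux", virt="container:web", proc="curl", user="www-data"),
    "f8": dict(dport=443, proto="tcp", dst="203.0.113.10", bytes=10000,
               host="linux", virt="container:web", proc="app-server", user="root"),
}

HEADER = ("dport", "proto", "dst")             # one-hot tokens, not TF-IDF weighted
ADDITIONAL = ("host", "virt", "proc", "user")  # TF-IDF normalised tokens


def tokens(flow, fields):
    return [f"{k}:{flow[k]}" for k in fields]


def fit(flows):
    """Learn vocabulary, IDF table and byte scale from a corpus of flows."""
    n = len(flows)
    df = Counter(t for f in flows.values() for t in set(tokens(f, ADDITIONAL)))
    # An attribute present in every flow gets IDF 0 and drops out of the vector.
    idf = {t: math.log(n / c) for t, c in df.items()}
    header_vocab = sorted({t for f in flows.values() for t in tokens(f, HEADER)})
    return {"idf": idf, "vocab": sorted(idf), "header_vocab": header_vocab,
            "byte_scale": math.log1p(max(f["bytes"] for f in flows.values()))}


def header_vector(model, flow):
    """Packet-header attributes only: one-hot tokens plus a log-scaled byte count."""
    present = set(tokens(flow, HEADER))
    hv = [1.0 if t in present else 0.0 for t in model["header_vocab"]]
    return hv + [math.log1p(flow["bytes"]) / model["byte_scale"]]


def feature_vector(model, flow):
    """Header attributes followed by TF-IDF weighted additional attributes."""
    tf = Counter(tokens(flow, ADDITIONAL))
    tfidf = [tf[t] * model["idf"][t] for t in model["vocab"]]  # unseen tokens dropped
    return header_vector(model, flow) + tfidf


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def determine_policy(model, flows, fid, known, threshold=0.85):
    """Adopt the policy of the most similar known flow if similarity clears the threshold."""
    v = feature_vector(model, flows[fid])
    sim, policy = max(((cosine(v, feature_vector(model, flows[o])), p)
                       for o, p in known.items() if o != fid), default=(0.0, None))
    return (policy if sim >= threshold else None), round(sim, 4)


def apply_policy(model, flows, fid, policy, third_flows, threshold=0.9):
    """Second criteria: high similarity AND same process and user as the first flow."""
    v = feature_vector(model, flows[fid])
    applied = {}
    for tid, tflow in third_flows.items():
        same_owner = all(tflow[k] == flows[fid][k] for k in ("proc", "user"))
        if same_owner and cosine(v, feature_vector(model, tflow)) >= threshold:
            applied[tid] = policy
    return applied


if __name__ == "__main__":
    model = fit(FLOWS)
    policy, sim = determine_policy(model, FLOWS, "f1", KNOWN_POLICY)
    print("f1 ->", policy, sim)
    print("f5 ->", determine_policy(model, FLOWS, "f5", KNOWN_POLICY))
    print("header-only f5~f2:",
          round(cosine(header_vector(model, FLOWS["f5"]), header_vector(model, FLOWS["f2"])), 4))
    print("propagated:", apply_policy(model, FLOWS, "f1", policy, THIRD_FLOWS))
```

Two things the run shows that the abstract only states. First, f5 (curl) is almost indistinguishable from f2 on packet-header attributes alone, but the process token pulls the full-vector similarity under the threshold, so no policy is inherited. Second, f8 carries the same process as f1 but a different user, and the second criteria refuse to propagate the policy to it. The IDF table is fit on a corpus, so it must be refreshed as the attribute population changes, and the host, process and user attributes come from an endpoint sensor that an attacker on that endpoint can influence; the network sensors along the path are what let you corroborate them.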
19 Claims
1. A method comprising: the elements set out in full under First Claim above. (Claims 2 through 11 depend from claim 1.)
12. A system comprising:
a processor; and
memory including instructions that, upon being executed by the processor, cause the system to:
receive network data for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow;
determine additional data corresponding to the first flow using at least the first sensor, the additional data including at least one of an attribute of the source endpoint or the destination endpoint, an attribute of a process initiating the first flow, or an attribute of an owner of the process;
normalize at least one of the one or more additional attributes by calculating a term frequency-inverse document frequency of the at least one of the one or more additional attributes;
calculate a first feature vector that includes at least the network data and the additional data including the at least one normalized attribute;
determine a policy applicable to the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow, the second feature vector being features or attributes of the second flow; and
apply the policy to one or more third flows that are considered similar to the first flow based on second predefined criteria.
(Claims 13, 14 and 15 depend from claim 12.)
16. A non-transitory computer-readable medium having computer readable instructions that, upon being executed by a processor, cause the processor to:
receive network data for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow;
determine additional data corresponding to the first flow using at least the first sensor, the additional data including at least one of an attribute of the source endpoint or the destination endpoint, an attribute of a process initiating the first flow, or an attribute of an owner of the process;
normalize at least one of the one or more additional attributes by calculating a term frequency-inverse document frequency of the at least one of the one or more additional attributes;
calculate a first feature vector that includes at least the network data and the additional data including the at least one normalized attribute;
determine a policy applicable to the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow, the second feature vector being features or attributes of the second flow; and
apply the policy to one or more third flows that are considered similar to the first flow based on second predefined criteria.
(Claims 17, 18 and 19 depend from claim 16.)