User-specific policy enforcement based on network traffic fingerprinting
First Claim
1. A method for applying a user-specific policy in a network, comprising:
identifying a historical portion of network traffic of the network as associated with a user;
analyzing, by a computer processor, the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, wherein the fingerprint is generated by extracting Domain Name System (DNS) names associated with various sites visited by the user, wherein generating a fingerprint includes extracting statistical features that are assessed by two factors: 1) uniqueness and 2) persistence, each factor being a quantifiable value determined algorithmically, wherein only statistical features with assessed uniqueness and persistence values above predetermined thresholds are stored as fingerprints of users and statistical features with assessed uniqueness and persistence values below predetermined thresholds are stored as candidate fingerprints;
identifying an ongoing portion of network traffic of the network as associated with a single user;
analyzing, by the computer processor and based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic; and
applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.
Abstract
A method for applying a user-specific policy in a network. The method includes identifying a historical portion of network traffic of the network as associated with a user, analyzing, by a computer processor, the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, identifying, by the computer processor, an ongoing portion of network traffic of the network as associated with the user, analyzing, by the computer processor and based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic, and applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.
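The fingerprint-then-match flow described in the claims and abstract, as an added Python example that is not taken from the patent. The uniqueness and persistence formulas, the threshold values, the treatment of every feature that fails either threshold as a candidate, the `min_hits` match rule and the sample DNS log are all assumptions made for illustration; the page does not define them.

```python
from collections import defaultdict

# Constructed historical DNS log: (day, user, queried name). Not real traffic.
HISTORY = [
    (1, "alice", "mail.example.com"), (1, "alice", "wiki.corp.example"),
    (1, "alice", "knit.example.org"), (2, "alice", "knit.example.org"),
    (2, "alice", "mail.example.com"), (3, "alice", "knit.example.org"),
    (3, "alice", "news.example.net"),
    (1, "bob", "mail.example.com"), (1, "bob", "chess.example.org"),
    (2, "bob", "chess.example.org"), (2, "bob", "wiki.corp.example"),
    (3, "bob", "chess.example.org"), (3, "bob", "mail.example.com"),
    (1, "carol", "mail.example.com"), (2, "carol", "sail.example.org"),
    (3, "carol", "sail.example.org"), (3, "carol", "news.example.net"),
]

def build_fingerprints(history, min_unique=0.9, min_persist=0.6):
    """Split each user's DNS names into fingerprint and candidate sets."""
    days = defaultdict(set)       # user -> days on which the user had traffic
    seen = defaultdict(set)       # (user, name) -> days the name was queried
    users_of = defaultdict(set)   # name -> users who queried it
    for day, user, name in history:
        days[user].add(day)
        seen[(user, name)].add(day)
        users_of[name].add(user)
    others = max(len(days) - 1, 1)
    fingerprints, candidates = defaultdict(set), defaultdict(set)
    for (user, name), name_days in seen.items():
        # Assumed metrics: share of other users who never query the name,
        # and share of the user's active days on which the name appears.
        uniqueness = 1 - (len(users_of[name]) - 1) / others
        persistence = len(name_days) / len(days[user])
        keep = uniqueness > min_unique and persistence > min_persist
        (fingerprints if keep else candidates)[user].add(name)
    return fingerprints, candidates

def first_match(fingerprints, ongoing, min_hits=1):
    """Return (user, index) where an ongoing flow group first matches."""
    hits = defaultdict(set)
    for index, name in enumerate(ongoing):
        for user, names in fingerprints.items():
            if name in names:
                hits[user].add(name)
                if len(hits[user]) >= min_hits:
                    return user, index   # policy applies after this index
    return None, None
```

Names shared by every user, such as the mail host in the sample log, score zero uniqueness and never reach the fingerprint set, which is why the match in an ongoing flow is only declared once a distinctive name appears.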
20 Claims
1. A method for applying a user-specific policy in a network, comprising:
identifying a historical portion of network traffic of the network as associated with a user;
analyzing, by a computer processor, the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, wherein the fingerprint is generated by extracting Domain Name System (DNS) names associated with various sites visited by the user, wherein generating a fingerprint includes extracting statistical features that are assessed by two factors: 1) uniqueness and 2) persistence, each factor being a quantifiable value determined algorithmically, wherein only statistical features with assessed uniqueness and persistence values above predetermined thresholds are stored as fingerprints of users and statistical features with assessed uniqueness and persistence values below predetermined thresholds are stored as candidate fingerprints;
identifying an ongoing portion of network traffic of the network as associated with a single user;
analyzing, by the computer processor and based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic; and
applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.
9. A system for applying a user-specific policy in a network, comprising:
a processor and memory;
a user flow group generator comprising instructions stored in the memory, when executed on the processor having functionality to:
identify each of a historical portion and an ongoing portion of network traffic of the network as associated with a single user;
a user activity analyzer comprising instructions stored in the memory, when executed on the processor having functionality to:
analyze the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, wherein the fingerprint is generated by extracting Domain Name System (DNS) names associated with various sites visited by the user, wherein generating a fingerprint includes extracting statistical features that are assessed by two factors: 1) uniqueness and 2) persistence, each factor being a quantifiable value determined algorithmically, wherein only statistical features with assessed uniqueness and persistence values above predetermined thresholds are stored as fingerprints of users and statistical features with assessed uniqueness and persistence values below predetermined thresholds are stored as candidate fingerprints; and
analyze, based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic; and
a network traffic manager comprising instructions stored in the memory, when executed on the processor having functionality to:
apply, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.
17. A non-transitory computer readable medium embodying instructions for applying a user-specific policy in a network, the instructions when executed by a processor comprising functionality for:
identifying a historical portion of network traffic of the network as associated with a user;
analyzing the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network;
identifying an ongoing portion of network traffic of the network as associated with a single user;
analyzing, based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic, wherein the fingerprint is generated by extracting Domain Name System (DNS) names associated with various sites visited by the user, wherein generating a fingerprint includes extracting statistical features that are assessed by two factors: 1) uniqueness and 2) persistence, each factor being a quantifiable value determined algorithmically, wherein only statistical features with assessed uniqueness and persistence values above predetermined thresholds are stored as fingerprints of users and statistical features with assessed uniqueness and persistence values below predetermined thresholds are stored as candidate fingerprints; and
applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.
Specification