User-specific policy enforcement based on network traffic fingerprinting

US 10,263,868 B1
Filed: 07/17/2014
Issued: 04/16/2019
Est. Priority Date: 04/11/2012
Status: Active Grant

First Claim

Patent Images

1. A method for applying a user-specific policy in a network, comprising:

identifying a historical portion of network traffic of the network as associated with a user;

analyzing, by a computer processor, the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, wherein the fingerprint is generated by extracting Domain Name System (DNS) names associated with various sites visited by the user, wherein generating a fingerprint includes extracting statistical features that are assessed by two factors;

1) uniqueness and

2) persistence, each factor being a quantifiable value determined algorithmically, wherein only statistical features with assessed uniqueness and persistence values above predetermined thresholds are stored as fingerprints of users and statistical features with assessed uniqueness and persistence values below predetermined thresholds are stored as candidate fingerprints;

identifying an ongoing portion of network traffic of the network as associated with a single user;

analyzing, by the computer processor and based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic; and

applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for applying a user-specific policy in a network. The method includes identifying a historical portion of network traffic of the network as associated with a user, analyzing, by a computer processor, the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, identifying, by the computer processor, an ongoing portion of network traffic of the network as associated with the user, analyzing, by the computer processor and based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic, and applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.

20 Citations

View as Search Results

20 Claims

1. A method for applying a user-specific policy in a network, comprising:
- identifying a historical portion of network traffic of the network as associated with a user;
  
  analyzing, by a computer processor, the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, wherein the fingerprint is generated by extracting Domain Name System (DNS) names associated with various sites visited by the user, wherein generating a fingerprint includes extracting statistical features that are assessed by two factors;
  
  1) uniqueness and
  
  2) persistence, each factor being a quantifiable value determined algorithmically, wherein only statistical features with assessed uniqueness and persistence values above predetermined thresholds are stored as fingerprints of users and statistical features with assessed uniqueness and persistence values below predetermined thresholds are stored as candidate fingerprints;
  
  identifying an ongoing portion of network traffic of the network as associated with a single user;
  
  analyzing, by the computer processor and based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic; and
  
  applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the user-specific policy comprises at least one selected from a group consisting of a network resource access permission policy and a network bandwidth allocation policy.
  - 3. The method of claim 1, further comprising:
    - extracting a plurality of features from the historical portion of the network traffic,wherein generating the fingerprint of the user comprises analyzing the plurality of features to determine a uniqueness measure and a persistence measure of network activity of the user, andwherein the plurality of features comprises at least one selected from a group consisting of a user identifier, a domain name of an accessed server, a universal resource locator (URL) of an accessed web service, a network application identifier, a geo-location report, a point-of-interest (POI) name, and an online social network (OSN) message.
  - 4. The method of claim 3,wherein the plurality of features comprises statistical features, andwherein the uniqueness measure and the persistence measure of network activity comprises a statistical uniqueness measure and a statistical persistence measure of network activity of the user.
  - 5. The method of claim 1, further comprising:
    - contemporaneous to analyzing the ongoing portion of network traffic to determine the match, identifying a most current source Internet Protocol (IP) address assigned to a device most recently used by the user to contribute to the ongoing portion of network traffic,wherein identifying the ongoing portion of network traffic as associated with the user subsequent to the time point is based on the most current source IP address.
  - 6. The method of claim 1, wherein identifying the historical portion and the ongoing portion of network traffic as associated with the user is based on at least one selected from a group consisting of an IP address assigned to a device of the user, a time window associated with the IP address assigned to the device of the user, a dynamic host configuration protocol (DHCP) message, a remote authentication dial in user service (RADIUS) message;
    - and a RADIUS identifier.
  - 7. The method of claim 1, wherein identifying the historical portion and the ongoing portion of network traffic as associated with the user comprises:
    - identifying, from the network, a plurality of application sessions;
      
      extracting a plurality of user identifiers from the plurality of application sessions based on a pre-determined criterion;
      
      analyzing the plurality of application sessions to determine a plurality of session blocks, wherein each session block comprises a plurality of application sessions sharing an originating IP address and is defined based on a minimum separation time between said each session block and any other session block sharing the originating IP address;
      
      extracting a traffic marker from the plurality of session blocks based on a user identifier of the plurality of user identifiers, wherein the user is identified by the user identifier;
      
      identifying a first portion of the plurality of the session blocks based on the user identifier, wherein the first portion of the plurality of the session blocks is associated with first network activities of the user; and
      
      identifying a second portion of the plurality of the session blocks based on the traffic marker, wherein the second portion of the plurality of the session blocks is associated with second network activities of the user,wherein the historical portion and the ongoing portion of network traffic comprises the first portion and the second portion of the plurality of the session blocks.
  - 8. The method of claim 7,wherein the user identifier comprises at least one selected from a group consisting of an online social network (OSN) user identifier and an email address,wherein the pre-determined criterion comprises at least one selected from a group consisting of an OSN-specific parsing algorithm and a layer-7-application-specific parsing algorithm applied to the plurality of application sessions,wherein extracting the traffic marker from the plurality of session blocks based on the user identifier comprises:
    - determining a measure of co-occurrence in the plurality of session blocks between the user identifier and a data string; and
      
      identifying the data string as the traffic marker in response to the measure meeting a pre-determined threshold.

9. A system for applying a user-specific policy in a network, comprising:
- a processor and memory;
  
  a user flow group generator comprising instructions stored in the memory, when executed on the processor having functionality to;
  
  identify each of a historical portion and an ongoing portion of network traffic of the network as associated with a single user;
  
  a user activity analyzer comprising instructions stored in the memory, when executed on the processor having functionality to;
  
  analyze the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, wherein the fingerprint is generated by extracting Domain Name System (DNS) names associated with various sites visited by the user, wherein generating a fingerprint includes extracting statistical features that are assessed by two factors;
  
  1) uniqueness and
  
  2) persistence, each factor being a quantifiable value determined algorithmically, wherein only statistical features with assessed uniqueness and persistence values above predetermined thresholds are stored as fingerprints of users and statistical features with assessed uniqueness and persistence values below predetermined thresholds are stored as candidate fingerprints; and
  
  analyze, based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic; and
  
  a network traffic manager comprising instructions stored in the memory, when executed on the processor having functionality to;
  
  apply, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the user-specific policy comprises at least one selected from a group consisting of a network resource access permission policy and a network bandwidth allocation policy.
  - 11. The system of claim 9, wherein the user activity analyzer further comprises instructions stored in the memory, when executed on the processor having functionality to:
    - extract a plurality of features from the historical portion of the network traffic,wherein generating the fingerprint of the user comprises analyzing the plurality of features to determine a uniqueness measure and a persistence measure of network activity of the user, andwherein the plurality of features comprises at least one selected from a group consisting of a user identifier, a domain name of an accessed server, a universal resource locator (URL) of an accessed web service, a network application identifier, a geo-location report, a point-of-interest (POI) name, and an online social network (OSN) message.
  - 12. The system of claim 11,wherein the plurality of features comprises statistical features, andwherein the uniqueness measure and the persistence measure of network activity comprises a statistical uniqueness measure and a statistical persistence measure of network activity of the user.
  - 13. The system of claim 9, wherein the user activity analyzer further comprises instructions stored in the memory, when executed on the processor having functionality to:
    - contemporaneous to analyzing the ongoing portion of network traffic to determine the match, identify a most current source Internet Protocol (IP) address assigned to a device most recently used by the user to contribute to the ongoing portion of network traffic,wherein identifying the ongoing portion of network traffic as associated with the user subsequent to the time point is based on the most current source IP address.
  - 14. The system of claim 9, wherein identifying the historical portion and the ongoing portion of network traffic as associated with the user is based on at least one selected from a group consisting of an IP address assigned to a device of the user, a time window associated with the IP address assigned to the device of the user, a dynamic host configuration protocol (DHCP) message, a remote authentication dial in user service (RADIUS) message, and a RADIUS identifier.
  - 15. The system of claim 9, wherein identifying the historical portion and the ongoing portion of network traffic as associated with the user comprises:
    - identifying, from the network, a plurality of application sessions;
      
      extracting a plurality of user identifiers from the plurality of application sessions based on a pre-determined criterion;
      
      analyzing the plurality of application sessions to determine a plurality of session blocks, wherein each session block comprises a plurality of application sessions sharing an originating IP address and is defined based on a minimum separation time between said each session block with any other session block sharing the originating IP address;
      
      extracting a traffic marker from the plurality of session blocks based on a user identifier of the plurality of user identifiers, wherein the user is identified by the user identifier;
      
      identifying a first portion of the plurality of the session blocks based on the user identifier, wherein the first portion of the plurality of the session blocks is associated with first network activities of the user; and
      
      identifying a second portion of the plurality of the session blocks based on the traffic marker, wherein the second portion of the plurality of the session blocks is associated with second network activities of the user,wherein the historical portion and the ongoing portion of network traffic comprises the first portion and the second portion of the plurality of the session blocks.
  - 16. The system of claim 15,wherein the user identifier comprises at least one selected from a group consisting of an online social network (OSN) user identifier and an email address,wherein the pre-determined criterion comprises at least one selected from a group consisting of an OSN-specific parsing algorithm and a layer-7-application-specific parsing algorithm applied to the plurality of application sessions,wherein extracting the traffic marker from the plurality of session blocks based on the user identifier comprises:
    - determining a measure of co-occurrence in the plurality of session blocks between the user identifier and a data string; and
      
      identifying the data string as the traffic marker in response to the measure meeting a pre-determined threshold.

17. A non-transitory computer readable medium embodying instructions for applying a user-specific policy in a network, the instructions when executed by a processor comprising functionality for:
- identifying a historical portion of network traffic of the network as associated with a user;
  
  analyzing the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network;
  
  identifying an ongoing portion of network traffic of the network as associated with a single user;
  
  analyzing, based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic, wherein the fingerprint is generated by extracting Domain Name System (DNS) names associated with various sites visited by the user, wherein generating a fingerprint includes extracting statistical features that are assessed by two factors;
  
  1) uniqueness and
  
  2) persistence, each factor being a quantifiable value determined algorithmically, wherein only statistical features with assessed uniqueness and persistence values above predetermined thresholds are stored as fingerprints of users and statistical features with assessed uniqueness and persistence values below predetermined thresholds are stored as candidate fingerprints; and
  
  applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable medium of claim 17, wherein the user-specific policy comprises at least one selected from a group consisting of a network resource access permission policy and a network bandwidth allocation policy.
  - 19. The non-transitory computer readable medium of claim 17, further comprising:
    - extracting a plurality of features from the historical portion of the network traffic,wherein generating the fingerprint of the user comprises analyzing the plurality of features to determine a uniqueness measure and a persistence measure of network activity of the user, andwherein the plurality of features comprises at least one selected from a group consisting of a user identifier, a domain name of an accessed server, a universal resource locator (URL) of an accessed web service, a network application identifier, a geo-location report, a point-of-interest (POI) name, and an online social network (OSN) message.
  - 20. The non-transitory computer readable medium of claim 17, further comprising:
    - contemporaneous to analyzing the ongoing portion of network traffic to determine the match, identifying a most current source Internet Protocol (IP) address assigned to a device most recently used by the user to contribute to the ongoing portion of network traffic,wherein identifying the ongoing portion of network traffic as associated with the user subsequent to the time point is based on the most current source IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
Narus, Inc. (Gen Digital Inc.)
Inventors
Baldi, Mario, Liao, Yong, Miskovic, Stanislav, Nucci, Antonio, Song, Han Hee
Primary Examiner(s)
Strange, Aaron N
Assistant Examiner(s)
Mian, Mohammad Yousuf A.

Application Number

US14/334,141
Time in Patent Office

1,734 Days
Field of Search

709224
US Class Current
CPC Class Codes

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

H04L 67/535   Tracking the activity of th...

H04W 12/02   Protecting privacy or anony...

User-specific policy enforcement based on network traffic fingerprinting

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

User-specific policy enforcement based on network traffic fingerprinting

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links