System and method to sample a large data set of network traffic records

US 10,313,209 B2
Filed: 12/30/2016
Issued: 06/04/2019
Est. Priority Date: 12/30/2016
Status: Active Grant

×

Create Patent Alert

District Court Events

PTAB Events

ITC Events

Federal Circuit Events

RPX Reports

Alert Frequency

Daily (M-F)

Weekly

^*Certain alert events are not available for your current subscription level. Upgrade

Cancel
- Alert
- Pin

	Alert Frequency
	Daily (M-F)
	Weekly

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A computer-implemented method to sample a large data set of traffic records, the traffic records corresponding to network traffic flows associated with at least one particular address, the method comprising:

processing multiple iterations associated with respective traffic records of the large data set that satisfy particular criteria, processing an iteration of the multiple iterations comprising;

receiving a traffic record from a source of a large data set of traffic records, the traffic record corresponding to a traffic flow and identifying a pair of addresses exchanging communications included in the traffic flow and including a traffic size value that indicates the size of communications included in the traffic flow;

receiving a flow counter and a total traffic size, the flow counter representing the number of traffic flows received for one of the addresses of the pair identified, the number of traffic flows representing previously received traffic records associated with the address, the total traffic size representing a sum of traffic sizes associated with all previously received traffic records, the previously received traffic records having been received during previous iterations of the multiple iterations;

incrementing the flow counter;

adding the traffic size associated with the received traffic record to the total traffic size;

if the flow counter is less than a predetermined sampling threshold, then storing a traffic record sample associated with the traffic record;

if the flow counter is more than the predetermined sampling threshold, then determining whether or not to sample the received traffic record by applying an exponentially decreasing probability function; and

storing the traffic record sample as sampled data associated with the traffic record only if the determination is to sample the received traffic record.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method to sample a large data set of traffic records, including receiving a traffic record associated with a traffic flow from a source of a large data set of traffic records, incrementing a flow counter representing a number of traffic flows received for one address of a pair of addresses identified by a traffic record, adding a traffic size of the traffic flow associated with the received traffic record to a total traffic size of all flows received in previous iterations. If the flow counter is less than a predetermined sampling threshold, then storing a traffic record sample associated with the traffic record. If the flow counter is more than the predetermined sampling threshold, then determining whether or not to sample the received traffic record by applying an exponentially decreasing probability function. Storing the traffic record sample as sampled data associated with the traffic record only if the determination is to sample the received traffic record.

Citations

20 Claims

1. A computer-implemented method to sample a large data set of traffic records, the traffic records corresponding to network traffic flows associated with at least one particular address, the method comprising:
- processing multiple iterations associated with respective traffic records of the large data set that satisfy particular criteria, processing an iteration of the multiple iterations comprising;
  
  receiving a traffic record from a source of a large data set of traffic records, the traffic record corresponding to a traffic flow and identifying a pair of addresses exchanging communications included in the traffic flow and including a traffic size value that indicates the size of communications included in the traffic flow;
  
  receiving a flow counter and a total traffic size, the flow counter representing the number of traffic flows received for one of the addresses of the pair identified, the number of traffic flows representing previously received traffic records associated with the address, the total traffic size representing a sum of traffic sizes associated with all previously received traffic records, the previously received traffic records having been received during previous iterations of the multiple iterations;
  
  incrementing the flow counter;
  
  adding the traffic size associated with the received traffic record to the total traffic size;
  
  if the flow counter is less than a predetermined sampling threshold, then storing a traffic record sample associated with the traffic record;
  
  if the flow counter is more than the predetermined sampling threshold, then determining whether or not to sample the received traffic record by applying an exponentially decreasing probability function; and
  
  storing the traffic record sample as sampled data associated with the traffic record only if the determination is to sample the received traffic record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein storing the traffic record sample includes:
    - incrementing a sample flow counter associated with the address, the sample flow counter representing a total number of traffic records saved to a sample storage disk for the address; and
      
      saving data associated with the received traffic record to the sample storage disk.
  - 3. The method of claim 2, wherein the exponentially decreasing probability of sampling the received traffic records is determined by:
    - calculating a sampling rate to be equal to the sampled flow counter divided by the predetermined sampling threshold; and
      
      setting the probability of sampling the received data traffic record to decrease exponentially in accordance with the sampling rate.
  - 4. The method of claim 1, further comprising:
    - comparing the traffic size associated with the received traffic record to a scaled average flow size, the scaled average flow size based on the total traffic size, the total flow count, and a scaling factor;
      
      if the traffic size is larger than the scaled average flow size, then storing the received traffic record; and
      
      if the traffic size is less than the scaled average flow size, then determining whether or not to sample the received traffic record by applying the exponentially decreasing probability of sampling received traffic records.
  - 5. The method of claim 3, wherein the large data set is streamed over time, each traffic record being associated with a time stamp, the sample storage disk including a data structure, wherein,the data structure includes a plurality of bins, each bin being associated with a unique time interval defined by an associated start time relative to a reference time and a time duration, each bin being configured to store one or more sample traffic records that have an associated time stamp that is included in the bin'"'"'s time interval, andthe plurality of bins includes a subset of small bins having associated relatively short time intervals and a subset of large bins having associated relatively long time intervals;
    - the method further comprising;
      
      storing the sampled data that corresponds to the received traffic record in the large bin and the small bin of the plurality of bins that has an associated time interval that includes the time stamp of the received traffic record.
  - 6. The method of claim 5,the method further comprising before storing the sampled data in the small bin, temporarily storing the sampled data as a cached sampled data and the calculated sampling rate as a cached sampling rate in a cache, wherein the cache includes multiple lists, each list of the multiple lists being associated with a different address and having at least one entry associated with at least one previous iteration, each entry storing sampled data and a corresponding calculated sampling, each entry being stored in a list of the multiple lists that is associated with a same address as an address associated with its sampled data, the cached sampled data and the cached sampling rate being stored in a list of the multiple lists that is associated with the same address as the address associated with the sampled data.
  - 7. The method of claim 6, further comprising:
    - determining a maximum sampling rate that is the maximum sampling rate of all of sampling rates associated entries of the list;
      
      determining whether the sampling rate associated with the received traffic record satisfies a criterion related to the determined maximum sampling rate;
      
      if it is determined that the criterion related to the determined maximum sampling rate is satisfied, then storing the cached sampled data in a small bin of the plurality of bins that has an associated time interval that includes the time stamp associated with the sampled data;
      
      if it is determined that the criterion is not satisfied, then determining whether or not to sample the cached sampled data by applying a second probability function that exponentially decreases in accordance with a difference between the determined maximum sampling rate and the calculated sampling rate; and
      
      storing the cached sampled data to the small bin only if the determination is to sample the corresponding cached sampled data.
  - 8. The method of claim 7, further comprising storing to the small bin, in association with storing the cached sampled data, at least one of the cached sampling rate and the second probability function applied.
  - 9. The method of claim 3, further comprising, removing from the sample storage disk sampled data that was stored during previous iterations that is associated with at least one address having an associated sample flow counter that is less than a predetermined minimum storage threshold.
  - 10. The method of claim 2, further comprising:
    - during the previous iterations, storing in association with sampled data a probability determined using the probability function of sampling the sampled data;
      
      storing a low probability list of each address associated with sampled data in which the associated probability determined is less than a probability threshold; and
      
      during the current iteration, temporarily storing the sampled data in the cache if the address is included in the low probability list.
  - 11. The method of claim 1, further comprising, if the received traffic record does not have a corresponding flow count, initializing the flow count to zero.
  - 12. The method claim 11, further comprising:
    - comparing a total amount of flow counters acquired during the previous iterations to a predetermined counter threshold; and
      
      if the total amount of flow counters is less than the predetermined counter threshold, discarding the flow counter if the flow counter fulfills a predetermined criterion that indicates the flow counter is rarely used.
  - 13. The method of claim 5, further comprising:
    - when storing the traffic record sample associated with the traffic record, storing an indication of the probability function that was applied in association with the traffic record sample;
      
      receiving a query for stored sampled data associated with at least one address and a requested time interval;
      
      selecting bins of the plurality of bins that have associated time intervals that satisfy the requested time interval; and
      
      aggregating sample flow counters associated with each of the selected bins and the at least one address by mathematically offsetting for the probability function applied in association with each of the sample flow counters being aggregated.
  - 14. The method of claim 7, further comprising:
    - when storing the traffic record sample associated with the traffic record, storing an indication of the probability function and the second probability function that was applied in association with the traffic record sample;
      
      receiving a query for stored sampled data associated with at least one address and a requested time interval;
      
      selecting bins of the plurality of bins that have associated time intervals that satisfy the requested time interval; and
      
      aggregating sample flow counters associated with each of the selected bins and the at least one address by mathematically offsetting at least one of the probability function and the second probability function applied in association with each of the sample flow counters being aggregated.

15. A system to sample a large data set of traffic records, the traffic records corresponding to network traffic flows associated with at least one particular address, the system comprising:
- a memory configured to store instructions;
  
  a processor disposed in communication with the memory, wherein the processor upon execution of the instructions is configured to;
  
  process, in multiple iterations associated with respective traffic records of the large data set that satisfy particular criteria, processing an iteration of the multiple iterations comprising;
  
  receiving a traffic record from a source of a large data set of traffic records, the traffic record corresponding to a traffic flow and identifying a pair of addresses exchanging communications included in the traffic flow and including a traffic size value that indicates the size of communications included in the traffic flow;
  
  receiving a flow counter and a total traffic size, the flow counter representing the number of traffic flows received for one of the addresses of the pair identified, the number of traffic flows representing previously received traffic records associated with the address, the total traffic size representing a sum of traffic sizes associated with all previously received traffic records, the previously received traffic records having been received during previous iterations of the multiple iterations;
  
  incrementing the flow counter;
  
  adding the traffic size associated with the received traffic record to the total traffic size;
  
  if the flow counter is less than a predetermined sampling threshold, then storing a traffic record sample associated with the traffic record;
  
  if the flow counter is more than the predetermined sampling threshold, then determining whether or not to sample the received traffic record by applying an exponentially decreasing probability function; and
  
  storing the traffic record sample as sampled data associated with the traffic record only if the determination is to sample the received traffic record.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, wherein storing the traffic record sample includes:
    - incrementing a sample flow counter associated with the address, the sample flow counter representing a total number of traffic records saved to a sample storage disk for the address; and
      
      saving data associated with the received traffic record to the sample storage disk.
  - 17. The system of claim 16, wherein the exponentially decreasing probability of sampling the received traffic records is determined by:
    - calculating a sampling rate to be equal to the sampled flow counter divided by the predetermined sampling threshold; and
      
      setting the probability of sampling the received data traffic record to decrease exponentially in accordance with the sampling rate.
  - 18. The system of claim 17,wherein the processor, upon execution of the instructions, is further configured to, before storing the sampled data, temporarily storing the sampled data as a cached sampled data and the calculated sampling rate as a cached sampling rate in a cache, wherein the cache includes multiple lists, each list of the multiple lists being associated with a different address and having at least one entry associated with at least one previous iteration, each entry storing sampled data and a corresponding calculated sampling, each entry being stored in a list of the multiple lists that is associated with a same address as an address associated with its sampled data, the cached sampled data and the cached sampling rate being stored in a list of the multiple lists that is associated with the same address as the address associated with the sampled data.

19. A non-transitory computer readable storage medium and one or more computer programs embedded therein, the computer programs comprising instructions, which when executed by a computer system, cause the computer system to:
- process multiple iterations associated with respective traffic records of the large data set that satisfy particular criteria, processing an iteration of the multiple iterations comprising;
  
  receiving a traffic record from a source of a large data set of traffic records, the traffic record corresponding to a traffic flow, the traffic record further identifying a pair of addresses of devices that exchange communications included in the traffic flow and including a traffic size value that indicates the size of communications included in the traffic flow;
  
  receiving a flow counter and a total traffic size, the flow counter representing the number of traffic flows received for one of the addresses of the pair identified, the number of traffic flows representing previously received traffic records associated with the address, the total traffic size representing a sum of traffic sizes associated with all previously received traffic records, the previously received traffic records having been received during previous iterations of the multiple iterations;
  
  incrementing the flow counter;
  
  adding the traffic size associated with the received traffic record to the total traffic size;
  
  if the flow counter is less than a predetermined sampling threshold, then storing a traffic record sample associated with the traffic record;
  
  if the flow counter is more than the predetermined sampling threshold, then determining whether or not to sample the received traffic record by applying an exponentially decreasing probability function; and
  
  storing the traffic record sample as sampled data associated with the traffic record only if the determination is to sample the received traffic record.
- View Dependent Claims (20)
- - 20. The computer readable storage medium of claim 19, wherein storing the traffic record sample includes:
    - incrementing a sample flow counter associated with the address, the sample flow counter representing a total number of traffic records saved to a sample storage disk for the address; and
      
      saving data associated with the received traffic record to the sample storage disk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Bondar, Ivan
Primary Examiner(s)
Parry, Chris
Assistant Examiner(s)
Chouat, Abderrahmen

Application Number

US15/395,562
Publication Number

US 20180191584A1
Time in Patent Office

886 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/024 by adaptive sampling

H04L 43/026 using flow identification

System and method to sample a large data set of network traffic records

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to sample a large data set of network traffic records

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links