Classifying applications or activities based on network behavior
6 Assignments
0 Petitions
Abstract
Embodiments are directed to monitoring network traffic in a network. A network monitoring engine may be employed to monitor the network to provide metric profiles based on a plurality of characteristics associated with one or more network flows. The network monitoring engine may provide profile objects based on the metric profiles. The network monitoring engine may provide the profile objects to a classifier engine. The classifier engine may provide trained activity models selected from a plurality of trained activity models that may be based on a ranked ordering of characteristics of the trained activity models and the profile objects. The classifier engine may provide classification results for the profile objects based on the trained activity models. And, the network monitoring engine may execute policies based on the classification results associated with the profile objects.
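An added illustration of the pipeline the abstract describes, not code from the patent or its assignee: the flow records, the three metrics, the centroid "models", the distance threshold and the policy table are all constructed assumptions. The profile is built only from flow behaviour, and the entity address is used solely to attach the profile to a device object.

```python
from collections import defaultdict
from math import dist, log10

# Constructed flow records: (entity, bytes_out, bytes_in, duration_seconds)
FLOWS = [
    ("10.0.0.5", 1200, 48000, 2.0), ("10.0.0.5", 900, 52000, 1.5),
    ("10.0.0.9", 80, 120, 0.01), ("10.0.0.9", 78, 130, 0.01),
    ("10.0.0.9", 82, 110, 0.02),
    ("10.0.0.7", 900000, 4000, 30.0), ("10.0.0.7", 1100000, 5000, 40.0),
]

# Hypothetical "trained activity models": centroids in log10 metric space.
MODELS = {
    "web_browsing": (3.0, 4.7, 0.3),
    "dns_lookup": (1.9, 2.1, -1.9),
    "bulk_upload": (6.0, 3.7, 1.5),
}
POLICIES = {"bulk_upload": "alert", "unknown": "review"}  # anything else: allow
MAX_DISTANCE = 1.0  # assumed cut-off beyond which no model is accepted

def build_profiles(flows):
    """Profile object per entity: log10 of mean bytes_out, bytes_in, duration."""
    grouped = defaultdict(list)
    for entity, out_b, in_b, dur in flows:
        grouped[entity].append((out_b, in_b, dur))
    profiles = {}
    for entity, rows in grouped.items():
        means = [sum(col) / len(rows) for col in zip(*rows)]
        profiles[entity] = tuple(log10(m) for m in means)
    return profiles

def classify(profile):
    """Rank the models by distance to the profile; return (label, ranking)."""
    ranking = sorted(MODELS, key=lambda name: dist(profile, MODELS[name]))
    best = ranking[0]
    label = best if dist(profile, MODELS[best]) <= MAX_DISTANCE else "unknown"
    return label, ranking

def run(flows):
    """Device object = entity + profile + classification result + policy action."""
    devices = {}
    for entity, profile in build_profiles(flows).items():
        label, _ = classify(profile)
        devices[entity] = {"profile": profile, "activity": label,
                           "action": POLICIES.get(label, "allow")}
    return devices

if __name__ == "__main__":
    for entity, dev in run(FLOWS).items():
        print(entity, dev["activity"], dev["action"])
```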
217 Citations
15 Claims
1. A method for monitoring network traffic in a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:
- employing a network monitoring engine to perform further actions, comprising;
  - providing one or more profile objects based on one or more metric profiles for one or more monitored network flows, wherein one or more metrics that correspond to a network entity in the monitored network are based on one or more characteristics of the one or more monitored network flows that are separate from other characteristics associated with the network entity; and
  - providing one or more device objects based on associating the one or more profile objects with one or more network entities on the network; and
- employing a classifier engine to perform further actions, including;
  - providing one or more trained activity models; and
  - providing one or more classification results for the one or more device objects based on the one or more trained activity models; and
- executing one or more policies based on the one or more classification results associated with the one or more device objects.

Dependent claims: 2, 3, 4, 5
6. A system for monitoring network traffic in a network:
- one or more network monitoring computers (NMCs), comprising;
  - a transceiver that communicates over the network;
  - a memory that stores at least instructions; and
  - one or more processors that execute instructions that perform actions, including;
    - employing a network monitoring engine to perform further actions, comprising;
      - providing one or more profile objects based on one or more metric profiles for one or more monitored network flows, wherein one or more metrics that correspond to a network entity in the monitored network are based on one or more characteristics of the one or more network flows that are separate from other characteristics associated with the network entity; and
      - providing one or more device objects based on associating the one or more profile objects and one or more network entities on the network; and
    - employing a classifier engine to perform further actions, including;
      - providing one or more trained activity models; and
      - providing one or more classification results for the one or more device objects based on the one or more trained activity models; and
    - executing one or more policies based on the one or more classification results associated with the one or more device objects; and
- one or more client computers, comprising;
  - a transceiver that communicates over the network;
  - a memory that stores at least instructions; and
  - one or more processors that execute instructions that perform actions, including;
    - providing one or more portions of the one or more network flows.

Dependent claims: 7, 8, 9, 10
11. A processor readable non-transitory storage media that includes instructions for monitoring network traffic over a network between one or more computers, wherein execution of the instructions by one or more processors on one or more network monitoring computers (NMCs) performs actions, comprising:
- employing a network monitoring engine to perform further actions, comprising;
  - providing one or more profile objects based on one or more metric profiles for one or more monitored network flows, wherein one or more metrics that correspond to a network entity in the monitored network are based on one or more characteristics of the one or more network flows that are separate from other characteristics associated with the network entity; and
  - providing one or more device objects based on associating the one or more profile objects with one or more network entities on the network; and
- employing a classifier engine to perform further actions, including;
  - providing one or more trained activity models; and
  - providing one or more classification results for the one or more device objects based on the one or more trained activity models; and
- executing one or more policies based on the one or more classification results associated with the one or more device objects.

Dependent claims: 12, 13, 14, 15
Specification