Creating classifiers for servers and clients in a network
Abstract
Systems, methods, and computer-readable media are provided for determining whether a node in a network is a server or a client. In some examples, a system can collect, from one or more sensors that monitor at least part of data traffic being transmitted via a pair of nodes in a network, information of the data traffic. The system can analyze attributes of the data traffic such as timing, port magnitude, degree of communication, historical data, etc. Based on analysis results and a predetermined rule associated with the attributes, the system can determine which node of the pair of nodes is a client and which node is a server.
20 Claims
1. A method comprising:
- receiving, from a first sensor that monitors at least part of first data traffic exchanged between a pair of nodes in a network, first information of the first data traffic, the pair of nodes comprising a first node and a second node, wherein the first information includes timing, port magnitude, degree of communication, and/or historical data;
- estimating, by analyzing the first information, that the first node initiated the first data traffic;
- first determining, based on the estimating, that the first node is a client and that the second node is a server; and
- creating one or more classifiers of servers and clients in the network from the result of the first determining;
- wherein the estimating and first determining are not based on any IP address within the first information.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method comprising:
- receiving, from a first sensor that monitors at least part of first data traffic being transmitted via a pair of nodes in a network, first information of the first data traffic, the pair of nodes comprising a first node and a second node;
- first determining, by analyzing the first information, a first degree of connection for the first node and a second degree of connection for the second node, wherein the first degree of connection indicates how many unique address-port pairs that the first node has communicated with, and wherein the second degree of connection indicates how many unique address-port pairs that the second node has communicated with;
- second determining that the first degree of connection is greater than the second degree of connection;
- third determining, based on the second determining, that the first node is likely a server and that the second node is likely a client; and
- creating one or more classifiers of servers and clients in the network from the result of the third determining;
- wherein the second and third determining are not based on any IP address within the first information.
Dependent claims: 12, 13, 14, 15, 16, 17
18. A system comprising:
- a processor; and
- a computer-readable storage medium storing instructions which, when executed by the processor, cause the system to perform operations comprising;
  - receiving, from a first sensor that monitors at least part of first data traffic being transmitted via a pair of nodes in a network, first information of the first data traffic, the pair of nodes comprising a first node and a second node;
  - first determining, by analyzing the first information, timings of first data traffic being transmitted via the pair of nodes and degrees of connection for the pair of nodes, the first node having a first degree of connection and the second node having a second degree of connection; and
  - based at least upon the timings of first data traffic, the degrees of connection, and a predetermined rule associated with the timings of the first data traffic and the degrees of connections, estimating that the first node initiated the first data traffic or second determining the first degree of connection is less than the second degree of connection;
  - third determining, from the estimating or the second determining, that the first node is a client and that the second node is a server; and
  - creating one or more classifiers of servers and clients in the network from the result of the third determining;
  - wherein the estimating and third determining are not based on any IP address within the first information.
Dependent claims: 19, 20
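An added example, not taken from the patent or from any implementation of it: a Python illustration of how the timing signal of claim 1 and the degree-of-connection signal of claim 11 can be combined under a fixed rule, as claim 18 describes, including the case where the sensor misses a flow's opening packet. Assumptions made here: a node is modelled as a (label, port) endpoint whose label is an opaque identity key that is never interpreted, the "predetermined rule" is that a degree gap of at least min_gap overrides timing, and the PACKETS records are constructed sample data.

```python
from collections import defaultdict

# Constructed sensor observations: (timestamp, sender endpoint, receiver endpoint).
PACKETS = [
    (10.000, ("n1", 51514), ("n9", 443)),
    (10.020, ("n9", 443), ("n1", 51514)),
    (11.300, ("n2", 40022), ("n9", 443)),
    (11.310, ("n9", 443), ("n2", 40022)),
    (12.700, ("n9", 443), ("n3", 33811)),  # sensor missed n3's opening packet
    (12.900, ("n3", 33811), ("n9", 443)),
    (13.000, ("n4", 5000), ("n5", 6000)),
    (13.004, ("n5", 6000), ("n4", 5000)),
]

def classify(packets, min_gap=2):
    """Map each endpoint pair to (client, server, basis).

    min_gap is a hypothetical threshold: when the two degrees differ by at
    least this much, degree decides; otherwise the earliest sender is the client.
    """
    first_seen = {}            # (a, b) -> (timestamp, sender) of earliest packet
    peers = defaultdict(set)   # endpoint -> unique peer endpoints (its degree)
    for ts, src, dst in packets:
        key = tuple(sorted((src, dst)))
        if key not in first_seen or ts < first_seen[key][0]:
            first_seen[key] = (ts, src)
        peers[src].add(dst)
        peers[dst].add(src)

    result = {}
    for (a, b), (_, initiator) in first_seen.items():
        da, db = len(peers[a]), len(peers[b])
        if abs(da - db) >= min_gap:
            # Higher degree of connection means likely server.
            server, client = (a, b) if da > db else (b, a)
            basis = "degree+timing" if client == initiator else "degree"
        else:
            # Degrees too close to call: the estimated initiator is the client.
            client = initiator
            server = b if initiator == a else a
            basis = "timing"
        result[(a, b)] = (client, server, basis)
    return result

if __name__ == "__main__":
    for pair, verdict in classify(PACKETS).items():
        print(pair, "->", verdict)
```

The n3 flow shows why the two signals are combined: timing alone would label n9 the client because its reply was the first packet the sensor saw, while the degree comparison still places n9 as the server.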
Specification