Technologies for managing compromised sensors in virtualized environments

US 10,505,828 B2
Filed: 06/02/2016
Issued: 12/10/2019
Est. Priority Date: 06/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, from a first capturing agent deployed in a virtualization layer of a first device, a first data report generated by the first capturing agent based on traffic at the first device captured by the first capturing agent at the virtualization layer of the first device;

receiving, from a second capturing agent deployed in a hardware layer of a second device different than the first device, a second data report generated by the second capturing agent based on traffic at the second device captured by the second capturing agent at the hardware layer of the second device;

based on the first data report and the second data report, determining a first set of characteristics of the traffic captured by the first capturing agent and a second set of characteristics of the traffic captured by the second capturing agent;

comparing the first set of characteristics of the traffic captured by the first capturing agent with the second set of characteristics captured by the second capturing agent to determine a multi-layer difference in traffic characteristics; and

based on the multi-layer difference in traffic characteristics, determining that one of the first capturing agent or the second capturing agent is in a faulty state,wherein,the first data report and the second data report are of a plurality of data reports generated during reporting intervals based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the first device and the second device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. In some embodiments, a system can receive, from a first capturing agent deployed in a virtualization layer of a first device, data reports generated based on traffic captured by the first capturing agent. The system can also receive, from a second capturing agent deployed in a hardware layer of a second device, data reports generated based on traffic captured by the second capturing agent. Based on the data reports, the system can determine characteristics of the traffic captured by the first capturing agent and the second capturing agent. The system can then compare the characteristics to determine a multi-layer difference in traffic characteristics. Based on the multi-layer difference in traffic characteristics, the system can determine that the first capturing agent or the second capturing agent is in a faulty state.

Citations

20 Claims

1. A method comprising:
- receiving, from a first capturing agent deployed in a virtualization layer of a first device, a first data report generated by the first capturing agent based on traffic at the first device captured by the first capturing agent at the virtualization layer of the first device;
  
  receiving, from a second capturing agent deployed in a hardware layer of a second device different than the first device, a second data report generated by the second capturing agent based on traffic at the second device captured by the second capturing agent at the hardware layer of the second device;
  
  based on the first data report and the second data report, determining a first set of characteristics of the traffic captured by the first capturing agent and a second set of characteristics of the traffic captured by the second capturing agent;
  
  comparing the first set of characteristics of the traffic captured by the first capturing agent with the second set of characteristics captured by the second capturing agent to determine a multi-layer difference in traffic characteristics; and
  
  based on the multi-layer difference in traffic characteristics, determining that one of the first capturing agent or the second capturing agent is in a faulty state,wherein,the first data report and the second data report are of a plurality of data reports generated during reporting intervals based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the first device and the second device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the virtualization layer comprises one of a virtual machine or a hypervisor and the second device comprises a leaf switch in a spine-leaf network fabric, the first device comprising a host of the hypervisor coupled with the spine-leaf network fabric via the leaf switch.
  - 3. The method of claim 2, wherein the faulty state comprises unauthorized activity, and wherein the first set of characteristics and the second set of characteristics comprise respective amounts of traffic captured at the virtualization layer of the first device and the hardware layer of the second device.
  - 4. The method of claim 3, wherein the determining that one of the first capturing agent or the second capturing agent is in the faulty state comprises:
    - determining that the respective amounts of traffic indicate a threshold discrepancy between a first amount of traffic captured by the first capturing agent at the host and a second amount of traffic captured by the second capturing agent at the leaf switch; and
      
      determining that the threshold discrepancy is at least partially a result of unauthorized activity at at least one of the first capturing agent or the second capturing agent.
  - 5. The method of claim 4, wherein the determining that the threshold discrepancy is at least partially the result of the unauthorized activity comprises determining the first capturing agent at the host is in the faulty state when the first amount of traffic at the host is greater than the second amount of traffic by a threshold amount.
  - 6. The method of claim 4, wherein the first amount of traffic comprises a number of hits to a database residing at the hypervisor on the host.
  - 7. The method of claim 1, wherein the determining that one of the first capturing agent or the second capturing agent is in the faulty state further comprises:
    - based on the first data report from the first capturing agent, determining a first traffic pattern for traffic captured by the first capturing agent at the first device during a first period of time;
      
      based on the second data report from the second capturing agent, determining a second traffic pattern for traffic captured by the second capturing agent at the second device during the first period of time;
      
      based on a first previous report from the first capturing agent, determining a third traffic pattern for traffic captured by the first capturing agent at the first device during a second period of time before the first period of time;
      
      based on a second previous report from the second capturing agent, determining a fourth traffic pattern for traffic captured by the second capturing agent at the second device during the second period of time;
      
      comparing the first traffic pattern with the third traffic pattern to identify a first traffic pattern delta between the first traffic pattern and the third traffic pattern;
      
      comparing the second traffic pattern with the fourth traffic pattern to identify a second traffic pattern delta between the second traffic pattern and the fourth traffic pattern;
      
      determining whether the first traffic pattern delta or the second traffic pattern delta exceed a delta threshold;
      
      when the first traffic pattern delta exceeds the delta threshold, determining that the first capturing agent is in the faulty state; and
      
      when the second traffic pattern delta exceeds the delta threshold, determining that the second capturing agent is in the faulty state.
  - 8. The method of claim 7, wherein:
    - the first traffic pattern delta comprises a first delta in at least one of;
      
      a first amount of traffic captured by the first capturing agent during the first period of time and the second period of time;
      
      ora first frequency of traffic captured by the first capturing agent during the first period of time and the second period of time; and
      
      the second traffic pattern delta comprises a second delta in at least one of;
      
      a second amount of traffic captured by the second capturing agent during the first period of time and the second period of time;
      
      ora second frequency of traffic captured by the second capturing agent during the first period of time and the second period of time.
  - 9. The method of claim 1, wherein the first capturing agent and the second capturing agent comprise at least one of a process, a kernel module, or a software driver.
  - 10. The method of claim 1, further comprising:
    - in response to the determining that at least one of the first capturing agent or the second capturing agent is in the faulty state, marking traffic or packets in at least one of the first data report and/or the second data report as unreliable.
  - 11. The method of claim 1, further comprising:
    - in response to the determining that at least one of the first capturing agent or the second capturing agent is in the faulty state;
      
      aggregating or summarizing data in at least one of the first data report from the first capturing agent or the second data report from the second capturing agent;
      
      orreducing an amount of data in at least one of the first data report from the first capturing agent or the second data report from the second capturing agent retained after receiving one of the first data report or the second data report.
  - 12. The method of claim 1, further comprising:
    - in response to the determining that at least one of the first capturing agent or the second capturing agent is in the faulty state,increasing a time interval for receiving subsequent reports from at least one of the first capturing agent or the second capturing agent, to reduce an amount of data reported from the at least one of the first capturing agent or the second capturing agent during the faulty state.
  - 13. The method of claim 1, wherein the first data report from the first capturing agent and the second data report from the second capturing agent are received via a collector device, the method further comprising:
    - in response to the determining that at least one of the first capturing agent or the second capturing agent is in the faulty state;
      
      dropping, by the collector device, data transmitted by the at least one of the first capturing agent or the second capturing agent;
      
      orpreventing, by the collector device, access by other devices to data received from the at least one of the first capturing agent or the second capturing agent.
  - 14. The method of claim 1, further comprising:
    - determining that at least one other capturing agent is in the faulty state based on a topology of an associated network and a placement in the associated network of the at least one of the first capturing agent or the second capturing agent relative to the at least one other capturing agent.

15. A system comprising:
- one or more processors; and
  
  one or more computer-readable storage devices having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving, from a first capturing agent deployed in a virtualization layer of a first device, a first data report generated by the first capturing agent based on traffic at the first device captured by the first capturing agent at the virtualization layer of the first device;
  
  receiving, from a second capturing agent deployed in a hardware layer of a second device different than the first device, a second data report generated by the second capturing agent based on traffic at the second device captured by the second capturing agent at the hardware layer of the second device;
  
  based on the first data report and the second data report, determining a first set of characteristics of the traffic captured by the first capturing agent and a second set of characteristics of the traffic captured by the second capturing agent;
  
  comparing the first set of characteristics of the traffic captured by the first capturing agent with the second set of characteristics captured by the second capturing agent to determine a multi-layer difference in traffic characteristics; and
  
  based on the multi-layer difference in traffic characteristics, determining that one of the first capturing agent or the second capturing agent is in a faulty state,wherein,the first data report and the second data report are of a plurality of data reports generated during reporting intervals based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the first device and the second device.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein the virtualization layer comprises a hypervisor and the second device comprises a switch in a network fabric, the first device comprising a host of the hypervisor and being coupled with the network fabric via the switch, wherein:
    - the first set of characteristics and the second set of characteristics comprise respective amounts of traffic captured at the virtualization layer of the first device and the hardware layer of the second device; and
      
      the determining that at least one of the first capturing agent or the second capturing agent is in the faulty state comprises;
      
      determining that the respective amounts of traffic indicate a threshold discrepancy between a first amount of traffic captured by the first capturing agent at the host and a second amount of traffic captured by the second capturing agent at a leaf switch; and
      
      determining that the threshold discrepancy is at least partially a result of unauthorized activity at the at least one of the first capturing agent or the second capturing agent.
  - 17. The system of claim 15, wherein the second device is a switch and the first device is a server coupled with a network fabric via the switch, and wherein the determining that at least one of the first capturing agent or the second capturing agent is in the faulty state further comprises:
    - based on the first data report from the first capturing agent and the second data report from the second capturing agent, determining a first traffic pattern for traffic captured by the first capturing agent during a first period of time and a second traffic pattern for traffic captured by the second capturing agent during the first period of time;
      
      based on a first previous report from the first capturing agent and a second previous data report from the second capturing agent, determining a third traffic pattern for traffic captured by the first capturing agent during a second period of time and a fourth traffic pattern for traffic captured by the second capturing agent during the second period of time;
      
      comparing the first traffic pattern with the third traffic pattern and the second traffic pattern with the fourth traffic pattern to identify a first traffic pattern delta between the first traffic pattern and the third traffic pattern and a second traffic pattern delta between the second traffic pattern and the fourth traffic pattern;
      
      when the first traffic pattern delta exceeds a delta threshold, determining that the first capturing agent is in the faulty state; and
      
      when the second traffic pattern delta exceeds the delta threshold, determining that the second capturing agent is in the faulty state.
  - 18. The system of claim 15, the one or more computer-readable storage devices storing additional instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising, in response to the determining that at least one of the first capturing agent or the second capturing agent is in the faulty state:
    - flagging traffic or packets in at least one of the first data report from the first capturing agent or the second data report from the second capturing agent;
      
      dropping data transmitted by the at least one of the first capturing agent or the second capturing agent;
      
      orpreventing access by other devices to data received from the at least one of the first capturing agent or the second capturing agent.
  - 19. The system of claim 15, the one or more computer-readable storage devices storing additional instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising, in response to the determining that at least one of the first capturing agent or the second capturing agent is in the faulty state:
    - increasing a time interval for receiving subsequent reports from at least one of the first capturing agent or the second capturing agent, to reduce an amount of data reported from the at least one of the first capturing agent or the second capturing agent during the faulty state;
      
      aggregating or summarizing data in subsequent reports from at least one of the first capturing agent or the second capturing agent;
      
      orreducing an amount of data, from subsequent reports received from the first capturing agent or the second capturing agent, retained after receipt.

20. A computer-readable storage device storing instructions which, when executed by a processor, cause the processor to perform operations comprising:
- receiving, from a first capturing agent deployed in a virtualization layer of a first device, one or more data reports generated by the first capturing agent based on traffic at the first device captured by the first capturing agent at the virtualization layer of the first device;
  
  receiving, from a second capturing agent deployed in a hardware layer of a second device different than the first device, one or more data reports generated by the second capturing agent based on traffic at the second device captured by the second capturing agent at the hardware layer of the second device;
  
  based on the one or more data reports from the first capturing agent and the second capturing agent, determining a first set of characteristics of the traffic captured by the first capturing agent and a second set of characteristics of the traffic captured by the second capturing agent;
  
  comparing the first set of characteristics of the traffic captured by the first capturing agent with the second set of characteristics captured by the second capturing agent to determine a multi-layer difference in traffic characteristics; and
  
  based on the multi-layer difference in traffic characteristics, determining that one of the first capturing agent or the second capturing agent is in a faulty state, wherein, the first data report and the second data report are of a plurality of data reports generated during reporting intervals based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the first device and the second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Yadav, Navindra, Singh, Abhishek Ranjan, Gupta, Anubhav, Gandham, Shashidhar, Pang, Jackson Ngoc Ki, Chang, Shih-Chun, Vu, Hai Trong
Primary Examiner(s)
Nguyen, Trong H

Application Number

US15/171,763
Publication Number

US 20160359889A1
Time in Patent Office

1,286 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/122   using management policies b...

G06F 16/137   Hash-based content-based in...

G06F 16/162   Delete operations erasing i...

G06F 16/17   Details of further file sys...

G06F 16/173   Customisation support for f...

G06F 16/174   Redundancy elimination perf...

G06F 16/1744   using compression, e.g. spa...

G06F 16/1748   De-duplication implemented ...

G06F 16/2322   using timestamps

G06F 16/235   Update request formulation

G06F 16/2365   Ensuring data consistency a...

G06F 16/24578   using ranking

G06F 16/248   Presentation of query results

G06F 16/285   Clustering or classification

G06F 16/288   Entity relationship models

G06F 16/29   Geographical information da...

G06F 16/9535   Search customisation based ...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595 : Network integration; Enabli...

G06F 21/53 : by executing in a restricte...

G06F 21/552 : involving long-term monitor...

G06F 21/556 : involving covert channels, ...

G06F 21/566 : Dynamic detection, i.e. det...

G06F 2221/033 : Test or assess software

G06F 2221/2101 : Auditing as a secondary aspect

G06F 2221/2105 : Dual mode as a secondary as...

G06F 2221/2111 : Location-sensitive, e.g. ge...

G06F 2221/2115 : Third party

G06F 2221/2145 : Inheriting rights or proper...

G06F 3/0482 : Interaction with lists of s...

G06F 3/04842 : Selection of displayed obje...

G06F 3/04847 : Interaction techniques to c...

G06F 9/45558 : Hypervisor-specific managem...

G06N 20/00 : Machine learning

G06N 99/00 : Subject matter not provided...

G06T 11/206 : Drawing of charts or graphs

H04J 3/0661 : using timestamps

H04J 3/14 : Monitoring arrangements for...

H04L 1/242 : by comparing a transmitted ...

H04L 41/046 : comprising network manageme...

H04L 41/0668 : by dynamic selection of rec...

H04L 41/0803 : Configuration setting

H04L 41/0806 : for initial configuration o...

H04L 41/0816 : the condition being an adap...

H04L 41/0893 : Assignment of logical group...

H04L 41/0894 : Policy-based network config...

H04L 41/12 : Discovery or management of ...

H04L 41/16 : using machine learning or a...

H04L 41/22 : comprising specially adapte...

H04L 41/40 : using virtualisation of net...

H04L 43/02 : Capturing of monitoring data

H04L 43/026 : using flow identification

H04L 43/04 : Processing captured monitor...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 43/0805 : by checking availability

H04L 43/0811 : by checking connectivity

H04L 43/0829 : Packet loss

H04L 43/0841 : Round trip packet loss

H04L 43/0858 : One way delays

H04L 43/0864 : Round trip delays

H04L 43/0876 : Network utilisation, e.g. v...

H04L 43/0882 : Utilisation of link capacity

H04L 43/0888 : Throughput

H04L 43/10 : Active monitoring, e.g. hea...

H04L 43/106 : using time related informat...

H04L 43/12 : Network monitoring probes

H04L 43/16 : Threshold monitoring

H04L 43/20 : the monitoring system or th...

H04L 45/306 : Route determination based o...

H04L 45/38 : Flow based routing

H04L 45/46 : Cluster building

H04L 45/507 : Label distribution

H04L 45/66 : Layer 2 routing, e.g. in Et...

H04L 45/74 : Address processing for routing

H04L 47/11 : Identifying congestion

H04L 47/20 : Traffic policing

H04L 47/2441 : relying on flow classificat...

H04L 47/2483 : involving identification of...

H04L 47/28 : in relation to timing consi...

H04L 47/31 : by tagging of packets, e.g....

H04L 47/32 : by discarding or delaying d...

H04L 61/5007 : Internet protocol [IP] addr...

H04L 63/0227 : Filtering policies mail mes...

H04L 63/0263 : Rule management

H04L 63/06 : for supporting key manageme...

H04L 63/0876 : based on the identity of th...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/145 : the attack involving the pr...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 63/16 : Implementing security featu...

H04L 63/20 : for managing network securi...

H04L 67/01 : Protocols

H04L 67/10 : in which an application is ...

H04L 67/1001 : for accessing one among a p...

H04L 67/12 : specially adapted for propr...

H04L 67/51 : Discovery or management the...

H04L 67/535 : Tracking the activity of th...

H04L 67/75 : Indicating network or usage...

H04L 69/16 : Implementation or adaptatio...

H04L 69/22 : Parsing or analysis of headers

H04L 7/10 : Arrangements for initial sy...

H04L 9/0866 : involving user or device id...

H04L 9/3239 : involving non-keyed hash fu...

H04L 9/3242 : involving keyed hash functi...

H04W 72/54 : based on quality criteria

H04W 84/18 : Self-organising networks, e...

View All

Technologies for managing compromised sensors in virtualized environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Technologies for managing compromised sensors in virtualized environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links