Hierarchical navigation through network flow data

US 10,728,109 B1
Filed: 03/15/2017
Issued: 07/28/2020
Est. Priority Date: 03/15/2017
Status: Active Grant

First Claim

Patent Images

1. A method for hierarchical navigation of network flow data, the method comprising:

receiving, over a network, network flow data describing communications between servers;

receiving multi-dimensional labels for each of the different servers, wherein each multi-dimensional label comprises a set of values corresponding to a set of respective server dimensions, wherein a server dimension describes a characteristic of the server;

annotating the network flow data with the multi-dimensional labels describing the servers associated with the communications;

storing the annotated network flow data to a database;

configuring a user interface to display the annotated network flow data from the database using a parallel coordinate graph having a plurality of axes, the configuring comprising;

configuring the parallel coordinate graph to have a first axis associated with a first set of server dimensions of the multi-dimensional labels;

identifying a first set of servers each having a first set of label values assigned to the first set of server dimensions associated with the first axis;

representing the first set of servers as a first data point on the first axis;

configuring the parallel coordinate graph to have a second axis associated with a second set of server dimensions of the multi-dimensional labels;

identifying a second set of servers each having a second set of label values assigned to the second set of server dimensions associated with the second axis;

representing the second set of servers as a second data point on the second axis;

configuring the parallel coordinate graph to have a third axis associated with a third set of server dimensions of the multi-dimensional labels;

identifying a third set of servers each having a third set of label values assigned to the third set of server dimensions associated with the third axis;

representing the third set of servers as a third data point on the third axis;

determining, based on the network flow data, if at least one of the first set of servers communicates with at least one of the second set servers;

responsive to determining that at least one of the first set of servers communicates with at least one of the second set of servers, generating a representation of a connection between the first set of servers and the second set of servers as a line connecting the first data point on the first axis to the second data point on the second axis;

determining, based on the network flow data, if a connection between at least one of the first set of servers and at least one of the third set servers is blocked by a domain wide administrative policy;

responsive to that the connection is blocked, generating a representation of a blocked connection between the first set of servers and the third set of servers as a line connecting the first data point on the first axis to the third data point on the third axis that is visually distinguished from the line connecting the first data point to the second data point; and

sending the configured user interface for display via a client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system performs hierarchical navigation through network flow data. A user interface is configured to display network flow data and allow hierarchical navigation across the network flow data. The user interface comprises a plurality of axes and lines connecting data points between axes. Data points along an axis represent values of an attribute aggregated along a set of dimensions. The system receives requests for expanding data points along a particular dimension or collapsing the data points along the particular dimension. The system reconfigures the user interface according to the received request and sends the reconfigured user interface for display via the client device. The user interface provides better visibility into the network flow data, thereby allowing security analysts to spot communication patterns associated with security issues and navigate through various dimensions to further analyze a suspect communication pattern.

Citations

20 Claims

1. A method for hierarchical navigation of network flow data, the method comprising:
- receiving, over a network, network flow data describing communications between servers;
  
  receiving multi-dimensional labels for each of the different servers, wherein each multi-dimensional label comprises a set of values corresponding to a set of respective server dimensions, wherein a server dimension describes a characteristic of the server;
  
  annotating the network flow data with the multi-dimensional labels describing the servers associated with the communications;
  
  storing the annotated network flow data to a database;
  
  configuring a user interface to display the annotated network flow data from the database using a parallel coordinate graph having a plurality of axes, the configuring comprising;
  
  configuring the parallel coordinate graph to have a first axis associated with a first set of server dimensions of the multi-dimensional labels;
  
  identifying a first set of servers each having a first set of label values assigned to the first set of server dimensions associated with the first axis;
  
  representing the first set of servers as a first data point on the first axis;
  
  configuring the parallel coordinate graph to have a second axis associated with a second set of server dimensions of the multi-dimensional labels;
  
  identifying a second set of servers each having a second set of label values assigned to the second set of server dimensions associated with the second axis;
  
  representing the second set of servers as a second data point on the second axis;
  
  configuring the parallel coordinate graph to have a third axis associated with a third set of server dimensions of the multi-dimensional labels;
  
  identifying a third set of servers each having a third set of label values assigned to the third set of server dimensions associated with the third axis;
  
  representing the third set of servers as a third data point on the third axis;
  
  determining, based on the network flow data, if at least one of the first set of servers communicates with at least one of the second set servers;
  
  responsive to determining that at least one of the first set of servers communicates with at least one of the second set of servers, generating a representation of a connection between the first set of servers and the second set of servers as a line connecting the first data point on the first axis to the second data point on the second axis;
  
  determining, based on the network flow data, if a connection between at least one of the first set of servers and at least one of the third set servers is blocked by a domain wide administrative policy;
  
  responsive to that the connection is blocked, generating a representation of a blocked connection between the first set of servers and the third set of servers as a line connecting the first data point on the first axis to the third data point on the third axis that is visually distinguished from the line connecting the first data point to the second data point; and
  
  sending the configured user interface for display via a client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - receiving a request to modify data points along the first axis wherein the request is for;
      
      expanding data points along the first axis or collapsing the data points along the first axis;
      
      reconfiguring the user interface in accordance with the received request, the reconfiguring comprising representing a modified set of data points on the first axis; and
      
      sending the reconfigured user interface for display via the client device.
  - 3. The method of claim 2, wherein reconfiguring the user interface in accordance with the received request, comprises:
    - modifying the first set of server dimensions associated with the first axis in accordance with the received request, the modifying comprising one of;
      
      adding a server dimension to the first set of dimensions or removing a server dimension from the first set of server dimensions;
      
      replacing the data points along the first axis with new data points obtained by aggregating along the modified first set of server dimensions; and
      
      replacing lines connecting the data points of the first axis to connect the new data points with other axes.
  - 4. The method of claim 3, wherein the received request is a request for expanding data points of the first axis, the method further comprising:
    - for each data point along the first axis represented by a first tuple, replacing the data point by one or more data points, wherein each replaced data point is represented by a second tuple, the second tuple comprising elements of the first tuple and an element representing a value of the first server dimension.
  - 5. The method of claim 3, wherein the received request is a request for collapsing data points of the first axis, the method further comprising:
    - replacing one or more data points of the first axis with a combined data point, the combined data point represented by a tuple obtained by removing the first server dimension from the tuples representing the one or more data points.
  - 6. The method of claim 1, wherein each communication is from a source server to a destination server, wherein the plurality of axes comprises a source axis representing a source servers of the communications and a destination axis representing destination servers of the communications.
  - 7. The method of claim 6, further configuring for display a port axis wherein a data point on the port axis represents a port of a destination server used for communicating with the destination server, the method comprising:
    - configuring for display via the user interface, lines connecting data points on the destination axis with data points on the port axis.
  - 8. The method of claim 6, wherein the user interface comprises lines connecting data points along the source axis with data point along the destination axis, wherein a data point on the source axis represents a set of source servers and a data point on the destination axis represents a set of destination servers.
  - 9. The method of claim 8, wherein a display attribute of lines connecting data points along the source axis with data point along the destination axis is determined based on a rate of communications from the set of source servers to the set of destination servers, wherein the display attribute is one of:
    - a width of the line, a color of the line, or a shading of the line.
  - 10. The method of claim 8, wherein a display attribute of lines connecting data points along the source axis with data point along the destination axis represents whether a connection is allowed or rejected.
  - 11. The method of claim 1, wherein each data point along the first axis is associated with a tuple, wherein each element of the tuple specifies one or more values of a server dimension from the first set of server dimensions.
  - 12. The method of claim 1, wherein the multi-dimensional labels represent one or more of:
    - a role of a server within an administrative domain, an application to which the server belongs, or an environment representing a lifecycle stage associated with a server.

13. A non-transitory computer readable storage medium storing instructions executable by a processor for:
- receiving network flow data describing communications between servers;
  
  receiving, over a network, network flow data describing communications between servers;
  
  receiving multi-dimensional labels for each of the different servers, wherein each multi-dimensional label comprises a set of values corresponding to a set of respective server dimensions, wherein a server dimension describes a characteristic of the server;
  
  annotating the network flow data with the multi-dimensional labels describing the servers associated with the communications;
  
  storing the annotated network flow data to a database;
  
  configuring a user interface to display the annotated network flow data from the database using a parallel coordinate graph having a plurality of axes, the configuring comprising;
  
  configuring the parallel coordinate graph to have a first axis associated with a first set of server dimensions of the multi-dimensional labels;
  
  identifying a first set of servers each having a first set of label values assigned to the first set of server dimensions associated with the first axis;
  
  representing the first set of servers as a first data point on the first axis;
  
  configuring the parallel coordinate graph to have a second axis associated with a second set of server dimensions of the multi-dimensional labels;
  
  identifying a second set of servers each having a second set of label values assigned to the second set of server dimensions associated with the second axis;
  
  representing the second set of servers as a second data point on the second axis;
  
  configuring the parallel coordinate graph to have a third axis associated with a third set of server dimensions of the multi-dimensional labels;
  
  identifying a third set of servers each having a third set of label values assigned to the third set of server dimensions associated with the third axis;
  
  representing the third set of servers as a third data point on the third axis;
  
  determining, based on the network flow data, if at least one of the first set of servers communicates with at least one of the second set servers;
  
  responsive to determining that at least one of the first set of servers communicates with at least one of the second set of servers, generating a representation of a connection between the first set of servers and the second set of servers as a line connecting the first data point on the first axis to the second data point on the second axis;
  
  determining, based on the network flow data, if a connection between at least one of the first set of servers and at least one of the third set servers is blocked by a domain wide administrative policy;
  
  responsive to that the connection is blocked, generating a representation of a blocked connection between the first set of servers and the third set of servers as a line connecting the first data point on the first axis to the third data point on the third axis that is visually distinguished from the line connecting the first data point to the second data point; and
  
  sending the configured user interface for display via a client device.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein the stored instructions further comprise instructions for:
    - receiving a request to modify data points along the first axis wherein the request is for;
      
      expanding data points along the first axis or collapsing the data points along the first axis;
      
      reconfiguring the user interface in accordance with the received request, the reconfiguring comprising representing a modified set of data points on the first axis; and
      
      sending the reconfigured user interface for display via the client device.
  - 15. The non-transitory computer readable storage medium of claim 14, wherein instructions for reconfiguring the user interface in accordance with the received request comprise instructions for:
    - modifying the first set of server dimensions associated with the first axis in accordance with the received request, the modifying comprising one of;
      
      adding a server dimension to the first set of dimensions or removing a server dimension from the first set of server dimensions;
      
      replacing the data points along the first axis with new data points obtained by aggregating along the modified first set of server dimensions; and
      
      replacing lines connecting the data points of the first axis to connect the new data points with other axes.
  - 16. The non-transitory computer readable storage medium of claim 15, wherein the received request is a request for expanding data points of the particular axis along the particular server dimension, the stored instructions further comprising instructions for:
    - for each data point along the first axis represented by a first tuple, replacing the data point by one or more data points, wherein each replaced data point is represented by a second tuple, the second tuple comprising elements of the first tuple and an element representing a value of the first server dimension.
  - 17. The non-transitory computer readable storage medium of claim 15, wherein the received request is a request for collapsing data points of the first axis, the method further comprising:
    - replacing one or more data points of the first axis with a combined data point, the combined data point represented by a tuple obtained by removing the first server dimension from the tuples representing the one or more data points.

18. A computer system comprising:
- one or more processors;
  
  a computer readable non-transitory storage medium storing instructions for execution by the one or more processors, wherein the stored instructions comprise instructions for;
  
  receiving, over a network, network flow data describing communications between servers;
  
  receiving multi-dimensional labels for each of the different servers, wherein each multi-dimensional label comprises a set of values corresponding to a set of respective server dimensions, wherein a server dimension describes a characteristic of the server;
  
  annotating the network flow data with the multi-dimensional labels describing the servers associated with the communications;
  
  storing the annotated network flow data to a database;
  
  configuring a user interface to display the annotated network flow data from the database using a parallel coordinate graph having a plurality of axes, the configuring comprising;
  
  configuring the parallel coordinate graph to have a first axis associated with a first set of server dimensions of the multi-dimensional labels;
  
  identifying a first set of servers each having a first set of label values assigned to the first set of server dimensions associated with the first axis;
  
  representing the first set of servers as a first data point on the first axis;
  
  configuring the parallel coordinate graph to have a second axis associated with a second set of server dimensions of the multi-dimensional labels;
  
  identifying a second set of servers each having a second set of label values assigned to the second set of server dimensions associated with the second axis;
  
  representing the second set of servers as a second data point on the second axis;
  
  configuring the parallel coordinate graph to have a third axis associated with a third set of server dimensions of the multi-dimensional labels;
  
  identifying a third set of servers each having a third set of label values assigned to the third set of server dimensions associated with the third axis;
  
  representing the third set of servers as a third data point on the third axis;
  
  determining, based on the network flow data, if at least one of the first set of servers communicates with at least one of the second set servers;
  
  responsive to determining that at least one of the first set of servers communicates with at least one of the second set of servers, generating a representation of a connection between the first set of servers and the second set of servers as a line connecting the first data point on the first axis to the second data point on the second axis;
  
  determining, based on the network flow data, if a connection between at least one of the first set of servers and at least one of the third set servers is blocked by a domain wide administrative policy;
  
  responsive to that the connection is blocked, generating a representation of a blocked connection between the first set of servers and the third set of servers as a line connecting the first data point on the first axis to the third data point on the third axis that is visually distinguished from the line connecting the first data point to the second data point; and
  
  sending the configured user interface for display via a client device.
- View Dependent Claims (19, 20)
- - 19. The computer system of claim 18, wherein the stored instructions further comprise instructions for:
    - receiving a request to modify data points along the first axis wherein the request is for;
      
      expanding data points along the first axis or collapsing the data points along the first axis;
      
      reconfiguring the user interface in accordance with the received request, the reconfiguring comprising representing a modified set of data points on the first axis; and
      
      sending the reconfigured user interface for display via the client device.
  - 20. The computer system of claim 19, wherein instructions for reconfiguring the user interface in accordance with the received request comprise instructions for:
    - modifying the first set of server dimensions associated with the first axis in accordance with the received request, the modifying comprising one of;
      
      adding a server dimension to the first set of dimensions or removing a server dimension from the first set of server dimensions;
      
      replacing the data points along the first axis with new data points obtained by aggregating along the modified first set of server dimensions; and
      
      replacing lines connecting the data points of the first axis to connect the new data points with other axes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Illumio, Inc.
Original Assignee
Illumio, Inc.
Inventors
Hu, Xianlin
Primary Examiner(s)
Dollinger, Tonia L
Assistant Examiner(s)
Nguyen, Linh T.

Application Number

US15/460,158
Time in Patent Office

1,231 Days
Field of Search

709224, 726 3, 345440, 345594
US Class Current
CPC Class Codes

H04L 41/0813   characterised by the condit...

H04L 41/0894   Policy-based network config...

H04L 41/22   comprising specially adapte...

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 67/01   Protocols

Y02D 30/50   in wire-line communication ...

Hierarchical navigation through network flow data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical navigation through network flow data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links