Correlating network traffic that crosses opaque endpoints

US 10,742,530 B1
Filed: 08/05/2019
Issued: 08/11/2020
Est. Priority Date: 08/05/2019
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using one or more network monitoring computers, comprising:

monitoring two or more network segments that are coupled by one or more bridge devices, wherein the one or more bridge devices modify network traffic passed from one network segment to another network segment;

determining one or more flows in one or more network segments based on network traffic associated with the one or more network segments;

determining one or more other flows in one or more other network segments based on other network traffic associated with the one or more other network segments;

providing a correlation score for two or more flows that are in different network segments based on one or more of a correlation model, a characteristic of the one or more flows, or another characteristic of the one or more other flows;

modifying one or more timing characteristics associated with the one or more flows in the one or more network segments;

determining the one or more other flows in the one or more other network segments based on the one or more timing characteristics;

updating the correlation score for the two or more flows based on the timing characteristics;

determining two or more related flows based on a value of the correlation score of the two or more related flows, wherein the two or more related flows are located in different network segments; and

providing a report that includes information about the two or more related flows.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by bridge devices may be monitored by NMCs. The bridge devices may modify network traffic passed from one network segment to another network segment. Flows in network segments may be determined based on monitored network traffic associated with the network segments. Other flows in other network segments may be determined based on other monitored network traffic associated with the other network segments. A correlation score for two or more flows in different network segments may be provided based on a correlation model. Two or more related flows may be determined based on a value of the correlation score of the two or more related flows located in different network segments. A report that includes information about the two or more related flows may be provided.

Citations

24 Claims

1. A method for monitoring network traffic using one or more network monitoring computers, comprising:
- monitoring two or more network segments that are coupled by one or more bridge devices, wherein the one or more bridge devices modify network traffic passed from one network segment to another network segment;
  
  determining one or more flows in one or more network segments based on network traffic associated with the one or more network segments;
  
  determining one or more other flows in one or more other network segments based on other network traffic associated with the one or more other network segments;
  
  providing a correlation score for two or more flows that are in different network segments based on one or more of a correlation model, a characteristic of the one or more flows, or another characteristic of the one or more other flows;
  
  modifying one or more timing characteristics associated with the one or more flows in the one or more network segments;
  
  determining the one or more other flows in the one or more other network segments based on the one or more timing characteristics;
  
  updating the correlation score for the two or more flows based on the timing characteristics;
  
  determining two or more related flows based on a value of the correlation score of the two or more related flows, wherein the two or more related flows are located in different network segments; and
  
  providing a report that includes information about the two or more related flows.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein modifying the network traffic further comprises:
    - obscuring one or more characteristics of the network traffic passed between network segments, wherein the one or more characteristics of the network traffic includes one or more of source tuple information, destination tuple information, sequence numbers, protocol header fields, or payload content.
  - 3. The method of claim 1, further comprising:
    - modifying the network traffic associated with the one or more flows in the one or more network segments to include fingerprint information, wherein the fingerprint information is passed by the one or more bridge devices from the one or more network segments to the one or more other network segments;
      
      determining the one or more other flows in the one or more other network segments based on the fingerprint information; and
      
      updating the correlation score for the two or more flows based on the fingerprint information.
  - 4. The method of claim 1, further comprising:
    - determining one or more transactions associated with the one or more flows in the one or more network segments based on one or more characteristics of the one or more flows, wherein information associated with the one or more transactions is included in network traffic in the one or more network segments and other network traffic is included in the one or more other network segments;
      
      determining the one or more other flows in the one or more other network segments based on the one or more transactions; and
      
      updating the correlation score for the two or more flows based on the one or more transactions.
  - 5. The method of claim 1, further comprising:
    - determining one or more control flows in the one or more network segments based on one or more characteristics of the one or more control flows;
      
      determining one or more content flows in the one or more other network segments based on one or more characteristics of the one or more content flows; and
      
      updating the correlation score for the one or more control flows and the one or more content flows.
  - 6. The method of claim 1, further comprises:
    - progressively updating information associated with one or more characteristics of the one or more flows based on monitoring the network traffic in the one or more network segments;
      
      progressively updating other information associated with one or more other characteristics of the one or more other flows based on monitoring other network traffic in the one or more other network segments; and
      
      updating the correlation score based on the updated information and the updated other information.

7. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more networking monitoring computers perform the method comprising:
- monitoring two or more network segments that are coupled by one or more bridge devices, wherein the one or more bridge devices modify network traffic passed from one network segment to another network segment;
  
  determining one or more flows in one or more network segments based on network traffic associated with the one or more network segments;
  
  determining one or more other flows in one or more other network segments based on other network traffic associated with the one or more other network segments;
  
  providing a correlation score for two or more flows that are in different network segments based on one or more of a correlation model, a characteristic of the one or more flows, or another characteristic of the one or more other flows;
  
  modifying one or more timing characteristics associated with the one or more flows in the one or more network segments;
  
  determining the one or more other flows in the one or more other network segments based on the one or more timing characteristics;
  
  updating the correlation score for the two or more flows based on the timing characteristics;
  
  determining two or more related flows based on a value of the correlation score of the two or more related flows, wherein the two or more related flows are located in different network segments; and
  
  providing a report that includes information about the two or more related flows.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The processor readable non-transitory storage media of claim 7, wherein modifying the network traffic further comprises:
    - obscuring one or more characteristics of the network traffic passed between network segments, wherein the one or more characteristics of the network traffic includes one or more of source tuple information, destination tuple information, sequence numbers, protocol header fields, or payload content.
  - 9. The processor readable non-transitory storage media of claim 7, further comprising:
    - modifying the network traffic associated with the one or more flows in the one or more network segments to include fingerprint information, wherein the fingerprint information is passed by the one or more bridge devices from the one or more network segments to the one or more other network segments;
      
      determining the one or more other flows in the one or more other network segments based on the fingerprint information; and
      
      updating the correlation score for the two or more flows based on the fingerprint information.
  - 10. The processor readable non-transitory storage media of claim 7, further comprising:
    - determining one or more transactions associated with the one or more flows in the one or more network segments based on one or more characteristics of the one or more flows, wherein information associated with the one or more transactions is included in network traffic in the one or more network segments and other network traffic is included in the one or more other network segments;
      
      determining the one or more other flows in the one or more other network segments based on the one or more transactions; and
      
      updating the correlation score for the two or more flows based on the one or more transactions.
  - 11. The processor readable non-transitory storage media of claim 7, further comprising:
    - determining one or more control flows in the one or more network segments based on one or more characteristics of the one or more control flows;
      
      determining one or more content flows in the one or more other network segments based on one or more characteristics of the one or more content flows; and
      
      updating the correlation score for the one or more control flows and the one or more content flows.
  - 12. The processor readable non-transitory storage media of claim 7, further comprises:
    - progressively updating information associated with one or more characteristics of the one or more flows based on monitoring the network traffic in the one or more network segments;
      
      progressively updating other information associated with one or more other characteristics of the one or more other flows based on monitoring other network traffic in the one or more other network segments; and
      
      updating the correlation score based on the updated information and the updated other information.

13. A system for monitoring network traffic in a network, comprising:
- one or more network monitoring computers (NMCs), wherein each of the one or more NMCs comprises;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  monitoring two or more network segments that are coupled by one or more bridge devices, wherein the one or more bridge devices modify network traffic passed from one network segment to another network segment;
  
  determining one or more flows in one or more network segments based on network traffic associated with the one or more network segments;
  
  determining one or more other flows in one or more other network segments based on other network traffic associated with the one or more other network segments;
  
  providing a correlation score for two or more flows that are in different network segments based on one or more of a correlation model, a characteristic of the one or more flows, or another characteristic of the one or more other flows;
  
  modifying one or more timing characteristics associated with the one or more flows in the one or more network segments;
  
  determining the one or more other flows in the one or more other network segments based on the one or more timing characteristics;
  
  updating the correlation score for the two or more flows based on the timing characteristics;
  
  determining two or more related flows based on a value of the correlation score of the two or more related flows, wherein the two or more related flows are located in different network segments; and
  
  providing a report that includes information about the two or more related flows; and
  
  one or more client computers, wherein each of the one or more client computers comprises;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing a portion of the network traffic associated with the one or more flows.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein modifying the network traffic further comprises:
    - obscuring one or more characteristics of the network traffic passed between network segments, wherein the one or more characteristics of the network traffic includes one or more of source tuple information, destination tuple information, sequence numbers, protocol header fields, or payload content.
  - 15. The system of claim 13, wherein the one or more NMC processors execute instructions that perform actions, further comprising:
    - modifying the network traffic associated with the one or more flows in the one or more network segments to include fingerprint information, wherein the fingerprint information is passed by the one or more bridge devices from the one or more network segments to the one or more other network segments;
      
      determining the one or more other flows in the one or more other network segments based on the fingerprint information; and
      
      updating the correlation score for the two or more flows based on the fingerprint information.
  - 16. The system of claim 13, wherein the one or more NMC processors execute instructions that perform actions, further comprising:
    - determining one or more transactions associated with the one or more flows in the one or more network segments based on one or more characteristics of the one or more flows, wherein information associated with the one or more transactions is included in network traffic in the one or more network segments and other network traffic is included in the one or more other network segments;
      
      determining the one or more other flows in the one or more other network segments based on the one or more transactions; and
      
      updating the correlation score for the two or more flows based on the one or more transactions.
  - 17. The system of claim 13, wherein the one or more NMC processors execute instructions that perform actions, further comprising:
    - determining one or more control flows in the one or more network segments based on one or more characteristics of the one or more control flows;
      
      determining one or more content flows in the one or more other network segments based on one or more characteristics of the one or more content flows; and
      
      updating the correlation score for the one or more control flows and the one or more content flows.
  - 18. The system of claim 13, wherein the one or more NMC processors execute instructions that perform actions, further comprising:
    - progressively updating information associated with one or more characteristics of the one or more flows based on monitoring the network traffic in the one or more network segments;
      
      progressively updating other information associated with one or more other characteristics of the one or more other flows based on monitoring other network traffic in the one or more other network segments; and
      
      updating the correlation score based on the updated information and the updated other information.

19. A network monitoring computer (NMC) for monitoring network traffic between one or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  monitoring two or more network segments that are coupled by one or more bridge devices, wherein the one or more bridge devices modify network traffic passed from one network segment to another network segment;
  
  determining one or more flows in one or more network segments based on network traffic associated with the one or more network segments;
  
  determining one or more other flows in one or more other network segments based on other network traffic associated with the one or more other network segments;
  
  providing a correlation score for two or more flows that are in different network segments based on one or more of a correlation model, a characteristic of the one or more flows, or another characteristic of the one or more other flows;
  
  modifying one or more timing characteristics associated with the one or more flows in the one or more network segments;
  
  determining the one or more other flows in the one or more other network segments based on the one or more timing characteristics;
  
  updating the correlation score for the two or more flows based on the timing characteristics;
  
  determining two or more related flows based on a value of the correlation score of the two or more related flows, wherein the two or more related flows are located in different network segments; and
  
  providing a report that includes information about the two or more related flows.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The NMC of claim 19, wherein modifying the network traffic further comprises:
    - obscuring one or more characteristics of the network traffic passed between network segments, wherein the one or more characteristics of the network traffic includes one or more of source tuple information, destination tuple information, sequence numbers, protocol header fields, or payload content.
  - 21. The NMC of claim 19, wherein the one or more processors execute instructions that perform actions, further comprising:
    - modifying the network traffic associated with the one or more flows in the one or more network segments to include fingerprint information, wherein the fingerprint information is passed by the one or more bridge devices from the one or more network segments to the one or more other network segments;
      
      determining the one or more other flows in the one or more other network segments based on the fingerprint information; and
      
      updating the correlation score for the two or more flows based on the fingerprint information.
  - 22. The NMC of claim 19, wherein the one or more processors execute instructions that perform actions, further comprising:
    - determining one or more transactions associated with the one or more flows in the one or more network segments based on one or more characteristics of the one or more flows, wherein information associated with the one or more transactions is included in network traffic in the one or more network segments and other network traffic is included in the one or more other network segments;
      
      determining the one or more other flows in the one or more other network segments based on the one or more transactions; and
      
      updating the correlation score for the two or more flows based on the one or more transactions.
  - 23. The NMC of claim 19, wherein the one or more processors execute instructions that perform actions, further comprising:
    - determining one or more control flows in the one or more network segments based on one or more characteristics of the one or more control flows;
      
      determining one or more content flows in the one or more other network segments based on one or more characteristics of the one or more content flows; and
      
      updating the correlation score for the one or more control flows and the one or more content flows.
  - 24. The NMC of claim 19, wherein the one or more processors execute instructions that perform actions, further comprising:
    - progressively updating information associated with one or more characteristics of the one or more flows based on monitoring the network traffic in the one or more network segments;
      
      progressively updating other information associated with one or more other characteristics of the one or more other flows based on monitoring other network traffic in the one or more other network segments; and
      
      updating the correlation score based on the updated information and the updated other information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Wu, Xue Jun, Mukerji, Arindum, Costlow, Jeff James, Montague, Michael Kerber Krause
Primary Examiner(s)
Nowlin, Eric

Application Number

US16/532,275
Time in Patent Office

372 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/12   Discovery or management of ...

H04L 41/142   using statistical or mathem...

H04L 41/145   involving simulating, desig...

H04L 41/40   using virtualisation of net...

H04L 41/5009   Determining service level p...

H04L 43/026   using flow identification

H04L 43/062   related to network traffic

H04L 43/08   Monitoring or testing based...

H04L 43/20   the monitoring system or th...

H04L 47/41   by acting on aggregated flo...

Correlating network traffic that crosses opaque endpoints

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Correlating network traffic that crosses opaque endpoints

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links