Detecting network misuse

US 20030002436A1
Filed: 06/20/2002
Published: 01/02/2003
Est. Priority Date: 06/20/2001
Status: Active Grant

First Claim

Patent Images

1. A networking method comprising:

receiving threshold specifications for a plurality of network traffic metrics defining an expected network traffic pattern for one or more network links relevant to a network link of interest;

receiving network traffic data associated with said network traffic metrics; and

determining whether said network link of interest is being misused based on said received network traffic data and said received threshold specifications for said network traffic metrics defining said expected network traffic pattern for said one or more network links relevant to said network link of interest.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus is equipped to receive network traffic data for network traffic routed over one or more network links relevant to a network link. Selected numbers of analysis are performed to determine if the network link of interest is being misused. The analyses include but are not limited to analyses to determine whether the network traffic routed are inconsistent with an expected traffic pattern, whether unallocated source addresses are present, whether source addresses exhibit an uncharacteristic even distribution pattern, whether a server is uncharacteristically excessive in responding to the same source address, whether normal bursty behavior is absent from the traffic, whether a ratio of packets in one direction to packets in another direction is out of balance, whether a ratio of packets of one type to packets of another type is out of balance, and whether a server is uncharacteristically excessive in responding with error responses.

Citations

48 Claims

1. A networking method comprising:
- receiving threshold specifications for a plurality of network traffic metrics defining an expected network traffic pattern for one or more network links relevant to a network link of interest;
  
  receiving network traffic data associated with said network traffic metrics; and
  
  determining whether said network link of interest is being misused based on said received network traffic data and said received threshold specifications for said network traffic metrics defining said expected network traffic pattern for said one or more network links relevant to said network link of interest.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said receiving of threshold specifications comprises receiving threshold specifications for a plurality of network traffic metrics for a plurality of network traffic types.
  - 3. The method of claim 1, wherein at least one of said network links is a virtual network link comprising a plurality of physical network links;
    - said receiving of threshold specifications comprises receiving threshold specifications for said plurality of network traffic metrics for said virtual network link;
      
      said receiving of network traffic data comprises receiving network traffic data associated with said network traffic metrics for said plurality of physical network links; and
      
      said determining comprises aggregating said received network traffic data related to said physical network links to generate network traffic data associated with said network traffic metrics for said virtual network link.
  - 4. The method of claim 1, wherein the method further comprises activating/deactivating monitoring of network traffic routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining.
  - 5. The method of claim 1, wherein the method further comprises activating/deactivating regulation of network traffic at one or more network nodes based at least in part on the result of said determining.
  - 6. The method of claim 1, wherein the method further comprises repeating said receiving of network traffic data, and said determining, and automatically adjusting said received threshold specifications to be employed in a next repetition of said determining, based at least in part on the result of one or more prior performance of said determining.

7. An apparatus comprising storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a receiving function to receive threshold specifications for a plurality of network traffic metrics defining an expected network traffic pattern for one or more network links relevant to a network link of interest, a determination function to receive network traffic data associated with said network traffic metrics, and in response, determine whether said network link of interest is being misused based on said received network traffic data and said received threshold specifications for said network traffic metrics defining said expected network traffic pattern for said network link of interest;
- and one or more processors coupled to the storage medium to execute the instructions.
- View Dependent Claims (8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20)
- - 8. The apparatus of claim 7, wherein said receiving function is designed to receive threshold specifications for a plurality of network traffic metrics for a plurality of network traffic types.
  - 9. The apparatus of claim 7, wherein at least one of said network links is a virtual network link comprising a plurality of physical network links;
    - said receiving function is designed to receive threshold specifications for said plurality of network traffic metrics for said virtual network link;
      
      said determining function is designed to receive network traffic data associated with said network traffic metrics for said plurality of physical network links and in response, aggregate said received network traffic data related to said physical network links to generate network traffic data associated with said network traffic metrics for said virtual network link.
  - 10. The apparatus of claim 7, wherein said determining function is further designed to activate/deactivate monitoring of network traffic relevant to said network link of interest based at least in part on the result of said determining function.
  - 11. The apparatus of claim 7, wherein the instructions are further designed to implement a regulation function that activates/deactivates regulation of selected network traffic at one or more network nodes based at least in part on the result of said determining function.
  - 12. The apparatus of claim 7, wherein the instructions further implement a control function to control said second receiving function and said determining function to repeat said receiving of network traffic data, and said determining of misuse, and to automatically adjust said received threshold specifications to be employed by said determining function in a next repetition of said determining, based at least in part on the result of one or more prior performance of said determining.
  - 14. The method of claim 13, wherein said establishing comprises systematically pinging IP addresses for replies.
  - 15. The method of claim 13, wherein the method further comprises activating/deactivating monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining.
  - 16. The method of claim 13, wherein the method further comprises activating/deactivating regulation of network traffic at one or more network nodes based at least in part on the result of said determining.
  - 18. The apparatus of claim 17, wherein said database establishing function is designed to establish said database by systematically pinging IP addresses for replies.
  - 19. The apparatus of claim 17, wherein said receiving function is further designed to activate/deactivate monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining function.
  - 20. The apparatus of claim 17, wherein the instructions are further designed to implement a regulation function that activates/deactivates regulation of selected network traffic at one or more network nodes based at least in part on the result of said determining function.

13. A networking method comprising:
- establishing a database of allocated IP addresses;
  
  receiving source addresses of network traffic routed over one or more network links relevant to a network link of interest; and
  
  determining whether said network link of interest is being misused based on said received source addresses and said established database of allocated IP addresses.

17. An apparatus comprising storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a database establishing function to establish a database of allocated IP addresses, a receiving function to receive source addresses of network traffic routed over one or more network links relevant to a network link of interest, and a determination function to determine if said network link of interest is being misused based on said established database of IP addresses and said received source addresses of network traffic routed over said one or more network links relevant to said network link of interest;
- and one or more processors coupled to the storage medium to execute the instructions.

21. A networking method comprising:
- receiving source addresses of network traffic routed over one or more network links relevant to a network link of interest;
  
  generating a distribution profile of said source addresses;
  
  determining one or more characteristic measures for said distribution profile; and
  
  determining whether said network link of interest is being misused based on said one or more characteristic measures of said distribution profile.
- View Dependent Claims (22, 23, 24, 26, 27, 28, 30, 31)
- - 22. The method of claim 21, wherein said generating comprises generating said distribution profile for a subnet range.
  - 23. The method of claim 21, wherein the method further comprises activating/deactivating monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining.
  - 24. The method of claim 21, wherein the method further comprises activating/deactivating regulation of network traffic at one or more network nodes based at least in part on the result of said determining.
  - 26. The apparatus of claim 25, wherein said generation function is designed to accept a subnet range specification, and generates said distribution profile for said specified subnet range.
  - 27. The apparatus of claim 25, wherein said receiving function is further designed to activate/deactivate monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining function.
  - 28. The apparatus of claim 25, wherein the instructions are further designed to implement a regulation function that activates/deactivates regulation of selected network traffic at one or more network nodes based at least in part on the result of said determining function.
  - 30. The method of claim 29, wherein the method further comprises activating/deactivating monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining.
  - 31. The method of claim 29, wherein the method further comprises activating/deactivating regulation of network traffic at one or more network nodes based at least in part on the result of said determining.

25. An apparatus comprising storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a receiving function to receive source addresses of network traffic routed over one or more network links relevant to a network link of interest, a generation function to generate a distribution profile of said received source addresses, a first determination function to determine one or more characteristic measures for said generated distribution profile, and a second determination function to determine whether said network link of interest is being misused based on said one or more determined characteristic measures of said distribution profile;
- and one or more processors coupled to the storage medium to execute the instructions.

29. A networking method comprising:
- receiving source addresses, destination addresses and traffic types of network traffic routed over one or more network links relevant to a network link of interest;
  
  determining a transmission frequency for a type of network traffic transmitted from a source address to one or more destination addresses; and
  
  determining whether said network link of interest is being misused based on whether said determined transmission frequency is consistent with said network traffic type.

32. An apparatus comprising storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a receiving function to receive source addresses, destination addresses and traffic types of network traffic routed over one or more network links relevant to a network link of interest, a first determination function to determine a transmission frequency for a type of network traffic transmitted from a source address to one or more destination addresses, and a second determination function to determine whether said network link of interest is being misused based on whether said determined transmission frequency is consistent with said network traffic type;
- and one or more processors coupled to the storage medium to execute the instructions.
- View Dependent Claims (33, 34, 36, 37, 38, 40, 41, 42)
- - 33. The apparatus of claim 32, wherein said receiving function is further designed to activate/deactivate monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining function.
  - 34. The apparatus of claim 32, wherein the instructions are further designed to implement a regulation function that activates/deactivates regulation of selected network traffic at one or more network nodes based at least in part on the result of said determining function.
  - 36. The method of claim 35, wherein said at least one generated measurement metric comprises at least a selected one of traffic intensity, intensity per subnet, packet sizes and packets per flow.
  - 37. The method of claim 35, wherein the method further comprises activating/deactivating monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining.
  - 38. The method of claim 35, wherein the method further comprises activating/deactivating regulation of network traffic at one or more network nodes based at least in part on the result of said determining.
  - 40. The apparatus of claim 39, wherein said at least one generated measurement metric comprises at least a selected one of traffic intensity, intensity per subnet, packet sizes and packets per flow.
  - 41. The apparatus of claim 39, wherein said receiving function is further designed to activate/deactivate monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining function.
  - 42. The apparatus of claim 39, wherein the instructions are further designed to implement a regulation function that activates/deactivates regulation of selected network traffic at one or more network nodes based at least in part on the result of said determining function.

35. A networking method comprising:
- receiving descriptive data associated with network traffic routed over one or more network links relevant to a network link of interest;
  
  generating at least one measurement metric that normally exhibits a bursty characteristic during normal operation; and
  
  determining whether said network link of interest is being misused based on whether said at least one generated measurement metric exhibits said bursty characteristic.

39. An apparatus comprising storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a generator function to receive descriptive data associated with network traffic routed over one or more network links relevant to a network link of interest, and in response, generate at least one measurement metric that normally exhibits a bursty characteristic during normal operation, and a determination function to determine whether said network link of interest is being misused based on whether said at least one generated measurement metric exhibits said bursty characteristic;
- and one or more processors coupled to the storage medium to execute the instructions.

43. A networking method comprising:
- receiving descriptive data associated with network traffic flows routed over one or more network links relevant to a network link of interest;
  
  generating a ratio for a selected one of packets flowing in a first direction to packets flowing in a second direction and packets of a first type to packets of a second type, using said received descriptive data; and
  
  determining whether said network link of interest is being misused based at least in part on said generated ratio.
- View Dependent Claims (44, 45, 47, 48)
- - 44. The method of claim 43, wherein the method further comprises activating/deactivating distributed monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining.
  - 45. The method of claim 43, wherein the method further comprises activating/deactivating regulation of network traffic at one or more network nodes based at least in part on the result of said determining.
  - 47. The apparatus of claim 46, wherein said receiving function is further designed to activate/deactivate monitoring of network traffic to be routed over one or more network links relevant to said network link of interest based at least in part on the result of said determining function.
  - 48. The apparatus of claim 46, wherein the instructions are further designed to implement a regulation function that activates/deactivates regulation of selected network traffic at one or more network nodes based at least in part on the result of said determining function.

46. An apparatus comprising storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a generation function to receive descriptive data associated with network traffic flows routed over one or more network links relevant to a network link of interest and in response, generate a ratio for a selected one of packets flowing in a first direction to packets flowing in a second direction and packets of a first type to packets to a second type, using said received descriptive data, and a determination function to determine whether said network link of interest is being misused based at least in part on said generated ratio;
- and one or more processors coupled to the storage medium to execute the instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Anderson, Thomas E., Wetherall, David J., Savage, Stefan R.

Granted Patent

US 8,509,086 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/218
CPC Class Codes

H04L 12/56   Packet switching systems

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/16   Threshold monitoring

H04L 47/10   Flow control; Congestion co...

H04L 47/11   Identifying congestion

H04L 63/1416   Event detection, e.g. attac...

Detecting network misuse

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting network misuse

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links