Detecting network misuse
Abstract
An apparatus is equipped to receive network traffic data for network traffic routed over one or more network links relevant to a network link of interest. A selected number of analyses are performed to determine whether the network link of interest is being misused. The analyses include, but are not limited to, analyses to determine whether the routed network traffic is inconsistent with an expected traffic pattern, whether unallocated source addresses are present, whether source addresses exhibit an uncharacteristically even distribution pattern, whether a server is uncharacteristically excessive in responding to the same source address, whether normal bursty behavior is absent from the traffic, whether a ratio of packets in one direction to packets in another direction is out of balance, whether a ratio of packets of one type to packets of another type is out of balance, and whether a server is uncharacteristically excessive in responding with error responses.
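Two of the analyses listed above, the unallocated-source check and the source-distribution check, sketched as an added example; this is not code from the patent. The allocated-prefix table, the use of normalized Shannon entropy as the characteristic measure, the thresholds and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
import math
from collections import Counter

# Constructed stand-in for a database of allocated address space
# (RFC 5737 documentation ranges, not real allocation data).
ALLOCATED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def unallocated_fraction(sources, allocated=ALLOCATED):
    """Share of packets whose source address falls outside every allocated prefix."""
    if not sources:
        return 0.0
    addrs = (ipaddress.ip_address(s) for s in sources)
    outside = sum(1 for a in addrs if not any(a in net for net in allocated))
    return outside / len(sources)

def evenness(sources):
    """Normalized Shannon entropy of per-source packet counts (0 = one talker, 1 = uniform)."""
    counts = Counter(sources)
    if len(counts) < 2:
        return 0.0
    total = sum(counts.values())
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))

def assess(sources, max_unallocated=0.05, max_evenness=0.95, min_packets=50):
    """Return the list of checks that fired; thresholds are illustrative assumptions."""
    findings = []
    if len(sources) < min_packets:
        return findings  # too little data for either measure to mean anything
    if unallocated_fraction(sources) > max_unallocated:
        findings.append("unallocated-sources")
    if evenness(sources) > max_evenness:
        findings.append("even-source-distribution")
    return findings

# Constructed samples: a few heavy talkers vs. one packet from each of 100 sources.
NORMAL = ["192.0.2.10"] * 60 + ["192.0.2.11"] * 25 + ["198.51.100.7"] * 10 + ["192.0.2.200"] * 5
SUSPECT = [f"203.0.113.{i}" for i in range(1, 101)]

if __name__ == "__main__":
    print("normal :", assess(NORMAL))
    print("suspect:", assess(SUSPECT))
```

Legitimate traffic usually concentrates on a small set of sources, so its normalized entropy stays well below 1; both thresholds would need tuning against a baseline for the link being monitored.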
48 Claims
1. A networking method comprising:
receiving threshold specifications for a plurality of network traffic metrics defining an expected network traffic pattern for one or more network links relevant to a network link of interest;
receiving network traffic data associated with said network traffic metrics; and
determining whether said network link of interest is being misused based on said received network traffic data and said received threshold specifications for said network traffic metrics defining said expected network traffic pattern for said one or more network links relevant to said network link of interest.

7. An apparatus comprising:
storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a receiving function to receive threshold specifications for a plurality of network traffic metrics defining an expected network traffic pattern for one or more network links relevant to a network link of interest, a determination function to receive network traffic data associated with said network traffic metrics, and in response, determine whether said network link of interest is being misused based on said received network traffic data and said received threshold specifications for said network traffic metrics defining said expected network traffic pattern for said network link of interest; and
one or more processors coupled to the storage medium to execute the instructions.

13. A networking method comprising:
establishing a database of allocated IP addresses;
receiving source addresses of network traffic routed over one or more network links relevant to a network link of interest; and
determining whether said network link of interest is being misused based on said received source addresses and said established database of allocated IP addresses.

17. An apparatus comprising:
storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a database establishing function to establish a database of allocated IP addresses, a receiving function to receive source addresses of network traffic routed over one or more network links relevant to a network link of interest, and a determination function to determine if said network link of interest is being misused based on said established database of IP addresses and said received source addresses of network traffic routed over said one or more network links relevant to said network link of interest; and
one or more processors coupled to the storage medium to execute the instructions.

21. A networking method comprising:
receiving source addresses of network traffic routed over one or more network links relevant to a network link of interest;
generating a distribution profile of said source addresses;
determining one or more characteristic measures for said distribution profile; and
determining whether said network link of interest is being misused based on said one or more characteristic measures of said distribution profile.

25. An apparatus comprising:
storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a receiving function to receive source addresses of network traffic routed over one or more network links relevant to a network link of interest, a generation function to generate a distribution profile of said received source addresses, a first determination function to determine one or more characteristic measures for said generated distribution profile, and a second determination function to determine whether said network link of interest is being misused based on said one or more determined characteristic measures of said distribution profile; and
one or more processors coupled to the storage medium to execute the instructions.

29. A networking method comprising:
receiving source addresses, destination addresses and traffic types of network traffic routed over one or more network links relevant to a network link of interest;
determining a transmission frequency for a type of network traffic transmitted from a source address to one or more destination addresses; and
determining whether said network link of interest is being misused based on whether said determined transmission frequency is consistent with said network traffic type.

32. An apparatus comprising:
storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a receiving function to receive source addresses, destination addresses and traffic types of network traffic routed over one or more network links relevant to a network link of interest, a first determination function to determine a transmission frequency for a type of network traffic transmitted from a source address to one or more destination addresses, and a second determination function to determine whether said network link of interest is being misused based on whether said determined transmission frequency is consistent with said network traffic type; and
one or more processors coupled to the storage medium to execute the instructions.

35. A networking method comprising:
receiving descriptive data associated with network traffic routed over one or more network links relevant to a network link of interest;
generating at least one measurement metric that normally exhibits a bursty characteristic during normal operation; and
determining whether said network link of interest is being misused based on whether said at least one generated measurement metric exhibits said bursty characteristic.

39. An apparatus comprising:
storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a generator function to receive descriptive data associated with network traffic routed over one or more network links relevant to a network link of interest, and in response, generate at least one measurement metric that normally exhibits a bursty characteristic during normal operation, and a determination function to determine whether said network link of interest is being misused based on whether said at least one generated measurement metric exhibits said bursty characteristic; and
one or more processors coupled to the storage medium to execute the instructions.

43. A networking method comprising:
receiving descriptive data associated with network traffic flows routed over one or more network links relevant to a network link of interest;
generating a ratio for a selected one of packets flowing in a first direction to packets flowing in a second direction and packets of a first type to packets of a second type, using said received descriptive data; and
determining whether said network link of interest is being misused based at least in part on said generated ratio.

46. An apparatus comprising:
storage medium having stored therein executable instructions designed to implement a plurality of network link misuse determination functions including a generation function to receive descriptive data associated with network traffic flows routed over one or more network links relevant to a network link of interest and in response, generate a ratio for a selected one of packets flowing in a first direction to packets flowing in a second direction and packets of a first type to packets of a second type, using said received descriptive data, and a determination function to determine whether said network link of interest is being misused based at least in part on said generated ratio; and
one or more processors coupled to the storage medium to execute the instructions.

Specification