Using flow metric events to control network operation

US 20060075093A1
Filed: 10/05/2004
Published: 04/06/2006
Est. Priority Date: 10/05/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method of monitoring flows of a network system and responding to triggering conditions based on the monitoring, the network system including one or more network devices, the method comprising the steps of:

a. monitoring the network system for flow metrics events;

b. analyzing the monitored flow metric events; and

c. generating a response deemed responsive to any analyzed flow metric events determined to require a response.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to monitor, detect, analyze and respond to, triggering conditions associated with packet and signal flows in a network system including attached functions and a network infrastructure. The system includes a detection function, an analysis function, and a response function. The detection function includes a monitoring sub-function, a flow definition sub-function, and a monitor counter sub-function. The flow definition sub-function defines the types of activities associated with the traffic flow that may indicate a triggering condition requiring analysis and potentially a response. The monitor sub-function observes traffic flows. The monitor counter sub-function counts the defined types of activities occurring in the device. The analysis function analyzes the event from the monitored flows, flow counters, status and other network information and determines whether a response is required. The response function initiates a response to a perceived event or attack based on the events detected in the flow metrics and other data. The response function further includes a sub-function for activating changes throughout the network system based on receiving and sending event notifications. Responses generated by the response function include dynamic policy changes.

141 Citations

55 Claims

1. A method of monitoring flows of a network system and responding to triggering conditions based on the monitoring, the network system including one or more network devices, the method comprising the steps of:
- a. monitoring the network system for flow metrics events;
  
  b. analyzing the monitored flow metric events; and
  
  c. generating a response deemed responsive to any analyzed flow metric events determined to require a response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as claimed in claim 1 further comprising the step of establishing flow metrics, events and corresponding responses.
  - 3. The method as claimed in claim 1 wherein the responses include dynamic policy changes.
  - 4. The method as claimed in claim 1 further comprising the step of logging flow metrics events.
  - 5. The method as claimed in claim 1 further comprising the step of logging analyses performed and responses generated.
  - 6. The method as claimed in claim 5 further comprising the step of modifying flows and responses based on logged analyses.
  - 7. The method as claimed in claim 1 wherein the step of generating a response includes distributing one or more policy changes to one or more network devices.
  - 8. The method as claimed in claim 1 wherein the step of generating a response includes modifying the flow metrics being monitored.
  - 9. The method as claimed in claim 1 wherein steps a-c are performed by a single network device or by two or more network devices.
  - 10. The method as claimed in claim 9 wherein the network devices are selected from the group consisting of switches, routers, wireless APs, network entry devices, central switching devices, and servers.
  - 11. The method as claimed in claim 1 wherein a flow metric event is based on a flow definition.
  - 12. The method as claimed in claim 11 wherein the flow definition includes Open System Interconnection (OSI) information from any layer of the OSI model.
  - 13. The method as claimed in claim 11 wherein the flow definition includes data based on field definitions within the packets of data.
  - 14. The method as claimed in claim 11 wherein the flow definition includes data field and bit pattern information within the packets of data.
  - 15. The method as claimed in claim 11 wherein the step of analyzing further includes the step of analyzing other information in addition to flow metric events.
  - 16. The method as claimed in claim 1 wherein the flow metrics are selected from a group consisting of an active flows counter, an historical flows counter, a new flow creation rate, a peak new flow creation rate, an instantaneous attempted new flow creation rate, an average attempted new flow creation rate, a peak attempted new flow creation rate, an instantaneous failed new flow creation rate, flows since a defined event, time since last new flow creation, network administrator defined, and system-wide aggregate instantaneous, average and peak, counters.

17. A method of detecting and responding to one or more triggering conditions associated with flows of signal exchanges from or between a plurality of attached functions of a network system, the network system including one or more network devices, the method comprising the steps of:
- a. establishing flow definitions;
  
  b. associating each flow definition with a flow counter, wherein the flow counter generates count information for the defined flow;
  
  c. monitoring one or more flows of the network system for the flow definitions; and
  
  d. generating a response when the count information reaches a defined value.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The method as claimed in claim 17 wherein the step of monitoring includes monitoring one or more source addresses of one or more network infrastructure devices, one or more attached functions, or a combination of one or more network infrastructure devices and one or more attached functions.
  - 19. The method as claimed in claim 17 wherein the step of monitoring includes monitoring one or more destination addresses of one or more network infrastructure devices, one or more attached functions, or a combination of one or more network infrastructure devices and one or more attached functions.
  - 20. The method as claimed in claim 17 wherein the step of monitoring includes monitoring one or more ingress ports of one or more network infrastructure devices.
  - 21. The method as claimed in claim 17 wherein the step of monitoring includes monitoring one or more egress ports of one or more network infrastructure devices.
  - 22. The method as claimed in claim 17 wherein the step of monitoring includes monitoring bilateral address pairs between two network system devices.

23. A method of tracking flows of signal exchanges via packets between a plurality of attached functions of a network system, identifying one or more triggering conditions associated with the flows, and generating a response, the network system including one or more network infrastructure devices, the method comprising the steps of:
- a. establishing a flow definition;
  
  b. monitoring one or more defined flows;
  
  c. associating each flow definition with a flow counter, wherein the flow counter generates count information for the flow definition;
  
  d. defining particular count information as a triggering condition; and
  
  e. upon determining that a triggering condition exists, generating a response by changing one or more policies associated with one or more network infrastructure devices, one or more attached functions, or both.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 24. The method as claimed in claim 23 wherein the response triggering condition is count information generated by the flow counter exceeding a defined value.
  - 25. The method as claimed in claim 24 wherein the response is deactivated when the count information value falls below the defined value.
  - 26. The method as claimed in claim 24 wherein the response is deactivated when the count information value falls below a second defined value that is below the defined value.
  - 27. The method as claimed in claim 23 wherein the response triggering condition is count information generated by a first flow counter reaching a first defined value and count information generated by a second flow counter reaching a second defined value.
  - 28. The method as claimed in claim 23 wherein the triggering condition is count information generated by a first flow counter reaching a first defined value and after determining that the first defined value has been reached, determining whether count information generated by a second flow counter has reached a second defined value.
  - 29. The method as claimed in claim 23 wherein the step of generating a response includes dropping one or more packets of a monitored flow to force creation of a new flow.
  - 30. The method as claimed in claim 23 wherein the step of generating a response includes sending an SNMP trap.
  - 31. The method as claimed in claim 23 wherein the step of generating a response includes logging the monitored flow with a syslog server.
  - 32. The method as claimed in claim 23 wherein the step of generating a response includes reducing the priority of the monitored flow.
  - 33. The method as claimed in claim 23 wherein the step of generating a response includes disabling the port of entry of the monitored flow.
  - 34. The method as claimed in claim 23 wherein the step of generating a response includes changing one or more policies associated with one or more attached functions, one or more network infrastructure devices, or a combination thereof, associated with the monitored flow by adjusting an access control list, a packet filtering arrangement, or a bandwidth permission.

35. A Detection and Response System (DRS) for tracking flows of signal exchanges via packets from or between a plurality of functions of a network system, identifying one or more triggering conditions associated with the flows, and generating a response to the one or more triggering conditions, the network system including one or more network infrastructure devices, the DRS comprising:
- a. a Detection Function for monitoring defined flows associated with the network system, and detecting defined triggering conditions; and
  
  b. a Response Function for responding to triggering conditions defined to require a response and implementing a change of condition of the network system.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 36. The DRS as claimed in claim 35 wherein the Detection Function includes a monitor sub-function for monitoring flows based on specific metrics.
  - 37. The DRS as claimed in claim 36 wherein the specified metrics are selected from the group consisting of:
    - source address, destination address, ingress port, egress port, and bilateral address pair.
  - 38. The DRS as claimed in claim 35 wherein the Detection Function includes a flow definition sub-function for defining other information associated with a monitored flow.
  - 39. The DRS as claimed in claim 38 wherein the information associated with a monitored flow is selected from the group consisting of:
    - any layer of the OSI model.
  - 40. The DRS as claimed in claim 35 further comprising an Analysis Function for analyzing detected triggering conditions and identifying the response to generate.
  - 41. The DRS as claimed in claim 40 wherein the Detection Function, the Analysis Function, and the Response Function are embodied in a plurality of network devices, the DRS further comprising means for the plurality of devices to communicate.
  - 42. The DRS as claimed in claim 35 wherein the Detection Function includes and uses other network status, data or information, in addition to the defined flow to create a triggering condition.
  - 43. The DRS as claimed in claim 42 wherein the data or information includes time based information.
  - 44. The DRS as claimed in claim 35 wherein the response function initiates a change in operation upon detection by the Detection Function of a monitored flow having activity exceeding a first defined threshold value over a defined time interval and the Response Function deactivating the change upon the monitored flow activity reaching a second defined threshold value less than the first defined threshold value.
  - 45. The DRS as claimed in claim 35 wherein the Response Function initiates an action in response to a trigger from the Detection Function, the action selected from the group consisting of:
    - drop one or more packets, allow one or more packets to be processed, send an SNMP trap, log the activity causing initiation of the trigger, delay the flow, reduce the priority of the flow, and initiate a defined policy change.

46. A Detection and Response System (DRS) for tracking flows of signal exchanges via packets between a plurality of attached functions of a network system, identifying one or more triggering conditions associated with the flows, and generating a response, the network system including one or more network infrastructure devices, the DRS comprising:
- a. a flow definition sub-function for defining activity types to be monitored;
  
  b. a monitor sub-function for monitoring flows associated with the network system;
  
  c. a monitor counter sub-function for counting the defined activity types; and
  
  d. a response function for initiating a response in the network system to a monitored flow based on a count of a defined activity type.

47. A method of detecting one or more triggering conditions associated with flows of signal exchanges between a plurality of attached functions of a network system and responding thereto, the network system including one or more network infrastructure devices, the method comprising the steps of:
- a. establishing for the one or more network infrastructure devices a flow definition for each flow monitored;
  
  b. monitoring each defined flow of the network system;
  
  c. associating each flow definition with a flow counter, wherein the flow counter generates count information for the flow definition;
  
  d. analyzing the count information;
  
  e. determining whether the analyzed count information indicates a triggering condition requiring a response; and
  
  f. responding to the triggering condition through modification of the operation of the one or more network infrastructure devices.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55)
- - 48. The method as claimed in claim 47 further comprising the step of storing the count information locally.
  - 49. The method as claimed in claim 47 further comprising the step of storing the count information remotely.
  - 50. The method as claimed in claim 47 further comprising the step of enacting the response to the detected triggering condition locally on one or more of the network infrastructure devices associated with the monitored flow, or remotely by one or more devices not associated with the monitored flow.
  - 51. The method as claimed in claim 47 wherein the step of monitoring is performed by a plurality of network infrastructure devices.
  - 52. The method as claimed in claim 47 wherein the step of analyzing is performed concurrently for a plurality of flows under monitor.
  - 53. The method as claimed in claim 47 further comprising the step of initiating one or more additional analyses based on the first analysis of the count information, past stored analysis information, or a combination of the two.
  - 54. The method as claimed in claim 47 wherein the responses that may be enabled under the step of responding may be disabled to allow a flow condition to remain in effect that would otherwise be blocked.
  - 55. The method as claimed in claim 54 wherein the step of analyzing includes the step of analyzing historical counter information and determining based on that historical counter information whether to block the disabling of the flow condition block.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Original Assignee
Enterasys Networks Incorporated (Extreme Networks, Inc.)
Inventors
Graham, Richard W., Frattura, David Edward

Application Number

US10/958,761
Publication Number

US 20060075093A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0681   Configuration of triggering...

H04L 41/069   using logs of notifications...

H04L 43/026   using flow identification

H04L 43/0852   Delays

H04L 43/16   Threshold monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Using flow metric events to control network operation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

141 Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Using flow metric events to control network operation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links