Stackable aggregation for connection based anomaly detection

US 20060089985A1
Filed: 10/26/2004
Published: 04/27/2006
Est. Priority Date: 10/26/2004
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a plurality of collector devices that are disposed to collect statistical information on packets sent between nodes on a network;

a stackable aggregator device that receives network data from the plurality of collector devices, the aggregator device producing a connection table that maps each node on the network to a record that stores information about traffic to or from the node, the stackable aggregator comprising;

a manager blade, a database blade, and two or more, analyzer blades.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a plurality of collector devices that are disposed to collect statistical information on packets that are sent between nodes on a network. The system also includes a stackable aggregator that receives network data from the plurality of collector devices, and which produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The stackable aggregator includes a manager blade, a database blade, and two or more, analyzer blades.

193 Citations

20 Claims

1. A system, comprising:
- a plurality of collector devices that are disposed to collect statistical information on packets sent between nodes on a network;
  
  a stackable aggregator device that receives network data from the plurality of collector devices, the aggregator device producing a connection table that maps each node on the network to a record that stores information about traffic to or from the node, the stackable aggregator comprising;
  
  a manager blade, a database blade, and two or more, analyzer blades.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1 wherein the manager blade includes an event manager process for correlation and reporting events to an operator console.
  - 3. The system of claim 2 wherein each analyzer blade is responsible for storing and analyzing approximately 1/N of network data, where N corresponds to the number of analyzer blades in the aggregator.
  - 4. The system of claim 1 wherein one of the analyzer blades, comprises:
    - a dispatcher process that receives flow records and traffic counters from network sensors and forwards flow records and statistical data on network traffic to a specific one of the two or more analyzer blades.
  - 5. The system of claim 4 wherein the dispatcher process produces a hash of source and destination host identification values in the flow records or statistic records received, and uses the hash of the source and destination host identification values to distribute the flow records or statistic records to particular analyzer blades.
  - 6. The system of claim 1 wherein each of the analyzer blades comprises:
    - local storage for storing flow records.
  - 7. The system of claim 1 wherein each of the analyzer blades produces statistical data for its fraction of the network traffic.
  - 8. The system of claim 2 wherein each of the analyzer blades examines statistical data to determine the presence of anomalies, and as anomalies are determined by the analyzer blades, data regarding the anomalies are forwarded to the event manager process.
  - 9. The system of claim 1 wherein each of the analyzer blades receives flow records from the dispatcher process in the one of the analyzer blades comprising the dispatcher process.
  - 10. The system of claim 1 wherein the database blade manages a database that stores the connection table.
  - 11. The system of claim 10 wherein the connection table includes a plurality of records indexed by source address, destination address and time.
  - 12. The system of claim 11 wherein the connection table includes a plurality of connection sub-tables to track data at different time scales.
  - 13. The system of claim 1 wherein each blade comprising the aggregator includes:
    - at least two processors; and
      
      memory associated with the at least two processors.

14. A method, comprises:
- collecting statistical information on packets that are sent between nodes on a network;
  
  dispatching statistical information to one of two or more analyzer blades to produce a connection table that maps each node on the network to a record that stores information about traffic to or from the node.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14 wherein each analyzer blade is responsible for storing and analyzing approximately 1/N of network data, where N corresponds to the number of analyzer blades in the aggregator.
  - 16. The method of claim 14 further comprising:
    - assembling flow records and traffic counters from network sensors; and
      
      forwarding flow records and statistical data on network traffic to a specific one of two or more analyzer systems to assemble the connection table.

17. A computer program product residing on a computer readable medium, comprising instructions for causing a computer to:
- receive network data from a plurality of collector devices that collect statistical information on packets that are sent between nodes on a network; and
  
  dispatch received network data from a plurality of collector devices to a specific one of the two or more analyzer blades to produce multiple connection tables each table storing a portion of the collect statistical information on packets sent on the network to a record.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17 further comprising:
    - an event manager process for correlation and reporting of events to an operator console.
  - 19. The computer program product of claim 17 further comprising instructions to cause a computer to:
    - hash source and destination host identification values in the flow records or statistic records received; and
      
      distribute the flow records or statistic records to particular analyzer blades according to the hash of the source and destination host identification values.
  - 20. The computer program product of claim 18 further comprising instructions to cause a computer to:
    - examine statistical data to determine the presence of anomalies; and
      
      forward anomalies to the event manager process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Mazu Networks, Inc. (Riverbed Technology Incorporated)
Inventors
Poletto, Massimiliano Antonio

Granted Patent

US 7,760,653 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0631   using root cause analysis; ...

H04L 43/02   Capturing of monitoring data

H04L 43/12   Network monitoring probes

H04L 63/14   for detecting or protecting...

H04L 69/40   for recovering from a failu...

Stackable aggregation for connection based anomaly detection

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

193 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Stackable aggregation for connection based anomaly detection

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

193 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links