Effective policies and policy enforcement using characterization of flow content and content-independent flow information

US 20070088845A1
Filed: 09/19/2006
Published: 04/19/2007
Est. Priority Date: 09/19/2005
Status: Active Grant

First Claim

Patent Images

1. A machine-implemented method comprising:

a) obtaining network packets;

b) grouping the collected network packets into a plurality of flows;

c) for each of the plurality of flows, i) determining a content characteristic by characterizing content of the flow using bit-stream level statistics, and ii) determining at least one of (A) content-independent flow characteristics, (B) port-independent flow characteristics, and (C) application header-independent flow characteristics; and

d) enforcing a policy on at least one of the flows using both (1) the determined content characteristic and the (2) determined at least one of (A) content-independent flow characteristics, (B) port-independent flow characteristics, and (C) application header-independent flow characteristics.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Flexible network policies might be enforced by (a) obtaining a flow of network packets, (b) determining a content characteristic by characterizing content of the flow using bit-stream level statistics, (c) determining content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics, and (d) enforcing a policy on the flow using both (1) the determined content characteristic and the (2) determined content-independent flow characteristics, port-independent flow characteristics, and/or application header-independent flow characteristics.

Citations

22 Claims

1. A machine-implemented method comprising:
- a) obtaining network packets;
  
  b) grouping the collected network packets into a plurality of flows;
  
  c) for each of the plurality of flows, i) determining a content characteristic by characterizing content of the flow using bit-stream level statistics, and ii) determining at least one of (A) content-independent flow characteristics, (B) port-independent flow characteristics, and (C) application header-independent flow characteristics; and
  
  d) enforcing a policy on at least one of the flows using both (1) the determined content characteristic and the (2) determined at least one of (A) content-independent flow characteristics, (B) port-independent flow characteristics, and (C) application header-independent flow characteristics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The machine-implemented method of claim 1 wherein the content-independent flow characteristics include at least one of (A) a number of packets in the flow, (B) a number of bytes in the flow, (C) inter-packet arrival time, (D) packet sizes, (E) distribution of inter-packet arrival times, (F) distribution of packet sizes, (G) time-to-live values, (H) time-to-live value distributions, (I) sequence number, (J) distribution of sequence numbers, (K) acknowledgement numbers, (L) distribution of acknowledgement numbers, (M) identification numbers, (N) distribution of identification numbers, (O) fragmentation offsets, (P) distribution of fragmentation offsets, (Q) window sizes, (R) distribution of window sizes, (S) streaming, (T) not streaming, (U) interactive session, and (V) not an interactive session.
  - 3. The machine-implemented method of claim 1 wherein the content characteristic is selected from a group of characteristics consisting of (A) text, (B) bitmap, (C) wave, (D) zip, (E) JPEG, (F) MP3, (G) encrypted, and (H) compiled machine instructions.
  - 4. The machine-implemented method of claim 1 wherein the act of obtaining network packets includes i) sniffing the network, and ii) capturing all traffic passing through a monitoring point.
  - 5. The machine-implemented method of claim 1 wherein each of the network packets includes a network protocol, Source (IP) Address, Destination (IP) Address, Source Port and Destination Port, and wherein the act of grouping the collecting network packets into a plurality of flows includes i) defining each of the plurality of flows based on network protocol, Source (IP) Address, Destination (IP) Address, Source Port and Destination Port, and ii) for each of the network packets, assigning the packet to an appropriate one of the plurality of flows based on the network protocol, Source (IP) Address, Destination (IP) Address, Source Port and Destination Port of the network packet
  - 6. The machine-implemented method of claim 1 wherein the policy includes flow characteristic limits for various content types.
  - 7. The machine-implemented method of claim 1 wherein the act of enforcing a policy on at least one of the flows includes determining whether or not the flow violates the policy, and storing the policy violation in association with a source or destination of the flow if it is determined that the flow violates the policy.
  - 8. The machine-implemented method of claim 1 further comprising:
    - e) determining whether or not the flow violates the policy, and f) if it is determined that the flow violates the policy, then identifying, using a directory service, a user who, or client device that, violated the policy.
  - 9. The machine-implemented method of claim 8 wherein the directory service is selected from a groups consisting of Lightweight Directory Access Protocol and Active Directory.
  - 10. The machine-implemented method of claim 1 wherein the act of enforcing a policy one at least one of the flows includes determining whether or not the flow violates the policy, and issuing a request to impede or stop the flow if it is determined that the flow violates the policy.
  - 11. The machine-implemented method of claim 1 wherein the act of determining, for each of the plurality of flows, at least one of (A) content-independent flow characteristics, (B) port-independent flow characteristics, and (C) application header-independent flow characteristics, determines content-independent flow characteristics, and wherein the act of enforcing a policy on at least one of the flows uses both (i) the determined content characteristic and the (2) determined content-independent flow characteristics.
  - 12. The machine-implemented method of claim 1 wherein the act of determining, for each of the plurality of flows, at least one of (A) content-independent flow characteristics, (B) port-independent flow characteristics, and (C) application header-independent flow characteristics, determines port number-independent flow characteristics, and wherein the act of enforcing a policy on at least one of the flows uses both (i) the determined content characteristic and the (2) determined port number-independent flow characteristics.
  - 13. The machine-implemented method of claim 1 wherein the act of determining, for each of the plurality of flows, at least one of (A) content-independent flow characteristics, (B) port-independent flow characteristics, and (C) application header-independent flow characteristics, determines application header-independent flow characteristics, and wherein the act of enforcing a policy on at least one of the flows uses both (i) the determined content characteristic and the (2) determined application header-independent flow characteristics.

14. A machine-implemented method comprising:
- a) obtaining a flow of network packets;
  
  b) determining a content characteristic by characterizing content of the flow using bit-stream level statistics;
  
  c) determining at least one of (i) content-independent flow characteristics, (ii) port-independent flow characteristics, and (iii) application header-independent flow characteristics; and
  
  d) enforcing a policy on the flow using both (1) the determined content characteristic and the (2) determined at least one of (i) content-independent flow characteristics, (ii) port-independent flow characteristics, and (iii) application header-independent flow characteristics.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The machine-implemented method of claim 14 wherein the content-independent flow characteristics include at least one of (A) a number of packets in the flow, (B) a number of bytes in the flow, (C) inter-packet arrival time, (D) packet sizes, (E) distribution of inter-packet arrival times, (F) distribution of packet sizes, (G) time-to-live values, (H) time-to-live value distributions, (I) sequence number, (J) distribution of sequence numbers, (K) acknowledgement numbers, (L) distribution of acknowledgement numbers, (M) identification numbers, (N) distribution of identification numbers, (O) fragmentation offsets, (P) distribution of fragmentation offsets, (Q) window sizes, (R) distribution of window sizes, (S) streaming, (T) not streaming, (U) interactive session, and (V) not an interactive session.
  - 16. The machine-implemented method of claim 14 wherein the content characteristic is selected from a group of characteristics consisting of (A) text, (B) bitmap, (C) wave, (D) zip, (E) JPEG, (F) MP3, (G) encrypted and (H) compiled machine instructions.
  - 17. The machine-implemented method of claim 14 wherein the policy includes flow characteristic limits for various content types.
  - 18. The machine-implemented method of claim 14 wherein the act of determining at least one of (i) content-independent flow characteristics, (ii) port-independent flow characteristics, and (iii) application header-independent flow characteristics, determines content-independent flow characteristics, and wherein the act of enforcing a policy on at least one of the flows uses both (i) the determined content characteristic and the (2) determined content-independent flow characteristics.
  - 19. The machine-implemented method of claim 14 wherein the act of determining at least one of (i) content-independent flow characteristics, (ii) port-independent flow characteristics, and (iii) application header-independent flow characteristics, determines port number-independent flow characteristics, and wherein the act of enforcing a policy on at least one of the flows uses both (i) the determined content characteristic and the (2) determined port number-independent flow characteristics
  - 20. The machine-implemented method of claim 14 wherein the act of determining at least one of (i) content-independent flow characteristics, (ii) port-independent flow characteristics, and (iii) application header-independent flow characteristics, determines application header-independent flow characteristics, and wherein the act of enforcing a policy on at least one of the flows uses both (i) the determined content characteristic and the (2) determined application header-independent flow characteristics

21. Apparatus comprising:
- a) means for obtaining network packets;
  
  b) means for grouping the collected network packets into a plurality of flows;
  
  c) means, for each of the plurality of flows, for i) determining a content characteristic by characterizing content of the flow using bit-stream level statistics, and ii) determining at least one of (A) content-independent flow characteristics, (B) port-independent flow characteristics, and (C) application header-independent flow characteristics; and
  
  d) means for enforcing a policy on at least one of the flows using both (1) the determined content characteristic and the (2) determined at least one of (A) content-independent flow characteristics, (B) port-independent flow characteristics, and (C) application header-independent flow characteristics.

22. Apparatus comprising:
- a) means for obtaining a flow of network packets;
  
  b) means for determining a content characteristic by characterizing content of the flow using bit-stream level statistics;
  
  c) means for determining at least one of (i) content-independent flow characteristics, (ii port-independent flow characteristics, and (iii) application header-independent flow characteristics; and
  
  d) means for enforcing a policy on the flow using both (1) the determined content characteristic and the (2) determined at least one of (i) content-independent flow characteristics, (ii) port-independent flow characteristics, and (iii) application header-independent flow characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Polytechnic Institute Of New York University (New York University)
Original Assignee
Polytechnic Institute Of New York University (New York University)
Inventors
Memon, Nasir, Shanmugasundaram, Kulesh

Granted Patent

US 7,756,997 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/234
CPC Class Codes

H04L 47/10 Flow control; Congestion co...

H04L 47/20 Traffic policing

Effective policies and policy enforcement using characterization of flow content and content-independent flow information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Effective policies and policy enforcement using characterization of flow content and content-independent flow information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links