Identification of potential network threats using a distributed threshold random walk

US 20080101234A1
Filed: 10/30/2006
Published: 05/01/2008
Est. Priority Date: 10/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

recording, with a plurality of intermediate devices located on a set of asymmetrically routed paths within a network, a number of network flows sourced by a host device on the network and a number of network flows sent to the host device on the network;

determining whether a difference between the number of network flows sourced by the host device and the number of network flows sent to the host device exceeds a first threshold; and

rerouting network traffic from the host device when the difference exceeds the first threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, the invention is directed to techniques of identifying an infected network device in a computer network where traffic to and from the infected network device is not necessarily routed through a single point on the computer network. For example, individual line cards in network devices count incoming network flows from network devices in host tables. The host tables of all line cards of all participating network devices are then correlated. It is then determined whether the number of flows from a network device outweighs the number of flows to the network device to a significant degree. If so, the network device may be considered suspicious. Packets from a suspicious network device may be rerouted to a network security device for more thorough inspection.

197 Citations

41 Claims

1. A method comprising:
- recording, with a plurality of intermediate devices located on a set of asymmetrically routed paths within a network, a number of network flows sourced by a host device on the network and a number of network flows sent to the host device on the network;
  
  determining whether a difference between the number of network flows sourced by the host device and the number of network flows sent to the host device exceeds a first threshold; and
  
  rerouting network traffic from the host device when the difference exceeds the first threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein recording a number of flows comprises recording a number of network flows sourced by the host device that do not represent rejections of network connections and a number of network flows sent to the host device that do not represent rejections of network connections.
  - 3. The method of claim 1, wherein rerouting network traffic from the host device comprises rerouting network traffic sourced by the host device to an Intrusion Detection and Prevention (“
    - IDP”
      
      ) device that inspects the network traffic to identify malicious software.
  - 4. The method of claim 1, further comprising:
    - determining whether a difference between a number of network flows sourced by the host device on the network and the number of network flows sent to the host device on the network falls beneath a second threshold; and
      
      rerouting network traffic sent to the host device to the network security device when it is determined that the difference falls beneath the second threshold.
  - 5. The method of claim 1, wherein rerouting network traffic comprises sending instructions to a set of line cards, such that the line cards forward packets from the network device to the network security device.
  - 6. The method of claim 1,wherein recording a number of network flows sourced by a host device on the network and a number of network flows sent to the host device on the network comprises maintaining a record of the number of flows through the network for which the host device is a source and a record of the number of flows through the network for which the host device is a destination;
    - andwherein determining a difference comprises determining a difference between the record of the number of flows through the network for which the host device is a source and the record of the number of flows through the network for which the host device is a destination.
  - 7. The method of claim 6, wherein maintaining a record comprises:
    - maintaining, with each intermediate device in a set of intermediate devices in the network, records of the number of flows through the intermediate device for which the host device is a source;
      
      maintaining, with each intermediate device in the set of intermediate devices, records of the number of flows through the intermediate device for which the host device is a destination;
      
      correlating the records of the number of flows through the intermediate devices for which the host device is a source into the record of the number of flows through the network for which the host device is a source; and
      
      correlating the records of the number of flows through the intermediate devices for which the host device is a destination into the record of the number of flows through the network for which the host device is a destination.
  - 8. The method of claim 7, wherein the intermediate devices are routers.
  - 9. The method of claim 7,wherein maintaining, with each intermediate device in a set of intermediate devices in the network, records of the number of flows through the intermediate devices for which the host device is a source comprises maintaining, with each line card in a set of line cards in each intermediate device in the set of intermediate devices, a record of the number of flows through the line card for which the host device is a source;
    - andwherein correlating the records of the number of flows through the intermediate devices that specify the host device is a source comprises correlating the records of the number of flows through the line cards for which the host device is a source.
  - 10. The method of claim 9, wherein maintaining, with each line card in a set of line cards in each intermediate device in the set of intermediate devices, a record of the number of flows through the line card for which the host device is a source comprises:
    - receiving a network packet from the network;
      
      determining whether the packet is a member of a new flow; and
      
      incrementing a number of flows through the line card for which the host device is a source if the packet is a member of a new flow and a source address field of the packet specifies the host device.
  - 11. The method of claim 10, wherein determining whether the packet is a member of a new flow comprises:
    - extracting flow information from the packet;
      
      determining whether a flow database contains a record that corresponds with the extracted flow information; and
      
      determining that the packet is a member of a new flow when it is determined that the flow database does not contain a record that corresponds with the extracted flow information.
  - 12. The method of claim 11, further comprising adding a record that corresponds with the extracted flow information when it is determined that the flow database does not contain a record that corresponds with the extracted flow information.
  - 13. The method of claim 11, wherein the flow database is a hash table.
  - 14. The method of claim 11, wherein incrementing a number of flows through the line card for which the host device is a source comprises:
    - determining whether a host table contains an entry for the host device;
      
      creating an entry in the host table for the host device if it is determined that the host table does not contain an entry for the host device; and
      
      incrementing a source counter in the entry in the host table for the host device.
  - 15. The method of claim 9, wherein maintaining, with each line card in a set of line cards in each intermediate device in the set of intermediate devices, a record of a number of flows through the line card for which the host device is a source comprises summing the records of the number of flows through the line cards for which the host device is a source.
  - 16. The method of claim 7,wherein maintaining, with each intermediate device in the set of intermediate devices, records of the number of flows through the intermediate device for which the host device is a destination comprises maintaining with each line card in the set of line cards in each intermediate device in the set of intermediate devices, a record of the number of flows through the line card for which the host device is a destination;
    - andwherein correlating the records of the number of flows through the intermediate devices that specify the host device is a destination comprises correlating the records of the number of flows through the line cards for which the host device is a destination.
  - 17. The method of claim 16, wherein maintaining, with each line card in a set of line cards in each intermediate device in the set of intermediate devices, a record of the number of flows through the line card for which the host device is a destination comprises:
    - receiving a network packet from the network;
      
      determining whether the packet is a member of a new flow; and
      
      incrementing the number of flows through the line card for which the host device is a destination if the packet is a member of the new flow and a destination address field of the packet specifies the host device.
  - 18. The method of claim 7, wherein correlating the records of the number of flows through the intermediate devices for which the host device is a source into the record of the number of flows through the network for which the host device is a source comprises summing the records of the number of flows through the intermediate devices for which the host device is a source.
  - 19. The method of claim 1, wherein the determining whether a difference between a number of network flows sourced by the host device and the number of network flows sent to the host device exceeds a first threshold comprises determining whether a difference between an approximate number of network flows sourced by the host device and an approximate number of network flows sent to the host device exceeds a first threshold.

20. A network device,wherein the network device is a member of a plurality of intermediate devices located on a set of asymmetrically routed paths within a network;
- andwherein the network device comprises;
  
  a device correlation module to record a number of flows sourced by a host device on the network and the number of network flows sent to the host device on the network;
  
  a threat identification module to determine whether a difference between a number of network flows sourced by a host device on a network via a plurality of network paths and a number of network flows sent to the host device on the network via the plurality of network paths exceeds a first threshold; and
  
  a traffic redirection module to reroute network traffic from the host device to a network security device when the threat identification module determines that the difference exceeds the first threshold.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 21. The network device of claim 20, wherein the device correlation module records a number of flows sourced by a host device on the network and the number of network flows sent to the host device on the network by recording a number of network flows sourced by the host device that do not represent rejections of network connections and a number of network flows sent to the host device that do not represent rejections of network connections.
  - 22. The network device of claim 20, wherein the network security device is an Intrusion Detection and Prevention (“
    - IDP”
      
      ) device that deeply inspects the network traffic to identify signatures of malicious software.
  - 23. The network device of claim 20,wherein the threat identification module determines whether a difference between a number of network flows sourced by the host device and a number of network flows sent to the host device falls beneath a second threshold;
    - andwherein the traffic redirection module reroutes network traffic to the host device to the network security device when the threat identification module determines that the difference falls beneath the second threshold.
  - 24. The network device of claim 20, wherein the traffic redirection module reroutes network traffic by sending instructions to a set of line cards, such that the line cards forward packets sourced by the host device to the network security device.
  - 25. The network device of claim 20,wherein the device correlation module maintains a record of the number of flows through the network for which the host device is a source and a record of the number of flows through the network for which the host device is a destination;
    - andwherein the threat identification module determines whether a difference between the number of network flows sourced by the host device and the number of network flows sent to the host device exceeds a first threshold by determining a difference between the record of the number of flows through the network for which the host device is a source and the record of the number of flows through the network for which the host device is a destination.
  - 26. The network device of claim 25,wherein the network device comprises a line card correlation module to maintain records of the number of flows through the network device for which the host device is a source, and to maintain records of the numbers of flows through the network device for which the host device is a destination;
    - andwherein the device correlation module maintains a record of the number of flows through the network for which the host device is a source and a record of the number of flows through the network for which the host device is a destination by correlating the records of the number of flows through the network device and other network devices that specify the host device as a source into the record of the number of flows through the network that specify the host device as a source and by correlating the records of the numbers of flows through the network device and other network devices that specify the host device as a destination into the record of the number of flows through the network that specify the host device as a destination.
  - 27. The network device of claim 26, wherein the network device and the other network devices are routers.
  - 28. The network device of claim 26,wherein the network device further comprises a set of line cards, wherein each line card in the set of line cards maintains a record of the number of flows through the line card that specify the host device as a source and maintains a record of the number of flows through the line card that specify the host device as a destination;
    - wherein the line card correlation module maintains records of the number of flows through the line cards that specify the host device as a source by correlating the records of the number of flows through the line cards that specify the host device as a source; and
      
      wherein the line card correlation module maintains records of the number of flows through the line cards that specify the host device as a destination by correlating the records of the number of flows through the line cards that specify the host device as a destination.
  - 29. The network device of claim 28, wherein a line card in the set of the line cards includes a flow module to receive a network packet from the network, to determine whether the packet is a member of a new flow, and to increment the number of flows through the line card that specify the host device is a source if the packet is a member of a new flow and a source address field of the packet specifies the host device.
  - 30. The network device of claim 29,wherein the line card comprises a flow database to contain records that corresponds with flow information;
    - andwherein the flow module extracts flow information from the packet, determines whether the flow database contains a record that corresponds to the extracted flow information, and determines that the packet is a member of a new flow when the flow module determines that the flow database does not contain a record that corresponds with the extracted flow information.
  - 31. The network device of claim 30, wherein the flow module adds a record to the flow database that corresponds with the extracted flow information when the flow module determines that the flow database does not contain a record that corresponds with the extracted flow information.
  - 32. The network device of claim 30, wherein the flow database is a hash table.
  - 33. The network device of claim 29,wherein the line card comprises a host table to contain entries for host devices;
    - andwherein the flow module determines whether the host table contains an entry for the host device, creates an entry in the host table for the host device if the flow module determines that the host table does not contain an entry for the host device, and increments a source counter in the entry in the host table for the host device.
  - 34. The network device of claim 28, wherein the line card correlation module maintains a record of the number of flows through the line card that specify the host device a source by summing the records of the number of flows through the line cards that specify the host device as a source.
  - 35. The network device of claim 28, wherein each line card in the set of line cards maintains a record of the number of flows through the line card that specify the host device as a destination by receiving a network packet from the network, determining whether the packet is a member of a new flow, and incrementing the number of flows through the line card that specify the host device as a destination if the packet is a member of a new flow and a destination address field of the packet specifies the host device.
  - 36. The network device of claim 24, wherein the device correlation module correlates the records of the number of flows through the network device and the other network devices that specify the host device as a source by summing the records of the number of flows through the network device and the other network devices for which the host device is a source.
  - 37. The network device of claim 20, wherein the network is an enterprise network and the host device is a personal computer.
  - 38. The network device of claim 20, wherein the threat identification module determines whether a difference between an approximation of the number of network flows sent from the host device and an approximation of the number of network flows sent to the network device exceeds the first threshold.

39. A computer-readable medium comprising instructions, the instructions causing a programmable processor to:
- record, with a plurality of intermediate devices located on a set of asymmetrically routed paths within a network, a number of network flows sourced by a host device on the network and a number of network flows sent to the host device on the network;
  
  determine whether a difference between a number of network flows sent from a host device on a network via a plurality of network paths and a number of network flows sent to the host device on the network via the plurality of network paths exceeds a first threshold; and
  
  reroute network traffic from the host device to a network security device when it is determined that the difference exceeds the first threshold.
- View Dependent Claims (40, 41)
- - 40. The computer-readable medium of claim 39, wherein the instructions further cause the processor to:
    - determine whether a difference between a number of network flows sourced by the host device and a number of network flows sent to the host device falls beneath a second threshold; and
      
      reroute network traffic sent to the host device to the network security device when it is determined that the difference falls beneath the second threshold.
  - 41. The computer-readable medium of claim 39,wherein the instructions that cause the processor to record a number of network flows comprise instructions that cause the processor to maintain a record of the number of flows through the network for which the host device is a source and a record of the number of flows through the network for which the host device is a destination;
    - andwherein the instructions that cause the processor to determine a difference comprise instructions that cause the processor to determine a difference between the record of the number of flows through the network for which the host device is a source and the record of the number of flows through the network for which the host device is a destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Burns, Bryan, Nakil, Harshad, Singla, Ankur

Granted Patent

US 7,768,921 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/235
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Identification of potential network threats using a distributed threshold random walk

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

197 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

Identification of potential network threats using a distributed threshold random walk

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

197 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others