APPLICATION SESSION CONTROL USING PACKET INSPECTION

US 20110196971A1
Filed: 02/10/2010
Published: 08/11/2011
Est. Priority Date: 02/10/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium storing computer-executable instructions that when executed by a computer cause the computer to perform an operation, the operation comprising:

inspecting, in a network device, a packet transmitted as part of a data stream, where the data stream comprises a sequence of packets transmitted from a source to a destination, where the data stream is associated with a session and an identity, and where the session is associated with an application;

storing a set of data associated with the data stream, where the set of data is acquired as a function of inspecting the packet, the set of data comprising data identifying the session and data identifying the identity; and

controlling the network device to selectively perform an action upon determining that an attribute associated with the session matches a condition associated with a policy, the action being defined for the identity and the session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network devices, computer-readable media, and other embodiments associated with packet inspection are described. Packet inspection may be performed on data packets associated with a session, where a session can include multiple data channels and associated control channels that have been bound together. A session may be associated with an identity. Various policies may be associated with that identity. As packet inspection occurs, it can be determined whether policies are being violated on a per identity basis. If a policy is being violated, then an action may be selectively performed. The action performed may affect a single channel in the session or may affect the whole session. Different identities may have different policies. Example actions include dropping a session, throttling a session, monitoring a session, controlling the number of channels associated with a session, dropping a channel, throttling a channel, monitoring a channel, and other actions.

104 Citations

View as Search Results

20 Claims

1. A computer-readable storage medium storing computer-executable instructions that when executed by a computer cause the computer to perform an operation, the operation comprising:
- inspecting, in a network device, a packet transmitted as part of a data stream, where the data stream comprises a sequence of packets transmitted from a source to a destination, where the data stream is associated with a session and an identity, and where the session is associated with an application;
  
  storing a set of data associated with the data stream, where the set of data is acquired as a function of inspecting the packet, the set of data comprising data identifying the session and data identifying the identity; and
  
  controlling the network device to selectively perform an action upon determining that an attribute associated with the session matches a condition associated with a policy, the action being defined for the identity and the session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-readable storage medium of claim 1, where inspecting the packet comprises determining the session associated with the data stream using one or more of, stateful classification, stateless classification, and statistical classification.
  - 3. The computer-readable storage medium of claim 1, where inspecting the packet comprises determining an application with which the data stream is associated using one or more of, stateful classification, stateless classification, and statistical classification.
  - 4. The computer-readable storage medium of claim 3, where inspecting the packet comprises determining the application with which the data stream is associated using deep packet inspection for one or more of, stateful classification, stateless classification and statistical classification.
  - 5. The computer-readable storage medium of claim 1, where the identity is one of, a user, a device and a virtual device.
  - 6. The computer-readable storage medium of claim 1, where the session comprises a set of related data channels and associated control channels.
  - 7. The computer-readable storage medium of claim 1, where the action comprises one or more of adjusting an attribute of a single session associated with the identity, adjusting an attribute associated with a collection of sessions associated with the identity, adjusting an attribute associated with the session, adjusting an attribute associated with the application, and adjusting the attribute associated with the collection of sessions.
  - 8. The computer-readable storage medium of claim 1, where the action comprises logging data associated with the data stream and with the session.
  - 9. The computer-readable storage medium of claim 8, where the data is one or more of, billing data, and resource data.
  - 10. The computer-readable storage medium of claim 1, where the action is performed for one or more of, a collection of channels associated with the session, and an individual channel associated with the session.
  - 11. The computer-readable storage medium of claim 1, where the condition specifies one or more of a maximum number of concurrent sessions, a data rate limit, a data size limit, a maximum number of sessions per unit time, and a maximum number of channels per session.
  - 12. The computer-readable storage medium of claim 1, where the application is one or more of, a hyper text transfer protocol (HTTP) application, a file transfer protocol (FTP) application, a file sharing application, a voice over internet protocol application, a streaming media application, and an online gaming application.

13. A network device, comprising:
- a packet inspection logic to inspect a packet from a data stream for session data identifying a session associated with the data stream and to inspect the packet for application data identifying an application associated with the data stream, where the data stream comprises a sequence of packets transmitted from a source to a destination;
  
  a data store to store the session data, the application data, and device data identifying a tracked identity; and
  
  a session control logic to provide a control signal causing an action to be performed upon determining that an attribute associated with the session matches a condition associated with a policy, the action being defined for the identity and the session.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The network device of claim 13, comprising a security logic to selectively adjust a security parameter as a function of the control signal.
  - 15. The network device of claim 13, comprising a quality of service logic to selectively adjust a quality of service value as a function of the control signal.
  - 16. The network device of claim 13, comprising a data recording logic to selectively record data associated with at least the session in response to receiving the control signal.
  - 17. The network device of claim 13, wherein the action comprises redirecting network traffic associated with the session.
  - 18. The network device of claim 13, where the condition specifies one or more of a maximum number of concurrent sessions, a data rate limit, a data size limit, a maximum number of sessions per unit time, and a maximum number of channels per session
  - 19. The network device of claim 13, where the application is one or more of, a hyper text transfer protocol (HTTP) application, a file transfer protocol (FTP) application, a file sharing application, a voice over internet protocol application, a streaming media application, and an online gaming application.

20. A computer-implemented method, comprising:
- inspecting, in a network device, a packet transmitted as part of a data stream, where the data stream comprises a sequence of packets transmitted from a source to a destination, where the data stream is associated with a session and an identity, and where the session is associated with an application;
  
  storing a set of data associated with the data stream, where the set of data is acquired as a function of inspecting the packet, the set of data comprising data identifying the session and data identifying the identity; and
  
  controlling the network device to selectively perform an action upon determining that an attribute associated with the session matches a condition associated with a policy, the action being defined for the identity and the session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kandaswamy, Sridar, Warkhedi, Abhijit V., Manam, Rajasekhar, REGURAMAN, PRAVEENKUMAR

Granted Patent

US 8,301,786 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/228
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/76   Routing in software-defined...

H04L 47/20   Traffic policing

H04L 47/2441   relying on flow classificat...

H04L 47/32   by discarding or delaying d...

H04L 63/1458   Denial of Service

H04L 67/14   Session management for real...

H04L 67/146   Markers for unambiguous ide...

H04L 67/535   Tracking the activity of th...

H04L 67/564   Enhancement of application ...

H04L 67/568   Storing data temporarily at...

APPLICATION SESSION CONTROL USING PACKET INSPECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

104 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION SESSION CONTROL USING PACKET INSPECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links