Selective flow inspection based on endpoint behavior and random sampling

US 20150256431A1
Filed: 03/07/2014
Published: 09/10/2015
Est. Priority Date: 03/07/2014
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method comprising:

determining an initiator of network traffic;

at each of multiple instants of time, collecting usage data for network traffic associated with the initiator;

storing historical usage data based on updates from usage data for the network traffic over time;

determining whether current usage data are within an expected distribution with respect to the historical usage data by comparing the current usage data to the historical usage data of the initiator;

selecting an inspection threshold for traffic flows from the initiator based upon the comparison between the current usage data and the historical usage data; and

determining a proportion of traffic flows associated with the initiator to be inspected based on the inspection threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Presented herein are techniques for determining an initiator of network traffic, collecting at each of multiple instants of time, usage data for network traffic associated with the initiator, and storing historical usage data based on updates from usage data for the network traffic over time. Current usage data are compared to historical usage data of the initiator to determine whether current usage data are within an expected distribution with respect to the historical usage data. Based upon the comparison between the current usage data and the historical usage data, an inspection threshold is selected for traffic flows from the initiator, and a proportion of traffic flows associated with the initiator is determined to be inspected based on the inspection threshold.

88 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- determining an initiator of network traffic;
  
  at each of multiple instants of time, collecting usage data for network traffic associated with the initiator;
  
  storing historical usage data based on updates from usage data for the network traffic over time;
  
  determining whether current usage data are within an expected distribution with respect to the historical usage data by comparing the current usage data to the historical usage data of the initiator;
  
  selecting an inspection threshold for traffic flows from the initiator based upon the comparison between the current usage data and the historical usage data; and
  
  determining a proportion of traffic flows associated with the initiator to be inspected based on the inspection threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein collecting usage data comprises collecting data descriptive of an application type for each network traffic flow associated with the initiator.
  - 3. The method of claim 1, further comprising:
    - determining whether a current traffic flow from the initiator is to be inspected based upon a random algorithm that selects traffic flows for inspection in accordance with the selected inspection threshold; and
      
      inspecting the current traffic flow as determined by the random algorithm and the historical usage data of the initiator and an application.
  - 4. The method of claim 1, further comprising:
    - repeatedly monitoring current usage data to determine whether the current usage data are within the expected distribution; and
      
      in response to determining that the current usage data deviates from the expected distribution, selecting another inspection threshold resulting in inspection of a higher proportion of traffic flows as compared to the proportion of traffic flows currently inspected.
  - 5. The method of claim 1, wherein determining comprises determining whether the current usage data are within an expected distribution based on the historical usage data by comparing one or more of traffic flow duration, port type, exchanged byte count, exchanged packet count and total data usage.
  - 6. The method of claim 1, further comprising:
    - determining that historical usage data for the initiator is unknown; and
      
      if it is determined that the historical usage data is unknown, selecting an inspection threshold that results in inspection of a greater proportion of traffic flows from the initiator as compared to a proportion of traffic flows currently selected for inspection.
  - 7. The method of claim 6, further comprising:
    - establishing a trusted reputation for the initiator based upon inspecting the traffic flows from the initiator; and
      
      selecting another inspection threshold resulting in inspection of a lesser proportion of traffic flows from the initiator as compared to a proportion of traffic flows currently selected for inspection if a trusted reputation for the initiator is established.
  - 8. The method of claim 1, further comprising:
    - determining whether the initiator has previously been associated with malicious network activity; and
      
      inspecting or dropping all traffic flows from the initiator when it is determined that the initiator has previously been associated with malicious network activity.

9. An apparatus comprising:
- a network interface unit configured to receive communications over a network;
  
  memory configured to store usage data and historical usage data; and
  
  one or more processors coupled to the network interface unit, and configured to;
  
  determine an initiator of network traffic;
  
  at each of multiple instants of time, collect usage data for network traffic associated with the initiator;
  
  store historical usage data based on updates from usage data for the network traffic over time;
  
  determine whether current usage data are within an expected distribution with respect to the historical usage data by comparing the current usage data to the historical usage data of the initiator;
  
  select an inspection threshold for traffic flows from the initiator based upon the comparison between the current usage data and the historical usage data; and
  
  determine a proportion of traffic flows associated with the initiator to be inspected based on the inspection threshold.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the processor is further configured to collect data descriptive of an application type for each network traffic flow associated with the initiator.
  - 11. The apparatus of claim 9, wherein the processor is further configured to:
    - determine whether a current traffic flow from the initiator is to be inspected based upon a random algorithm that selects traffic flows for inspection in accordance with the selected inspection threshold; and
      
      inspect the current traffic flow as determined by the random algorithm and the historical usage data of the initiator and an application.
  - 12. The apparatus of claim 9, wherein the processor is further configured to:
    - repeatedly monitor current usage data to determine whether the current usage data are within the expected distribution; and
      
      select another inspection threshold resulting in inspection of a higher proportion of traffic flows as compared to the proportion of traffic flows currently inspected, in response to determining that the current usage data deviates from the expected distribution.
  - 13. The apparatus of claim 9, wherein the processor is further configured to:
    - determine whether the current usage data are within an expected distribution based on the historical usage data by comparing one or more of traffic flow duration, port type, exchanged byte count, exchanged packet count and total data usage.
  - 14. The apparatus of claim 9, wherein the processor is further configured to:
    - determine that historical usage data for the initiator is unknown; and
      
      select an inspection threshold that results in inspection of a greater proportion of traffic flows from the initiator as compared to a proportion of traffic flows currently selected for inspection, if it is determined that the historical usage data is unknown.
  - 15. The apparatus of claim 14, wherein the processor is further configured to:
    - establish a trusted reputation for the initiator based upon inspecting the traffic flows from the initiator; and
      
      select another inspection threshold resulting in inspection of a lesser proportion of traffic flows from the initiator as compared to a proportion of traffic flows currently selected for inspection, if a trusted reputation for the initiator is established.
  - 16. The apparatus of claim 9, wherein the processor is further configured to:
    - determine whether the initiator has previously been associated with malicious network activity; and
      
      inspect or drop all traffic flows from the initiator when it is determined that the initiator has previously been associated with malicious network activity.

17. A computer-implemented method comprising:
- storing in a database, current usage data for an initiator of network traffic, wherein the stored usage data is descriptive of an application type for each network traffic flow associated with the initiator and is cumulative over a prescribed period of time;
  
  determining whether the current usage data are within an expected distribution with respect to historical usage data by comparing the current usage data to the historical usage data;
  
  selecting an inspection threshold for traffic flows from the initiator based upon the comparison between the current usage data and the historical usage data; and
  
  determining a proportion of traffic flows associated with the initiator to be inspected based on the inspection threshold.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the stored cumulative data comprises information pertaining to the number of times that an initiator has attempted and/or completed a connection with a security device, the total amount of data or packets transferred, and/or the length of time of the connection.
  - 19. The method of claim 18, wherein determining whether the current usage data are within an expected distribution with respect to the historical usage data further comprises:
    - determining an average amount of data or packets transferred per connection and an average length of duration per connection; and
      
      comparing one or more of the determined average values of current usage data to corresponding average values of the historical usage data to determine if the current usage data significantly deviates from the historical usage data.
  - 20. The method of claim 17, further comprising repeatedly monitoring current usage data to determine whether the current usage data are within the expected distribution;
    - and in response to determining that the current usage data deviates from the expected distribution, selecting another inspection threshold resulting in inspection of a higher proportion of traffic flows as compared to the proportion of traffic flows currently inspected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ossipov, Andrew E., Buchanan, Kevin A.

Application Number

US14/200,669
Publication Number

US 20150256431A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 67/535 Tracking the activity of th...

Selective flow inspection based on endpoint behavior and random sampling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

88 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Selective flow inspection based on endpoint behavior and random sampling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links