PACKET CAPTURE FOR ANOMALOUS TRAFFIC FLOWS
Abstract
In one embodiment, a first device in a network identifies an anomalous traffic flow in the network. The first device reports the anomalous traffic flow to a supervisory device in the network. The first device determines a quarantine policy for the anomalous traffic flow. The first device determines an action policy for the anomalous traffic flow. The first device applies the quarantine and action policies to one or more packets of the anomalous traffic flow.
Claims (27)
1. A method comprising:
identifying, by a first device in a network, an anomalous traffic flow in the network;
reporting, by the first device, the anomalous traffic flow to a supervisory device in the network;
determining, by the first device, a quarantine policy for the anomalous traffic flow;
determining, by the first device, an action policy for the anomalous traffic flow; and
applying, by the first device, the quarantine and action policies to one or more packets of the anomalous traffic flow.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A method comprising:
receiving, at a device in a network, an indication of an anomalous traffic flow detected by a node in the network;
determining, by the device, an action policy for the anomalous traffic flow, based on an anomaly type or severity associated with the anomalous traffic flow;
determining, by the device, a quarantine policy for the anomalous traffic flow, based on the anomaly type or severity associated with the anomalous traffic flow; and
providing, by the device, the action and quarantine policies to the node.
Dependent claims: 13, 14, 15, 16, 17, 18, 19.

20. An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the one or more network interfaces and configured to execute a process; and
a memory configured to store the process executable by the processor, the process when executed operable to:
identify an anomalous traffic flow in the network;
report the anomalous traffic flow to a supervisory device in the network;
determine a quarantine policy for the anomalous traffic flow;
determine an action policy for the anomalous traffic flow; and
apply the quarantine and action policies to one or more packets of the anomalous traffic flow.
Dependent claims: 21, 22, 23.

24. An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the one or more network interfaces and configured to execute a process; and
a memory configured to store the process executable by the processor, the process when executed operable to:
receive an indication of an anomalous traffic flow detected by a node in the network;
determine an action policy for the anomalous traffic flow, based on an anomaly type or severity associated with the anomalous traffic flow;
determine a quarantine policy for the anomalous traffic flow, based on the anomaly type or severity associated with the anomalous traffic flow; and
provide the action and quarantine policies to the node.
Dependent claims: 25, 26, 27.
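The node side (claims 1 and 20) and the supervisory side (claims 12 and 24) together form one exchange: the node flags a flow, reports it, receives an action policy and a quarantine policy chosen from the anomaly's type or severity, and applies both to the flow's packets. The following Python model of that exchange is an added illustration, not code from the patent or from any product it covers. The policy vocabulary (capture/drop/forward for the action, none/rate_limit/isolate for the quarantine), the volumetric detector with its 1500-byte threshold, the severity bands and the sample packets are all constructed assumptions; the claims only say that the supervisor's choice depends on anomaly type or severity.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    size: int

    @property
    def flow(self):
        # A flow is identified here by (source, destination, destination port); assumed key.
        return (self.src, self.dst, self.dport)


@dataclass(frozen=True)
class Anomaly:
    flow: tuple
    kind: str          # anomaly type reported to the supervisor
    severity: Severity


@dataclass(frozen=True)
class Policies:
    action: str        # "capture", "drop" or "forward" (assumed vocabulary)
    quarantine: str    # "none", "rate_limit" or "isolate" (assumed vocabulary)


class Supervisor:
    """Claim 12 role: receive a report, pick policies from (type, severity), return them."""

    # Constructed policy table; the patent does not specify any particular mapping.
    TABLE = {
        ("volumetric", Severity.LOW): Policies("capture", "none"),
        ("volumetric", Severity.MEDIUM): Policies("capture", "rate_limit"),
        ("volumetric", Severity.HIGH): Policies("drop", "isolate"),
    }
    DEFAULT = Policies("capture", "rate_limit")   # unknown type: keep evidence, slow it down

    def __init__(self):
        self.reports = []

    def receive_report(self, anomaly):
        self.reports.append(anomaly)
        return self.TABLE.get((anomaly.kind, anomaly.severity), self.DEFAULT)


class Node:
    """Claim 1 role: detect, report, obtain policies, apply them to the flow's packets."""

    def __init__(self, supervisor, byte_threshold=1500):
        self.supervisor = supervisor
        self.byte_threshold = byte_threshold
        self.captured = defaultdict(list)   # action "capture": packets retained for analysis
        self.dropped = defaultdict(int)     # action "drop": packets discarded
        self.quarantined = {}               # flow -> quarantine policy in force

    def detect(self, packets):
        """Toy volumetric detector (assumed): a flow is anomalous once its byte
        count exceeds the threshold; severity grows with the overshoot ratio."""
        volume = defaultdict(int)
        for p in packets:
            volume[p.flow] += p.size
        anomalies = []
        for flow, total in volume.items():
            if total <= self.byte_threshold:
                continue
            ratio = total / self.byte_threshold
            sev = Severity.HIGH if ratio >= 4 else Severity.MEDIUM if ratio >= 2 else Severity.LOW
            anomalies.append(Anomaly(flow, "volumetric", sev))
        return anomalies

    def process(self, packets):
        """Run the claim 1 sequence; return the policies applied to each anomalous flow."""
        decisions = {}
        for anomaly in self.detect(packets):
            policies = self.supervisor.receive_report(anomaly)   # report, get both policies
            decisions[anomaly.flow] = policies
            self.quarantined[anomaly.flow] = policies.quarantine
            for p in (q for q in packets if q.flow == anomaly.flow):
                if policies.action == "capture":
                    self.captured[anomaly.flow].append(p)
                elif policies.action == "drop":
                    self.dropped[anomaly.flow] += 1
                # "forward": packet passes untouched apart from the quarantine tag
        return decisions


# Constructed sample traffic: one benign flow, one moderate burst, one heavy burst.
SAMPLE = (
    [Packet("10.0.0.5", "10.0.0.9", 443, 400) for _ in range(3)]     # 1200 B: under threshold
    + [Packet("10.0.0.7", "10.0.0.9", 53, 700) for _ in range(5)]    # 3500 B: ratio 2.33, MEDIUM
    + [Packet("10.0.0.8", "10.0.0.9", 80, 1000) for _ in range(7)]   # 7000 B: ratio 4.67, HIGH
)


def run_demo():
    node = Node(Supervisor())
    return node, node.process(SAMPLE)


if __name__ == "__main__":
    node, decisions = run_demo()
    for flow, pol in decisions.items():
        print(flow, pol, "captured:", len(node.captured[flow]), "dropped:", node.dropped[flow])
```

Keeping the action policy and the quarantine policy as separate fields matters in practice: a capture action with a rate-limit quarantine preserves evidence of a suspected flood without letting it saturate the link, while a drop action with full isolation is reserved for the high-severity case where evidence is worth less than containment.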
Specification