PACKET CAPTURE FOR ANOMALOUS TRAFFIC FLOWS

US 20160219065A1
Filed: 01/23/2015
Published: 07/28/2016
Est. Priority Date: 01/23/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by a first device in a network, an anomalous traffic flow in the network;

reporting, by the first device, the anomalous traffic flow to a supervisory device in the network;

determining, by the first device, a quarantine policy for the anomalous traffic flow;

determining, by the first device, an action policy for the anomalous traffic flow; and

applying, by the first device, the quarantine and action policies to one or more packets of the anomalous traffic flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a first device in a network identifies an anomalous traffic flow in the network. The first device reports the anomalous traffic flow to a supervisory device in the network. The first device determines a quarantine policy for the anomalous traffic flow. The first device determines an action policy for the anomalous traffic flow. The first device applies the quarantine and action policies to one or more packets of the anomalous traffic flow.

94 Citations

View as Search Results

27 Claims

1. A method comprising:
- identifying, by a first device in a network, an anomalous traffic flow in the network;
  
  reporting, by the first device, the anomalous traffic flow to a supervisory device in the network;
  
  determining, by the first device, a quarantine policy for the anomalous traffic flow;
  
  determining, by the first device, an action policy for the anomalous traffic flow; and
  
  applying, by the first device, the quarantine and action policies to one or more packets of the anomalous traffic flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as in claim 1, wherein the anomalous traffic flow is identified by the first device using a machine learning or analytics model.
  - 3. The method as in claim 1, wherein determining the quarantine policy for the anomalous traffic flow comprises:
    - receiving, at the first device, the quarantine policy from the supervisory device, in response to reporting the anomalous traffic flow to the supervisory device.
  - 4. The method as in claim 1, wherein applying the quarantine policy to the one or more packets of the anomalous traffic flow comprises:
    - providing, by the first device, a copy of the one or more packets of the anomalous traffic flow to a device for further analysis.
  - 5. The method as in claim 1, wherein applying the quarantine policy to the one or more packets of the anomalous traffic flow comprises:
    - sampling, by the first device, the one or more packets of the anomalous traffic flow; and
      
      providing, by the first device, the one or more sampled packets to a quarantine device.
  - 6. The method as in claim 1, wherein applying the quarantine policy to the one or more packets of the anomalous traffic flow comprises:
    - rerouting, by the first device, the one or more packets of the anomalous traffic flow to a quarantine device.
  - 7. The method as in claim 1, wherein applying the quarantine policy to the one or more packets of the anomalous traffic flow comprises:
    - buffering, at the first device, the one or more packets of the anomalous traffic flow; and
      
      providing, by the first device, the buffered one or more packets of the anomalous traffic flow to a quarantine device.
  - 8. The method as in claim 1, wherein determining the action policy for the anomalous traffic flow comprises:
    - receiving, at the first device, the action policy from the supervisory device, in response to reporting the anomalous traffic flow to the supervisory device.
  - 9. The method as in claim 1, wherein applying the action policy to the one or more packets of the anomalous traffic flow comprises at least one of:
    - flagging the one or more packets as anomalous, dropping the one or more packets, lowering a priority associated with the one or more packets, or applying traffic shaping to the one or more packets.
  - 10. The method as in claim 1, wherein the first device proactively applies the quarantine and action policies to one or more packets of the anomalous traffic flow, in response to identifying the anomalous traffic flow.
  - 11. The method as in claim 1, further comprising:
    - receiving, at the first device, packet tracking criteria from the supervisory device; and
      
      applying, by the first device, the quarantine and action policies to the one or more packets of the anomalous traffic flow and to at least one packet outside of the anomalous traffic flow, based on the packet tracking criteria.

12. A method comprising:
- receiving, at a device in a network, an indication of an anomalous traffic flow detected by a node in the network;
  
  determining, by the device, an action policy for the anomalous traffic flow, based on an anomaly type or severity associated with the anomalous traffic flow;
  
  determining, by the device, a quarantine policy for the anomalous traffic flow, based on the anomaly type or severity associated with the anomalous traffic flow; and
  
  providing, by the device, the action and quarantine policies to the node.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method as in claim 12, wherein the provided action policy causes the node to at least one of:
    - flag one or more packets of the anomalous traffic flow as anomalous, drop the one or more packets of the anomalous traffic flow, or lower a priority associated with the one or more packets of the anomalous traffic flow.
  - 14. The method as in claim 12, wherein the provided quarantine policy causes the node to at least one of:
    - provide sampled copies of packets of the anomalous traffic flow to the device, provide copies of all packets of the anomalous traffic flow to the device, reroute packets of the anomalous traffic flow to the device.
  - 15. The method as in claim 12, further comprising:
    - providing, by the device, the indication of the anomalous traffic flow to a user interface; and
      
      receiving, at the device, the action and quarantine policies from the user interface, in response to providing the indication of the anomalous traffic flow to the user interface.
  - 16. The method as in claim 12, further comprising:
    - storing, by the device, packets of the anomalous traffic flow with metadata indicative of at least one of;
      
      the anomaly type, the severity, a packet capture duration, or an indication as to whether the packets were captured proactively by the node.
  - 17. The method as in claim 16, further comprising:
    - receiving, at the device, a query request for the packets of the anomalous traffic flow from a user interface; and
      
      providing, by the device, data regarding the packets to the user interface based on the query request.
  - 18. The method as in claim 17, wherein the query request requests one of:
    - a raw representation of all stored packets of the anomalous traffic flow, a subset of the stored packets that contain payloads, or a subset of the stored packets that are control packets.
  - 19. The method as in claim 17, wherein the data regarding the packets includes data regarding at least one packet of the anomalous traffic flow captured in real time.

20. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the one or more network interfaces and configured to execute a process; and
  
  a memory configured to store the process executable by the processor, the process when executed operable to;
  
  identify an anomalous traffic flow in the network;
  
  report the anomalous traffic flow to a supervisory device in the network;
  
  determine a quarantine policy for the anomalous traffic flow;
  
  determine an action policy for the anomalous traffic flow; and
  
  apply the quarantine and action policies to one or more packets of the anomalous traffic flow.
- View Dependent Claims (21, 22, 23)
- - 21. The apparatus as in claim 20, wherein the apparatus proactively applies the quarantine and action policies to one or more packets of the anomalous traffic flow, in response to identifying the anomalous traffic flow.
  - 22. The apparatus as in claim 20, wherein the apparatus identifies the anomalous traffic flow using a machine learning or analytics model.
  - 23. The apparatus as in claim 20, wherein the apparatus applies the quarantine policy to the one or more packets of the anomalous traffic flow by at least one of:
    - rerouting the one or more packets to a quarantine device in the network, providing a copy of the one or more packets to a device for further analysis, or providing a buffered set of packets of the anomalous traffic flow to the quarantine device.

24. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the one or more network interfaces and configured to execute a process; and
  
  a memory configured to store the process executable by the processor, the process when executed operable to;
  
  receive an indication of an anomalous traffic flow detected by a node in the network;
  
  determine an action policy for the anomalous traffic flow, based on an anomaly type or severity associated with the anomalous traffic flow;
  
  determine a quarantine policy for the anomalous traffic flow, based on the anomaly type or severity associated with the anomalous traffic flow; and
  
  provide the action and quarantine policies to the node.
- View Dependent Claims (25, 26, 27)
- - 25. The apparatus as in claim 24, wherein the provided action policy causes the node to at least one of:
    - flag one or more packets of the anomalous traffic flow as anomalous, drop the one or more packets of the anomalous traffic flow, lower a priority associated with the one or more packets of the anomalous traffic flow, or apply traffic shaping to the anomalous traffic flow, and wherein the provided quarantine policy causes the node to at least one of;
      
      provide sampled copies of packets of the anomalous traffic flow to the device, provide copies of all packets of the anomalous traffic flow to the device, reroute packets of the anomalous traffic flow to the device.
  - 26. The apparatus as in claim 24, wherein the process when executed is further operable to:
    - store packets of the anomalous traffic flow with metadata indicative of at least one of;
      
      the anomaly type, the severity, a packet capture duration, or an indication as to whether the packets were captured proactively by the node.
  - 27. The apparatus as in claim 26, wherein the process when executed is further operable to:
    - receive a query request for the packets of the anomalous traffic flow from a user interface; and
      
      provide data regarding the packets to the user interface based on the query request, wherein the query request requests one of;
      
      a raw representation of all stored packets of the anomalous traffic flow, a subset of the stored packets that contain payloads, or a subset of the stored packets that are control packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dasgupta, Sukrit, Vasseur, Jean-Philippe

Granted Patent

US 10,484,405 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

PACKET CAPTURE FOR ANOMALOUS TRAFFIC FLOWS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

94 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

PACKET CAPTURE FOR ANOMALOUS TRAFFIC FLOWS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links