Methods, apparatuses, and systems allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users

US 7,296,288 B1
Filed: 11/15/2002
Issued: 11/13/2007
Est. Priority Date: 11/15/2002
Status: Active Grant

First Claim

Patent Images

1. A method allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users, the method comprisingmonitoring, at a network device, data flows relative to at least one user for indications of suspicious activity directed to evading classification of network traffic associated with the at least one user by a network traffic classification device;

maintaining a suspicion level for the at least one user based on detected indications of suspicious activity, wherein the detected indications of suspicious activity comprise a user connecting to a tunnel proxy resource operative to encrypt data flows corresponding to the user; and

applying bandwidth utilization controls to the data flows associated with the at least one user based on the respective suspicion level.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses and systems allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users. In one embodiment, the present invention allows network administrators to penalize users who carry out specific questionable or suspicious activities, such as the use of proxy tunnels to disguise the true nature of the data flows in order to evade classification and control by bandwidth management devices. In one embodiment, each individual user may be accorded an initial suspicion score. Each time the user is associated with a questionable or suspicious activity (for example, detecting the set up of a connection to an outside HTTP tunnel, or peer-to-peer application flow), his or her suspicion score is downgraded. Data flows corresponding to users with sufficiently low suspicion scores, in one embodiment, can be treated in a different manner from data flows associated with other users. For example, different or more rigorous classification rules and policies can be applied to the data flows associated with suspicious users.

176 Citations

34 Claims

1. A method allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users, the method comprisingmonitoring, at a network device, data flows relative to at least one user for indications of suspicious activity directed to evading classification of network traffic associated with the at least one user by a network traffic classification device;
- maintaining a suspicion level for the at least one user based on detected indications of suspicious activity, wherein the detected indications of suspicious activity comprise a user connecting to a tunnel proxy resource operative to encrypt data flows corresponding to the user; and
  
  applying bandwidth utilization controls to the data flows associated with the at least one user based on the respective suspicion level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 29, 30, 31)
- - 2. The method of claim 1 wherein at least one of the indications of suspicious activity comprises a user connecting to a tunnel proxy resource further comprising the step of conditionally applying a decay rate to the suspicion level, wherein the decay rate results in the lowering of the suspicion level for the user if no detected indications of suspicious activity occur during a pre-defined number of periods.
  - 3. The method of claim 1 wherein at least one of the indications of suspicious activity comprises irregular data flow patterns.
  - 4. The method of claim 1 wherein at least one of the indications of suspicious activity comprises a user connecting to a peer-to-peer application resource.
  - 5. The method of claim 1 wherein at least one of the indications of suspicious activity comprises beyond a threshold number of connections to a host system.
  - 6. The method of claim 5 wherein the host system is a server relative to the connections.
  - 7. The method of claim 1 wherein the suspicion level is expressed as a suspicion score.
  - 8. The method of claim 1 wherein the monitoring step comprisescollecting raw data corresponding to data flows associated with the at least one user;
    - andprocessing the collected raw data in a separate process to detect indications of suspicious activity.
  - 29. The method of claim 1 wherein the monitoring step comprisesanalyzing network traffic associated with one or more users against one or more traffic pattern templates;
    - andwherein the maintaining step comprisesadjusting the suspicion level for the one or more users based on analyzing step.
  - 30. The method of claim 1 wherein the monitoring step comprisesanalyzing HTTP network traffic associated with one or more users against an HTTP traffic pattern template;
    - andwherein the maintaining step comprisesadjusting the suspicion level for a given user based on the analyzing step.
  - 31. The method of claim 30 wherein the HTTP traffic pattern template comprises at least one attribute characterizing an expected behavior of regular HTTP traffic, and at least one attribute characterizing a suspicious behavior involving HTTP traffic.

9. An apparatus allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users, comprisinga suspicion scoring module operative to:
- monitor data flows relative to at least one user for indications of suspicious activity directed to evading classification of network traffic associated with the at least one user by a network traffic classification device; and
  
  generate a suspicion level for the at least one user based on detected indications of suspicious activity, wherein the detected indications of suspicious activity comprise a user connecting to a tunnel proxy resource operative to encrypt data flows corresponding to the user; and
  
  a bandwidth utilization control module operative to apply bandwidth utilization controls to data flows associated with the at least one user based at least in part on the respective suspicion levels.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 32, 33, 34)
- - 10. The apparatus of claim 9 wherein the bandwidth utilization control module comprisesa packet processor, a traffic classification databases and a flow control module;
    - wherein the packet processor is operative to;
      
      construct control block objects including attributes characterizing data flows traversing the apparatus, andassociate packets to control block objects;
      
      wherein the traffic classification database is operative to;
      
      operate on control block object attributes to identify traffic classes associated with data flows traversing the apparatus, andassociate bandwidth utilization controls to the data flows based on identified traffic classes; and
      
      wherein the flow control module is operative to enforce bandwidth utilization controls on data flows associated with corresponding traffic classes.
  - 11. The apparatus of claim 9 wherein the suspicion scoring module is operative to:
    - execute in the packet processing path to collect raw data associated with data flows traversing the bandwidth utilization control module; and
      
      process the collected raw data in a separate process to generate suspicion levels for the at least one user.
  - 12. The apparatus of claim 9 wherein the suspicion scoring module includes a heightened scrutiny list comprising at least one user identification;
    - and wherein the suspicion scoring module is operative to monitor only the data flows associated with user identifications in the heightened scrutiny list.
  - 13. The apparatus of claim 12 wherein the user identification is a computer network address.
  - 14. The apparatus of claim 12 wherein the user identification is a range of computer network addresses.
  - 15. The apparatus of claim 14 wherein the range is expressed as a computer network subnet.
  - 16. The apparatus of claim 9 wherein the suspicion scoring module is operative to maintain an exclude list comprising at least one user identification;
    - and wherein the suspicion scoring module is operative to exclude from monitoring data flows associated with the at least one user identification on the exclude list.
  - 17. The apparatus of claim 16 wherein the user identification is a computer network address.
  - 18. The apparatus of claim 16 wherein the user identification is a range of computer network addresses.
  - 19. The apparatus of claim 18 wherein the range is expressed as a computer network subnet.
  - 20. The apparatus of claim 12 wherein the user identification is a ticket issued by a network authentication mechanism.
  - 21. The apparatus of claim 10 further comprising a host database storing computer network addresses associated with data flows traversing the apparatus, wherein the host database maintains suspicion levels generated by the suspicion scoring module in association with the computer network addresses.
  - 22. The apparatus of claim 10 wherein the traffic classification database maintains a traffic class for suspicious users;
    - and wherein the suspicion scoring module is operative to change the configuration of the traffic classification database to classify data lows associated with users having a suspicion level beyond a threshold level in the traffic class for suspicious users.
  - 32. The apparatus of claim 9 wherein the suspicion scoring module is operative toanalyze network traffic associated with one or more users against one or more traffic pattern templates;
    - andadjust the suspicion level for the one or more users based on analyzing step.
  - 33. The apparatus of claim 9 wherein the suspicion scoring module is operative toanalyze HTTP network traffic associated with one or more users against an HTTP traffic pattern template;
    - andadjust the suspicion level for a given user based on the analyzing step.
  - 34. The apparatus of claim 33 wherein the HTTP traffic pattern template comprises at least one attribute characterizing an expected behavior of regular HTTP traffic, and at least one attribute characterizing a suspicious behavior involving HTTP traffic.

23. A method allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users, the method comprisingmonitoring, at a network device, data flows relative to at least one user for indications of suspicious activity directed to evading classification of network traffic associated with the at least one user by a network traffic classification device;
- maintaining a suspicion level for the at least one user based on detected indications of suspicious activity, wherein the detected indications of suspicious activity comprise a user connecting to a tunnel proxy resource operative to encrypt data flows corresponding to the user; and
  
  applying a heightened level of scrutiny to data flows associated with users having a suspicion level beyond a threshold suspicion level.

24. A method allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users, the method comprisingmonitoring, at a network device, data flows relative to at least one user for indications of suspicious activity directed to evading classification of network traffic associated with the at least one use, by a network traffic classification device, wherein the indications of suspicious activity comprise a user connecting to a tunnel proxy resource operative to encrypt data flows corresponding to the user;
- andmaintaining a suspicion level for the at least one user based on detected indications of suspicious activity.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The method of claim 24 further comprisingreporting the suspicion level for the at least one user.
  - 26. The method of claim 25 wherein the reporting step comprisestransmitting the suspicion level for the at least one user to a remote network device.
  - 27. The method of claim 26 wherein the remote network device is a central management server.
  - 28. The method of claim 24 further comprisingmodifying the configuration of at least one network device in response to the suspicion level for the at least one user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Packeteer Incorporated (Gen Digital Inc.)
Inventors
Riddle, Guy, Purvy, Robert E., Hill, Mark
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
PAN, PEILIANG

Application Number

US10/295,391
Time in Patent Office

1,824 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 713/193, 380/200, 380/201, 380/255, 380/277, 726/2, 726/3, 726 11- 15
US Class Current

726/2
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0896   Bandwidth or capacity manag...

H04L 43/0882   Utilisation of link capacity

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

Methods, apparatuses, and systems allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

176 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, apparatuses, and systems allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

176 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links