Method and system for limiting the impact of undesirable behavior of computers on a shared data network

US 7,383,574 B2
Filed: 11/16/2001
Issued: 06/03/2008
Est. Priority Date: 11/22/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for limiting the impact of undesirable behavior of computers on a network through which packets of data are interchanged between the computers, comprising:

monitoring the network for any patterns of behavior;

determining, upon discovering that one or more of the patterns of behavior is undesirable, a type of the undesirable pattern of behavior;

determining a proper action for mitigating that type of undesirable behavior, the proper action including preventing dissemination through the network of packets associated with the undesirable behavior and allowing dissemination of packets not associated with the undesirable behavior,wherein preventing dissemination comprises at least one of changing a routing table, changing a forwarding table, turning off at least one port of a forwarding device, filtering on Internet Protocol (IP) addresses, and filtering on media access control (MAC) addresses, andwherein a discovery, including that of a network topology, facilitates the network monitoring and type of undesirable behavior determination, andwherein the dissemination through the network of packets associated with the undesirable behavior is prevented for a time period that is lengthened gradually as long as the undesirable behavior continues or intermittently reappears, the time period being gradually shortened if the undesirable behavior stops for a predetermined time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Undesirable behavior patterns of computers on a network impact network performance. A system and method are provided for limiting the impact of undesirable behavior of computers on the network. The network, through which packets of data are interchanged between the computers, includes one or more forwarding devices that are controlled or instructed by one or more packet traffic monitors. Each of the packet traffic monitors is configured for monitoring the packets; for determining if the information about the pattern of behavior from any of the computers is trustworthy; for determining, upon discovering that one or more of the patterns of behavior is undesirable, a type of the undesirable pattern behavior; and for determining a proper action for mitigating that type of undesirable behavior. The proper action is performed by mitigation means controlling the one or more forwarding devices.

49 Citations

View as Search Results

32 Claims

1. A method for limiting the impact of undesirable behavior of computers on a network through which packets of data are interchanged between the computers, comprising:
- monitoring the network for any patterns of behavior;
  
  determining, upon discovering that one or more of the patterns of behavior is undesirable, a type of the undesirable pattern of behavior;
  
  determining a proper action for mitigating that type of undesirable behavior, the proper action including preventing dissemination through the network of packets associated with the undesirable behavior and allowing dissemination of packets not associated with the undesirable behavior,wherein preventing dissemination comprises at least one of changing a routing table, changing a forwarding table, turning off at least one port of a forwarding device, filtering on Internet Protocol (IP) addresses, and filtering on media access control (MAC) addresses, andwherein a discovery, including that of a network topology, facilitates the network monitoring and type of undesirable behavior determination, andwherein the dissemination through the network of packets associated with the undesirable behavior is prevented for a time period that is lengthened gradually as long as the undesirable behavior continues or intermittently reappears, the time period being gradually shortened if the undesirable behavior stops for a predetermined time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein the time period corresponds to a skepticism level that depends on a history of the undesirable pattern of behavior, a skepticism level zero (0) denoting a good history.
  - 3. The method of claim 1, wherein the undesirable pattern of behavior is characterized in that it matches behavior defined by a network administrator as notable or undesirable.
  - 4. The method of claim 1, wherein the undesirable pattern of behavior is any network pathology characterized as a broadcast storm or an address resolution protocol (ARP) fight.
  - 5. The method of claim 1, wherein the undesirable pattern of behavior includes any one or more of a stolen Internet protocol (IP) address, a stolen media access control (MAC) address, a malformed packet, too many packets directed to an overloaded server, too many probe packets directed to a firewall or too many ARP request packets.
  - 6. The method of claim 1, wherein the undesirable pattern of behavior is a broadcast storm, and wherein the monitoring includesrecovering a topology of the network using information obtained through a network management protocol interface, andlearning historical packet traffic statistics for any segment of the network.
  - 7. The method of claim 6, wherein the network management protocol is the simple network management protocol (SNMP).
  - 8. The method of claim 1, wherein the undesirable pattern of behavior is a broadcast storm, and wherein the monitoring includes learning a topology of the network from a forwarding database or table of a forwarding device in the network.
  - 9. The method of the claim 1, wherein the network is a shared data network.
  - 10. The method of claim 8, wherein the network is a switched Ethernet network and the forwarding device is a switch.
  - 11. The method of claim 8, wherein the network is a bridged Ethernet network and the forwarding device is a bridge or a smart bridge.
  - 12. The method of the claim 1, wherein the undesirable pattern of behavior is too many ARP requests and wherein the monitoring includes verifying stability and lack of conflicts in an IP or MAC address mapping.
  - 13. The method of the claim 1, wherein the proper action further includes alerting a system administrator about the existence of the undesirable pattern of behavior.
  - 14. The method of claim 1, wherein the undesirable pattern of behavior is a simultaneous use of a network address, and wherein the proper action includes disabling any address associated to the network address that contradicts an address list in a network server or disabling any associated address that is not included in a list of addresses that are allowed to map to the network address.
  - 15. The method of claim 1 wherein discovery of the network topology facilitates disablement of ports in forwarding devices that connect to offending computers.
  - 16. The method of claim 1 wherein the time period becomes longer in a random exponential backoff before an attempt is made to allow resumption of the packets from any offending computer that originated the undesirable pattern of behavior, the time period becoming longer if the undesirable pattern of behavior reoccurs during a current backoff time, the time period becoming shorter if the undesirable pattern of behavior disappears and does not reoccur in the current backoff time.

17. A system for limiting the impact of undesirable behavior of computers on a network through which packets of data are interchanged between the computers, comprising:
- means for monitoring the packets for any patterns of behavior;
  
  means for determining, upon discovering that one or more of the patterns of behavior is undesirable, a type of the undesirable pattern of behavior;
  
  means for determining a proper action for mitigating that type of undesirable behavior, the proper action, performed by mitigation means, including preventing dissemination through the network of packets associated with the undesirable behavior and allowing dissemination of packets not associated with the undesirable behavior,wherein preventing dissemination comprises at least one of changing a routing table, changing a forwarding table, and turning off at least one port of a forwarding device, andwherein means for discovery, including that of a network topology, facilitates network monitoring and type of undesirable behavior determination, andwherein the dissemination through the network of packets associated with the undesirable behavior is prevented for a time period that is lengthened gradually as long as the undesirable behavior continues or intermittently reappears, the time period being gradually shortened if the undesirable behavior stops for a predetermined time.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The system of claim 17, wherein the time period corresponds to a skepticism level that depends on a history of the undesirable pattern of behavior, a skepticism level zero (0) denoting a good history.
  - 19. The system of claim 17, wherein the undesirable pattern of behavior is characterized in that it matches behavior defined by a network administrator as notable or undesirable.
  - 20. The system of claim 17, wherein the undesirable pattern of behavior is any network pathology characterized as a broadcast storm or an address resolution protocol (ARP) fight.
  - 21. The system of claim 17, wherein the undesirable pattern of behavior includes any one or more of a stolen Internet protocol (IP) address, a stolen media access control (MAC) address, a malformed packet, too many packets directed to an overloaded server, too many probe packets directed to a firewall or too many ARP request packets.
  - 22. The system of claim 17, wherein preventing the dissemination of Packets associated with the undesirable pattern of behavior includes discarding the packets associated with such behavior, isolating any of the computers at which such behavior originates, or isolating any network segments at which such behavior originates.
  - 23. The system of claim 17, wherein the undesirable pattern of behavior is a broadcast storm, and wherein the monitoring means includesmeans for recovering a topology of the network using information obtained through a standard SNMP (simple network management protocol) interface, andmeans for learning historical packet traffic statistics for any segment of the network.
  - 24. The system of claim 17, wherein the undesirable pattern of behavior is a broadcast storm, and wherein the monitoring means includes means for learning the topology of the network from a forwarding database or table of a forwarding device in the network.
  - 25. The system of claim 24, wherein the network is a switched Ethernet network and the forwarding device is a switch.
  - 26. The system of claim 17, wherein the network is a shared data network.
  - 27. The system of claim 17, wherein the undesirable pattern of behavior is too many ARP requests and wherein the monitoring means includes means for verifying stability and lack of conflicts in an IP or MAC address mapping.
  - 28. The system of claim 17 wherein the proper action includes alerting a system administrator about the existence of the undesirable pattern of behavior.
  - 29. The system of claim 17, wherein the undesirable pattern of behavior is a simultaneous use of a network address, and wherein the proper action includes disabling any address associated to the network address that contradicts an address list in a network server or disabling any associated address that is not included in a list of addresses that are allowed to map to the network address.
  - 30. The system of claim 17, wherein discovery of the network topology facilitates disablement of ports in forwarding devices that connect to offending computers.
  - 31. The system of claim 17, wherein the time period becomes longer in a random exponential backoff before an attempt is made to allow resumption of the packets from any offending computer that originated the undesirable pattern of behavior, the time period becoming longer if the undesirable pattern of behavior reoccurs during a current backoff time, the time period becoming shorter if the undesirable pattern of behavior disappears and does not reoccur in the current backoff time.
  - 32. The method of claim 17, wherein the dissemination through the network of packets associated with the undesirable behavior is prevented for a time period that is exponentially increasing as long as the undesirable behavior continues or intermittently reappears, the time period being exponentially shortened if the undesirable behavior stops for a predetermined time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Burrows, Michael, Mogul, Jeffrey Clifford, Stata, Raymond P.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Chai; Longbit

Application Number

US09/991,108
Publication Number

US 20020073338A1
Time in Patent Office

2,391 Days
Field of Search

713200-202, 713165-167, 713187-189, 370/229, 709/226, 709/207, 709238-254, 714/4, 714/47, 379111-113, 726/13, 726 23- 26
US Class Current

726/13
CPC Class Codes

H04L 41/0213 Standardised network manage...

H04L 43/00 Arrangements for monitoring...

Method and system for limiting the impact of undesirable behavior of computers on a shared data network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Method and system for limiting the impact of undesirable behavior of computers on a shared data network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others