Automatic network traffic discovery and classification mechanism including dynamic discovery thresholds

US 7,543,052 B1
Filed: 12/22/2003
Issued: 06/02/2009
Est. Priority Date: 12/22/2003
Status: Active Grant

First Claim

Patent Images

1. An apparatus facilitating the monitoring of network traffic, comprising:

one or more network interfaces;

a memory;

a processor; and

computer-executable program code stored in the memory and executable by the processor, the computer-executable program code comprisinga traffic classification database module comprising computer-executable instructions configured, when executed, to cause the processor tostore at least one traffic class including a traffic class identifier and at least one attribute defining the traffic class;

compare attributes stored in association with traffic class identifiers to attributes of a data flow to match a traffic class that corresponds to the data flow;

a traffic discovery module comprising computer-executable instructions configured, when executed, to cause the processor todiscover new traffic classes associated with data flows for which the traffic classification database did not find a matching traffic class;

add discovered traffic classes to the traffic classification database after a discovery threshold has been exceeded;

dynamically adjust under one or more computer program controls the discovery threshold based on a comparison of a current rate at which the discovered traffic classes are added to the traffic classification database to a threshold rate.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses and systems directed to an automatic network traffic discovery and classification mechanism that includes dynamically adjusted traffic discovery thresholds. In one implementation, the dynamic discovery thresholds are adjusted based on analysis of one or more operational parameters associated with network traffic discovery, and/or network traffic characteristics. The present invention in one implementation can be configured to dynamically adjust one or more thresholds or range limits that affect the behavior of the automatic traffic classification mechanism, such as the rate at which new traffic classes are added to a traffic classification database. One implementation of the present invention minimizes the user intervention often required with the use of static traffic discovery thresholds.

Citations

26 Claims

1. An apparatus facilitating the monitoring of network traffic, comprising:
- one or more network interfaces;
  
  a memory;
  
  a processor; and
  
  computer-executable program code stored in the memory and executable by the processor, the computer-executable program code comprisinga traffic classification database module comprising computer-executable instructions configured, when executed, to cause the processor tostore at least one traffic class including a traffic class identifier and at least one attribute defining the traffic class;
  
  compare attributes stored in association with traffic class identifiers to attributes of a data flow to match a traffic class that corresponds to the data flow;
  
  a traffic discovery module comprising computer-executable instructions configured, when executed, to cause the processor todiscover new traffic classes associated with data flows for which the traffic classification database did not find a matching traffic class;
  
  add discovered traffic classes to the traffic classification database after a discovery threshold has been exceeded;
  
  dynamically adjust under one or more computer program controls the discovery threshold based on a comparison of a current rate at which the discovered traffic classes are added to the traffic classification database to a threshold rate.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11)
- - 5. The apparatus of claim 1 further comprising a user interface module comprising computer-executable instructions configured, when executed, to cause the processor to display the traffic classes stored by the traffic classification database.
  - 6. The apparatus of claim 1 further comprising a bandwidth control mechanism configured to enforce bandwidth utilization controls on data flows associated with corresponding traffic classes.
  - 7. The apparatus of claim 1 wherein the traffic discovery module further comprises computer-executable instructions configured, when executed, to cause the processor tomonitor the discovery of new traffic classes in relation to a maximum number of discovered traffic classes;
    - andterminate adding discovered traffic classes to the traffic classification database when the maximum number of newly discovered traffic classes has been met.
  - 8. The apparatus of claim 1 further comprising a traffic class pruning module comprising computer-executable instructions configured, when executed, to cause the processor to delete inactive traffic classes added to the traffic classification database by the traffic discovery module.
  - 9. The apparatus of claim 1 further comprising an administrator interface comprising computer-executable instructions configured, when executed, to cause the processor to allow a user to configure the traffic discovery module to prevent selected traffic classes from being added to the traffic classification database.
  - 10. The apparatus of claim 1 wherein the traffic discovery module further comprises computer-executable instructions configured, when executed, to cause the processor tomonitor data flows for which the traffic classification database did not find a matching traffic class relative to one or more host systems associated with the network traffic;
    - identify the host systems behaving as servers in the data flows; and
      
      add a traffic class associated with host systems identified as servers in the traffic classification database, if a threshold utilization threshold is exceeded.
  - 11. The apparatus of claim 1 wherein the traffic classification database includes a discovered traffic class section for storing discovered traffic classes added by the traffic discovery module.

2. An apparatus facilitating the monitoring of network traffic, comprising:
- one or more network interfaces;
  
  a memory;
  
  a processor; and
  
  computer-executable program code stored in the memory and executable by the processor, the computer-executable program code comprisinga traffic classification database module comprising computer-executable instructions configured, when executed, to cause the processor tostore at least one traffic class including a traffic class identifier and at least one attribute defining the traffic class;
  
  compare attributes stored in association with traffic class identifiers to attributes of a data flow to match a traffic class that corresponds to the data flow;
  
  a traffic discovery module comprising computer-executable instructions configured, when executed, to cause the processor todiscover new traffic classes associated with data flows for which the traffic classification database did not find a matching traffic class;
  
  add discovered traffic classes to the traffic classification database after a discovery threshold has been exceeded;
  
  dynamically adjust under one or more computer program controls the discovery threshold based on an initial value of the discovery threshold and an amount of time since the traffic discovery module was initialized.

3. An apparatus facilitating the monitoring of network traffic, comprising:
- one or more network interfaces;
  
  a memory;
  
  a processor; and
  
  computer-executable program code stored in the memory and executable by the processor, the computer-executable program code comprisinga traffic classification database module comprising computer-executable instructions configured, when executed, to cause the processor tostore at least one traffic class including a traffic class identifier and at least one attribute defining the traffic class;
  
  compare attributes stored in association with traffic class identifiers to attributes of a data flow to match a traffic class that corresponds to the data flow;
  
  a traffic discovery module comprising computer-executable instructions configured, when executed, to cause the processor todiscover new traffic classes associated with data flows for which the traffic classification database did not find a matching traffic class;
  
  add discovered traffic classes to the traffic classification database after a discovery threshold has been exceeded;
  
  dynamically adjust under one or more computer program controls the discovery threshold based on a comparison of a total number of data flows traversing the apparatus to a total number of data flows unmatched by the traffic classification database.

4. An apparatus facilitating the monitoring of network traffic, comprising:
- one or more network interfaces;
  
  a memory;
  
  a processor; and
  
  computer-executable program code stored in the memory and executable by the processor, the computer-executable program code comprisinga traffic classification database module comprising computer-executable instructions configured, when executed, to cause the processor tostore at least one traffic class including a traffic class identifier and at least one attribute defining the traffic class;
  
  compare attributes stored in association with traffic class identifiers to attributes of a data flow to match a traffic class that corresponds to the data flow;
  
  a traffic discovery module comprising computer-executable instructions configured, when executed, to cause the processor todiscover new traffic classes associated with data flows for which the traffic classification database did not find a matching traffic class;
  
  add discovered traffic classes to the traffic classification database after a discovery threshold has been exceeded;
  
  dynamically adjust under one or more computer program controls the discovery threshold based on a comparison of a threshold ratio value to a current ratio between a total number of data flows traversing the apparatus and a total number of data flows unmatched by the traffic classification database.

12. A method facilitating the monitoring of network traffic, comprisingdetecting a data flow in network traffic traversing a communications path, the data flows each comprising at least one packet;
- parsing at least one packet associated with the data flow into a flow specification,matching the flow specification to a first set of traffic classes, wherein the traffic classes in the first set of traffic classes are each defined by one or more attributes,having found a matching traffic class in the matching step, associating the flow specification corresponding to the data flow with a traffic class from the first set of traffic classes,not having found a matching traffic class in the first set of traffic classes, matching the flow specification to a second set including at least one additional traffic class;
  
  having found a matching traffic class in the second set, updating at least one discovery parameter associated with the matching traffic class,upon a discovery parameter crossing a discovery threshold, adding the corresponding traffic class to the first set of traffic classes; and
  
  dynamically adjusting under one or more computer program controls the discovery threshold based on a comparison of a current rate at which the discovered traffic classes are added to the traffic classification database to a threshold rate.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12 wherein the flow specification contains at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a MIME type, and a pointer to an application-specific attribute.
  - 14. The method of claim 12 wherein said flow specification contains, and wherein the one or more matching attributes include, at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a MIME type, and a pointer to an application-specific attribute.

15. An apparatus comprisingone or more network interfaces;
- a memory;
  
  a processor; and
  
  computer-executable program code stored in the memory and executable by the processor, the computer-executable program code comprisinga packet processor module comprising computer-executable instructions configured, when executed, to cause the processor todetect data flows in network traffic traversing a communications path, the data flows each comprising at least one packet;
  
  parse at least one packet associated with a data flow into a flow specification,a traffic classification database module comprising computer-executable instructions configured, when executed, to cause the processor tomatch the data flow to a plurality of traffic classes, at least one of the plurality of traffic classes is defined by one or more matching attributes; and
  
  a traffic discovery module comprising computer-executable instructions configured, when executed, to cause the processor todiscover new traffic classes associated with data flows for which the traffic classification database did not find a matching traffic class;
  
  add newly discovered traffic classes to the traffic classification database after a discovery threshold has been exceeded;
  
  dynamically adjust under one or more computer program controls the discovery threshold based on a comparison of a current rate at which the discovered traffic classes are added to the traffic classification database to a threshold rate.
- View Dependent Claims (16, 17, 18)
- - 16. The apparatus of claim 15 wherein said flow specification contains at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a MIME type, and a pointer to an application-specific attribute.
  - 17. The apparatus of claim 15 wherein said flow specification contains, and wherein the one or more matching attributes include, at least one instance of any one of the following:
    - a protocol family designation, a direction of packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a MIME type, and a pointer to an application-specific attribute.
  - 18. The apparatus of claim 15 further comprisinga flow control module operative to apply bandwidth utilization controls to the data flows based on the traffic class associated with the data flows.

19. An apparatus facilitating the monitoring of network traffic, comprising:
- one or more network interfaces;
  
  a memory;
  
  a processor; and
  
  computer-executable program code stored in the memory and executable by the processor, the computer-executable program code comprisinga traffic discovery module comprising computer-executable instructions configured, when executed, to cause the processor toidentify traffic classes corresponding to data flows traversing an access link;
  
  monitor bandwidth utilization across the access link with respect to a plurality of traffic classes in relation to at least one bandwidth utilization statistic;
  
  add an identified traffic class to a traffic classification database upon achievement of a minimum bandwidth utilization threshold;
  
  dynamically adjust under one or more computer program controls the minimum bandwidth utilization threshold based on a comparison of a current rate at which the discovered traffic classes are added to the traffic classification database to a threshold rate; and
  
  a user interface module operative to display the traffic classes maintained by the traffic classification database.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The apparatus of claim 19 further comprising a bandwidth control mechanism configured to enforce bandwidth utilization controls on data flows associated with corresponding traffic classes.
  - 21. The apparatus of claim 20 wherein the user interface module facilitates association of a bandwidth utilization control to a selected traffic class.
  - 22. The apparatus of claim 19 wherein the minimum bandwidth utilization threshold is a minimum number of data flows.
  - 23. The apparatus of claim 19 wherein the minimum bandwidth utilization threshold is a minimum number of bytes.
  - 24. The apparatus of claim 19 wherein the minimum bandwidth utilization threshold is a minimum number of packets.

25. A method for automatically classifying traffic in a packet communications network, said network having any number of flows, including zero, comprising the steps of:
- parsing a packet into a flow specification, wherein said flow specification including at least one attribute;
  
  matching the first flow specification of the parsing step to a plurality of traffic classes, each said traffic class having a traffic specification;
  
  thereupon,if a matching classification tree type node was not found in the matching step,associating the flow specification with one or more newly-created traffic classes;
  
  thereupon,incorporating said newly-created traffic class into said plurality of traffic classes upon an achievement of a minimum usage threshold; and
  
  dynamically adjusting under one or more computer program controls the minimum usage threshold based on a comparison of a threshold ratio value to a current ratio between a total number of data flows traversing the apparatus and a total number of data flows unmatched by the traffic classification database.
- View Dependent Claims (26)
- - 26. The method of claim 25 wherein the plurality of traffic classes is represented by a plurality nodes of a classification tree, each said classification tree node having a traffic specification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Packeteer Incorporated (Gen Digital Inc.)
Inventors
Cesa Klein, Anne
Primary Examiner(s)
Winder; Patrice
Assistant Examiner(s)
Tang; Karen C

Application Number

US10/744,268
Time in Patent Office

1,989 Days
Field of Search

709/223, 709/224
US Class Current

709/224
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/16   Threshold monitoring

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 47/2483   involving identification of...

Automatic network traffic discovery and classification mechanism including dynamic discovery thresholds

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic network traffic discovery and classification mechanism including dynamic discovery thresholds

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links