Anomaly detection for storage traffic in a data center

US 7,793,138 B2
Filed: 12/21/2005
Issued: 09/07/2010
Est. Priority Date: 12/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting anomalies in a storage area network (SAN) comprising at least a network device, a plurality of servers, and a plurality of storage devices accessible by the plurality of servers, the method comprising:

at the network device, providing an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the network device of the SAN and such received traffic pertains to a particular server of the SAN requesting that data be read to a particular storage device of the SAN or written to the particular storage device of the SAN, wherein the particular server of the SAN is logged into the particular storage device of the SAN;

at the network device, monitoring traffic that is received by the network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the monitored traffic; and

when the provided anomaly type is detected, performing the corresponding action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are methods and apparatus for detecting anomalies in a storage area network (SAN). Provided are one or more anomaly type(s) and corresponding actions to be performed when the one or more anomaly types are detected. Traffic in the SAN is then inspected in order to detect the one or more provided anomaly type(s). When a one of the provided one or more anomaly type(s) is detected, one or more of the corresponding action(s) is performed. The provided anomaly type(s) may include one or more of the following: a read or write access pattern anomaly, excessive login or control requests, a bandwidth usage anomaly, a configuration anomaly, and a hardware anomaly. The provided corresponding actions may include logging and/or publishing the detected anomaly, enabling capture of the detected anomaly by an analysis device, re-authentication of a host that is responsible for the anomaly, disable access control for a host that is responsible for the anomaly, rate control of an anomalous link, and shut down of an anomalous link.

Citations

39 Claims

1. A method of detecting anomalies in a storage area network (SAN) comprising at least a network device, a plurality of servers, and a plurality of storage devices accessible by the plurality of servers, the method comprising:
- at the network device, providing an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the network device of the SAN and such received traffic pertains to a particular server of the SAN requesting that data be read to a particular storage device of the SAN or written to the particular storage device of the SAN, wherein the particular server of the SAN is logged into the particular storage device of the SAN;
  
  at the network device, monitoring traffic that is received by the network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the monitored traffic; and
  
  when the provided anomaly type is detected, performing the corresponding action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A method as recited in claim 1, wherein the provided anomaly type pertains to only the traffic sent between the particular server and the particular storage device in the SAN.
  - 3. A method as recited in claim 2, wherein the anomaly type is a Read or Write pattern anomaly for traffic sent between the particular server and the particular storage device in the SAN.
  - 4. A method as recited in claim 3, wherein the Read or Write pattern anomaly indicates that a frequency of Read and/or Write activity has exceeded a predefined threshold for the particular server and the particular storage device in the SAN.
  - 5. A method as recited in claim 4, wherein the Read or Write access pattern anomaly indicates that the frequency of Read and/or Write activity has exceeded the predefined threshold for the particular server and a particular one or more logical unit(s) (LUNs) of the particular storage device.
  - 6. A method as recited in claim 5, wherein the Read or Write access pattern anomaly indicates that the frequency of Read and/or Write activity has exceeded the predefined threshold for the particular server and one or more specified logical block address (LBA) range(s) of the particular storage device.
  - 7. A method as recited in claim 1, wherein the provided anomaly type is traffic pertaining to excessive login or control requests from the particular server in the SAN that have a frequency that exceeds a predefined threshold.
  - 8. A method as recited in claim 1, wherein the provided anomaly type is traffic that has an anomalous bandwidth usage by the particular server in the SAN that has exceeded a predefined threshold.
  - 9. A method as recited in claim 8, wherein the anomalous bandwidth usage corresponds to (i) data size per second and/or (ii) write or read (IO) operations per second.
  - 10. A method as recited in claim 2, wherein the provided anomaly type is a specified configuration change in the SAN that exceeds a predefined deviation level.
  - 11. A method as recited in claim 10, wherein the configuration change is selected from a group consisting of an I/O size change, a stripe unit size change, a change in the number of servers, a service policy change, a change in the number of ports of the storage device, a software change, and a change in a Read or Write flow sequence.
  - 12. A method as recited in claim 1, wherein the provided anomaly type is anomalous hardware behavior in the SAN.
  - 13. A method as recited in claim 12, wherein the anomalous hardware behavior includes an error report anomaly or a drop rate anomaly.
  - 14. A method as recited in claim 1, wherein the corresponding action includes logging and publishing the detected anomaly.
  - 15. A method as recited in claim 1, wherein the corresponding action includes enabling SPAN (switched port analyzer) in the particular storage device so that the detected anomaly is captured for off-line analysis by an analysis device.
  - 16. A method as recited in claim 1, wherein the corresponding action includes re-authenticating the particular server and the particular server is responsible or has caused the detected anomaly.
  - 17. A method as recited in claim 1, wherein the corresponding action includes disabling access for the particular server and such particular server is responsible or has caused the detected anomaly, wherein access by the particular server is disabled via an access control list (ACL) for the particular storage device.
  - 18. A method as recited in claim 1, wherein the corresponding action includes controlling the rate of the traffic on a link coupled to the particular storage device on which the anomaly is detected.
  - 19. A method as recited in claim 1, wherein the corresponding action includes shutting down a link coupled to the particular storage device on which the anomaly is detected.

20. An apparatus for detecting anomalies in a storage area network (SAN) comprising the apparatus, a plurality of servers, and a plurality of storage devices accessible by the plurality of servers, the apparatus comprising:
- one or more processors;
  
  one or more memory, wherein at least one of the processors and memory are adapted for;
  
  at the apparatus, providing an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the apparatus of the SAN and such received traffic pertains to a particular server of the SAN requesting that data be read to a particular storage device of the SAN or written to the particular storage device of the SAN, wherein the particular server of the SAN is logged into the particular storage device of the SAN;
  
  at the apparatus, monitoring traffic that is received by the network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the monitored traffic; and
  
  when the provided anomaly type is detected, performing the corresponding action.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 21. An apparatus as recited in claim 20, wherein the anomaly type and corresponding action are provided to the apparatus by a user.
  - 22. An apparatus as recited in claim 20, wherein the anomaly type is a Read or Write pattern anomaly for traffic sent between the particular server and the particular storage device in the SAN and wherein the Read or Write pattern anomaly indicates that a frequency of Read and/or Write activity has exceeded a predefined threshold for the particular server and the particular storage device in the SAN.
  - 23. An apparatus as recited in claim 22, wherein the Read or Write access pattern anomaly indicates that the frequency of Read and/or Write activity has exceeded the predefined threshold for the particular server and a particular one or more logical unit(s) (LUNs) of the particular storage device.
  - 24. An apparatus as recited in claim 23, wherein the Read or Write access pattern anomaly indicates that the frequency of Read and/or Write activity has exceeded the predefined threshold for the particular server and one or more specified logical block address (LBA) range(s) of the particular storage device.
  - 25. An apparatus as recited in claim 20, wherein the provided anomaly type is traffic pertaining to excessive login or control requests from the particular server in the SAN that have a frequency that exceeds a predefined threshold.
  - 26. An apparatus as recited in claim 20, wherein the provided anomaly type is traffic that has an anomalous bandwidth usage by the particular server in the SAN that has exceeded a predefined threshold.
  - 27. An apparatus as recited in claim 26, wherein the anomalous bandwidth usage corresponds to (i) data size per second and/or (ii) write or read (IO) operations per second.
  - 28. An apparatus as recited in claim 20, wherein the provided anomaly type is a specified configuration change in the SAN that exceeds a predefined deviation level.
  - 29. An apparatus as recited in claim 28, wherein the configuration change is selected from a group consisting of an I/0 size change, a stripe unit size change, a change in the number of servers, a service policy change, a change in the number of ports of the apparatus, a software change, and a change in a Read or Write flow sequence.
  - 30. An apparatus as recited in claim 20, wherein the provided anomaly type is anomalous hardware behavior in the SAN.
  - 31. An apparatus as recited in claim 30, wherein the anomalous hardware behavior includes an error report anomaly or a drop rate anomaly.
  - 32. An apparatus as recited in claim 20, wherein the corresponding action includes logging and publishing the detected anomaly.
  - 33. An apparatus as recited in claim 20, wherein the corresponding action include enabling SPAN (switched port analyzer) in the apparatus so that the detected anomaly is captured for off-line analysis by an analysis device.
  - 34. An apparatus as recited in claim 20, wherein the corresponding action includes re-authenticating the particular server and the particular server is responsible or has caused the detected anomaly.
  - 35. An apparatus as recited in claim 20, wherein the corresponding action includes disabling access for the particular server and such particular server is responsible or has caused the detected anomaly, wherein access by the particular server is disabled via an access control list (ACL) for the particular storage device.
  - 36. An apparatus as recited in claim 20, wherein the corresponding action includes controlling the rate of the traffic on a link coupled to the apparatus on which the anomaly is detected.
  - 37. An apparatus as recited in claim 20, wherein the corresponding action includes shutting down a link coupled to the apparatus on which the anomaly is detected.

38. An apparatus for detecting anomalies in a storage area network (SAN) comprising the apparatus, a plurality of servers, and a plurality of storage devices accessible by the plurality of servers, comprising:
- means for providing an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the apparatus of the SAN and such received traffic pertains to a particular server of the SAN requesting that data be read to a particular storage device of the SAN or written to the particular storage device of the SAN, wherein the particular server of the SAN is logged into the particular storage device of the SAN;
  
  means for monitoring traffic that is received by the network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the monitored traffic; and
  
  means for performing the corresponding action when the provided anomaly type is detected.

39. A storage area network (SAN) system for detecting anomalies, comprising:
- a plurality of network devices; and
  
  a plurality of storage devices which are each accessible by one or more servers through at least one of the network devices,wherein at least a first one of the network devices of the SAN network is operable to;
  
  provide an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the first network device and such received traffic pertains to a particular server of the SAN network accessing or initiating access with a particular storage device of the SAN, wherein accessing and initiating access each include the particular server logging into the particular storage device of the SAN;
  
  examine traffic that is received by in the first network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the examined traffic; and
  
  when the provided anomaly type is detected, performing the corresponding action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bhandari, Rajesh, Rastogi, Gaurav, Sharma, Samar, Maino, Fabio
Primary Examiner(s)
Beausoliel; Robert
Assistant Examiner(s)
Lottich; Joshua P

Application Number

US11/316,026
Publication Number

US 20070143552A1
Time in Patent Office

1,721 Days
Field of Search

714/4, 714/5, 714/47, 726/22
US Class Current

714/4.1
CPC Class Codes

G06F 11/3409   for performance assessment

H04L 63/101   Access control lists [ACL]

H04L 63/1458   Denial of Service

H04L 67/1097   for distributed storage of ...

Anomaly detection for storage traffic in a data center

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly detection for storage traffic in a data center

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links