Systems and methods for relating network traffic using traffic-based signatures

US 7,881,255 B1
Filed: 04/05/2010
Issued: 02/01/2011
Est. Priority Date: 09/29/2004
Status: Active Grant

First Claim

Patent Images

1. A method performed by one or more server devices, comprising:

receiving, via at least one server device of the one or more server devices, attributes associated with network traffic logged at a plurality of network nodes;

generating, via at least one server device of the one or more server devices, traffic signatures using the received attributes;

determining, via at least one server device of the one or more server devices, relationships between the plurality of network nodes or among the network traffic using the generated traffic signatures, where determining the relationships includes;

clustering the generated traffic signatures to determine the relationships between the plurality of network nodes or among the network traffic, anddetermining clusters of the plurality of network nodes that are related using the clustered traffic signatures, where determining the clusters includes determining, based on the relationships, one or more of the plurality of network nodes that receive traffic from a common source;

determining, via at least one server device of the one or more server devices, a common traffic value comprising a number of times the common source visited a document stored at one of the plurality of network nodes; and

storing, via at least one server device of the one or more server devices, the common traffic value.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes multiple logging units, an aggregating unit, and an evaluation unit. The logging unit logs traffic attributes associated with network traffic received at multiple network nodes and generates traffic signatures using the received attributes. The aggregating unit aggregates the traffic signatures generated at the multiple logging units. The evaluating unit determines relationships among the network traffic or between the plurality of network nodes using the aggregated traffic signatures.

24 Citations

25 Claims

1. A method performed by one or more server devices, comprising:
- receiving, via at least one server device of the one or more server devices, attributes associated with network traffic logged at a plurality of network nodes;
  
  generating, via at least one server device of the one or more server devices, traffic signatures using the received attributes;
  
  determining, via at least one server device of the one or more server devices, relationships between the plurality of network nodes or among the network traffic using the generated traffic signatures, where determining the relationships includes;
  
  clustering the generated traffic signatures to determine the relationships between the plurality of network nodes or among the network traffic, anddetermining clusters of the plurality of network nodes that are related using the clustered traffic signatures, where determining the clusters includes determining, based on the relationships, one or more of the plurality of network nodes that receive traffic from a common source;
  
  determining, via at least one server device of the one or more server devices, a common traffic value comprising a number of times the common source visited a document stored at one of the plurality of network nodes; and
  
  storing, via at least one server device of the one or more server devices, the common traffic value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, where each of the attributes comprises a network address associated with the respective user.
  - 3. The method of claim 1, where each network address comprises an Internet Protocol (IP) address.
  - 4. The method of claim 1, where each of the attributes further comprises a country of origin associated with the network traffic.
  - 5. The method of claim 1, where each of the attributes comprises an identifier that corresponds to a respective user transmitting traffic of the network traffic.
  - 6. The method of claim 5, where the identifier originates from a browser application implemented at a client from which the respective user transmits the traffic.
  - 7. The method of claim 5, where the identifier corresponds to a signature associated with a browser application implemented at a client from which the respective user transmits the traffic.
  - 8. The method of claim 1, where determining the relationships comprises:
    - using transitive closure to determine one or more of the plurality of network nodes that receive traffic from a given network address.
  - 9. The method of claim 1, further comprising:
    - receiving traffic values, corresponding to each received attribute, associated with the network traffic logged at the plurality of network nodes, where the common traffic value is based on the received traffic values.
  - 10. The method of claim 9, where the attributes comprise network addresses associated with each user transmitting traffic of the network traffic, and where the traffic values comprise a number of times a respective user accesses a document stored at a respective one of the plurality of network nodes.
  - 11. The method of claim 1, where clustering the generated traffic signatures comprises:
    - determining clusters of the plurality of network nodes that receive similar traffic using the traffic signatures.
  - 12. The method of claim 1, where determining the relationships comprises:
    - determining sizes of audiences associated with content stored at each of the plurality of network nodes using the traffic signatures.
  - 13. The method of claim 1, where determining the relationships comprises:
    - determining sources of illicit traffic using the traffic signatures.

14. A system, comprising:
- a plurality of logging units to;
  
  log traffic attributes associated with network traffic received at a plurality of network nodes, andgenerate traffic signatures using the received attributes;
  
  an aggregating unit to aggregate the traffic signatures generated at the plurality of logging units; and
  
  an evaluation unit to determine relationships between the plurality of network nodes or among the network traffic using the aggregated traffic signatures, where the evaluation unit, when determining the relationships, is further to;
  
  cluster the generated traffic signatures to determine the relationships between the plurality of network nodes or among the network traffic, anddetermine clusters of the plurality of network nodes that are related using the clustered traffic signatures,where the evaluation unit, when determining the clusters, is further to determine, based on the relationships, one or more of the plurality of network nodes that receive traffic from a common source.
- View Dependent Claims (15)
- - 15. The system of claim 14, where the traffic signatures comprise network addresses associated with each user transmitting traffic of the network traffic and a number of times a respective user accessed a document stored at a respective one of the plurality of network nodes.

16. A method, comprising:
- receiving, via at least one server device of one or more server devices, traffic signatures, where the traffic signatures comprise network addresses associated with clients that have accessed documents stored at a plurality of network nodes and a number of times each respective client accessed the documents; and
  
  determining, via at least one server device of the one or more server devices, relationships between the plurality of network nodes or among the network traffic using the received traffic signatures, where determining the relationships includes;
  
  clustering the traffic signatures to determine the relationships between the plurality of network nodes or among the network traffic, anddetermining clusters of the plurality of network nodes that are related using the clustered traffic signatures, where determining the clusters includes determining, based on the relationships, one or more of the plurality of network nodes that receive traffic from a common source.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, where determining the relationships comprises:
    - using transitive closure to determine one or more of the plurality of network nodes that receive traffic from a given network address.
  - 18. The method of claim 16, where clustering comprises:
    - determining clusters of the plurality of network nodes that receive similar traffic using the traffic signatures.
  - 19. The method of claim 16, where determining the relationships comprises:
    - determining sizes of audiences associated with content stored at each of the plurality of network nodes using the traffic signatures.
  - 20. The method of claim 16, where determining the relationships comprises:
    - determining sources of illicit traffic using the traffic signatures.

21. One or more memory devices containing instructions to control at least one processor in one or more computer devices to perform a method, the method comprising:
- receiving traffic signatures, where the traffic signatures comprise network addresses associated with clients that have accessed documents stored at a plurality of network nodes and a number of times each respective client accessed the documents; and
  
  determining relationships between the plurality of network nodes using the received traffic signatures, where determining the relationships includes;
  
  clustering the traffic signatures to determine the relationships between the plurality of network nodes or among the network traffic, anddetermining clusters of the plurality of network nodes that are related using the clustered traffic signatures, where determining the clusters includes determining, based on the relationships, one or more of the plurality of network nodes that receive traffic from a common source.
- View Dependent Claims (22, 23, 24)
- - 22. The one or more memory devices of claim 21, where each of the network addresses comprises an Internet Protocol (IP) address.
  - 23. The method of claim 22, where clustering the generated traffic signatures comprises:
    - determining clusters of the plurality of network nodes that receive similar traffic using the traffic signatures.
  - 24. The one or more memory devices of claim 21, where clustering the generated traffic signatures comprises:
    - determining clusters of the plurality of network nodes that receive similar traffic using the traffic signatures.

25. A method, comprising:
- receiving, via at least one server device of one or more server devices, Internet Protocol (IP) addresses associated with network traffic received at a plurality of network nodes, where the network traffic is associated with attempts by users to access documents stored at the plurality of network nodes;
  
  receiving, via at least one server device of the one or more server devices, traffic values that comprise a number of times respective users have attempted to access respective one of the documents stored at the plurality of network nodes;
  
  generating, via at least one server device of the one or more server devices, traffic signatures using the received IP addresses and traffic values;
  
  clustering, via the at least one server device, the generated traffic signatures to determine relationships between the plurality of network nodes or among the network traffic; and
  
  determining clusters of the plurality of network nodes that are related using the traffic signatures, where determining the clusters includes determining, based on the relationships, one or more of the plurality of network nodes that receive traffic from a common source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Mudunuri, Sasank, Bennett, Victor
Primary Examiner(s)
Moe; Aung S
Assistant Examiner(s)
ELLIOTT IV, BENJAMIN H

Application Number

US12/754,171
Time in Patent Office

302 Days
Field of Search

370/310, 370/328, 370/389, 370/395.3, 370/423, 709201-203, 726 1- 3, 726 6- 8
US Class Current

370/328
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 63/1425   Traffic logging, e.g. anoma...

Y02D 30/50   in wire-line communication ...

Systems and methods for relating network traffic using traffic-based signatures

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for relating network traffic using traffic-based signatures

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links