System and method for managing computer networks

US 8,667,047 B2
Filed: 03/21/2008
Issued: 03/04/2014
Est. Priority Date: 11/21/2002
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring traffic in a computer network comprising acts of:

receiving, by an interface of a flow capture device coupled to the computer network via the network interface, flow information related to network traffic of a plurality of hosts in the computer network;

determining, by a flow controller device, similarity between the plurality of hosts in the computer network based on the flow information;

calculating similarity values representing the similarity between the plurality of hosts;

arranging the hosts into hierarchical clusters based on the similarity values, comprising arranging each of a plurality of entities in a separate cluster and merging the two most similar clusters into a single cluster;

selecting at least two of the hierarchical clusters as groups; and

creating, by a policy engine, a network access policy for the plurality of hosts in the network based on the flow information, wherein the act of creating a network access policy for the plurality of hosts is performed automatically, and wherein the network access policy is defined at a group level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for monitoring traffic in an enterprise network. Similar hosts may be grouped using flow information. Network policy may then be created at the group level based on the signatures of the hosts and groups of hosts in the enterprise. Hosts may be arranged in hierarchical clusters. Some of these clusters may be selected as groups based on a desired degree of similarity between hosts in a group. The similarity between hosts may be determined based on similarity of network behavior of the hosts.

Citations

24 Claims

1. A method for monitoring traffic in a computer network comprising acts of:
- receiving, by an interface of a flow capture device coupled to the computer network via the network interface, flow information related to network traffic of a plurality of hosts in the computer network;
  
  determining, by a flow controller device, similarity between the plurality of hosts in the computer network based on the flow information;
  
  calculating similarity values representing the similarity between the plurality of hosts;
  
  arranging the hosts into hierarchical clusters based on the similarity values, comprising arranging each of a plurality of entities in a separate cluster and merging the two most similar clusters into a single cluster;
  
  selecting at least two of the hierarchical clusters as groups; and
  
  creating, by a policy engine, a network access policy for the plurality of hosts in the network based on the flow information, wherein the act of creating a network access policy for the plurality of hosts is performed automatically, and wherein the network access policy is defined at a group level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising an act of:
    - arranging the plurality of hosts into a plurality of groups based on the similarity between the plurality of hosts.
  - 3. The method of claim 2, wherein the act of arranging the plurality of hosts into a plurality of groups is performed automatically.
  - 4. The method of claim 2, further comprising an act of:
    - creating the network access policy for the plurality of groups of hosts based on the flow information.
  - 5. The method of claim 4, wherein the act of creating the network access policy for the plurality of groups is performed automatically.
  - 6. The method of claim 1, wherein the act of determining similarity further comprises modifying the flow information according to a predetermined set of rules.
  - 7. The method of claim 1, wherein the act of creating network access policy for the plurality of hosts further comprises an act of determining a baseline of network traffic for the plurality of hosts based on the flow information relating to the plurality of hosts in the group.
  - 8. The method of claim 7, further comprising an act of manually altering the baseline.
  - 9. The method of claim 7, further comprising an act of monitoring network traffic relating to the plurality of hosts for at least one deviation from the baseline.
  - 10. The method of claim 9, further comprising an act of providing at least one alert if a deviation from the baseline is detected.

11. A system for monitoring traffic in a computer network comprising:
- at least one flow capture device configured to create flow information based on network traffic of a plurality of hosts in the computer network wherein the at least one flow capture device comprises;
  
  a network interface device coupled to the computer network, the network interface device configured to receive data from the network; and
  
  a packet analyzer and flow generation engine configured to receive network traffic from the network interface and generate flow information based on the network traffic;
  
  a flow controller device configured to determine similarity between the plurality of hosts in the computer network based on the flow information, and further configured to;
  
  calculate similarity values representing the similarity between the plurality of hosts;
  
  arrange the plurality of hosts into hierarchical clusters based on the similarity values, comprising arranging each of a plurality of entities in a separate cluster and merging the two most similar clusters into a single cluster; and
  
  select at least some of the hierarchical clusters as groups; and
  
  a policy management engine configured to automatically create and manage network access policy for the plurality of hosts based on the generated flow information, wherein the policy management engine is configured to define access information for the network access policy at a group level;
  
  wherein the packet analyzer and flow generation engine and the policy management engine are implemented in software.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 12. The system of claim 11, further comprising an interface processor configured to provide an interface between a user and the packet analyzer and flow generation engine.
  - 13. The system of claim 12, wherein the interface processor is configured to provide the user with remote access to the packet analyzer and flow generation engine.
  - 14. The system of claim 13, wherein the remote access includes world wide web (WWW) access.
  - 15. The system of claim 13, wherein the remote access includes simple network management protocol (SNMP) access.
  - 16. The system of claim 13, wherein the packet analyzer and flow generation engine is configured to export the flow information to the flow controller.
  - 17. The system of claim 11, wherein the flow controller comprises a network interface configured to receive data from the network;
    - and an aggregation engine configured to collect flows received from the at least one flow capture device.
  - 18. The system of claim 17, wherein the flow controller further comprises a database management system configured to store the flow received from the at least one flow capture device.
  - 19. The system of claim 17, wherein the flow controller further comprises a signature generation engine configured to receive the flow information from the aggregation engine and generate signatures based on the flow information.
  - 20. The system of claim 19, wherein the flow controller further comprises a grouping engine configured to receive the signatures from the signature generation engine and determine similarity between the plurality of hosts.
  - 21. The system of claim 11, the policy management engine is further configured to create and manage network access policy based on a similarity between the plurality of hosts.
  - 22. The system of claim 11, further comprising an interface processor configured to provide an interface between a user and the flow controller.
  - 23. The system of claim 12, wherein the interface processor is configured to provide the user with remote access to the flow controller.
  - 24. The system of claim 23, wherein the remote access includes world wide web (WWW) access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Song, Douglas J., Fleis, Lawrence Benjamin, Dysart, Aidan Christopher, Malan, Gerald R., Jackson, Eric S.
Primary Examiner(s)
Joo, Joshua

Application Number

US12/053,111
Publication Number

US 20080294770A1
Time in Patent Office

2,174 Days
Field of Search

709220-226, 709/200
US Class Current

709/200
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/142   using statistical or mathem...

H04L 43/026   using flow identification

Y02D 30/50   in wire-line communication ...

System and method for managing computer networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing computer networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links