Behavior-based traffic profiling based on access control information

US 8,955,119 B2
Filed: 09/05/2013
Issued: 02/10/2015
Est. Priority Date: 04/03/2009
Status: Active Grant

First Claim

Patent Images

1. A device comprising:

one or more processors to;

obtain, from a security device, traffic flow information associated with a user accessing a resource via a network,the traffic flow information being generated based on monitoring network traffic associated with the user accessing the resource, andthe traffic flow information including information indicating a user role associated with the user and information identifying a source address and a destination address associated with the user accessing the resource;

determine, based on the information identifying the source address and the destination address, a user device and a destination device associated with the user accessing the resource;

determine whether a traffic behavior pattern, associated with the user role, exists;

when the traffic behavior pattern exists, the one or more processors are to;

update the traffic behavior pattern based on the traffic flow information, the user device, and the destination device to form an updated traffic behavior pattern;

when the traffic behavior pattern does not exist, the one or more processors are to;

determine, based on the traffic flow information, a quantity of sessions associated with the user accessing the resource is greater than a threshold quantity of sessions;

generate, based on the quantity of sessions being greater than the threshold quantity of sessions, the traffic behavior pattern based on the traffic flow information and information associated with the user device and the destination device; and

provide one of the updated traffic behavior pattern or the generated traffic behavior pattern to the security device,the one of the updated traffic behavior pattern or the created traffic behavior pattern permitting the security device to control access, by the user, to the resource.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.

Citations

20 Claims

1. A device comprising:
- one or more processors to;
  
  obtain, from a security device, traffic flow information associated with a user accessing a resource via a network,the traffic flow information being generated based on monitoring network traffic associated with the user accessing the resource, andthe traffic flow information including information indicating a user role associated with the user and information identifying a source address and a destination address associated with the user accessing the resource;
  
  determine, based on the information identifying the source address and the destination address, a user device and a destination device associated with the user accessing the resource;
  
  determine whether a traffic behavior pattern, associated with the user role, exists;
  
  when the traffic behavior pattern exists, the one or more processors are to;
  
  update the traffic behavior pattern based on the traffic flow information, the user device, and the destination device to form an updated traffic behavior pattern;
  
  when the traffic behavior pattern does not exist, the one or more processors are to;
  
  determine, based on the traffic flow information, a quantity of sessions associated with the user accessing the resource is greater than a threshold quantity of sessions;
  
  generate, based on the quantity of sessions being greater than the threshold quantity of sessions, the traffic behavior pattern based on the traffic flow information and information associated with the user device and the destination device; and
  
  provide one of the updated traffic behavior pattern or the generated traffic behavior pattern to the security device,the one of the updated traffic behavior pattern or the created traffic behavior pattern permitting the security device to control access, by the user, to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, where the one or more processors are further to:
    - receive user information from the user device;
      
      grant the user device access to the network based on the user information; and
      
      provide the user information to the security device to cause the security device to monitor the network traffic.
  - 3. The device of claim 1, where the traffic flow information includes information identifying a quantity of data included in one or more traffic flows associated with the user accessing the resource;
    - where the one or more processors are to;
      
      determine, based on the quantity of data included in the one or more traffic flows, a volume of traffic per session associated with the user accessing the resource;
      
      where, when updating the traffic behavior pattern, the one or more processors are to;
      
      update the traffic flow pattern based on the volume of traffic per session associated with the user accessing the resource; and
      
      where, when generating the traffic behavior pattern, the one or more processors are to;
      
      generate the traffic flow pattern based on the volume of traffic per session associated with the user accessing the resource.
  - 4. The device of claim 1, where the one or more processors are to:
    - determine, based on the traffic flow information, a type of service accessed by the user, anddetermine, based on the type of service accessed by the user, one or more services associated with the user role;
      
      where, when updating the traffic behavior pattern, the one or more processors are to;
      
      update the traffic behavior pattern based on the one or more services associated with the user role; and
      
      where, when generating the traffic behavior pattern, the one or more processors are to;
      
      generate the traffic behavior pattern based on the one or more services associated with the user role.
  - 5. The device of claim 1, where the user role includes one or more of:
    - a user role associated with a job title associated with the user, ora user role associated with an access level associated with the user.
  - 6. The device of claim 1, where, when the traffic pattern does not exist, the one or more processors are further to:
    - associate the generated traffic behavior pattern with one or more of;
      
      the user role,information provided by the user to access the network, orinformation identifying the user.
  - 7. The device of claim 1, where the one of the updated traffic behavior pattern or the generated traffic behavior pattern is compared to the traffic flow information to determine whether to perform a security response associated with the user accessing the resource.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  obtain, from a security device, traffic flow information associated with a user accessing a resource via a network,the traffic flow information being generated based on monitoring network traffic associated with the user accessing the resource, andthe traffic flow information including information indicating a user role associated with the user and information identifying a source address and a destination address associated with the user accessing the resource;
  
  determine, based on the information identifying the source address and the destination address, a user device and a destination device associated with the user accessing the resource;
  
  determine whether a traffic pattern, associated with the user role, exists;
  
  update, when the traffic pattern exists, the traffic pattern based on the traffic flow information, the user device, and the destination device;
  
  when the traffic pattern does not exist;
  
  determine, based on the traffic flow information, that a quantity of sessions associated with the user accessing the resource is greater than a threshold quantity of sessions;
  
  generate, based on the quantity of sessions being greater than the threshold quantity of sessions, the traffic pattern based on the traffic flow information and information associated with the user device and the destination device; and
  
  provide one of the updated traffic pattern or the generated traffic pattern to the security device,the one of the updated traffic pattern or the generated traffic pattern permitting the security device to control access, by the user, to the resource.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, where the instructions further comprise:
    - one or more instructions that, when executed by the one or more processors, cause the one or more processors to;
      
      receive user information from the user device;
      
      grant the user device access to the network based on the user information; and
      
      provide the user information to the security device to cause the security device to monitor the network traffic.
  - 10. The non-transitory computer-readable medium of claim 8, where the traffic flow information includes information identifying a quantity of data included in one or more traffic flows associated with the user accessing the resource;
    - where the instructions further comprise;
      
      one or more instructions that, when executed by the one or more processors, cause the one or more processors to determine, based on the quantity of data included in the one or more traffic flows, a volume of traffic per session associated with the user accessing the resource;
      
      where the one or more instructions to update the traffic behavior pattern include;
      
      one or more instructions that, when executed by the one or more processors, cause the one or more processors to update the traffic flow pattern based on the volume of traffic per session associated with the user accessing the resource; and
      
      where the one or more instructions to generate the traffic behavior pattern include;
      
      one or more instructions that, when executed by the one or more processors, cause the one or more processors to generate the traffic flow pattern based on the volume of traffic per session associated with the user accessing the resource.
  - 11. The non-transitory computer-readable medium of claim 8, where the instructions further comprise:
    - one or more instructions that, when executed by the one or more processors, cause the one or more processors to;
      
      determine, based on the traffic flow information, a type of service accessed by the user, anddetermine, based on the type of service accessed by the user, one or more services associated with the user role;
      
      where the one or more instructions to update the traffic pattern include;
      
      one or more instructions that, when executed by the one or more processors, cause the one or more processors to update the traffic pattern based on the one or more services associated with the user role; and
      
      where the one or more instructions to generate the traffic pattern include;
      
      one or more instructions that, when executed by the one or more processors, cause the one or more processors to generate the traffic pattern based on the one or more services associated with the user role.
  - 12. The non-transitory computer-readable medium of claim 8, where the user role includes one or more of:
    - a user role associated with a job title associated with the user, ora user role associated with an access level associated with the user.
  - 13. The non-transitory computer-readable medium of claim 8, where the traffic pattern corresponds to a history of traffic behavior associated with one or more of the user or the user role.
  - 14. The non-transitory computer-readable medium of claim 8, where, when the traffic pattern does not exist, the instructions further comprise:
    - one or more instructions that, when executed by the one or more processors, cause the one or more processors to associate the generated traffic behavior pattern with one or more of;
      
      the user role,information provided by the user to access the network, orinformation identifying the user.

15. A method comprising:
- obtaining, by a network device and from a security device, traffic flow information associated with a user accessing a resource via a network,the traffic flow information being generated based on monitoring network traffic associated with the user accessing the resource, andthe traffic flow information including information indicating a user role associated with the user and information identifying a source address and a destination address associated with the user accessing the resource;
  
  determining, by the network device and based on the information identifying the source address and the destination address, a user device and a destination device associated with the user accessing the resource;
  
  determining, by the network device, whether a traffic behavior pattern, associated with the user role, exists;
  
  updating, by the network device and when the traffic behavior pattern exists, the traffic behavior pattern based on the traffic flow information, the user device, and the destination device to form an updated traffic behavior pattern;
  
  when the traffic behavior pattern does not exist;
  
  determining, by the network device and based on the traffic flow information, that a quantity of sessions associated with the user accessing the resource is greater than a threshold quantity of sessions; and
  
  generating, by the network device and based on the quantity of sessions being greater than the threshold quantity of sessions, the traffic behavior pattern based on the traffic flow information and information associated with the user device and the destination device; and
  
  providing, by the network device, one of the updated traffic behavior pattern or the generated traffic behavior pattern to a security device,the one of the updated traffic behavior pattern or the generated traffic behavior pattern permitting the security device to control access, by the user, to the resource.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - receiving user information from the user device;
      
      granting the user device access to the network based on the user information; and
      
      providing the user information to the security device to cause the security device to monitor the network traffic.
  - 17. The method of claim 15, where the traffic flow information includes information identifying a quantity of data included in one or more traffic flows associated with the user accessing the resource, the method further comprising:
    - determining, based on the quantity of data included in the one or more traffic flows, a volume of traffic per session associated with the user accessing the resource;
      
      where updating the traffic behavior pattern includes;
      
      updating the traffic flow pattern based on the volume of traffic per session associated with the user accessing the resource; and
      
      where generating the traffic behavior pattern includes;
      
      generating the traffic flow pattern based on the volume of traffic per session associated with the user accessing the resource.
  - 18. The method of claim 15, further comprising:
    - determining, based on the traffic flow information, a type of service accessed by the user, anddetermining, based on the type of service accessed by the user, one or more services associated with the user role;
      
      where updating the traffic behavior pattern includes;
      
      updating the traffic behavior pattern based on the one or more services associated with the user role; and
      
      where generating the traffic behavior pattern includes;
      
      generating the traffic behavior pattern based on the one or more services associated with the user role.
  - 19. The method of claim 15, where the one of the updated traffic behavior pattern or the generated traffic behavior pattern is compared to the traffic flow information to determine whether to perform a security response associated with the user accessing the resource.
  - 20. The method of claim 15, further comprising:
    - associating, when the traffic pattern does not exist, the generated traffic behavior pattern with one or more of;
      
      the user role,information provided by the user to access the network, orinformation identifying the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zhao, Ye
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US14/019,101
Publication Number

US 20140007202A1
Time in Patent Office

523 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/125   involving control of end-de...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

Behavior-based traffic profiling based on access control information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Behavior-based traffic profiling based on access control information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links