Incremental application of resources to network traffic flows based on heuristics and business policies

US 9,088,508 B1
Filed: 04/11/2014
Issued: 07/21/2015
Est. Priority Date: 04/11/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of inspecting network traffic, comprising:

determining that a traffic flow satisfies a first condition;

transmitting a first portion of the traffic flow to a network service based on the determining the traffic flow satisfies the first condition;

inspecting, at the network service, the first portion of the traffic flow at a first level of detail based on the first condition;

determining, based on the inspecting, that the traffic flow satisfies a second condition;

transmitting a second portion of the traffic flow to the network service based on the determining the traffic flow satisfies the second condition;

inspecting, at the network service, the second portion of the traffic flow at a second level of detail, wherein the inspecting at the second level of detail requires a different amount of computing resources than the inspecting at the first level of detailwherein the second portion of the traffic flow comprises a larger amount of information than the first portion of the traffic flow.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are system, method, and computer program product embodiments for increasingly applying network resources to traffic flows based on heuristics and policy conditions. A network determines that a traffic flow satisfies a first condition and transmits a first portion of the traffic flow to a network service. A network service then inspects the first portion of the traffic flow at a first level of detail and determines that the traffic flow satisfies a second condition. The network can then transmit a second portion of the traffic flow to the network service based on the determining the traffic flow satisfies the second condition. The network service can inspect the second portion of the traffic flow at a second level of detail, wherein the inspecting at the second level of detail requires a different amount of computing resources than the inspecting at the first level of detail.

41 Citations

View as Search Results

19 Claims

1. A computer-implemented method of inspecting network traffic, comprising:
- determining that a traffic flow satisfies a first condition;
  
  transmitting a first portion of the traffic flow to a network service based on the determining the traffic flow satisfies the first condition;
  
  inspecting, at the network service, the first portion of the traffic flow at a first level of detail based on the first condition;
  
  determining, based on the inspecting, that the traffic flow satisfies a second condition;
  
  transmitting a second portion of the traffic flow to the network service based on the determining the traffic flow satisfies the second condition;
  
  inspecting, at the network service, the second portion of the traffic flow at a second level of detail, wherein the inspecting at the second level of detail requires a different amount of computing resources than the inspecting at the first level of detailwherein the second portion of the traffic flow comprises a larger amount of information than the first portion of the traffic flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - wherein the first condition comprises one of a heuristic, a policy associated with the traffic flow, or an event of interest.
  - 3. The method of claim 1, further comprising:
    - wherein the second condition comprises one of a heuristic, a policy associated with the traffic flow, or an event of interest.
  - 4. The method of claim 1, wherein a first portion of a traffic flow comprises a random sample of packets.
  - 5. The method of claim 1, further comprising:
    - transmitting a third portion of the traffic flow to the network service based on the inspecting the traffic flow at the second level of detail;
      
      inspecting, at the network service, the third portion of the traffic flow at a third level of detail.
  - 6. The method of claim 1, further comprising:
    - determining that the traffic flow no longer satisfies the second condition; and
      
      when the traffic flow is determined to no longer satisfy the second condition, inspecting, at the network service, a third portion of the traffic flow at the first level of detail.
  - 7. The method of claim 1, wherein the inspecting the second portion of the traffic flow at a second level of detail comprises performing an intrusion detection analysis.
  - 8. The method of claim 1, wherein the first condition comprises a parameter associated with the traffic flow and a level of security desired for the traffic flow.

9. A system comprising:
- an analytics module configured to determine that a traffic flow satisfies a first condition;
  
  a controller configured to configure one or more routers to;
  
  transmit a first portion of the traffic flow to a network service based on the determining the traffic flow satisfies the first condition;
  
  a network service configured to;
  
  inspect the first portion of the traffic flow at a first level of detail based on the first condition; and
  
  determine, based on the inspecting, that the traffic flow satisfies a second condition;
  
  wherein the controller is further configured to configure one or more routers to transmit a second portion of the traffic flow to the network service based on the determining the traffic flow satisfies the second condition,wherein the network service is further configured to inspect the second portion of the traffic flow at a second level of detail, wherein the inspecting at the second level of detail requires a different amount of computing resources than the inspecting at the first level of detail, andwherein the second portion of the traffic flow comprises a larger amount of information than the first portion of the traffic flow.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - wherein the first condition comprises one of a heuristic, a policy associated with the traffic flow, or an event of interest.
  - 11. The system of claim 9, further comprising:
    - wherein the second condition comprises one of a heuristic, a policy associated with the traffic flow, or an event of interest.
  - 12. The system of claim 9, wherein a first portion of a traffic flow comprises a random sample of packets.
  - 13. The system of claim 9, further comprising:
    - transmitting a third portion of the traffic flow to the network service based on the inspecting the traffic flow at the second level of detail;
      
      inspecting, at the network service, the third portion of the traffic flow at a third level of detail.
  - 14. The system of claim 9, wherein the inspecting the second portion of the traffic flow at a second level of detail comprises performing an intrusion detection analysis.
  - 15. The system of claim 9, wherein the first condition comprises a parameter associated with the traffic flow and a level of security desired for the traffic flow.
  - 16. The system of claim 9, wherein the network service is configured to determine that the traffic flow no longer satisfies the second condition, and when the traffic flow is determined to no longer satisfy the second condition, inspect, at the network service, a third portion of the traffic flow at the first level of detail.

17. A non-transitory computer-readable medium having instructions stored thereon that, when executed by at least one computing device, causes the at least one computing device to perform operations comprising:
- determining that a traffic flow satisfies a first condition;
  
  transmitting a first portion of the traffic flow to a network service based on the determining the traffic flow satisfies the first condition;
  
  inspecting, at the network service, the first portion of the traffic flow at a first level of detail based on the first condition;
  
  determining, based on the inspecting, that the traffic flow satisfies a second condition;
  
  transmitting a second portion of the traffic flow to the network service based on the determining the traffic flow satisfies the second condition;
  
  inspecting, at the network service, the second portion of the traffic flow at a second level of detail, wherein the inspecting at the second level of detail requires a different amount of computing resources than the inspecting at the first level of detail,wherein the second portion of the traffic flow comprises a larger amount of information than the first portion of the traffic flow.
- View Dependent Claims (18, 19)
- - 18. The computer-readable medium of claim 17, further comprising:
    - wherein the first condition comprises one of a heuristic, a policy associated with the traffic flow, or an event of interest.
  - 19. The computer-readable medium of claim 17, further comprising:
    - wherein the second condition comprises one of a heuristic, a policy associated with the traffic flow, or an event of interest.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Level 3 Communications LLC (Lumen Technologies, Inc.)
Original Assignee
Level 3 Communications LLC (Lumen Technologies, Inc.)
Inventors
Caputo, Pete Joseph II, Sella, William Thomas
Primary Examiner(s)
Chu, Wutchung

Application Number

US14/251,049
Time in Patent Office

466 Days
Field of Search

370229-253, 709223-225, 726 22- 23, 726/11, 726/13, 726/24
US Class Current

1/1
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 43/18   Protocol analysers

H04L 45/22   Alternate routing

H04L 45/243   using M+N parallel active p...

H04L 45/30   Routing of multiclass traffic

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 47/24   Traffic characterised by sp...

H04L 47/2441   relying on flow classificat...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 69/22   Parsing or analysis of headers

Incremental application of resources to network traffic flows based on heuristics and business policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Incremental application of resources to network traffic flows based on heuristics and business policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links