Methods and apparatus for tracking data flow based on flow state values

US 9,264,321 B2
Filed: 12/23/2009
Issued: 02/16/2016
Est. Priority Date: 12/23/2009
Status: Active Grant

First Claim

Patent Images

1. A processor-readable non-transitory medium storing code representing instructions that when executed by a processor cause the processor to:

update, at a memory location, a first flow state value associated with a data flow to a second flow state value when at least one of a packet from the data flow is received or the memory location is selected after a first time period from a series of time periods has expired,the update of the first flow state value is based on a progression through a series of flow state values including the first flow state value and the second flow state value, each flow state value from the series of flow state values being associated with a time period from the series of time periods, the series of the time periods including a second time period different from the first time period, and the first time period being the time period from the series of time periods associated with the first flow state value,the first flow state value is incremented to the second flow state value when (1) the packet is received, (2) the memory location of the first flow state value is identified based on an index value of the packet, and (3) when the first flow state value is less than the second flow state value, the first flow state value is decremented within the series of flow state values after the first time period has expired, the first flow state value being a numerical count of a number of data packets that have been transmitted in connection to the data flow; and

analyze at least a portion of the packet when the second flow state value represents a flow rate of a network data flow anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a processor-readable medium storing code representing instructions that when executed by a processor cause the processor to update, at a memory location, a first flow state value associated with a data flow to a second flow state value when at least one of a packet from the data flow is received or the memory location is selected after a time period has expired. At least a portion of the packet is analyzed when the second flow state value represents a flow rate of a network data flow anomaly.

130 Citations

18 Claims

1. A processor-readable non-transitory medium storing code representing instructions that when executed by a processor cause the processor to:
- update, at a memory location, a first flow state value associated with a data flow to a second flow state value when at least one of a packet from the data flow is received or the memory location is selected after a first time period from a series of time periods has expired,the update of the first flow state value is based on a progression through a series of flow state values including the first flow state value and the second flow state value, each flow state value from the series of flow state values being associated with a time period from the series of time periods, the series of the time periods including a second time period different from the first time period, and the first time period being the time period from the series of time periods associated with the first flow state value,the first flow state value is incremented to the second flow state value when (1) the packet is received, (2) the memory location of the first flow state value is identified based on an index value of the packet, and (3) when the first flow state value is less than the second flow state value, the first flow state value is decremented within the series of flow state values after the first time period has expired, the first flow state value being a numerical count of a number of data packets that have been transmitted in connection to the data flow; and
  
  analyze at least a portion of the packet when the second flow state value represents a flow rate of a network data flow anomaly.
- View Dependent Claims (2, 3, 4, 12, 15)
- - 2. The processor-readable medium of claim 1, wherein the memory location is within a memory, the first time period corresponds with a processing cycle time period associated with a plurality of flow state values stored in the memory and including the first flow state value and second flow state value.
  - 3. The processor-readable medium of claim 2, wherein the processing cycle time period is defined, at least in part, by a number of the plurality of flow state values stored in the memory and including the first flow state value and the second flow state value.
  - 4. The processor-readable medium of claim 1, wherein the first time period has a duration defined such that the second flow state value represents the flow rate of the network data flow anomaly when a specified number of packets from the data flow are received during the first time period.
  - 12. The processor-readable medium of claim 1, wherein each flow state value from the series of flow state values is used to track at least one of a number of unsuccessful network connection attempts and a number of successful network connection attempts.
  - 15. The processor-readable medium of claim 1, wherein updating the first flow state value in the second direction includes decrementing the first flow state value to the second flow state value if the first flow state value is larger than the second flow state value.

5. An apparatus, comprising:
- a memory configured to store a flow state value at a memory location, the flow state value being a numerical count of a number of data packets that have been transmitted in connection to a data flow;
  
  a flow state advancement module configured to change the flow state value in response to an index value representing the memory location being defined at the flow state advancement module based on at least a portion of a packet, the flow state value is a first flow state value from a series of flow state values, the change of the first flow state value associated with the flow state advancement module includes incrementing the first flow state value to a second flow state value when the packet is received and when the first flow state value is less than the second flow state value; and
  
  a flow state timing module configured to change the first flow state value in response to a first time period from a series of time periods expiring, the change of the first flow state value associated with the flow state timing module includes decrementing the first flow state value, each flow state value from the series of flow state values being associated with a time period from the series of time periods, the series of the time periods including a second time period different from the first time period, and the first time period being the time period from the series of time periods associated with the first flow state value.
- View Dependent Claims (6, 7, 13, 16, 17, 18)
- - 6. The apparatus of claim 5, wherein the first time period has a duration based on an order of the first flow state value within the series of flow states value.
  - 7. The apparatus of claim 5, further comprising:
    - a flow analysis module configured to analyze the packet in response to the first flow state value matching a threshold flow state value when the first flow state value is changed by the flow state advancement module.
  - 13. The apparatus of claim 5, wherein each flow state value from the series of flow state values is used to track at least one of a number of unsuccessful network connection attempts and a number of successful network connection attempts.
  - 16. The apparatus of claim 5, wherein:
    - each flow state value in the series of flow state values is stored in a memory location uniquely associated with that flow state value, andincrementing the first flow state value includes changing the first flow state value stored at a first memory location associated with the first flow state value to the second flow state value in the series of flow state values and stored at a second memory location associated with the second flow state value, the second flow state value being greater than the first flow state value.
  - 17. The apparatus of claim 5, wherein:
    - decrementing the first flow state value includes changing the first flow state value to a second flow state value in the series of flow state values, the first flow state value being greater than the second flow state value.
  - 18. The apparatus of claim 5, wherein the flow state advancement module is configured to delay incrementing the flow state value for a predetermined period of time based on a signature of the packet.

8. A processor-readable non-transitory medium storing code representing instructions that when executed by a processor cause the processor to:
- associate a packet with a flow state value, the flow state value being a numerical count of a number of data packets that have been transmitted in connection to a data flow;
  
  increment the flow state value from a first flow state value to a second flow state value, at a first time, based on an order of a series of flow state values, in response to the packet being associated with the flow state value when the packet is received and when the flow state value is less than the second flow state value;
  
  receive an indicator that a first time period from a series of time periods has expired, each flow state value from the series of flow state values being associated with a time period from the series of time periods, the series of the time periods including a second time period different from the first time period, and the first time period being the time period from the series of time periods associated with the flow state value;
  
  decrement the flow state value from the second flow state value to the first flow state value, at a second time after the first time, in response to the indicator, the change at the second time being based on the order of the series of flow state values; and
  
  analyze a portion of the packet when the flow state value matches a threshold flow state value after the change.
- View Dependent Claims (9, 10, 11, 14)
- - 9. The processor-readable medium of claim 8, wherein the packet is a first packet, the flow state value is changed at the first time,the processor-readable medium further storing code representing instructions that when executed by the processor cause the processor to:
    - associate a second packet with the flow state value; and
      
      change the flow state value at a third time after the first time in response to the second packet being associated with the flow state value, the change at the third time being based on the order of the series of flow state values.
  - 10. The processor-readable medium of claim 9, wherein the flow state value is changed at the second time from the second flow state value to a third flow state value.
  - 11. The processor-readable medium of claim 10, wherein the indicator is a first indicator further storing code representing instructions that when executed by the processor cause the processor to:
    - receive a second indicator that a second time period from the series of time periods has expired, the second time period being the time period from the series of time periods associated. with the third flow state value,change the flow state value at a third time from the third flow state value to the second flow state value in response to the second indicator, the third time being after the second time period has expired, the change at the third time being based on the order of the series of flow state values.
  - 14. The processor-readable medium of claim 8, wherein each flow state value from the series of flow state values is used to track at least one of a number of unsuccessful network connection attempts and a number of successful network connection attempts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Aybay, Gunes
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
RUBIN, BLAKE J

Application Number

US12/646,114
Publication Number

US 20110154132A1
Time in Patent Office

2,246 Days
Field of Search

709/244
US Class Current

1/1
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/0894   Packet rate

H04L 43/18   Protocol analysers

H04L 47/10   Flow control; Congestion co...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Methods and apparatus for tracking data flow based on flow state values

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

130 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for tracking data flow based on flow state values

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links