Events from network flows

US 9,374,383 B2
Filed: 10/21/2014
Issued: 06/21/2016
Est. Priority Date: 10/21/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising a hardware processor;

and a memory to store data used by the hardware processor, wherein the hardware processor is operative to;

receive a plurality of network flows from a network;

read, from the memory, a flow-specific criteria for each one event-type of a plurality of event-types, wherein for each one event-type of the plurality of event-types, the flow-specific criteria of the one event-type is defined to identify if each one network flow of the plurality of network flows potentially forms part of one or more events of the one event-type when each one network flow of the plurality of network flows is examined independently of all other ones of the plurality of network flows with respect to the flow-specific criteria of the one event-type;

for each one event-type of the plurality of event-types, compare each one network flow of the plurality of network flows to the flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria of the one event-type;

for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow satisfying the flow-specific criteria of the one event-type to a proto-event of the one-event type, the proto-event being assigned at least two network flows of the plurality of network flows, wherein the plurality of event-types includes a plurality of proto-events, each one event-type of the plurality of event-types including at least one proto-event;

read, from the memory, an aggregation criteria for one of the event-types, wherein the aggregation criteria is defined to identify an event in the proto-event of the one event-type from the at least two networks flows in the proto-event of the one event-type when the at least two network flows that form part of the proto-event of the one event-type are examined together as a group; and

test different combinations of the at least two network flows assigned to the proto-event of the one event-type against the aggregation criteria of the one event-type to determine if one combination of the different combinations of the at least two network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the at least two network flows of the proto-event.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a system includes a processor to receive network flows, for each of one of a plurality of event-types, compare each one of the network flows to a flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria, for each one of the event-types, for each one of the network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow to a proto-event of the one-event type, test different combinations of the network flows assigned to the proto-event of the one event-type against aggregation criteria of the one event-type to determine if one combination of the network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the network flows of the proto-event. Related apparatus and methods are also described.

12 Citations

View as Search Results

20 Claims

1. A system comprising a hardware processor;
- and a memory to store data used by the hardware processor, wherein the hardware processor is operative to;
  
  receive a plurality of network flows from a network;
  
  read, from the memory, a flow-specific criteria for each one event-type of a plurality of event-types, wherein for each one event-type of the plurality of event-types, the flow-specific criteria of the one event-type is defined to identify if each one network flow of the plurality of network flows potentially forms part of one or more events of the one event-type when each one network flow of the plurality of network flows is examined independently of all other ones of the plurality of network flows with respect to the flow-specific criteria of the one event-type;
  
  for each one event-type of the plurality of event-types, compare each one network flow of the plurality of network flows to the flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria of the one event-type;
  
  for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow satisfying the flow-specific criteria of the one event-type to a proto-event of the one-event type, the proto-event being assigned at least two network flows of the plurality of network flows, wherein the plurality of event-types includes a plurality of proto-events, each one event-type of the plurality of event-types including at least one proto-event;
  
  read, from the memory, an aggregation criteria for one of the event-types, wherein the aggregation criteria is defined to identify an event in the proto-event of the one event-type from the at least two networks flows in the proto-event of the one event-type when the at least two network flows that form part of the proto-event of the one event-type are examined together as a group; and
  
  test different combinations of the at least two network flows assigned to the proto-event of the one event-type against the aggregation criteria of the one event-type to determine if one combination of the different combinations of the at least two network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the at least two network flows of the proto-event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system according to claim 1, wherein the hardware processor is operative to determine, to which one of the plurality of proto-events to assign the one network flow satisfying the flow-specific criteria of the one event-type.
  - 3. The system according to claim 1, wherein at least two network flows of the plurality of network flows will be determined as being part of more than one of the plurality of proto-events of different ones of the plurality of event-types.
  - 4. The system according to claim 1, wherein for each one proto-event of the proto-events, the processor is operative to test the different combinations of the at least two network flows assigned to the one proto-event against the aggregation criteria of the one event-types of the one proto-event to determine if one of the different combinations of the at least two network flows assigned to the one proto-event satisfies the aggregation criteria for the one event-type of the one proto-event and identifies the event of the one event-type from among the at least two network flows of the one proto-event.
  - 5. The system accord to claim 1, wherein the flow-specific criteria is defined to check a protocol of one the plurality of network flows.
  - 6. The system according to claim 1, wherein the flow-specific criteria is defined to check a flag value of one of the plurality of network flows.
  - 7. The system according to claim 1, wherein the flow-specific criteria is defined to check a number of bytes of one of the plurality of network flows.
  - 8. The system according to claim 1, wherein the flow-specific criteria is defined to check a number of packets of one of the plurality of network flows.
  - 9. The system according to claim 1, wherein the aggregation criteria is defined to limit a maximum or minimum number of the plurality of network flows in the event of the one event-type.
  - 10. The system according to claim 1, wherein the aggregation criteria is defined to limit an average number of bytes of the plurality of network flows in the event of the one event-type.
  - 11. The system according to claim 1, wherein the aggregation criteria is defined to limit an average entropy of ports of the plurality of network flows in the event of the one event-type.
  - 12. The system according to claim 1, wherein the hardware processor is operative, for each one proto-event of the plurality of proto-events, to:
    - create a data sub-set including data from each one network flow of the plurality of network flows that are to be assigned to the one proto-event; and
      
      store the data sub-set of the one proto-event in the memory.
  - 13. The system according to claim 12, wherein the hardware processor is operative to:
    - provide a hash-table in the memory; and
      
      store the data sub-set of the one proto-event in the hash-table.
  - 14. The system according to claim 12, wherein the hardware processor is operative to:
    - provide a hash function for each one event-type of the plurality of event-types, the hash function for the one event-type mapping the data from each one network flow of the plurality of network flows that are to be assigned to a same one of the plurality of proto-events to a same hash-key; and
      
      for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, determine a first hash-key of the one network flow satisfying the flow-specific criteria of the one event-type using a part, or all, of the data from the one network flow satisfying the flow-specific criteria of the one event-type as input to the hash function for the one event-type, wherein;
      
      if the first hash-key already exists in the hash-table, the hardware processor is operative to add the data from the one network flow satisfying the flow-specific criteria of the one event-type to a value in the hash-table corresponding to the first hash-key; and
      
      if the first hash-key does not already exist in the hash-table, the hardware processor is operative to add the hash-key and a corresponding value including the data from the one network flow satisfying the flow-specific criteria of the one event-type to the hash-table.
  - 15. The system according to claim 14, wherein the data from the one network flow satisfying the flow-specific criteria of the one event-type includes one or more of the following:
    - a protocol of the one network flow satisfying the flow-specific criteria of the one event-type, a source-IP of the one network flow satisfying the flow-specific criteria of the one event-type, a source-Port of the one network flow satisfying the flow-specific criteria of the one event-type, a destination-IP of the one network flow satisfying the flow-specific criteria of the one event-type, a destination-Port of the one network flow satisfying the flow-specific criteria of the one event-type, flags of the one network flow satisfying the flow-specific criteria of the one event-type, a number of packets of the one network flow satisfying the flow-specific criteria of the one event-type, a number of bytes of the one network flow satisfying the flow-specific criteria of the one event-type.

16. A method comprising:
- receiving a plurality of network flows from a network;
  
  reading, from a memory, a flow-specific criteria for each one event-type of a plurality of event-types, wherein for each one event-type of the plurality event-types, the flow-specific criteria of the one event-type is defined to identify if each one network flow of the plurality network flows potentially forms part of one or more events of the one event-type when each one network flow of the plurality of network flows is examined independently of all other ones of the plurality of network flows with respect to the flow-specific criteria of the one event-type;
  
  for each one event-type of the plurality of event-types, comparing each one network flow of the plurality of network flows to the flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria of the one event-type;
  
  for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, assigning the one network flow satisfying the flow-specific criteria of the one event-type to a proto-event of the one-event type, the proto-event being assigned at least two network flows of the plurality of network flows, wherein the plurality of event-types includes a plurality of proto-events, each one event-type of the plurality of event-types including at least one proto-event;
  
  reading, from the memory, an aggregation criteria for one of the event-types, wherein the aggregation criteria is defined to identify an event in the proto-event of the one event-type from the at least two networks flows in the proto-event of the one event-type when the at least two network flows that form part of the proto-event of the one event-type are examined together as a group; and
  
  testing different combinations of the at least two network flows assigned to the proto-event of the one event-type against the aggregation criteria of the one event-type to determine if one combination of the different combinations of the at least two network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the at least two network flows of the proto-event.
- View Dependent Claims (17, 18)
- - 17. The method according to claim 16, further comprising outputting a report of the event of the one event-type identified from the plurality of network flows.
  - 18. The method according to claim 16, further comprising:
    - providing a hash function for each one event-type of the plurality of event-types, the hash function for the one event-type mapping the data from each one network flow of the network flows that are to be assigned to a same one of the plurality of proto-events to a same hash-key; and
      
      for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, determining a first hash-key of the one network flow satisfying the flow-specific criteria of the one event-type using a part, or all, of the data from the one network flow satisfying the flow-specific criteria of the one event-type as input to the hash function for the one event-type;
      
      if the first hash-key already exists in the hash-table, adding the data from the one network flow satisfying the flow-specific criteria of the one event-type to a value in the hash-table corresponding to the first hash-key; and
      
      if the first hash-key does not already exist in the hash-table, adding the hash-key and a corresponding value including the data from the one network flow satisfying the flow-specific criteria of the one event-type to the hash-table.

19. A system comprising a hardware processor;
- and a memory to store data used by the hardware processor, wherein the hardware processor is operative to;
  
  receive a plurality of network flows from a network;
  
  read, from the memory, a flow-specific criteria for each one event-type of a plurality of event-types, wherein for each one event-type of the plurality of event-types, the flow-specific criteria of the one event-type is defined to identify if each one network flow of the plurality of network flows potentially forms part of one or more events of the one event-type when each one network flow of the plurality of network flows is examined independently of all other ones of the plurality of network flows with respect to the flow-specific criteria of the one event-type;
  
  for each one event-type of the plurality of event-types, compare each one network flow of the plurality of network flows to the flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria of the one event-type;
  
  for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow satisfying the flow-specific criteria of the one event-type to a proto-event of the one-event type, the proto-event being assigned at least two network flows of the plurality of network flows, wherein the plurality of event-types includes a plurality of proto-events, each one event-type of the plurality of event-types including at least one proto-event;
  
  read, from the memory, an aggregation criteria for one of the event-types, wherein the aggregation criteria is defined to identify an event in the proto-event of the one event-type from the at least two networks flows in the proto-event of the one event-type when the at least two network flows that form part of the proto-event of the one event-type are examined together as a group;
  
  test different combinations of the at least two network flows assigned to the proto-event of the one event-type against the aggregation criteria of the one event-type to determine if one combination of the different combinations of the at least two network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the at least two network flows of the proto-event; and
  
  identify a suspicious event based on applying the flow-specific criteria and the aggregation criteria for at least one event-type of the plurality of event-types.
- View Dependent Claims (20)
- - 20. The system according to claim 19, wherein the processor is operative to output a report of the event of the one event-type identified from the plurality of network flows.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sourek, Gustav, Bartos, Karel, Zelezny, Filip, Pevny, Tomas, Somol, Petr
Primary Examiner(s)
LEE, JASON T

Application Number

US14/519,160
Publication Number

US 20160112442A1
Time in Patent Office

609 Days
Field of Search

723/23
US Class Current

1/1
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 67/10 in which an application is ...

Events from network flows

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Events from network flows

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links