Traffic analysis of data flows
Abstract
A device includes a memory, flow table logic, sampling logic, and a processing unit. The memory is configured to store a flow table that stores, as a number of entries, statistics regarding a number of data flows. The flow table logic is configured to generate records corresponding to data flows for which entries are created in the flow table or removed from the flow table. The sampling logic is configured to select one of the data flows for sampling and sample initial data units for the one of the data flows. The processing unit is configured to receive the records generated by the flow table logic, receive the initial data units sampled by the sampling logic, analyze the initial data units to generate analysis results, correlate the records and the analysis results associated with a same one of the data flows, and store the correlated records and analysis results.
20 Claims
1. A system comprising:
   a plurality of network devices, in a network, to:
      aggregate information regarding a plurality of data flows associated with data units received or transmitted by the plurality of network devices without impacting throughput of the data units, and
      output the aggregated information; and
   a traffic analyzer, connected to the plurality of network devices, to:
      receive the aggregated information from the plurality of network devices,
         the aggregated information including information regarding successful data flows and unsuccessful data flows associated with a particular source,
         the aggregated information providing an indication of an attack on the network or a misconfiguration of the network when the particular source is responsible for creation of more than a particular quantity of the plurality of data flows during a period of time,
         the successful data flows being data flows that are successfully established, and
         the unsuccessful data flows being data flows that are unsuccessfully established,
         the plurality of data flows including the successful data flows and the unsuccessful data flows, and
         the successful data flows and the unsuccessful data flows including at least a portion of the data units,
      determine creation information regarding when one or more of the successful data flows were created;
      determine termination information regarding when the one or more of the successful data flows were terminated,
         the termination information being determined based on the one or more of the successful data flows for which no data units are received for at least a threshold amount of time; and
      provide information based on one or more of the aggregated information, the creation information, or the termination information.
   Dependent claims: 2, 3, 4, 5, 6, 7.
8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
   one or more instructions that, when executed by at least one processor, cause the at least one processor to:
      receive aggregated information from a plurality of network devices, in a network, without impacting throughput of data units via the plurality of network devices,
         the aggregated information including information regarding successful data flows and unsuccessful data flows associated with a particular source,
         the aggregated information providing an indication of an attack on the network or a misconfiguration of the network when the particular source is responsible for creation of more than a particular quantity of a plurality of data flows during a period of time,
         the successful data flows being data flows that are successfully established, and
         the unsuccessful data flows being data flows that are unsuccessfully established, and
         the successful data flows and the unsuccessful data flows including at least a portion of the data units,
      determine creation information regarding when one or more of the successful data flows were created,
      determine termination information regarding when the one or more of the successful data flows were terminated,
         the termination information being determined based on the one or more of the successful data flows for which no data units are received for at least a threshold amount of time,
      store records based on the aggregated information, the creation information, and the termination information, and
      provide information associated with a user interface to facilitate searching and retrieval of information from the records.
   Dependent claims: 9, 10, 11, 12, 13, 14.
15. A method comprising:
   receiving, by one or more server devices, aggregated information from a plurality of network devices, in a network, without impacting throughput of data units via the plurality of network devices,
      the aggregated information including information regarding successful data flows and unsuccessful data flows associated with a particular source,
      the aggregated information providing an indication of an attack on the network or a misconfiguration of the network when the particular source is responsible for creation of more than a particular quantity of the plurality of data flows during a period of time,
      the successful data flows being data flows that are successfully established, and
      the unsuccessful data flows being data flows that are unsuccessfully established, and
      the successful data flows and the unsuccessful data flows including at least a portion of the data units;
   determining, by the one or more server devices, creation information regarding when one or more of the successful data flows were created;
   determining, by the one or more server devices, termination information regarding when the one or more of the successful data flows were terminated,
      the termination information being determined based on the one or more of the successful data flows for which no data units are received for at least a threshold amount of time; and
   providing, by the one or more server devices, information based on one or more of the aggregated information, the creation information, or the termination information.
   Dependent claims: 16, 17, 18, 19, 20.
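The abstract and the independent claims describe the same mechanism from two angles: a per-device flow table that emits records when entries are created and removed (removal being driven by an idle threshold), and an analyzer that aggregates flows per source, splits them into established and not-established, and raises an indication when one source creates more than a set number of flows in a period. The following Python is an added illustration of that pipeline written for this page; it is not the patent's code, and the record layout, the `IDLE_TIMEOUT` and `FLOW_LIMIT` values, the flow key of (source, destination, destination port), and the sample data units are all constructed for the example.

```python
"""Flow-table aggregation and per-source flow-count indications.

Added illustration of the mechanism in the claims above; not the patent's own
code. Record layout, constants and sample data are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int]  # (source, destination, destination port) - assumed key

IDLE_TIMEOUT = 30.0  # seconds with no data units before a flow counts as terminated (assumed)
FLOW_LIMIT = 5       # more than this many flows from one source per period is the indication (assumed)


@dataclass
class FlowEntry:
    key: FlowKey
    created: float                 # time the entry was added to the flow table
    last_seen: float               # time of the most recent data unit for the flow
    units: int = 0                 # data units attributed to the flow
    established: bool = False      # set once the flow is successfully established
    terminated: Optional[float] = None  # set when the idle threshold removes the entry


class FlowTable:
    """Per-device flow table: one entry per live flow plus creation/removal records."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.live: Dict[FlowKey, FlowEntry] = {}
        self.closed: List[FlowEntry] = []
        # ("created" | "terminated" | "unsuccessful", flow key, timestamp)
        self.records: List[Tuple[str, FlowKey, float]] = []

    def observe(self, ts: float, src: str, dst: str, dport: int, handshake_done: bool) -> None:
        """Account for one data unit. This is the per-unit path, so it only touches counters."""
        self.expire(ts)
        key = (src, dst, dport)
        entry = self.live.get(key)
        if entry is None:
            entry = FlowEntry(key, created=ts, last_seen=ts)
            self.live[key] = entry
            self.records.append(("created", key, ts))
        entry.last_seen = ts
        entry.units += 1
        if handshake_done:
            entry.established = True

    def expire(self, now: float) -> None:
        """Remove entries idle for at least the threshold. An idle established flow is
        recorded as terminated at last_seen + threshold; an idle flow that never
        established is recorded as unsuccessful."""
        for key, entry in list(self.live.items()):
            if now - entry.last_seen >= self.idle_timeout:
                entry.terminated = entry.last_seen + self.idle_timeout
                kind = "terminated" if entry.established else "unsuccessful"
                self.records.append((kind, key, entry.terminated))
                self.closed.append(self.live.pop(key))

    def entries(self) -> List[FlowEntry]:
        return self.closed + list(self.live.values())


def aggregate_by_source(table: FlowTable, start: float, end: float) -> Dict[str, Dict[str, int]]:
    """Count the flows each source created in [start, end), split by establishment."""
    agg = defaultdict(lambda: {"successful": 0, "unsuccessful": 0})
    for e in table.entries():
        if start <= e.created < end:
            agg[e.key[0]]["successful" if e.established else "unsuccessful"] += 1
    return dict(agg)


def indications(agg: Dict[str, Dict[str, int]], limit: int = FLOW_LIMIT) -> Dict[str, Dict[str, int]]:
    """Sources that created more than `limit` flows in the period. The success split is
    kept so an analyst can weigh an attack against a misconfiguration."""
    return {src: c for src, c in agg.items() if c["successful"] + c["unsuccessful"] > limit}


# Constructed sample data units: (ts, src, dst, dport, handshake_done)
SAMPLE_UNITS = [
    (0.0, "10.0.0.5", "10.0.1.10", 443, False),
    (0.1, "10.0.0.5", "10.0.1.10", 443, True),   # handshake completes
    (1.0, "10.0.0.5", "10.0.1.10", 443, False),
    (2.0, "10.0.0.5", "10.0.1.11", 22, True),
    (5.0, "10.0.0.5", "10.0.1.11", 22, False),
] + [
    # one source creating eight flows to eight ports, none of which establishes
    (10.0 + i, "10.0.0.99", "10.0.1.10", 1000 + i, False) for i in range(8)
] + [
    (120.0, "10.0.0.7", "10.0.1.10", 80, True),  # late unit that drives idle expiry above
]


def run(units=SAMPLE_UNITS, period=(0.0, 60.0)):
    table = FlowTable()
    for u in units:
        table.observe(*u)
    agg = aggregate_by_source(table, *period)
    return table, agg, indications(agg)


if __name__ == "__main__":
    table, agg, alerts = run()
    for rec in table.records:
        print(rec)
    print("per-source:", agg)
    print("indications:", alerts)
```

With the sample input, the two flows from 10.0.0.5 are recorded as created, then terminated at 31.0 and 35.0 once nothing further arrives for them, while the eight never-established flows from 10.0.0.99 expire as unsuccessful and that source alone exceeds the limit for the period. The per-unit path deliberately does nothing beyond counter updates and a timestamp write; classification and thresholding run on the aggregated records, which is what keeps the collection step off the throughput path.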