Traffic analysis of data flows

US 9,485,155 B2
Filed: 06/30/2011
Issued: 11/01/2016
Est. Priority Date: 01/30/2009
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a plurality of network devices, in a network, to;

aggregate information regarding a plurality of data flows associated with data units received or transmitted by the plurality of network devices without impacting throughput of the data units, andoutput the aggregated information; and

a traffic analyzer, connected to the plurality of network devices, to;

receive the aggregated information from the plurality of network devices,the aggregated information including information regarding successful data flows and unsuccessful data flows associated with a particular source,the aggregated information providing an indication of an attack on the network or a misconfiguration of the network when the particular source is responsible for creation of more than a particular quantity of the plurality of data flows during a period of time,the successful data flows being data flows that are successfully established, andthe unsuccessful data flows being data flows that are unsuccessfully established,the plurality of data flows including the successful data flows and the unsuccessful data flows, andthe successful data flows and the unsuccessful data flows including at least a portion of the data units,determine creation information regarding when one or more of the successful data flows were created;

determine termination information regarding when the one or more of the successful data flows were terminated,the termination information being determined based on the one or more of the successful data flows for which no data units are received for at least a threshold amount of time; and

provide information based on one or more of the aggregated information, the creation information, or the termination information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device includes a memory, flow table logic, sampling logic, and a processing unit. The memory is configured to store a flow table that stores, as a number of entries, statistics regarding a number of data flows. The flow table logic is configured to generate records corresponding to data flows for which entries are created in the flow table or removed from the flow table. The sampling logic is configured to select one of the data flows for sampling and sample initial data units for the one of the data flows. The processing unit is configured to receive the records generated by the flow table logic, receive the initial data units sampled by the sampling logic, analyze the initial data units to generate analysis results, correlate the records and the analysis results associated with a same one of the data flows, and store the correlated records and analysis results.

Citations

20 Claims

1. A system comprising:
- a plurality of network devices, in a network, to;
  
  aggregate information regarding a plurality of data flows associated with data units received or transmitted by the plurality of network devices without impacting throughput of the data units, andoutput the aggregated information; and
  
  a traffic analyzer, connected to the plurality of network devices, to;
  
  receive the aggregated information from the plurality of network devices,the aggregated information including information regarding successful data flows and unsuccessful data flows associated with a particular source,the aggregated information providing an indication of an attack on the network or a misconfiguration of the network when the particular source is responsible for creation of more than a particular quantity of the plurality of data flows during a period of time,the successful data flows being data flows that are successfully established, andthe unsuccessful data flows being data flows that are unsuccessfully established,the plurality of data flows including the successful data flows and the unsuccessful data flows, andthe successful data flows and the unsuccessful data flows including at least a portion of the data units,determine creation information regarding when one or more of the successful data flows were created;
  
  determine termination information regarding when the one or more of the successful data flows were terminated,the termination information being determined based on the one or more of the successful data flows for which no data units are received for at least a threshold amount of time; and
  
  provide information based on one or more of the aggregated information, the creation information, or the termination information.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, where the aggregated information further includes:
    - information identifying which of the plurality of data flows are active data flows and which are terminated data flows, andinformation regarding sampled data units of at least one of the active data flows or the terminated data flows,the data units including the sampled data units.
  - 3. The system of claim 1, where a portion of the aggregated information, aggregated by a particular network device of the plurality of network devices, is associated with all data flows, of the plurality of data flows, associated with particular data units, of the data units, that are received by the particular network device.
  - 4. The system of claim 1, where a portion of the aggregated information, aggregated by a particular network device of the plurality of network devices, is associated with all data flows, of the plurality of data flows, associated with particular data units, of the data units, that are transmitted by the particular network device.
  - 5. The system of claim 1, where the traffic analyzer is further to:
    - receive a search query;
      
      identify, based on the search query, particular information in the aggregated information; and
      
      provide, for presentation, the particular information via a user interface.
  - 6. The system of claim 5, where, when receiving the search query, the traffic analyzer is to:
    - receive the search query via the user interface.
  - 7. The system of claim 1,where the traffic analyzer is further to:
    - identify, in the aggregated information, a particular data flow of the plurality of data flows; and
      
      where the traffic analyzer is further to;
      
      store information that identifies the particular data flow.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by at least one processor, cause the at least one processor to;
  
  receive aggregated information from a plurality of network devices, in a network, without impacting throughput of data units via the plurality of network devices,the aggregated information including information regarding successful data flows and unsuccessful data flows associated with a particular source,the aggregated information providing an indication of an attack on the network or a misconfiguration of the network when the particular source is responsible for creation of more than a particular quantity of a plurality of data flows during a period of time,the successful data flows being data flows that are successfully established, andthe unsuccessful data flows being data flows that are unsuccessfully established, andthe successful data flows and the unsuccessful data flows including at least a portion of the data units,determine creation information regarding when one or more of the successful data flows were created,determine termination information regarding when the one or more of the successful data flows were terminated,the termination information being determined based on the one or more of the successful data flows for which no data units are received for at least a threshold amount of time,store records based on the aggregated information, the creation information, and the termination information, andprovide information associated with a user interface to facilitate searching and retrieval of information from the records.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8,where the aggregated information further includes:
    - information regarding active data flows and terminated data flows of the successful data flows, andinformation regarding sampled data units of at least one of the active data flows or the terminated data flows, andwhere the data units include the sampled data units.
  - 10. The non-transitory computer-readable medium of claim 8, where a portion of the aggregated information, aggregated by a particular network device of the plurality of network devices, is associated with all data flows, of the successful data flows and the unsuccessful data flows, associated with particular data units, of the data units, that are received by the particular network device.
  - 11. The non-transitory computer-readable medium of claim 8, where a portion of the aggregated information, aggregated by a particular network device of the plurality of network devices, is associated with all data flows, of the successful data flows and the unsuccessful data flows, associated with particular data units, of the data units, that are transmitted by the particular network device.
  - 12. The non-transitory computer-readable medium of claim 8, where the instructions further comprise:
    - one or more instructions that, when executed by the at least one processor, cause the at least one processor to;
      
      receive a search query,identify, based on the search query, particular information in the stored records, andprovide, for presentation, the particular information via the user interface.
  - 13. The non-transitory computer-readable medium of claim 12, where the one or more instructions to receive the search query include:
    - one or more instructions that, when executed by the at least one processor, cause the at least one processor to;
      
      receive the search query via the user interface.
  - 14. The non-transitory computer-readable medium of claim 8, where the instructions further comprise:
    - one or more instructions that, when executed by the at least one processor, cause the at least one processor to;
      
      identify, in the aggregated information, a particular data flow of the successful data flows and the unsuccessful data flows; and
      
      where the one or more instructions to store the records include;
      
      one or more instructions that, when executed by the at least one processor, cause the at least one processor to;
      
      store information that identifies the particular data flow.

15. A method comprising:
- receiving, by one or more server devices, aggregated information from a plurality of network devices, in a network, without impacting throughput of data units via the plurality of network devices,the aggregated information including information regarding successful data flows and unsuccessful data flows associated with a particular source,the aggregated information providing an indication of an attack on the network or a misconfiguration of the network when the particular source is responsible for creation of more than a particular quantity of the plurality of data flows during a period of time,the successful data flows being data flows that are successfully established, andthe unsuccessful data flows being data flows that are unsuccessfully established, andthe successful data flows and the unsuccessful data flows including at least a portion of the data units;
  
  determining, by the one or more server devices, creation information regarding when one or more of the successful data flows were created;
  
  determining, by the one or more server devices, termination information regarding when the one or more of the successful data flows were terminated,the termination information being determined based on the one or more of the successful data flows for which no data units are received for at least a threshold amount of time; and
  
  providing, by the one or more server devices, information based on one or more of the aggregated information, the creation information, or the termination information.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15,where the aggregated information further includes:
    - information regarding active data flows and terminated data flows, andinformation regarding sampled data units of at least one of the active data flows or the terminated data flows, andwhere the data units include the sampled data units.
  - 17. The method of claim 15, where a portion of the aggregated information, aggregated by a particular network device of the plurality of network devices, is associated with particular data flows associated with particular data units, of the data units, that are received by the particular network device.
  - 18. The method of claim 15, where a portion of the aggregated information, aggregated by a particular network device of the plurality of network devices, is associated with particular data flows associated with particular data units, of the data units, that are transmitted by the particular network device.
  - 19. The method of claim 15, further comprising:
    - receiving a search query;
      
      identifying, based on the search query, particular information in the aggregated information; and
      
      providing, for presentation, the particular information via a user interface.
  - 20. The method of claim 15, further comprising:
    - identifying, in the aggregated information, a particular data flow,where the method further includes;
      
      storing information that identifies the particular data flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Aybay, Gunes, Kohn, Jack, Rowell, David, Shi, Fuguang
Primary Examiner(s)
Kao, Jutai

Application Number

US13/174,366
Publication Number

US 20110255408A1
Time in Patent Office

1,951 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 43/02   Capturing of monitoring data

H04L 43/04   Processing captured monitor...

H04L 43/0811   by checking connectivity

H04L 47/10   Flow control; Congestion co...

H04L 63/1458   Denial of Service

Traffic analysis of data flows

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Traffic analysis of data flows

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links