Aggregation of network traffic source behavior data across network-based endpoints
First Claim
1. A network traffic analysis system, comprising:
- a plurality of traffic behavior aggregation nodes that implement a plurality of different aggregation levels for traffic source behavior data for a network traffic analysis system, the plurality of traffic behavior aggregation nodes implemented via one or more computers comprising one or more hardware processors and configured to:
receive respective indications of endpoint-specific network traffic directed to different ones of a plurality of network endpoints from a plurality of traffic sources;
based, at least in part, on the respective indications of the endpoint-specific network traffic from the plurality of traffic sources, generate aggregate traffic source behavior data that is maintained across the plurality of different aggregation levels, wherein a different respective granularity of the aggregate traffic source behavior data is maintained at the plurality of different aggregation levels, wherein the plurality of traffic behavior aggregation nodes maintain different respective portions of the aggregate traffic source behavior data according to the different respective granularity of the plurality of different aggregation levels;
a control plane for the network traffic analysis system, configured to:
identify traffic behavior for a particular traffic source of the plurality of traffic sources based, at least in part, on the aggregate traffic source behavior data at one or more of the plurality of different aggregation levels, wherein to identify the traffic behavior for the particular traffic source of the plurality of traffic sources, the control plane is configured to:
in response to a received request for traffic behavior data:
identify one or more aggregation levels that provide a respective granularity of the aggregate traffic source behavior data that includes the requested traffic behavior data;
identify at least one of the one or more traffic behavior aggregation nodes of the identified one or more aggregation levels to query for the traffic behavior data; and
send a query to the identified at least one traffic behavior aggregation node to obtain the traffic behavior data; and
provide an indication of the identified traffic behavior of the particular traffic source such that a traffic control action is performed with regard to the particular traffic source for one or more network endpoints of the plurality of endpoints, wherein the particular traffic source did not direct endpoint-specific network traffic to at least one of the one or more network endpoints.
Abstract
Aggregation of network traffic source behavior data across network endpoints may be implemented. Indications of endpoint-specific network traffic directed to different network endpoints may be received. Aggregate traffic source behavior data may be generated across multiple aggregation levels. One or more traffic aggregation nodes may be implemented for each aggregation level to maintain different respective portions of the aggregate traffic source behavior data. Different granularity of the aggregate traffic source behavior data may be maintained at each of the aggregation levels. An indication of traffic source behavior for traffic sources may be provided such that responsive actions, such as traffic control actions, may be performed with regard to the traffic sources.
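A minimal sketch of the flow the abstract and claim 1 describe, added here as an illustration and not taken from the patent. The two level names, the hash partitioning of sources across nodes, the "suspicious request count" metric and the blocking threshold are all assumptions made for the example.

```python
import zlib
from collections import Counter

class AggregationLevel:
    """One aggregation level: a key granularity plus the nodes that hold it."""
    def __init__(self, name, key_fn, n_nodes):
        self.name, self.key_fn = name, key_fn
        # Each node (a Counter here) keeps one portion of the level's data.
        self.nodes = [Counter() for _ in range(n_nodes)]

    def node_for(self, source):
        # Assumed partitioning: hash the traffic source to choose a node.
        return self.nodes[zlib.crc32(source.encode()) % len(self.nodes)]

    def ingest(self, source, endpoint, suspicious):
        self.node_for(source)[self.key_fn(source, endpoint)] += suspicious

class ControlPlane:
    def __init__(self, levels, threshold):
        self.levels = {lvl.name: lvl for lvl in levels}
        self.threshold = threshold

    def ingest(self, source, endpoint, suspicious):
        for lvl in self.levels.values():
            lvl.ingest(source, endpoint, suspicious)

    def query(self, source, endpoint=None):
        # 1) pick the level whose granularity contains the requested data,
        # 2) pick the node holding this source's portion, 3) query it.
        lvl = self.levels["per_endpoint" if endpoint else "per_source"]
        return lvl.node_for(source)[lvl.key_fn(source, endpoint)]

    def should_block(self, source, endpoint):
        # The indication is per source, so it also covers endpoints the
        # source has never contacted.
        return self.query(source) >= self.threshold

def build_demo():
    cp = ControlPlane([
        AggregationLevel("per_endpoint", lambda s, e: (s, e), n_nodes=4),
        AggregationLevel("per_source", lambda s, e: s, n_nodes=2),
    ], threshold=5)
    # Constructed reports: (source, endpoint, suspicious request count).
    for ev in [("198.51.100.7", "ep-a", 3), ("198.51.100.7", "ep-b", 4),
               ("203.0.113.9", "ep-a", 1), ("203.0.113.9", "ep-c", 0)]:
        cp.ingest(*ev)
    return cp
```

In the constructed data, 198.51.100.7 stays under the threshold at each endpoint it touched, and only the coarser per-source level shows the combined count that triggers a block at ep-c, which it never contacted.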
20 Claims
5. A method, comprising:
performing, by one or more computing devices comprising one or more hardware processors:
receiving respective indications of endpoint-specific network traffic directed to different ones of a plurality of network endpoints from a plurality of traffic sources;
based, at least in part, on the respective indications of the endpoint-specific network traffic from the plurality of traffic sources, generating aggregate traffic source behavior data that is maintained across a plurality of different aggregation levels, wherein a different respective granularity of the aggregate traffic source behavior data is maintained at the plurality of different aggregation levels, wherein the plurality of different aggregation levels respectively comprise one or more traffic behavior aggregation nodes that maintain different portions of the aggregate traffic source behavior data according to the respective granularity of the aggregation level; and
based, at least in part, on the aggregate traffic source behavior data at one or more of the plurality of different aggregation levels, providing a traffic behavior indication for one or more traffic sources of the plurality of traffic sources such that a responsive action is performed with regard to at least one of the one or more traffic sources for one or more network endpoints of the plurality of endpoints, wherein providing the traffic behavior indication for the one or more traffic sources of the plurality of traffic sources comprises:
in response to receiving a request for traffic behavior data:
identifying one or more aggregation levels that provide a respective granularity of the aggregate traffic source behavior data that includes the requested traffic behavior data;
identifying at least one of the one or more traffic behavior aggregation nodes of the identified one or more aggregation levels to query for the traffic behavior data; and
sending a query to the identified at least one traffic behavior aggregation nodes to obtain the traffic behavior data.
14. A non-transitory, computer-readable storage medium, storing program instructions that when executed by one or more computing devices cause the one or more computing devices to implement:
receiving respective indications of endpoint-specific network traffic directed to different ones of a plurality of network endpoints from a plurality of traffic sources;
based, at least in part, on the respective indications of the endpoint-specific network traffic from the plurality of traffic sources, generating aggregate traffic source behavior data that is maintained across a plurality of different aggregation levels, wherein a different respective granularity of the aggregate traffic source behavior data is maintained at the plurality of different aggregation levels, wherein the plurality of different aggregation levels respectively comprise one or more traffic behavior aggregation nodes that maintain different portions of the aggregate traffic source behavior data according to the respective granularity of the aggregation level; and
based, at least in part, on the aggregate traffic source behavior data at one or more of the plurality of different aggregation levels, providing a traffic behavior indication for one or more traffic sources of the plurality of traffic sources such that a traffic control action is performed with regard to at least one of the one or more traffic sources for one or more network endpoints of the plurality of endpoints, wherein the at least one traffic source did not direct endpoint-specific network traffic to at least one of the one or more network endpoints, and wherein providing the traffic behavior indication for the one or more traffic sources of the plurality of traffic sources comprises:
in response to receiving a request for traffic behavior data:
identifying one or more aggregation levels that provide a respective granularity of the aggregate traffic source behavior data that includes the requested traffic behavior data;
identifying at least one of the one or more traffic behavior aggregation nodes of the identified one or more aggregation levels to query for the traffic behavior data; and
sending a query to the identified at least one traffic behavior aggregation nodes to obtain the traffic behavior data.
Specification