Methods and apparatus for tracking data flow based on flow state values

US 9,967,167 B2
Filed: 02/12/2016
Issued: 05/08/2018
Est. Priority Date: 12/23/2009
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a memory configured to store a first flow state value from a series of flow state values at a memory location; and

a processor configured to increment the first flow state value to a second flow state value from the series of flow state values, after a first time period from a series of time periods has expired, when a first packet is received and when the first flow state value is less than the second flow state value, the processor configured to associate the memory location with a data flow in which the first packet is included, based on a hash value calculated using at least a portion of the first packet, the processor configured to increment the second flow state value to a third flow state value, after a second time period from the series of time periods and longer than the first time period has expired, when a second packet is received and when the second flow state value is less than the third flow state value,the processor configured to decrement the third flow state value in response to a third time period from the series of time periods expiring, the third time period being longer than the second time period,the processor configured to send, in response to the first flow state value changing to the second flow state value, a notice based on the second flow state value matching a threshold flow state value that indicates a network anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a processor-readable medium storing code representing instructions that when executed by a processor cause the processor to update, at a memory location, a first flow state value associated with a data flow to a second flow state value when at least one of a packet from the data flow is received or the memory location is selected after a time period has expired. At least a portion of the packet is analyzed when the second flow state value represents a flow rate of a network data flow anomaly.

Citations

18 Claims

1. An apparatus, comprising:
- a memory configured to store a first flow state value from a series of flow state values at a memory location; and
  
  a processor configured to increment the first flow state value to a second flow state value from the series of flow state values, after a first time period from a series of time periods has expired, when a first packet is received and when the first flow state value is less than the second flow state value, the processor configured to associate the memory location with a data flow in which the first packet is included, based on a hash value calculated using at least a portion of the first packet, the processor configured to increment the second flow state value to a third flow state value, after a second time period from the series of time periods and longer than the first time period has expired, when a second packet is received and when the second flow state value is less than the third flow state value,the processor configured to decrement the third flow state value in response to a third time period from the series of time periods expiring, the third time period being longer than the second time period,the processor configured to send, in response to the first flow state value changing to the second flow state value, a notice based on the second flow state value matching a threshold flow state value that indicates a network anomaly.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein the first time period has a duration based on an order of flow state values within the series of flow state values.
  - 3. The apparatus of claim 1, wherein the processor is further configured to conduct deep packet inspection on the first packet in response to the second flow state value matching the threshold flow state value when the first flow state value is changed to the second flow state value.
  - 4. The apparatus of claim 1, wherein each of the first flow state value, the second flow state value, and the third flow state value is included in the series of flow state values.
  - 5. The apparatus of claim 1, wherein the portion of the first packet is a first portion of the first packet, the processor configured to analyze a second portion of the first packet when the second flow state value matches the threshold flow state value.

6. A processor-readable non-transitory medium storing code representing instructions that when executed by a processor cause the processor to:
- receive a data packet;
  
  associate the data packet with a flow state value after receiving the data packet;
  
  associate a data flow in which the data packet is included with a memory location based on a hash value calculated using at least a portion of the data packet;
  
  increment the flow state value from a first flow state value to a second flow state value, at a time period, in response to the data packet being associated with the flow state value and when the flow state value is less than the second flow state value;
  
  receive an indicator that the time period has expired;
  
  decrement the flow state value from the second flow state value to the first flow state value, at a time after the time period, in response to the indicator;
  
  conduct deep packet inspection on the portion of the data packet in response to the flow state value matching a threshold flow state value that indicates a network anomaly; and
  
  send a notice indicating the network anomaly.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The processor-readable medium of claim 6, wherein each of the first flow state value and the second flow state value are included in a series of flow state values.
  - 8. The processor-readable medium of claim 6, wherein each of the first flow state value and the second flow state value are included in an ordered series of flow state values, such that the second flow state value is ordered after the first flow state value.
  - 9. The processor-readable medium of claim 6, wherein the flow state value is stored at the memory location selected using the hash value of the portion of the data packet.
  - 10. The processor-readable medium of claim 6, wherein the flow state value is a numerical count of a number of data packets that have been transmitted in connection with the data flow that includes the data packet.
  - 11. The processor-readable medium of claim 6, wherein the code representing the instruction to increment includes code representing an instruction to increment the flow state value from the first flow state value to the second flow state value after a delay that is based on a signature of the data packet.

12. A processor-readable non-transitory medium storing code representing instructions that when executed by a processor cause the processor to:
- update, at a memory location and after a time period has expired, a flow state value associated with a data flow when at least one of a packet from the data flow is received or the memory location is selected, the data flow being associated with the memory location based on a hash value calculated using at least a portion of the packet,the update of the flow state value associated with the data flow is based on a progression through a series of flow state values including a first flow state value, a second flow state value, and a third flow state value, the flow state value associated with the data flow is incremented from the first flow state value to the second flow state value when (1) the packet is received, (2) the memory location of the first flow state value is identified based on an index value of the packet, and (3) the first flow state value is less than the second flow state value, the flow state value associated with the data flow is decremented within the series of flow state values from the first flow state value to the third flow state value after the first time period has expired, the flow state value associated with the data flow being a numerical count of a number of data packets that have been transmitted in connection to the data flow;
  
  conduct deep packet inspection on at least the portion of the packet in response to the flow state value associated with the data flow matching a threshold flow state value that indicates a network data flow anomaly; and
  
  send a notice indicating the network data flow anomaly.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The processor-readable medium of claim 12, wherein the memory location is within a memory, the time period corresponds with a processing cycle time period associated with a plurality of flow state values stored in the memory and including the first flow state value and the second flow state value.
  - 14. The processor-readable medium of claim 12, wherein the memory location is within a memory, the time period corresponds with a processing cycle time period defined, at least in part, by a number of flow state values within a plurality of flow state values stored in the memory and including the first flow state value and the second flow state value.
  - 15. The processor-readable medium of claim 12, wherein the time period has a duration defined such that the second flow state value represents the flow rate of the network data flow anomaly when a predefined number of packets from the data flow are received during the time period.
  - 16. The processor-readable medium of claim 12, wherein the packet is received at a flow module of the processor, and the memory location is selected at the flow module, the update of the flow state value associated with the data flow is performed at the flow module.
  - 17. The processor-readable medium of claim 12, wherein the data flow is identified as a new data flow in response to the flow state value associated with the data flow being updated.
  - 18. The processor-readable medium of claim 12, wherein the incrementing of the flow state value associated with the data flow from the first flow state value to the second flow state value is delayed based on a signature of the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Aybay, Gunes
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
RUBIN, BLAKE J

Application Number

US15/043,037
Publication Number

US 20160164765A1
Time in Patent Office

816 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/0894   Packet rate

H04L 43/18   Protocol analysers

H04L 47/10   Flow control; Congestion co...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Methods and apparatus for tracking data flow based on flow state values

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for tracking data flow based on flow state values

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links