Augmenting flow data for improved network monitoring and management

US 10,177,998 B2
Filed: 06/03/2016
Issued: 01/08/2019
Est. Priority Date: 06/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing one or more packet header attributes for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow;

determining one or more additional attributes of the first flow using at least the first sensor, the one or more additional attributes including at least one of a host attribute, a virtualization attribute, a process attribute, or a user attribute of the first flow;

normalizing at least one of the one or more additional attributes by calculating a term frequency-inverse document frequency of the at least one of the one or more additional attributes;

calculating a first feature vector that includes at least the one or more packet header attributes and the one or more additional attributes including the at least one normalized attribute;

determining a policy for the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow, the second feature vector being features or attributes of the second flow; and

applying the policy to one or more third flows that are considered similar to the first flow based on second predefined criteria.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Flow data can be augmented with features or attributes from other domains, such as attributes from a source host and/or destination host of a flow, a process initiating the flow, and/or a process owner or user. A network can be configured to capture network or packet header attributes of a first flow and determine additional attributes of the first flow using a sensor network. The sensor network can include sensors for networking devices (e.g., routers, switches, network appliances), physical servers, hypervisors or container engines, and virtual partitions (e.g., virtual machines or containers). The network can calculate a feature vector including the packet header attributes and additional attributes to represent the first flow. The network can compare the feature vector of the first flow to respective feature vectors of other flows to determine an applicable policy, and enforce that policy for subsequent flows.

603 Citations

19 Claims

1. A method comprising:
- capturing one or more packet header attributes for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow;
  
  determining one or more additional attributes of the first flow using at least the first sensor, the one or more additional attributes including at least one of a host attribute, a virtualization attribute, a process attribute, or a user attribute of the first flow;
  
  normalizing at least one of the one or more additional attributes by calculating a term frequency-inverse document frequency of the at least one of the one or more additional attributes;
  
  calculating a first feature vector that includes at least the one or more packet header attributes and the one or more additional attributes including the at least one normalized attribute;
  
  determining a policy for the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow, the second feature vector being features or attributes of the second flow; and
  
  applying the policy to one or more third flows that are considered similar to the first flow based on second predefined criteria.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining that the first flow corresponds to one of routine traffic, anomalous traffic, misconfigured traffic, or malicious traffic based at least in part on the similarity between the first feature vector and the second feature vector.
  - 3. The method of claim 2, further comprising:
    - determining that the similarity between the first feature vector and a second feature vector satisfies a first similarity threshold; and
      
      determining that a second similarity between the first feature vector and a third feature vector of a third flow satisfies a second similarity threshold.
  - 4. The method of claim 1, further comprising:
    - determining that a first endpoint that corresponds to the first flow and a second endpoint that corresponds to the second flow from at least a part of a first endpoint group based at least in part on the similarity between the first feature vector and the second feature vector.
  - 5. The method of claim 4, further comprising:
    - generating an application dependency map that includes at least the first endpoint group.
  - 6. The method of claim 1, wherein at least one of the additional attributes is a combination of attributes from a single domain.
  - 7. The method of claim 1, wherein at least one of the additional attributes is a combination of attributes from a plurality of domains.
  - 8. The method of claim 7, wherein the plurality of domains include two or more of a network domain, a virtualization domain, a process domain, or a user domain.
  - 9. The method of claim 7, wherein the plurality of domains includes at least a network domain.
  - 10. The method of claim 1, further comprising:
    - determining an I²norm of the term frequency-inverse document frequency vector.
  - 11. The method of claim 1, further comprising:
    - capturing one or more second packet header attributes for the second flow using at least a third sensor of one of a second source endpoint or a second destination endpoint of the second flow and one or more fourth sensors of one or more second networking devices along a second path of the second flow;
      
      determining one or more second additional attributes of the second flow using at least the third sensor; and
      
      calculating the second feature vector that includes the one or more second packet header attributes and the one or more second additional attributes.

12. A system comprising:
- a processor; and
  
  memory including instructions that, upon being executed by the processor, cause the system to;
  
  receive network data for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow;
  
  determine additional data corresponding to the first flow using at least the first sensor, the additional data including at least one of an attribute of the source endpoint or the destination endpoint, an attribute of a process initiating the first flow, or an attribute of an owner of the process;
  
  normalize at least one of the one or more additional attributes by calculating a term frequency-inverse document frequency of the at least one of the one or more additional attributes;
  
  calculate a first feature vector that includes at least the network data and the additional data including the at least one normalized attribute;
  
  determine a policy applicable to the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow, the second feature vector being features or attributes of the second flow; and
  
  apply the policy to one or more third flows that are considered similar to the first flow based on second predefined criteria.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the instructions upon being executed further cause the system to:
    - determine that the first flow corresponds to one of routine traffic, anomalous traffic, misconfigured traffic, or malicious traffic based at least in part on the similarity between the first feature vector and the second feature vector.
  - 14. The system of claim 13, wherein the instructions upon being executed further cause the system to:
    - determine that the similarity between the first feature vector and a second feature vector satisfies a first similarity threshold; and
      
      determine that a second similarity between the first feature vector and a third feature vector of a third flow satisfies a second similarity threshold.
  - 15. The system of claim 14, wherein the additional data includes at least one attribute representing a combination of attributes from a single domain.

16. A non-transitory computer-readable medium having computer readable instructions that, upon being executed by a processor, cause the processor to:
- receive network data for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow;
  
  determine additional data corresponding to the first flow using at least the first sensor, the additional data including at least one of an attribute of the source endpoint or the destination endpoint, an attribute of a process initiating the first flow, or an attribute of an owner of the process;
  
  normalize at least one of the -one or more additional attributes by calculating a term frequency-inverse document frequency of the at least one of the one or more additional attributes;
  
  calculate a first feature vector that includes at least the network data and the additional data including the at least one normalized attribute;
  
  determine a policy applicable to the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow, the second feature vector being features or attributes of the second flow; and
  
  apply the policy to one or more third flows that are considered similar to the first flow based on second predefined criteria.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the instructions upon being executed further cause the processor to:
    - determine that a first endpoint that corresponds to the first flow and a second endpoint that corresponds to the second flow from at least a part of a first endpoint group based at least in part on the similarity between the first feature vector and the second feature vector.
  - 18. The non-transitory computer-readable medium of claim 17, wherein the instructions further cause the processor to:
    - generate an application dependency map that includes at least the first endpoint group.
  - 19. The non-transitory computer-readable medium of claim 16, wherein the additional data includes at least one attribute representing a combination of attributes from a plurality of domains, and wherein the plurality of domains include two or more of a network domain, a virtualization domain, a process domain, or a user domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Parandehgheibi, Ali, Alizadeh Attar, Mohammadreza, Madani, Omid, Jeyakumar, Vimalkumar, Scheib, Ellen Christine, Yadav, Navindra
Primary Examiner(s)
Jung, Min

Application Number

US15/173,210
Publication Number

US 20160359740A1
Time in Patent Office

949 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/122   using management policies b...

G06F 16/137   Hash-based content-based in...

G06F 16/162   Delete operations erasing i...

G06F 16/17   Details of further file sys...

G06F 16/173   Customisation support for f...

G06F 16/174   Redundancy elimination perf...

G06F 16/1744   using compression, e.g. spa...

G06F 16/1748   De-duplication implemented ...

G06F 16/2322   using timestamps

G06F 16/235   Update request formulation

G06F 16/2365   Ensuring data consistency a...

G06F 16/24578   using ranking

G06F 16/248   Presentation of query results

G06F 16/285   Clustering or classification

G06F 16/288   Entity relationship models

G06F 16/29   Geographical information da...

G06F 16/9535   Search customisation based ...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595 : Network integration; Enabli...

G06F 21/53 : by executing in a restricte...

G06F 21/552 : involving long-term monitor...

G06F 21/556 : involving covert channels, ...

G06F 21/566 : Dynamic detection, i.e. det...

G06F 2221/033 : Test or assess software

G06F 2221/2101 : Auditing as a secondary aspect

G06F 2221/2105 : Dual mode as a secondary as...

G06F 2221/2111 : Location-sensitive, e.g. ge...

G06F 2221/2115 : Third party

G06F 2221/2145 : Inheriting rights or proper...

G06F 3/0482 : Interaction with lists of s...

G06F 3/04842 : Selection of displayed obje...

G06F 3/04847 : Interaction techniques to c...

G06F 9/45558 : Hypervisor-specific managem...

G06N 20/00 : Machine learning

G06N 99/00 : Subject matter not provided...

G06T 11/206 : Drawing of charts or graphs

H04J 3/0661 : using timestamps

H04J 3/14 : Monitoring arrangements for...

H04L 1/242 : by comparing a transmitted ...

H04L 41/046 : comprising network manageme...

H04L 41/0668 : by dynamic selection of rec...

H04L 41/0803 : Configuration setting

H04L 41/0806 : for initial configuration o...

H04L 41/0816 : the condition being an adap...

H04L 41/0893 : Assignment of logical group...

H04L 41/0894 : Policy-based network config...

H04L 41/12 : Discovery or management of ...

H04L 41/16 : using machine learning or a...

H04L 41/22 : comprising specially adapte...

H04L 41/40 : using virtualisation of net...

H04L 43/02 : Capturing of monitoring data

H04L 43/026 : using flow identification

H04L 43/04 : Processing captured monitor...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 43/0805 : by checking availability

H04L 43/0811 : by checking connectivity

H04L 43/0829 : Packet loss

H04L 43/0841 : Round trip packet loss

H04L 43/0858 : One way delays

H04L 43/0864 : Round trip delays

H04L 43/0876 : Network utilisation, e.g. v...

H04L 43/0882 : Utilisation of link capacity

H04L 43/0888 : Throughput

H04L 43/10 : Active monitoring, e.g. hea...

H04L 43/106 : using time related informat...

H04L 43/12 : Network monitoring probes

H04L 43/16 : Threshold monitoring

H04L 43/20 : the monitoring system or th...

H04L 45/306 : Route determination based o...

H04L 45/38 : Flow based routing

H04L 45/46 : Cluster building

H04L 45/507 : Label distribution

H04L 45/66 : Layer 2 routing, e.g. in Et...

H04L 45/74 : Address processing for routing

H04L 47/11 : Identifying congestion

H04L 47/20 : Traffic policing

H04L 47/2441 : relying on flow classificat...

H04L 47/2483 : involving identification of...

H04L 47/28 : in relation to timing consi...

H04L 47/31 : by tagging of packets, e.g....

H04L 47/32 : by discarding or delaying d...

H04L 61/5007 : Internet protocol [IP] addr...

H04L 63/0227 : Filtering policies mail mes...

H04L 63/0263 : Rule management

H04L 63/06 : for supporting key manageme...

H04L 63/0876 : based on the identity of th...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/145 : the attack involving the pr...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 63/16 : Implementing security featu...

H04L 63/20 : for managing network securi...

H04L 67/01 : Protocols

H04L 67/10 : in which an application is ...

H04L 67/1001 : for accessing one among a p...

H04L 67/12 : specially adapted for propr...

H04L 67/51 : Discovery or management the...

H04L 67/535 : Tracking the activity of th...

H04L 67/75 : Indicating network or usage...

H04L 69/16 : Implementation or adaptatio...

H04L 69/22 : Parsing or analysis of headers

H04L 7/10 : Arrangements for initial sy...

H04L 9/0866 : involving user or device id...

H04L 9/3239 : involving non-keyed hash fu...

H04L 9/3242 : involving keyed hash functi...

H04W 72/54 : based on quality criteria

H04W 84/18 : Self-organising networks, e...

View All

Augmenting flow data for improved network monitoring and management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

603 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Augmenting flow data for improved network monitoring and management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

603 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links