MDL-based clustering for application dependency mapping

US 10,326,672 B2
Filed: 05/03/2016
Issued: 06/18/2019
Est. Priority Date: 06/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing network flow data using sensors executing on servers of a data center network and sensors executing on networking devices connected to the servers;

determining a graph including nodes representing the servers and observed edges and unobserved edges representing the network flow data in which the observed edges between any pair of nodes of the graph indicate there are one or more observed flows between a pair of servers represented by that pair of nodes and in which the unobserved edges between any pair of nodes of the graph indicates there are no observed flows between a pair of servers represented by that pair of nodes;

determining different clusterings of the nodes of the graph in which each clustering includes clusters of one or more nodes of the graph;

determining a minimum description length (MDL) score for each clustering in which the MDL score aggregates a description length of each cluster of the clustering and in which the description length of each cluster is computed based on a minimum value between a number of the observed edges of the graph from the cluster to each other cluster of the clustering and a number of the unobserved edges of the graph from the cluster to each other cluster of the clustering;

identifying a first clustering having a minimum value for the MDL score among the different clusterings; and

generating an application dependency map including representations of applications executing in the data center network and representations of application dependencies in which the representations of applications each correspond to one of the clusters of the first clustering and the representations of application dependencies each correspond to one of the observed edges of the first clustering.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Application dependency mapping (ADM) can be automated in a network. The network can determine an optimum number of clusters for the network using the minimum description length principle (MDL). The network can capture network and associated data using a sensor network that provides multiple perspectives and generate a graph therefrom. The nodes of the graph can include sources, destinations, and destination ports identified in the captured data, and the edges of the graph can include observed flows from the sources to the destinations at the destination ports. Each clustering can be evaluated according to an MDL score. The optimum number of clusters for the network may correspond to the number of clusters of the clustering associated with the minimum MDL score.

573 Citations

19 Claims

1. A method comprising:
- capturing network flow data using sensors executing on servers of a data center network and sensors executing on networking devices connected to the servers;
  
  determining a graph including nodes representing the servers and observed edges and unobserved edges representing the network flow data in which the observed edges between any pair of nodes of the graph indicate there are one or more observed flows between a pair of servers represented by that pair of nodes and in which the unobserved edges between any pair of nodes of the graph indicates there are no observed flows between a pair of servers represented by that pair of nodes;
  
  determining different clusterings of the nodes of the graph in which each clustering includes clusters of one or more nodes of the graph;
  
  determining a minimum description length (MDL) score for each clustering in which the MDL score aggregates a description length of each cluster of the clustering and in which the description length of each cluster is computed based on a minimum value between a number of the observed edges of the graph from the cluster to each other cluster of the clustering and a number of the unobserved edges of the graph from the cluster to each other cluster of the clustering;
  
  identifying a first clustering having a minimum value for the MDL score among the different clusterings; and
  
  generating an application dependency map including representations of applications executing in the data center network and representations of application dependencies in which the representations of applications each correspond to one of the clusters of the first clustering and the representations of application dependencies each correspond to one of the observed edges of the first clustering.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein determining the MDL score for each clustering includes:
    - computing the number of the observed edges from each node of each cluster of the clustering to each node of each other cluster of the clustering;
      
      computing the of the unobserved edges between each node of each cluster of the clustering to each node of each other cluster of the clustering;
      
      determining a minimum value between the number of the observed edges and the number of the unobserved edges for each cluster of the clustering; and
      
      summing the minimum value between the number of the observed edges and the number of the observed edges for each cluster of the clustering.
  - 3. The method of claim 1, wherein the data center network includes a plurality of partitions, and:
    - each cluster of the different clusterings consists of one or more nodes of a single partition.
  - 4. The method of claim 1, wherein a portion of the nodes of the graph represent destination servers and destination server ports.
  - 5. The method of claim 1, further comprising:
    - determining a weight for one or more of the observed edges of the graph based on a number of the observed flows corresponding to the one or more observed edges,wherein the MDL score for each clustering is further determined based at least in part on the weight.
  - 6. The method of claim 1, wherein each cluster of the first clustering corresponds to a respective endpoint group.
  - 7. The method of claim 1, wherein a one of the servers of the data center network is a virtual partition, and the sensors executing on the servers of the data center network include a first sensor executing within the virtual partition and a second sensor executing on a physical server hosting the virtual partition.
  - 8. The method of claim 1, further comprising:
    - capturing data in a second domain corresponding to the network flow data,wherein a portion of the nodes of the graph represent servers and attributes of the second domain.
  - 9. The method of claim 8, wherein the second domain is at least one of a host domain, a process domain, a user domain, a virtualization domain, or a tenant domain.
  - 10. The method of claim 1, further comprising:
    - identifying an application dependency between a first application of the application dependency map and a second application of the application dependency map; and
      
      determining a policy allowing traffic from the first application to the second application.
  - 11. The method of claim 10, further comprising:
    - enforcing the policy within a simulated environment corresponding to the data center network using at least one of historical ground truth traffic data or real time ground truth traffic data.

12. A system comprising:
- one or more processors; and
  
  memory including instructions that, upon being executed by the one or more processors, cause the system to;
  
  capture network flow data using sensors executing on servers of a data center network and sensors executing on networking devices connected to the servers;
  
  determine a graph including nodes representing the servers and observed edges and unobserved edges representing the network flow data in which the observed edges between any pair of nodes of the graph indicate there are one or more observed flows between a pair of servers represented by that pair of nodes and in which the unobserved edges between any pair of nodes of the graph indicates there are no observed flows between a pair of servers represented by that pair of nodes;
  
  determine different clusterings of the nodes of the graph in which each clustering includes clusters of one or more nodes of the graph; and
  
  determine a minimum description length (MDL) score for each clustering of the different clusterings in which the MDL score aggregates a description length of each cluster of the clustering and in which the description length of each cluster is computed based on a minimum value between a number of the observed edges of the graph from the cluster to each other cluster of the clustering and a number of the unobserved edges of the graph from the cluster to each other cluster of the clustering;
  
  identify a first clustering having a minimum value for the MDL score among the different clusterings; and
  
  generate an application dependency map including representations of applications executing in the data center network and representations of application dependencies in which the representations of applications each correspond to one of the clusters of the first clustering and the representations of application dependencies each correspond to one of the observed edges of the first clustering.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the instructions upon being executed further cause the system:
    - compute the number of the observed edges from each node of each cluster of the clustering to each node of each other cluster of the clustering;
      
      compute the number of the unobserved edges from each node of each cluster of the clustering to each node of each other cluster of the clustering;
      
      determine a minimum value between the number of the observed edges and the number of the unobserved edges for each cluster of the clustering; and
      
      sum the minimum value between the number of the observed edges and the number of the unobserved edges for each cluster of the clustering.
  - 14. The system of claim 12, wherein the data center network includes a plurality of partitions, andeach cluster of the different clusterings consists of one or more nodes of a single partition.
  - 15. The system of claim 14, wherein the instructions upon being executed further cause the system to:
    - capture data in a second domain corresponding to the network flow data,wherein a portion of the nodes of the graph represent servers and attributes of the second domain, andwherein the second domain is at least one of a host domain, a process domain, a user domain, a virtualization domain, or a tenant domain.

16. A non-transitory computer-readable medium having computer readable instructions that, upon being executed by one or more processors, cause the one or more processors to:
- capture network flow data using sensors executing on a servers of a data center network and sensors executing on networking devices connected to the servers;
  
  determine a graph including nodes representing the servers and observed edges and unobserved edges representing the network flow data in which the observed edges between any pair of nodes of the graph indicate there are one or more observed flows between a pair of servers represented by that pair of nodes and in which the unobserved edges between any pair of nodes of the graph indicates there are no observed flows between a pair of servers represented by that pair of nodes;
  
  determine different clusterings of the nodes of the graph in which each clustering includes clusters of one or more nodes of the graph;
  
  determine a minimum description length (MDL) score for each clustering of the different clusterings in which the MDL score sums a description length of each cluster of the clustering and in which the description length of each cluster is computed based on a minimum value between a number of the observed edges of the graph from the cluster to each other cluster of the clustering and a number of the unobserved edges of the graph from the cluster to each other cluster of the clustering;
  
  identify a first clustering having a minimum value for the MDL score among the different clusterings; and
  
  generate an application dependency map including representations of applications executing in the data center network and representations of application dependencies in which the representations of applications each correspond to one of the clusters of the first clustering and the representations of application dependencies each correspond to one of the observed edges of the first clustering.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the instructions upon being executed further cause the one or more processors to:
    - determine a weight for one or more observed edges of the graph based on a number of the observed flows corresponding to the one or more observed edges,wherein the MDL score for each clustering is further determined based at least in part on the weight.
  - 18. The non-transitory computer-readable medium of claim 16, wherein the instructions upon being executed further cause the one or more processors to:
    - identify an application dependency between a first application of the application dependency map and a second application of the application dependency map; and
      
      determine a policy allowing traffic from the first application to the second application.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the instructions upon being executed further cause the one or more processors to:
    - enforce the policy within a simulated environment corresponding to the data center network using at least one of historical ground truth traffic data or real time ground truth traffic data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Scheib, Ellen Christine, Parandehgheibi, Ali, Madani, Omid, Jeyakumar, Vimalkumar, Yadav, Navindra, Alizadeh Attar, Mohammadreza
Primary Examiner(s)
Khan, Aftab N.

Application Number

US15/145,666
Publication Number

US 20160359697A1
Time in Patent Office

1,141 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/122   using management policies b...

G06F 16/137   Hash-based content-based in...

G06F 16/162   Delete operations erasing i...

G06F 16/17   Details of further file sys...

G06F 16/173   Customisation support for f...

G06F 16/174   Redundancy elimination perf...

G06F 16/1744   using compression, e.g. spa...

G06F 16/1748   De-duplication implemented ...

G06F 16/2322   using timestamps

G06F 16/235   Update request formulation

G06F 16/2365   Ensuring data consistency a...

G06F 16/24578   using ranking

G06F 16/248   Presentation of query results

G06F 16/285   Clustering or classification

G06F 16/288   Entity relationship models

G06F 16/29   Geographical information da...

G06F 16/9535   Search customisation based ...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595 : Network integration; Enabli...

G06F 21/53 : by executing in a restricte...

G06F 21/552 : involving long-term monitor...

G06F 21/556 : involving covert channels, ...

G06F 21/566 : Dynamic detection, i.e. det...

G06F 2221/033 : Test or assess software

G06F 2221/2101 : Auditing as a secondary aspect

G06F 2221/2105 : Dual mode as a secondary as...

G06F 2221/2111 : Location-sensitive, e.g. ge...

G06F 2221/2115 : Third party

G06F 2221/2145 : Inheriting rights or proper...

G06F 3/0482 : Interaction with lists of s...

G06F 3/04842 : Selection of displayed obje...

G06F 3/04847 : Interaction techniques to c...

G06F 9/45558 : Hypervisor-specific managem...

G06N 20/00 : Machine learning

G06N 99/00 : Subject matter not provided...

G06T 11/206 : Drawing of charts or graphs

H04J 3/0661 : using timestamps

H04J 3/14 : Monitoring arrangements for...

H04L 1/242 : by comparing a transmitted ...

H04L 41/046 : comprising network manageme...

H04L 41/0668 : by dynamic selection of rec...

H04L 41/0803 : Configuration setting

H04L 41/0806 : for initial configuration o...

H04L 41/0816 : the condition being an adap...

H04L 41/0893 : Assignment of logical group...

H04L 41/0894 : Policy-based network config...

H04L 41/12 : Discovery or management of ...

H04L 41/16 : using machine learning or a...

H04L 41/22 : comprising specially adapte...

H04L 41/40 : using virtualisation of net...

H04L 43/02 : Capturing of monitoring data

H04L 43/026 : using flow identification

H04L 43/04 : Processing captured monitor...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 43/0805 : by checking availability

H04L 43/0811 : by checking connectivity

H04L 43/0829 : Packet loss

H04L 43/0841 : Round trip packet loss

H04L 43/0858 : One way delays

H04L 43/0864 : Round trip delays

H04L 43/0876 : Network utilisation, e.g. v...

H04L 43/0882 : Utilisation of link capacity

H04L 43/0888 : Throughput

H04L 43/10 : Active monitoring, e.g. hea...

H04L 43/106 : using time related informat...

H04L 43/12 : Network monitoring probes

H04L 43/16 : Threshold monitoring

H04L 43/20 : the monitoring system or th...

H04L 45/306 : Route determination based o...

H04L 45/38 : Flow based routing

H04L 45/46 : Cluster building

H04L 45/507 : Label distribution

H04L 45/66 : Layer 2 routing, e.g. in Et...

H04L 45/74 : Address processing for routing

H04L 47/11 : Identifying congestion

H04L 47/20 : Traffic policing

H04L 47/2441 : relying on flow classificat...

H04L 47/2483 : involving identification of...

H04L 47/28 : in relation to timing consi...

H04L 47/31 : by tagging of packets, e.g....

H04L 47/32 : by discarding or delaying d...

H04L 61/5007 : Internet protocol [IP] addr...

H04L 63/0227 : Filtering policies mail mes...

H04L 63/0263 : Rule management

H04L 63/06 : for supporting key manageme...

H04L 63/0876 : based on the identity of th...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/145 : the attack involving the pr...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 63/16 : Implementing security featu...

H04L 63/20 : for managing network securi...

H04L 67/01 : Protocols

H04L 67/10 : in which an application is ...

H04L 67/1001 : for accessing one among a p...

H04L 67/12 : specially adapted for propr...

H04L 67/51 : Discovery or management the...

H04L 67/535 : Tracking the activity of th...

H04L 67/75 : Indicating network or usage...

H04L 69/16 : Implementation or adaptatio...

H04L 69/22 : Parsing or analysis of headers

H04L 7/10 : Arrangements for initial sy...

H04L 9/0866 : involving user or device id...

H04L 9/3239 : involving non-keyed hash fu...

H04L 9/3242 : involving keyed hash functi...

H04W 72/54 : based on quality criteria

H04W 84/18 : Self-organising networks, e...

View All

MDL-based clustering for application dependency mapping

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

573 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

MDL-based clustering for application dependency mapping

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

573 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links