Intra-datacenter attack detection

US 10,567,247 B2
Filed: 05/03/2016
Issued: 02/18/2020
Est. Priority Date: 06/05/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

capturing, by a datacenter analytics module, traffic that includes intra-datacenter flows and extra-datacenter flows;

identifying with the captured traffic a subset of the intra-datacenter flows;

comparing, by the datacenter analytics module, the subset of the intra-datacenter flows with historical intra-datacenter-data flows, the comparing comprising an iterative comparison utilizing an increasing amount of granularity;

determining, by the datacenter analytics module, that the subset of the intra-datacenter flows corresponds to anomalous traffic based on the comparison;

analyzing, by the datacenter analytics module, the subset of the intra-datacenter flows to determine whether the subset of the intra-datacenter flows corresponds to a malicious attack; and

dropping the subset of the intra-datacenter flows in response to the analyzing making a determination that the subset of the intra-datacenter flows corresponds to a malicious attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method can include receiving a traffic report from a sensor and using the traffic report to detect intra-datacenter flows. These intra-datacenter flows can then be compared with a description of historical flows. The description of historical flows can identify characteristics of normal and malicious flows. Based on the comparison, the flows can be classified and tagged as normal, malicious, or anomalous. If the flows are tagged as malicious or anomalous, corrective action can be taken with respect to the flows. A description of the flows can then be added to the description of historical flows.

632 Citations

20 Claims

1. A computer-implemented method, comprising:
- capturing, by a datacenter analytics module, traffic that includes intra-datacenter flows and extra-datacenter flows;
  
  identifying with the captured traffic a subset of the intra-datacenter flows;
  
  comparing, by the datacenter analytics module, the subset of the intra-datacenter flows with historical intra-datacenter-data flows, the comparing comprising an iterative comparison utilizing an increasing amount of granularity;
  
  determining, by the datacenter analytics module, that the subset of the intra-datacenter flows corresponds to anomalous traffic based on the comparison;
  
  analyzing, by the datacenter analytics module, the subset of the intra-datacenter flows to determine whether the subset of the intra-datacenter flows corresponds to a malicious attack; and
  
  dropping the subset of the intra-datacenter flows in response to the analyzing making a determination that the subset of the intra-datacenter flows corresponds to a malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the comparing includes:
    - determining a number of the subset of the intra-datacenter flows that include unique source hosts communicating with a common destination host.
  - 3. The computer-implemented method of claim 1, wherein obtaining the comparing includes:
    - determining a number of the subset of the intra-datacenter flows that include unique ports.
  - 4. The computer-implemented method of claim 1, wherein the subset of the intra-datacenter flows and the historical intra-datacenter-data flows are limited to flows between one source host and one destination host.
  - 5. The computer-implemented method of claim 1, wherein determining that the subset of the intra-datacenter flows corresponds to anomalous traffic includes:
    - determining a reputation score associated with a host corresponding to one of the subset of the intra-datacenter flows.
  - 6. The computer-implemented method of claim 1, wherein capturing the subset of the intra-datacenter flows includes:
    - receiving a traffic report that includes flow data from a first sensor installed on a host, a second sensor installed on a hypervisor, and a third sensor installed on a switch,wherein each of the first sensor, the second sensor, and the third sensor respectively report on packets sent from or through the host, the hypervisor, and the switch.
  - 7. The computer-implemented method of claim 1, further comprising:
    - capturing a subset of the extra-datacenter flows;
      
      determining that the subset of the intra-datacenter flows originates from one or more attacking hosts;
      
      determining, based on the subset of the extra-datacenter flows, that each of the one or more attacking hosts received a respective extra-datacenter flow of the subset of the extra-datacenter flows from a common host before initiating a respective intra-datacenter flow; and
      
      identifying the common host as an extra-datacenter flow control host by correlating each of the respective extra-datacenter flow with the common host.

8. A non-transitory computer-readable medium comprising instructions stored thereon, the instructions, when executed, cause a computing device, which analyzes intra-datacenter flows and extra-datacenter flows, to perform operations comprising:
- capture traffic that includes intra-datacenter flows and extra-datacenter flows;
  
  identify with the captured traffic a subset of the intra-datacenter flows;
  
  compare the subset of the intra-datacenter flows with historical intra-datacenter-data flows, the compare comprising an iterative comparison utilizing an increasing amount of granularity;
  
  determine that the subset of the intra-datacenter flows corresponds to anomalous traffic based on the comparison;
  
  analyze the subset of the intra-datacenter flows to determine whether the subset of the intra-datacenter flows corresponds to a malicious attack; and
  
  dropping the subset of the intra-datacenter flows in response to the analyze making a determination that the subset of the intra-datacenter flows corresponds to a malicious attack.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, wherein the instructions, when executed to cause the computing device to obtain the comparison, include causing the computing device to:
    - determine a number of the subset of the intra-datacenter flows that include unique source hosts communicating to a common destination host.
  - 10. The non-transitory computer-readable medium of claim 8, wherein the instructions, when executed to cause the computing device to obtain the comparison, include causing the computing device to:
    - determine a number of the subset of the intra-datacenter flows that include unique ports.
  - 11. The non-transitory computer-readable medium of claim 8, wherein the subset of the intra-datacenter flows and the historical intra-datacenter-data flows are limited to flows between one source host and one destination host.
  - 12. The non-transitory computer-readable medium of claim 8, wherein the instructions, when executed to cause the computing device to determine that the subset of the intra-datacenter flow corresponds to anomalous traffic, include causing the computing device to:
    - determine a reputation score associated with a host corresponding to one of the subset of the intra-datacenter flows.
  - 13. The non-transitory computer-readable medium of claim 8, wherein the instructions, when executed to cause the computing device to capture the subset of the intra-datacenter flows, include causing the computing device to:
    - receive a traffic report that includes flow data from a first sensor installed on a host, a second sensor installed on a hypervisor, and a third sensor installed on a switch,wherein each of the first sensor, the second sensor, and the third sensor respectively report on packets sent from or through the host, the hypervisor, and the switch.
  - 14. The non-transitory computer-readable medium of claim 8, wherein the instructions when executed further cause the computing device to:
    - capture a subset of the extra-datacenter flows;
      
      determine that the subset of the intra-datacenter flows originates from one or more attacking hosts;
      
      determine, based on the subset of the extra-datacenter flows, that each of the one or more attacking hosts received a respective extra-datacenter flow of the subset of the extra-datacenter flows from a common host before initiating a respective intra-datacenter flow; and
      
      identify the common host as an extra-datacenter flow control host by correlating each of the respective extra-datacenter flow with the common host.

15. A system, comprising:
- a non-transitory computer readable memory storing instructions;
  
  a processor programmed to cooperate with the instructions to perform operations comprising;
  
  capturing, by a datacenter analytics module, traffic that includes intra-datacenter flows and extra-datacenter flows;
  
  identifying with the captured traffic a subset of the intra-datacenter flows;
  
  comparing, by the datacenter analytics module, the subset of the intra-datacenter flows with historical intra-datacenter-data flows, the comparing comprising an iterative comparison utilizing an increasing amount of granularity;
  
  determining, by the datacenter analytics module, that the subset of the intra-datacenter flows corresponds to anomalous traffic based on the comparison;
  
  analyzing, by the datacenter analytics module, the subset of the intra-datacenter flows to determine whether the subset of the intra-datacenter flows corresponds to a malicious attack; and
  
  dropping the subset of the intra-datacenter flows in response to the analyzing making a determination that the subset of the intra-datacenter flows corresponds to a malicious attack.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the comparing includes:
    - determining a number of the subset of the intra-datacenter flows that include unique source hosts communicating with a common destination host.
  - 17. The system of claim 15, wherein obtaining the comparing includes:
    - determining a number of the subset of the intra-datacenter flows that include unique ports.
  - 18. The system of claim 15, wherein the subset of the intra-datacenter flows and the historical intra-datacenter-data flows are limited to flows between one source host and one destination host.
  - 19. The system of claim 15, wherein capturing the subset of the intra-datacenter flows includes:
    - receiving a traffic report that includes flow data from a first sensor installed on a host, a second sensor installed on a hypervisor, and a third sensor installed on a switch,wherein each of the first sensor, the second sensor, and the third sensor respectively report on packets sent from or through the host, the hypervisor, and the switch.
  - 20. The system of claim 15, further comprising:
    - capturing a subset of the extra-datacenter flows;
      
      determining that the subset of the intra-datacenter flows originates from one or more attacking hosts;
      
      determining, based on the subset of the extra-datacenter flows, that each of the one or more attacking hosts received a respective extra-datacenter flow of the subset of the extra-datacenter flows from a common host before initiating a respective intra-datacenter flow; and
      
      identifying the common host as an extra-datacenter flow control host by correlating each of the respective extra-datacenter flow with the common host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kulshreshtha, Ashutosh, Rao, Supreeth Hosur Nagesh, Yadav, Navindra, Gupta, Anubhav, Gupta, Sunil Kumar, Malhorta, Varun Sagar, Gandham, Shashidhar
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/145,630
Publication Number

US 20160359877A1
Time in Patent Office

1,386 Days
Field of Search

718 1, 726 11, 726 22, 726 23, 726 1
US Class Current
CPC Class Codes

G06F 16/122   using management policies b...

G06F 16/137   Hash-based content-based in...

G06F 16/162   Delete operations erasing i...

G06F 16/17   Details of further file sys...

G06F 16/173   Customisation support for f...

G06F 16/174   Redundancy elimination perf...

G06F 16/1744   using compression, e.g. spa...

G06F 16/1748   De-duplication implemented ...

G06F 16/2322   using timestamps

G06F 16/235   Update request formulation

G06F 16/2365   Ensuring data consistency a...

G06F 16/24578   using ranking

G06F 16/248   Presentation of query results

G06F 16/285   Clustering or classification

G06F 16/288   Entity relationship models

G06F 16/29   Geographical information da...

G06F 16/9535   Search customisation based ...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595 : Network integration; Enabli...

G06F 21/53 : by executing in a restricte...

G06F 21/552 : involving long-term monitor...

G06F 21/556 : involving covert channels, ...

G06F 21/566 : Dynamic detection, i.e. det...

G06F 2221/033 : Test or assess software

G06F 2221/2101 : Auditing as a secondary aspect

G06F 2221/2105 : Dual mode as a secondary as...

G06F 2221/2111 : Location-sensitive, e.g. ge...

G06F 2221/2115 : Third party

G06F 2221/2145 : Inheriting rights or proper...

G06F 3/0482 : Interaction with lists of s...

G06F 3/04842 : Selection of displayed obje...

G06F 3/04847 : Interaction techniques to c...

G06F 9/45558 : Hypervisor-specific managem...

G06N 20/00 : Machine learning

G06N 99/00 : Subject matter not provided...

G06T 11/206 : Drawing of charts or graphs

H04J 3/0661 : using timestamps

H04J 3/14 : Monitoring arrangements for...

H04L 1/242 : by comparing a transmitted ...

H04L 41/046 : comprising network manageme...

H04L 41/0668 : by dynamic selection of rec...

H04L 41/0803 : Configuration setting

H04L 41/0806 : for initial configuration o...

H04L 41/0816 : the condition being an adap...

H04L 41/0893 : Assignment of logical group...

H04L 41/0894 : Policy-based network config...

H04L 41/12 : Discovery or management of ...

H04L 41/16 : using machine learning or a...

H04L 41/22 : comprising specially adapte...

H04L 41/40 : using virtualisation of net...

H04L 43/02 : Capturing of monitoring data

H04L 43/026 : using flow identification

H04L 43/04 : Processing captured monitor...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 43/0805 : by checking availability

H04L 43/0811 : by checking connectivity

H04L 43/0829 : Packet loss

H04L 43/0841 : Round trip packet loss

H04L 43/0858 : One way delays

H04L 43/0864 : Round trip delays

H04L 43/0876 : Network utilisation, e.g. v...

H04L 43/0882 : Utilisation of link capacity

H04L 43/0888 : Throughput

H04L 43/10 : Active monitoring, e.g. hea...

H04L 43/106 : using time related informat...

H04L 43/12 : Network monitoring probes

H04L 43/16 : Threshold monitoring

H04L 43/20 : the monitoring system or th...

H04L 45/306 : Route determination based o...

H04L 45/38 : Flow based routing

H04L 45/46 : Cluster building

H04L 45/507 : Label distribution

H04L 45/66 : Layer 2 routing, e.g. in Et...

H04L 45/74 : Address processing for routing

H04L 47/11 : Identifying congestion

H04L 47/20 : Traffic policing

H04L 47/2441 : relying on flow classificat...

H04L 47/2483 : involving identification of...

H04L 47/28 : in relation to timing consi...

H04L 47/31 : by tagging of packets, e.g....

H04L 47/32 : by discarding or delaying d...

H04L 61/5007 : Internet protocol [IP] addr...

H04L 63/0227 : Filtering policies mail mes...

H04L 63/0263 : Rule management

H04L 63/06 : for supporting key manageme...

H04L 63/0876 : based on the identity of th...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/145 : the attack involving the pr...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 63/16 : Implementing security featu...

H04L 63/20 : for managing network securi...

H04L 67/01 : Protocols

H04L 67/10 : in which an application is ...

H04L 67/1001 : for accessing one among a p...

H04L 67/12 : specially adapted for propr...

H04L 67/51 : Discovery or management the...

H04L 67/535 : Tracking the activity of th...

H04L 67/75 : Indicating network or usage...

H04L 69/16 : Implementation or adaptatio...

H04L 69/22 : Parsing or analysis of headers

H04L 7/10 : Arrangements for initial sy...

H04L 9/0866 : involving user or device id...

H04L 9/3239 : involving non-keyed hash fu...

H04L 9/3242 : involving keyed hash functi...

H04W 72/54 : based on quality criteria

H04W 84/18 : Self-organising networks, e...

View All

Intra-datacenter attack detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

632 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Intra-datacenter attack detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

632 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others