Intra-datacenter attack detection
First Claim
1. A computer-implemented method, comprising:
- capturing, by a datacenter analytics module, traffic that includes intra-datacenter flows and extra-datacenter flows;
- identifying with the captured traffic a subset of the intra-datacenter flows;
- comparing, by the datacenter analytics module, the subset of the intra-datacenter flows with historical intra-datacenter-data flows, the comparing comprising an iterative comparison utilizing an increasing amount of granularity;
- determining, by the datacenter analytics module, that the subset of the intra-datacenter flows corresponds to anomalous traffic based on the comparison;
- analyzing, by the datacenter analytics module, the subset of the intra-datacenter flows to determine whether the subset of the intra-datacenter flows corresponds to a malicious attack; and
- dropping the subset of the intra-datacenter flows in response to the analyzing making a determination that the subset of the intra-datacenter flows corresponds to a malicious attack.
1 Assignment
0 Petitions
Abstract
An example method can include receiving a traffic report from a sensor and using the traffic report to detect intra-datacenter flows. These intra-datacenter flows can then be compared with a description of historical flows. The description of historical flows can identify characteristics of normal and malicious flows. Based on the comparison, the flows can be classified and tagged as normal, malicious, or anomalous. If the flows are tagged as malicious or anomalous, corrective action can be taken with respect to the flows. A description of the flows can then be added to the description of historical flows.
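The pipeline the abstract and claim 1 describe (capture traffic, select the intra-datacenter subset, compare it with a description of historical flows at increasing granularity, tag flows as normal or anomalous, analyze the anomalous ones for an attack, drop the malicious ones, and write the outcome back into the history), as an added worked example. This is illustrative code written for this page, not the patent's implementation: the datacenter prefix, the three granularity levels (subnet pair, host pair, service), the volume and fan-out thresholds, the "malicious service" notion in the history, and the sample flows are all assumptions.

```python
"""Coarse-to-fine intra-datacenter flow classification against a historical
baseline. Illustrative code, not the patent's implementation; the prefix,
levels, thresholds and sample flows below are assumptions."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

DC_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed datacenter address space
VOLUME_FACTOR = 4.0  # assumed: more than 4x the historical mean bytes is anomalous
SCAN_FANOUT = 8      # assumed: one source reaching >= 8 never-seen services is a scan


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def is_intra_dc(f):
    """Both endpoints inside the datacenter prefix (the intra-DC subset)."""
    return ipaddress.ip_address(f.src) in DC_NET and ipaddress.ip_address(f.dst) in DC_NET


def subnet(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


# Granularity levels, coarse to fine; each maps a flow to a comparison key.
LEVELS = [
    ("subnet-pair", lambda f: (subnet(f.src), subnet(f.dst))),
    ("host-pair", lambda f: (f.src, f.dst)),
    ("service", lambda f: (f.src, f.dst, f.proto, f.dport)),
]
SERVICE_KEY = LEVELS[2][1]


class History:
    """Description of historical flows: per-level byte totals and counts of
    normal traffic, plus service keys previously confirmed malicious."""

    def __init__(self, normal_flows, malicious_services=()):
        self.total = {name: Counter() for name, _ in LEVELS}
        self.count = {name: Counter() for name, _ in LEVELS}
        self.malicious = set(malicious_services)
        for f in normal_flows:
            self.learn(f)

    def learn(self, f):
        for name, key in LEVELS:
            self.total[name][key(f)] += f.nbytes
            self.count[name][key(f)] += 1

    def mean_bytes(self, level, k):
        n = self.count[level][k]
        return self.total[level][k] / n if n else None


def compare(history, f):
    """Iterative comparison with increasing granularity: stop at the first
    level where the flow is unseen or far above its historical mean. Returns
    that level's name, or None when the flow matches history at every level."""
    for name, key in LEVELS:
        mean = history.mean_bytes(name, key(f))
        if mean is None or f.nbytes > VOLUME_FACTOR * mean:
            return name
    return None


def analyze(history, anomalous):
    """Anomalous flows that correspond to an attack: a service key already
    recorded as malicious, or one source fanning out to many unseen services."""
    unseen = [f for f in anomalous if history.mean_bytes("service", SERVICE_KEY(f)) is None]
    fanout = Counter(f.src for f in unseen)
    return {f for f in anomalous
            if SERVICE_KEY(f) in history.malicious or fanout[f.src] >= SCAN_FANOUT}


def process(history, captured):
    """One capture through the pipeline: malicious flows are dropped, other
    anomalous flows are surfaced for corrective action, the history is updated."""
    intra = [f for f in captured if is_intra_dc(f)]
    verdicts = [(f, compare(history, f)) for f in intra]
    normal = [f for f, level in verdicts if level is None]
    anomalous = [f for f, level in verdicts if level is not None]
    malicious = analyze(history, anomalous)
    for f in normal:
        history.learn(f)  # only flows tagged normal extend the baseline
    history.malicious |= {SERVICE_KEY(f) for f in malicious}
    return {"normal": normal,
            "anomalous": [f for f in anomalous if f not in malicious],
            "dropped": [f for f in anomalous if f in malicious]}


def sample_history():
    """Constructed baseline: two web hosts querying one database host, plus
    one service (ssh from a web host to the db host) recorded as malicious."""
    normal = [Flow(src, "10.1.2.20", "tcp", 5432, 20_000)
              for src in ("10.1.1.10", "10.1.1.11") for _ in range(50)]
    return History(normal, malicious_services=[("10.1.1.11", "10.1.2.20", "tcp", 22)])


def sample_capture():
    """Constructed capture: a normal query, a volume spike, an extra-DC flow,
    a flow matching the recorded malicious service, and a 10-port scan."""
    scan = [Flow("10.1.3.99", "10.1.2.20", "tcp", port, 60) for port in range(1, 11)]
    return [
        Flow("10.1.1.10", "10.1.2.20", "tcp", 5432, 21_000),
        Flow("10.1.1.10", "10.1.2.20", "tcp", 5432, 900_000),
        Flow("203.0.113.5", "10.1.2.20", "tcp", 443, 500),
        Flow("10.1.1.11", "10.1.2.20", "tcp", 22, 300),
    ] + scan
```

Running `process(sample_history(), sample_capture())` tags the 21 kB query as normal, the 900 kB spike as anomalous (it diverges at the coarsest level but matches no attack characteristic), and drops the ssh flow and the ten scan flows; the extra-datacenter flow never enters the comparison. Two caveats a practitioner would add: the baseline is only as clean as the history it was built from, so learning exclusively from flows tagged normal limits but does not remove the risk of enshrining an attacker's traffic as baseline, and static thresholds like the ones assumed here need per-tier tuning in a real datacenter.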
632 Citations
20 Claims
1. A computer-implemented method (independent claim; reproduced in full under First Claim above). Dependent claims 2, 3, 4, 5, 6 and 7 depend from claim 1.

8. A non-transitory computer-readable medium comprising instructions stored thereon, the instructions, when executed, cause a computing device, which analyzes intra-datacenter flows and extra-datacenter flows, to perform operations comprising:
- capture traffic that includes intra-datacenter flows and extra-datacenter flows;
- identify with the captured traffic a subset of the intra-datacenter flows;
- compare the subset of the intra-datacenter flows with historical intra-datacenter-data flows, the compare comprising an iterative comparison utilizing an increasing amount of granularity;
- determine that the subset of the intra-datacenter flows corresponds to anomalous traffic based on the comparison;
- analyze the subset of the intra-datacenter flows to determine whether the subset of the intra-datacenter flows corresponds to a malicious attack; and
- dropping the subset of the intra-datacenter flows in response to the analyze making a determination that the subset of the intra-datacenter flows corresponds to a malicious attack.
Dependent claims 9, 10, 11, 12, 13 and 14 depend from claim 8.

15. A system, comprising:
- a non-transitory computer readable memory storing instructions;
- a processor programmed to cooperate with the instructions to perform operations comprising:
  - capturing, by a datacenter analytics module, traffic that includes intra-datacenter flows and extra-datacenter flows;
  - identifying with the captured traffic a subset of the intra-datacenter flows;
  - comparing, by the datacenter analytics module, the subset of the intra-datacenter flows with historical intra-datacenter-data flows, the comparing comprising an iterative comparison utilizing an increasing amount of granularity;
  - determining, by the datacenter analytics module, that the subset of the intra-datacenter flows corresponds to anomalous traffic based on the comparison;
  - analyzing, by the datacenter analytics module, the subset of the intra-datacenter flows to determine whether the subset of the intra-datacenter flows corresponds to a malicious attack; and
  - dropping the subset of the intra-datacenter flows in response to the analyzing making a determination that the subset of the intra-datacenter flows corresponds to a malicious attack.
Dependent claims 16, 17, 18, 19 and 20 depend from claim 15.
Specification