Adaptive network monitoring with tuneable elastic granularity

US 10,594,709 B2
Filed: 04/15/2019
Issued: 03/17/2020
Est. Priority Date: 02/07/2018
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers performs actions, comprising:

passively monitoring information that is associated with network traffic associated with one or more networks;

in response to a determination that one or more conditions associated with activating one or more triggers for the monitored information has occurred, performing actions, including;

ranking a priority for each activated trigger, wherein an allocation of one or more of compute, data storage, or network resources for each activated trigger is based on its rank;

modifying a deep packet level of inspection based on an available amount of the one or more of compute, data storage or network resources allocated to each activated trigger, wherein the modification initiates or stops the deep packet level of inspection for the monitored information; and

employing available resources to perform the deep packet level of inspection on packets that were communicated in the network traffic during the occurrence of the one or more conditions; and

providing analysis of the network traffic based on the monitored information and the deep packet level of inspection for the packets.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic using network computers. Monitoring triggers associated with one or more conditions and one or more actions may be provided. A monitoring engine may monitor information that is associated with network traffic associated with networks based on an inspection detail level. The monitoring engine may compare the monitored information to the conditions associated with the monitoring triggers. The monitoring engine may activate one or more monitoring triggers based on a result of the comparison. The monitoring engine may modify the inspection detail level based on the actions associated with the activated monitoring triggers to increase the amount of the information monitored by the monitoring engine. An analysis engine may provide analysis of the network traffic based on the monitored information.

228 Citations

20 Claims

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers performs actions, comprising:
- passively monitoring information that is associated with network traffic associated with one or more networks;
  
  in response to a determination that one or more conditions associated with activating one or more triggers for the monitored information has occurred, performing actions, including;
  
  ranking a priority for each activated trigger, wherein an allocation of one or more of compute, data storage, or network resources for each activated trigger is based on its rank;
  
  modifying a deep packet level of inspection based on an available amount of the one or more of compute, data storage or network resources allocated to each activated trigger, wherein the modification initiates or stops the deep packet level of inspection for the monitored information; and
  
  employing available resources to perform the deep packet level of inspection on packets that were communicated in the network traffic during the occurrence of the one or more conditions; and
  
  providing analysis of the network traffic based on the monitored information and the deep packet level of inspection for the packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the passive monitoring information, further comprises:
    - in response to a non-occurrence of the one or more conditions, performing another level of inspection of the packets that is less comprehensive than the deep packet level of inspection.
  - 3. The method of claim 1, wherein the determination that one or more conditions have occurred, further comprises:
    - employing the deep packet level of inspection to additionally monitor information associated with the network traffic; and
      
      in response to the additionally monitored information, activating one or more other triggers that provide associated alerts to a user.
  - 4. The method of claim 1, wherein the passively monitored information further comprises:
    - providing one or more metrics associated with the network traffic, and wherein the one or more metrics include collecting information regarding one or more different layers of a same network flow.
  - 5. The method of claim 1, wherein the performing of the deep packet level of inspection on packets that were communicated in the network traffic, further comprises providing one or more metrics for network traffic communicated by one or more entities on the one or more networks.
  - 6. The method of claim 1, further comprising:
    - providing one or more agents that perform one or more actions, including;
      
      capturing one or more portions of the packets that were communicated in the network traffic during the occurrence of the one or more conditions;
      
      orcapturing one or more portions of one or more network flows associated with the occurrence of the one or more conditions.
  - 7. The method of claim 1, wherein employing the available resources, further comprises:
    - providing a resource budget that is associated with the one or more networks and the one or more activated triggers, wherein at least a portion of the resource budget is allocated as available resources based on a resource cost that is associated with each activated trigger.

8. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform actions, comprising:
- passively monitoring information that is associated with network traffic associated with one or more networks;
  
  in response to a determination that one or more conditions associated with activating one or more triggers for the monitored information has occurred, performing actions, including;
  
  ranking a priority for each activated trigger, wherein an allocation of one or more of compute, data storage, or network resources for each activated trigger is based on its rank;
  
  modifying a deep packet level of inspection based on an available amount of the one or more of compute, data storage or network resources allocated to each activated trigger, wherein the modification initiates or stops the deep packet level of inspection for the monitored information; and
  
  employing available resources to perform the deep packet level of inspection on packets that were communicated in the network traffic during the occurrence of the one or more conditions; and
  
  providing analysis of the network traffic based on the monitored information and the deep packet level of inspection for the packets.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The media of claim 8, wherein the passive monitoring information, further comprises:
    - in response to a non-occurrence of the one or more conditions, performing another level of inspection of the packets that is less comprehensive than the deep packet level of inspection.
  - 10. The media of claim 8, wherein the determination that one or more conditions have occurred, further comprises:
    - employing the deep packet level of inspection to additionally monitor information associated with the network traffic; and
      
      in response to the additionally monitored information, activating one or more other triggers that provide associated alerts to a user.
  - 11. The media of claim 8, wherein the passively monitored information further comprises:
    - providing one or more metrics associated with the network traffic, and wherein the one or more metrics include collecting information regarding one or more different layers of a same network flow.
  - 12. The media of claim 8, wherein the performing of the deep packet level of inspection on packets that were communicated in the network traffic, further comprises providing one or more metrics for network traffic communicated by one or more entities on the one or more networks.
  - 13. The media of claim 8, further comprising:
    - providing one or more agents that perform one or more actions, including;
      
      capturing one or more portions of the packets that were communicated in the network traffic during the occurrence of the one or more conditions;
      
      orcapturing one or more portions of one or more network flows associated with the occurrence of the one or more conditions.
  - 14. The media of claim 8, wherein employing the available resources, further comprises:
    - providing a resource budget that is associated with the one or more networks and the one or more activated triggers, wherein at least a portion of the resource budget is allocated as available resources based on a resource cost that is associated with each activated trigger.

15. A network computer for monitoring communication over a network between two or more computers, comprising:
- a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  passively monitoring information that is associated with network traffic associated with one or more networks;
  
  in response to a determination that one or more conditions associated with activating one or more triggers for the monitored information has occurred, performing actions, including;
  
  ranking a priority for each activated trigger, wherein an allocation of one or more of compute, data storage, or network resources for each activated trigger is based on its rank;
  
  modifying a deep packet level of inspection based on an available amount of the one or more of compute, data storage or network resources allocated to each activated trigger, wherein the modification initiates or stops the deep packet level of inspection for the monitored information; and
  
  employing available resources to perform the deep packet level of inspection on packets that were communicated in the network traffic during the occurrence of the one or more conditions; and
  
  providing analysis of the network traffic based on the monitored information and the deep packet level of inspection for the packets.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The network computer of claim 15, wherein the passive monitoring information, further comprises:
    - in response to a non-occurrence of the one or more conditions, performing another level of inspection of the packets that is less comprehensive than the deep packet level of inspection.
  - 17. The network computer of claim 15, wherein the determination that one or more conditions have occurred, further comprises:
    - employing the deep packet level of inspection to additionally monitor information associated with the network traffic; and
      
      in response to the additionally monitored information, activating one or more other triggers that provide associated alerts to a user.
  - 18. The network computer of claim 15, wherein the passively monitored information further comprises:
    - providing one or more metrics associated with the network traffic, and wherein the one or more metrics include collecting information regarding one or more different layers of a same network flow.
  - 19. The network computer of claim 15, wherein the performing of the deep packet level of inspection on packets that were communicated in the network traffic, further comprises providing one or more metrics for network traffic communicated by one or more entities on the one or more networks.
  - 20. The network computer of claim 15, further comprising:
    - providing one or more agents that perform one or more actions, including;
      
      capturing one or more portions of the packets that were communicated in the network traffic during the occurrence of the one or more conditions;
      
      orcapturing one or more portions of one or more network flows associated the occurrence of the one or more conditions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Wu, Xue Jun, Braun, Nicholas Jordan, Deaguero, Joel Benjamin, Montague, Michael Kerber Krause, Khanal, Bhushan Prasad
Primary Examiner(s)
Giddins, Nelson S.

Application Number

US16/384,574
Publication Number

US 20190245873A1
Time in Patent Office

337 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 41/0681   Configuration of triggering...

H04L 43/08   Monitoring or testing based...

H04L 43/0894   Packet rate

H04L 43/20   the monitoring system or th...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

Adaptive network monitoring with tuneable elastic granularity

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

228 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive network monitoring with tuneable elastic granularity

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

228 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links