Anomaly detection in software defined networking

US 10,986,067 B2
Filed: 07/03/2017
Issued: 04/20/2021
Est. Priority Date: 08/10/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising performing, in a network apparatus, the steps ofclassifying traffic flows containing packets based on packet features;

providing a copy of a packet contained in a traffic flow to a cluster node;

controlling the cluster node to select at least one detector node based on the features of the packet and to forward said copy to the selected detector node to find out based on said copy whether the packet is malicious or not; and

in response to receiving from the detector node a flow indication on the traffic flow, controlling a switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network apparatus of a communication system classifies traffic flows containing packets based on packet features. The network apparatus provides a copy of a packet contained in a traffic flow to a cluster node, and controls the cluster node to select at least one detector node based on the features of the packet and to forward said copy to the selected detector node to find out based on said copy whether the packet is malicious or not. In response to receiving from the detector node a flow indication on the traffic flow, the network apparatus controls a switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.

6 Citations

View as Search Results

16 Claims

1. A method comprising performing, in a network apparatus, the steps ofclassifying traffic flows containing packets based on packet features;
- providing a copy of a packet contained in a traffic flow to a cluster node;
  
  controlling the cluster node to select at least one detector node based on the features of the packet and to forward said copy to the selected detector node to find out based on said copy whether the packet is malicious or not; and
  
  in response to receiving from the detector node a flow indication on the traffic flow, controlling a switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as claimed in claim 1, wherein the method comprisesdynamically defining or obtaining one or more traffic flow forwarding rules, wherein a traffic flow forwarding rule includes information fordetermining traffic flow type based on the features, andselecting one or more detector nodes for the traffic flow based on the features;
    - wherein said defining or obtaining is carried out in at least one of the control node and the cluster node.
  - 3. A method as claimed in claim 2, wherein the traffic flow forwarding rule comprises information obtained from a switch node.
  - 4. A method as claimed in claim 1, wherein the method comprisesdetermining traffic flow type based on at least one feature of the packet, such as the packet being sent from a specific IP address, the packet being sent to a specific port, the packet being sent to a specific URL, or some other packet feature.
  - 5. A method as claimed in claim 1,wherein the control node comprises at least one of an SDN controller and an SDN orchestrator.
  - 6. An apparatus comprisingat least one processor;
    - andat least one memory including a computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus to perform the method steps of claim 1.
  - 7. A communications system comprising at least one apparatus according to claim 6.
  - 8. A computer program product stored on a non-transitory distribution medium readable by a computer and comprising program instructions which, when loaded into an apparatus, execute the method according to claim 1.

9. A method comprising performing, in a network apparatus, the steps ofobtaining a copy of a packet contained in a traffic flow from a switch node;
- checking packet features;
  
  selecting, based on the packet features, at least one detector node among one or more detector nodes capable of checking based on said copy whether the packet is malicious or not; and
  
  forwarding said copy to the selected detector node for checking whether the packet is malicious or not.
- View Dependent Claims (10)
- - 10. An apparatus comprising:
    - at least one processor; and
      
      at least one non-transitory memory including a computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to;
      
      cause the apparatus to perform the method of claim 9.

11. A method comprising performing, in a network apparatus, the steps ofclassifying traffic flows containing packets based on packet features;
- providing a sample of a traffic flow to a cluster node;
  
  receiving, from the cluster node, information on one or more detector nodes selected in the cluster node for features of the sample;
  
  controlling a switch node to forward the traffic flow based on rules extracted from the cluster node to the selected detector node to find out whether a packet contained in said traffic flow is malicious or not; and
  
  in response to receiving, from the detector node, a flow indication on the traffic flow, controlling the switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.
- View Dependent Claims (12, 13, 14)
- - 12. A method as claimed in claim 11, wherein the method comprisesperforming load balancing and/or latency mitigation by distributed anomaly detection in multiple detector nodes.
  - 13. A method as claimed in claim 11, wherein the method comprises distributing input traffic roughly evenly between multiple detector nodes.
  - 14. An apparatus comprising:
    - at least one processor; and
      
      at least one non-transitory memory including a computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to;
      
      cause the apparatus to perform the method of claim 11.

15. A method comprising performing, in a network apparatus, the steps ofobtaining a sample of a traffic flow from a switch node;
- checking features of the sample;
  
  based on the checking, selecting at least one detector node among one or more detector nodes capable of checking whether a packet is malicious or not; and
  
  indicating to a control node the at least one detector node selected for traffic flow anomaly detection.
- View Dependent Claims (16)
- - 16. An apparatus comprising:
    - at least one processor; and
      
      at least one non-transitory memory including a computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to;
      
      cause the apparatus to perform the method of claim 15.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Solutions and Networks US LLC (Nokia Corporation)
Original Assignee
Nokia Solutions and Networks US LLC (Nokia Corporation)
Inventors
Monshizadeh, Mehrnoosh, Khatri, Vikramajeet, Hatonen, Kimmo Kalervo, Kalliola, Aapo
Primary Examiner(s)
Steinle, Andrew J

Application Number

US16/323,829
Publication Number

US 20190215305A1
Time in Patent Office

1,387 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 12/121   Wireless intrusion detectio...

H04W 12/122   Counter-measures against at...

H04W 28/10   Flow control between commun...

Anomaly detection in software defined networking

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Anomaly detection in software defined networking

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others