Selective flow inspection based on endpoint behavior and random sampling
First Claim
1. A computer-implemented method comprising:
- determining an initiator of network traffic;
- at each of multiple instants of time, collecting usage data for network traffic associated with the initiator;
- storing historical usage data based on updates from usage data for the network traffic over time;
- determining whether current usage data are within an expected distribution with respect to the historical usage data by comparing the current usage data to the historical usage data of the initiator;
- selecting an inspection threshold for traffic flows from the initiator based upon the comparison between the current usage data and the historical usage data; and
- determining a proportion of traffic flows associated with the initiator to be inspected based on the inspection threshold.
1 Assignment
0 Petitions
Abstract
Presented herein are techniques for determining an initiator of network traffic, collecting at each of multiple instants of time, usage data for network traffic associated with the initiator, and storing historical usage data based on updates from usage data for the network traffic over time. Current usage data are compared to historical usage data of the initiator to determine whether current usage data are within an expected distribution with respect to the historical usage data. Based upon the comparison between the current usage data and the historical usage data, an inspection threshold is selected for traffic flows from the initiator, and a proportion of traffic flows associated with the initiator is determined to be inspected based on the inspection threshold.
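As an added illustration of the abstract's compare-then-threshold step (example code, not code from the patent or its assignee), the sketch below keys each interval's usage by application type as claim 17 describes, scores the current interval against the historical share distribution, maps that score to an inspection fraction, and randomly samples that fraction of the initiator's flows. The sample data, the z-score test, the spread floor and the fraction bands are all assumptions made for the example.

```python
import random
import statistics

# Constructed sample: one initiator's usage per interval, bytes keyed by
# application type. Four ordinary intervals, then two candidate "current"
# intervals: one in line with history, one where a rarely used type dominates.
HISTORY = [
    {"web": 800, "dns": 50, "ssh": 100},
    {"web": 900, "dns": 60, "ssh": 120},
    {"web": 850, "dns": 55, "ssh": 90},
    {"web": 870, "dns": 45, "ssh": 110},
]
CURRENT_NORMAL = {"web": 880, "dns": 50, "ssh": 100}
CURRENT_ANOMALOUS = {"web": 200, "dns": 60, "ssh": 2500}


def shares(usage):
    """Normalise bytes per application type to a share of the interval total."""
    total = sum(usage.values()) or 1
    return {app: n / total for app, n in usage.items()}


def deviation_score(current, history):
    """Largest z-score of any application type's current share against the
    historical mean and standard deviation of that share (0.0 with no history)."""
    if not history:
        return 0.0
    hist_shares = [shares(h) for h in history]
    now = shares(current)
    apps = set(now) | {a for h in hist_shares for a in h}
    worst = 0.0
    for app in apps:
        past = [h.get(app, 0.0) for h in hist_shares]
        mean = statistics.fmean(past)
        sd = statistics.pstdev(past)
        # Floor the spread (assumed 2 percentage points) so a perfectly stable
        # history does not divide by zero or flag trivial noise.
        worst = max(worst, abs(now.get(app, 0.0) - mean) / max(sd, 0.02))
    return worst


def select_inspection_fraction(score):
    """Map the deviation score to the proportion of flows to inspect (assumed bands)."""
    if score < 1.0:
        return 0.05   # within the expected distribution: light random sampling
    if score < 3.0:
        return 0.25
    return 1.0        # far outside it: inspect every flow


def sample_flows(flow_ids, fraction, seed=0):
    """Randomly select roughly `fraction` of the initiator's flows for inspection."""
    rng = random.Random(seed)
    return [f for f in flow_ids if rng.random() < fraction]
```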
88 Citations
20 Claims
1. A computer-implemented method comprising the steps set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. An apparatus comprising:
- a network interface unit configured to receive communications over a network;
- memory configured to store usage data and historical usage data; and
- one or more processors coupled to the network interface unit, and configured to:
  - determine an initiator of network traffic;
  - at each of multiple instants of time, collect usage data for network traffic associated with the initiator;
  - store historical usage data based on updates from usage data for the network traffic over time;
  - determine whether current usage data are within an expected distribution with respect to the historical usage data by comparing the current usage data to the historical usage data of the initiator;
  - select an inspection threshold for traffic flows from the initiator based upon the comparison between the current usage data and the historical usage data; and
  - determine a proportion of traffic flows associated with the initiator to be inspected based on the inspection threshold.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A computer-implemented method comprising:
- storing in a database, current usage data for an initiator of network traffic, wherein the stored usage data is descriptive of an application type for each network traffic flow associated with the initiator and is cumulative over a prescribed period of time;
- determining whether the current usage data are within an expected distribution with respect to historical usage data by comparing the current usage data to the historical usage data;
- selecting an inspection threshold for traffic flows from the initiator based upon the comparison between the current usage data and the historical usage data; and
- determining a proportion of traffic flows associated with the initiator to be inspected based on the inspection threshold.
Dependent claims: 18, 19, 20.
Specification