Behavior-based traffic profiling based on access control information

US 8,621,615 B2
Filed: 06/02/2009
Issued: 12/31/2013
Est. Priority Date: 04/03/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a device, a plurality of traffic behavior patterns,the plurality of traffic behavior patterns being associated with a respective plurality of user roles associated with a user;

monitoring, by the device, a traffic flow on a network,the monitoring of the traffic flow including;

determining a user role, of the plurality of user roles, associated with the traffic flow,identifying, based on the determined user role, a traffic behavior pattern of the plurality of traffic behavior patterns, andidentifying a traffic behavior associated with the traffic flow;

comparing, by the device, the traffic behavior, associated with the traffic flow, and the traffic behavior pattern to form comparison results;

determining, by the device and based on the comparison results, whether an anomaly is associated with the traffic flow,determining whether the anomaly is associated with the traffic flow including;

determining that the anomaly is associated with the traffic flow when the traffic flow is associated with a first network protocol that differs from a second network protocol associated with the traffic behavior pattern;

performing, by the device and when the anomaly is associated with the traffic flow, a security response; and

updating, when the anomaly is not associated with the traffic flow, the traffic behavior pattern based on monitoring the traffic flow,the traffic behavior pattern not being updated based on monitoring the traffic flow when the anomaly is associated with the traffic flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.

39 Citations

View as Search Results

16 Claims

1. A method comprising:
- determining, by a device, a plurality of traffic behavior patterns,the plurality of traffic behavior patterns being associated with a respective plurality of user roles associated with a user;
  
  monitoring, by the device, a traffic flow on a network,the monitoring of the traffic flow including;
  
  determining a user role, of the plurality of user roles, associated with the traffic flow,identifying, based on the determined user role, a traffic behavior pattern of the plurality of traffic behavior patterns, andidentifying a traffic behavior associated with the traffic flow;
  
  comparing, by the device, the traffic behavior, associated with the traffic flow, and the traffic behavior pattern to form comparison results;
  
  determining, by the device and based on the comparison results, whether an anomaly is associated with the traffic flow,determining whether the anomaly is associated with the traffic flow including;
  
  determining that the anomaly is associated with the traffic flow when the traffic flow is associated with a first network protocol that differs from a second network protocol associated with the traffic behavior pattern;
  
  performing, by the device and when the anomaly is associated with the traffic flow, a security response; and
  
  updating, when the anomaly is not associated with the traffic flow, the traffic behavior pattern based on monitoring the traffic flow,the traffic behavior pattern not being updated based on monitoring the traffic flow when the anomaly is associated with the traffic flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, where identifying determining the plurality of traffic behavior patterns includes:
    - receiving, by the device, one or more of the plurality of traffic behavior patterns from another device that differs from the device.
  - 3. The method of claim 1, where determining the plurality of traffic behavior patterns includesidentifying information associated with the user;
    - anddetermining the plurality of traffic behavior patterns based on the information associated with the user.
  - 4. The method of claim 3, where the received information associated with the user includes data associated with at least one of:
    - an identifier associated with the user,a status associated with the user,a job title associated with the user,an access level associated with the user,a password associated with the user,log-in data associated with the user,an authorization code associated with the user, orcredential information associated with the user.
  - 5. The method of claim 3, where identifying the information includes:
    - receiving, by the device, the information from at least one of;
      
      a user device utilized, by the user, to access the network, oranother device that regulates access, by the user, to the network.
  - 6. The method of claim 1, further comprising:
    - storing security policies; and
      
      where the performing of the security response further includes;
      
      selecting one of the security policies based on the anomaly; and
      
      performing the security response based on the selected one of the security policies.
  - 7. The method of claim 1, where identifying the traffic behavior pattern further includes:
    - monitoring one or more other traffic flows associated with the user; and
      
      identifying the traffic behavior pattern further based on the monitoring of the one or more other traffic flows.

8. A network device, comprising:
- a processor to;
  
  determine a plurality of traffic behavior patterns,the plurality of traffic behavior patterns being associated with a respective plurality of user roles associated with a user;
  
  determine, from the plurality of user roles, a user role associated with a traffic flow;
  
  identify, based on the determined user role, a traffic behavior pattern, of the plurality of traffic behavior patterns, associated with the traffic flow;
  
  compare traffic flow information, associated with the traffic flow, to the identified traffic behavior pattern;
  
  detect an anomaly of traffic behavior associated with the traffic flow based on comparing the traffic flow information to the identified traffic behavior pattern,the processor, when detecting the anomaly, being further to;
  
  detect the anomaly of traffic behavior associated with the traffic flow based on determining that the traffic flow is associated with a first network protocol that differs from a second network protocol associated with the traffic behavior pattern;
  
  perform, when the anomaly is detected, a security response; and
  
  update, when the anomaly is not associated with the traffic flow, the traffic behavior pattern based on monitoring the traffic flow,the processor not updating the traffic behavior pattern, based on monitoring the traffic flow, when the anomaly is associated with the traffic flow.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The network device of claim 8, where the processor, when determining the plurality of traffic behavior patterns, is further to:
    - receive the plurality of traffic behavior patterns from another device.
  - 10. The network device of claim 8, where the network device is associated with an intrusion, detection, and prevention device.
  - 11. The network device of claim 8, where the traffic flow information includes data associated with one or more of:
    - a source address associated with the traffic flow,a source port associated with the traffic flow,a destination address associated with the traffic flow,a destination port associated with the traffic flow,a type of service associated with the traffic flow,a quality of service associated with the traffic flow,timestamp information associated with the traffic flow, ora quantity of packets or bytes associated with the traffic flow.
  - 12. The network device of claim 8, where the processor is further to:
    - monitor the traffic flow; and
      
      obtain the traffic flow information based on monitoring the traffic flow.
  - 13. The network device of claim 8, where the processor is further to:
    - receive at least one of a source address or a source port identifier associated with a network access associated with the user, andselect the traffic flow, from a plurality of traffic flows, further based on the at least one of the source address or the source port identifier.
  - 14. The network device of claim 8, where the processor, when identifying the traffic behavior pattern, is further to:
    - monitor one or more other traffic flows associated with the user, the one or more other traffic flows being different from the traffic flow; and
      
      determine the traffic behavior pattern based on the monitoring of the one or more other traffic flows.

15. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by a processor, cause the processor to acquire data associated with activities of a user on a network;
  
  one or more instructions which, when executed by the processor, cause the processor to determine, based on the acquired data, a plurality of traffic behavior patterns associated with the user,the plurality of traffic behavior patterns being associated with a respective plurality of user roles of the user;
  
  one or more instructions which, when executed by the processor, cause the processor to monitor a traffic flow to produce monitoring results;
  
  one or more instructions which, when executed by the processor, cause the processor to determine a user role, of the plurality of user roles, associated with the traffic flow;
  
  one or more instructions which, when executed by the processor, cause the processor to identify, based on the determined user role, a traffic behavior pattern, of the plurality of traffic behavior patterns, associated with the traffic flow;
  
  one or more instructions which, when executed by the processor, cause the processor to compare the monitoring results with the traffic behavior pattern to form comparison results;
  
  one or more instructions which, when executed by the processor, cause the processor to determine, based on the comparison results, whether the traffic flow is associated with an anomaly of traffic behavior,the one or more instructions to determine whether the traffic flow is associated with the anomaly of traffic behavior further including;
  
  one or more instructions to determine that the traffic flow is associated with the anomaly of traffic behavior when the traffic flow is associated with a first network protocol that differs from a second network protocol associated with the traffic behavior pattern;
  
  one or more instructions which, when executed by the processor, cause the processor to perform a security response when the traffic flow is associated with the anomaly; and
  
  one or more instructions to update, when the traffic flow is not associated with the anomaly, the traffic behavior pattern based on information associated with the traffic flow,the traffic behavior pattern not being updated based on the information associated with the traffic flow when the traffic flow is associated with the anomaly.
- View Dependent Claims (16)
- - 16. The non-transitory computer-readable medium of claim 15, the one or more instructions to identify the traffic behavior pattern further comprising:
    - one or more instructions to identify the traffic behavior pattern further based on monitoring one or more other traffic flows associated with the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zhao, Ye
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US12/476,567
Publication Number

US 20100257580A1
Time in Patent Office

1,673 Days
Field of Search

726/22, 726/26
US Class Current

726/22
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/125   involving control of end-de...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

Behavior-based traffic profiling based on access control information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Behavior-based traffic profiling based on access control information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links