TWO-STAGE HASH BASED LOGIC FOR APPLICATION LAYER DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK ATTRIBUTION
US-2018262528-A1 · Sep 13, 2018 · US
US10476629B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10476629-B2 |
| Application number | US-201715584625-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 2, 2017 |
| Priority date | May 2, 2017 |
| Publication date | Nov 12, 2019 |
| Grant date | Nov 12, 2019 |
Official abstract text for this publication.
A device may receive a first portion of network traffic associated with a flow. The device may perform a first upper layer inspection of the first portion of network traffic associated with the flow. The device may identify a set of parameters of the flow based on performing the first upper layer inspection of the first portion of network traffic associated with the flow. The device may determine, based on the set of parameters, a sampling rate at which to perform a second upper layer inspection of a second portion of network traffic associated with the flow. The device may instruct a lower layer to use the sampling rate to provide the second portion of network traffic associated with the flow for the second upper layer inspection. The device may perform the second upper layer inspection of the second portion of network traffic associated with the flow based on receiving the second portion of network traffic associated with the flow from the lower layer. The device may perform an action with regard to the flow based on a result of performing the second upper layer inspection.
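The control loop in the abstract, sketched as an added example (not code from the patent or its assignee). The policy table, the two-packet first portion, the credit-counter sampler and the `MARKER` signature are all assumptions made for illustration.

```python
from fractions import Fraction

# Assumed policy values: sampling rate chosen per application-layer protocol.
RATE_BY_PROTOCOL = {"http": Fraction(1, 2)}
DEFAULT_RATE = Fraction(1, 10)
FIRST_PORTION = 2                      # packets fully inspected before a rate is set
MARKER = b"X-Constructed-Bad: 1"       # constructed stand-in for a detection signature

class LowerLayer:
    """Passes every packet up until a rate is set, then only the sampled share."""
    def __init__(self):
        self.rate, self.credit = None, Fraction(0)

    def set_rate(self, rate):
        if not 0 < rate < 1:           # the claims require 0 < rate < 1
            raise ValueError("sampling rate must be between 0 and 1")
        self.rate = rate

    def deliver_up(self):
        if self.rate is None:
            return True
        self.credit += self.rate       # credit counter gives an exact 1-in-N share
        if self.credit >= 1:
            self.credit -= 1
            return True
        return False

def inspect(payload):
    """Toy upper-layer inspection: classify the protocol and look for MARKER."""
    verb = payload.split(b" ", 1)[0]
    return {"protocol": "http" if verb in (b"GET", b"POST") else "unknown",
            "flagged": MARKER in payload}

def process_flow(packets):
    lower, inspected, action = LowerLayer(), 0, "allow"
    for payload in packets:
        if not lower.deliver_up():
            continue                   # packet stays in the lower-layer fast path
        result = inspect(payload)
        inspected += 1
        if lower.rate is None:         # first inspection: derive flow parameters
            if inspected == FIRST_PORTION:
                lower.set_rate(RATE_BY_PROTOCOL.get(result["protocol"], DEFAULT_RATE))
        elif result["flagged"]:        # second inspection drives the action
            action = "block"
            break
    return {"rate": lower.rate, "inspected": inspected, "action": action}

def sample_flow(flag_at=None, n=10):   # constructed HTTP-like packets
    return [b"GET /item HTTP/1.1\r\n" + (MARKER if i == flag_at else b"") for i in range(n)]
```

A packet the lower layer does not pass up is never seen by the second inspection, so the chosen rate sets both the inspection cost and the detection coverage for the flow.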
Opening claim text (preview).
What is claimed is:
1. A device, comprising: a memory; and one or more processors to: receive a first portion of network traffic associated with a flow, the first portion of network traffic associated with the flow being a first subset of packets included in the flow; perform a first application layer inspection of the first portion of network traffic associated with the flow; identify a set of parameters of the flow based on performing the first application layer inspection of the first portion of network traffic associated with the flow; determine, based on the set of parameters, a sampling rate at which to perform a second application layer inspection of a second portion of network traffic associated with the flow, the second portion of network traffic associated with the flow being a second subset of packets included in the flow, the sampling rate indicating a ratio or a percentage of packets, on which the second application layer inspection is to be performed, with respect to a total quantity of packets of the flow that are received, the sampling rate being greater than zero and less than one, and the first portion of the network traffic associated with the flow and the second portion of the network traffic associated with the flow being included in a same flow; instruct a lower layer to use the sampling rate to provide the second portion of network traffic associated with the flow for the second application layer inspection; perform the second application layer inspection of the second portion of network traffic associated with the flow based on receiving the second portion of network traffic associated with the flow from the lower layer; and perform an action with regard to the flow based on a result of performing the second application layer inspection.
2. The device of claim 1, where the one or more processors are further to: identify an application layer application associated with the flow after performing the first application layer inspection of the first portion of network traffic associated with the flow; and where the one or more processors, when determining the sampling rate, are to: determine the sampling rate based on the application layer application.
3. The device of claim 1, where the one or more processors are further to: identify an application layer protocol associated with the flow after performing the first application layer inspection of the first portion of network traffic associated with the flow; and where the one or more processors, when determining the sampling rate, are to: determine the sampling rate based on the application layer protocol.
4. The device of claim 1, where the one or more processors are further to: identify a geolocation of a source device associated with the flow; and where the one or more processors, when determining the sampling rate, are to: determine the sampling rate based on the geolocation of the source device.
5. The device of claim 1, where the one or more processors are further to: determine another sampling rate at which to perform a third application layer inspection of a third portion of network traffic associated with the flow, the another sampling rate being different than the sampling rate; instruct the lower layer to use the another sampling rate to provide the third portion of network traffic associated with the flow for the third application layer inspection; and perform the third application layer inspection of the third portion of network traffic associated with the flow based on receiving the third portion of network traffic associated with the flow from the lower layer.
6. The device of claim 1, where the one or more processors are further to: determine another sampling rate at which to perform a third application layer inspection of a third portion of network traffic associated with the flow, the another sampling rate being different than the sampling rate, the second portion of network traffic being provided by a source device to a destination device associated with the flow, and the third portion of network traffic being provided by the destination device to the source device; instruct the lower layer to use the another sampling rate to provide the third portion of network traffic associated with the flow for the third application layer inspection; and perform the third application layer inspection of the third portion of network traffic associated with the flow based on receiving the third portion of network traffic associated with the flow from the lower layer.
7. The device of claim 1, where the first application layer inspection and the second application layer inspection are performed by an application layer of a communication model, where the application layer is higher in the communication model than the lower layer.
8. A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors of a device, cause the one or more processors to: receive a first portion of network traffic associated with a flow, the first portion of network traffic associated with the flow being a first subset of packets included in the flow; perform a first application layer inspection of the first portion of network traffic associated with the flow; identify a set of parameters of the flow based on performing the first application layer inspection of the first portion of network traffic associated with the flow; determine, based on the set of parameters, a sampling rate at which to perform a second application layer inspection of a second portion of network traffic associated with the flow, the second portion of network traffic associated with the flow being a second subset of packets included in the flow, the sampling rate indicating a ratio or a percentage of packets, on which the second application layer inspection is to be performed, with respect to a total quantity of packets of the flow that are received, the sampling rate being greater than zero and less than one, and the first portion of the network traffic associated with the flow and the second portion of the network traffic associated with the flow being included in a same flow; instruct a lower layer to use the sampling rate to provide the second portion of network traffic associated with the flow for the second application layer inspection; perform the second application layer inspection of the second portion of network traffic associated with the flow based on receiving the second portion of network traffic associated with the flow from the lower layer; and perform an action with regard to the flow based on a result of performing the second application layer inspection.
9. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: identify a uniform resource locator associated with the first portion of network traffic based on performing the first application layer inspection; and where the one or more instructions, that cause the one or more processors to determine the sampling rate, cause the one or more processors to: determine the sampling rate based on the uniform resource locator associated with the first portion of network traffic.
10. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: identify an application associated with the flow based on performing the first application layer inspection; and where the one or more instructions, that cause the
by balancing the load, e.g. traffic engineering · CPC title
relying on flow classification, e.g. using integrated services [IntServ] · CPC title
by adaptive sampling · CPC title
by using congestion prediction · CPC title
involving identification of individual flows · CPC title