Modifying network relationships using a heterogenous network flows graph

US11765179B2 · US · B2

Patent metadata
Field                Value
Publication number   US-11765179-B2
Application number   US-202217677039-A
Country              US
Kind code            B2
Filing date          Feb 22, 2022
Priority date        Jan 24, 2022
Publication date     Sep 19, 2023
Grant date           Sep 19, 2023


Abstract

Official abstract text for this publication.

Systems and methods are described for recommending security groups using graph-based learning models. A server can create a network graph that illustrates network flows between devices in a network and security groups that the devices belong to. The network graph can include nodes that represent the devices and security groups. The server can apply a graph-based learning model to learn embeddings of the nodes and create vectors using the embeddings. Using vectors of two nodes, the server can calculate a vector that represents an edge between the two nodes. The server can apply a binary classifier to determine whether the edge should exist. A “true” classification between two nodes can indicate that they should be able to communicate, and vice versa. A “true” classification between a device node and a security group node can indicate that the device should be assigned to the security group, and vice versa.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for modifying network relationships using a heterogenous network flows graph, comprising: creating a graph of network traffic flows for a network, the graph including a first device node that represents a first network device and a second device node that represents a second network device, wherein the graph indicates that the first network device communicates with the second network device; applying a graph-based learning model to the graph to create a first vector that represents the first device node and a second vector that represents the second device node; calculating a norm of the first and second vectors to create a third vector that represents an edge between the first device node and the second device node; applying a binary classifier to the third vector; determining, based on the output of the binary classifier, that communications between the first network device and the second network device are anomalous; and based on the determination, causing the first network device to be reconfigured so that the first network device and the second network device do not communicate.

2. The method of claim 1, wherein the graph is created using network flows data by performing stages comprising: extracting a first Internet Protocol (“IP”) address that is associated with the first network device; extracting a second IP address that is associated with the second network device; creating the first and second device nodes in the graph; applying a first link of a first link type to the first and second IP addresses, the first link indicating a flow of network traffic from the second network device to the first network device; and inserting the edge in the graph that connects the first and second device nodes based on the first link.

3. The method of claim 2, wherein the first IP address includes a unique combination of an Internet Protocol address, a logical transport layer, and a communication protocol of the first network device that the second network device uses to communicate with the first network device.

4. The method of claim 3, wherein constructing the graph further comprises: creating a unique combination node for the unique combination; and applying a second link of a second link type to the unique combination and the first network device, the second link indicating that the unique combination is associated with the first network device, wherein the first link is applied to the second IP address and the unique combination, and inserting the edge in the graph includes inserting a first edge that connects the second device node to the unique combination and a second edge that connects the unique combination to the first device node, indicating a flow of network traffic from the second network device to the first network device using the unique combination.

5. The method of claim 4, wherein constructing the graph further comprises: extracting, from the network flows data, a security group that the unique combination belongs to, and applying a third link of a third link type to the unique combination and the security group, the third link indicating that the unique combination belongs to the security group, wherein inserting the edge in the graph includes inserting a third edge that connects the unique combination to the security group.

6. The method of claim 1, wherein the binary classifier is one of a logistic regression, decision tree, random forest, support vector machine, neural network, and probit model.

7. The method of claim 1, wherein the graph-based learning model is one of a metapath2vec, node2vec, DeepWalk, Graph Neural Network, and GraphSAGE model.

8. A non-transitory, computer-readable medium containing instructions that, when executed by a hardware-based processor, causes the processor to perform stages for modifying network relationships using a heterogenous network flows graph, the stages comprising: creating a graph of network traffic flows for a network, the graph including a first device node that represents a first network device and a second device node that represents a second network device, wherein the graph indicates that the first network device communicates with the second network device; applying a graph-based learning model to the graph to create a first vector that represents the first device node and a second vector that represents the second device node; calculating a norm of the first and second vectors to create a third vector that represents an edge between the first device node and the second device node; applying a binary classifier to the third vector; determining, based on the output of the binary classifier, that communications between the first network device and the second network device are anomalous; and based on the determination, causing the first network device to be reconfigured so that the first network device and the second network device do not communicate.

9. The non-transitory, computer-readable medium of claim 8, wherein the graph is created using network flows data by performing stages comprising: extracting a first Internet Protocol (“IP”) address that is associated with the first network device; extracting a second IP address that is associated with the second network device; creating the first and second device nodes in the graph; applying a first link of a first link type to the first and second IP addresses, the first link indicating a flow of network traffic from the second network device to the first network device; and inserting the edge in the graph that connects the first and second device nodes based on the first link.

10. The non-transitory, computer-readable medium of claim 9, wherein the first IP address includes a unique combination of an Internet Protocol address, a logical transport layer, and a communication protocol of the first network device that the second network device uses to communicate with the first network device.

11. The non-transitory, computer-readable medium of claim 10, wherein constructing the graph further comprises: creating a unique combination node for the unique combination; and applying a second link of a second link type to the unique combination and the first network device, the second link indicating that the unique combination is associated with the first network device, wherein the first link is applied to the second IP address and the unique combination, and inserting the edge in the graph includes inserting a first edge that connects the second device node to the unique combination and a second edge that connects the unique combination to the first device node, indicating a flow of network traffic from the second network device to the first network device using the unique combination.

12. The non-transitory, computer-readable medium of claim 11, wherein constructing the graph further comprises: extracting, from the network flows data, a security group that the unique combination belongs to, and applying a third link of a third link type to the unique combination and the security group, the third link indicating that the unique combination belongs to the security group, wherein inserting the edge in the graph includes inserting a third edge that connects the unique combination to the security group.

13. The non-transitory, computer-readable medium of claim 8, wherein the binary classifier is a logistic regression, decision tree, random forest, support vector machine, neural network, or probit model.

14. The non-transitory, computer-readable medium of claim 8, wherein the graph-based learning model is a metapath2vec, node2vec, DeepWalk, Graph Neur
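The pipeline that the abstract and claims 1 to 7 describe, written out as an added example that is not part of the patent or of VMware's code. It builds the heterogeneous graph of claims 2 to 5 (device nodes, "unique combination" nodes for ip:port/proto, security-group nodes, and the three link types) from constructed flow records; the device and group names, the addresses, and the assumption that each record also carries the source-side security group are all constructed for the example. A deterministic metapath aggregation (device -> combo -> group) stands in for the learned node2vec/GraphSAGE embedding so the run is reproducible, "a norm of the first and second vectors" is read as the element-wise |u - v| edge operator from the node2vec link-prediction literature (an assumption), and a plain gradient-descent logistic regression is the binary classifier of claim 6. Edges seen in the baseline window are the positive class, device pairs never seen are the negative class, and every observed edge is then scored; the one flow in which a web-tier host talks straight to the database tier is the edge the classifier rejects, which becomes the deny rule of claim 1's final stage.

```python
"""Toy version of the patent's graph -> embedding -> edge vector -> classifier pipeline.
Added example, not the patent holder's code; all data below is constructed."""
import math
from collections import defaultdict
from itertools import combinations

# Constructed flow records: (src device, src security group, dst device, dst ip, dst port, proto, dst security group).
BASELINE_FLOWS = [
    ("web-1", "sg-web", "app-1", "10.0.2.10", 8080, "tcp", "sg-app"),
    ("web-1", "sg-web", "app-2", "10.0.2.11", 8080, "tcp", "sg-app"),
    ("web-2", "sg-web", "app-1", "10.0.2.10", 8080, "tcp", "sg-app"),
    ("web-2", "sg-web", "app-2", "10.0.2.11", 8080, "tcp", "sg-app"),
    ("app-1", "sg-app", "db-1", "10.0.3.10", 5432, "tcp", "sg-db"),
    ("app-1", "sg-app", "db-2", "10.0.3.11", 5432, "tcp", "sg-db"),
    ("app-2", "sg-app", "db-1", "10.0.3.10", 5432, "tcp", "sg-db"),
    ("app-2", "sg-app", "db-2", "10.0.3.11", 5432, "tcp", "sg-db"),
]
# A newly observed flow: the web tier reaching the database tier directly.
NEW_FLOWS = [("web-1", "sg-web", "db-2", "10.0.3.11", 5432, "tcp", "sg-db")]


def build_graph(flows):
    """Heterogeneous graph of claims 2-5: typed nodes plus typed links."""
    nodes, links = {}, defaultdict(set)
    for src, src_sg, dst, ip, port, proto, dst_sg in flows:
        combo = f"{ip}:{port}/{proto}"          # unique combination node (claim 3)
        nodes.update({src: "device", dst: "device", combo: "combo", src_sg: "sg", dst_sg: "sg"})
        links["flow"].add((src, combo))         # first link type: traffic from src into the combo
        links["owns"].add((dst, combo))         # second link type: combo is associated with dst
        links["in_group"].add((combo, dst_sg))  # third link type: combo belongs to a security group
        links["member"].add((src, src_sg))      # assumption: records also name the source's group
    return nodes, links


def device_pairs(links):
    """Device-to-device edges implied by src -> combo -> owning device (claim 4)."""
    owner = {combo: dev for dev, combo in links["owns"]}
    return {frozenset((src, owner[combo])) for src, combo in links["flow"]}


def embed(nodes, links):
    """Metapath aggregation standing in for the learned model: for each device,
    [one-hot of the groups it belongs to | distribution of groups its flows reach]."""
    groups = sorted(n for n, t in nodes.items() if t == "sg")
    idx = {g: i for i, g in enumerate(groups)}
    combo_group = dict(links["in_group"])
    member, reach = defaultdict(set), defaultdict(list)
    for dev, sg in links["member"]:
        member[dev].add(sg)
    for dev, combo in links["owns"]:            # owning a combo in a group means membership
        member[dev].add(combo_group[combo])
    for src, combo in links["flow"]:
        reach[src].append(combo_group[combo])
    vectors = {}
    for dev in (n for n, t in nodes.items() if t == "device"):
        v = [0.0] * (2 * len(groups))
        for sg in member[dev]:
            v[idx[sg]] = 1.0
        for sg in reach[dev]:
            v[len(groups) + idx[sg]] += 1.0 / len(reach[dev])
        vectors[dev] = v
    return vectors


def edge_vector(u, v):
    """Claim 1's 'norm of the first and second vectors', read as element-wise |u - v| (assumption)."""
    return [abs(a - b) for a, b in zip(u, v)]


def predict(w, b, x):
    return 1.0 / (1.0 + math.exp(-(b + sum(wi * xi for wi, xi in zip(w, x)))))


def train_logreg(samples, lr=1.0, epochs=3000):
    """Logistic regression by full-batch gradient descent (one of claim 6's classifiers)."""
    dim = len(samples[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in samples:
            err = predict(w, b, x) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(samples) for wi, g in zip(w, gw)]
        b -= lr * gb / len(samples)
    return w, b


def find_anomalous_flows(baseline, new, threshold=0.5):
    """Score every observed edge; an edge the classifier rejects is anomalous."""
    nodes, links = build_graph(baseline + new)
    vec = embed(nodes, links)
    observed = device_pairs(links)
    known_good = device_pairs(build_graph(baseline)[1])
    samples = []
    for a, b in combinations(sorted(vec), 2):
        pair = frozenset((a, b))
        if pair in known_good:
            samples.append((edge_vector(vec[a], vec[b]), 1.0))
        elif pair not in observed:              # never seen at all: negative example
            samples.append((edge_vector(vec[a], vec[b]), 0.0))
    w, bias = train_logreg(samples)
    flagged = {}
    for src, _, dst, *_ in baseline + new:
        p = predict(w, bias, edge_vector(vec[src], vec[dst]))
        if p < threshold:
            flagged[(src, dst)] = round(p, 3)
    return flagged


def deny_rules(flagged):
    """Claim 1's last stage: reconfigure the source so the pair no longer communicates."""
    return [f"deny {src} -> {dst}" for src, dst in sorted(flagged)]


if __name__ == "__main__":
    hits = find_anomalous_flows(BASELINE_FLOWS, NEW_FLOWS)
    print(hits, deny_rules(hits))
```

The negative class deliberately excludes the pair being scored: labelling a new flow "bad" just because it is new would be circular. Because the edge operator is symmetric, the classifier can only learn from how far apart two endpoints sit in embedding space, which is why a pair that looks exactly like a never-observed web-to-db pair is rejected while the web-to-app and app-to-db edges it was trained on are accepted.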

Assignees

Vmware Inc

Inventors

Classifications

  • H04L63/104 (primary): Grouping of entities · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • using machine learning or artificial intelligence · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Assignment of logical groups to network elements · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/104. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 19, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).