Network security path identification and validation
US-12170668-B2 · Dec 17, 2024 · US
US2016359673A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016359673-A1 |
| Application number | US-201615045202-A |
| Country | US |
| Kind code | A1 |
| Filing date | Feb 16, 2016 |
| Priority date | Jun 5, 2015 |
| Publication date | Dec 8, 2016 |
| Grant date | — |
Abstract
An example method according to some embodiments includes receiving flow data for a packet traversing a network. The method continues by determining a source endpoint group and a destination endpoint group for the packet. The method continues by determining that a policy was utilized, the policy being applicable to the endpoint group. Finally, the method includes updating utilization data for the policy based on the flow data.
Claims
1. A method comprising: receiving network traffic data relating to a transmission from a source and reception by a destination of a network; determining a source endpoint group and a destination endpoint group for the network traffic data; determining a policy from among a plurality of policies of the network that is applicable to the source endpoint group and the destination endpoint group; and updating utilization data for the policy based on the network traffic data.
2. The method of claim 1, further comprising: reordering a first position of the policy within a policy table and a second position of a second policy within the policy table based on a comparison of the utilization data for the policy and second utilization data for the second policy.
3. The method of claim 1, further comprising: deleting the policy from a policy table based on the utilization data indicating that the policy has not been utilized for a period of time.
4. The method of claim 1, wherein the network traffic data comprises sensor data that is received from a network device, a hypervisor, and a virtual machine.
5. The method of claim 1, further comprising: determining whether the policy was enforced based on the network traffic data received by the destination and sent from the source.
6. The method of claim 1, further comprising: receiving second network traffic data relating to transmission from a second source and reception by a second destination; determining that a second policy applicable to the second network traffic data denies connectivity between the second source and the second destination; determining that connectivity was allowed from the second source to the second destination; and providing an alert indicating that the second policy was not applied.
7. The method of claim 1, further comprising: presenting the utilization data by providing an indication of at least one of a number of flows, a number of packets, or a quantity of data received by the network over a specified period of time to which the policy is applicable.
8. A non-transitory computer-readable medium having computer readable instructions stored thereon that, when executed by a processor of a computer, cause the computer to: receive to a network source network traffic data for network packets sent by a source and destination network traffic data for network packets received by a destination from the source; determine a respective policy from among a plurality of policies of the network that is applicable to each flow described in the source network traffic data and the destination network traffic data; and update utilization data for the respective policy based on each flow.
9. The non-transitory computer-readable medium of claim 8, wherein the instructions further cause the computer to: reorder a first position of the policy within a policy table and a second position of a second policy within the policy table based on a comparison of the utilization data.
10. The non-transitory computer-readable medium of claim 8, wherein the instructions further cause the computer to: delete the policy from a policy table based on the utilization data indicating that the policy has not been utilized for a period of time.
11. The non-transitory computer-readable medium of claim 8, wherein the source network traffic data describing each flow comprises sensor data that is received from a network device, a hypervisor, and a virtual machine.
12. The non-transitory computer-readable medium of claim 8, wherein the instructions further cause the computer to: determine whether the policy was enforced based on the destination network traffic data.
13. The non-transitory computer-readable medium of claim 8, wherein the instructions further cause the computer to: receive to the network a second source network traffic data for network packets sent by a source and a second destination network traffic data received by a destination from the source; determine that a second policy, applicable to each flow described in the second destination network traffic data and the destination network traffic data sent from the source and received by the destination, denies connectivity between the second source and the second destination; determine that connectivity was allowed from the second source to the second destination based on the destination network traffic data; and provide an alert indicating that the second policy was not applied.
14. The non-transitory computer-readable medium of claim 8, wherein the instructions are further effective to cause the computer to: present the utilization data by providing an indication of at least one of a number of flows, a number of packets, or a quantity of data to which the policy is applicable.
15. A system comprising: a processor; a computer-readable medium; and non-transitory computer-readable instructions stored thereon that, when executed by the processor, cause the system to: receive network traffic data relating to a transmission from a source and reception by a destination of a network; determine a source endpoint group and a destination endpoint group for the network traffic data; determine a policy from among a plurality of policies of the network that is applicable to the source endpoint group and the destination endpoint group; and update utilization data for the policy based on the network traffic data.
16. The system of claim 15, wherein the non-transitory computer-readable instructions, when executed by the processor, further cause the system to: reorder a first position of the policy within a policy table and a second position of a second policy within the policy table based on a comparison of the utilization data for the policy and second utilization data for the second policy.
17. The system of claim 15, wherein the non-transitory computer-readable instructions, when executed by the processor, further cause the system to: delete the policy from a policy table based on the utilization data indicating that the policy has not been utilized for a period of time.
18. The system of claim 15, wherein the network traffic data comprises sensor data that is received from a network device, a hypervisor, and a virtual machine.
19. The system of claim 15, wherein the non-transitory computer-readable instructions, when executed by the processor, further cause the system to: determine whether the policy was enforced based on the network traffic data received by the destination and sent from the source.
20. The system of claim 15, wherein the non-transitory computer-readable instructions, when executed by the processor, further cause the system to: receive second network traffic data relating to transmission from a second source and reception by a second destination; determine that a second policy applicable to the second network traffic data denies connectivity between the second source and the second destination; determine that connectivity was allowed from the second source and the second destination; and provide an alert indicating that the second policy was not applied.
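The procedure of claim 1 (attribute each flow to the policy for its source and destination endpoint groups and update that policy's utilization data), together with the utilization-based reorder of claim 2, the stale-policy deletion of claim 3 and the unenforced-deny alert of claim 6, as an added Python example that is not the patent's or any vendor's code; the endpoint-group names, the policy table and the flow records (with a "delivered" flag standing in for the destination-side sensor observation) are constructed sample data.

```python
# Added example, not the patent's code: claims 1-3 and 6; all data below is constructed.
from dataclasses import dataclass
@dataclass
class Policy:
    src_epg: str
    dst_epg: str
    action: str        # "permit" or "deny"
    flows: int = 0     # utilization counters (claim 7 metrics)
    nbytes: int = 0
    last_used: int = 0  # timestamp of the last matching flow

# Constructed endpoint -> endpoint group (EPG) map; EPG names are hypothetical.
EPG_MAP = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.2.20": "db", "10.0.3.30": "mgmt"}
# Constructed policy table; first match wins, so position affects lookup cost.
POLICIES = [Policy("mgmt", "db", "permit", last_used=100),
            Policy("web", "db", "permit"), Policy("web", "mgmt", "deny")]
# Constructed flow records; "delivered" means the destination-side sensor
# also observed the flow (the enforcement check of claim 5).
FLOWS = [{"src": "10.0.1.10", "dst": "10.0.2.20", "nbytes": 6000, "ts": 1000, "delivered": True},
         {"src": "10.0.1.11", "dst": "10.0.2.20", "nbytes": 900, "ts": 1010, "delivered": True},
         {"src": "10.0.1.10", "dst": "10.0.3.30", "nbytes": 200, "ts": 1020, "delivered": True}]

def find_policy(policies, src_epg, dst_epg):
    """First policy applicable to the (source EPG, destination EPG) pair."""
    return next((p for p in policies if (p.src_epg, p.dst_epg) == (src_epg, dst_epg)), None)

def update_utilization(policies, flows, epg_map):
    """Claims 1 and 6: attribute each flow to its policy, update the counters,
    and alert when a deny policy's traffic was nevertheless delivered."""
    alerts = []
    for f in flows:
        pol = find_policy(policies, epg_map[f["src"]], epg_map[f["dst"]])
        if pol is None:
            continue   # no applicable policy; not tracked in this example
        pol.flows += 1
        pol.nbytes += f["nbytes"]
        pol.last_used = max(pol.last_used, f["ts"])
        if pol.action == "deny" and f["delivered"]:
            alerts.append(f"deny {pol.src_epg}->{pol.dst_epg} not applied to {f['src']}->{f['dst']}")
    return alerts

def reorder_by_utilization(policies):
    """Claim 2: most-used policies first (stable sort keeps ties in place)."""
    policies.sort(key=lambda p: p.flows, reverse=True)
    return [(p.src_epg, p.dst_epg) for p in policies]

def prune_unused(policies, now, max_idle):
    """Claim 3: drop policies idle for longer than max_idle."""
    policies[:] = [p for p in policies if now - p.last_used <= max_idle]
    return [(p.src_epg, p.dst_epg) for p in policies]
```

Running the three functions in order over the constructed data yields one alert for the web->mgmt deny policy, moves the web->db policy to the head of the table, and drops the never-used mgmt->db policy.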
CPC classification titles:
- Drawing of charts or graphs
- based on quality criteria
- Policy-based network configuration management
- Processing captured monitoring data, e.g. for logfile generation
- comprising network management agents or mobile agents therefor