Processing data flows with a data flow processor
US-9800608-B2 · Oct 24, 2017 · US
US2016359740A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016359740-A1 |
| Application number | US-201615173210-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 3, 2016 |
| Priority date | Jun 5, 2015 |
| Publication date | Dec 8, 2016 |
| Grant date | — |
Abstract
Flow data can be augmented with features or attributes from other domains, such as attributes from a source host and/or destination host of a flow, a process initiating the flow, and/or a process owner or user. A network can be configured to capture network or packet header attributes of a first flow and determine additional attributes of the first flow using a sensor network. The sensor network can include sensors for networking devices (e.g., routers, switches, network appliances), physical servers, hypervisors or container engines, and virtual partitions (e.g., virtual machines or containers). The network can calculate a feature vector including the packet header attributes and additional attributes to represent the first flow. The network can compare the feature vector of the first flow to respective feature vectors of other flows to determine an applicable policy, and enforce that policy for subsequent flows.
Claims

1. A method comprising: capturing one or more packet header attributes for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow; determining one or more additional attributes of the first flow using at least the first sensor, the one or more additional attributes including at least one of a host attribute, a virtualization attribute, a process attribute, or a user attribute of the first flow; calculating a first feature vector that includes at least the one or more packet header attributes and the one or more additional attributes; determining a policy for the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow; and applying the policy to one or more third flows corresponding to the first flow.
2. The method of claim 1, further comprising: determining that the first flow corresponds to one of routine traffic, anomalous traffic, misconfigured traffic, or malicious traffic based at least in part on the similarity between the first feature vector and the second feature vector.
3. The method of claim 2, further comprising: determining that the similarity between the first feature vector and a second feature vector satisfies a first similarity threshold; and determining that a second similarity between the first feature vector and a third feature vector of a third flow satisfies a second similarity threshold.
4. The method of claim 1, further comprising: determining that a first endpoint that corresponds to the first flow and a second endpoint that corresponds to the second flow form at least a part of a first endpoint group based at least in part on the similarity between the first feature vector and the second feature vector.
5. The method of claim 4, further comprising: generating an application dependency map that includes at least the first endpoint group.
6. The method of claim 1, wherein at least one of the additional attributes is a combination of attributes from a single domain.
7. The method of claim 1, wherein at least one of the additional attributes is a combination of attributes from a plurality of domains.
8. The method of claim 7, wherein the plurality of domains include two or more of a network domain, a virtualization domain, a process domain, or a user domain.
9. The method of claim 7, wherein the plurality of domains includes at least a network domain.
10. The method of claim 1, further comprising: calculating a term frequency-inverse document frequency vector for at least one domain of the first flow.
11. The method of claim 10, further comprising: determining an l2 norm of the term frequency-inverse document frequency vector.
12. The method of claim 1, further comprising: capturing one or more second packet header attributes for the second flow using at least a third sensor of one of a second source endpoint or a second destination endpoint of the second flow and one or more fourth sensors of one or more second networking devices along a second path of the second flow; determining one or more second additional attributes of the second flow using at least the third sensor; and calculating the second feature vector that includes the one or more second packet header attributes and the one or more second additional attributes.
13. A system comprising: a processor; and memory including instructions that, upon being executed by the processor, cause the system to: receive network data for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow; determine additional data corresponding to the first flow using at least the first sensor, the additional data including at least one of an attribute of the source endpoint or the destination endpoint, an attribute of a process initiating the first flow, or an attribute of an owner of the process; calculate a first feature vector that includes at least the network data and the additional data; determine a policy applicable to the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow; and apply the policy to one or more third flows corresponding to the first flow.
14. The system of claim 13, wherein the instructions upon being executed further cause the system to: determine that the first flow corresponds to one of routine traffic, anomalous traffic, misconfigured traffic, or malicious traffic based at least in part on the similarity between the first feature vector and the second feature vector.
15. The system of claim 14, wherein the instructions upon being executed further cause the system to: determine that the similarity between the first feature vector and a second feature vector satisfies a first similarity threshold; and determine that a second similarity between the first feature vector and a third feature vector of a third flow satisfies a second similarity threshold.
16. The system of claim 15, wherein the additional data includes at least one attribute representing a combination of attributes from a single domain.
17. A non-transitory computer-readable medium having computer readable instructions that, upon being executed by a processor, cause the processor to: receive network data for a first flow using a plurality of sensors that includes at least a first sensor of one of a source endpoint or a destination endpoint of the first flow and one or more second sensors of one or more networking devices along a path of the first flow; determine additional data corresponding to the first flow using at least the first sensor, the additional data including at least one of an attribute of the source endpoint or the destination endpoint, an attribute of a process initiating the first flow, or an attribute of an owner of the process; calculate a first feature vector that includes at least the network data and the additional data; determine a policy applicable to the first flow based at least in part on a similarity between the first feature vector and a second feature vector of a second flow; and apply the policy to one or more third flows corresponding to the first flow.
18. The non-transitory computer-readable medium of claim 17, wherein the instructions upon being executed further cause the processor to: determine that a first endpoint that corresponds to the first flow and a second endpoint that corresponds to the second flow form at least a part of a first endpoint group based at least in part on the similarity between the first feature vector and the second feature vector.
19. The non-transitory computer-readable medium of claim 18, wherein the instructions further cause the processor to: generate an application dependency map that includes at least the first endpoint group.
20. The non-transitory computer-readable medium of claim 17, wherein the additional data includes at least one attribute representing a combination of attributes from a plurality of domains, and wherein the plurality of domains include two or more of a network domain, a virtualization domain, a process domain, or a user domain.
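The abstract and claims 1 to 5 and 10 to 11 describe one pipeline: tokenise each flow's attributes by domain (packet header, host, virtualization, process, user), weight them with TF-IDF per domain, L2-normalise, compare flows by similarity against a threshold, derive a policy from the closest known flow, and union similar flows' endpoints into endpoint groups. The following Python is an added illustration of that pipeline and is not the patent's or any product's code; the sample flows, endpoint names, reference labels, the smoothed IDF formula and the 0.9 threshold are all constructed for the example.

```python
from math import log, sqrt

# Constructed sample flows (not from the patent). Each flow carries attribute
# tokens from several domains: packet-header attributes from the network
# sensors plus host, virtualization, process and user attributes that only the
# endpoint-side sensor can report.
FLOWS = {
    "web-1": {"endpoint": "h-web-a", "network": ["tcp", "dport:443"],
              "host": ["linux", "role:web"], "virt": ["vm"],
              "process": ["nginx"], "user": ["www-data"]},
    "web-2": {"endpoint": "h-web-b", "network": ["tcp", "dport:443"],
              "host": ["linux", "role:web"], "virt": ["vm"],
              "process": ["nginx"], "user": ["www-data"]},
    "db-1": {"endpoint": "h-db-a", "network": ["tcp", "dport:5432"],
             "host": ["linux", "role:db"], "virt": ["container"],
             "process": ["postgres"], "user": ["postgres"]},
    "odd-1": {"endpoint": "h-web-c", "network": ["tcp", "dport:8081"],
              "host": ["linux", "role:web"], "virt": ["vm"],
              "process": ["unknown-bin"], "user": ["root"]},
}
DOMAINS = ("network", "host", "virt", "process", "user")

# Flows whose nature has already been established (constructed labels).
REFERENCE_LABELS = {"web-1": "routine", "db-1": "routine"}


def idf(domain, token, flows=FLOWS):
    """Smoothed inverse document frequency of a token within one domain.
    The +1 keeps weights positive even for tokens present in every flow."""
    n = len(flows)
    df = sum(1 for f in flows.values() if token in f[domain])
    return log((1 + n) / (1 + df)) + 1.0


def domain_vector(flow_id, domain, flows=FLOWS):
    """L2-normalised TF-IDF vector for one domain of one flow (claims 10-11)."""
    tokens = flows[flow_id][domain]
    raw = {}
    for tok in set(tokens):
        tf = tokens.count(tok) / len(tokens)
        raw[tok] = tf * idf(domain, tok, flows)
    norm = sqrt(sum(w * w for w in raw.values()))
    return {tok: w / norm for tok, w in raw.items()}


def feature_vector(flow_id, flows=FLOWS):
    """Concatenate the per-domain vectors into one multi-domain feature vector."""
    vec = {}
    for domain in DOMAINS:
        for tok, w in domain_vector(flow_id, domain, flows).items():
            vec[(domain, tok)] = w
    return vec


def cosine(a, b):
    """Cosine similarity of two sparse vectors keyed by (domain, token)."""
    dot = sum(w * b.get(k, 0.0) for k, w in a.items())
    na = sqrt(sum(w * w for w in a.values()))
    nb = sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb)


def similarity(flow_a, flow_b, flows=FLOWS):
    return cosine(feature_vector(flow_a, flows), feature_vector(flow_b, flows))


def classify(flow_id, threshold=0.9, flows=FLOWS, labels=REFERENCE_LABELS):
    """Policy decision (claims 1-3): adopt the label of the most similar
    reference flow when the similarity clears the threshold, otherwise flag
    the flow as anomalous so an analyst reviews it before a policy is applied."""
    best_ref, best_sim = None, -1.0
    for ref in labels:
        if ref == flow_id:
            continue
        s = similarity(flow_id, ref, flows)
        if s > best_sim:
            best_ref, best_sim = ref, s
    if best_ref is not None and best_sim >= threshold:
        return labels[best_ref]
    return "anomalous"


def endpoint_groups(threshold=0.9, flows=FLOWS):
    """Union endpoints whose flows are mutually similar (claim 4); the groups
    are the nodes an application dependency map (claim 5) would be drawn over."""
    parent = {f["endpoint"]: f["endpoint"] for f in flows.values()}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    ids = list(flows)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if similarity(a, b, flows) >= threshold:
                parent[find(flows[a]["endpoint"])] = find(flows[b]["endpoint"])
    groups = {}
    for ep in parent:
        groups.setdefault(find(ep), set()).add(ep)
    return [frozenset(g) for g in groups.values()]


if __name__ == "__main__":
    for fid in ("web-2", "odd-1"):
        print(fid, round(similarity(fid, "web-1"), 3), classify(fid))
    print(endpoint_groups())
```

Two points the numbers make visible: tokens shared by every flow (tcp, linux) get the minimum IDF weight, so the decision is driven by the attributes that actually distinguish flows, and a flow whose header and host attributes match a known-routine flow but whose process and user differ (odd-1) still falls well below the threshold, which is the cross-domain signal that header-only flow analysis cannot provide. The threshold is a tuning choice: too low and unrelated flows inherit a permissive policy, too high and every new deployment is flagged.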
CPC classification titles

- Drawing of charts or graphs
- based on quality criteria
- Policy-based network configuration management
- Layer 2 routing, e.g. in Ethernet based MAN's
- by comparing a transmitted test signal with a locally generated replica