Information reporting for anomaly detection

US9722906B2 · US · B2

Patent metadata
Publication number: US-9722906-B2
Application number: US-201514604570-A
Country: US
Kind code: B2
Filing date: Jan 23, 2015
Priority date: Jan 23, 2015
Publication date: Aug 1, 2017
Grant date: Aug 1, 2017

Abstract

Official abstract text for this publication.

In one embodiment, a first device in a network receives traffic flow data from a plurality of devices in the network. The traffic flow data from at least one of the plurality of devices comprises raw packets of a traffic flow. The first device selects a set of reporting devices from among the plurality of devices based on the received traffic flow data. The first device provides traffic flow reporting instructions to the selected set of reporting devices. The traffic flow reporting instructions cause each reporting device to provide sampled traffic flow data to an anomaly detection device.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: receiving, at a first device in a network, traffic flow data from a plurality of devices in the network, wherein the traffic flow data from at least one of the plurality of devices comprises raw packets of a traffic flow; selecting, by the first device, a set of reporting devices from among the plurality of devices based on the received traffic flow data; and providing, by the first device, traffic flow reporting instructions to the selected set of reporting devices, wherein the traffic flow reporting instructions cause each “of the selected” reporting device to provide sampled traffic flow data to an anomaly detection device.

2. The method as in claim 1, wherein the traffic flow data received by the first device from at least one of the plurality of devices comprises a summarized traffic flow record.

3. The method as in claim 1, further comprising: converting, by the first device, the raw packets of the traffic flow into a summarized traffic flow record.

4. The method as in claim 1, wherein selecting, by the first device, the set of reporting devices from among the plurality of devices based on the received traffic flow data comprises: selecting, by the first device, data regarding one or more intra-network traffic flows from the received traffic flow data; and using, by the first device, the data regarding the one or more intra-network traffic flows to select the set of reporting devices from among the plurality of devices.

5. The method as in claim 1, wherein selecting, by the first device, the set of reporting devices from among the plurality of devices based on the received traffic flow data comprises: selecting, by the first device, a minimal number of devices from among the plurality of devices as reporting devices, based on the received traffic flow data.

6. The method as in claim 1, further comprising: determining, by the first device, a reporting schedule for a particular reporting device in the set of reporting devices based on an expected amount of network congestion associated with the sampled traffic flow data, wherein the traffic flow reporting instruction provided to the particular reporting device identifies the reporting schedule.

7. The method as in claim 1, further comprising: determining, by the first device, a reporting path for a particular reporting device in the set of reporting devices that differs from a routing path between the particular reporting device and the first device and is computed by a routing protocol, wherein the traffic flow reporting instruction provided to the particular reporting device identifies the reporting path, and wherein the particular reporting device provides the sampled traffic flow data to the first device via the reporting path.

8. The method as in claim 7, wherein the first device determines the reporting path for the particular reporting device based on a history of the received traffic flow data.

9. The method as in claim 7, wherein the first device determines the reporting path for the particular reporting device based on routing data received by the first device via the routing protocol or from a network management server (NMS).

10. The method as in claim 1, wherein the first device is the anomaly detection device, the method further comprising: detecting, by the first device, an anomaly in the network using the sampled traffic flow data reported by the selected set of reporting devices.

11. The method as in claim 1, further comprising: receiving, at the first device, capability information from the plurality of devices, wherein the capability information from a particular one of the plurality of devices indicates whether the particular device is operable to generate summarized traffic flow records.

12. The method as in claim 1, wherein the raw packets of the traffic flow are copied by the at least one of the plurality of devices.

13. The method as in claim 1, wherein the traffic flow reporting instructions cause the at least one of the plurality of devices to provide raw traffic flow packets to another one of the plurality of devices, wherein the other one of the plurality of devices is configured to generate a summarized traffic flow record from the raw traffic flow packets and to provide the summarized traffic flow record to the anomaly detection device.

14. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute a process; and a memory configured to store the process executable by the processor, the process when executed operable to: receive traffic flow data from a plurality of devices in the network, wherein the traffic flow data from at least one of the plurality of devices comprises raw packets of a traffic flow; select a set of reporting devices from among the plurality of devices based on the received traffic flow data; and provide traffic flow reporting instructions to the selected set of reporting devices, wherein the traffic flow reporting instructions cause each “of the selected” reporting device to provide sampled traffic flow data to an anomaly detection device.

15. The apparatus as in claim 14, wherein the traffic flow data received by the apparatus from at least one of the plurality of devices comprises a summarized traffic flow record.

16. The apparatus as in claim 14, wherein the traffic flow reporting instruction provided to a particular reporting device comprises at least one of: data indicative of a reporting schedule or data indicative of a reporting path via which the particular reporting device is to send the sampled traffic flow data.

17. The apparatus as in claim 14, wherein the apparatus selects the set of reporting devices from among the plurality of devices based on the received traffic flow data by: selecting a minimal number of devices from among the plurality of devices as reporting devices, based on the received traffic flow data.

18. The apparatus as in claim 14, wherein the process when executed is further operable to: receive capability information from the plurality of devices, wherein the capability information from a particular one of the plurality of devices indicates whether the particular device is operable to generate summarized traffic flow records.
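The controller-side logic that claims 1, 3, 4, 5 and 11 describe (collect flow data, summarize raw packets from devices that cannot do so themselves, keep only intra-network flows, pick a minimal set of devices that together observe all of them, and hand each one export instructions) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not code from the patent or from Cisco. The device names, addresses, flows and the 1-in-N sampling instruction format are all constructed, and "minimal" is implemented with the standard greedy set-cover approximation, which the patent text does not specify.

```python
# Added illustration of the reporting-device selection described in claims 1, 3, 4, 5 and 11.
# Not Cisco's code; every device name, address, flow and instruction field below is constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Summarized traffic flow record keyed on the classic 5-tuple."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def summarize_packets(packets):
    """Convert raw packet headers into 5-tuple flow records (claim 3).

    Returns {Flow: {"packets": n, "bytes": n}}.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        key = Flow(pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += pkt["len"]
    return dict(flows)


def is_intra_network(flow, internal_prefix):
    """Claim 4: only flows whose endpoints are both inside the monitored network."""
    return flow.src.startswith(internal_prefix) and flow.dst.startswith(internal_prefix)


def select_reporting_devices(observed, internal_prefix):
    """Claim 5: choose a minimal set of devices that together see every intra-network flow.

    observed: {device_id: set of Flow records that device has seen}.
    Minimum set cover is NP-hard, so this uses the greedy approximation (an assumption,
    not the patent's method): repeatedly add the device covering the most flows still
    uncovered. Ties break on device name so the result is deterministic.
    """
    uncovered = {f for flows in observed.values() for f in flows
                 if is_intra_network(f, internal_prefix)}
    chosen = []
    while uncovered:
        best = max(sorted(observed), key=lambda d: len(observed[d] & uncovered))
        gain = observed[best] & uncovered
        if not gain:
            break  # remaining flows are seen by nobody; nothing more can be covered
        chosen.append(best)
        uncovered -= gain
    return chosen


def build_reporting_instructions(chosen, collector, sample_one_in_n):
    """Claim 1: per-device instructions saying where to export sampled flow data and at what rate."""
    return {d: {"export_to": collector, "sample_one_in_n": sample_one_in_n} for d in chosen}


# --- constructed sample input ------------------------------------------------------------
INTERNAL = "10.0."
F_A = Flow("10.0.1.5", "10.0.2.7", 6, 51000, 445)      # intra-network
F_B = Flow("10.0.1.5", "10.0.3.9", 6, 51001, 22)       # intra-network
F_C = Flow("10.0.2.7", "10.0.3.9", 6, 51002, 3389)     # intra-network
F_D = Flow("10.0.1.5", "203.0.113.8", 6, 51003, 443)   # leaves the network, ignored for selection

# sw1 reported that it cannot summarize (claim 11), so it copied raw packet headers instead.
RAW_PACKETS_SW1 = [
    {"src": "10.0.1.5", "dst": "10.0.2.7", "proto": 6, "sport": 51000, "dport": 445, "len": 60},
    {"src": "10.0.1.5", "dst": "10.0.2.7", "proto": 6, "sport": 51000, "dport": 445, "len": 1500},
    {"src": "10.0.1.5", "dst": "10.0.2.7", "proto": 6, "sport": 51000, "dport": 445, "len": 1500},
    {"src": "10.0.1.5", "dst": "10.0.3.9", "proto": 6, "sport": 51001, "dport": 22, "len": 74},
    {"src": "10.0.1.5", "dst": "203.0.113.8", "proto": 6, "sport": 51003, "dport": 443, "len": 74},
]
# The other devices can summarize and sent flow records directly (claim 2).
SUMMARIZED = {"sw2": {F_A, F_C}, "sw3": {F_B, F_C}, "edge1": {F_D}}


def run_controller():
    """The 'first device': merge everything it received, select, and build instructions."""
    observed = {"sw1": set(summarize_packets(RAW_PACKETS_SW1))}
    observed.update(SUMMARIZED)
    chosen = select_reporting_devices(observed, INTERNAL)
    return chosen, build_reporting_instructions(chosen, "10.0.0.2:2055", 100)


if __name__ == "__main__":
    devices, instructions = run_controller()
    print("reporting devices:", devices)
    for dev, instr in instructions.items():
        print(f"  {dev}: export to {instr['export_to']}, sample 1-in-{instr['sample_one_in_n']}")
```

With the constructed input, sw1 and sw2 together cover all three intra-network flows, so sw3 and edge1 are left alone and the anomaly detector receives sampled records from only two exporters. The point from a monitoring-design view is that coverage is decided from observed intra-network flows, not from topology, so a host-to-host flow that never crosses an edge device is still reported by something that saw it.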

Assignees

Cisco Tech Inc
Inventors

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • H04L43/12 (Primary) · Network monitoring probes · CPC title

  • Network architectures or network communication protocols for network security (cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00; network architectures or network communication protocols for wireless network security H04W12/00; security arrangements for protecting computers or computer systems against unauthorised activity G06F21/00) · CPC title

  • related to network traffic · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9722906B2 cover?
In one embodiment, a first device in a network receives traffic flow data from a plurality of devices in the network. The traffic flow data from at least one of the plurality of devices comprises raw packets of a traffic flow. The first device selects a set of reporting devices from among the plurality of devices based on the received traffic flow data. The first device provides traffic flow re…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 1, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).