This application is related to U.S. patent application Ser. No. 15/883,534, entitled, “Network Application Security Policy Enforcement,” filed on Jan. 30, 2018, which is hereby incorporated by reference herein.
Applications connected by network infrastructure communicate with each other in order to share data and perform business operations. Computers known as “load balancers” often are used to balance the load of network communications between computers. In general, a load balancer is a computer that sits between machines which use a service and the servers that supply that service, and which balances the workload among such servers in order to avoid overloading any one server and thereby to improve network performance.
Networked systems such as those described in the above-referenced Pat. App. Ser. No. 62/457,508 may include many computers that act as load balancers. Although it would be useful for a variety of purposes to know which computers in the system are load balancers, the identity of such load balancers is not typically known a priori to other computers on the network.
Computer-implemented systems and methods automatically identify computers that act as load balancers on a digital communications network, using data collected from one or more computers on that network. Once a load balancer has been identified, the communications between two hosts may be connected across the identified load balancer, thereby making it possible to better analyze the behavior of hosts and applications on that network.
Other features and advantages of various aspects and embodiments of the present invention will become apparent from the following description and from the claims.
Embodiments of the present invention include computer-implemented systems and methods for automatically identifying load balancers on a digital communications network, using data collected from one or more computers on that network. Once a load balancer has been identified, the communications between two hosts may be connected across the identified load balancer, thereby making it possible to better analyze the behavior of hosts and applications on that network.
Referring to
The system 100 includes a source system 102a and a destination system 102b. A “system,” as that term is used herein (e.g., the source system 102a and/or destination system 102b), may be any device and/or software operating environment that is addressable over an Internet Protocol (IP) network. For example, each of the source system 102a and the destination system 102b may be any type of physical or virtual computing device, such as a server computer, virtual machine, desktop computer, laptop computer, tablet computer, smartphone, or wearable computer. The source system 102a and the destination system 102b may have the same or different characteristics. For example, the source system 102a may be a smartphone and the destination system 102b may be a server computer. A system (such as the source system 102a and/or destination system 102b) may include one or more other systems, and/or be included within another system. As merely one example, a system may include a plurality of virtual machines, one of which may include the source system 102a and/or destination system 102b.
The source system 102a and destination system 102b are labeled as such in
The source system 102a includes a source application 104a (which may, for example, be installed and executing on the source system 102a) and the destination system 102b includes a destination application 104b (which may, for example, be installed and executing on the destination system 102b). Each of these applications 104a and 104b may be any kind of application, as that term is used herein. The source application 104a and the destination application 104b may have the same or different characteristics. For example, the source application 104a and destination application 104b may both be the same type of application or even be instances of the same application. As another example, the source application 104a may be a client application and the destination application 104b may be a server application, or vice versa.
The source system 102a includes a local security agent 106a and the destination system 102b includes a local security agent 106b. More generally, a local security agent may be contained within (e.g., installed and executing on) any system that executes one or more applications to which the security techniques disclosed herein are to be applied. A local security agent may, for example, execute within the same operating system on the same system as the application(s) that the local security agent monitors. Each such local security agent (e.g., the local security agents 106a and 106b) may include any combination of hardware and/or software for performing the functions disclosed herein.
The system 100 also includes a policy management engine 110. The policy management engine may include any combination of hardware and/or software for performing the functions disclosed herein. In the particular embodiment illustrated in
Some or all of the local security agents 106a-b may report the state of the local applications as well as the state of the network on their system to the policy management engine 110. For example, in
Similarly, the local security agent 106b on the destination system 102b may obtain and transmit state information for the destination application 104b (and for any other applications executing on the destination system 102b) and for the network configuration information of destination system 102b and transmit such information via communication 116 to the policy management engine 110 in any of the ways disclosed above in connection with the local security agent 106a, the source system 102a, the source application 104a, and the communication 114.
The policy management engine 110 may receive the transmitted state information from communications 114 and 116 and store some or all of it in any suitable form. As described above, such state information may include both application state information and network topology information (e.g., addresses, listening ports, broadcast zones). The policy management engine 110 may, for example, store such state information from communications 114 and 116 in a log (e.g., database) of state information received from one or more local security agents (e.g., local security agents 106a-b) over time. Such a log may include, for each unit of state information received, an identifier of the system (e.g., source system 102a or destination system 102b) from which the state information was received. In this way, the policy management engine 110 may build and maintain a record of application state and network configuration information from various systems over time.
Referring to
The system 200 includes a plurality of computers 202a-d. Although four computers 202a-d are shown in
The system 200 also includes a network 206, which may be any digital communications network (or combination of such networks), such as a private intranet or the public Internet. The computers 202a-d communicate with each other, and with the management server 204, in any of a variety of ways over the network 206. Communications 208a-e in
Some of the computers 202a-d may contain management software. In the particular example of
As described in more detail below, managed computers in the network (e.g., computers 202a and 202b) use their management software (e.g., management software 210a and 210b, respectively) to inform the management server 204 about which applications on those computers are in communication with other computers on the network 206. Examples of how managed computers may perform this function in cooperation with the management server 204 are described in more detail in Pat. App. Ser. No. 62/457,508. For example, managed computers in the system 200 of
The system 200 may distinguish between communications 208a-e among computers in the network 206 (e.g., computers 202a-d and management server 204) and communications (not shown) which leave the network 206, using techniques that are well-known to those having ordinary skill in the art. The latter communications are not described herein.
As will now be described, the system 200 and method 300 may automatically discover load balancers in the system 200, i.e., determine which of the computers 202a-d in the system 200 is a load balancer. Typically, although not necessarily, a load balancer has load balancer software installed on it and few or no other applications installed on it, so that the load balancer can devote its resources primarily to performing the function of load balancing. In some cases a load balancer may be prohibited from having software other than load balancer software installed on it.
The system 200 includes a load balancer detector 212, which may be a “system,” as that term is used herein. A “system,” as that term is used herein, may be any device and/or software operating environment that is addressable over an Internet Protocol (IP) network. For example, a system may be any type of physical or virtual computing device, such as a server computer, virtual machine, desktop computer, laptop computer, tablet computer, smartphone, or wearable computer. Any two systems may have the same or different characteristics as each other. For example, one system may be a smartphone and another system may be a server computer. A system may include one or more other systems, and/or be included within another system. As merely one example, a system may include one or more virtual machines. In
Although the management server 204 and the load balancer detector 212 are shown as separate elements in
Without loss of generality, assume that the load balancer detector 212 receives messages, over the network 206, which may, for example, be messages sent from managed computers 202a-b or messages containing information about messages sent from managed computers 202a-b, in the following format: {in/out, managedHost, unmanagedHost, size, timestamp}. In this tuple:
Note that the network communications that are evaluated by the load balancer detector 212 to automatically identify load balancers will always be between managed and unmanaged hosts. The reason is that if both hosts that are party to a connection are managed, then the connection does not involve a load balancer and the connection need not be taken into account by the load balancer detector 212, even if messages for that connection are received by the load balancer detector. On the other hand, if both hosts that are party to a connection are unmanaged, then the messages transmitted between those hosts within the connection are not seen by the load balancer detector 212 at all.
As will now be described in more detail, the method 300 of
In general, communications 214 are communications between the load balancer detector 212 and other computers on the network 206. For example, the communications 214 may include: (1) communications sent from and/or to managed computers (e.g., computers 202a and 202b), such communications intercepted from and/or to such computers; and (2) communications sent from the management server 204 to the load balancer detector 212, representing communications received from and/or sent to managed computers (e.g., computers 202a and 202b) in the network 206. The management server 204 may, for example, use any of the techniques disclosed in Pat. App. Ser. No. 62/457,508 and in connection with
If all of the systems that connect to a particular (unmanaged) load balancer in the network 206 are managed computers, then the management server 204 will receive information about all communications received and sent by the load balancer, and the load balancer detector 212 will receive information about all such communications. In this case, the load balancer detector 212 may identify such a load balancer as follows. As the load balancer detector 212 receives information about communications to and from a particular unmanaged computer on the network 206 (
The process just described is most accurate when applied to a sufficiently large quantity of communications to and from the unmanaged computer over a sufficiently large amount of time. The same process may, however, be applied to a smaller quantity of communications over a shorter amount of time, although the determination made by such a process (in operation 304 of
A more serious complication is that not every system which sends and/or receives flows from a load balancer is a managed computer (i.e., not every such system has an agent, such as agents 210a and 210b, installed on it). Therefore, when a communication between a managed computer and an unmanaged computer passes through a load balancer, the management server 204 (and therefore the load balancer detector 212) only receives information about the managed half of that communication. As a result, the inbound size of the communication that is detected by the load balancer detector 212 will differ from the outbound size of the same communication as detected by the load balancer detector 212.
Embodiments of the present invention may solve the problem created by this complication using the method 400 of
Once the inbound and outbound communications have been matched in this way, the load balancer detector 212 may calculate, for each timestamp window, an approximate fraction of the sizes of the inbound and outbound communications to the unmanaged system within that timestamp window, by counting the matched inbound communications and the matched outbound communications within that timestamp window (
The load balancer detector 212 may then determine whether the matched fraction satisfies a predetermined criterion (
The method 400 of
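The matching step described above can be made concrete with a small detector. The following is an added example written for this page, not code from the patent or from any product it describes. It assumes flow records in the tuple shape given in the text, {in/out, managedHost, unmanagedHost, size, timestamp}, with the direction taken relative to the managed host ("out" means the managed host sent the bytes to the unmanaged host); the matching tolerance, the window width, the 80% threshold and the minimum flow count are all assumptions standing in for the text's "predetermined criterion". The sample flows are constructed.

```python
from collections import defaultdict, namedtuple
from statistics import mean

# One observed communication in the tuple shape from the text. Direction is
# relative to the managed host (assumption): "out" = managed -> unmanaged,
# "in" = unmanaged -> managed.
Flow = namedtuple("Flow", "direction managed unmanaged size timestamp")


def split_by_unmanaged(flows):
    """Group flows per unmanaged host U into (arriving at U, leaving U)."""
    inbound = defaultdict(list)   # managed -> U, i.e. direction "out"
    outbound = defaultdict(list)  # U -> managed, i.e. direction "in"
    for f in flows:
        if f.direction == "out":
            inbound[f.unmanaged].append(f)
        elif f.direction == "in":
            outbound[f.unmanaged].append(f)
    return inbound, outbound


def match_flows(inbound, outbound, tolerance):
    """Pair each inbound flow with a not-yet-used outbound flow of identical
    size whose timestamp falls within `tolerance` seconds after it.
    Returns a list of (inbound_index, outbound_index) pairs."""
    order = sorted(range(len(outbound)), key=lambda j: outbound[j].timestamp)
    used, pairs = set(), []
    for i in sorted(range(len(inbound)), key=lambda i: inbound[i].timestamp):
        f = inbound[i]
        for j in order:
            g = outbound[j]
            if j in used or g.size != f.size:
                continue
            if 0 <= g.timestamp - f.timestamp <= tolerance:
                used.add(j)
                pairs.append((i, j))
                break
    return pairs


def window_fractions(inbound, outbound, tolerance, window_width):
    """Matched fraction per timestamp window: flows in the window that belong
    to a matched pair, divided by all flows observed in that window."""
    pairs = match_flows(inbound, outbound, tolerance)
    matched_in = {i for i, _ in pairs}
    matched_out = {j for _, j in pairs}
    counts = defaultdict(lambda: [0, 0])  # window -> [matched, total]
    for flows, matched in ((inbound, matched_in), (outbound, matched_out)):
        for idx, f in enumerate(flows):
            w = int(f.timestamp // window_width)
            counts[w][1] += 1
            if idx in matched:
                counts[w][0] += 1
    return {w: m / t for w, (m, t) in counts.items()}


def detect_load_balancers(flows, tolerance=0.1, window_width=1.0,
                          threshold=0.8, min_flows=4):
    """Return {unmanaged_host: (mean matched fraction, is_load_balancer)}.
    Decision rule (assumption): mean per-window fraction >= threshold,
    with at least min_flows observations for the host."""
    inbound, outbound = split_by_unmanaged(flows)
    verdicts = {}
    for host in sorted(set(inbound) | set(outbound)):
        fr = window_fractions(inbound[host], outbound[host], tolerance, window_width)
        score = mean(fr.values()) if fr else 0.0
        enough = len(inbound[host]) + len(outbound[host]) >= min_flows
        verdicts[host] = (round(score, 3), enough and score >= threshold)
    return verdicts


# Constructed sample: 10.0.0.5 behaves like a load balancer (every byte count
# entering it reappears milliseconds later leaving it); 10.0.0.9 is an
# ordinary unmanaged server whose request and reply sizes never match.
SAMPLE_FLOWS = [
    Flow("out", "c1", "10.0.0.5", 512, 100.000), Flow("in", "s1", "10.0.0.5", 512, 100.004),
    Flow("out", "c1", "10.0.0.5", 2048, 100.010), Flow("in", "s2", "10.0.0.5", 2048, 100.013),
    Flow("out", "s1", "10.0.0.5", 8192, 100.050), Flow("in", "c1", "10.0.0.5", 8192, 100.053),
    Flow("out", "c2", "10.0.0.5", 300, 101.200), Flow("in", "s1", "10.0.0.5", 300, 101.203),
    Flow("out", "c1", "10.0.0.9", 400, 200.000), Flow("in", "c1", "10.0.0.9", 9000, 200.020),
    Flow("out", "c2", "10.0.0.9", 410, 201.000), Flow("in", "c2", "10.0.0.9", 9100, 201.030),
]

if __name__ == "__main__":
    for host, (score, is_lb) in detect_load_balancers(SAMPLE_FLOWS).items():
        print(f"{host}: matched fraction {score:.2f}, load balancer: {is_lb}")
```

The tolerance bounds how long a load balancer may hold a request before forwarding it; the window width controls how finely the fraction is tracked over time, which is what lets a host be re-evaluated as more traffic accumulates, as the text notes the process is most accurate over a sufficiently long observation period.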
The modified method just described may be made to execute more efficiently in a variety of ways by embodiments of the present invention. In general, such increased efficiency may be obtained by approximating the size requirement as the size of the intersection between two sets of {timestamp, size} tuples, one of which is extracted from the inbound data of an unmanaged system, and the other of which is extracted from the outbound data for the same unmanaged system. For example, the MinHash data structure may be used to succinctly, quickly, and accurately approximate the size of the intersection between two sets, and may be applied to the data extracted for the unmanaged system to obtain an approximation of the size of the intersection between the two sets described above. The MinHash data structure estimates the Jaccard similarity of two sets, which is defined as: J(A,B) = |A ∩ B| / |A ∪ B|.
Therefore, to approximate the balance between two unmanaged systems A and B, embodiments of the present invention may calculate the size of the intersection of the inbound MinHash of system A with the outbound MinHash of system B, and add to it the size of the intersection of the inbound MinHash of system B with the outbound MinHash of system A. Stated differently, in pseudocode:
Embodiments of the present invention may then examine all possible unique pairs of unmanaged hosts A and B for which minHashValue(A,B) > 0. This reduces the processing time by several orders of magnitude compared to the previously-described method, because fewer than one pair in a thousand has a non-zero minHashValue.
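The following is an added example, written for this page and not taken from the patent, showing the MinHash-based approximation for a load balancer whose inbound and outbound sides use different addresses. It builds a MinHash signature over the set of (timestamp, size) tuples seen on each side of each unmanaged host, estimates J(A,B) as the fraction of signature positions on which two signatures agree, and converts that estimate into an intersection size using |A ∩ B| = J·(|A| + |B|) / (1 + J), which follows from |A ∪ B| = |A| + |B| - |A ∩ B|. It then computes minHashValue(A,B) as the text describes and keeps only pairs with a non-zero value. Assumptions not in the text: timestamps are quantized to a one-second window before being placed in the set so that corresponding tuples compare equal, 128 hash functions are used, the hash is BLAKE2b seeded per position, and the flow records are constructed.

```python
import hashlib
import struct
from collections import defaultdict
from itertools import combinations

NUM_HASHES = 128  # number of independent min-hash positions (assumption)


def _hash(seed, item):
    """Deterministic 64-bit hash of a (window, size) tuple under one seed."""
    data = f"{seed}:{item[0]}:{item[1]}".encode()
    return struct.unpack("<Q", hashlib.blake2b(data, digest_size=8).digest())[0]


class MinHash:
    """MinHash signature of a set of (window, size) tuples, plus its exact size."""

    def __init__(self, items, num_hashes=NUM_HASHES):
        items = set(items)
        self.size = len(items)                      # |A|
        self.num_hashes = num_hashes
        self.mins = [2 ** 64 - 1] * num_hashes
        for it in items:
            for s in range(num_hashes):
                h = _hash(s, it)
                if h < self.mins[s]:
                    self.mins[s] = h

    def jaccard(self, other):
        """Estimate J(A,B) = |A ∩ B| / |A ∪ B| as the fraction of positions
        whose minimum hash agrees; that probability equals J exactly."""
        agree = sum(a == b for a, b in zip(self.mins, other.mins))
        return agree / self.num_hashes

    def intersection_size(self, other):
        """|A ∩ B| = J (|A| + |B|) / (1 + J), from |A ∪ B| = |A| + |B| - |A ∩ B|."""
        j = self.jaccard(other)
        return j * (self.size + other.size) / (1.0 + j)


def build_signatures(flows, window=1.0):
    """Per unmanaged host: (MinHash of tuples arriving, MinHash of tuples leaving).
    Flow shape follows the text: (in/out, managedHost, unmanagedHost, size, timestamp),
    direction relative to the managed host (assumption)."""
    arriving, leaving = defaultdict(set), defaultdict(set)
    for direction, _managed, unmanaged, size, ts in flows:
        tup = (int(ts // window), size)              # quantize the timestamp
        (arriving if direction == "out" else leaving)[unmanaged].add(tup)
    return {h: (MinHash(arriving[h]), MinHash(leaving[h]))
            for h in set(arriving) | set(leaving)}


def min_hash_value(sig_a, sig_b):
    """minHashValue(A,B): est|in(A) ∩ out(B)| + est|in(B) ∩ out(A)|."""
    a_in, a_out = sig_a
    b_in, b_out = sig_b
    return a_in.intersection_size(b_out) + b_in.intersection_size(a_out)


def candidate_pairs(signatures):
    """Unordered host pairs with minHashValue > 0, as (hostA, hostB, value)."""
    found = []
    for (ha, sa), (hb, sb) in combinations(sorted(signatures.items()), 2):
        v = min_hash_value(sa, sb)
        if v > 0:
            found.append((ha, hb, v))
    return found


# Constructed sample: a load balancer receives requests on 10.0.1.1 and forwards
# them from 10.0.1.2 (replies flow the other way); 10.0.2.7 is unrelated.
SAMPLE_FLOWS = [
    ("out", "c1", "10.0.1.1", 512, 100.01), ("in", "s1", "10.0.1.2", 512, 100.02),
    ("out", "c1", "10.0.1.1", 2048, 100.30), ("in", "s2", "10.0.1.2", 2048, 100.31),
    ("out", "c2", "10.0.1.1", 300, 101.10), ("in", "s1", "10.0.1.2", 300, 101.12),
    ("out", "c2", "10.0.1.1", 8192, 101.50), ("in", "s2", "10.0.1.2", 8192, 101.52),
    ("out", "c3", "10.0.1.1", 777, 102.00),   # seen on the inbound side only
    ("in", "s1", "10.0.1.2", 999, 103.00),    # seen on the outbound side only
    ("out", "s1", "10.0.1.2", 4096, 101.70), ("in", "c1", "10.0.1.1", 4096, 101.71),
    ("out", "c1", "10.0.2.7", 400, 200.00), ("in", "c1", "10.0.2.7", 9000, 200.05),
]

if __name__ == "__main__":
    for a, b, v in candidate_pairs(build_signatures(SAMPLE_FLOWS)):
        print(f"{a} <-> {b}: estimated shared tuples {v:.1f}")
```

For the sample, the inbound set of 10.0.1.1 and the outbound set of 10.0.1.2 share four of six tuples, so the estimate for that direction is close to 4 (it varies slightly with the hash seeds), the reply direction contributes exactly 1, and the unrelated host produces no candidate pair because disjoint sets never agree on a minimum hash.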
Embodiments of the present invention may automatically identify load balancers which are set up in various other ways. Some additional examples, without limitation, are as follows.
In some situations, multiple incoming requests may be combined by a load balancer into a single combined request, and the combined request may be sent to a single host server for processing. Although this affects the number of connections on the inbound side of the load balancer relative to the number of connections on the outbound side, the size should remain the same in the face of such combining. However, in this situation, it is no longer possible to find the size requirement in the data by matching timestamps and sizes directly, because one side's timestamp/size combination is represented on the other side by a set of timestamp/size pairs, with the condition that the sum of all of the sizes is the same on both sides. Embodiments of the present invention may find where the size requirement is satisfied in this situation using a more elaborate method than the method described above in connection with multi-address load balancers. Embodiments of the present invention may, however, still find the size requirement in the data by determining whether the sum of all of the sizes on the inbound side of the candidate load balancer is approximately the same as the sum of the sizes on the outbound side of the load balancer.
A load balancer which combines multiple incoming requests into a single outgoing request, however, makes the MinHash method described above much more difficult to apply. Embodiments of the present invention may apply a modified version of the MinHash method described above to find the size requirement in the data for a load balancer that combines multiple inbound requests into one outbound request, by combining the (timestamp, size) tuples from all of the set members. This allows clean comparisons of the sizes.
As described above, some load balancers have one IP address on the inbound side and a different IP address on the outbound side. Furthermore, some load balancers have multiple IP addresses on the inbound side, multiple IP addresses on the outbound side, or multiple IP addresses on both the inbound side and the outbound side. Embodiments of the present invention may find the size requirement in the data for such load balancers by considering sets of unmanaged hosts, rather than merely pairs of unmanaged hosts. If the maximum size of the set under consideration is limited to K, then the computational complexity required to evaluate such sets increases from O(n²) to O(n^K). In general, the techniques disclosed herein may be modified to evaluate such sets, and thereby to find the size requirement in the data even for load balancers which have multiple IP addresses on one or both sides. K may be selected to have any value.
One of the advantages of embodiments of the present invention is that it may be used to automatically identify systems (e.g., computers) on a network which are load balancers, without any a priori knowledge of which systems are load balancers, and based solely on observing network traffic among systems on the network. Embodiments of the present invention do not require load balancers to be managed in order to detect such load balancers. Furthermore, embodiments of the present invention do not even require all systems that are parties to communications to be managed systems in order to detect load balancers. Once load balancers have been identified automatically using embodiments of the present invention, embodiments of the present invention may connect communications between two systems across one or more such identified load balancers, thereby improving the efficiency of network communications.
It is to be understood that although the invention has been described above in terms of particular embodiments, the foregoing embodiments are provided as illustrative only, and do not limit or define the scope of the invention. Various other embodiments, including but not limited to the following, are also within the scope of the claims. For example, elements and components described herein may be further divided into additional components or joined together to form fewer components for performing the same functions.
The solution described in this patent discovers at least two types of load balancers. First, “proxy load balancers,” where the connection from the source system is terminated at the load balancer, and a new connection is then initiated to the destination system. Second, “pass-through load balancers,” which maintain end-to-end connectivity between source and destination using methods similar to network address translation (NAT). Amazon's network load balancer (NLB) is an example of a pass-through load balancer, as is Google's NLB. Amazon's elastic load balancer (ELB) and application load balancer (ALB) are both examples of proxy load balancers.
Any of the functions disclosed herein may be implemented using means for performing those functions. Such means include, but are not limited to, any of the components disclosed herein, such as the computer-related components described below.
The techniques described above may be implemented, for example, in hardware, one or more computer programs tangibly stored on one or more computer-readable media, firmware, or any combination thereof. The techniques described above may be implemented in one or more computer programs executing on (or executable by) a programmable computer including any combination of any number of the following: a processor, a storage medium readable and/or writable by the processor (including, for example, volatile and non-volatile memory and/or storage elements), an input device, and an output device. Program code may be applied to input entered using the input device to perform the functions described and to generate output using the output device.
Embodiments of the present invention include features which are only possible and/or feasible to implement with the use of one or more computers, computer processors, and/or other elements of a computer system. Such features are either impossible or impractical to implement mentally and/or manually. For example, embodiments of the present invention automatically receive, transmit, and analyze communications on a digital communications network, and automatically identify computer systems that perform the function of load balancing on the network. Such features are applicable only within the context of networked communications, cannot be performed mentally and/or manually, and solve a problem that is necessarily rooted in network technology using a computer-automated solution.
Any claims herein which affirmatively require a computer, a processor, a memory, or similar computer-related elements, are intended to require such elements, and should not be interpreted as if such elements are not present in or required by such claims. Such claims are not intended, and should not be interpreted, to cover methods and/or systems which lack the recited computer-related elements. For example, any method claim herein which recites that the claimed method is performed by a computer, a processor, a memory, and/or similar computer-related element, is intended to, and should only be interpreted to, encompass methods which are performed by the recited computer-related element(s). Such a method claim should not be interpreted, for example, to encompass a method that is performed mentally or by hand (e.g., using pencil and paper). Similarly, any product claim herein which recites that the claimed product includes a computer, a processor, a memory, and/or similar computer-related element, is intended to, and should only be interpreted to, encompass products which include the recited computer-related element(s). Such a product claim should not be interpreted, for example, to encompass a product that does not include the recited computer-related element(s).
Each computer program within the scope of the claims below may be implemented in any programming language, such as assembly language, machine language, a high-level procedural programming language, or an object-oriented programming language. The programming language may, for example, be a compiled or interpreted programming language.
Each such computer program may be implemented in a computer program product tangibly embodied in a machine-readable storage device for execution by a computer processor. Method steps of the invention may be performed by one or more computer processors executing a program tangibly embodied on a computer-readable medium to perform functions of the invention by operating on input and generating output. Suitable processors include, by way of example, both general and special purpose microprocessors. Generally, the processor receives (reads) instructions and data from a memory (such as a read-only memory and/or a random access memory) and writes (stores) instructions and data to the memory. Storage devices suitable for tangibly embodying computer program instructions and data include, for example, all forms of non-volatile memory, such as semiconductor memory devices, including EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROMs. Any of the foregoing may be supplemented by, or incorporated in, specially-designed ASICs (application-specific integrated circuits) or FPGAs (Field-Programmable Gate Arrays). A computer can generally also receive (read) programs and data from, and write (store) programs and data to, a non-transitory computer-readable storage medium such as an internal disk (not shown) or a removable disk. These elements will also be found in a conventional desktop or workstation computer as well as other computers suitable for executing computer programs implementing the methods described herein, which may be used in conjunction with any digital print engine or marking engine, display monitor, or other raster output device capable of producing color or gray scale pixels on paper, film, display screen, or other output medium.
Any data disclosed herein may be implemented, for example, in one or more data structures tangibly stored on a non-transitory computer-readable medium. Embodiments of the invention may store such data in such data structure(s) and read such data from such data structure(s).
Number | Date | Country
---|---|---
20190149444 A1 | May 2019 | US

Number | Date | Country
---|---|---
62584456 | Nov 2017 | US