Patent Grant
10812348
This invention relates generally to data network and more particularly to a network node automatically capturing network data during an anomaly.
Both consumer computing and business computing are moving at a fast pace toward mobile computing and cloud computing. Data networks that support mobile computing and cloud computing needs are growing at accelerated rates. These data networks behave differently from prior data networks supporting mostly static computing environments such as desktops, offices, and server rooms. In a mobile computing environment, users do not stay in a place for a long time. They move from place to place in a matter of hours, minutes, or even seconds as the users may be in a driving vehicle or strolling on a street. In a cloud computing environment, enterprise or service servers are allocated in different data centers in different locations, perhaps in different cities or countries. The servers may be allocated on demand and may be brought to service in a matter of minutes. Therefore, in today's data networks, it is difficult, if not impossible, to predict where a user terminal is or where a server is for a network service session. The task for a network administrator to troubleshoot a data network is very difficult. Once a data network is put in place based on a current plan, a network administrator must oversee the usage of the data network and address any usage anomaly due to unexpected usage or failure of the network. Typically, a usage anomaly occurs when a service becomes popular, leading to excessive server access, or when a resource or facility fails causing traffic to be routed and congested. In the new mobile and cloud computing environments, the same usage showing a healthy functioning data network yesterday may lead to a congested server without any failure of data network. In part, the anomaly may be caused by changing locations of mobile users. In part, it may be caused by changing of allocation of servers. In part, it may be caused by a combination of mobile users and server allocation. When an anomaly occurs, it is important for the network administrator to examine detailed data to determine the cause, so as to correct the configurations of the data network.
It should be apparent from the foregoing that there is a need to provide a smart analyzer to assist a network element to capture detailed network data during a network usage anomaly.
This summary is provided to introduce a selection of concepts in a simplified form that are further described in the Detailed Description below. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
According to some embodiments, the present technology is directed to a network node for detecting and storing network usage anomalies, the network node storing instructions that when executed by at least one processor: establish a baseline usage by applying at least one baselining rule to network traffic to generate baseline statistics; detect an anomaly usage by applying at least one anomaly rule to network traffic and generating an anomaly event; and capture network data according to an anomaly event by triggering at least one capturing rule to be applied to network traffic when an associated anomaly event is generated.
According to other embodiments, the present technology is directed to a corresponding method for capturing network data during a network usage anomaly based on a network usage model.
Embodiments are illustrated by way of example and not by limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
The following detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show illustrations in accordance with example embodiments. These example embodiments, which are also referred to herein as “examples,” are described in enough detail to enable those skilled in the art to practice the present subject matter. The embodiments can be combined, other embodiments can be utilized, or structural, logical, and electrical changes can be made without departing from the scope of what is claimed. The following detailed description is therefore not to be taken in a limiting sense, and the scope is defined by the appended claims and their equivalents.
In exemplary embodiments, service node 301 includes a smart analyzer 362 to process network traffic 121 based on network usage model 351. Network usage model 351 may include at least one baselining rule 411, at least one anomaly rule 421, or at least one data capturing rule 441. In some embodiments, smart analyzer 362 processes baselining rules 411 and generates baseline statistics 412; processes anomaly rules 421 and generates at least one anomaly event 422; and processes capturing rules 441 to generate captured data 442. In further embodiments, smart analyzer 362 processes anomaly rules 421 together with baselining rules 411 and/or baseline statistics 412 to generate anomaly event 422. In some embodiments, smart analyzer 362 processes capturing rules 441 according to anomaly event 422 to generate captured data 442 for anomaly event 422.
In exemplary embodiments, service node 301 stores baseline statistics 412, anomaly event 422, and/or captured data 442 in a storage medium of service node 301. Service node 301 may send baseline statistics 412, anomaly event 422, and/or captured data 442 to network controller 367 computing device, which may be a network computer such as a network management system for storage or for further processing.
Returning to
In exemplary embodiments, service node 301 is a network node and includes at least one of a functionality of a firewall, a SSL proxy gateway, a server load balancer (SLB), an application delivery controller (ADC), a threat protection system (TPS), a secure traffic manager, a legal interception gateway, a virtual private network (VPN) gateway, or a TCP proxy gateway. In another embodiment, service node 301 includes at least one of a functionality of a network switch, a network router, a security network appliance, a broadband gateway, a broadband remote access system, or a layer 2 or layer 3 network element.
In some embodiments, smart analyzer 362 includes a piece of software residing and executing in service node 301. In exemplary embodiments, smart analyzer 362 includes at least one of a processor module, a storage module, or a piece of hardware-based network processing module.
Data network 500 may include an Ethernet network, an ATM network, a cellular network, a wireless network, a Frame Relay network, an optical network, an IP network or any data communication network utilizing other physical layer, link layer capability or network layer to carry data packets. Additionally, data network 500 may include a corporate network, a data center network, the Internet, a service provider network, or a mobile operator network.
In some embodiments, baselining rules 411 include a time duration 416 indicating a duration of time where the baselining rules 411 are to be applied to generate baseline statistics 412. For example, time duration 416 may include morning hours, 5 am-8 am, lunch hour, 12 pm-2 pm, evening, weekend, a day of a year, February 14, a range of days, June 1-August 15, day of a week, Monday morning, Friday evening, 12:15 pm-4:27 pm today, or any duration of time or days. In exemplary embodiments, smart analyzer 362 is connected to a clock 365 and checks clock 365 against time duration 416 to start and stop applying baselining rules 411.
In various embodiments, baselining rules 411 include usage 418, indicating at least one quantitative counter to be calculated by smart analyzer 362 in order to generate baseline statistics 412. Usage 418 may indicate packet length, session count, bandwidth utilization, a rate, such as rate per second, rate per minute, rate per hour, rate per day, rate per millisecond, or other types. For example, combining usage 418, filter 419, and time duration 416, baselining rules 411 may specify to smart analyzer 362 to count packet lengths of IP packets over an interface where the destination IP address is in range 134.154.1.0 to 134.154.27.234, or to count HTTP session rate per minute during Christmas 2015 for domain names abc.com and google.com, or to count bandwidth usage of all interfaces on the gigabit Ethernet card in the last 24 hours.
In some embodiments, smart analyzer 362 processes baselining rules 411 and determines one or more counters accordingly. Moreover, smart analyzer 362 may generate one or more baseline statistics 412 based on the counters. In an exemplary embodiment, smart analyzer 362 calculates a minimum value, a maximum value, a mean value, or a median value of the counters. In another embodiment, smart analyzer 362 calculates values based on a statistical model such as a standard deviation, a second moment, or a distribution, based on the counters. In further embodiments, smart analyzer 362 calculates these statistical values as baseline statistics 412. Furthermore, smart analyzer 362 stores baseline statistics 412 in a datastore or storage medium of service node 301.
In an exemplary embodiment, capturing rules 441 indicates an association to anomaly event 422, which indicates a high access rate of website internal.abcde.com; a time duration 446 of start time in one minute and a duration of one hour; an action 445 to capture session timestamps, source IP address, or user-id in cookies; a filter 449 to indicate virtual IP address corresponding to abcde.com, protocol of HTTP, or a content pattern matching “internal.abcde.com”.
Smart analyzer 362, upon applying capturing rules 441 to network traffic 121, generates captured data 442. Smart analyzer 362 generates a data entry 444, according to action 445, to be stored in captured data 442. Data entry 444 may include a timestamp, a packet trace, a session trace of all content for the session, a network address, or a piece data captured according to action 445.
Smart analyzer 362 sends captured data 442 to network controller 367. In another embodiment, smart analyzer 362 sends anomaly event 422 to network controller 367. Network controller 367 processes anomaly event 422 and requests smart analyzer 362 to apply capturing rules 441 of network usage model 351. In some embodiments, network controller 367 sends network usage model 551 or capturing rules 441 to smart analyzer 362.
The invention can be used to detect and record security anomaly using a network usage model 351 including a combination of baselining rules 411, anomaly rules 421, and capturing rules 441. The following tables illustrate one or more security anomaly addressed using this invention.
The description of the present technology has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. Exemplary embodiments were chosen and described in order to best explain the principles of the present technology and its practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
Aspects of the present technology are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by programming instructions. These programming instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4001819 | Wise | Jan 1977 | A |
| 5101402 | Chiu et al. | Mar 1992 | A |
| 5163088 | LoCascio | Nov 1992 | A |
| 5359659 | Rosenthal | Oct 1994 | A |
| 5414833 | Hershey et al. | May 1995 | A |
| 5684875 | Ellenberger | Nov 1997 | A |
| 5940002 | Finn et al. | Aug 1999 | A |
| 5960177 | Tanno | Sep 1999 | A |
| 6088804 | Hill et al. | Jul 2000 | A |
| 6119236 | Shipley | Sep 2000 | A |
| 6205115 | Ikebe et al. | Mar 2001 | B1 |
| 6237036 | Ueno et al. | May 2001 | B1 |
| 6304975 | Shipley | Oct 2001 | B1 |
| 6324286 | Lai et al. | Nov 2001 | B1 |
| 6449651 | Dorfman et al. | Sep 2002 | B1 |
| 6519703 | Joyce | Feb 2003 | B1 |
| 6594780 | Shen et al. | Jul 2003 | B1 |
| 6715081 | Attwood et al. | Mar 2004 | B1 |
| 6732279 | Hoffman | May 2004 | B2 |
| 6735702 | Yavatkar et al. | May 2004 | B1 |
| 6754832 | Godwin et al. | Jun 2004 | B1 |
| 6757822 | Feiertag et al. | Jun 2004 | B1 |
| 6779117 | Wells | Aug 2004 | B1 |
| 6988106 | Enderwick et al. | Jan 2006 | B2 |
| 7159237 | Schneier et al. | Jan 2007 | B2 |
| 7194766 | Noehring et al. | Mar 2007 | B2 |
| 7222366 | Bruton, III et al. | May 2007 | B2 |
| 7296283 | Hrastar et al. | Nov 2007 | B2 |
| 7392241 | Lin et al. | Jun 2008 | B2 |
| 7418733 | Connary et al. | Aug 2008 | B2 |
| 7543052 | Cesa Klein | Jun 2009 | B1 |
| 7565549 | Satterlee et al. | Jul 2009 | B2 |
| 7577833 | Lai | Aug 2009 | B2 |
| 7593936 | Hooks | Sep 2009 | B2 |
| 7640591 | Tripathi et al. | Dec 2009 | B1 |
| 7653633 | Villella et al. | Jan 2010 | B2 |
| 7665138 | Song et al. | Feb 2010 | B2 |
| 7739736 | Tripathi et al. | Jun 2010 | B1 |
| 7809131 | Njemanze et al. | Oct 2010 | B1 |
| 7895649 | Brook et al. | Feb 2011 | B1 |
| 8037532 | Haswell | Oct 2011 | B2 |
| 8220056 | Owens, Jr. | Jul 2012 | B2 |
| 8239670 | Kaufman et al. | Aug 2012 | B1 |
| 8289981 | Wei et al. | Oct 2012 | B1 |
| 8301802 | Wei et al. | Oct 2012 | B2 |
| 8448245 | Banerjee et al. | May 2013 | B2 |
| 8478708 | Larcom | Jul 2013 | B1 |
| 8595845 | Basavapatna et al. | Nov 2013 | B2 |
| 8800034 | McHugh et al. | Aug 2014 | B2 |
| 8806011 | Graham-Cumming | Aug 2014 | B1 |
| 8813228 | Magee et al. | Aug 2014 | B2 |
| 8832832 | Visbal | Sep 2014 | B1 |
| 8984331 | Quinn | Mar 2015 | B2 |
| 9141792 | Baluda | Sep 2015 | B2 |
| 9215208 | Fraize et al. | Dec 2015 | B2 |
| 9258217 | Duffield et al. | Feb 2016 | B2 |
| 9332024 | Gulko | May 2016 | B1 |
| 20010042204 | Blaker et al. | Nov 2001 | A1 |
| 20020087708 | Low et al. | Jul 2002 | A1 |
| 20020188839 | Noehring et al. | Dec 2002 | A1 |
| 20030023846 | Krishna et al. | Jan 2003 | A1 |
| 20030028585 | Yeager et al. | Feb 2003 | A1 |
| 20030061507 | Xiong et al. | Mar 2003 | A1 |
| 20030069973 | Ganesan et al. | Apr 2003 | A1 |
| 20030135625 | Fontes et al. | Jul 2003 | A1 |
| 20030187688 | Fey et al. | Oct 2003 | A1 |
| 20030196081 | Savarda et al. | Oct 2003 | A1 |
| 20030200456 | Cyr et al. | Oct 2003 | A1 |
| 20040008711 | Lahti et al. | Jan 2004 | A1 |
| 20040054807 | Harvey et al. | Mar 2004 | A1 |
| 20040059943 | Marquet et al. | Mar 2004 | A1 |
| 20040059951 | Pinkas et al. | Mar 2004 | A1 |
| 20040059952 | Newport et al. | Mar 2004 | A1 |
| 20040093524 | Sakai | May 2004 | A1 |
| 20040111635 | Boivie et al. | Jun 2004 | A1 |
| 20040143751 | Peikari | Jul 2004 | A1 |
| 20040242200 | Maeoka et al. | Dec 2004 | A1 |
| 20040250124 | Chesla | Dec 2004 | A1 |
| 20050021999 | Touitou et al. | Jan 2005 | A1 |
| 20050036501 | Chung et al. | Feb 2005 | A1 |
| 20050041584 | Lau et al. | Feb 2005 | A1 |
| 20050044068 | Lin et al. | Feb 2005 | A1 |
| 20050044270 | Grove et al. | Feb 2005 | A1 |
| 20050108377 | Lee | May 2005 | A1 |
| 20050108434 | Witchey | May 2005 | A1 |
| 20050210243 | Archard et al. | Sep 2005 | A1 |
| 20050234920 | Rhodes | Oct 2005 | A1 |
| 20050257093 | Johnson et al. | Nov 2005 | A1 |
| 20060026678 | Zakas | Feb 2006 | A1 |
| 20060056297 | Bryson et al. | Mar 2006 | A1 |
| 20060061507 | Mohamadi | Mar 2006 | A1 |
| 20060143707 | Song et al. | Jun 2006 | A1 |
| 20060206936 | Liang et al. | Sep 2006 | A1 |
| 20060212522 | Walter et al. | Sep 2006 | A1 |
| 20060251057 | Kwon et al. | Nov 2006 | A1 |
| 20060253902 | Rabadan et al. | Nov 2006 | A1 |
| 20060256716 | Caci | Nov 2006 | A1 |
| 20060265585 | Lai | Nov 2006 | A1 |
| 20060288411 | Garg et al. | Dec 2006 | A1 |
| 20070056038 | Lok | Mar 2007 | A1 |
| 20070073660 | Quinlan | Mar 2007 | A1 |
| 20070245420 | Yong | Oct 2007 | A1 |
| 20070291773 | Khan et al. | Dec 2007 | A1 |
| 20080181100 | Yang | Jul 2008 | A1 |
| 20080183885 | Durrey et al. | Jul 2008 | A1 |
| 20080229418 | Chen et al. | Sep 2008 | A1 |
| 20080256623 | Worley et al. | Oct 2008 | A1 |
| 20090049198 | Blinn et al. | Feb 2009 | A1 |
| 20090070470 | Bauman et al. | Mar 2009 | A1 |
| 20090150996 | Haswell | Jun 2009 | A1 |
| 20090168995 | Banga et al. | Jul 2009 | A1 |
| 20090227228 | Hu et al. | Sep 2009 | A1 |
| 20090241190 | Todd et al. | Sep 2009 | A1 |
| 20090287941 | Shouno | Nov 2009 | A1 |
| 20100027432 | Gopalan | Feb 2010 | A1 |
| 20100106833 | Banerjee et al. | Apr 2010 | A1 |
| 20100284300 | Deshpande et al. | Nov 2010 | A1 |
| 20100286998 | Picken | Nov 2010 | A1 |
| 20110026537 | Kolhi et al. | Feb 2011 | A1 |
| 20110029599 | Pulleyn et al. | Feb 2011 | A1 |
| 20110082947 | Szeto et al. | Apr 2011 | A1 |
| 20110093785 | Lee et al. | Apr 2011 | A1 |
| 20110131646 | Park et al. | Jun 2011 | A1 |
| 20110153744 | Brown | Jun 2011 | A1 |
| 20110249572 | Singhal et al. | Oct 2011 | A1 |
| 20120036272 | El Zur | Feb 2012 | A1 |
| 20120042060 | Jackowski et al. | Feb 2012 | A1 |
| 20120110472 | Amrhein et al. | May 2012 | A1 |
| 20120117646 | Yoon et al. | May 2012 | A1 |
| 20120163186 | Wei et al. | Jun 2012 | A1 |
| 20120174196 | Bhogavilli et al. | Jul 2012 | A1 |
| 20120226582 | Hammad | Sep 2012 | A1 |
| 20120307631 | Yang et al. | Dec 2012 | A1 |
| 20130019025 | Chaturvedi et al. | Jan 2013 | A1 |
| 20130124713 | Feinberg et al. | May 2013 | A1 |
| 20130128885 | Kardashov et al. | May 2013 | A1 |
| 20130139245 | Thomas | May 2013 | A1 |
| 20130173795 | McPherson | Jul 2013 | A1 |
| 20130198385 | Han et al. | Aug 2013 | A1 |
| 20130212265 | Rubio Vidales et al. | Aug 2013 | A1 |
| 20140006508 | Goyet et al. | Jan 2014 | A1 |
| 20140025568 | Smith et al. | Jan 2014 | A1 |
| 20140137190 | Carey et al. | May 2014 | A1 |
| 20140143868 | Shiva | May 2014 | A1 |
| 20140258489 | Muppala et al. | Sep 2014 | A1 |
| 20140258536 | Chiong | Sep 2014 | A1 |
| 20140269308 | Oshiba | Sep 2014 | A1 |
| 20140269339 | Jaafar | Sep 2014 | A1 |
| 20140280832 | Oshiba | Sep 2014 | A1 |
| 20140283065 | Teddy et al. | Sep 2014 | A1 |
| 20140298091 | Carlen | Oct 2014 | A1 |
| 20140310396 | Christodorescu et al. | Oct 2014 | A1 |
| 20140325588 | Jalan et al. | Oct 2014 | A1 |
| 20150033341 | Schmidtler et al. | Jan 2015 | A1 |
| 20150088597 | Doherty et al. | Mar 2015 | A1 |
| 20150312268 | Ray | Oct 2015 | A1 |
| 20150333988 | Jalan et al. | Nov 2015 | A1 |
| Number | Date | Country |
|---|---|---|
| 1422468 | Jun 2003 | CN |
| 104106241 | Oct 2014 | CN |
| 1198848 | Jun 2015 | HK |
| 375721 | Dec 1999 | TW |
| 477140 | Feb 2002 | TW |
| 574655 | Feb 2004 | TW |
| 576066 | Feb 2004 | TW |
| I225999 | Jan 2005 | TW |
| I252976 | Apr 2006 | TW |
| WO1998042108 | Sep 1998 | WO |
| WO2013112492 | Aug 2013 | WO |
| WO2014150617 | Sep 2014 | WO |
| WO2014151072 | Sep 2014 | WO |
| WO2014176461 | Oct 2014 | WO |
| Entry |
|---|
| “How to Create a Rule in Outlook 2003” CreateaRule-Outlook2003.doc 031405 mad, 3 pages. |
| Oracle Corporation, “Oracle Intelligent Agent User's Guide,” Release 9.2.0, Part No. A96676-01, Mar. 2002. |
| F5 Networks, Inc., “SOL11243: iRules containing the RULE_INIT iRule event do not re-initialize when a syntax error is corrected,” f5.support.com, May 24, 2010, 1 page. |
| Ganesan et al., “YAPPERS: a peer-to-peer lookup service over arbitrary topology,” IEEE, pp. 1250-1260, Mar. 30-Apr. 3, 2003. |
| Annexstein et al., “Indexing Techniques for File Sharing in Scalable Peer-to-Peer Networks,” IEEE, pp. 10-15, Oct. 14-16, 2002. |
| Ling et al., “A Content-Based Resource Location Mechanism in PeerlS,” IEEE, pp. 279-288, Dec. 12-14, 2002. |
| Dainotti, Albert et al., “TIE: A Community-Oriented Traffic Classification Platform,” May 11, 2009, Springer-Verlag, Traffic Monitoring and Analysis: Proceedings First International Workshop, TMA 2009. pp. 64-74. Retrieved from: Inspec. Accession No. 11061142. |
| Dainotti, Albert et al., “Early Classification of Network Traffic through Multi-Classification,” Apr. 27, 2011, Springer Verlag, Traffic Monitoring and Analysis, Proceedings of the Third International Workshop, TMA 2011. pp. 122-135. Retrieved from INSPEC. Accession No. 12232145. |
| Search Report and Written Opinion dated Sep. 28, 2017 for PCT Application No. PCT/US2017/041463. |
| Guo, Yuan-ni et al., “An Embedded Firewall System Design Based on Ptolemy II,” Journal of System Simulation, vol. 16, No. 6, pp. 1361-1363, Jun. 2004. |
| Huang, Quan et al., “An Embedded Firewall Based on Network Processor,” IEEE, 2nd International Conference on Embedded Software and Systems, 7 pages, Dec. 16-18, 2005. |
| Ihde, Michael et al., “Barbarians in the Gate: An Experimental Validation of NIC-Based Distributed Firewall Performance and Flood Tolerance,” IEEE, International Conference on Dependable Systems and Networks, Jun. 25-28, 2006, 6 pages. |
| Susilo, W. et al., “Personal Firewall for Pocket PC 2003: Design & Implementation,” IEEE 19th International Conference on Advanced Information Networking and Applications, vol. 2 pp. 661-666, Mar. 28-30, 2005. |
| Number | Date | Country | |
|---|---|---|---|
| 20180019931 A1 | Jan 2018 | US |
