A network flow is a data stream that carries information between a source and a destination. As streaming video and other timing sensitive services become more ubiquitous, it has become important to recognize and prioritize traffic based on content of each network flow. Network flow identification can be used to support Quality of Service (QoS) tools, but also can be used to reveal malware and hacking attempts disguised as normal network traffic.
Flow Identification (FI) recognizes particular flows; traffic can then be adjusted as needed based on the traffic characteristics of a given flow. Deep packet Inspection (DPI) goes further. DPI is a form of packet filtering that examines the data and portions of the header as it passes through a router. It can not only identify a flow, but inspect the flow to detect security problems such as viruses, spam, and attempted intrusions.
In the following detailed description of example embodiments of the invention, reference is made to specific examples by way of drawings and illustrations. These examples are described in sufficient detail to enable those skilled in the art to practice the invention, and serve to illustrate how the invention may be applied to various purposes or embodiments. Other embodiments of the invention exist and are within the scope of the invention, and logical, mechanical, electrical, and other changes may be made without departing from the subject or scope of the present invention. Features or limitations of various embodiments of the invention described herein, however essential to the example embodiments in which they are incorporated, do not limit the invention as a whole, and any reference to the invention, its elements, operation, and application do not limit the invention as a whole but serve only to define these example embodiments. The following detailed description does not, therefore, limit the scope of the invention, which is defined only by the appended claims.
Conventional flow identification and Deep Packet Inspection (DPI) systems are stand-alone systems. They are either placed in line with the traffic or connected in a mirror configuration so that they receive mirrored traffic, What is described below is a way to lower the cost of flow identification and DPI by embedding flow identification and deep packet processing into network elements in such a way that the logic is federated across the access network. In one such approach, one can coordinate inspection of high line rate traffic by separating the inspection into 1) detection and isolation of traffic of interest (called “Fast Path FI”) and 2) its analysis (called “Deep FI”). Such an approach increases utility and efficiency while reducing the cost of providing flow identification throughout the network by capitalizing on synergies with pre-existing network packet processing functions. In addition, the distributed nature of the approach can be hidden from the user by a centralized controller that virtuallizes the distributed system into appearing like a monolithic appliance.
A distributed system for flow identification is shown in
In the embodiment shown in
In one embodiment, flow identification control unit 102 is connected to FI agents 114 in residential services gateways 106 and to the FI agent 112 in service delivery node 104. In one such embodiment, an application running in control unit 102 coordinates distributed DPI elements in node 104 and gateways 106 and provides a virtualized appliance view augmented with insight from multiple points in the network. This enables one to add value-added applications such as network analytics, network security, traffic engineering, application level QoS (like Netflix), application Blacklisting/Whitelisting (like BitTorrent), etc. In one such embodiment, control unit 102 coordinates the selection of the application signatures the distributed DPI elements search for in a federated manner. It also controls how the detected application signatures are treated such that they can be mirrored to other DPI appliances (e.g., FI agent 112 or one of the services gateway FI agents 114) for post processing or processed inline by one of the FI agents.
In one embodiment, system 100 is a packet flow inspection system, comprising a flow identification control unit 102, a plurality of residential services gateways 106, and a service delivery node 104 communicatively coupled to the flow identification control unit 102 and to the residential services gateways 106. Each residential services gateway 106 includes a flow identification (FI) agent 114, wherein the flow identification agent on each residential gateway analyzes packet flows through the residential services gateway and communicates the packet flow identifications to the flow identification control unit.
In one such embodiment, the service delivery node 104 is communicatively coupled to the flow identification control unit 102 and to the residential services gateways 106. The service delivery node 104 includes a service access platform 110 and a flow identification agent 112. The flow identification agent 112 identifies packet flows through the service access platform 110 and communicates the packet flow identifications to the flow identification control unit 102.
In one embodiment, the flow identification control unit 102 analyzes the flow analytics information received from the residential services gateways 106 and the service delivery node 104 and adjusts packet traffic through the service access platform 110 and the residential services gateways 106 as a function of the flow analytics information. In some embodiments, the adjustment is in the form of prioritizing some packet flows over others. Other adjustments include, for instance, isolation of particular flows, the blocking or suppression of flows (e.g., blocking or suppressing file downloads in favor of Netflix traffic, or based on a signature), applying a blacklist or whitelist, gathering additional data (via, e.g., analysis software embedded in residential services gateways) and identifying patterns for future identification and blocking.
In one embodiment, flow identification control unit 102 instructs one or more of the flow identification agents 114 in the residential services gateways to perform deep packet inspection on flows identified by the flow identification agent 112. The flow identification agents 114 perform deep packet inspection on the indicated flows and forward the results of the deep packet inspection to the flow identification control unit 102.
In one embodiment, flow identification control unit 102 instructs flow identification agent 112 to perform deep packet inspection of selected flows. The flow identification agent 112 performs deep packet inspection on the indicated flows and forwards the results of the deep packet inspection to the flow identification control unit 102.
In one embodiment, flow identification control unit 102 instructs flow identification agent 112 to perform fast path flow identification inspection of flows. The flow identification agent 112 performs inspection on flows passing through service delivery node 104 and forwards the results of the inspection to the flow identification control unit 102.
In one embodiment, a distributed DPI messaging protocol is used to coordinate DPI handling through the distributed system. The distributed DPI messaging protocol is a messaging protocol used by the controller 102 and the agents (112, 114) to coordinate DPI handling through the distributed system. This includes coordination of what application/traffic signatures to search for, and notification of detection of an application signature of interest.
In some embodiments, Application/Traffic signatures of interest change over time and locality. In one such embodiment, each signature is based on a definition that characterizes the TCP/IP five tuple, state-full packet flow pattern (i.e. session initiation, session body and session termination), and packet content including application header and payload. The application/traffic signatures can range from congestion patterns (service, interface), to security threats such as malware, or network attacks such as DoS, or application signatures such as Netflix or torrent.
In one embodiment, each FI agent 112 performs a first pass flow identification, termed “Fast Path FI Agent”. In one such embodiment, flows are categorized into flow type and origin. In some embodiments, this level of flow identification is sufficient for applications such as Traffic Engineering and Network Analytics but not for applications that require deeper packet inspection like that involved in protection from Viruses, Worms, and Trojans.
In one embodiment, a DPI agent is installed in one or more of agents 112 and 114. This type of agent has deep packet inspection capabilities and is often used on a second pass of inspection. A Fast Path FI Agent is used to initially identify a flow of interest in one location in the network, passes the flow identity to the Control Unit 102, then the Control Unit 102 will message a Deep FI Agent for deeper inspection.
In some embodiments, a Distributed FI Messaging Protocol is used to pass FI information between agents 112 and 114 and control unit 102. Distributed FI is a comprehensive messaging system that is used to pass FI information between agents and the controller. In one embodiment, the protocol includes a cut-through mode for fast message passing between fast-path FI agents and deep FI agents or between FI agents and an external actor where latency through the control unit 102 would be a problem.
In one embodiment, such as is shown in
A method of adjusting network traffic will be discussed next. As in
One example embodiment s shown in
Another example embodiment is shown in
A method of performing deep packet inspection (DPI) of network traffic in a network having a service delivery node 104, one or more residential services gateways 106 and a flow identification (FI) control unit 102 will be discussed next.
Flows passing through the residential services gateways 106 are recognized within the residential services gateways and flow analytics information corresponding to the packet flows recognized in the residential services gateways are transferred from the residential gateways to the flow identification control unit 102. Flows passing through the residential services gateways 106 are recognized within the service access platform and flow analytics information corresponding to the packet flows recognized in the service access platform are transferred from the service access platform to the flow identification control unit 102.
Flow identification control unit analyzes the flow analytics information received from the residential services gateways and the service delivery node and selects, as a function of the flow analytics information analyzed by the flow identification control unit 102, a selected flow on which to perform deep packet inspection and the unit 104 or 106 that is to perform the deep packet inspection on the selected flow. Deep packet inspection of the selected flow is then performed at the selected FI agent.
In one such embodiment, analyzing the flow analytics information includes aggregating the flow analytics information received from the residential services gateways and the service delivery node to form a representation of the packet flows throughout the network.
In one embodiment, analyzing the flow analytics information includes displaying the flow analytics information received from the residential services gateways and from the service delivery node as packet flows through a single virtual network appliance, such as the network representation 160 shown in
In one embodiment, flow identification (FI) agents operating in the residential services gateways and the service access platform operate to recognize flows passing through their corresponding devices and the flow identification control unit and the FI agents use a distributed DPI messaging protocol to coordinate DPI throughout the network. In one such embodiment, this DPI coordination includes detailing the signatures of applications to be analyzed. In another such embodiment, this DPI coordination includes detailing a response when a particular signature is detected. In another such embodiment, this DPI coordination includes detailing traffic to be analyzed.
In one embodiment, as is shown in
In one embodiment, control unit 102 decides where to perform packet flow analysis. In one such embodiment, unit 10 performs analysis as close to the subscriber as possible. Thus, a preference is given to performing flow analysis at the gateway 106 over the service access platform 110, and at the service access platform 110 over service access node 120. Decisions can, therefore, be made as close to the subscriber as possible.
In some embodiments, each agent has a profile that looks for certain events or conditions. For example, one agent may note “Netflix flow has started”, “Netflix flow has stopped”, and “Skype flow has started”. Real-time information on the start and stop of certain packet flows can be advantageous in recognizing and taking action on security issues related to the packet flows.
What has been discussed above is the distribution of flow analysis across two or more appliances in a residential gateway services network. Such an approach takes advantage of the use of inexpensive software or hardware-based flow inspection applications to analyze packet flows through network 100 under control of a flow identification control unit 102. The results can be displayed as if being performed by one or more virtual network appliances for ease of understanding. An advantage of such an approach is that you avoid having to split out or mirror network traffic to perform analysis of particular packet flows. In addition, flow analysis can be tuned to the needs of network 100. That is, various degrees of packet inspection can be used based on the agent installed and the security needs of the system. In addition, analysis can be performed real-time, with the results used to adjust packet flow to support desired quality of service parameters.
Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that any arrangement which is calculated to achieve the same purpose may be substituted for the specific embodiments shown. The invention may be implemented in various modules and in hardware, software, and various combinations thereof, and any combination of the features described in the examples presented herein is explicitly contemplated as an additional example embodiment. This application is intended to cover any adaptations or variations of the example embodiments of the invention described herein. It is intended that this invention be limited only by the claims, and the full scope of equivalents thereof.
This application is a divisional application of U.S. application Ser. No. 14/034,282, filed Sep. 23, 2013, the contents of which are incorporated herein by reference.
Number | Name | Date | Kind |
---|---|---|---|
5500899 | Snow | Mar 1996 | A |
6389468 | Muller et al. | May 2002 | B1 |
6567861 | Kasichainula et al. | May 2003 | B1 |
6681232 | Sistanizadeh et al. | Jan 2004 | B1 |
6957269 | Williams et al. | Oct 2005 | B2 |
7065779 | Crocker et al. | Jun 2006 | B1 |
7711844 | Schuehler et al. | May 2010 | B2 |
7725919 | Thiagarajan et al. | May 2010 | B1 |
7817549 | Kasralikar et al. | Oct 2010 | B1 |
7869428 | Shake et al. | Jan 2011 | B2 |
8005012 | Aybay et al. | Aug 2011 | B1 |
8027305 | Rogers et al. | Sep 2011 | B1 |
8046479 | Einarsson et al. | Oct 2011 | B2 |
8085775 | Pappu et al. | Dec 2011 | B1 |
8238241 | Samuels et al. | Aug 2012 | B2 |
8310934 | Hou et al. | Nov 2012 | B2 |
8339954 | Dahod | Dec 2012 | B2 |
8718131 | Park et al. | May 2014 | B2 |
8850590 | Kellerman | Sep 2014 | B2 |
8867529 | Pearce | Oct 2014 | B2 |
9240938 | Dimond et al. | Jan 2016 | B2 |
9319293 | Sodhi et al. | Apr 2016 | B2 |
9391903 | Hayes et al. | Jul 2016 | B2 |
20030188252 | Kim et al. | Oct 2003 | A1 |
20030198189 | Roberts et al. | Oct 2003 | A1 |
20040030745 | Boucher et al. | Feb 2004 | A1 |
20040141530 | Spio | Jul 2004 | A1 |
20050094726 | Park | May 2005 | A1 |
20070006293 | Balakrishnan et al. | Jan 2007 | A1 |
20070121615 | Weill et al. | May 2007 | A1 |
20070220251 | Rosenberg et al. | Sep 2007 | A1 |
20080013542 | Youm et al. | Jan 2008 | A1 |
20080056153 | Liu | Mar 2008 | A1 |
20080201733 | Ertugrul et al. | Aug 2008 | A1 |
20090022134 | Chun et al. | Jan 2009 | A1 |
20090119722 | Versteeg et al. | May 2009 | A1 |
20090241170 | Kumar et al. | Sep 2009 | A1 |
20090287807 | Sueyoshi | Nov 2009 | A1 |
20100043068 | Varadhan et al. | Feb 2010 | A1 |
20100088756 | Balakrishnan et al. | Apr 2010 | A1 |
20100103837 | Jungck et al. | Apr 2010 | A1 |
20100138920 | Kim | Jun 2010 | A1 |
20110022721 | Diab et al. | Jan 2011 | A1 |
20110032951 | Butler et al. | Feb 2011 | A1 |
20110107379 | Lajoie et al. | May 2011 | A1 |
20110110382 | Jabr et al. | May 2011 | A1 |
20110113218 | Lee et al. | May 2011 | A1 |
20110158146 | Poola et al. | Jun 2011 | A1 |
20110216774 | Nevil et al. | Sep 2011 | A1 |
20110255408 | Aybay et al. | Oct 2011 | A1 |
20110295983 | Medved et al. | Dec 2011 | A1 |
20110317557 | Siddam et al. | Dec 2011 | A1 |
20120014282 | Pappu et al. | Jan 2012 | A1 |
20120243871 | Huang et al. | Sep 2012 | A1 |
20120317276 | Muniraju | Dec 2012 | A1 |
20130024901 | Sharif-Ahmadi et al. | Jan 2013 | A1 |
20140056182 | Chai | Feb 2014 | A1 |
20140269403 | Anghel et al. | Sep 2014 | A1 |
20150016247 | Hayes et al. | Jan 2015 | A1 |
20150036533 | Sodhi et al. | Feb 2015 | A1 |
20150085678 | Dimond et al. | Mar 2015 | A1 |
Entry |
---|
“U.S. Appl. No. 13/941,678, Non Final Office Action dated Aug. 28, 2015”, 25 pgs. |
“U.S. Appl. No. 13/941,678, Response filed Nov. 30, 2015 to Non Final Office Action dated Aug. 28, 2015”, 11 pgs. |
“U.S. Appl. No. 13/955,864, Advisory Action dated Oct. 29, 2015”, 4 pgs. |
“U.S. Appl. No. 13/955,864, Examiner interview Summary dated May 26, 2015”, 3 pgs. |
“U.S. Appl. No. 13/955,864, Final Office Action dated Jul. 15, 2015”, 23 pgs. |
“U.S. Appl. No. 13/955,864, Non Final Office Action dated Mar. 25, 2015”, 18 pgs. |
“U.S. Appl. No. 13/955,864, Notice of Allowance dated Dec. 18, 2015”, 14 pgs. |
“U.S. Appl. No. 13/955,864, Response filed May 19, 2015 to Non Final Office Action dated Mar. 25, 2015”, 13 pgs. |
“U.S. Appl. No. 13/955,864, Response filed Sep. 23, 2015 to Final Office Action dated Jul. 15, 2015”, 12 pgs. |
“U.S. Appl. No. 13/955,864, Response filed Nov. 3, 2015 to Advisory Action dated Oct. 29, 2015”, 13 pgs. |
“U.S. Appl. No. 14/034,282, Corrected Notice of Allowability dated Dec. 21, 2015”, 2 pgs. |
“U.S. Appl. No. 14/034,282, Non Final Office Action dated Jun. 1, 2015”, 22 pgs. |
“U.S. Appl. No. 14/034,282, Notice of Allowance dated Oct. 13, 2015”, 7 pgs. |
“U.S. Appl. No. 14/034,282, Response filed May 5, 2015 to Restriction Requirement dated Mar. 5, 2015”, 8 pgs. |
“U.S. Appl. No. 14/034,282, Restriction Requirement dated Mar. 5, 2015”, 7 pgs. |
“U.S. Appl. No. 14/034,282, Response filed Sep. 1, 2015 to Non Final Office Action dated Jun. 1, 2015”, 9 pgs. |
Baruch, Z., et al., “Embedded System for Network Flow Identification”, Automation, Quality and Testing, Robotics, 2006 IEEE International Conference on , vol. 1, (May 2006), 426,429, 25-28. |
“U.S. Appl. No. 13/941,678, Notice of Allowance dated Mar. 28, 2016”, 22 pgs. |
Number | Date | Country | |
---|---|---|---|
20160119227 A1 | Apr 2016 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 14034282 | Sep 2013 | US |
Child | 14990120 | US |