Network agent for reporting to a network policy system

Description

TECHNICAL FIELD

The subject matter of this disclosure relates in general to the field of computer networks, and more specifically for management of entities and resources within a computer network.

BACKGROUND

A managed network, such as an enterprise private network (EPN), may contain a large number of entities distributed across the network. These entities include, for example, nodes, endpoints, machines, virtual machines, containers (an instance of container-based virtualization), and applications. In addition to being different types, these entities may be grouped in different departments, located in different geographical locations, and/or serve different functions.

An expansive or thorough understanding of the network can be critical for network management tasks such as anomaly detection (e.g., network attacks and misconfiguration), network security (e.g., preventing network breaches and reducing network vulnerabilities), asset management (e.g., monitoring, capacity planning, consolidation, migration, and continuity planning), and compliance (e.g. conformance with governmental regulations, industry standards, and corporate policies). Traditional approaches for managing large networks require comprehensive knowledge on the part of highly specialized human operators because of the complexities of the interrelationships among the entities.

BRIEF DESCRIPTION OF THE FIGURES

In order to describe the manner in which the above-recited and other advantages and features of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments that are illustrated in the appended drawings. Understanding that these drawings depict only embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:

FIG. 1 is a conceptual block diagram illustrating an example of an intent driven network policy platform, in accordance with various embodiments of the subject technology;

FIG. 2 is an illustration showing contents of an inventory store, in accordance with various embodiments of the subject technology;

FIG. 3 illustrates two examples of inventory filters, in accordance with various embodiments of the subject technology;

FIG. 4 illustrates an example flow filter incorporating two inventory filters, in accordance with various embodiments of the subject technology;

FIG. 5 shows an example process for managing a network using user intent statements, in accordance with various embodiments of the subject technology;

FIG. 6 is a conceptual block diagram illustrating an example of a network entity that includes a network agent, in accordance with various embodiments of the subject technology;

FIG. 7 shows an example process for implementing network policies on a network entity, in accordance with various embodiments of the subject technology;

FIG. 8 shows an example process for providing network entity reports to a network policy system, in accordance with various embodiments of the subject technology; and

FIGS. 9A and 9B illustrate examples of systems in accordance with some embodiments.

DESCRIPTION OF EXAMPLE EMBODIMENTS

The detailed description set forth below is intended as a description of various configurations of embodiments and is not intended to represent the only configurations in which the subject matter of this disclosure can be practiced. The appended drawings are incorporated herein and constitute a part of the detailed description. The detailed description includes specific details for the purpose of providing a more thorough understanding of the subject matter of this disclosure. However, it will be clear and apparent that the subject matter of this disclosure is not limited to the specific details set forth herein and may be practiced without these details. In some instances, structures and components are shown in block diagram form in order to avoid obscuring the concepts of the subject matter of this disclosure.

Overview

Large networks often require comprehensive knowledge on the part of highly specialized human operators (e.g., network administrators) to effectively manage. However, controls available to the human operators are not very flexible and the human operators with the specialized knowledge able to manage the network(s) are often not the individuals with a higher level understanding of how the network should operate with respect to certain applications or functionalities. Furthermore, once a change in network management is executed, it is often difficult to roll back the changes, make alterations, or understand the changes, even for network operators.

The disclosed technology addresses the need in the art for a more intuitive way to manage a network and a way to manage the network in a more targeted manner. For example, many networks may be secured using access control lists (ACLs) implemented by routers and switches to permit and restrict data flow within the network. When an ACL is configured on an interface, the network device examines data packets passing through the interface to determine whether to forward or drop the packet based on the criteria specified within the ACLs. Each ACL includes entries where each entry includes a destination target internet protocol (IP) address, a source target IP address, and a statement of permission or denial for that entry.

The ACLs, however, may be difficult for application developers and other users with limited knowledge of network engineering to understand and use. A development team that builds a particular application, set of applications, or function(s) (e.g., an “application owner”) is typically not responsible for managing an enterprise network and are not expected to have a deep understanding of the network. The application owner understands at a high level how certain applications or functions should operate, which entities should be allowed or restricted from communicating with other entities, and how entities should be allowed or restricted from communicating with other entities (e.g., which ports and/or communication protocols are allowed or restricted). In order to implement desired network policies, the application owner must contact a network operator and communicate their objectives to the network operator. The network operator tries to understand the objectives and then creates ACL entries that satisfy the application owner's objectives.

Even relatively simple network policies take hundreds, thousands, or more ACL entries to implement and ACLs often end up containing millions of entries. For example, to implement a simple network rule where a first subnet of machines cannot communicate with a second subnet of machines requires 2(m×n) ACL entries for a number of m endpoints in the first subnet and a number of n endpoints in the second subnet to explicitly list out each IP address in the first subnet that cannot send data to each IP address in the second subnet and each IP address in the second subnet cannot send data to each IP address in the first subnet. The size of the ACLs can further complicate matters making intelligently altering the ACLs increasingly difficult. For example, if an application owner wants to alter the implemented network policies, it is difficult for the application owner or the network operator to know which ACL entries were created based on the original network policy and, as a result, difficult to identify ACL entries to add, delete, or modify based on the alteration of the network policies.

Furthermore, traditional ACLs permit and restrict data flow within the network at the machine level. For example, ACL entries permit or restrict communication based on a destination target internet protocol (IP) address and a source target IP address. However, in some cases, applications on one network entity (e.g., a physical server, virtual machine, container, etc.) should be able to communicate with other applications on a different network entity, but other communications between the entities should be restricted for security reasons (e.g., some hackers may take advantage of broad traditional ACL entries and use applications to gain access to other areas of the network). Traditional ACL entries are unable to accommodate for more tailored control of network traffic.

Various embodiments of the subject technology address these and other technical problems by providing an intent driven network policy platform that allows both application owner and network operators to define network policies in a more understandable manner and provides these users with finer levels of controls.

Detailed Description

Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustrative purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without departing from the spirit and scope of the disclosure.

Various embodiments relate to an intent driven network policy platform configured to ingest network data and generate an inventory of network entities. The network policy platform receives a user intent statement, translates the intent into network policies, and enforces the network policies.

FIG. 1 is a conceptual block diagram illustrating an example network environment 100 that includes an intent driven network policy platform 110, in accordance with various embodiments of the subject technology. Various embodiments are discussed with respect to an enterprise private network (EPN) for illustrative purposes. However, these embodiments and others may be applied to other types of networks. For example, the network environment 100 may be implemented by any type of network and may include, for example, any one or more of a cellular network, a satellite network, a personal area network (PAN), a local area network (LAN), a wide area network (WAN), a broadband network (BBN), the Internet, and the like. The network environment 100 can be a public network, a private network, or a combination thereof. The network environment 100 may be implemented using any number of communications links associated with one or more service providers, including one or more wired communication links, one or more wireless communication links, or any combination thereof. Additionally, the network environment 100 can be configured to support the transmission of data formatted using any number of protocols.

The network environment 100 includes one or more network agents 105 configured to communicate with an intent driven network policy platform 110 via enforcement front end modules (EFEs) 115. The intent driven network policy platform 110 is shown with one or more EFEs 115, a user interface module 120, a coordinator module 125, an intent service module 130, an inventory store 150, and a policy store 155. In other embodiments, the intent driven network policy platform 110 may include additional components, fewer components, or alternative components. The network policy platform 110 may be implemented as a single machine or distributed across a number of machines in the network.

Each network agent 105 may be installed on a network entity and configured to receive network policies (e.g., enforcement policies, configuration policies, etc.) from the network policy platform 110 via the enforcement front end modules 115. After an initial installation on a network entity (e.g., a machine, virtual machine, or container, etc.), a network agent 105 can register with the network policy platform 110 and communicate with one or more EFEs to receive network policies that are configured to be applied to the host on which the network agent 105 is running. In some embodiments, the network policies may be received in a high-level, platform independent format. The network agent 105 may convert the high-level network policies into platform specific policies and apply any number of optimizations before applying the network policies to the host network entity. In some embodiments, the high-level network policies may be converted at the network policy platform 110.

Each network agent 105 may further be configured to observe and collect data and report the collected data to the intent driven network policy platform 110 via the EFEs 115. The network agent 105 may collect policy enforcement related data associated with the host entity such as a number of policies being enforced, a number of rules being enforced, a number of data packets being allowed, dropped, forwarded, redirected, or copied, or any other data related to the enforcement of network policies. The network agent 105 may also collect data related to host entity performance such as CPU usage, memory usage, a number of TCP connections, a number of failed connection, etc. The network agent 105 may also collect other data related to the host such as an entity name, operating system, entity interface information, file system information, applications or processes installed or running, or disks that are mounted.

The enforcement front end modules (EFEs) 115 are configured to handle the registration of the network agents 105 with the network policy platform 110, receive collected data from the network agents 105, and store the collected data in inventory store 150. The EFEs may be further configured to store network policies (high-level platform independent policies or platform specific policies) in memory, periodically scan a policy store 155 for updates to network policies, and notify and update network agents 105 with respect to changes in the network policies.

The user interface 120 receives input from users of the network policy platform 110. For example, the user interface 120 may be configured to receive user configured data for entities in the network from a network operator. The user configured data may include IP addresses, host names, geographic locations, departments, functions, a VPN routing/forwarding (VRF) table, or other data for entities in the network. The user interface 120 may be configured to collect the user configured data and store the data in the inventory store 150.

The user interface 120 may also be configured to receive one or more user intent statements. The user intent statements may be received from a network operator, application owner, or other administrator or through another entity via an application programming interface (API). A user intent statement is a high-level expression of one or more network rules that may be translated into a network policy.

The user interface 120 may pass a received user intent statement to the intent service 130 where the intent service 130 is configured to format the user intent statements and transform the user intent statement into network policies that may be applied to entities in the network. According to some embodiments, the intent service 130 may be configured to store the user intent statements, either in formatted or non-formatted form, in an intent store. After the user intent statements are translated into network policies, the intent service 130 may store the network policies in policy store 155. The policy store 155 is configured to store network policies. The network policies may be high-level platform independent network policies or platform specific policies. In some embodiments, the policy store 155 is implemented as a NoSQL database.

The intent service 130 may also track changes to intent statements and make sure the network policies in the policy store are up-to-date with the intent statements in the intent store. For example, if a user intent statement in the intent store is deleted or changed, the intent service 130 may be configured to located network policies associated with the deleted user intent statement and delete or update the network policies as appropriate.

The coordinator module 125 is configured to assign network agents 105 to EFEs. For example, the coordinator 125 may use a sharding technique to balance load and improve efficiency of the network policy platform 110. The coordinator 125 may also be configured to determine if an update to the policy store is needed and update the policy store accordingly. The coordinator 125 may further be configured to receive data periodically from the network agents 105 via the EFEs 115, store the data in the inventory store 150, and update the inventory store 150 if necessary.

FIG. 2 is an illustration showing contents of an inventory store 200, in accordance with various embodiments of the subject technology. The inventory store 200 is configured to contain data and attributes for each network entity managed by the intent driven network policy platform 110. The network entities may include machines (e.g., servers, personal computers, laptops), virtual machines, containers, mobile devices (e.g., tablets or smart phones), smart devices (e.g., set top boxes, smart appliances, smart televisions, internet-of-things devices), or network equipment, among other computing devices. Although the inventory store 200 is implemented as a conventional relational database in this example, other embodiments may utilize other types of databases (e.g., NoSQL, NewSQL, etc.).

The inventory store 200 may receive user configured data from the user interface 120 and data received from the network agents 105 via the EFEs 115 and store the data in records or entries associated with network entities managed by the network policy platform 110. Each record in the inventory store 200 may include attribute data for a network entity such as one or more entity identifiers (e.g., a host name, IP address, MAC addresses, hash value, etc.), a geographic location, an operating system, a department, interface data, functionality, a list of one or more annotations, file system information, disk mount information, top-of-rack (ToR) location, and a scope.

In some embodiments, the inventory store 200 may also include entity performance and network enforcement data either together with the attribute data or separately in one or more separate data stores. The performance and network enforcement data may include CPU usage, memory usage, a number of TCP connections, a number of failed connections, a number of network policies, or a number of data packets that have been allowed, dropped, forwarded, or redirected. The inventory store 200 may include historical performance or enforcement data associated with network entities or metrics calculated based on historical data.

A user intent statement is a high-level expression of that may be translated into one or more network policies. A user intent statement may be composed of one or more filters and at least one action. The filters may include inventory filters that identify network entities on which the action is to be applied and flow filters that identify network data flows on which the action is to be applied.

For example, if a user wished to identify all network entities located in Mountain View, Calif. (abbreviated MTV in the location column of the inventory store), the inventory filter “Location==MTV” may be used. If a user wished to identify all network entities located in a Research Triangle Park facility in North Carolina (abbreviated RTP in the location column of the inventory store), the inventory filter “Location==RTP” may be used. Inventory filters may also identify relationships between two or more sets of entities (e.g., a union or intersection of sets). For example, if a user wished to identify all network entities located in Mountain View, Calif. and running Windows 8 operating system, the inventory filter “Location==MTV and OS==Windows8” may be used.

A flow filter identifies network data flows. For example, if a user wished to identify all data flows from network entities in Mountain View to network entities in the Research Triangle Park facility, the following flow filter may be used:

Source:Location==MTV

Destination:Location==RTP

Each filter may further be defined beforehand and assigned a name for more convenient use. For example, the inventory filter “Location==MTV” may be assigned the name “MTV_entities” and the inventory filter “Location==RTP” may be assigned the name “RTP_entities.” As a result, a user may use the following to achieve the same result as the above example flow filter:

Source:MTV_entities

Destination:RTP_entities

Different actions may be applied to different filters. For example, actions applicable to inventory filters may include annotation and configuration actions. Annotating actions adds tags or labels to network items in the inventory store or flow data. Annotations may help network operators identify network entities. Configuration actions may be used to configure network entities. For example, some configuration actions may be used to set a CPU quota for certain applications, processes, or virtual machines. Other configuration actions may enable or disable monitoring of certain metrics, collection and transmittal of certain data, or enforcement of certain network policies. Some configuration actions may also be able to enable or disable certain modes within a network entity. For example, some entities may be configured to run in a “high visibility mode” in which most metrics and data (e.g., full time series data) are collected and transmitted to the network policy platform for analysis or in “low visibility mode” in which only a small subset of the available metrics and data are collected and transmitted. Some configuration actions are able to enable or disable these modes.

Actions applicable to flow filters may include annotation or network enforcement actions. Network enforcement actions include, for example, allowing data packets, dropping data packets, copying data packets, redirecting data packets, encrypting data packets, or load balance across network entities.

Using the above examples, a user that wishes to drop all data flowing from entities in Mountain View to entities in Research Triangle Park may use the following user intent statement:

Source:MTV_entities

Destination:RTP_entities

Action:Drop

User intent statements may further specify types of communications or communication protocols used, ports used, or use any other filter to identify a network entity or network flow on which to apply an action. For example, if the user only wishes to drop transmission control protocol (TCP) communications out of port 80 for these network entities, the following user intent statement may be used instead:

Source:MTV_entities

Destination:RTP_entities

Action:Drop

Protocol:TCP

Port:80

In another example, to disable all incoming connections to network entities running a Windows 8 operating system, a user can utilize the following user intent statement:

Source:*

Destination:Win8_Filter

Action:Drop

In the above user intent statement, “Win_Filter” is the name of an inventory filter that includes “OS==Windows8.”

The example user intent statements above are presented for illustrative purposes. In some embodiments, user intent statements, inventory filters, flow filters, or actions may appear in different formats or even in a natural language format. For example, FIG. 3 illustrates two example inventory filters, in accordance with various embodiments of the subject technology. The first inventory filter 300 is named “Inventory_Filter_1” and is configured to identify all network entities in the inventory store that run on a Linux operating system and have a VRF ID of 676767. The second inventory filter 350 is named “Inventory_Filter_2” and is configured to identify all network entities in the inventory store that represent the 10.0.0.0/8 and 1.1.11.0/24 subnets.

FIG. 4 illustrates an example flow filter incorporating two inventory filters, in accordance with various embodiments of the subject technology. The flow filter 400 is configured to identify TCP data flows between the 10.0.0.0/8 and 11.0.0.1 subnets. The flow filter 400 further uses two inventory filters 405 and 410 to help identify the subnets.

FIG. 5 shows an example process 500 for managing a network using inventory filters, in accordance with various embodiments of the subject technology. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated. The process 500 can be performed by a network, and particularly, a network policy system (e.g., the network policy platform 110 of FIG. 1) or similar system.

At operation 505, the system may generate an inventory store that includes records for network entities in the network. The records may be created or updated based on configuration data received from a network operator. The configuration data may include various attributes of certain network entities. The attributes may include, for example, an internet protocol (IP) address, a host name, a geographic location, or a department. The configuration data may also include annotations, labels, VPN routing/forwarding (VRF) information, interface information, or any other data that may be used to identify one or more network entities.

The records may further be created, updated, or supplemented with information observed by network agents and reported to the network policy system by the network agents. This information may include operating system information, hostnames, interface information, entity identifiers, policy enforcement information, or data related to entity performance. Policy enforcement information may include a number of policies being enforced, a number of rules being enforced, a number of data packets being allowed, dropped, forwarded, redirected, or copied, or any other data related to the enforcement of network policies. Data related to entity performance may include CPU usage, memory usage, a number of TCP connections, a number of failed connection, applications or processes installed or running, disks that are mounted, or other time series data.

At operation 510, the system receives a user intent statement that includes at least one filter and an action. The user intent statement may be received from a network operator, application owner, or other administrator via a user interface or through another party or service via an application program interface (API). The filter may be an inventory filter configured to help identify network entities on which the action is to be applied or a flow filter configured to help identify network data flows on which the action is to be applied. The action may be an enforcement action, a configuration action, or an annotation action.

The system may query the inventory store to identify network entities to which the user intent statement applies at operation 515. For example, system may query the inventory store using the one or more filters found in the user intent statement to identify network entities that match the conditions of the filters. The filters may include one or more attributes that can be used to narrow down the network entities to only those to which the action is to be applied. The attributes may be, for example, an entity type (e.g., machine, virtual machine, container, process, etc.), an IP subnet, an operating system, or any other information that may be found in the inventory store and used to identify network entities.

At operation 520, the system generates network policies that apply the action to the network entities identified by the query. According to some embodiments, the network policies for user intent statements that include a flow filter or an enforcement action may be implemented in the form of one or more access control lists (ACLs). In some embodiments, network policies for user intent statements that include an annotation action or configuration action may be implemented in the form of instructions to the network entity or a network agent to implement the actions.

The system then enforces the network policies at operation 525. According to some embodiments, some network policies may be enforced on the system. However, in some embodiments, the system transmits the network policies to one or more network agents configured to implement the network policies on the network entities.

According to various embodiments of the disclosure, a user or service is able to provide a user intent statement that the system uses to generate multiple network policies. Accordingly, the user need not spend time and resources explicitly crafting each network policy. Instead, the user may specify a reduced number of user intent statements that express the user's network management desires. Furthermore, the user intent statements are more understandable to network operators and application owners and the system is configured to take the user intent statements and translate the statements into network policies that network agents or network entities may use to implement the user's network management desires.

In some embodiments, the user intent statements are translated into platform independent network policies and stored in the policy store. To enforce these network policies, the network policy system transmits the platform independent network policies to network agents running on network entities, where the platform independent network policies are converted into platform specific network policies and implemented.

FIG. 6 is a conceptual block diagram illustrating an example of a network entity 605 that includes a network agent 610, in accordance with various embodiments of the subject technology. The network entity 605 may be a physical machine (e.g., a server, desktop computer, laptop, tablet, mobile device, set top box, or other physical computing machine), a virtual machine, a container, an application, or other computing unit. A network agent 610 may be installed on the network entity 605 and may be configured to receive network policies (e.g., enforcement policies, configuration policies, etc.) from the network policy system 650 via one or more enforcement front end (EFE) modules 655.

After an initial installation on a network entity 605, a network agent 610 can register with the network policy system 650. According to some embodiments, the network agent 610 may read the Basic Input/Output System (BIOS) universally unique identifier (UUID) of the network entity 605, gather other host specific information, and access an agent identifier for the network agent 610. The network agent 610 generates a registration request message containing the agent identifier, host specific information (including the BIOS UUID) and transmits the registration request message to an EFE module 655. In some cases (e.g., when a network agent is just installed), the network agent 610 may not have an agent identifier. Accordingly, this field in the registration request message may be kept blank until one is assigned.

The EFE module receives the registration request message and, if the request message contains an agent identifier, the EFE module will validate that the BIOS UUID is the same as the BIOS UUID for the entry associated with the agent identifier in the inventory store. If the information matches, the agent identifier in registration request is validated and the network agent 610 is registered. The EFE module may generate a registration response message with the validated agent identifier and transmit the registration response message to the network agent. A BIOS UUID that does not match may indicate that the network agent's identity has changed. Accordingly, the EFE module may generate a new agent identifier, create an entry in the inventory store for the new agent identifier and transmit the new agent identifier to the network agent in the registration response message. If the network agent receives a registration response message that includes an agent identifier which is different from the agent identifier the network agent sent in the registration request message, the network agent will update its agent identifier and adopt the received agent identifier.

An EFE module 655 may send network policy configuration messages as a separate message or part of the registration response message. The network policy configuration messages may contain platform independent network policies to implement on the network entity 605 as well as version information. The network agent 610 receives a network policy configuration message and checks the currently applied policy version. If the policy version for the received network policy configuration message is lower than or equal to the applied version, the network agent 610 does not need to update the applied policies. If, on the other hand, the policy version is higher than the applied version, the network agent 610 will process the received network policy configuration message. In some embodiments, the network policies in the network policy configuration message may be in a platform independent format. The network agent 610 may convert the platform independent network policies into platform specific policies and apply any number of optimizations before applying the network policies to the network entity 605.

The network agent 610 may further be configured to observe and collect data and report the collected data to the network policy system 650 via the EFE modules 655. The network agent 610 may collect policy enforcement related data associated with the host entity such as a number of policies being enforced, a number of rules being enforced, a number of data packets being allowed, dropped, forwarded, redirected, or copied, or any other data related to the enforcement of network policies. The network agent 610 may also collect data related to host entity 605 performance such as CPU usage, memory usage, a number of TCP connections, a number of failed connection, etc.

According to some embodiments, some of the information collected by the network agent 610 may be obtained by one or more sensors 625 of the network entity 605. The sensors 625 may be physical sensors or logical sensors and, in some embodiments, may be a part of the network agent 610 (e.g., a part of the agent enforcer 615 shown in FIG. 6). The network agent 610 may also collect other data related to the host such as an entity name, operating system, entity interface information, file system information, applications or processes installed or running, or disks that are mounted. The network agent 610 may collect the information, store the information, and send the information to an EFE module 655 from time to time.

According to some embodiments, the network agent 610 may be partitioned into two or more portions with varying permissions or privileges in order to provide additional protections to the network entity 605. For example, in FIG. 6, the network agent 610 is shown to include an agent enforcer 615 and an agent controller 620.

The agent controller 620 is associated with an unprivileged status that does not grant the agent controller 620 certain privileges and may be unable to directly access system protected resources. The agent controller 620 is configured to communicate with the EFE modules 655 of the network policy system 650 via a Secure Sockets Layer (SSL) channel and pass critical data to the agent enforcer via an interprocess communication (IPC) channel 630. Interprocess communications (IPC) are communication channels provided by an operating system running on the network entity 605 that enable processes running on the network entity 605 to communicate and share data.

For example, the agent controller 620 may receive platform independent network policies from one or more EFE modules 655 and pass the network policies to the agent enforcer 615 via the IPC channel 630. The agent controller 620 may also receive data collected by the agent enforcer 615 (e.g., policy enforcement related data, data related to entity performance, or other data related to the network entity 605) via the IPC channel 630, generate a message containing the collected data, and transmit the message to one or more EFE modules 655.

The agent enforcer 615 is associated with a privileged status that provides the agent enforcer 615 with additional privileges with respect to the network entity 605. For example, the agent enforcer may directly access or manipulate the network entity's protected resources such as a system firewall, CPU usage, memory usage, sensors 625, or system interfaces. The agent enforcer 615 may be configured to manage registration of the network agent 610 and select which EFE modules 655 with which to communicate. The agent enforcer 615 may further validate network policies received from the network policy system 650 to ensure that the network policies do not violate any sanity checks or golden rules (e.g., a network policy that blocks communication from a port that communicates with EFE modules 655 may be ignored) and translate platform independent network policies received from the network policy system 650 to platform specific policies. The agent enforcer 615 may also maintain a policy cache, enforce platform specific network policies, and determine whether a network policy has been altered. The agent enforcer 615 may also monitors system metrics and policy enforcement metrics so that the data may periodically be sent to the network policy system 650 for analysis.

According to some embodiments, the agent enforcer 615 and the agent controller 620 may run independently and the separation of the agent enforcer 615 and the agent controller 620 allow for a more secure network agent 610 and network entity 605. For example, the agent enforcer 620 may have no external socket connections in order to reduce the number of vulnerable areas that malicious actors (e.g., hackers) may attack. Although the agent controller 620 communicates with the network policy system 650 via a SSL channel, damage caused by the corruption of the agent controller 620 is limited since the agent controller 620 is unable to directly access privileged resources and cannot enforce arbitrary network policies.

FIG. 7 shows an example process for implementing network policies on a network entity, in accordance with various embodiments of the subject technology. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated. The process 700 can be performed by a network agent (e.g., the network agent 610 of FIG. 6) or similar system.

At operation 705, an agent controller of the network agent may receive a platform independent network policy from a network policy system. The platform independent network policy may be generated by the network policy system based on, for example, a user intent statement. The agent controller may transmit the platform independent network policy to an agent enforcer via an interprocess communication at operation 710. At operation 715, the agent enforce may determine implementation characteristics of the network entity. The implementation characteristics may include, for example, the operating system information of the network entity, port configurations, storage available to the network entity, accessories attached to the network entity, file system information, applications or processes installed or running on the network entity, etc.

At operation 720, the agent enforcer may generate one or more platform specific policies from the platform independent network policy based on the implementation characteristics and, at operation 725, implement the platform specific policies on the network entity. Once the platform specific policies are implemented, the agent enforcer may further monitor the network entity to collect data to be reported back to the network policy system or to identify policies that have been altered.

An altered network policy may indicate that a user (e.g., a system administrator) or a malicious actor (e.g., a hacker or malicious code) may be trying to change the network policies and a report should be sent to the network policy system for notification purposes. For example, an agent enforcer may identify that a policy in the platform specific policies has been altered and revert the altered policy back to a previous state. The agent enforcer may generate a report detailing the alteration of the network policy and transmit the report, via the IPC channel, to the agent controller where the agent controller may transmit the report to the network policy system.

According to some embodiments, the network agent is able to monitor the network entity and collect data to be sent to the network policy system for analysis. FIG. 8 shows an example process for providing network entity reports to a network policy system, in accordance with various embodiments of the subject technology. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated. The process 800 can be performed by a network agent (e.g., the network agent 610 of FIG. 6) or similar system.

At operation 805, an agent enforcer of a network agent may implement the network policies on the network entity. As described above, the agent enforcer may have a privileged status with respect to the network entity and have permission to take certain actions, access more sensitive resources, and make privileged system calls. The agent enforcer may also be allowed to access certain data that is to be reported to the network policy system at operation 810.

This information may include, for example, policy enforcement data associated with the implementation of the network policies on the network entity, system performance data associated with operation of the network entity, or other entity data. The policy enforcement data may include, for example, a number of policies being enforced, a number of times each network policy is enforced, a number of data packets being allowed, dropped, forwarded, redirected, or copied, or any other data related to the enforcement of network policies. The performance data may include, for example, central processing unit (CPU) usage, memory usage, a number of inbound and/or outbound connections over time, a number of failed connection, etc. Entity data may include, for example, an agent identifier, an operating system, a hostname, entity interface information, file system information, applications or processes installed or running, or disks that are mounted. In some embodiments, one or more sensors are configured to collect and store the data and the agent enforcer is able to access the data via an application programming interface (API) for the sensors.

At operation 815, the agent enforcer may transmit the data to an agent controller on the system via an interprocess communication (IPC) channel. The agent controller receives the data and generates a report that includes the data at operation 820 and transmits the report to the network policy system at operation 825.

According to various embodiments, the network policy system may use the data to provide network administrators with reports on a whole network ecosystem and/or individual network entities. The network policy system may also use the data to monitor network performance, identify threats to the network, and/or manage the network policies for the network. For example, depending on which policy rules being violated and/or whether they are being violated on one, a small group, or across the network, the network policy system may be able to characterize of identify the threat to the network. Based on historical policy enforcement data, the network policy system may be able to determine whether a threat is new or active.

According to some embodiments, the network policy system may determine that a policy is never violated based on the policy enforcement data. The larger number of rules increases the computational overhead of the network, the network policy system, and the network entities. To increase efficiency, the network policy system may remove the policy that is never violated.

FIG. 9A and FIG. 9B illustrate systems in accordance with various embodiments. The more appropriate system will be apparent to those of ordinary skill in the art when practicing the various embodiments. Persons of ordinary skill in the art will also readily appreciate that other systems are possible.

FIG. 9A illustrates an example architecture for a conventional bus computing system 900 wherein the components of the system are in electrical communication with each other using a bus 905. The computing system 900 can include a processing unit (CPU or processor) 910 and a system bus 905 that may couple various system components including the system memory 915, such as read only memory (ROM) in a storage device 920 and random access memory (RAM) 925, to the processor 910. The computing system 900 can include a cache 912 of high-speed memory connected directly with, in close proximity to, or integrated as part of the processor 910. The computing system 900 can copy data from the memory 915 and/or the storage device 930 to the cache 912 for quick access by the processor 910. In this way, the cache 912 can provide a performance boost that avoids processor delays while waiting for data. These and other modules can control or be configured to control the processor 910 to perform various actions. Other system memory 915 may be available for use as well. The memory 915 can include multiple different types of memory with different performance characteristics. The processor 910 can include any general purpose processor and a hardware module or software module, such as module 1932, module 2934, and module 3936 stored in storage device 930, configured to control the processor 910 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. The processor 910 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.

To enable user interaction with the computing system 900, an input device 945 can represent any number of input mechanisms, such as a microphone for speech, a touch-protected screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth. An output device 935 can also be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input to communicate with the computing system 900. The communications interface 940 can govern and manage the user input and system output. There may be no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.

Storage device 930 can be a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 925, read only memory (ROM) 920, and hybrids thereof.

The storage device 930 can include software modules 932, 934, 936 for controlling the processor 910. Other hardware or software modules are contemplated. The storage device 930 can be connected to the system bus 905. In one aspect, a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as the processor 910, bus 905, output device 935, and so forth, to carry out the function.

FIG. 9B illustrates an example architecture for a conventional chipset computing system 950 that can be used in accordance with an embodiment. The computing system 950 can include a processor 955, representative of any number of physically and/or logically distinct resources capable of executing software, firmware, and hardware configured to perform identified computations. The processor 955 can communicate with a chipset 960 that can control input to and output from the processor 955. In this example, the chipset 960 can output information to an output device 965, such as a display, and can read and write information to storage device 970, which can include magnetic media, and solid state media, for example. The chipset 960 can also read data from and write data to RAM 975. A bridge 980 for interfacing with a variety of user interface components 985 can be provided for interfacing with the chipset 960. The user interface components 985 can include a keyboard, a microphone, touch detection and processing circuitry, a pointing device, such as a mouse, and so on. Inputs to the computing system 950 can come from any of a variety of sources, machine generated and/or human generated.

The chipset 960 can also interface with one or more communication interfaces 990 that can have different physical interfaces. The communication interfaces 990 can include interfaces for wired and wireless LANs, for broadband wireless networks, as well as personal area networks. Some applications of the methods for generating, displaying, and using the GUI disclosed herein can include receiving ordered datasets over the physical interface or be generated by the machine itself by processor 955 analyzing data stored in the storage device 970 or the RAM 975. Further, the computing system 900 can receive inputs from a user via the user interface components 985 and execute appropriate functions, such as browsing functions by interpreting these inputs using the processor 955.

It will be appreciated that computing systems 900 and 950 can have more than one processor 910 and 955, respectively, or be part of a group or cluster of computing devices networked together to provide greater processing capability.

For clarity of explanation, in some instances the various embodiments may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.

In some embodiments the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.

Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.

Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.

The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.

Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims.

Claims

1. A network entity comprising: at least one processor; andat least one memory storing instructions that, when executed by the at least one processor, cause the at least one processor to: receive a network policy;implement, by a first agent with a privileged status running on the network entity, the network policy;access, by the first agent and based on the privileged status, policy enforcement data associated with the implementation of the network policy;enable access, by the first agent to a second agent without a privileged status running on the network entity, the policy enforcement data;generate, by the second agent, a report based on the policy enforcement data; andtransmit the report.
2. The network entity of claim 1, further comprising: one or more sensors configured to collect the policy enforcement data.
3. The network entity of claim 1, further comprising instructions which when executed by the at least one processor, cause the at least one processor to: access, by the first agent based on the privileged status, entity or performance data of the network entity;enable access, to the second agent, to the entity or performance data; andgenerate, by the second agent, the report to include the entity or performance data.
4. The network entity of claim 1, further comprising instructions which when executed by the at least one processor, cause the at least one processor to: periodically collect the policy enforcement data; andenable access, to the second agent, to the periodically collected policy enforcement data for generating the report.
5. The network entity of claim 1, further comprising instructions which when executed by the at least one processor, cause the at least one processor to: determine implementation characteristics of the network entity;generate one or more specific polices from the network policy based on the implementation characteristics; andimplement the one or more specific policies.
6. The network entity of claim 5, further comprising instructions which when executed by the at least one processor, cause the at least one processor to: identity that a specific policy from the one or more specific policies has been altered; andin response to the identification that the specific policy is altered, revert to a previous policy.
7. The network entity of claim 1, wherein the network policy is based on user intent.
8. At least one non-transitory computer readable medium storing instructions that, when executed by the at least one processor, cause the at least one processor to: receive a network policy;implement, by a first agent with a privileged status running on the network entity, the network policy;access, by the first agent and based on the privileged status, policy enforcement data associated with the implementation of the network policy;enable access, by the first agent to a second agent without a privileged status running on the network entity, the policy enforcement data;generate, by the second agent, a report based on the policy enforcement data; andtransmit the report.
9. The at least one non-transitory computer readable medium of claim 8, further comprising: one or more sensors configured to collect the policy enforcement data.
10. The at least one non-transitory computer readable medium of claim 8, further comprising instructions which when executed by the at least one processor, cause the at least one processor to: access, by the first agent based on the privileged status, entity or performance data of the network entity;enable access, to the second agent, to the entity or performance data; andgenerate, by the second agent, the report to include the entity or performance data.
11. The at least one non-transitory computer readable medium of claim 8, further comprising instructions which when executed by the at least one processor, cause the at least one processor to: periodically collect the policy enforcement data; andenable access, to the second agent, to the periodically collected policy enforcement data for generating the report.
12. The at least one non-transitory computer readable medium of claim 8, further comprising instructions which when executed by the at least one processor, cause the at least one processor to: determine implementation characteristics of the network entity;generate one or more specific polices from the network policy based on the implementation characteristics; andimplement the one or more specific policies.
13. The at least one non-transitory computer readable medium of claim 12, further comprising instructions which when executed by the at least one processor, cause the at least one processor to: identity that a specific policy from the one or more specific policies has been altered; andin response to the identification that the specific policy is altered, revert to a previous policy.
14. The least one non-transitory computer readable medium of claim 8, wherein the network policy is based on user intent.
15. A method comprising: receiving, at a network entity, a network policy;implementing, by a first agent with a privileged status running on a network entity, the network policy;accessing, by the first agent and based on the privileged status, policy enforcement data associated with the implementation of the network policy;enabling access, by the first agent to a second agent without a privileged status running on the network entity, the policy enforcement data;generating, by the second agent, a report based on the policy enforcement data; andtransmitting the report.
16. The method of claim 15, further comprising: accessing, by the first agent based on the privileged status, entity or performance data of the network entity;enabling access, to the second agent, to the entity or performance data; andgenerating, by the second agent, the report to include the entity or performance data.
17. The method of claim 15, further comprising: periodically collecting the policy enforcement data; andenabling access, to the second agent, to the periodically collected policy enforcement data for generating the report.
18. The method of claim 15, further comprising: determining implementation characteristics of the network entity;generating one or more specific polices from the network policy based on the implementation characteristics; andimplementing the one or more specific policies.
19. The method of claim 18, further comprising: identifying that a specific policy from the one or more specific policies has been altered; andin response to identifying that the specific policy is altered, reverting to a previous policy.
20. The method of claim 15, wherein the network policy is based on user intent.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a Continuation of, and claims priority to, U.S. Non-Provisional patent application Ser. No. 15/469,737, filed Mar. 27, 2017, the content of which is incorporated herein by reference in its entirety.

US Referenced Citations (675)

Number	Name	Date	Kind
5086385	Launey et al.	Feb 1992	A
5319754	Meinecke et al.	Jun 1994	A
5400246	Wilson et al.	Mar 1995	A
5436909	Dev et al.	Jul 1995	A
5555416	Owens et al.	Sep 1996	A
5726644	Jednacz et al.	Mar 1998	A
5742829	Davis et al.	Apr 1998	A
5822731	Schultz	Oct 1998	A
5831848	Rielly et al.	Nov 1998	A
5903545	Sabourin et al.	May 1999	A
6012096	Link et al.	Jan 2000	A
6085243	Fletcher et al.	Jul 2000	A
6141595	Gloudeman et al.	Oct 2000	A
6144962	Weinberg et al.	Nov 2000	A
6167445	Gai et al.	Dec 2000	A
6239699	Ronnen	May 2001	B1
6247058	Miller et al.	Jun 2001	B1
6249241	Jordan et al.	Jun 2001	B1
6330562	Boden et al.	Dec 2001	B1
6353775	Nichols	Mar 2002	B1
6525658	Streetman et al.	Feb 2003	B2
6546420	Lemler et al.	Apr 2003	B1
6597663	Rekhter	Jul 2003	B1
6611896	Mason, Jr. et al.	Aug 2003	B1
6654750	Adams et al.	Nov 2003	B1
6728779	Griffin et al.	Apr 2004	B1
6801878	Hintz et al.	Oct 2004	B1
6816461	Scrandis et al.	Nov 2004	B1
6847993	Novaes et al.	Jan 2005	B1
6848106	Hipp	Jan 2005	B1
6925490	Novaes et al.	Aug 2005	B1
6958998	Shorey	Oct 2005	B2
6983323	Cantrell et al.	Jan 2006	B2
6996817	Birum et al.	Feb 2006	B2
6999452	Drummond-Murray et al.	Feb 2006	B1
7002464	Bruemmer et al.	Feb 2006	B2
7024468	Meyer et al.	Apr 2006	B1
7096368	Kouznetsov et al.	Aug 2006	B2
7111055	Falkner	Sep 2006	B2
7120934	Ishikawa	Oct 2006	B2
7133923	MeLampy et al.	Nov 2006	B2
7162643	Sankaran et al.	Jan 2007	B1
7181769	Keanini et al.	Feb 2007	B1
7185073	Gai et al.	Feb 2007	B1
7185103	Jain	Feb 2007	B1
7203740	Putzolu et al.	Apr 2007	B1
7302487	Ylonen et al.	Nov 2007	B2
7337206	Wen et al.	Feb 2008	B1
7349761	Cruse	Mar 2008	B1
7353511	Ziese	Apr 2008	B1
7356679	Le et al.	Apr 2008	B1
7360072	Soltis et al.	Apr 2008	B1
7370092	Aderton et al.	May 2008	B2
7395195	Suenbuel et al.	Jul 2008	B2
7444404	Wetherall et al.	Oct 2008	B2
7466681	Ashwood-Smith et al.	Dec 2008	B2
7467205	Dempster et al.	Dec 2008	B1
7496040	Seo	Feb 2009	B2
7496575	Buccella et al.	Feb 2009	B2
7506307	McCollum et al.	Mar 2009	B2
7530105	Gilbert et al.	May 2009	B2
7539770	Meier	May 2009	B2
7568107	Rathi et al.	Jul 2009	B1
7610330	Quinn et al.	Oct 2009	B1
7633942	Bearden et al.	Dec 2009	B2
7644438	Dash et al.	Jan 2010	B1
7676570	Levy et al.	Mar 2010	B2
7681131	Quarterman et al.	Mar 2010	B1
7693947	Judge et al.	Apr 2010	B2
7743242	Oberhaus et al.	Jun 2010	B2
7752307	Takara	Jul 2010	B2
7774498	Kraemer et al.	Aug 2010	B1
7783457	Cunningham	Aug 2010	B2
7787480	Mehta et al.	Aug 2010	B1
7788477	Huang et al.	Aug 2010	B1
7808897	Mehta et al.	Oct 2010	B1
7813822	Hoffberg	Oct 2010	B1
7844696	Labovitz et al.	Nov 2010	B2
7844744	Abercrombie et al.	Nov 2010	B2
7864707	Dimitropoulos et al.	Jan 2011	B2
7873025	Patel et al.	Jan 2011	B2
7873074	Boland	Jan 2011	B1
7874001	Beck et al.	Jan 2011	B2
7885197	Metzler	Feb 2011	B2
7895649	Brook et al.	Feb 2011	B1
7904420	Ianni	Mar 2011	B2
7930752	Hertzog et al.	Apr 2011	B2
7934248	Yehuda et al.	Apr 2011	B1
7957934	Greifeneder	Jun 2011	B2
7961637	McBeath	Jun 2011	B2
7970946	Djabarov et al.	Jun 2011	B1
7975035	Popescu et al.	Jul 2011	B2
8001610	Chickering et al.	Aug 2011	B1
8005935	Pradhan et al.	Aug 2011	B2
8040232	Oh et al.	Oct 2011	B2
8040822	Proulx et al.	Oct 2011	B2
8056134	Ogilvie	Nov 2011	B1
8115617	Thubert et al.	Feb 2012	B2
8135657	Kapoor et al.	Mar 2012	B2
8156430	Newman	Apr 2012	B2
8160063	Maltz et al.	Apr 2012	B2
8179809	Eppstein et al.	May 2012	B1
8181248	Oh et al.	May 2012	B2
8185824	Mitchell et al.	May 2012	B1
8239365	Salman	Aug 2012	B2
8239915	Satish et al.	Aug 2012	B1
8250657	Nachenberg et al.	Aug 2012	B1
8255972	Azagury et al.	Aug 2012	B2
8266697	Coffman	Sep 2012	B2
8272875	Jurmain	Sep 2012	B1
8281397	Vaidyanathan et al.	Oct 2012	B2
8291495	Burns et al.	Oct 2012	B1
8296847	Mendonca et al.	Oct 2012	B2
8311973	Zadeh	Nov 2012	B1
8365286	Poston	Jan 2013	B2
8370407	Devarajan et al.	Feb 2013	B1
8381289	Pereira et al.	Feb 2013	B1
8391270	Van Der Stok et al.	Mar 2013	B2
8407164	Malik et al.	Mar 2013	B2
8407798	Lotem et al.	Mar 2013	B1
8413235	Chen et al.	Apr 2013	B1
8442073	Skubacz et al.	May 2013	B2
8451731	Lee et al.	May 2013	B1
8462212	Kundu et al.	Jun 2013	B1
8489765	Vasseur et al.	Jul 2013	B2
8499348	Rubin	Jul 2013	B1
8516590	Ranadive et al.	Aug 2013	B1
8527977	Cheng et al.	Sep 2013	B1
8549635	Muttik et al.	Oct 2013	B2
8570861	Brandwine et al.	Oct 2013	B1
8572600	Chung et al.	Oct 2013	B2
8572734	McConnell et al.	Oct 2013	B2
8572735	Ghosh et al.	Oct 2013	B2
8572739	Cruz et al.	Oct 2013	B1
8588081	Salam et al.	Nov 2013	B2
8600726	Varshney et al.	Dec 2013	B1
8613084	Dalcher	Dec 2013	B2
8615803	Dacier et al.	Dec 2013	B2
8630316	Haba	Jan 2014	B2
8631464	Belakhdar et al.	Jan 2014	B2
8640086	Bonev et al.	Jan 2014	B2
8656493	Capalik	Feb 2014	B2
8661544	Yen et al.	Feb 2014	B2
8677487	Balupari et al.	Mar 2014	B2
8683389	Bar-Yam et al.	Mar 2014	B1
8706914	Duchesneau	Apr 2014	B2
8713676	Pandrangi et al.	Apr 2014	B2
8719452	Ding et al.	May 2014	B1
8719835	Kanso et al.	May 2014	B2
8750287	Bui et al.	Jun 2014	B2
8752042	Ratica	Jun 2014	B2
8752179	Zaitsev	Jun 2014	B2
8755396	Sindhu et al.	Jun 2014	B2
8762951	Kosche et al.	Jun 2014	B1
8769084	Westerfeld et al.	Jul 2014	B2
8775577	Alford et al.	Jul 2014	B1
8776180	Kumar et al.	Jul 2014	B2
8812448	Anderson et al.	Aug 2014	B1
8812725	Kulkarni	Aug 2014	B2
8813236	Saha et al.	Aug 2014	B1
8825848	Dotan et al.	Sep 2014	B1
8832013	Adams et al.	Sep 2014	B1
8832461	Saroiu et al.	Sep 2014	B2
8849926	Marzencki et al.	Sep 2014	B2
8881258	Paul et al.	Nov 2014	B2
8887238	Howard et al.	Nov 2014	B2
8904520	Nachenberg et al.	Dec 2014	B1
8908685	Patel et al.	Dec 2014	B2
8914497	Xiao et al.	Dec 2014	B1
8931043	Cooper et al.	Jan 2015	B2
8954610	Berke et al.	Feb 2015	B2
8955124	Kim et al.	Feb 2015	B2
8966021	Allen	Feb 2015	B1
8966625	Zuk et al.	Feb 2015	B1
8973147	Pearcy et al.	Mar 2015	B2
8984331	Quinn	Mar 2015	B2
8990386	He et al.	Mar 2015	B2
8996695	Anderson et al.	Mar 2015	B2
8997227	Mhatre et al.	Mar 2015	B1
9014047	Alcala et al.	Apr 2015	B2
9015716	Fletcher et al.	Apr 2015	B2
9071575	Lemaster et al.	Jun 2015	B2
9088598	Zhang et al.	Jul 2015	B1
9110905	Polley et al.	Aug 2015	B2
9117075	Yeh	Aug 2015	B1
9130836	Kapadia et al.	Sep 2015	B2
9152789	Natarajan et al.	Oct 2015	B2
9160764	Stiansen et al.	Oct 2015	B2
9170917	Kumar et al.	Oct 2015	B2
9178906	Chen et al.	Nov 2015	B1
9185127	Neou et al.	Nov 2015	B2
9191400	Ptasinski et al.	Nov 2015	B1
9191402	Yan	Nov 2015	B2
9197654	Ben-Shalom et al.	Nov 2015	B2
9225793	Dutta et al.	Dec 2015	B2
9237111	Banavalikar et al.	Jan 2016	B2
9246702	Sharma et al.	Jan 2016	B1
9246773	Degioanni	Jan 2016	B2
9253042	Lumezanu et al.	Feb 2016	B2
9253206	Fleischman	Feb 2016	B1
9258217	Duffield et al.	Feb 2016	B2
9281940	Matsuda et al.	Mar 2016	B2
9286047	Avramov et al.	Mar 2016	B1
9294486	Chiang et al.	Mar 2016	B1
9317574	Brisebois et al.	Apr 2016	B1
9319384	Yan et al.	Apr 2016	B2
9369435	Short et al.	Jun 2016	B2
9369479	Lin	Jun 2016	B2
9378068	Anantharam et al.	Jun 2016	B2
9396327	Shimomura et al.	Jun 2016	B2
9405903	Xie et al.	Aug 2016	B1
9417985	Baars et al.	Aug 2016	B2
9418222	Rivera et al.	Aug 2016	B1
9426068	Dunbar et al.	Aug 2016	B2
9454324	Madhavapeddi	Sep 2016	B1
9462013	Boss et al.	Oct 2016	B1
9465696	McNeil et al.	Oct 2016	B2
9501744	Brisebois et al.	Nov 2016	B1
9531589	Clemm et al.	Dec 2016	B2
9563517	Natanzon et al.	Feb 2017	B1
9621413	Lee	Apr 2017	B1
9634915	Bley	Apr 2017	B2
9645892	Patwardhan	May 2017	B1
9684453	Holt et al.	Jun 2017	B2
9697033	Koponen et al.	Jul 2017	B2
9733973	Prasad et al.	Aug 2017	B2
9749145	Banavalikar et al.	Aug 2017	B2
9762619	Vaidya	Sep 2017	B1
9800608	Korsunsky et al.	Oct 2017	B2
9819540	Bahadur et al.	Nov 2017	B1
9904584	Konig et al.	Feb 2018	B2
9916538	Zadeh et al.	Mar 2018	B2
9935851	Gandham et al.	Apr 2018	B2
10009240	Rao et al.	Jun 2018	B2
20010028646	Arts et al.	Oct 2001	A1
20020053033	Cooper et al.	May 2002	A1
20020097687	Meiri et al.	Jul 2002	A1
20020103793	Koller et al.	Aug 2002	A1
20020107857	Teraslinna	Aug 2002	A1
20020141343	Bays	Oct 2002	A1
20020184393	Leddy et al.	Dec 2002	A1
20020194317	Kanada	Dec 2002	A1
20030023601	Fortier, Jr. et al.	Jan 2003	A1
20030065986	Fraenkel et al.	Apr 2003	A1
20030097439	Strayer et al.	May 2003	A1
20030126242	Chang	Jul 2003	A1
20030145232	Poletto et al.	Jul 2003	A1
20030151513	Herrmann et al.	Aug 2003	A1
20030154399	Zuk et al.	Aug 2003	A1
20030177208	Harvey, IV	Sep 2003	A1
20040019676	Iwatsuki et al.	Jan 2004	A1
20040030776	Cantrell et al.	Feb 2004	A1
20040213221	Civanlar et al.	Oct 2004	A1
20040220984	Dudfield et al.	Nov 2004	A1
20040243533	Dempster et al.	Dec 2004	A1
20040255050	Takehiro et al.	Dec 2004	A1
20040268149	Aaron	Dec 2004	A1
20050028154	Smith et al.	Feb 2005	A1
20050039104	Shah et al.	Feb 2005	A1
20050063377	Bryant et al.	Mar 2005	A1
20050083933	Fine et al.	Apr 2005	A1
20050108331	Osterman	May 2005	A1
20050122325	Twait	Jun 2005	A1
20050138157	Jung et al.	Jun 2005	A1
20050166066	Ahuja et al.	Jul 2005	A1
20050177829	Vishwanath	Aug 2005	A1
20050182681	Bruskotter et al.	Aug 2005	A1
20050185621	Sivakumar et al.	Aug 2005	A1
20050198247	Perry et al.	Sep 2005	A1
20050198371	Smith et al.	Sep 2005	A1
20050198629	Vishwanath	Sep 2005	A1
20050207376	Ashwood-Smith et al.	Sep 2005	A1
20050257244	Joly et al.	Nov 2005	A1
20050289244	Sahu et al.	Dec 2005	A1
20060048218	Lingafelt et al.	Mar 2006	A1
20060077909	Saleh et al.	Apr 2006	A1
20060080733	Khosmood et al.	Apr 2006	A1
20060089985	Poletto	Apr 2006	A1
20060095968	Portolani et al.	May 2006	A1
20060143432	Rothman et al.	Jun 2006	A1
20060156408	Himberger et al.	Jul 2006	A1
20060159032	Ukrainetz et al.	Jul 2006	A1
20060173912	Lindvall et al.	Aug 2006	A1
20060195448	Newport	Aug 2006	A1
20060272018	Fouant	Nov 2006	A1
20060274659	Ouderkirk	Dec 2006	A1
20060280179	Meier	Dec 2006	A1
20060294219	Ogawa et al.	Dec 2006	A1
20070014275	Bettink et al.	Jan 2007	A1
20070025306	Cox et al.	Feb 2007	A1
20070044147	Choi et al.	Feb 2007	A1
20070097976	Wood et al.	May 2007	A1
20070118654	Jamkhedkar et al.	May 2007	A1
20070127491	Verzijp et al.	Jun 2007	A1
20070162420	Ou et al.	Jul 2007	A1
20070169179	Narad	Jul 2007	A1
20070195729	Li et al.	Aug 2007	A1
20070195794	Fujita et al.	Aug 2007	A1
20070195797	Patel et al.	Aug 2007	A1
20070201474	Isobe	Aug 2007	A1
20070211637	Mitchell	Sep 2007	A1
20070214348	Danielsen	Sep 2007	A1
20070230415	Malik	Oct 2007	A1
20070232265	Park et al.	Oct 2007	A1
20070250930	Aziz et al.	Oct 2007	A1
20070300061	Kim et al.	Dec 2007	A1
20080002697	Anantharamaiah et al.	Jan 2008	A1
20080022385	Crowell et al.	Jan 2008	A1
20080028389	Genty et al.	Jan 2008	A1
20080046708	Fitzgerald et al.	Feb 2008	A1
20080049633	Edwards et al.	Feb 2008	A1
20080056124	Nanda et al.	Mar 2008	A1
20080082662	Danliker et al.	Apr 2008	A1
20080101234	Nakil et al.	May 2008	A1
20080120350	Grabowski et al.	May 2008	A1
20080126534	Mueller et al.	May 2008	A1
20080141246	Kuck et al.	Jun 2008	A1
20080155245	Lipscombe et al.	Jun 2008	A1
20080250122	Zsigmond et al.	Oct 2008	A1
20080270199	Chess et al.	Oct 2008	A1
20080282347	Dadhia et al.	Nov 2008	A1
20080295163	Kang	Nov 2008	A1
20080301765	Nicol et al.	Dec 2008	A1
20090059934	Aggarwal et al.	Mar 2009	A1
20090064332	Porras et al.	Mar 2009	A1
20090109849	Wood et al.	Apr 2009	A1
20090133126	Jang et al.	May 2009	A1
20090138590	Lee et al.	May 2009	A1
20090180393	Nakamura	Jul 2009	A1
20090241170	Kumar et al.	Sep 2009	A1
20090292795	Ford et al.	Nov 2009	A1
20090296593	Prescott	Dec 2009	A1
20090300180	Dehaan et al.	Dec 2009	A1
20090307753	Dupont et al.	Dec 2009	A1
20090313373	Hanna et al.	Dec 2009	A1
20090313698	Wahl	Dec 2009	A1
20090319912	Serr et al.	Dec 2009	A1
20090323543	Shimakura	Dec 2009	A1
20090328219	Narayanaswamy	Dec 2009	A1
20100005288	Rao et al.	Jan 2010	A1
20100049839	Parker et al.	Feb 2010	A1
20100054241	Shah et al.	Mar 2010	A1
20100077445	Schneider et al.	Mar 2010	A1
20100095293	O'Neill et al.	Apr 2010	A1
20100095367	Narayanaswamy	Apr 2010	A1
20100095377	Krywaniuk	Apr 2010	A1
20100138526	DeHaan et al.	Jun 2010	A1
20100138810	Komatsu et al.	Jun 2010	A1
20100148940	Gelvin et al.	Jun 2010	A1
20100153316	Duffield et al.	Jun 2010	A1
20100153696	Beachem et al.	Jun 2010	A1
20100180016	Bugwadia et al.	Jul 2010	A1
20100194741	Finocchio	Aug 2010	A1
20100220584	DeHaan et al.	Sep 2010	A1
20100235514	Beachem	Sep 2010	A1
20100235879	Burnside et al.	Sep 2010	A1
20100235915	Memon et al.	Sep 2010	A1
20100287266	Asati et al.	Nov 2010	A1
20100303240	Beachem	Dec 2010	A1
20100306180	Johnson et al.	Dec 2010	A1
20100317420	Hoffberg	Dec 2010	A1
20100319060	Aiken et al.	Dec 2010	A1
20110004935	Moffie et al.	Jan 2011	A1
20110010585	Bugenhagen et al.	Jan 2011	A1
20110022641	Werth et al.	Jan 2011	A1
20110055381	Narasimhan et al.	Mar 2011	A1
20110055388	Yumerefendi et al.	Mar 2011	A1
20110066719	Miryanov et al.	Mar 2011	A1
20110069685	Tofighbakhsh	Mar 2011	A1
20110072119	Bronstein et al.	Mar 2011	A1
20110083125	Komatsu et al.	Apr 2011	A1
20110085556	Breslin et al.	Apr 2011	A1
20110103259	Aybay et al.	May 2011	A1
20110107074	Chan et al.	May 2011	A1
20110107331	Evans et al.	May 2011	A1
20110126136	Abella et al.	May 2011	A1
20110126275	Anderson et al.	May 2011	A1
20110145885	Rivers et al.	Jun 2011	A1
20110153039	Gvelesiani et al.	Jun 2011	A1
20110153811	Jeong et al.	Jun 2011	A1
20110158088	Lofstrand et al.	Jun 2011	A1
20110170860	Smith et al.	Jul 2011	A1
20110173490	Narayanaswamy et al.	Jul 2011	A1
20110185423	Sallam	Jul 2011	A1
20110196957	Ayachitula et al.	Aug 2011	A1
20110202655	Sharma et al.	Aug 2011	A1
20110214174	Herzog et al.	Sep 2011	A1
20110225207	Subramanian et al.	Sep 2011	A1
20110228696	Agarwal et al.	Sep 2011	A1
20110238793	Bedare et al.	Sep 2011	A1
20110246663	Meisen et al.	Oct 2011	A1
20110277034	Hanson	Nov 2011	A1
20110283277	Castillo et al.	Nov 2011	A1
20110302652	Westerfeld	Dec 2011	A1
20110314148	Petersen et al.	Dec 2011	A1
20110317982	Xu et al.	Dec 2011	A1
20120005542	Petersen et al.	Jan 2012	A1
20120079592	Pandrangi	Mar 2012	A1
20120089664	Igelka	Apr 2012	A1
20120102361	Sass et al.	Apr 2012	A1
20120102543	Kohli et al.	Apr 2012	A1
20120110188	Van Biljon et al.	May 2012	A1
20120117226	Tanaka et al.	May 2012	A1
20120117642	Lin et al.	May 2012	A1
20120136996	Seo et al.	May 2012	A1
20120137278	Draper et al.	May 2012	A1
20120137361	Yi et al.	May 2012	A1
20120140626	Anand et al.	Jun 2012	A1
20120195198	Regan	Aug 2012	A1
20120197856	Banka et al.	Aug 2012	A1
20120198541	Reeves	Aug 2012	A1
20120216271	Cooper et al.	Aug 2012	A1
20120218989	Tanabe et al.	Aug 2012	A1
20120219004	Balus et al.	Aug 2012	A1
20120233348	Winters	Sep 2012	A1
20120233473	Vasseur et al.	Sep 2012	A1
20120240232	Azuma	Sep 2012	A1
20120246303	Petersen et al.	Sep 2012	A1
20120254109	Shukla et al.	Oct 2012	A1
20120260227	Shukla et al.	Oct 2012	A1
20120278021	Lin et al.	Nov 2012	A1
20120281700	Koganti et al.	Nov 2012	A1
20120300628	Prescott et al.	Nov 2012	A1
20130003538	Greenburg et al.	Jan 2013	A1
20130003733	Venkatesan et al.	Jan 2013	A1
20130006935	Grisby	Jan 2013	A1
20130007435	Bayani	Jan 2013	A1
20130038358	Cook et al.	Feb 2013	A1
20130041934	Annamalaisami et al.	Feb 2013	A1
20130054682	Malik et al.	Feb 2013	A1
20130085889	Fitting et al.	Apr 2013	A1
20130086272	Chen et al.	Apr 2013	A1
20130103827	Dunlap et al.	Apr 2013	A1
20130107709	Campbell et al.	May 2013	A1
20130124807	Nielsen et al.	May 2013	A1
20130125107	Bandakka et al.	May 2013	A1
20130145099	Liu et al.	Jun 2013	A1
20130148663	Xiong	Jun 2013	A1
20130159999	Chiueh et al.	Jun 2013	A1
20130166730	Wilkinson	Jun 2013	A1
20130173784	Wang et al.	Jul 2013	A1
20130174256	Powers	Jul 2013	A1
20130179487	Lubetzky et al.	Jul 2013	A1
20130179879	Zhang et al.	Jul 2013	A1
20130198517	Mazzarella	Aug 2013	A1
20130198839	Wei et al.	Aug 2013	A1
20130201986	Sajassi et al.	Aug 2013	A1
20130205293	Levijarvi et al.	Aug 2013	A1
20130219161	Fontignie et al.	Aug 2013	A1
20130219500	Lukas et al.	Aug 2013	A1
20130232498	Mangtani et al.	Sep 2013	A1
20130242999	Kamble et al.	Sep 2013	A1
20130246925	Ahuja et al.	Sep 2013	A1
20130247201	Alperovitch et al.	Sep 2013	A1
20130254879	Chesla et al.	Sep 2013	A1
20130268994	Cooper et al.	Oct 2013	A1
20130275579	Hernandez et al.	Oct 2013	A1
20130283374	Zisapel et al.	Oct 2013	A1
20130290521	Labovitz	Oct 2013	A1
20130297771	Osterloh et al.	Nov 2013	A1
20130301472	Allan	Nov 2013	A1
20130304900	Trabelsi et al.	Nov 2013	A1
20130305369	Karta et al.	Nov 2013	A1
20130318357	Abraham et al.	Nov 2013	A1
20130326623	Kruglick	Dec 2013	A1
20130333029	Chesla et al.	Dec 2013	A1
20130336164	Yang et al.	Dec 2013	A1
20130346736	Cook et al.	Dec 2013	A1
20130347103	Veteikis et al.	Dec 2013	A1
20140006610	Formby et al.	Jan 2014	A1
20140006871	Lakshmanan et al.	Jan 2014	A1
20140012814	Bercovici et al.	Jan 2014	A1
20140019972	Yahalom et al.	Jan 2014	A1
20140031005	Sumcad et al.	Jan 2014	A1
20140033193	Palaniappan	Jan 2014	A1
20140036688	Stassinopoulos et al.	Feb 2014	A1
20140040343	Nickolov et al.	Feb 2014	A1
20140047185	Peterson et al.	Feb 2014	A1
20140047372	Gnezdov et al.	Feb 2014	A1
20140056318	Hansson et al.	Feb 2014	A1
20140059200	Nguyen et al.	Feb 2014	A1
20140074946	Dirstine et al.	Mar 2014	A1
20140089494	Dasari et al.	Mar 2014	A1
20140092884	Murphy et al.	Apr 2014	A1
20140096058	Molesky et al.	Apr 2014	A1
20140105029	Jain et al.	Apr 2014	A1
20140115219	Ajanovic et al.	Apr 2014	A1
20140129942	Rathod	May 2014	A1
20140136680	Joshi et al.	May 2014	A1
20140137109	Sharma et al.	May 2014	A1
20140140244	Kapadia et al.	May 2014	A1
20140143825	Behrendt et al.	May 2014	A1
20140149490	Luxenberg et al.	May 2014	A1
20140156814	Barabash et al.	Jun 2014	A1
20140156861	Cruz-Aguilar et al.	Jun 2014	A1
20140164607	Bai et al.	Jun 2014	A1
20140165200	Singla	Jun 2014	A1
20140165207	Engel et al.	Jun 2014	A1
20140173623	Chang et al.	Jun 2014	A1
20140192639	Smirnov	Jul 2014	A1
20140201717	Mascaro et al.	Jul 2014	A1
20140215573	Cepuran	Jul 2014	A1
20140215621	Xaypanya et al.	Jul 2014	A1
20140224784	Kohler	Aug 2014	A1
20140225603	Auguste et al.	Aug 2014	A1
20140233387	Zheng et al.	Aug 2014	A1
20140269777	Rothstein et al.	Sep 2014	A1
20140280499	Basavaiah et al.	Sep 2014	A1
20140281030	Cui et al.	Sep 2014	A1
20140286354	Van De Poel et al.	Sep 2014	A1
20140289854	Mahvi	Sep 2014	A1
20140298461	Hohndel et al.	Oct 2014	A1
20140301213	Khanal et al.	Oct 2014	A1
20140307686	Su et al.	Oct 2014	A1
20140317278	Kersch et al.	Oct 2014	A1
20140317737	Shin et al.	Oct 2014	A1
20140330616	Lyras	Nov 2014	A1
20140331048	Casas-Sanchez et al.	Nov 2014	A1
20140331276	Frascadore et al.	Nov 2014	A1
20140331280	Porras et al.	Nov 2014	A1
20140331304	Wong	Nov 2014	A1
20140348182	Chandra et al.	Nov 2014	A1
20140351203	Kunnatur et al.	Nov 2014	A1
20140351415	Harrigan et al.	Nov 2014	A1
20140359695	Chari et al.	Dec 2014	A1
20150006689	Szilagyi et al.	Jan 2015	A1
20150006714	Jain	Jan 2015	A1
20150009840	Pruthi et al.	Jan 2015	A1
20150026809	Altman et al.	Jan 2015	A1
20150033305	Shear et al.	Jan 2015	A1
20150036480	Huang et al.	Feb 2015	A1
20150036533	Sodhi et al.	Feb 2015	A1
20150039751	Harrigan et al.	Feb 2015	A1
20150046882	Menyhart et al.	Feb 2015	A1
20150052441	Degioanni	Feb 2015	A1
20150058976	Carney et al.	Feb 2015	A1
20150067143	Babakhan et al.	Mar 2015	A1
20150067786	Fiske	Mar 2015	A1
20150082151	Liang et al.	Mar 2015	A1
20150082430	Sridhara et al.	Mar 2015	A1
20150085665	Kompella et al.	Mar 2015	A1
20150095332	Beisiegel et al.	Apr 2015	A1
20150112933	Satapathy	Apr 2015	A1
20150113133	Srinivas et al.	Apr 2015	A1
20150124608	Agarwal et al.	May 2015	A1
20150124652	Dhamapurikar et al.	May 2015	A1
20150128133	Pohlmann	May 2015	A1
20150128205	Mahaffey et al.	May 2015	A1
20150138993	Forster et al.	May 2015	A1
20150142962	Srinivas et al.	May 2015	A1
20150195291	Zuk et al.	Jul 2015	A1
20150222939	Gallant et al.	Aug 2015	A1
20150249622	Phillips et al.	Sep 2015	A1
20150256555	Choi et al.	Sep 2015	A1
20150261842	Huang et al.	Sep 2015	A1
20150261886	Wu et al.	Sep 2015	A1
20150271008	Jain et al.	Sep 2015	A1
20150271255	Mackay et al.	Sep 2015	A1
20150295945	Canzanese, Jr. et al.	Oct 2015	A1
20150312233	Graham, III et al.	Oct 2015	A1
20150356297	Yang et al.	Oct 2015	A1
20150347554	Vasantham et al.	Dec 2015	A1
20150358352	Chasin et al.	Dec 2015	A1
20160006753	McDaid et al.	Jan 2016	A1
20160019030	Shukla et al.	Jan 2016	A1
20160020959	Rahaman	Jan 2016	A1
20160021131	Heilig	Jan 2016	A1
20160026552	Holden et al.	Jan 2016	A1
20160036636	Erickson et al.	Feb 2016	A1
20160036837	Jain et al.	Feb 2016	A1
20160050132	Zhang et al.	Feb 2016	A1
20160072815	Rieke et al.	Mar 2016	A1
20160080414	Kolton et al.	Mar 2016	A1
20160087861	Kuan et al.	Mar 2016	A1
20160094394	Sharma et al.	Mar 2016	A1
20160094529	Mityagin	Mar 2016	A1
20160103692	Guntaka et al.	Apr 2016	A1
20160105350	Greifeneder et al.	Apr 2016	A1
20160112270	Danait et al.	Apr 2016	A1
20160112284	Pon et al.	Apr 2016	A1
20160119234	Valencia Lopez et al.	Apr 2016	A1
20160127395	Underwood et al.	May 2016	A1
20160147585	Konig et al.	May 2016	A1
20160162308	Chen et al.	Jun 2016	A1
20160162312	Doherty et al.	Jun 2016	A1
20160173446	Nantel	Jun 2016	A1
20160173535	Barabash et al.	Jun 2016	A1
20160183093	Vaughn et al.	Jun 2016	A1
20160191476	Schutz et al.	Jun 2016	A1
20160205002	Rieke et al.	Jul 2016	A1
20160216994	Sefidcon et al.	Jul 2016	A1
20160217022	Velipasaoglu et al.	Jul 2016	A1
20160255082	Rathod	Sep 2016	A1
20160269424	Chandola et al.	Sep 2016	A1
20160269442	Shieh	Sep 2016	A1
20160269482	Jamjoom et al.	Sep 2016	A1
20160294691	Joshi	Oct 2016	A1
20160308908	Kirby et al.	Oct 2016	A1
20160337204	Dubey et al.	Nov 2016	A1
20160357424	Pang et al.	Dec 2016	A1
20160357546	Chang et al.	Dec 2016	A1
20160357587	Yadav et al.	Dec 2016	A1
20160357957	Deen et al.	Dec 2016	A1
20160359592	Kulshreshtha et al.	Dec 2016	A1
20160359628	Singh et al.	Dec 2016	A1
20160359658	Yadav et al.	Dec 2016	A1
20160359673	Gupta et al.	Dec 2016	A1
20160359677	Kulshreshtha et al.	Dec 2016	A1
20160359678	Madani et al.	Dec 2016	A1
20160359679	Parasdehgheibi et al.	Dec 2016	A1
20160359680	Parasdehgheibi et al.	Dec 2016	A1
20160359686	Parasdehgheibi et al.	Dec 2016	A1
20160359695	Yadav et al.	Dec 2016	A1
20160359696	Yadav et al.	Dec 2016	A1
20160359697	Scheib et al.	Dec 2016	A1
20160359698	Deen et al.	Dec 2016	A1
20160359699	Gandham et al.	Dec 2016	A1
20160359700	Pang et al.	Dec 2016	A1
20160359701	Pang et al.	Dec 2016	A1
20160359703	Gandham et al.	Dec 2016	A1
20160359704	Gandham et al.	Dec 2016	A1
20160359705	Parasdehgheibi et al.	Dec 2016	A1
20160359709	Deen et al.	Dec 2016	A1
20160359711	Deen et al.	Dec 2016	A1
20160359712	Alizadeh Attar et al.	Dec 2016	A1
20160359740	Parasdehgheibi et al.	Dec 2016	A1
20160359759	Singh et al.	Dec 2016	A1
20160359862	Riva et al.	Dec 2016	A1
20160359872	Yadav et al.	Dec 2016	A1
20160359877	Kulshreshtha et al.	Dec 2016	A1
20160359878	Prasad et al.	Dec 2016	A1
20160359879	Deen et al.	Dec 2016	A1
20160359880	Pang et al.	Dec 2016	A1
20160359881	Yadav et al.	Dec 2016	A1
20160359888	Gupta et al.	Dec 2016	A1
20160359889	Yadav et al.	Dec 2016	A1
20160359890	Deen et al.	Dec 2016	A1
20160359891	Pang et al.	Dec 2016	A1
20160359897	Yadav et al.	Dec 2016	A1
20160359905	Touboul et al.	Dec 2016	A1
20160359912	Gupta et al.	Dec 2016	A1
20160359913	Gupta et al.	Dec 2016	A1
20160359914	Deen et al.	Dec 2016	A1
20160359915	Gupta et al.	Dec 2016	A1
20160359917	Rao et al.	Dec 2016	A1
20160373481	Sultan et al.	Dec 2016	A1
20160380865	Dubai et al.	Dec 2016	A1
20160380869	Shen et al.	Dec 2016	A1
20170006141	Bhadra	Jan 2017	A1
20170024453	Raja et al.	Jan 2017	A1
20170032310	Mimnaugh	Feb 2017	A1
20170034018	Parasdehgheibi et al.	Feb 2017	A1
20170048121	Hobbs et al.	Feb 2017	A1
20170070582	Desai et al.	Mar 2017	A1
20170085483	Mihaly et al.	Mar 2017	A1
20170201460	Hall et al.	Jul 2017	A1
20170208487	Ratakonda et al.	Jul 2017	A1
20170250880	Akens et al.	Aug 2017	A1
20170250951	Wang et al.	Aug 2017	A1
20170289067	Lu et al.	Oct 2017	A1
20170295141	Thubert et al.	Oct 2017	A1
20170302691	Singh et al.	Oct 2017	A1
20170331747	Singh et al.	Nov 2017	A1
20170339023	Aström et al.	Nov 2017	A1
20170346736	Chander et al.	Nov 2017	A1
20170364380	Frye, Jr. et al.	Dec 2017	A1
20180006911	Dickey	Jan 2018	A1
20180007115	Nedeltchev et al.	Jan 2018	A1
20180013670	Kapadia et al.	Jan 2018	A1
20180063194	Vaidya	Mar 2018	A1
20180145906	Yadav et al.	May 2018	A1
20180278459	Prasad et al.	Sep 2018	A1
20180278478	Prasad et al.	Sep 2018	A1
20180278479	Vu et al.	Sep 2018	A1
20180287902	Chitalia et al.	Oct 2018	A1

Foreign Referenced Citations (25)

Number	Date	Country
101093452	Dec 2007	CN
101770551	Jul 2010	CN
102521537	Jun 2012	CN
103023970	Apr 2013	CN
103716137	Apr 2014	CN
104065518	Sep 2014	CN
107196807	Sep 2017	CN
0811942	Dec 1997	EP
1076848	Jul 2002	EP
1383261	Jan 2004	EP
1450511	Aug 2004	EP
2045974	Apr 2008	EP
2043320	Apr 2009	EP
2860912	Apr 2015	EP
2887595	Jun 2015	EP
2009-016906	Jan 2009	JP
1394338	May 2014	KR
WO 2007014314	Feb 2007	WO
WO 2007070711	Jun 2007	WO
WO 2008069439	Jun 2008	WO
WO 2013030830	Mar 2013	WO
WO 2015042171	Mar 2015	WO
WO 2015099778	Jul 2015	WO
WO 2016004075	Jan 2016	WO
WO 2016019523	Feb 2016	WO

Non-Patent Literature Citations (101)

Entry
Al-Fuqaha, Ala, et al., “Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications,” IEEE Communication Surveys & Tutorials. vol. 17, No. 4, Nov. 18, 2015, pp. 2347-2376.
Arista Networks, Inc., “Application Visibility and Network Telemtry using Splunk,” Arista White Paper, Nov. 2013, 11 pages.
Aydin, et al., “Architecture and Implementation of a Scalable Sensor Data Storage and Analysis System Using Cloud Computing and Big Data Technologies,” Journal of Sensors, vol. 2015, pp. 1-11.
Australian Government Department of Defence, Intelligence and Security, “Top 4 Strategies to Mitigate Targeted Cyber Intrusions,” Cyber Security Operations Centre Jul. 2013, http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm.
Author Unknown, “Blacklists & Dynamic Reputation: Understanding Why the Evolving Threat Eludes Blacklists,” www.darnbaia.com, 9 pages, Dambala, Atlanta, GA, USA.
Backes, Michael, et al., “Data Lineage in Malicious Environments,” IEEE 2015, pp. 1-13.
Baek, Kwang-Hyun, et al., “Preventing Theft of Quality of Service on Open Platforms,” 2005 Workshop of the 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks, 2005, 12 pages.
Bauch, Petr, “Reader's Report of Master's Thesis, Analysis and Testing of Distributed NoSQL Datastore Riak,” May 28, 2015, Brno. 2 pages.
Bayati, Mohsen, et al., “Message-Passing Algorithms for Sparse Network Alignment,” Mar. 2013, 31 pages.
Berezinski, Przemyslaw, et al., “An Entropy-Based Network Anomaly Detection Method,” Entropy, 2015, vol. 17, www.mdpi.com/joumal/entropy, pp. 2367-2408.
Berthier, Robin, et al. “Nfsight: Netflow-based Network Awareness Tool,” 2010, 16 pages.
Bhuyan, Dhiraj, “Fighting Bots and Botnets,” 2006, pp. 23-28.
Blair, Dana, et al., U.S. Appl. No. 62/106,006, tiled Jan. 21, 2015, entitled “Monitoring Network Policy Compliance.”.
Bosch, Greg, “Virtualization,” 2010, 33 pages.
Breen, Christopher, “Mac 911, How to dismiss Mac App Store Notifications,” Macworld.com, Mar. 24, 2014, 3 pages.
Brocade Communications Systems, Inc., “Chapter 5—Configuring Virtual LANs (VLANs),” Jun. 2009, 38 pages.
Chandran, Midhun, et al., “Monitoring in a Virtualized Environment,” Gstf International Journal On Computing, vol. 1, No. 1, Aug. 2010.
Chari, Suresh, et al., “Ensuring continuous compliance through reconciling policy with usage,” Proceedings of the 18th ACM symposium on Access control models and technologies (SACMAT '13). ACM, New York, NY, USA, 49-60.
Chen, Xu, et al., “Automating network application dependency discovery: experiences, limitations, and new solutions,” 8th USENIX conference on Operating systems design and implementation (OSDI'08), USENIX Association, Berkeley, CA, USA, 117-130.
Chou, C.W., et al., “Optical Clocks and Relativity,” Science vol. 329, Sep. 24, 2010, pp. 1630-1633.
Cisco Systems, “Cisco Network Analysis Modules (NAM) Tutorial,” Cisco Systems, Inc., Version 3.5.
Cisco Systems, Inc. “Cisco, Nexus 3000 Series NX-OS Release Notes, Release 5.0(3)U3(1),” Feb. 29, 2012, Part No. OL-26631 -01, 16 pages.
Cisco Systems, Inc., “Addressing Compliance from One Infrastructure: Cisco Unified Compliance Solution Framework,” 2014.
Cisco Systems, Inc., “Cisco—VPN Client User Guide for Windows,” Release 4.6, Aug. 2004, 148 pages.
Cisco Systems, Inc., “Cisco 4710 Application Control Engine Appliance Hardware Installation Guide,” Nov. 2007, 66 pages.
Cisco Systems, Inc., “Cisco Application Dependency Mapping Service,” 2009.
Cisco Systems, Inc., “Cisco Data Center Network Architecture and Solutions Overview,” Feb. 2006, 19 pages.
Cisco Systems, Inc., “Cisco IOS Configuration Fundamentals Configuration Guide: Using Autoinstall and Setup,” Release 12.2, first published Apr. 2001, last updated Sep. 2003, 32 pages.
Cisco Systems, Inc., “Cisco VN-Link: Virtualization-Aware Networking,” White Paper, Mar. 2009, 10 pages.
Cisco Systems, Inc., “Cisco, Nexus 5000 Series and Cisco Nexus 2000 Series Release Notes, Cisco NX-OS Release 5.1(3)N2(1b), NX-OS Release 5.1(3)N2(1a) and NX-OS Release 5.1(3)N2(1),” Sep. 5, 2012, Part No. OL-26652-03 CO, 24 pages.
Cisco Systems, Inc., “Nexus 3000 Series NX-OS Fundamentals Configuration Guide, Release 5.0(3)U3(1): Using PowerOn Auto Provisioning,” Feb. 29, 2012, Part No. OL-26544-01, 10 pages.
Cisco Systems, Inc., “Quick Start Guide, Cisco ACE 4700 Series Application Control Engine Appliance,” Software Ve740rsion A5(1.0), Sep. 2011, 138 pages.
Cisco Systems, Inc., “Routing And Bridging Guide, Cisco ACE Application Control Engine,” Software Version A5(1.0), Sep. 2011,248 pages.
Cisco Systems, Inc., “VMWare and Cisco Virtualization Solution: Scale Virtual Machine Networking,” Jul. 2009, 4 pages.
Cisco Systems, Inc., “White Paper—New Cisco Technologies Help Customers Achieve Regulatory Compliance,” 1992-2008.
Cisco Systems, Inc., “A Cisco Guide to Defending Against Distributed Denial of Service Attacks,” May 3, 2016, 34 pages.
Cisco Systems, Inc., “Cisco Application Visibility and Control,” Oct. 2011, 2 pages.
Cisco Systems, Inc., “Cisco Remote Integrated Service Engine for Citrix NetScaler Appliances and Cisco Nexus 7000 Series Switches Configuration Guide,” Last modified Apr. 29, 2014, 78 pages.
Cisco Systems, Inc., “Cisco Tetration Platform Data Sheet”, Updated Mar. 5, 2018, 21 pages.
Cisco Technology, Inc., “Cisco IOS Software Release 12.4T Features and Hardware Support,” Feb. 2009, 174 pages.
Cisco Technology, Inc., “Cisco Lock-and-Key:Dynamic Access Lists,” http//www/cisco.com/c/en/us/support/docs/security-vpn/lock-key/7604.13.html; Updated Jul. 12, 2006, 16 pages.
Cisco Systems, Inc., “Cisco Application Control Engine (ACE) Troubleshooting Guide — Understanding the ACE Module Architecture and Traffic Flow,” Mar. 11, 2011,6 pages.
Costa, Raul, et al., “An Intelligent Alarm Management System for Large-Scale Telecommunication Companies,” In Portuguese Conference on Artificial Intelligence, Oct. 2009, 14 pages.
De Carvalho, Tiago Filipe Rodrigues, “Root Cause Analysis in Large and Complex Networks,” Dec. 2008, Repositorio.ui.pi, pp. 1-55.
Di Lorenzo, Guisy, et al., “EXSED: An Intelligent Tool for Exploration of Social Events Dynamics from Augmented Trajectories,” Mobile Data Management (MDM), pp. 323-330, Jun. 3-6, 2013.
Duan, Yiheng, et al., Detective: Automatically Identify and Analyze Malware Processes in Forensic Scenarios via DLLs, IEEE ICC 2015—Next Generation Networking Symposium, pp. 5691-5696.
Feinstein, Laura, et al., “Statistical Approaches to DDoS Attack Detection and Response,” Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX '03), Apr. 2003, 12 pages.
Foundation for Intelligent Physical Agents, “FIPA Agent Message Transport Service Specification,” Dec. 3, 2002, http://www.fipa.org; 15 pages.
George, Ashley, et al., “NetPal: A Dynamic Network Administration Knowledge Base,” 2008, pp. 1-14.
Gia, Tuan Nguyen, et al., “Fog Computing in Healthcare Internet of Things: A Case Study on ECG Feature Extraction,” 2015 IEEE International Conference on Computerand Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing, Oct. 26, 2015, pp. 356-363.
Goldsteen, Abigail, et al., “A Tool for Monitoring and Maintaining System Trustworthiness at Run Time,” REFSQ (2015), pp. 142-147.
Hamadi, S., et al., “Fast Path Acceleration for Open vSwitch in Overlay Networks,” Global Information Infrastructure and Networking Symposium (GIIS), Montreal, QC, pp. 1-5, Sep. 15-19, 2014.
Heckman, Sarah, et al., “On Establishing a Benchmark for Evaluating Static Analysis Alert Prioritization and Classification Techniques,” IEEE, 2008; 10 pages.
Hewlett-Packard, “Effective use of reputation intelligence in a security operations center,” Jul. 2013, 6 pages.
Hideshima, Yusuke, et al., “Starmine: A Visualization System for Cyber Attacks,” https://www.researchgate.net/publication/221536306, Feb. 2006, 9 pages.
Huang, Hing-Jie, et al., “Clock Skew Based Node Identification in Wireless Sensor Networks,” IEEE, 2008, 5 pages.
Internetperils, Inc., “Control Your Internet Business Risk,” 2003-2015, https://www.internetperils.com.
Ives, Herbert, E., et al., “An Experimental Study of the Rate of a Moving Atomic Clock,” Journal of the Optical Society of America, vol. 28, No. 7, Jul. 1938, pp. 215-226.
Janoff, Christian, et al., “Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide,” Cisco Systems, Inc., Updated Nov. 14, 2015, part 1 of 2, 350 pages.
Janoff, Christian, et al., “Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide,” Cisco Systems, Inc., Updated Nov. 14, 2015, part 2 of 2, 588 pages.
Joseph, Dilip, et al., “Modeling Middleboxes,” IEEE Network, Sep./Oct. 2008, pp. 20-25.
Kent, S., et al. “Security Architecture for the Internet Protocol,” Network Working Group, Nov. 1998, 67 pages.
Kerrison, Adam, et al., “Four Steps to Faster, Better Application Dependency Mapping—Laying the Foundation for Effective Business Service Models,” BMCSoftware, 2011.
Kim, Myung-Sup, et al. “A Flow-based Method for Abnormal Network Traffic Detection, ” IEEE, 2004, pp. 599-612.
Kraemer, Brian, “Get to know your data center with CMDB,” TechTarget, Apr. 5, 2006, http://searctidatacenter.techtarqet.com/news/118820/Get-to-know-your-data-center-with-CMDB.
Lab SKU, “VMware Hands-on Labs—HOL-SDC-1301” Version: Mar. 21, 2014-Jul. 9, 2016, 2013; http://docs.hol.vmware.com/HOL-2013/hoisdc-1301_html_en/ (part 1 of 2).
Lab SKU, “VMware Hands-on Labs—HOL-SDC-1301” Version: Mar. 21, 2014-Jul. 9, 2016, 2013; http://docs.hol.vmware.com/HQL-2013/hoisde-1 301_html_en/ (part 2 of 2).
Lachance, Michael, “Dirty Little Secrets of Application Dependency Mapping,” Dec. 26, 2007.
Landman, Yoav, et al., “Dependency Analyzer,” Feb. 14, 2008, http://jfrog.com/confluence/display/DA/Home.
Lee, Sihyung, “Reducing Complexity of Large-Scale Network Configuration Management,” Ph.D. Dissertation, Carniege Mellon University, 2010.
Li, Ang, et al., “Fast Anomaly Detection for Large Data Centers,” Global Telecommunications Conference (GLOBECOM 2010, Dec. 2010, 6 pages.
Li, Bingbong, et al., “A Supervised Machine Learning Approach to Classify Host Roles On Line Using sFlow,” in Proceedings of the first edition workshop on High performance and programmable networking, 2013, ACM, New York, NY, USA, 53-60.
Liu, Ting, et al., “Impala: A Middleware System For Managing Autonomic, Parallel Sensor Systems,” In Proceedings of the Ninth ACM SIGPLAN Symposium On Principles And Practice Of Parallel Programming(PPoPP '03), ACM, New York, NY, USA, Jun. 11-13, 2003, pp. 107-118.
Lu, Zhonghai, et al., “Cluster-based Simulated Annealing for Mapping Cores onto 2D Mesh Networks on Chip,” Design and Diagnostics of Electronic Circuits and Systems, pp. 1,6, 16-18, Apr. 2008.
Matteson, Ryan, “Depmap: Dependency Mapping of Applications Using Operating System Events: a Thesis,” Master's Thesis, California Polytechnic State University, Dec. 2010.
Miller, N., et al., “Collecting network status information for network-aware applications,” Proceedings IEEE INFOCOM 2000. Vol. 2, 2000, pp. 641-650.
Natarajan, Arun, et al., “NSDMiner: Automated Discovery of Network Service Dependencies,” Institute of Electrical and Electronics Engineers INFOCOM, Feb. 2012, 9 pages.
Navaz, A.S. Syed, et al., “Entropy based Anomaly Detection System to Prevent DDoS Attacks in Cloud,” International Journal of computer Applications (0975-8887), vol. 62, No. 15, Jan. 2013, pp. 42-47.
Neverfail, “Neverfail IT Continuity Architect,” 2015, https://web.archive.org/web/20150908090456/http://ww.neverfallgroup.com/products/it-continuity-architect.
Nilsson, Dennis K., et al., “Key Management And Secure Software Updates In Wireless Process Control Environments,” In Proceedings of the First ACM Conference On Wireless Network Security (WiSec '08), ACM, New York, Ny, USA, March 31-Apr. 2, 2008, pp. 100-108.
Nunnally, Troy, et al., “P3D: A Parallel 3D Coordinate Visualization for Advanced Network Scans,” IEEE 2013, Jun. Sep. 13, 2013, 6 pages.
O'Donnell, Glenn, et al., “The CMDB Imperative: How to Realize the Dream and Avoid the Nightmares,” Prentice Hall, Feb. 19, 2009.
Ohta, Kohei, et al., “Detection, Defense, and Tracking of Internet-Wide Illegal Access in a Distributed Manner,” 2000, pp. 1-16.
Online Collins English Dictionary, 1 page (Year: 2018).
Pathway Systems International Inc., “How Blueprints does Integration,” Apr. 15, 2014, 9 pages, http://pathwaysystems.com/company-blog/.
Pathway Systems International Inc., “What is Blueprints?” 2010-2016, http://pathwaysystems.com/blueprints-about/.
Popa, Lucian, et al., “Macroscope: End-Point Approach to Networked Application Dependency Discovery,” CoNEXT'09, Dec. 1-4, 2009, Rome, Italy, 12 pages.
Prasad, K. Munivara, et al., “An Efficient Detection of Flooding Attacks to Internet Threat Monitors (ITM) using Entropy Variations under Low Traffic,” Computing Communication & Networking Technologies (ICCCNT '12), Jul. 26-28, 2012, 11 pages.
Sachan, Mrinmaya, et al., “Solving Electrical Networks to incorporate Supervision in Random Walks,” May 13-17, 2013, pp. 109-110.
Sammarco, Matteo, et al., “Trace Selection for Improved WLAN Monitoring,” Aug. 16, 2013, pp. 9-14.
Shneiderman, Ben, et al., “Network Visualization by Semantic Substrates,” Visualization and Computer Graphics, vol. 12, No. 5, pp. 733,740, Sep.-Oct. 2006.
Theodorakopoulos, George, et al., “On Trust Models and Trust Evaluation Metrics for Ad Hoc Networks,” IEEE Journal on Selected Areas in Communications. Vol. 24, Issue 2, Feb. 2006, pp. 318-328.
Thomas, R., “Bogon Dotted Decimal List,” Version 7.0, Team Cymru NOC, Apr. 27, 2012, 5 pages.
Voris, Jonathan, et al., “Bait and Snitch: Defending Computer Systems with Decoys,” Columbia University Libraries, Department of Computer Science, 2013, pp. 1-25.
Wang, Ru, et al., “Learning directed acyclic graphs via bootstarp aggregating,” 2014, 47 pages, http://arxiv.org/abs/1406.2098.
Wang, Yongjun, et al., “A Network Gene-Based Framework for Detecting Advanced Persistent Threats,” Nov. 2014, 7 pages.
Witze, Alexandra, “Special relativity aces time trial, ‘Time dilation’ predicted by Einstein confirmed by lithium ion experiment,” Nature, Sep. 19, 2014, 3 pages.
Woodberg, Brad, “Snippet from Juniper SRX Series” Jun. 17, 2013, 1 page, O'Reilly Media, Inc.
Zatrochova, Zuzana, “Analysis and Testing of Distributed NoSQL Datastore Riak,” Spring, 2015, 76 pages.
Zeng, Sai, et al., “Managing Risk in Multi-node Automation of Endpoint Management,” 2014 IEEE Network Operations and Management Symposium (NOMS), 2014, 6 pages.
Zhang, Yue, et al., “Cantina: A Content-Based Approach to Detecting Phishing Web Sites,” May 8-12, 2007, pp. 639-648.

Related Publications (1)

	Number	Date	Country
	20200389361 A1	Dec 2020	US

Continuations (1)

	Number	Date	Country
Parent	15469737	Mar 2017	US
Child	16999447		US

Network agent for reporting to a network policy system

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

CPC

International Classifications

Term Extension

Abstract

Description

Claims

CROSS-REFERENCE TO RELATED APPLICATION

US Referenced Citations (675)

Foreign Referenced Citations (25)

Non-Patent Literature Citations (101)

Related Publications (1)

Continuations (1)