US20090168648A1 - Method and System for Annotating Network Flow Information - Google Patents
Method and System for Annotating Network Flow Information Download PDFInfo
- Publication number
- US20090168648A1 US20090168648A1 US11/967,130 US96713007A US2009168648A1 US 20090168648 A1 US20090168648 A1 US 20090168648A1 US 96713007 A US96713007 A US 96713007A US 2009168648 A1 US2009168648 A1 US 2009168648A1
- Authority
- US
- United States
- Prior art keywords
- flow
- information
- annotated
- annotator
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/026—Capturing of monitoring data using flow identification
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/12—Discovery or management of network topologies
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Definitions
- Host computers including servers and client computers, are typically interconnected to form computer networks.
- a computer network and more generally a communications network, is a group of devices or network entities that are interconnected by one or more segments of transmission media on which communications are exchanged between those network entities.
- the communications can be transmitted electrically, including wireless links, or optically.
- the computer networks typically further comprise separate network communications devices, such as routers, switches, bridges, and hubs, for transmitting and relaying the communications between the network entities through the network's mesh.
- Computer networks are typically classified by their size or by the type of entity that owns the network. Often, business organizations maintain large computer networks. These computer networks are referred to as enterprise networks. Enterprise networks are typically connected to other enterprise networks or home networks via service provider and public networks.
- network management systems are used to monitor networks. These systems can exist as stand-alone, dedicated systems or be embedded in network communications devices such as routers and switches.
- network communications devices such as routers and switches.
- NetFlow technology offered by Cisco Systems.
- Other tools include special-purpose systems, such as firewalls and other network security devices, that are typically used to manage the communications at boundaries between the networks.
- flow information This is defined as “a unidirectional sequence of packets with some common properties that pass through a network device.”
- IP internet protocol
- ToS Type of Service
- IP internet protocol
- ToS Type of Service
- computer network devices that generate flow records include, for example, routers, switches, firewalls, and hubs.
- packet scanners/analyzers e.g. Arbor Networks PEAKFLOW® threat management system (TMS)
- TMS threat management system
- Flows may be collected and exported for analysis. Flow analysis is a central component of large-scale network management and service systems.
- Network management systems allow the network administrators to apply policies.
- Policies are typically used to govern or dictate how entities are allowed to communicate over the network, generally called security policies. These policies can be applied to entities individually, by setting operating parameters of devices separately.
- Policy-based management systems have simplified configuration of devices by allowing administrators to define a policy and apply this policy across groups of network entities, generally.
- a policy is a collection of rules.
- a rule for example, can be defined to govern what traffic a particular firewall ignores or prevents a given address or device from accessing a particular service or network resource.
- the rules can be applied by routers that decide whether to forward packets from or to a particular address.
- Network policies are often defined and applied based on flow information.
- many products are available that attempt to correlate flow information with other data sources to provide value-added analysis.
- These types of analysis tools are now a central component of administering large communication networks. Such analysis facilitates the creation of higher level policies that facilitate the management of the network.
- the process for abstracting the dataflow between the network entities is typically articulated in the context of the OSI (Open Systems Interconnection) model communications stack.
- the lowest layer 1 describes physical layer functions such as the transmission of bits over the communication medium, activation/deactivation of the physical connection, use of idle conditions, control bit generation/detection, start and stop, and zero bit insertion.
- These functions are requested by data link layer 2 functions, which control the transmission of packets over a logical communications link.
- Other data link functions include establishing/releasing logical connections, error detection, correction, and recovery, in conjunction with the delimiting of transmitted packets.
- the network layer 3 Functions here include the transfer of units or packets between two transport entities. Further, at this layer, routing through the network is determined, including segmenting or combining packets into smaller and larger data units, the establishment, maintenance, and relinquishment of end-to-end logical circuits, and the detection and recovery from errors. Network management activities often take place at the network layer and data link layer.
- transport layer 4 functions handle the transmission of complete messages between network entities.
- sessions between the network entities are established and then taken down.
- This layer ensures the correct sequence of packets, partition, and combination of messages into packets, and the control of data flow to avoid network overload.
- the session layer 5 organizes and synchronizes the dialog that takes place between applications running on network entities. This provides a one-to-one correspondence between a session connection and a presentation connection at a given time. It provides for session continuity, even when transport connections may fail.
- the presentation layer provides independence from differences between data presentations, such as encryption, by translating from application to network format, and back.
- the application layers support application and end user processes. However, user authentication and privacy are also considered and any constraints on data syntax are identified.
- communication is application-specific.
- the standard flow information that is available from network devices is limited, however. It would be desirable in computer networks to be able to add intelligence to standard network flow monitoring to implement new types of detection and analysis based on flow data.
- the present invention can be used to facilitate the creation of scalable flow monitoring solutions.
- the invention also demonstrates that there can be a reasonably low overhead for this approach.
- An embodiment of the present invention takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information.
- This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other, intelligent flow analysis.
- BGP Border Gateway Protocol
- SNMP Simple Network Management Protocol
- user configuration user configuration
- other, intelligent flow analysis add information to the flow data, and can be used to perform value-added flow analysis.
- the annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco System Inc.'s NetFlow technology, version 9, in one implementation. This allows the annotated flow to be processed and the enhanced information to be used by other flow analysis tools and existing flow analysis infrastructure.
- Various data sources may be used to annotate the flow. These can include but are not limited to BGP, SNMP, user configuration, raw packet analysis information (e.g. from Peakflow TMS), and other flow analysis information.
- the added information can be incorporated into existing flow monitoring tools.
- Existing tools need not even be able to make sense of the information added to the flow by the present invention—they can still access the original data put in the flow record by the router.
- the invention features a method of processing network flow information.
- the method comprises receiving a flow record exported from a network device and annotating the flow with additional information.
- the network device is any of: a router, a switch, a firewall and a packet scanner/analyzer.
- the method includes sending the annotated flow to a configurable set of destinations using standard flow formatting.
- the additional information is derived, at least in part, from a BGP source, in one example.
- the source and destination addresses identified in the received flow record are looked up in the BGP routing information and the BGP attributes for the matching routes are added to the flow.
- the additional information is derived, at least in part, from a SNMP source.
- the flow record is annotated with information describing interfaces which saw the flow, including interface name and description, and a unique identifier that maps into a database of additional interface information.
- the additional information can be derived, at least in part, from user configuration information.
- the flow record is annotated with information about traffic attributes which match user configuration.
- the additional information can also be derived, at least in part, from raw packet analysis.
- the flow record is annotated with information derived from raw traffic.
- the invention features a flow annotator.
- This annotator comprises a flow analysis engine which receives flow data from a network device, and which selects information from at least one source to be added to the flow data.
- a flow encoding and distribution engine is provided that annotates the flow data with the selected data to create an annotated flow, and that transmits the annotated flow to a configurable set of destinations comprising at least one of an additional flow annotator and a flow consumer.
- FIG. 1 is a block diagram of the inventive flow annotation system deployed within a network
- FIG. 2 is a schematic diagram of the flow annotating network monitor according to the present invention.
- FIG. 3 is a flowchart showing the operation of flow annotating network monitor according to an embodiment of the present invention
- FIG. 4 is a schematic diagram illustrating a packet for transporting flow information
- FIG. 5 is a schematic diagram illustrating flow information in a packet
- FIG. 6 is a schematic diagram illustrating flowset information in a packet according to an embodiment of the present invention.
- FIG. 7 shows one concrete example of an annotated flow packet according to an embodiment of the present invention.
- FIG. 1 is a block diagram of a flow annotation system 100 deployed within a network 10 according to the principles of the present invention.
- network communication devices such as routers 12 a , 12 b and/or switches 18 collect flow information from the packet information that is transmitted through the network 10 between other network communications devices, network nodes, and host computers. Flow information is also collected, in some examples from packet monitors or taps 14 that are installed usually solely to monitor packet traffic.
- An example here is the Netflow Analyzer offered by Cisco Systems, Inc.
- Other exemplary sources of flow information include network security devices, e.g., firewalls 16 , that apply security policies and monitor for malicious code/packets.
- the flow information 103 from these collectors is forwarded to one or more network monitors 100 a , 100 b .
- these network monitors 100 a , 100 b and other network monitors in the network, 100 c , 100 d , 100 e function in a peer-to-peer relationship. Such a relationship is used to provide redundancy such that failure of any network monitor does not undermine the operation of other monitors.
- master-slave relationships are defined in which one of the monitors 100 functions as master to other slave monitors.
- a separate monitor controller 102 is deployed.
- the network monitors 100 are used to monitor network activity based on the received flow information 103 .
- the network monitors 100 a , 100 b analyze the flow to determine whether the network activity is in compliance with policies for the network 10 .
- policies include network management policies related to traffic levels, for example, and network security policies related to maintaining the security of the network and protecting it against attacks, such as denial of service attacks, viruses, or worms.
- the network monitors 100 a , 100 b further annotate the flow information with additional information derived from analysis of the flow information or internally generated information, such as configuration.
- the network monitors 100 a , 100 b annotate the flow information and send the annotated flow information 107 to each other and also various flow consumers 109 , which include additional flow annotating network monitors 100 c , 100 d and also possibly the controller 102 .
- the additional flow annotators 100 c for example, output one or more further annotated flows 113 to further flow consumers and/or annotators 100 e , in one example.
- FIG. 2 is a schematic diagram of the flow annotating network monitors 100 of FIG. 1 .
- the monitor 100 is logically broken down into two functions: a flow analysis engine 201 and a flow encoding and distribution engine 203 . Although shown separately, these two functions are often combined into a single operating module, implemented in hardware, software, or a combination thereof.
- the network monitor 100 applies available policies to the flow and analyzes the flow in term of BGP, SNMP, its own configuration information, and other data sources including one or more internally maintained databases 205 .
- the annotated flow is then encoded and distributed by the distribution engine 203 to various consumers of the flow information.
- a distribution list 207 identifies the entities that will receive the annotated flow information.
- FIG. 3 is a flowchart showing the operation flow analysis engine 201 and the encoding and distribution engine 203 of the network monitor 100 .
- a given input e.g., BGP, SNMP, etc.
- steps relating to annotating flow according to a given input could be performed in a different order.
- step 301 flow data are received. This is, in examples, standard flow records, for example from network communication devices such as routers 12 and switch 18 or other network device 14 , 16 ; or alternatively, it is annotated flow records from another flow annotating monitor.
- step 303 if BGP information is available, then the source and destination addresses of the flow are looked up in the BGP routing information by the flow analysis engine 201 and the BGP attributes for the matching routes are added to the flow by the flow encoding and distribution engine 203 .
- step 305 if SNMP is available, then the flow analysis engine 201 identifies information about the interfaces that saw the flow in one example, including interface name and description, and a unique identifier that maps into a database of additional interface information. The flow encoding and distribution engine 203 then annotates the flow with the identified interface information.
- the flow data are preferably annotated with information about the raw traffic, including application identifier(s) based on layer 4 - 7 payload analysis, virtual local area network (VLAN) identifiers, and other information from the packet that would not normally be available in the original flow record.
- application identifier(s) based on layer 4 - 7 payload analysis
- VLAN virtual local area network
- step 308 if user configuration is available, then the flow is annotated with information about traffic attributes that matched user configuration. For example, if the network administrator configured the network monitor 100 to match a specified IP address range to a user-readable identifier (name), then the source and/or destination of the flow is annotated to indicate that it matches that user-defined identifier.
- the system performs its own flow analysis and annotates the flow with useful information in step 3 10 .
- This information can include, for example, network topology information and/or signature detection.
- network topology information potentially includes information as to whether the flow is entering or leaving the network 10 at this point; whether the flow is entering or leaving through a peering edge or customer-facing interface; whether the flow is entering or leaving a customer site or other user-defined part of the network, etc.
- the network topology information includes: 1) whether the flow belongs to a VPN (virtual private network); 2) if so, to which VPN the flow belongs; and 3) whether the flow is leaving or entering the VPN.
- VPN virtual private network
- the flow information is annotated with contents of the actual packets from raw packet inspection, including but not limited to universal resource locators (URLs) and other hypertext transport protocol (http) post information, voice and/or video call endpoints and setup information for voice over internet protocol (VOIP) and/or session initiation protocol (SIP) traffic, filenames or other information from peer to peer (P2P) and bittorrent traffic.
- URLs universal resource locators
- http hypertext transport protocol
- VOIP voice over internet protocol
- SIP session initiation protocol
- P2P peer to peer
- bittorrent traffic bittorrent traffic.
- the annotation data includes whether the flow belongs to a VPN and is entering or leaving a particular VPN Site, whether the flow is entering or leaving through a paid transit or complementary peering link, for example.
- the flow information is annotated with policy information.
- the annotated data describes whether the flow matches a configured network traffic policy signature, or not, and identifies that signature.
- Signature detection includes flags that indicate if the flow matches a known worm or denial of service (DOS) attack signature, or other signatures either auto-learned by the system or configured by the user.
- DOS denial of service
- any given flow may be annotated by any combination of the above information.
- the information chosen for annotation can be based on user configuration or automatically determined by the system based on that data that are available for the flow.
- step 312 the annotated flow is sent to a configurable set of destinations that often make use of both the original flow information and the flow annotations to do useful work, either by reporting on the flow information, detecting network problems, generating alerts, or other analysis.
- the annotated flows further preferably use a standard flow representation method to encode and send the annotated flows, such as the industry-standard NetFlow version 9 format, which is maintained by Cisco Systems Inc. and which has also been implemented by Juniper, and which is related to ipfix (RFC 3955).
- Annotated flows can thus be processed by both standard flow analysis tools as well as flow analyzers enhanced to make use of the additional annotations.
- the packets includes the annotated flow information are implemented using Netflow.
- new “field type definitions” are added and populated with the exported annotated flow information.
- Netflow v9 information is sent in packets that contain header information and then one or more flow records.
- All version 9 flow packets (including annotated flow packets) preferably use a standard header format, which is defined by the Netflow v9, in one implementation.
- the packet headers include the protocol (Netflow) version, record count, system uptime, a time stamp, sequence number and source identification.
- FIG. 5 shows the flow information. That is, after the header, each packet then contains one or more flow records in a FlowSet.
- the FlowSets use the following format: flowset template identification indicating the format for the flowset, and the length. Then a series of records are attached, each record containing N field values.
- Netflow v9 The content and format of these records is defined by a Netflow v9 template, which is sent periodically by the flow source using the Template FlowSet packet format.
- This is a standard packet format for NetFlow v9.
- Each template sent by a flow source is given a unique ID, which must be placed in the FlowSet Template ID field of a FlowSet packet, so that the receiver can know how to decode the FlowSet records.
- the template defines which data fields are present in each FlowSet and in which order, what values represent, and what size values are.
- Some example field types that might be defined in a standard NetFlow v9 Template include:
- IPV4 SRC ADDR 8 4 IPv4 Source Address IPV4 DST ADDR 12 4 IPv4 Destination Address L4 SRC PORT 7 2 TCP/UDP source port number L4 DST PORT 11 2 TCP/UDP dest. port number PROTOCOL 4 1 IP Protocol INPUT SNMP 10 2 Input interface SNMP index OUTPUT SNMP 14 2 Output interface SNMP index
- FIG. 6 shows a sample FlowSet packet. (For readability, the size of the fields has been rounded up to 4 bytes, even though in actuality they may use different sizes).
- annotated flow adds new field type definitions to represent the new information being added to the annotated flows.
- An annotated flow sender (see reference 100 ) sends out an annotated flow template using the standard flow template format and incorporating these new field types. The sender then sends annotated flows using the standard FlowSet format and incorporating the new information defined by the template definition.
- Example, additional template field types are show in the following table:
- identifications are well-known references to either a public or private database record, or based on a user-configured mapping (e.g. to a customer name).
- FIG. 7 shows one concrete example of an annotated flow packet. It uses a flow template that was the concatenation of all template fields defined above, i.e. the “standard” flow template plus the example flow annotation fields. (Note that again, field sizes are shown in 4-byte multiples for readability, even though the actual packet may store some fields as a different size.)
Abstract
A scalable flow monitoring solution takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information. This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other, intelligent flow analysis. These annotations add information to the flow data, and can be used to perform value-added flow analysis. The annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco System Inc.'s NetFlow, in one implementation. This allows the annotated flow to be processed and the enhanced information to be used by other flow analysis tools and existing flow analysis infrastructure.
Description
- Host computers, including servers and client computers, are typically interconnected to form computer networks. A computer network, and more generally a communications network, is a group of devices or network entities that are interconnected by one or more segments of transmission media on which communications are exchanged between those network entities. The communications can be transmitted electrically, including wireless links, or optically. The computer networks typically further comprise separate network communications devices, such as routers, switches, bridges, and hubs, for transmitting and relaying the communications between the network entities through the network's mesh.
- Computer networks are typically classified by their size or by the type of entity that owns the network. Often, business organizations maintain large computer networks. These computer networks are referred to as enterprise networks. Enterprise networks are typically connected to other enterprise networks or home networks via service provider and public networks.
- At the enterprise, service provider, and public network scale, network management systems are used to monitor networks. These systems can exist as stand-alone, dedicated systems or be embedded in network communications devices such as routers and switches. One specific example is NetFlow technology offered by Cisco Systems. Other tools include special-purpose systems, such as firewalls and other network security devices, that are typically used to manage the communications at boundaries between the networks.
- One source of information for monitoring networks is flow information. This is defined as “a unidirectional sequence of packets with some common properties that pass through a network device.” Internet Engineering Task Force, RFC 3954. Flow records are often generated by the network devices. These are often digested information concerning individual network flows or groups of network flows sharing some common characteristic(s). The flow records often include, for example, internet protocol (IP) addresses, packet and byte counts, timestamps, Type of Service (ToS), application ports, input and output interfaces, to list a few examples. This information is available from Netflow technology, for example. Generally, computer network devices that generate flow records include, for example, routers, switches, firewalls, and hubs. In other examples, packet scanners/analyzers (e.g. Arbor Networks PEAKFLOW® threat management system (TMS)) are used. Flows may be collected and exported for analysis. Flow analysis is a central component of large-scale network management and service systems.
- Network management systems allow the network administrators to apply policies. Policies are typically used to govern or dictate how entities are allowed to communicate over the network, generally called security policies. These policies can be applied to entities individually, by setting operating parameters of devices separately. Policy-based management systems have simplified configuration of devices by allowing administrators to define a policy and apply this policy across groups of network entities, generally.
- A policy is a collection of rules. A rule, for example, can be defined to govern what traffic a particular firewall ignores or prevents a given address or device from accessing a particular service or network resource. The rules can be applied by routers that decide whether to forward packets from or to a particular address.
- Network policies are often defined and applied based on flow information. Moreover, many products are available that attempt to correlate flow information with other data sources to provide value-added analysis. These types of analysis tools are now a central component of administering large communication networks. Such analysis facilitates the creation of higher level policies that facilitate the management of the network.
- By way of additional background, the process for abstracting the dataflow between the network entities is typically articulated in the context of the OSI (Open Systems Interconnection) model communications stack. The
lowest layer 1 describes physical layer functions such as the transmission of bits over the communication medium, activation/deactivation of the physical connection, use of idle conditions, control bit generation/detection, start and stop, and zero bit insertion. These functions are requested bydata link layer 2 functions, which control the transmission of packets over a logical communications link. Other data link functions include establishing/releasing logical connections, error detection, correction, and recovery, in conjunction with the delimiting of transmitted packets. - At the next higher level of abstraction is the
network layer 3. Functions here include the transfer of units or packets between two transport entities. Further, at this layer, routing through the network is determined, including segmenting or combining packets into smaller and larger data units, the establishment, maintenance, and relinquishment of end-to-end logical circuits, and the detection and recovery from errors. Network management activities often take place at the network layer and data link layer. - Then, transport layer 4 functions handle the transmission of complete messages between network entities. At this layer, sessions between the network entities are established and then taken down. This layer ensures the correct sequence of packets, partition, and combination of messages into packets, and the control of data flow to avoid network overload.
- The session layer 5 organizes and synchronizes the dialog that takes place between applications running on network entities. This provides a one-to-one correspondence between a session connection and a presentation connection at a given time. It provides for session continuity, even when transport connections may fail.
- Finally, at the two highest levels of abstraction,
layers 6 and 7, the presentation layer provides independence from differences between data presentations, such as encryption, by translating from application to network format, and back. The application layers support application and end user processes. However, user authentication and privacy are also considered and any constraints on data syntax are identified. At this layer, communication is application-specific. - The standard flow information that is available from network devices is limited, however. It would be desirable in computer networks to be able to add intelligence to standard network flow monitoring to implement new types of detection and analysis based on flow data.
- The challenge has in the past been addressed, for example, by employing multiple flow analysis engines. Any additional information calculated about each flow is simply used internally by the flow analysis engine, however. This locally calculated flow information is not re-exported as part of the flow record. Alternatively, some products maintain separate data stores (e.g. a border gateway protocol (BGP) routing table) that is distributed separately from the flow records. Nevertheless, any receivers then have to redo the work of correlating the flow and the BGP data since available systems either distribute the original flow records and separately distribute additional data, as described above, or simply keep the flow and other databases internally. Queries are allowed that will perform flow matching against other data at query time. A report containing the resulting information about the flows can then be generated.
- These solutions do not provide real-time flow information, nor is their information made available using existing flow export methods. Thus, these solutions are not nearly as scalable, and are much more restricted in the type of data they can provide. It also means that accessing the data they provide requires writing custom software, rather than being able to reuse existing flow collection and analysis infrastructure.
- The present invention can be used to facilitate the creation of scalable flow monitoring solutions. The invention also demonstrates that there can be a reasonably low overhead for this approach.
- An embodiment of the present invention takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information. This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other, intelligent flow analysis. These annotations add information to the flow data, and can be used to perform value-added flow analysis. The annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco System Inc.'s NetFlow technology, version 9, in one implementation. This allows the annotated flow to be processed and the enhanced information to be used by other flow analysis tools and existing flow analysis infrastructure.
- Various data sources may be used to annotate the flow. These can include but are not limited to BGP, SNMP, user configuration, raw packet analysis information (e.g. from Peakflow TMS), and other flow analysis information.
- Advantages over existing systems include real-time data collection, scalability and intelligence. In contrast, currently used systems require data to be collected and analyzed after the fact, often accompanied by long delays between the sending of the original flow information from the network devices and the availability of the additional information generated by the flow analysis tools.
- Furthermore, by reusing the existing flow export protocol and resending the flow with additional annotations, the added information can be incorporated into existing flow monitoring tools. Existing tools need not even be able to make sense of the information added to the flow by the present invention—they can still access the original data put in the flow record by the router.
- Third, by resending flow to a configurable set of destinations, the same data are reused multiple times in different network monitors for different applications.
- In general, according to one aspect, the invention features a method of processing network flow information. The method comprises receiving a flow record exported from a network device and annotating the flow with additional information.
- In a common implementation, the network device is any of: a router, a switch, a firewall and a packet scanner/analyzer. Also, the method includes sending the annotated flow to a configurable set of destinations using standard flow formatting.
- The additional information is derived, at least in part, from a BGP source, in one example. The source and destination addresses identified in the received flow record are looked up in the BGP routing information and the BGP attributes for the matching routes are added to the flow. In the same or other examples, the additional information is derived, at least in part, from a SNMP source. The flow record is annotated with information describing interfaces which saw the flow, including interface name and description, and a unique identifier that maps into a database of additional interface information.
- The additional information can be derived, at least in part, from user configuration information. The flow record is annotated with information about traffic attributes which match user configuration. The additional information can also be derived, at least in part, from raw packet analysis. The flow record is annotated with information derived from raw traffic.
- In general according to another aspect, the invention features a flow annotator. This annotator comprises a flow analysis engine which receives flow data from a network device, and which selects information from at least one source to be added to the flow data. A flow encoding and distribution engine is provided that annotates the flow data with the selected data to create an annotated flow, and that transmits the annotated flow to a configurable set of destinations comprising at least one of an additional flow annotator and a flow consumer.
- The above and other features of the invention including various novel details of construction and combinations of parts, and other advantages, will now be more particularly described with reference to the accompanying drawings and pointed out in the claims. It will be understood that the particular method and device embodying the invention are shown by way of illustration and not as a limitation of the invention. The principles and features of this invention may be employed in various and numerous embodiments without departing from the scope of the invention.
- In the accompanying drawings, reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale; emphasis has instead been placed upon illustrating the principles of the invention. Of the drawings:
-
FIG. 1 is a block diagram of the inventive flow annotation system deployed within a network; -
FIG. 2 is a schematic diagram of the flow annotating network monitor according to the present invention; -
FIG. 3 is a flowchart showing the operation of flow annotating network monitor according to an embodiment of the present invention; -
FIG. 4 is a schematic diagram illustrating a packet for transporting flow information; -
FIG. 5 is a schematic diagram illustrating flow information in a packet; -
FIG. 6 is a schematic diagram illustrating flowset information in a packet according to an embodiment of the present invention; and -
FIG. 7 shows one concrete example of an annotated flow packet according to an embodiment of the present invention. -
FIG. 1 is a block diagram of aflow annotation system 100 deployed within anetwork 10 according to the principles of the present invention. - In more detail, network communication devices such as
routers network 10 between other network communications devices, network nodes, and host computers. Flow information is also collected, in some examples from packet monitors or taps 14 that are installed usually solely to monitor packet traffic. An example here is the Netflow Analyzer offered by Cisco Systems, Inc. Other exemplary sources of flow information include network security devices, e.g., firewalls 16, that apply security policies and monitor for malicious code/packets. - The
flow information 103 from these collectors is forwarded to one or more network monitors 100 a, 100 b. In some examples, these network monitors 100 a, 100 b and other network monitors in the network, 100 c, 100 d, 100 e, function in a peer-to-peer relationship. Such a relationship is used to provide redundancy such that failure of any network monitor does not undermine the operation of other monitors. On the other hand, in some examples, master-slave relationships are defined in which one of themonitors 100 functions as master to other slave monitors. In still other examples, aseparate monitor controller 102 is deployed. - Primarily, the network monitors 100 are used to monitor network activity based on the received
flow information 103. In a general sense, the network monitors 100 a, 100 b analyze the flow to determine whether the network activity is in compliance with policies for thenetwork 10. Such policies include network management policies related to traffic levels, for example, and network security policies related to maintaining the security of the network and protecting it against attacks, such as denial of service attacks, viruses, or worms. - According to aspects of the invention, the network monitors 100 a, 100 b further annotate the flow information with additional information derived from analysis of the flow information or internally generated information, such as configuration.
- The network monitors 100 a, 100 b annotate the flow information and send the annotated
flow information 107 to each other and alsovarious flow consumers 109, which include additional flow annotating network monitors 100 c, 100 d and also possibly thecontroller 102. - The
additional flow annotators 100 c, for example, output one or more further annotatedflows 113 to further flow consumers and/orannotators 100 e, in one example. -
FIG. 2 is a schematic diagram of the flow annotating network monitors 100 ofFIG. 1 . Here themonitor 100 is logically broken down into two functions: aflow analysis engine 201 and a flow encoding anddistribution engine 203. Although shown separately, these two functions are often combined into a single operating module, implemented in hardware, software, or a combination thereof. - When the
flow data 103 are received from thenetwork devices network monitor 100 applies available policies to the flow and analyzes the flow in term of BGP, SNMP, its own configuration information, and other data sources including one or more internally maintaineddatabases 205. - The annotated flow is then encoded and distributed by the
distribution engine 203 to various consumers of the flow information. Adistribution list 207 identifies the entities that will receive the annotated flow information. -
FIG. 3 is a flowchart showing the operationflow analysis engine 201 and the encoding anddistribution engine 203 of thenetwork monitor 100. One skilled in the art would recognize, however, that the steps relating to annotating flow according to a given input, e.g., BGP, SNMP, etc., could be performed in a different order. - In
step 301, flow data are received. This is, in examples, standard flow records, for example from network communication devices such as routers 12 and switch 18 orother network device - In
step 303, if BGP information is available, then the source and destination addresses of the flow are looked up in the BGP routing information by theflow analysis engine 201 and the BGP attributes for the matching routes are added to the flow by the flow encoding anddistribution engine 203. - Similarly, in
step 305, if SNMP is available, then theflow analysis engine 201 identifies information about the interfaces that saw the flow in one example, including interface name and description, and a unique identifier that maps into a database of additional interface information. The flow encoding anddistribution engine 203 then annotates the flow with the identified interface information. - In
step 307, if raw packet analysis is available, then the flow data are preferably annotated with information about the raw traffic, including application identifier(s) based on layer 4-7 payload analysis, virtual local area network (VLAN) identifiers, and other information from the packet that would not normally be available in the original flow record. - In
step 308, if user configuration is available, then the flow is annotated with information about traffic attributes that matched user configuration. For example, if the network administrator configured the network monitor 100 to match a specified IP address range to a user-readable identifier (name), then the source and/or destination of the flow is annotated to indicate that it matches that user-defined identifier. - In addition to the above data sources, the system performs its own flow analysis and annotates the flow with useful information in
step 3 10. This information can include, for example, network topology information and/or signature detection. - For example, network topology information potentially includes information as to whether the flow is entering or leaving the
network 10 at this point; whether the flow is entering or leaving through a peering edge or customer-facing interface; whether the flow is entering or leaving a customer site or other user-defined part of the network, etc. In other examples, the network topology information includes: 1) whether the flow belongs to a VPN (virtual private network); 2) if so, to which VPN the flow belongs; and 3) whether the flow is leaving or entering the VPN. - In other examples, the flow information is annotated with contents of the actual packets from raw packet inspection, including but not limited to universal resource locators (URLs) and other hypertext transport protocol (http) post information, voice and/or video call endpoints and setup information for voice over internet protocol (VOIP) and/or session initiation protocol (SIP) traffic, filenames or other information from peer to peer (P2P) and bittorrent traffic.
- In examples where the flow information is annotated with network topology information, the annotation data includes whether the flow belongs to a VPN and is entering or leaving a particular VPN Site, whether the flow is entering or leaving through a paid transit or complementary peering link, for example.
- In still other examples, the flow information is annotated with policy information. For example, the annotated data describes whether the flow matches a configured network traffic policy signature, or not, and identifies that signature.
- Signature detection includes flags that indicate if the flow matches a known worm or denial of service (DOS) attack signature, or other signatures either auto-learned by the system or configured by the user.
- Generally, any given flow may be annotated by any combination of the above information. The information chosen for annotation can be based on user configuration or automatically determined by the system based on that data that are available for the flow.
- In
step 312, the annotated flow is sent to a configurable set of destinations that often make use of both the original flow information and the flow annotations to do useful work, either by reporting on the flow information, detecting network problems, generating alerts, or other analysis. - This annotation and flow redistribution is preferably performed in real-time. The annotated flows further preferably use a standard flow representation method to encode and send the annotated flows, such as the industry-standard NetFlow version 9 format, which is maintained by Cisco Systems Inc. and which has also been implemented by Juniper, and which is related to ipfix (RFC 3955). Annotated flows can thus be processed by both standard flow analysis tools as well as flow analyzers enhanced to make use of the additional annotations.
- In one embodiment, the packets includes the annotated flow information are implemented using Netflow. According to one implementation, new “field type definitions” are added and populated with the exported annotated flow information.
- In more detail, Netflow v9 information is sent in packets that contain header information and then one or more flow records.
- All version 9 flow packets (including annotated flow packets) preferably use a standard header format, which is defined by the Netflow v9, in one implementation.
- In more detail, as shown in
FIG. 4 , the packet headers include the protocol (Netflow) version, record count, system uptime, a time stamp, sequence number and source identification. -
FIG. 5 shows the flow information. That is, after the header, each packet then contains one or more flow records in a FlowSet. The FlowSets use the following format: flowset template identification indicating the format for the flowset, and the length. Then a series of records are attached, each record containing N field values. - The content and format of these records is defined by a Netflow v9 template, which is sent periodically by the flow source using the Template FlowSet packet format. This is a standard packet format for NetFlow v9. Each template sent by a flow source is given a unique ID, which must be placed in the FlowSet Template ID field of a FlowSet packet, so that the receiver can know how to decode the FlowSet records.
- The template defines which data fields are present in each FlowSet and in which order, what values represent, and what size values are. Some example field types that might be defined in a standard NetFlow v9 Template include:
-
Field Field Type Field ID Length Description IPV4 SRC ADDR 8 4 IPv4 Source Address IPV4 DST ADDR 12 4 IPv4 Destination Address L4 SRC PORT 7 2 TCP/UDP source port number L4 DST PORT 11 2 TCP/UDP dest. port number PROTOCOL 4 1 IP Protocol INPUT SNMP 10 2 Input interface SNMP index OUTPUT SNMP 14 2 Output interface SNMP index - Based on the above template,
FIG. 6 shows a sample FlowSet packet. (For readability, the size of the fields has been rounded up to 4 bytes, even though in actuality they may use different sizes). - According to one embodiment, annotated flow adds new field type definitions to represent the new information being added to the annotated flows. An annotated flow sender (see reference 100) sends out an annotated flow template using the standard flow template format and incorporating these new field types. The sender then sends annotated flows using the standard FlowSet format and incorporating the new information defined by the template definition. Example, additional template field types are show in the following table:
-
Field Field Field Type ID Length Description SRC_PEER_AS 66 2 AS Number of source BGP peer INPUT_IFACE_GID 67 4 Reference ID of input interface in an interface database OUTPUT_IFACE_GID 68 2 Reference ID of output interface in an interface database CUSTOMER_MATCH_4 69 8 List of 4 customer IDs that matched the flow APPLICATION_ID 90 4 ID of flow's application based on packet inspection WORM_MATCH 91 4 ID of a worm signature which matched the flow HTTP_URL 92 256 URL contained by HTTP packets, based on packet inspection - Note that in many cases the value is defined as an identification. It is assumed that these identifications are well-known references to either a public or private database record, or based on a user-configured mapping (e.g. to a customer name).
-
FIG. 7 shows one concrete example of an annotated flow packet. It uses a flow template that was the concatenation of all template fields defined above, i.e. the “standard” flow template plus the example flow annotation fields. (Note that again, field sizes are shown in 4-byte multiples for readability, even though the actual packet may store some fields as a different size.) - The benefit of the above-described flow annotation approach is that all standard flow template fields can now be incorporated into annotated flow, and then additional template fields added to provide arbitrary information. When the flow is re-exported with the additional information, the ability of existing flow analysis software to decode and read the standard flow fields is not impacted. On the other hand, a scalable and flexible way to support new analysis software is provided, which can make use of both the standard and new flow annotation fields, from the same NetFlow v9 packet.
- While this invention has been particularly shown and described with references to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention encompassed by the appended claims.
Claims (27)
1. A method of processing network flow information, comprising:
receiving a flow record exported from a network device; and
annotating the flow with additional information.
2. The method of claim 1 , wherein the network device is any of: a router, a switch, a firewall and a packet scanner/analyzer.
3. The method of claim 1 , further comprising sending the annotated flow to a configurable set of destinations.
4. The method of claim 1 , wherein the additional information is derived, at least in part, from a BGP source.
5. The method of claim 4 wherein source and destination addresses identified in the received flow record are looked up in BGP routing information and BGP attributes for the matching routes are added to the flow.
6. The method of claim 1 , wherein the additional information is derived, at least in part, from a SNMP source.
7. The method of claim 6 wherein the flow record is annotated with information describing interfaces which saw the flow, including interface name and description, and a unique identifier that maps into a database of additional interface information.
8. The method of claim 1 , wherein the additional information is derived, at least in part, from user configuration information.
9. The method of claim 8 wherein the flow record is annotated with information about traffic attributes which match user configuration.
10. The method of claim 1 , wherein the additional information is derived, at least in part, from raw packet analysis.
11. The method of claim 10 wherein the flow record is annotated with information derived from raw traffic.
12. The method of claim 11 , wherein the information about raw traffic comprises at least one of: an application identifier based on payload analysis; and VLAN identifiers.
13. The method of claim 1 , further comprising:
performing flow analysis;
annotating the received flow record, based on the flow analysis, with at least one of network topology information and signature detection.
14. The method of claim 1 , wherein the method is performed in real-time.
15. A flow annotator comprising:
a flow analysis engine which receives flow data from a network device, and which selects information from at least one source to be added to the flow data; and
a flow encoding and distribution engine which annotates the flow data with the selected data to create an annotated flow, and which transmits the annotated flow to a configurable set of destinations comprising at least one of an additional flow annotator and a flow consumer.
16. The flow annotator of claim 15 , wherein the network device is any of: a router, a switch, a firewall and a packet scanner/analyzer.
17. The flow annotator of claim 15 , wherein the additional information is derived, at least in part, from a BGP source.
18. The flow annotator of claim 17 wherein source and destination addresses identified in the received flow record are looked up in BGP routing information and BGP attributes for the matching routes are added to the flow.
19. The flow annotator of claim 15 , wherein the additional information is derived, at least in part, from a SNMP source.
20. The flow annotator of claim 19 , wherein the flow record is annotated with information about interfaces which saw the flow, including interface name and description, and a unique identifier that maps into a database of additional interface information.
21. The flow annotator of claim 15 , wherein the additional information is derived, at least in part, from user configuration information.
22. The flow annotator of claim 21 wherein the flow record is annotated with information about traffic attributes which match user configuration.
23. The flow annotator of claim 15 , wherein the additional information is derived, at least in part, from raw packet analysis.
24. The flow annotator of claim 23 wherein the flow record is annotated with information derived from raw traffic.
25. The flow annotator of claim 24 , wherein the information about raw traffic comprises at least one of: an application identifier based on layer 4-7 payload analysis; and VLAN identifiers.
26. The flow annotator of claim 15 , wherein the received flow record is annotated, based on the flow analysis, with at least one of network topology information and signature detection.
27. The flow annotator of claim 15 , wherein flow analysis and annotation are performed in real-time.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/967,130 US20090168648A1 (en) | 2007-12-29 | 2007-12-29 | Method and System for Annotating Network Flow Information |
US13/782,776 US8879415B2 (en) | 2007-12-29 | 2013-03-01 | Method and system for annotating network flow information |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/967,130 US20090168648A1 (en) | 2007-12-29 | 2007-12-29 | Method and System for Annotating Network Flow Information |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/782,776 Continuation US8879415B2 (en) | 2007-12-29 | 2013-03-01 | Method and system for annotating network flow information |
Publications (1)
Publication Number | Publication Date |
---|---|
US20090168648A1 true US20090168648A1 (en) | 2009-07-02 |
Family
ID=40798280
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/967,130 Abandoned US20090168648A1 (en) | 2007-12-29 | 2007-12-29 | Method and System for Annotating Network Flow Information |
US13/782,776 Active 2028-01-13 US8879415B2 (en) | 2007-12-29 | 2013-03-01 | Method and system for annotating network flow information |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/782,776 Active 2028-01-13 US8879415B2 (en) | 2007-12-29 | 2013-03-01 | Method and system for annotating network flow information |
Country Status (1)
Country | Link |
---|---|
US (2) | US20090168648A1 (en) |
Cited By (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090228586A1 (en) * | 2008-03-10 | 2009-09-10 | Cisco Technology, Inc. | Periodic exporting of information over a flow protocol |
US20090327903A1 (en) * | 2006-07-06 | 2009-12-31 | Referentia Systems, Inc. | System and Method for Network Topology and Flow Visualization |
US20100138555A1 (en) * | 2008-12-01 | 2010-06-03 | At&T Corp. | System and Method to Guide Active Participation in Peer-to-Peer Systems with Passive Monitoring Environment |
US20100211668A1 (en) * | 2009-02-13 | 2010-08-19 | Alcatel-Lucent | Optimized mirror for p2p identification |
US20100271973A1 (en) * | 2007-04-05 | 2010-10-28 | Yong Lee | System and method for estimating flow-specific traffic volumes |
US20100325419A1 (en) * | 2009-06-22 | 2010-12-23 | Tushar Kanekar | Systems and methods for encoding the core identifier in the session identifier |
US20110058481A1 (en) * | 2009-09-09 | 2011-03-10 | Lee Chang-Yong | Device and method for generating statistical information for voip traffic analysis and abnormal voip detection |
US20110125748A1 (en) * | 2009-11-15 | 2011-05-26 | Solera Networks, Inc. | Method and Apparatus for Real Time Identification and Recording of Artifacts |
US20110149734A1 (en) * | 2009-12-21 | 2011-06-23 | Electronics And Telecommunications Research Institute | Smart border router and method for transmitting flow using the same |
US20110167149A1 (en) * | 2010-01-06 | 2011-07-07 | The Industry & Academic Cooperation In Chungnam National University | Internet flow data analysis method using parallel computations |
US8521732B2 (en) | 2008-05-23 | 2013-08-27 | Solera Networks, Inc. | Presentation of an extracted artifact based on an indexing technique |
US8614946B1 (en) | 2013-06-07 | 2013-12-24 | Sideband Networks Inc. | Dynamic switch port monitoring |
US8625642B2 (en) | 2008-05-23 | 2014-01-07 | Solera Networks, Inc. | Method and apparatus of network artifact indentification and extraction |
US8666985B2 (en) | 2011-03-16 | 2014-03-04 | Solera Networks, Inc. | Hardware accelerated application-based pattern matching for real time classification and recording of network traffic |
US20140126396A1 (en) * | 2012-11-05 | 2014-05-08 | Broadcom Corporation | Annotated Tracing Driven Network Adaptation |
US20140136680A1 (en) * | 2012-11-09 | 2014-05-15 | Citrix Systems, Inc. | Systems and methods for appflow for datastream |
US8849991B2 (en) | 2010-12-15 | 2014-09-30 | Blue Coat Systems, Inc. | System and method for hypertext transfer protocol layered reconstruction |
US20150043570A1 (en) * | 2013-08-08 | 2015-02-12 | Cisco Technology, Inc. | Discovery of connectivity and compatibility in a communication network |
US9100430B1 (en) | 2014-12-29 | 2015-08-04 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9276957B2 (en) | 2009-06-22 | 2016-03-01 | Citrix Systems, Inc. | Systems and methods for handling SSL session not reusable across multiple cores |
US20160105462A1 (en) * | 2008-12-16 | 2016-04-14 | At&T Intellectual Property I, L.P. | Systems and Methods for Rule-Based Anomaly Detection on IP Network Flow |
US20160255000A1 (en) * | 2015-02-27 | 2016-09-01 | Arista Networks, Inc. | System and method for bgp sflow export |
US9467455B2 (en) | 2014-12-29 | 2016-10-11 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9485263B2 (en) | 2014-07-16 | 2016-11-01 | Microsoft Technology Licensing, Llc | Volatility-based classifier for security solutions |
US9569232B1 (en) * | 2013-02-19 | 2017-02-14 | Amazon Technologies, Inc. | Network traffic data in virtualized environments |
US9619648B2 (en) | 2014-07-16 | 2017-04-11 | Microsoft Technology Licensing, Llc | Behavior change detection system for services |
US9648036B2 (en) | 2014-12-29 | 2017-05-09 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9680916B2 (en) | 2013-08-01 | 2017-06-13 | Flowtraq, Inc. | Methods and systems for distribution and retrieval of network traffic records |
US9906542B2 (en) | 2015-03-30 | 2018-02-27 | Microsoft Technology Licensing, Llc | Testing frequency control using a volatility score |
CN107864110A (en) * | 2016-09-22 | 2018-03-30 | 中国电信股份有限公司 | Botnet main control end detection method and device |
WO2018122640A1 (en) * | 2016-12-30 | 2018-07-05 | Redsocks Security Holdings Bv | System for preparing network traffic for fast analysis |
US10110622B2 (en) | 2015-02-13 | 2018-10-23 | Microsoft Technology Licensing, Llc | Security scanner |
US20190104144A1 (en) * | 2017-09-29 | 2019-04-04 | Cisco Technology, Inc. | Enhanced flow-based computer network threat detection |
GB2567334A (en) * | 2016-02-25 | 2019-04-10 | Sas Inst Inc | Cybersecurity system |
US10554515B2 (en) * | 2015-12-31 | 2020-02-04 | Bright House Networks, Llc | Customer premises network access device for displaying data usage |
CN111131041A (en) * | 2019-11-28 | 2020-05-08 | 中盈优创资讯科技有限公司 | VPN flow obtaining method and device based on NetFlow and BGP |
US20210152660A1 (en) * | 2019-11-18 | 2021-05-20 | International Business Machines Corporation | Communication with an application flow in an integration system |
RU2757597C1 (en) * | 2018-07-18 | 2021-10-19 | БИТДЕФЕНДЕР АйПиАр МЕНЕДЖМЕНТ ЛТД | Systems and methods for reporting computer security incidents |
US20210377133A1 (en) * | 2020-05-28 | 2021-12-02 | Axellio Inc. | High Performance Packet Capture and Analytics Architecture |
EP3934176A1 (en) * | 2020-06-30 | 2022-01-05 | Juniper Networks, Inc. | Application flow monitoring |
US11444855B2 (en) | 2020-07-07 | 2022-09-13 | Juniper Networks, Inc. | System and method for determining a data flow path in an overlay network |
US11658909B2 (en) * | 2018-04-10 | 2023-05-23 | Kentik Technologies, Inc. | Analyzing network traffic by enriching inbound network flows with exit data |
US11888738B2 (en) | 2019-08-15 | 2024-01-30 | Juniper Networks, Inc. | System and method for determining a data flow path in an overlay network |
Families Citing this family (40)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8964763B2 (en) * | 2009-02-09 | 2015-02-24 | Hewlett-Packard Development Company, L.P. | Inter-router communication method and module |
US10412550B2 (en) | 2012-10-29 | 2019-09-10 | T-Mobile Usa, Inc. | Remote driving of mobile device diagnostic applications |
US10313905B2 (en) | 2012-10-29 | 2019-06-04 | T-Mobile Usa, Inc. | Contextual quality of user experience analysis using equipment dynamics |
US10237144B2 (en) | 2012-10-29 | 2019-03-19 | T-Mobile Usa, Inc. | Quality of user experience analysis |
US9237474B2 (en) * | 2012-10-29 | 2016-01-12 | T-Mobile Usa, Inc. | Network device trace correlation |
US10952091B2 (en) | 2012-10-29 | 2021-03-16 | T-Mobile Usa, Inc. | Quality of user experience analysis |
US9538409B2 (en) | 2012-10-29 | 2017-01-03 | T-Mobile Usa, Inc. | Quality of user experience analysis |
US9286047B1 (en) | 2013-02-13 | 2016-03-15 | Cisco Technology, Inc. | Deployment and upgrade of network devices in a network environment |
US10374904B2 (en) | 2015-05-15 | 2019-08-06 | Cisco Technology, Inc. | Diagnostic network visualization |
US9800497B2 (en) | 2015-05-27 | 2017-10-24 | Cisco Technology, Inc. | Operations, administration and management (OAM) in overlay data center environments |
US10033766B2 (en) * | 2015-06-05 | 2018-07-24 | Cisco Technology, Inc. | Policy-driven compliance |
US9967158B2 (en) | 2015-06-05 | 2018-05-08 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US10089099B2 (en) | 2015-06-05 | 2018-10-02 | Cisco Technology, Inc. | Automatic software upgrade |
US10142353B2 (en) | 2015-06-05 | 2018-11-27 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10536357B2 (en) | 2015-06-05 | 2020-01-14 | Cisco Technology, Inc. | Late data detection in data center |
US10171357B2 (en) | 2016-05-27 | 2019-01-01 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10931629B2 (en) | 2016-05-27 | 2021-02-23 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10289438B2 (en) | 2016-06-16 | 2019-05-14 | Cisco Technology, Inc. | Techniques for coordination of application components deployed on distributed virtual machines |
US10708183B2 (en) | 2016-07-21 | 2020-07-07 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US10904203B2 (en) * | 2016-09-09 | 2021-01-26 | Arbor Networks, Inc. | Augmenting network flow with passive DNS information |
US10972388B2 (en) | 2016-11-22 | 2021-04-06 | Cisco Technology, Inc. | Federated microburst detection |
US10708152B2 (en) | 2017-03-23 | 2020-07-07 | Cisco Technology, Inc. | Predicting application and network performance |
US10523512B2 (en) | 2017-03-24 | 2019-12-31 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US10594560B2 (en) | 2017-03-27 | 2020-03-17 | Cisco Technology, Inc. | Intent driven network policy platform |
US10250446B2 (en) | 2017-03-27 | 2019-04-02 | Cisco Technology, Inc. | Distributed policy store |
US10764141B2 (en) | 2017-03-27 | 2020-09-01 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US10873794B2 (en) | 2017-03-28 | 2020-12-22 | Cisco Technology, Inc. | Flowlet resolution for application performance monitoring and management |
US10680887B2 (en) | 2017-07-21 | 2020-06-09 | Cisco Technology, Inc. | Remote device status audit and recovery |
US10554501B2 (en) | 2017-10-23 | 2020-02-04 | Cisco Technology, Inc. | Network migration assistant |
US10523541B2 (en) | 2017-10-25 | 2019-12-31 | Cisco Technology, Inc. | Federated network and application data analytics platform |
US10594542B2 (en) | 2017-10-27 | 2020-03-17 | Cisco Technology, Inc. | System and method for network root cause analysis |
US11233821B2 (en) | 2018-01-04 | 2022-01-25 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
US11765046B1 (en) | 2018-01-11 | 2023-09-19 | Cisco Technology, Inc. | Endpoint cluster assignment and query generation |
US10826803B2 (en) | 2018-01-25 | 2020-11-03 | Cisco Technology, Inc. | Mechanism for facilitating efficient policy updates |
US10798015B2 (en) | 2018-01-25 | 2020-10-06 | Cisco Technology, Inc. | Discovery of middleboxes using traffic flow stitching |
US10574575B2 (en) | 2018-01-25 | 2020-02-25 | Cisco Technology, Inc. | Network flow stitching using middle box flow stitching |
US10999149B2 (en) | 2018-01-25 | 2021-05-04 | Cisco Technology, Inc. | Automatic configuration discovery based on traffic flow data |
US10873593B2 (en) | 2018-01-25 | 2020-12-22 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US10917438B2 (en) | 2018-01-25 | 2021-02-09 | Cisco Technology, Inc. | Secure publishing for policy updates |
US11128700B2 (en) | 2018-01-26 | 2021-09-21 | Cisco Technology, Inc. | Load balancing configuration based on traffic flow telemetry |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030039212A1 (en) * | 2000-10-17 | 2003-02-27 | Lloyd Michael A. | Method and apparatus for the assessment and optimization of network traffic |
US20050071469A1 (en) * | 2003-09-26 | 2005-03-31 | Mccollom William G. | Method and system for controlling egress traffic load balancing between multiple service providers |
US20070058631A1 (en) * | 2005-08-12 | 2007-03-15 | Microsoft Corporation | Distributed network management |
US20070168505A1 (en) * | 2006-01-19 | 2007-07-19 | Hewlett-Packard Development Company, L.P. | Performance monitoring in a network |
US20070226802A1 (en) * | 2006-03-21 | 2007-09-27 | Prem Gopalan | Exploit-based worm propagation mitigation |
US20090222924A1 (en) * | 2006-03-02 | 2009-09-03 | International Business Machines Corporation | Operating a network monitoring entity |
US7664114B1 (en) * | 2001-10-30 | 2010-02-16 | At&T Corp. | Traffic matrix computation for packet networks |
US20100110902A1 (en) * | 2002-02-13 | 2010-05-06 | At&T Intellectual Property Ii, L.P. | Traffic Matrix Computation for a Backbone Network Supporting Virtual Private Networks |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7133365B2 (en) * | 2001-11-02 | 2006-11-07 | Internap Network Services Corporation | System and method to provide routing control of information over networks |
US7738859B2 (en) * | 2005-03-10 | 2010-06-15 | Interdigital Technology Corporation | Multi-node communication system and method of requesting, reporting and collecting destination-node-based measurements and route-based measurements |
-
2007
- 2007-12-29 US US11/967,130 patent/US20090168648A1/en not_active Abandoned
-
2013
- 2013-03-01 US US13/782,776 patent/US8879415B2/en active Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030039212A1 (en) * | 2000-10-17 | 2003-02-27 | Lloyd Michael A. | Method and apparatus for the assessment and optimization of network traffic |
US7664114B1 (en) * | 2001-10-30 | 2010-02-16 | At&T Corp. | Traffic matrix computation for packet networks |
US20100110902A1 (en) * | 2002-02-13 | 2010-05-06 | At&T Intellectual Property Ii, L.P. | Traffic Matrix Computation for a Backbone Network Supporting Virtual Private Networks |
US20050071469A1 (en) * | 2003-09-26 | 2005-03-31 | Mccollom William G. | Method and system for controlling egress traffic load balancing between multiple service providers |
US20070058631A1 (en) * | 2005-08-12 | 2007-03-15 | Microsoft Corporation | Distributed network management |
US20070168505A1 (en) * | 2006-01-19 | 2007-07-19 | Hewlett-Packard Development Company, L.P. | Performance monitoring in a network |
US20090222924A1 (en) * | 2006-03-02 | 2009-09-03 | International Business Machines Corporation | Operating a network monitoring entity |
US20070226802A1 (en) * | 2006-03-21 | 2007-09-27 | Prem Gopalan | Exploit-based worm propagation mitigation |
Cited By (88)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9350622B2 (en) * | 2006-07-06 | 2016-05-24 | LiveAction, Inc. | Method and system for real-time visualization of network flow within network device |
US9246772B2 (en) | 2006-07-06 | 2016-01-26 | LiveAction, Inc. | System and method for network topology and flow visualization |
US9240930B2 (en) * | 2006-07-06 | 2016-01-19 | LiveAction, Inc. | System for network flow visualization through network devices within network topology |
US20130159865A1 (en) * | 2006-07-06 | 2013-06-20 | John Kei Smith | Method and System for Real-Time Visualization of Network Flow within Network Device |
US20130159864A1 (en) * | 2006-07-06 | 2013-06-20 | John Kei Smith | System for Network Flow Visualization through Network Devices within Network Topology |
US20090327903A1 (en) * | 2006-07-06 | 2009-12-31 | Referentia Systems, Inc. | System and Method for Network Topology and Flow Visualization |
US9003292B2 (en) * | 2006-07-06 | 2015-04-07 | LiveAction, Inc. | System and method for network topology and flow visualization |
US8284697B2 (en) * | 2007-04-05 | 2012-10-09 | Samsung Electronics Co. Ltd | System and method for estimating flow-specific traffic volumes |
US20100271973A1 (en) * | 2007-04-05 | 2010-10-28 | Yong Lee | System and method for estimating flow-specific traffic volumes |
US7941529B2 (en) * | 2008-03-10 | 2011-05-10 | Cisco Technology, Inc. | Periodic exporting of information over a flow protocol |
US20090228586A1 (en) * | 2008-03-10 | 2009-09-10 | Cisco Technology, Inc. | Periodic exporting of information over a flow protocol |
US8625642B2 (en) | 2008-05-23 | 2014-01-07 | Solera Networks, Inc. | Method and apparatus of network artifact indentification and extraction |
US8521732B2 (en) | 2008-05-23 | 2013-08-27 | Solera Networks, Inc. | Presentation of an extracted artifact based on an indexing technique |
US8959243B2 (en) * | 2008-12-01 | 2015-02-17 | At&T Intellectual Property Ii, L.P. | System and method to guide active participation in peer-to-peer systems with passive monitoring environment |
US20100138555A1 (en) * | 2008-12-01 | 2010-06-03 | At&T Corp. | System and Method to Guide Active Participation in Peer-to-Peer Systems with Passive Monitoring Environment |
US20160105462A1 (en) * | 2008-12-16 | 2016-04-14 | At&T Intellectual Property I, L.P. | Systems and Methods for Rule-Based Anomaly Detection on IP Network Flow |
US9680877B2 (en) * | 2008-12-16 | 2017-06-13 | At&T Intellectual Property I, L.P. | Systems and methods for rule-based anomaly detection on IP network flow |
US20100211668A1 (en) * | 2009-02-13 | 2010-08-19 | Alcatel-Lucent | Optimized mirror for p2p identification |
US8051167B2 (en) * | 2009-02-13 | 2011-11-01 | Alcatel Lucent | Optimized mirror for content identification |
US9654505B2 (en) | 2009-06-22 | 2017-05-16 | Citrix Systems, Inc. | Systems and methods for encoding the core identifier in the session identifier |
US20100325419A1 (en) * | 2009-06-22 | 2010-12-23 | Tushar Kanekar | Systems and methods for encoding the core identifier in the session identifier |
US9906556B2 (en) | 2009-06-22 | 2018-02-27 | Citrix Systems, Inc. | Systems and methods for encoding the core identifier in the session identifier |
US9276957B2 (en) | 2009-06-22 | 2016-03-01 | Citrix Systems, Inc. | Systems and methods for handling SSL session not reusable across multiple cores |
US20110058481A1 (en) * | 2009-09-09 | 2011-03-10 | Lee Chang-Yong | Device and method for generating statistical information for voip traffic analysis and abnormal voip detection |
US8259723B2 (en) * | 2009-09-09 | 2012-09-04 | Korea Internet & Security Agency | Device and method for generating statistical information for VoIP traffic analysis and abnormal VoIP detection |
US20110125748A1 (en) * | 2009-11-15 | 2011-05-26 | Solera Networks, Inc. | Method and Apparatus for Real Time Identification and Recording of Artifacts |
US20110149734A1 (en) * | 2009-12-21 | 2011-06-23 | Electronics And Telecommunications Research Institute | Smart border router and method for transmitting flow using the same |
US20110167149A1 (en) * | 2010-01-06 | 2011-07-07 | The Industry & Academic Cooperation In Chungnam National University | Internet flow data analysis method using parallel computations |
US8849991B2 (en) | 2010-12-15 | 2014-09-30 | Blue Coat Systems, Inc. | System and method for hypertext transfer protocol layered reconstruction |
US8666985B2 (en) | 2011-03-16 | 2014-03-04 | Solera Networks, Inc. | Hardware accelerated application-based pattern matching for real time classification and recording of network traffic |
US9178782B2 (en) * | 2012-11-05 | 2015-11-03 | Broadcom Corporation | Annotated tracing driven network adaptation |
US20140126396A1 (en) * | 2012-11-05 | 2014-05-08 | Broadcom Corporation | Annotated Tracing Driven Network Adaptation |
US20140136680A1 (en) * | 2012-11-09 | 2014-05-15 | Citrix Systems, Inc. | Systems and methods for appflow for datastream |
US9438488B2 (en) * | 2012-11-09 | 2016-09-06 | Citrix Systems, Inc. | Systems and methods for appflow for datastream |
US9569232B1 (en) * | 2013-02-19 | 2017-02-14 | Amazon Technologies, Inc. | Network traffic data in virtualized environments |
US10133591B2 (en) | 2013-02-19 | 2018-11-20 | Amazon Technologies, Inc. | Network traffic data in virtualized environments |
US8614946B1 (en) | 2013-06-07 | 2013-12-24 | Sideband Networks Inc. | Dynamic switch port monitoring |
US9917901B2 (en) | 2013-08-01 | 2018-03-13 | Flowtraq, Inc. | Methods and systems for distribution and retrieval of network traffic records |
US10397329B2 (en) | 2013-08-01 | 2019-08-27 | Riverbed Technology, Inc. | Methods and systems for distribution and retrieval of network traffic records |
US9680916B2 (en) | 2013-08-01 | 2017-06-13 | Flowtraq, Inc. | Methods and systems for distribution and retrieval of network traffic records |
US9590850B2 (en) * | 2013-08-08 | 2017-03-07 | Cisco Technology, Inc. | Discovery of connectivity and compatibility in a communication network |
US20150043570A1 (en) * | 2013-08-08 | 2015-02-12 | Cisco Technology, Inc. | Discovery of connectivity and compatibility in a communication network |
US9619648B2 (en) | 2014-07-16 | 2017-04-11 | Microsoft Technology Licensing, Llc | Behavior change detection system for services |
US9485263B2 (en) | 2014-07-16 | 2016-11-01 | Microsoft Technology Licensing, Llc | Volatility-based classifier for security solutions |
US9882925B2 (en) | 2014-12-29 | 2018-01-30 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9100430B1 (en) | 2014-12-29 | 2015-08-04 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9648036B2 (en) | 2014-12-29 | 2017-05-09 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9467455B2 (en) | 2014-12-29 | 2016-10-11 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US10721263B2 (en) | 2014-12-29 | 2020-07-21 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9985983B2 (en) | 2014-12-29 | 2018-05-29 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US10462175B2 (en) | 2014-12-29 | 2019-10-29 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US10110622B2 (en) | 2015-02-13 | 2018-10-23 | Microsoft Technology Licensing, Llc | Security scanner |
US10574574B2 (en) | 2015-02-27 | 2020-02-25 | Arista Networks, Inc. | System and method for BGP sFlow export |
US20160255000A1 (en) * | 2015-02-27 | 2016-09-01 | Arista Networks, Inc. | System and method for bgp sflow export |
US9722925B2 (en) * | 2015-02-27 | 2017-08-01 | Arista Networks, Inc. | System and method for BGP sFlow export |
US9906542B2 (en) | 2015-03-30 | 2018-02-27 | Microsoft Technology Licensing, Llc | Testing frequency control using a volatility score |
US10554515B2 (en) * | 2015-12-31 | 2020-02-04 | Bright House Networks, Llc | Customer premises network access device for displaying data usage |
GB2567334A (en) * | 2016-02-25 | 2019-04-10 | Sas Inst Inc | Cybersecurity system |
GB2567335B (en) * | 2016-02-25 | 2019-12-04 | Sas Inst Inc | Cybersecurity system |
GB2567334B (en) * | 2016-02-25 | 2019-12-04 | Sas Inst Inc | Cybersecurity system |
GB2567335A (en) * | 2016-02-25 | 2019-04-10 | Sas Inst Inc | Cybersecurity system |
CN107864110A (en) * | 2016-09-22 | 2018-03-30 | 中国电信股份有限公司 | Botnet main control end detection method and device |
JP2020503753A (en) * | 2016-12-30 | 2020-01-30 | ビットディフェンダー ネザーランズ ビー.ブイ. | System to prepare network traffic for fast analysis |
KR20190101374A (en) * | 2016-12-30 | 2019-08-30 | 비트디펜더 네덜란드 비.브이. | Network traffic preparation system for high speed analysis |
US11184255B2 (en) * | 2016-12-30 | 2021-11-23 | Bitdefender Netherlands B.V. | System for preparing network traffic for fast analysis |
CN110100415A (en) * | 2016-12-30 | 2019-08-06 | 比特梵德荷兰私人有限责任公司 | System for network flow to be ready for quickly analyzing |
WO2018122640A1 (en) * | 2016-12-30 | 2018-07-05 | Redsocks Security Holdings Bv | System for preparing network traffic for fast analysis |
IL267453B2 (en) * | 2016-12-30 | 2023-05-01 | Bitdefender Netherlands B V | System for preparing network traffic for fast analysis |
IL267453A (en) * | 2016-12-30 | 2019-08-29 | Bitdefender Netherlands B V | System for preparing network traffic for fast analysis |
KR102476126B1 (en) * | 2016-12-30 | 2022-12-12 | 비트디펜더 네덜란드 비.브이. | Network traffic preparation system for high-speed analysis |
AU2017385032B2 (en) * | 2016-12-30 | 2022-11-03 | Bitdefender Netherlands B.V. | System for preparing network traffic for fast analysis |
JP7069173B2 (en) | 2016-12-30 | 2022-05-17 | ビットディフェンダー ネザーランズ ビー.ブイ. | A system that prepares network traffic for fast analysis |
RU2753189C2 (en) * | 2016-12-30 | 2021-08-12 | Битдефендер Незерлендс Б.В. | System for preparing network traffic for quick analysis |
US20190104144A1 (en) * | 2017-09-29 | 2019-04-04 | Cisco Technology, Inc. | Enhanced flow-based computer network threat detection |
US10855705B2 (en) * | 2017-09-29 | 2020-12-01 | Cisco Technology, Inc. | Enhanced flow-based computer network threat detection |
US11658909B2 (en) * | 2018-04-10 | 2023-05-23 | Kentik Technologies, Inc. | Analyzing network traffic by enriching inbound network flows with exit data |
RU2757597C1 (en) * | 2018-07-18 | 2021-10-19 | БИТДЕФЕНДЕР АйПиАр МЕНЕДЖМЕНТ ЛТД | Systems and methods for reporting computer security incidents |
US11184368B2 (en) * | 2018-07-18 | 2021-11-23 | Bitdefender IPR Management Ltd. | Systems and methods for reporting computer security incidents |
US11888738B2 (en) | 2019-08-15 | 2024-01-30 | Juniper Networks, Inc. | System and method for determining a data flow path in an overlay network |
US11082531B2 (en) * | 2019-11-18 | 2021-08-03 | International Business Machines Corporation | Communication with an application flow in an integration system |
US20210152660A1 (en) * | 2019-11-18 | 2021-05-20 | International Business Machines Corporation | Communication with an application flow in an integration system |
CN111131041A (en) * | 2019-11-28 | 2020-05-08 | 中盈优创资讯科技有限公司 | VPN flow obtaining method and device based on NetFlow and BGP |
US11855861B2 (en) * | 2020-05-28 | 2023-12-26 | Axellio Inc. | High performance packet capture and analytics architecture |
US20210377133A1 (en) * | 2020-05-28 | 2021-12-02 | Axellio Inc. | High Performance Packet Capture and Analytics Architecture |
EP3934176A1 (en) * | 2020-06-30 | 2022-01-05 | Juniper Networks, Inc. | Application flow monitoring |
USD980845S1 (en) | 2020-07-07 | 2023-03-14 | Juniper Networks, Inc. | Display screen with graphical user interface for a data flow path |
US11444855B2 (en) | 2020-07-07 | 2022-09-13 | Juniper Networks, Inc. | System and method for determining a data flow path in an overlay network |
USD1018571S1 (en) | 2020-07-07 | 2024-03-19 | Juniper Networks, Inc. | Display screen with graphical user interface for a data flow path |
Also Published As
Publication number | Publication date |
---|---|
US20130290521A1 (en) | 2013-10-31 |
US8879415B2 (en) | 2014-11-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8879415B2 (en) | Method and system for annotating network flow information | |
US10904203B2 (en) | Augmenting network flow with passive DNS information | |
EP3695568B1 (en) | Systems and methods for controlling switches to record network packets using a traffice monitoring network | |
US7937755B1 (en) | Identification of network policy violations | |
EP3151470B1 (en) | Analytics for a distributed network | |
US10454891B2 (en) | Context-aware network and situation management for crypto-partitioned networks | |
US7769851B1 (en) | Application-layer monitoring and profiling network traffic | |
US7810151B1 (en) | Automated change detection within a network environment | |
Arregoces et al. | Data center fundamentals | |
US8146160B2 (en) | Method and system for authentication event security policy generation | |
EP2241058B1 (en) | Method for configuring acls on network device based on flow information | |
US11546266B2 (en) | Correlating discarded network traffic with network policy events through augmented flow | |
US20110296005A1 (en) | Method and system for monitoring control signal traffic over a computer network | |
US11190417B2 (en) | Methods, systems, and computer readable media for processing network flow metadata at a network packet broker | |
Kobayashi et al. | IP flow information export (IPFIX) mediation: Problem statement | |
Lu et al. | A novel path‐based approach for single‐packet IP traceback | |
US9055113B2 (en) | Method and system for monitoring flows in network traffic | |
US20100202466A1 (en) | Inter-router communication method and module | |
CN108040007A (en) | A kind of alternate routing link-quality monitoring method and system | |
CN111698110A (en) | Network equipment performance analysis method, system, equipment and computer medium | |
Kobayashi et al. | IP flow information export (IPFIX) mediation: Framework | |
Schudel et al. | Router security strategies: Securing IP network traffic planes | |
KR101200875B1 (en) | Method and system for light-weight soap transport for web services based management | |
Hadem et al. | I-SMITE: an IP traceback mechanism for inter-AS SDN networks using BGP | |
Bao et al. | Scalable application-specific measurement framework for high performance network video |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: ARBOR NETWORKS, INC., MASSACHUSETTS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LABOVITZ, CRAIG;EGGLESTON, JOSEPH;IEKEL-JOHNSON, SCOTT;REEL/FRAME:020531/0761 Effective date: 20080212 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |