US20090168648A1 - Method and System for Annotating Network Flow Information - Google Patents


Info

Publication number: US20090168648A1
Application number: US11/967,130
Authority: US (United States)
Legal status: Abandoned
Inventors: Craig Labovitz, Joseph Eggleston, Scott Iekel-Johnson
Original assignee: Arbor Networks Inc
Current assignee: Arbor Networks Inc
Prior art keywords: flow, information, annotated, annotator, network
Events: application filed by Arbor Networks Inc; priority to US11/967,130; assignment of assignors' interest to Arbor Networks, Inc. (assignors: Eggleston, Joseph; Iekel-Johnson, Scott; Labovitz, Craig); publication of US20090168648A1; priority to US13/782,776 (patent US8879415B2); legal status: abandoned.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data > H04L43/026 Capturing of monitoring data using flow identification
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters > H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/12 Discovery or management of network topologies
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks > Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • the present invention can be used to facilitate the creation of scalable flow monitoring solutions.
  • the invention also demonstrates that there can be a reasonably low overhead for this approach.
  • An embodiment of the present invention takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information.
  • This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other, intelligent flow analysis.
  • These annotations add information to the flow data and can be used to perform value-added flow analysis.
  • the annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco System Inc.'s NetFlow technology, version 9, in one implementation. This allows the annotated flow to be processed and the enhanced information to be used by other flow analysis tools and existing flow analysis infrastructure.
  • Various data sources may be used to annotate the flow. These can include but are not limited to BGP, SNMP, user configuration, raw packet analysis information (e.g. from Peakflow TMS), and other flow analysis information.
  • the added information can be incorporated into existing flow monitoring tools.
  • Existing tools need not even be able to make sense of the information added to the flow by the present invention—they can still access the original data put in the flow record by the router.
  • the invention features a method of processing network flow information.
  • the method comprises receiving a flow record exported from a network device and annotating the flow with additional information.
  • the network device is any of: a router, a switch, a firewall and a packet scanner/analyzer.
  • the method includes sending the annotated flow to a configurable set of destinations using standard flow formatting.
  • the additional information is derived, at least in part, from a BGP source, in one example.
  • the source and destination addresses identified in the received flow record are looked up in the BGP routing information and the BGP attributes for the matching routes are added to the flow.
  • the additional information is derived, at least in part, from a SNMP source.
  • the flow record is annotated with information describing interfaces which saw the flow, including interface name and description, and a unique identifier that maps into a database of additional interface information.
  • the additional information can be derived, at least in part, from user configuration information.
  • the flow record is annotated with information about traffic attributes which match user configuration.
  • the additional information can also be derived, at least in part, from raw packet analysis.
  • the flow record is annotated with information derived from raw traffic.
  • the invention features a flow annotator.
  • This annotator comprises a flow analysis engine which receives flow data from a network device, and which selects information from at least one source to be added to the flow data.
  • a flow encoding and distribution engine is provided that annotates the flow data with the selected data to create an annotated flow, and that transmits the annotated flow to a configurable set of destinations comprising at least one of an additional flow annotator and a flow consumer.
  • FIG. 1 is a block diagram of the inventive flow annotation system deployed within a network.
  • FIG. 2 is a schematic diagram of the flow annotating network monitor according to the present invention.
  • FIG. 3 is a flowchart showing the operation of the flow annotating network monitor according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram illustrating a packet for transporting flow information.
  • FIG. 5 is a schematic diagram illustrating flow information in a packet.
  • FIG. 6 is a schematic diagram illustrating flowset information in a packet according to an embodiment of the present invention.
  • FIG. 7 shows one concrete example of an annotated flow packet according to an embodiment of the present invention.
  • FIG. 1 is a block diagram of a flow annotation system 100 deployed within a network 10 according to the principles of the present invention.
  • network communication devices such as routers 12a, 12b and/or switches 18 collect flow information from the packet information that is transmitted through the network 10 between other network communications devices, network nodes, and host computers. Flow information is also collected, in some examples, from packet monitors or taps 14 that are installed usually solely to monitor packet traffic.
  • An example here is the Netflow Analyzer offered by Cisco Systems, Inc.
  • Other exemplary sources of flow information include network security devices, e.g., firewalls 16, that apply security policies and monitor for malicious code/packets.
  • the flow information 103 from these collectors is forwarded to one or more network monitors 100a, 100b.
  • these network monitors 100a, 100b and other network monitors in the network, 100c, 100d, 100e, function in a peer-to-peer relationship. Such a relationship is used to provide redundancy such that failure of any network monitor does not undermine the operation of other monitors.
  • master-slave relationships are defined in which one of the monitors 100 functions as master to other slave monitors.
  • a separate monitor controller 102 is deployed.
  • the network monitors 100 are used to monitor network activity based on the received flow information 103.
  • the network monitors 100a, 100b analyze the flow to determine whether the network activity is in compliance with policies for the network 10.
  • policies include network management policies related to traffic levels, for example, and network security policies related to maintaining the security of the network and protecting it against attacks, such as denial of service attacks, viruses, or worms.
  • the network monitors 100a, 100b further annotate the flow information with additional information derived from analysis of the flow information or internally generated information, such as configuration.
  • the network monitors 100a, 100b annotate the flow information and send the annotated flow information 107 to each other and also to various flow consumers 109, which include additional flow annotating network monitors 100c, 100d and also possibly the controller 102.
  • the additional flow annotators 100c, for example, output one or more further annotated flows 113 to further flow consumers and/or annotators 100e, in one example.
  • FIG. 2 is a schematic diagram of the flow annotating network monitors 100 of FIG. 1.
  • the monitor 100 is logically broken down into two functions: a flow analysis engine 201 and a flow encoding and distribution engine 203 . Although shown separately, these two functions are often combined into a single operating module, implemented in hardware, software, or a combination thereof.
  • the network monitor 100 applies available policies to the flow and analyzes the flow in terms of BGP, SNMP, its own configuration information, and other data sources, including one or more internally maintained databases 205.
  • the annotated flow is then encoded and distributed by the distribution engine 203 to various consumers of the flow information.
  • a distribution list 207 identifies the entities that will receive the annotated flow information.
  • FIG. 3 is a flowchart showing the operation of the flow analysis engine 201 and the encoding and distribution engine 203 of the network monitor 100.
  • steps relating to annotating the flow according to a given input (e.g., BGP, SNMP, etc.) could be performed in a different order.
  • step 301 flow data are received. These are, in examples, standard flow records, for example from network communication devices such as routers 12 and switch 18 or other network devices 14, 16; or alternatively, annotated flow records from another flow annotating monitor.
  • step 303 if BGP information is available, then the source and destination addresses of the flow are looked up in the BGP routing information by the flow analysis engine 201 and the BGP attributes for the matching routes are added to the flow by the flow encoding and distribution engine 203 .
  • step 305 if SNMP is available, then the flow analysis engine 201 identifies information about the interfaces that saw the flow in one example, including interface name and description, and a unique identifier that maps into a database of additional interface information. The flow encoding and distribution engine 203 then annotates the flow with the identified interface information.
  • the flow data are preferably annotated with information about the raw traffic, including application identifier(s) based on layer 4-7 payload analysis, virtual local area network (VLAN) identifiers, and other information from the packet that would not normally be available in the original flow record.
  • step 308 if user configuration is available, then the flow is annotated with information about traffic attributes that matched user configuration. For example, if the network administrator configured the network monitor 100 to match a specified IP address range to a user-readable identifier (name), then the source and/or destination of the flow is annotated to indicate that it matches that user-defined identifier.
  • the system performs its own flow analysis and annotates the flow with useful information in step 310.
  • This information can include, for example, network topology information and/or signature detection.
  • network topology information potentially includes information as to whether the flow is entering or leaving the network 10 at this point; whether the flow is entering or leaving through a peering edge or customer-facing interface; whether the flow is entering or leaving a customer site or other user-defined part of the network, etc.
  • the network topology information includes: 1) whether the flow belongs to a VPN (virtual private network); 2) if so, to which VPN the flow belongs; and 3) whether the flow is leaving or entering the VPN.
  • the flow information is annotated with contents of the actual packets from raw packet inspection, including but not limited to universal resource locators (URLs) and other hypertext transport protocol (http) post information, voice and/or video call endpoints and setup information for voice over internet protocol (VOIP) and/or session initiation protocol (SIP) traffic, filenames or other information from peer to peer (P2P) and bittorrent traffic.
  • the annotation data includes whether the flow belongs to a VPN and is entering or leaving a particular VPN Site, whether the flow is entering or leaving through a paid transit or complementary peering link, for example.
  • the flow information is annotated with policy information.
  • the annotated data describes whether the flow matches a configured network traffic policy signature, or not, and identifies that signature.
  • Signature detection includes flags that indicate if the flow matches a known worm or denial of service (DOS) attack signature, or other signatures either auto-learned by the system or configured by the user.
  • any given flow may be annotated by any combination of the above information.
  • the information chosen for annotation can be based on user configuration or automatically determined by the system based on that data that are available for the flow.
  • step 312 the annotated flow is sent to a configurable set of destinations that often make use of both the original flow information and the flow annotations to do useful work, either by reporting on the flow information, detecting network problems, generating alerts, or other analysis.
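  • The annotation sequence of steps 301 through 312 above, worked through as an added Python example that is not part of the patent or of any Arbor Networks product: the BGP table, SNMP interface table, user configuration, interface roles, policy signature and the single flow record are all constructed in-line, and the helper names (longest_prefix_match, annotate, SIGNATURES) are this example's own. A standard flow record is looked up against each source in turn and each match is added as a new key; a lookup that finds nothing adds no key, and the router's original fields are never modified. The signature check is a plain protocol/port policy match standing in for the auto-learned or user-configured signatures the text mentions.

```python
"""Flow annotation pipeline (steps 301-312): enrich a standard flow record
from BGP, SNMP, user configuration and topology/signature analysis.
All tables and the sample flow below are constructed for this example."""
import ipaddress

# Constructed stand-in for a BGP RIB: prefix -> attributes of the matching route.
BGP_RIB = {
    "203.0.113.0/24":    {"origin_as": 64500, "as_path": [64500]},
    "198.51.100.0/24":   {"origin_as": 64501, "as_path": [64496, 64501]},
    "198.51.100.128/25": {"origin_as": 64502, "as_path": [64496, 64502]},
}
# Constructed SNMP interface table: ifIndex -> (ifName, ifDescr, interface database id).
SNMP_IFACES = {
    10: ("ge-0/0/1", "peering link to AS64496", "if-0001"),
    14: ("ge-0/0/7", "customer: Example Corp", "if-0007"),
}
# Constructed user configuration: address range -> user-readable name (step 308).
USER_CONFIG = {"198.51.100.0/24": "Example Corp hosting"}
# Constructed topology knowledge: ifIndex -> role, used to decide entering/leaving (step 310).
IFACE_ROLE = {10: "peering", 14: "customer"}
# Constructed policy signatures: a flow matching one is flagged with its name (step 310).
SIGNATURES = [{"name": "telnet-policy", "protocol": 6, "dst_port": 23}]


def longest_prefix_match(addr, table):
    """Return (network, value) for the most specific prefix in table containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


def annotate(flow, bgp=BGP_RIB, snmp=SNMP_IFACES, cfg=USER_CONFIG,
             roles=IFACE_ROLE, signatures=SIGNATURES):
    """Return a copy of the flow record with annotation keys added.

    Original keys are never modified, and a lookup that finds nothing adds
    no key at all, so a consumer can tell 'unknown' from a real value."""
    out = dict(flow)
    # Step 303: BGP attributes of the routes matching source and destination.
    for side in ("src", "dst"):
        hit = longest_prefix_match(flow[f"{side}_addr"], bgp)
        if hit:
            out[f"{side}_prefix"] = str(hit[0])
            out[f"{side}_as"] = hit[1]["origin_as"]
            out[f"{side}_as_path"] = list(hit[1]["as_path"])
    # Step 305: name, description and database id of the interfaces that saw the flow.
    for side, key in (("in", "input_snmp"), ("out", "output_snmp")):
        if flow[key] in snmp:
            name, descr, dbid = snmp[flow[key]]
            out[f"{side}_if_name"], out[f"{side}_if_descr"], out[f"{side}_if_id"] = name, descr, dbid
    # Step 308: user-configured names for matching address ranges.
    for side in ("src", "dst"):
        hit = longest_prefix_match(flow[f"{side}_addr"], cfg)
        if hit:
            out[f"{side}_name"] = hit[1]
    # Step 310: topology (is the flow entering or leaving the network at this point?).
    in_role, out_role = roles.get(flow["input_snmp"]), roles.get(flow["output_snmp"])
    if in_role == "peering" and out_role == "customer":
        out["direction"] = "entering"
    elif in_role == "customer" and out_role == "peering":
        out["direction"] = "leaving"
    # Step 310: signature detection (a configured policy signature in this example).
    for sig in signatures:
        if flow["protocol"] == sig["protocol"] and flow["dst_port"] == sig["dst_port"]:
            out["signature"] = sig["name"]
            break
    return out


# Constructed sample flow record as a router would export it (standard fields only).
SAMPLE_FLOW = {
    "src_addr": "198.51.100.200", "dst_addr": "203.0.113.5",
    "src_port": 51234, "dst_port": 443, "protocol": 6,
    "input_snmp": 14, "output_snmp": 10, "packets": 12, "bytes": 9870,
}

if __name__ == "__main__":
    for key, value in annotate(SAMPLE_FLOW).items():
        print(f"{key:>14}: {value}")
```

  With the constructed tables, the sample flow's source falls inside both the /24 and the more specific /25 route, so the longest-prefix match attributes it to AS 64502 while the destination resolves to AS 64500; it arrives on the customer interface and leaves on the peering interface, so it is marked "leaving". Leaving a key absent rather than writing a sentinel such as 0 keeps "no route found" distinguishable from a real value once the record is re-exported.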
  • the annotated flows further preferably use a standard flow representation method to encode and send the annotated flows, such as the industry-standard NetFlow version 9 format, which is maintained by Cisco Systems Inc. and which has also been implemented by Juniper, and which is related to ipfix (RFC 3955).
  • Annotated flows can thus be processed by both standard flow analysis tools as well as flow analyzers enhanced to make use of the additional annotations.
  • the packets that carry the annotated flow information are implemented using NetFlow.
  • new “field type definitions” are added and populated with the exported annotated flow information.
  • Netflow v9 information is sent in packets that contain header information and then one or more flow records.
  • All version 9 flow packets (including annotated flow packets) preferably use a standard header format, which is defined by the Netflow v9, in one implementation.
  • the packet headers include the protocol (Netflow) version, record count, system uptime, a time stamp, sequence number and source identification.
  • FIG. 5 shows the flow information. That is, after the header, each packet then contains one or more flow records in a FlowSet.
  • the FlowSets use the following format: flowset template identification indicating the format for the flowset, and the length. Then a series of records are attached, each record containing N field values.
  • The content and format of these records is defined by a Netflow v9 template, which is sent periodically by the flow source using the Template FlowSet packet format.
  • This is a standard packet format for NetFlow v9.
  • Each template sent by a flow source is given a unique ID, which must be placed in the FlowSet Template ID field of a FlowSet packet, so that the receiver can know how to decode the FlowSet records.
  • the template defines which data fields are present in each FlowSet and in which order, what values represent, and what size values are.
  • Some example field types that might be defined in a standard NetFlow v9 Template include:

        Field type       Value   Length (bytes)   Description
        IPV4_SRC_ADDR    8       4                IPv4 source address
        IPV4_DST_ADDR    12      4                IPv4 destination address
        L4_SRC_PORT      7       2                TCP/UDP source port number
        L4_DST_PORT      11      2                TCP/UDP destination port number
        PROTOCOL         4       1                IP protocol
        INPUT_SNMP       10      2                Input interface SNMP index
        OUTPUT_SNMP      14      2                Output interface SNMP index
  • FIG. 6 shows a sample FlowSet packet. (For readability, the size of the fields has been rounded up to 4 bytes, even though in actuality they may use different sizes).
  • annotated flow adds new field type definitions to represent the new information being added to the annotated flows.
  • An annotated flow sender (see reference 100 ) sends out an annotated flow template using the standard flow template format and incorporating these new field types. The sender then sends annotated flows using the standard FlowSet format and incorporating the new information defined by the template definition.
  • Example additional template field types are shown in the following table:
  • identifications are well-known references to either a public or private database record, or based on a user-configured mapping (e.g. to a customer name).
  • FIG. 7 shows one concrete example of an annotated flow packet. It uses a flow template that was the concatenation of all template fields defined above, i.e. the “standard” flow template plus the example flow annotation fields. (Note that again, field sizes are shown in 4-byte multiples for readability, even though the actual packet may store some fields as a different size.)
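The NetFlow v9 encoding described above (packet header, Template FlowSet, Data FlowSet, with new field types added to the template for the annotations), as an added Python example that is not part of the patent or of any product: the annotation field ids 40001 to 40003 are placeholders chosen for this example, since the page gives no numeric ids for its annotation fields, while the standard field ids and lengths are those of RFC 3954. The decoder is the half worth studying: called with only the standard field list it behaves like an existing NetFlow tool, stepping over the annotation fields by the length the template assigns them and still recovering the router's original fields, whereas a consumer that knows the extra ids gets the annotations as well.

```python
"""NetFlow v9 packets carrying annotated flows: a template with extra field
types, a data FlowSet, and a decoder that tolerates field types it does not know.
Constructed example; the annotation field ids are placeholders."""
import struct

# Standard NetFlow v9 field types (name, id, length in bytes) from RFC 3954.
STD_FIELDS = [
    ("IPV4_SRC_ADDR", 8, 4), ("IPV4_DST_ADDR", 12, 4),
    ("L4_SRC_PORT", 7, 2), ("L4_DST_PORT", 11, 2), ("PROTOCOL", 4, 1),
    ("INPUT_SNMP", 10, 2), ("OUTPUT_SNMP", 14, 2),
]
# Annotation field types added by the annotator. PLACEHOLDER ids for this example only.
ANNOT_FIELDS = [("SRC_AS_ANNOT", 40001, 4), ("DST_AS_ANNOT", 40002, 4), ("DIRECTION", 40003, 1)]
TEMPLATE_ID = 256          # data template ids start at 256 (0 and 1 are reserved for templates)
HEADER = "!HHIIII"         # version, count, sysUptime, unixSecs, sequence number, source id


def pack_value(name, length, value):
    """Encode one field: dotted quad for *_ADDR fields, big-endian integer otherwise."""
    if name.endswith("_ADDR"):
        return bytes(int(o) for o in value.split("."))
    return int(value).to_bytes(length, "big")


def template_flowset(fields, template_id=TEMPLATE_ID):
    """Template FlowSet (id 0): template id, field count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", fid, flen) for _, fid, flen in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(fields, records, template_id=TEMPLATE_ID):
    """Data FlowSet: FlowSet id = template id, records laid out per template, padded to 4."""
    body = b"".join(pack_value(n, l, rec[n]) for rec in records for n, _, l in fields)
    pad = (-len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\0" * pad


def build_packet(fields, records, seq=1, source_id=0, uptime=0, unix_secs=0):
    """One export packet: v9 header followed by the template and the data FlowSet."""
    count = 1 + len(records)                        # one template record plus the data records
    header = struct.pack(HEADER, 9, count, uptime, unix_secs, seq, source_id)
    return header + template_flowset(fields, TEMPLATE_ID) + data_flowset(fields, records, TEMPLATE_ID)


def decode(packet, known_fields=STD_FIELDS):
    """Decode records; field types not in known_fields are skipped by their template length."""
    names = {fid: name for name, fid, _ in known_fields}
    version, _count, *_ = struct.unpack(HEADER, packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fsid, length = struct.unpack("!HH", packet[off:off + 4])
        body = packet[off + 4:off + length]
        if fsid == 0:                                   # Template FlowSet: learn the templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
        elif fsid in templates:                         # Data FlowSet with a template we have seen
            tmpl = templates[fsid]
            rec_len = sum(flen for _, flen in tmpl)
            p = 0
            while rec_len and p + rec_len <= len(body):  # stops at the trailing padding
                rec = {}
                for fid, flen in tmpl:
                    raw, p = body[p:p + flen], p + flen
                    if fid in names:                    # unknown field types are stepped over
                        name = names[fid]
                        rec[name] = ".".join(map(str, raw)) if name.endswith("_ADDR") else int.from_bytes(raw, "big")
                records.append(rec)
        off += length                                   # unknown FlowSet ids are skipped as well
    return records


# Constructed annotated flow: the router's fields plus the annotator's additions.
ANNOTATED = {
    "IPV4_SRC_ADDR": "198.51.100.200", "IPV4_DST_ADDR": "203.0.113.5",
    "L4_SRC_PORT": 51234, "L4_DST_PORT": 443, "PROTOCOL": 6,
    "INPUT_SNMP": 14, "OUTPUT_SNMP": 10,
    "SRC_AS_ANNOT": 64502, "DST_AS_ANNOT": 64500, "DIRECTION": 1,   # 1 = leaving, in this example
}
ALL_FIELDS = STD_FIELDS + ANNOT_FIELDS

if __name__ == "__main__":
    pkt = build_packet(ALL_FIELDS, [ANNOTATED])
    print("legacy consumer:    ", decode(pkt))              # standard fields only
    print("annotation-aware:   ", decode(pkt, ALL_FIELDS))  # standard fields plus annotations
```

Because every field's length travels in the template rather than in the record, a receiver never has to understand a field type to move past it, which is exactly what lets the annotated export stay readable by tools that predate the annotations. Two operational caveats carry over from the base protocol: a data FlowSet is undecodable until its template has arrived (the decoder above silently drops such records, as real collectors do until the periodic template refresh), and annotations added to records from a source id the collector already knows should be sent under a new template id rather than by redefining the old one.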

Abstract

A scalable flow monitoring solution takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information. This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other, intelligent flow analysis. These annotations add information to the flow data, and can be used to perform value-added flow analysis. The annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco System Inc.'s NetFlow, in one implementation. This allows the annotated flow to be processed and the enhanced information to be used by other flow analysis tools and existing flow analysis infrastructure.

Description

    BACKGROUND OF THE INVENTION
  • Host computers, including servers and client computers, are typically interconnected to form computer networks. A computer network, and more generally a communications network, is a group of devices or network entities that are interconnected by one or more segments of transmission media on which communications are exchanged between those network entities. The communications can be transmitted electrically, including wireless links, or optically. The computer networks typically further comprise separate network communications devices, such as routers, switches, bridges, and hubs, for transmitting and relaying the communications between the network entities through the network's mesh.
  • Computer networks are typically classified by their size or by the type of entity that owns the network. Often, business organizations maintain large computer networks. These computer networks are referred to as enterprise networks. Enterprise networks are typically connected to other enterprise networks or home networks via service provider and public networks.
  • At the enterprise, service provider, and public network scale, network management systems are used to monitor networks. These systems can exist as stand-alone, dedicated systems or be embedded in network communications devices such as routers and switches. One specific example is NetFlow technology offered by Cisco Systems. Other tools include special-purpose systems, such as firewalls and other network security devices, that are typically used to manage the communications at boundaries between the networks.
  • One source of information for monitoring networks is flow information. This is defined as “a unidirectional sequence of packets with some common properties that pass through a network device.” Internet Engineering Task Force, RFC 3954. Flow records are often generated by the network devices. These are often digested information concerning individual network flows or groups of network flows sharing some common characteristic(s). The flow records often include, for example, internet protocol (IP) addresses, packet and byte counts, timestamps, Type of Service (ToS), application ports, input and output interfaces, to list a few examples. This information is available from Netflow technology, for example. Generally, computer network devices that generate flow records include, for example, routers, switches, firewalls, and hubs. In other examples, packet scanners/analyzers (e.g. Arbor Networks PEAKFLOW® threat management system (TMS)) are used. Flows may be collected and exported for analysis. Flow analysis is a central component of large-scale network management and service systems.
  • Network management systems allow the network administrators to apply policies. Policies are typically used to govern or dictate how entities are allowed to communicate over the network, generally called security policies. These policies can be applied to entities individually, by setting operating parameters of devices separately. Policy-based management systems have simplified configuration of devices by allowing administrators to define a policy and apply this policy across groups of network entities, generally.
  • A policy is a collection of rules. A rule, for example, can be defined to govern what traffic a particular firewall ignores or prevents a given address or device from accessing a particular service or network resource. The rules can be applied by routers that decide whether to forward packets from or to a particular address.
  • Network policies are often defined and applied based on flow information. Moreover, many products are available that attempt to correlate flow information with other data sources to provide value-added analysis. These types of analysis tools are now a central component of administering large communication networks. Such analysis facilitates the creation of higher level policies that facilitate the management of the network.
  • By way of additional background, the process for abstracting the dataflow between the network entities is typically articulated in the context of the OSI (Open Systems Interconnection) model communications stack. The lowest layer 1 describes physical layer functions such as the transmission of bits over the communication medium, activation/deactivation of the physical connection, use of idle conditions, control bit generation/detection, start and stop, and zero bit insertion. These functions are requested by data link layer 2 functions, which control the transmission of packets over a logical communications link. Other data link functions include establishing/releasing logical connections, error detection, correction, and recovery, in conjunction with the delimiting of transmitted packets.
  • At the next higher level of abstraction is the network layer 3. Functions here include the transfer of units or packets between two transport entities. Further, at this layer, routing through the network is determined, including segmenting or combining packets into smaller and larger data units, the establishment, maintenance, and relinquishment of end-to-end logical circuits, and the detection and recovery from errors. Network management activities often take place at the network layer and data link layer.
  • Then, transport layer 4 functions handle the transmission of complete messages between network entities. At this layer, sessions between the network entities are established and then taken down. This layer ensures the correct sequence of packets, partition, and combination of messages into packets, and the control of data flow to avoid network overload.
  • The session layer 5 organizes and synchronizes the dialog that takes place between applications running on network entities. This provides a one-to-one correspondence between a session connection and a presentation connection at a given time. It provides for session continuity, even when transport connections may fail.
  • Finally, at the two highest levels of abstraction, layers 6 and 7, the presentation layer provides independence from differences in data representation, such as encryption, by translating from application format to network format and back. The application layer supports application and end-user processes. User authentication and privacy are also considered here, and any constraints on data syntax are identified. At this layer, communication is application-specific.
  • SUMMARY OF THE INVENTION
  • The standard flow information that is available from network devices is limited, however. It would be desirable in computer networks to be able to add intelligence to standard network flow monitoring to implement new types of detection and analysis based on flow data.
  • The challenge has in the past been addressed, for example, by employing multiple flow analysis engines. Any additional information calculated about each flow is, however, used only internally by the flow analysis engine; this locally calculated flow information is not re-exported as part of the flow record. Alternatively, some products maintain separate data stores (e.g. a Border Gateway Protocol (BGP) routing table) that are distributed separately from the flow records. Any receiver then has to redo the work of correlating the flow and the BGP data, since available systems either distribute the original flow records and separately distribute the additional data, as described above, or simply keep the flow and other databases internally. Queries are allowed that perform flow matching against the other data at query time, and a report containing the resulting information about the flows can then be generated.
  • These solutions do not provide real-time flow information, nor is their information made available using existing flow export methods. Thus, these solutions are not nearly as scalable, and are much more restricted in the type of data they can provide. It also means that accessing the data they provide requires writing custom software, rather than being able to reuse existing flow collection and analysis infrastructure.
  • The present invention can be used to facilitate the creation of scalable flow monitoring solutions. The invention also demonstrates that there can be a reasonably low overhead for this approach.
  • An embodiment of the present invention takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information. This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other, intelligent flow analysis. These annotations add information to the flow data and can be used to perform value-added flow analysis. The annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco Systems Inc.'s NetFlow technology, version 9, in one implementation. This allows the annotated flow to be processed, and the enhanced information to be used, by other flow analysis tools and existing flow analysis infrastructure.
  • Various data sources may be used to annotate the flow. These can include but are not limited to BGP, SNMP, user configuration, raw packet analysis information (e.g. from Peakflow TMS), and other flow analysis information.
  • Advantages over existing systems include real-time data collection, scalability and intelligence. In contrast, currently used systems require data to be collected and analyzed after the fact, often accompanied by long delays between the sending of the original flow information from the network devices and the availability of the additional information generated by the flow analysis tools.
  • Furthermore, by reusing the existing flow export protocol and resending the flow with additional annotations, the added information can be incorporated into existing flow monitoring tools. Existing tools need not even be able to make sense of the information added to the flow by the present invention—they can still access the original data put in the flow record by the router.
  • Third, by resending flow to a configurable set of destinations, the same data are reused multiple times in different network monitors for different applications.
  • In general, according to one aspect, the invention features a method of processing network flow information. The method comprises receiving a flow record exported from a network device and annotating the flow with additional information.
  • In a common implementation, the network device is any of: a router, a switch, a firewall and a packet scanner/analyzer. Also, the method includes sending the annotated flow to a configurable set of destinations using standard flow formatting.
  • The additional information is derived, at least in part, from a BGP source, in one example. The source and destination addresses identified in the received flow record are looked up in the BGP routing information and the BGP attributes for the matching routes are added to the flow. In the same or other examples, the additional information is derived, at least in part, from a SNMP source. The flow record is annotated with information describing interfaces which saw the flow, including interface name and description, and a unique identifier that maps into a database of additional interface information.
  • The additional information can be derived, at least in part, from user configuration information. The flow record is annotated with information about traffic attributes which match user configuration. The additional information can also be derived, at least in part, from raw packet analysis. The flow record is annotated with information derived from raw traffic.
  • In general according to another aspect, the invention features a flow annotator. This annotator comprises a flow analysis engine which receives flow data from a network device, and which selects information from at least one source to be added to the flow data. A flow encoding and distribution engine is provided that annotates the flow data with the selected data to create an annotated flow, and that transmits the annotated flow to a configurable set of destinations comprising at least one of an additional flow annotator and a flow consumer.
  • The above and other features of the invention including various novel details of construction and combinations of parts, and other advantages, will now be more particularly described with reference to the accompanying drawings and pointed out in the claims. It will be understood that the particular method and device embodying the invention are shown by way of illustration and not as a limitation of the invention. The principles and features of this invention may be employed in various and numerous embodiments without departing from the scope of the invention.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • In the accompanying drawings, reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale; emphasis has instead been placed upon illustrating the principles of the invention. Of the drawings:
  • FIG. 1 is a block diagram of the inventive flow annotation system deployed within a network;
  • FIG. 2 is a schematic diagram of the flow annotating network monitor according to the present invention;
  • FIG. 3 is a flowchart showing the operation of flow annotating network monitor according to an embodiment of the present invention;
  • FIG. 4 is a schematic diagram illustrating a packet for transporting flow information;
  • FIG. 5 is a schematic diagram illustrating flow information in a packet;
  • FIG. 6 is a schematic diagram illustrating flowset information in a packet according to an embodiment of the present invention; and
  • FIG. 7 shows one concrete example of an annotated flow packet according to an embodiment of the present invention.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • FIG. 1 is a block diagram of a flow annotation system 100 deployed within a network 10 according to the principles of the present invention.
  • In more detail, network communication devices such as routers 12 a, 12 b and/or switches 18 collect flow information from the packets that are transmitted through the network 10 between other network communication devices, network nodes, and host computers. Flow information is also collected, in some examples, from packet monitors or taps 14 that are usually installed solely to monitor packet traffic. An example here is the Netflow Analyzer offered by Cisco Systems, Inc. Other exemplary sources of flow information include network security devices, e.g., firewalls 16, that apply security policies and monitor for malicious code/packets.
  • The flow information 103 from these collectors is forwarded to one or more network monitors 100 a, 100 b. In some examples, these network monitors 100 a, 100 b and other network monitors in the network, 100 c, 100 d, 100 e, function in a peer-to-peer relationship. Such a relationship is used to provide redundancy such that failure of any network monitor does not undermine the operation of other monitors. On the other hand, in some examples, master-slave relationships are defined in which one of the monitors 100 functions as master to other slave monitors. In still other examples, a separate monitor controller 102 is deployed.
  • Primarily, the network monitors 100 are used to monitor network activity based on the received flow information 103. In a general sense, the network monitors 100 a, 100 b analyze the flow to determine whether the network activity is in compliance with policies for the network 10. Such policies include network management policies related to traffic levels, for example, and network security policies related to maintaining the security of the network and protecting it against attacks, such as denial of service attacks, viruses, or worms.
  • According to aspects of the invention, the network monitors 100 a, 100 b further annotate the flow information with additional information derived from analysis of the flow information or internally generated information, such as configuration.
  • The network monitors 100 a, 100 b annotate the flow information and send the annotated flow information 107 to each other and also various flow consumers 109, which include additional flow annotating network monitors 100 c, 100 d and also possibly the controller 102.
  • The additional flow annotators 100 c, for example, output one or more further annotated flows 113 to further flow consumers and/or annotators 100 e, in one example.
  • FIG. 2 is a schematic diagram of the flow annotating network monitors 100 of FIG. 1. Here the monitor 100 is logically broken down into two functions: a flow analysis engine 201 and a flow encoding and distribution engine 203. Although shown separately, these two functions are often combined into a single operating module, implemented in hardware, software, or a combination thereof.
  • When the flow data 103 are received from the network devices 14, 16, 18, the network monitor 100 applies the available policies to the flow and analyzes the flow in terms of BGP, SNMP, its own configuration information, and other data sources, including one or more internally maintained databases 205.
  • The annotated flow is then encoded and distributed by the distribution engine 203 to various consumers of the flow information. A distribution list 207 identifies the entities that will receive the annotated flow information.
  • FIG. 3 is a flowchart showing the operation of the flow analysis engine 201 and the encoding and distribution engine 203 of the network monitor 100. One skilled in the art would recognize, however, that the steps relating to annotating the flow according to a given input, e.g., BGP, SNMP, etc., could be performed in a different order.
  • In step 301, flow data are received. In examples, these are standard flow records, for example from network communication devices such as routers 12 and switch 18 or other network devices 14, 16; alternatively, they are annotated flow records from another flow annotating monitor.
  • In step 303, if BGP information is available, then the source and destination addresses of the flow are looked up in the BGP routing information by the flow analysis engine 201 and the BGP attributes for the matching routes are added to the flow by the flow encoding and distribution engine 203.
  • Similarly, in step 305, if SNMP is available, then the flow analysis engine 201 identifies information about the interfaces that saw the flow in one example, including interface name and description, and a unique identifier that maps into a database of additional interface information. The flow encoding and distribution engine 203 then annotates the flow with the identified interface information.
  • In step 307, if raw packet analysis is available, then the flow data are preferably annotated with information about the raw traffic, including application identifier(s) based on layer 4-7 payload analysis, virtual local area network (VLAN) identifiers, and other information from the packet that would not normally be available in the original flow record.
  • In step 308, if user configuration is available, then the flow is annotated with information about traffic attributes that matched user configuration. For example, if the network administrator configured the network monitor 100 to match a specified IP address range to a user-readable identifier (name), then the source and/or destination of the flow is annotated to indicate that it matches that user-defined identifier.
  • In addition to the above data sources, the system performs its own flow analysis and annotates the flow with useful information in step 310. This information can include, for example, network topology information and/or signature detection.
  • For example, network topology information potentially includes information as to whether the flow is entering or leaving the network 10 at this point; whether the flow is entering or leaving through a peering edge or customer-facing interface; whether the flow is entering or leaving a customer site or other user-defined part of the network, etc. In other examples, the network topology information includes: 1) whether the flow belongs to a VPN (virtual private network); 2) if so, to which VPN the flow belongs; and 3) whether the flow is leaving or entering the VPN.
  • In other examples, the flow information is annotated with contents of the actual packets from raw packet inspection, including but not limited to universal resource locators (URLs) and other hypertext transport protocol (http) post information, voice and/or video call endpoints and setup information for voice over internet protocol (VOIP) and/or session initiation protocol (SIP) traffic, filenames or other information from peer to peer (P2P) and bittorrent traffic.
  • In examples where the flow information is annotated with network topology information, the annotation data includes whether the flow belongs to a VPN and is entering or leaving a particular VPN Site, whether the flow is entering or leaving through a paid transit or complementary peering link, for example.
  • In still other examples, the flow information is annotated with policy information. For example, the annotated data describes whether the flow matches a configured network traffic policy signature, or not, and identifies that signature.
  • Signature detection includes flags that indicate if the flow matches a known worm or denial of service (DOS) attack signature, or other signatures either auto-learned by the system or configured by the user.
  • Generally, any given flow may be annotated by any combination of the above information. The information chosen for annotation can be based on user configuration or automatically determined by the system based on that data that are available for the flow.
  • In step 312, the annotated flow is sent to a configurable set of destinations that often make use of both the original flow information and the flow annotations to do useful work, either by reporting on the flow information, detecting network problems, generating alerts, or other analysis.
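The annotation steps 303 to 310 above, carried out on one flow record, as an added example that is not the patent's own code: the routing information, interface table, customer ranges, signature table, the function names and the sample flow are all constructed for illustration.

```python
"""Flow annotation steps 303-310 applied to one standard flow record.

Added example, not the patent's code; annotate_flow and every table below
(routing information, interface table, customer ranges, signatures) are
constructed for illustration."""
import ipaddress

# Constructed BGP routing information: prefix -> attributes of the best route.
BGP_RIB = {
    "10.0.0.0/8":   {"peer_as": 64512, "origin_as": 64512},
    "10.1.0.0/16":  {"peer_as": 64513, "origin_as": 64600},
    "192.0.2.0/24": {"peer_as": 64514, "origin_as": 64700},
}
# Constructed SNMP interface table keyed by ifIndex (the INPUT_SNMP/OUTPUT_SNMP
# value a router exports): name, description, role and interface database ID.
IFACE_DB = {
    10: {"name": "ge-0/0/1", "descr": "peering to AS64513", "role": "peering", "gid": 1001},
    14: {"name": "ge-0/0/2", "descr": "customer acme", "role": "customer", "gid": 1002},
}
# Constructed user configuration: customer name -> configured address ranges.
CUSTOMERS = {"acme": ["10.1.0.0/16"], "globex": ["192.0.2.0/24"]}
# Constructed signature table: (IP protocol, destination port) -> worm signature ID.
WORM_SIGNATURES = {(6, 445): 7, (6, 135): 8}
# Constructed standard flow record as a router would export it (step 301).
SAMPLE_FLOW = {"src_addr": "192.0.2.10", "dst_addr": "10.1.2.3", "protocol": 6,
               "src_port": 51234, "dst_port": 445, "input_snmp": 10, "output_snmp": 14}


def bgp_lookup(addr):
    """Longest-prefix match of addr against BGP_RIB; returns the attributes or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, attrs in BGP_RIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attrs)
    return best[1] if best else None


def customer_match(addr):
    """Names of the configured customers whose address ranges contain addr."""
    ip = ipaddress.ip_address(addr)
    return sorted(name for name, ranges in CUSTOMERS.items()
                  if any(ip in ipaddress.ip_network(r) for r in ranges))


def annotate_flow(flow):
    """Return a copy of the flow record with the annotations of steps 303-310 added.
    The original fields are left untouched, as the re-exported flow keeps them."""
    out = dict(flow)
    # Step 303: BGP attributes of the routes matching source and destination.
    for side in ("src", "dst"):
        route = bgp_lookup(flow[side + "_addr"])
        if route:
            out[side + "_peer_as"] = route["peer_as"]
            out[side + "_origin_as"] = route["origin_as"]
    # Step 305: interface name and database ID for the interfaces that saw the flow.
    for side in ("input", "output"):
        iface = IFACE_DB.get(flow.get(side + "_snmp"))
        if iface:
            out[side + "_iface_name"] = iface["name"]
            out[side + "_iface_gid"] = iface["gid"]
    # Step 308: user configuration; here, customer address ranges on either end.
    out["customer_match"] = sorted(set(customer_match(flow["src_addr"]) +
                                       customer_match(flow["dst_addr"])))
    # Step 310: the monitor's own analysis. Topology: is the flow entering the
    # network from a peering edge toward a customer, or leaving it?
    in_role = IFACE_DB.get(flow.get("input_snmp"), {}).get("role")
    out_role = IFACE_DB.get(flow.get("output_snmp"), {}).get("role")
    if in_role == "peering" and out_role == "customer":
        out["direction"] = "entering"
    elif in_role == "customer" and out_role == "peering":
        out["direction"] = "leaving"
    else:
        out["direction"] = "internal"
    # Signature detection: flag the flow when it matches a known worm signature.
    sig = WORM_SIGNATURES.get((flow["protocol"], flow["dst_port"]))
    if sig is not None:
        out["worm_match"] = sig
    return out
```

Note that the destination address matches both 10.0.0.0/8 and 10.1.0.0/16; the longest-prefix rule picks the /16, as a router's own forwarding lookup would.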
  • This annotation and flow redistribution is preferably performed in real time. The annotated flows further preferably use a standard flow representation method to encode and send the annotated flows, such as the industry-standard NetFlow version 9 format, which is maintained by Cisco Systems Inc., which has also been implemented by Juniper, and which is related to IPFIX (RFC 3955). Annotated flows can thus be processed by standard flow analysis tools as well as by flow analyzers enhanced to make use of the additional annotations.
  • In one embodiment, the packets that carry the annotated flow information are implemented using NetFlow. According to one implementation, new "field type definitions" are added and populated with the exported annotated flow information.
  • In more detail, Netflow v9 information is sent in packets that contain header information and then one or more flow records.
  • All version 9 flow packets (including annotated flow packets) preferably use the standard header format defined by NetFlow v9, in one implementation.
  • In more detail, as shown in FIG. 4, the packet headers include the protocol (Netflow) version, record count, system uptime, a time stamp, sequence number and source identification.
  • FIG. 5 shows the flow information. That is, after the header, each packet contains one or more flow records in a FlowSet. Each FlowSet uses the following format: a FlowSet template ID indicating the format of the FlowSet, and a length. Then a series of records follows, each record containing N field values.
  • The content and format of these records is defined by a Netflow v9 template, which is sent periodically by the flow source using the Template FlowSet packet format. This is a standard packet format for NetFlow v9. Each template sent by a flow source is given a unique ID, which must be placed in the FlowSet Template ID field of a FlowSet packet, so that the receiver can know how to decode the FlowSet records.
  • The template defines which data fields are present in each FlowSet and in which order, what the values represent, and what size the values are. Some example field types that might be defined in a standard NetFlow v9 Template include:
  • Field Type       Field ID   Length   Description
    IPV4_SRC_ADDR    8          4        IPv4 Source Address
    IPV4_DST_ADDR    12         4        IPv4 Destination Address
    L4_SRC_PORT      7          2        TCP/UDP source port number
    L4_DST_PORT      11         2        TCP/UDP dest. port number
    PROTOCOL         4          1        IP Protocol
    INPUT_SNMP       10         2        Input interface SNMP index
    OUTPUT_SNMP      14         2        Output interface SNMP index
  • Based on the above template, FIG. 6 shows a sample FlowSet packet. (For readability, the size of the fields has been rounded up to 4 bytes, even though in actuality they may use different sizes).
  • According to one embodiment, annotated flow adds new field type definitions to represent the new information being added to the annotated flows. An annotated flow sender (see reference 100) sends out an annotated flow template using the standard flow template format and incorporating these new field types. The sender then sends annotated flows using the standard FlowSet format and incorporating the new information defined by the template definition. Example additional template field types are shown in the following table:
  • Field Type         Field ID   Length   Description
    SRC_PEER_AS        66         2        AS Number of source BGP peer
    INPUT_IFACE_GID    67         4        Reference ID of input interface in an interface database
    OUTPUT_IFACE_GID   68         2        Reference ID of output interface in an interface database
    CUSTOMER_MATCH_4   69         8        List of 4 customer IDs that matched the flow
    APPLICATION_ID     90         4        ID of flow's application based on packet inspection
    WORM_MATCH         91         4        ID of a worm signature which matched the flow
    HTTP_URL           92         256      URL contained by HTTP packets, based on packet inspection
  • Note that in many cases the value is defined as an identification. It is assumed that these identifications are well-known references to either a public or private database record, or based on a user-configured mapping (e.g. to a customer name).
  • FIG. 7 shows one concrete example of an annotated flow packet. It uses a flow template that was the concatenation of all template fields defined above, i.e. the “standard” flow template plus the example flow annotation fields. (Note that again, field sizes are shown in 4-byte multiples for readability, even though the actual packet may store some fields as a different size.)
  • The benefit of the above-described flow annotation approach is that all standard flow template fields can now be incorporated into annotated flow, and then additional template fields added to provide arbitrary information. When the flow is re-exported with the additional information, the ability of existing flow analysis software to decode and read the standard flow fields is not impacted. On the other hand, a scalable and flexible way to support new analysis software is provided, which can make use of both the standard and new flow annotation fields, from the same NetFlow v9 packet.
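The packet layout of FIGS. 4 to 7, as an added example that is not the patent's or Cisco's code: it builds a NetFlow v9 packet whose template is the concatenation of the standard fields and the annotation fields from the two tables above, then decodes it once as a consumer that knows only the standard field types and once as an annotation-aware consumer. The sample flow and the helper names are assumptions; the field IDs and lengths are the ones the tables give.

```python
"""Encode an annotated flow as a NetFlow v9 Template FlowSet plus Data FlowSet, then decode
it as a consumer that knows only the standard field types and as one that also knows the
annotation types. Added example, not code from the patent; field IDs and lengths are the
ones the two tables above give, the sample flow and helper names are constructed."""
import socket
import struct

NETFLOW_V9 = 9
TEMPLATE_FLOWSET_ID = 0
ANNOTATED_TEMPLATE_ID = 256  # data template IDs start at 256
# Standard NetFlow v9 field types from the first table: name -> (field ID, length).
STANDARD_FIELDS = {"IPV4_SRC_ADDR": (8, 4), "IPV4_DST_ADDR": (12, 4), "L4_SRC_PORT": (7, 2),
                   "L4_DST_PORT": (11, 2), "PROTOCOL": (4, 1), "INPUT_SNMP": (10, 2),
                   "OUTPUT_SNMP": (14, 2)}
# Annotation field types from the second table, with the IDs and lengths it gives.
ANNOTATION_FIELDS = {"SRC_PEER_AS": (66, 2), "INPUT_IFACE_GID": (67, 4),
                     "OUTPUT_IFACE_GID": (68, 2), "CUSTOMER_MATCH_4": (69, 8),
                     "APPLICATION_ID": (90, 4), "WORM_MATCH": (91, 4), "HTTP_URL": (92, 256)}
# The annotated template is the concatenation: standard fields first, then the new ones.
ANNOTATED_TEMPLATE = list(STANDARD_FIELDS.items()) + list(ANNOTATION_FIELDS.items())
# Constructed sample flow (documentation address ranges, private AS numbers).
SAMPLE_FLOW = {"IPV4_SRC_ADDR": "192.0.2.10", "IPV4_DST_ADDR": "10.1.2.3",
               "L4_SRC_PORT": 51234, "L4_DST_PORT": 80, "PROTOCOL": 6,
               "INPUT_SNMP": 10, "OUTPUT_SNMP": 14, "SRC_PEER_AS": 64514,
               "INPUT_IFACE_GID": 1001, "OUTPUT_IFACE_GID": 1002, "CUSTOMER_MATCH_4": [7, 12],
               "APPLICATION_ID": 80, "WORM_MATCH": 0, "HTTP_URL": b"http://www.example.com/"}


def encode_value(name, length, value):
    """Serialise one field value to exactly `length` bytes in network byte order."""
    if name.endswith("_ADDR"):
        return socket.inet_aton(value)
    if isinstance(value, bytes):                     # HTTP_URL: NUL-padded or truncated
        return value.ljust(length, b"\x00")[:length]
    if isinstance(value, (list, tuple)):             # CUSTOMER_MATCH_4: four 2-byte IDs
        return struct.pack("!4H", *(list(value) + [0, 0, 0, 0])[:4])
    return value.to_bytes(length, "big")


def decode_value(name, raw):
    if name.endswith("_ADDR"):
        return socket.inet_ntoa(raw)
    if name == "HTTP_URL":
        return raw.rstrip(b"\x00")
    if name == "CUSTOMER_MATCH_4":
        return list(struct.unpack("!4H", raw))
    return int.from_bytes(raw, "big")


def build_packet(flow, seq=1, source_id=1):
    """Return a NetFlow v9 packet: header, annotated Template FlowSet, one Data FlowSet."""
    # Template FlowSet: flowset ID 0, length, then template ID, field count, (type, len)*.
    tmpl = struct.pack("!HH", ANNOTATED_TEMPLATE_ID, len(ANNOTATED_TEMPLATE))
    tmpl += b"".join(struct.pack("!HH", t, l) for _n, (t, l) in ANNOTATED_TEMPLATE)
    tmpl_fs = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(tmpl)) + tmpl
    # Data FlowSet: flowset ID = template ID, length, the record, padding to 4 bytes.
    rec = b"".join(encode_value(n, l, flow[n]) for n, (_t, l) in ANNOTATED_TEMPLATE)
    pad = (-(4 + len(rec))) % 4
    data_fs = struct.pack("!HH", ANNOTATED_TEMPLATE_ID, 4 + len(rec) + pad) + rec + b"\x00" * pad
    # Header: version, record count (template + data), sysUptime, unix secs, sequence, source ID.
    header = struct.pack("!HHIIII", NETFLOW_V9, 2, 0, 0, seq, source_id)
    return header + tmpl_fs + data_fs


def decode_packet(packet, known_fields):
    """Decode the data records described by the templates in the packet. A field whose
    type is not in known_fields is skipped using the length from the template, so a
    consumer that knows only STANDARD_FIELDS still reads an annotated packet correctly."""
    if struct.unpack("!H", packet[:2])[0] != NETFLOW_V9:
        raise ValueError("not a NetFlow v9 packet")
    by_id = {t: n for n, (t, _l) in known_fields.items()}
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body, off = packet[off + 4:off + fs_len], off + fs_len
        pos = 0
        if fs_id == TEMPLATE_FLOWSET_ID:
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = list(struct.iter_unpack("!HH", body[pos:pos + 4 * nfields]))
                pos += 4 * nfields
        elif fs_id in templates:                     # data for an unknown template is skipped
            fields = templates[fs_id]
            rec_len = sum(l for _t, l in fields)
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for t, l in fields:
                    if t in by_id:
                        rec[by_id[t]] = decode_value(by_id[t], body[pos:pos + l])
                    pos += l                         # unknown type: skip by template length
                records.append(rec)
    return records
```

The standard-only decode returns the seven router fields and nothing else, which is the property the text relies on: the annotations ride in the same packet without breaking a consumer that has never heard of them.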
  • While this invention has been particularly shown and described with references to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention encompassed by the appended claims.

Claims (27)

1. A method of processing network flow information, comprising:
receiving a flow record exported from a network device; and
annotating the flow with additional information.
2. The method of claim 1, wherein the network device is any of: a router, a switch, a firewall and a packet scanner/analyzer.
3. The method of claim 1, further comprising sending the annotated flow to a configurable set of destinations.
4. The method of claim 1, wherein the additional information is derived, at least in part, from a BGP source.
5. The method of claim 4 wherein source and destination addresses identified in the received flow record are looked up in BGP routing information and BGP attributes for the matching routes are added to the flow.
6. The method of claim 1, wherein the additional information is derived, at least in part, from a SNMP source.
7. The method of claim 6 wherein the flow record is annotated with information describing interfaces which saw the flow, including interface name and description, and a unique identifier that maps into a database of additional interface information.
8. The method of claim 1, wherein the additional information is derived, at least in part, from user configuration information.
9. The method of claim 8 wherein the flow record is annotated with information about traffic attributes which match user configuration.
10. The method of claim 1, wherein the additional information is derived, at least in part, from raw packet analysis.
11. The method of claim 10 wherein the flow record is annotated with information derived from raw traffic.
12. The method of claim 11, wherein the information about raw traffic comprises at least one of: an application identifier based on payload analysis; and VLAN identifiers.
13. The method of claim 1, further comprising:
performing flow analysis;
annotating the received flow record, based on the flow analysis, with at least one of network topology information and signature detection.
14. The method of claim 1, wherein the method is performed in real-time.
15. A flow annotator comprising:
a flow analysis engine which receives flow data from a network device, and which selects information from at least one source to be added to the flow data; and
a flow encoding and distribution engine which annotates the flow data with the selected data to create an annotated flow, and which transmits the annotated flow to a configurable set of destinations comprising at least one of an additional flow annotator and a flow consumer.
16. The flow annotator of claim 15, wherein the network device is any of: a router, a switch, a firewall and a packet scanner/analyzer.
17. The flow annotator of claim 15, wherein the additional information is derived, at least in part, from a BGP source.
18. The flow annotator of claim 17 wherein source and destination addresses identified in the received flow record are looked up in BGP routing information and BGP attributes for the matching routes are added to the flow.
19. The flow annotator of claim 15, wherein the additional information is derived, at least in part, from a SNMP source.
20. The flow annotator of claim 19, wherein the flow record is annotated with information about interfaces which saw the flow, including interface name and description, and a unique identifier that maps into a database of additional interface information.
21. The flow annotator of claim 15, wherein the additional information is derived, at least in part, from user configuration information.
22. The flow annotator of claim 21 wherein the flow record is annotated with information about traffic attributes which match user configuration.
23. The flow annotator of claim 15, wherein the additional information is derived, at least in part, from raw packet analysis.
24. The flow annotator of claim 23 wherein the flow record is annotated with information derived from raw traffic.
25. The flow annotator of claim 24, wherein the information about raw traffic comprises at least one of: an application identifier based on layer 4-7 payload analysis; and VLAN identifiers.
26. The flow annotator of claim 15, wherein the received flow record is annotated, based on the flow analysis, with at least one of network topology information and signature detection.
27. The flow annotator of claim 15, wherein flow analysis and annotation are performed in real-time.
US11/967,130 2007-12-29 2007-12-29 Method and System for Annotating Network Flow Information Abandoned US20090168648A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US11/967,130 US20090168648A1 (en) 2007-12-29 2007-12-29 Method and System for Annotating Network Flow Information
US13/782,776 US8879415B2 (en) 2007-12-29 2013-03-01 Method and system for annotating network flow information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/967,130 US20090168648A1 (en) 2007-12-29 2007-12-29 Method and System for Annotating Network Flow Information

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/782,776 Continuation US8879415B2 (en) 2007-12-29 2013-03-01 Method and system for annotating network flow information

Publications (1)

Publication Number Publication Date
US20090168648A1 true US20090168648A1 (en) 2009-07-02

Family

ID=40798280

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/967,130 Abandoned US20090168648A1 (en) 2007-12-29 2007-12-29 Method and System for Annotating Network Flow Information
US13/782,776 Active 2028-01-13 US8879415B2 (en) 2007-12-29 2013-03-01 Method and system for annotating network flow information

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/782,776 Active 2028-01-13 US8879415B2 (en) 2007-12-29 2013-03-01 Method and system for annotating network flow information

Country Status (1)

Country Link
US (2) US20090168648A1 (en)

Cited By (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090228586A1 (en) * 2008-03-10 2009-09-10 Cisco Technology, Inc. Periodic exporting of information over a flow protocol
US20090327903A1 (en) * 2006-07-06 2009-12-31 Referentia Systems, Inc. System and Method for Network Topology and Flow Visualization
US20100138555A1 (en) * 2008-12-01 2010-06-03 At&T Corp. System and Method to Guide Active Participation in Peer-to-Peer Systems with Passive Monitoring Environment
US20100211668A1 (en) * 2009-02-13 2010-08-19 Alcatel-Lucent Optimized mirror for p2p identification
US20100271973A1 (en) * 2007-04-05 2010-10-28 Yong Lee System and method for estimating flow-specific traffic volumes
US20100325419A1 (en) * 2009-06-22 2010-12-23 Tushar Kanekar Systems and methods for encoding the core identifier in the session identifier
US20110058481A1 (en) * 2009-09-09 2011-03-10 Lee Chang-Yong Device and method for generating statistical information for voip traffic analysis and abnormal voip detection
US20110125748A1 (en) * 2009-11-15 2011-05-26 Solera Networks, Inc. Method and Apparatus for Real Time Identification and Recording of Artifacts
US20110149734A1 (en) * 2009-12-21 2011-06-23 Electronics And Telecommunications Research Institute Smart border router and method for transmitting flow using the same
US20110167149A1 (en) * 2010-01-06 2011-07-07 The Industry & Academic Cooperation In Chungnam National University Internet flow data analysis method using parallel computations
US8521732B2 (en) 2008-05-23 2013-08-27 Solera Networks, Inc. Presentation of an extracted artifact based on an indexing technique
US8614946B1 (en) 2013-06-07 2013-12-24 Sideband Networks Inc. Dynamic switch port monitoring
US8625642B2 (en) 2008-05-23 2014-01-07 Solera Networks, Inc. Method and apparatus of network artifact indentification and extraction
US8666985B2 (en) 2011-03-16 2014-03-04 Solera Networks, Inc. Hardware accelerated application-based pattern matching for real time classification and recording of network traffic
US20140126396A1 (en) * 2012-11-05 2014-05-08 Broadcom Corporation Annotated Tracing Driven Network Adaptation
US20140136680A1 (en) * 2012-11-09 2014-05-15 Citrix Systems, Inc. Systems and methods for appflow for datastream
US8849991B2 (en) 2010-12-15 2014-09-30 Blue Coat Systems, Inc. System and method for hypertext transfer protocol layered reconstruction
US20150043570A1 (en) * 2013-08-08 2015-02-12 Cisco Technology, Inc. Discovery of connectivity and compatibility in a communication network
US9100430B1 (en) 2014-12-29 2015-08-04 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US9276957B2 (en) 2009-06-22 2016-03-01 Citrix Systems, Inc. Systems and methods for handling SSL session not reusable across multiple cores
US20160105462A1 (en) * 2008-12-16 2016-04-14 At&T Intellectual Property I, L.P. Systems and Methods for Rule-Based Anomaly Detection on IP Network Flow
US20160255000A1 (en) * 2015-02-27 2016-09-01 Arista Networks, Inc. System and method for bgp sflow export
US9467455B2 (en) 2014-12-29 2016-10-11 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US9485263B2 (en) 2014-07-16 2016-11-01 Microsoft Technology Licensing, Llc Volatility-based classifier for security solutions
US9569232B1 (en) * 2013-02-19 2017-02-14 Amazon Technologies, Inc. Network traffic data in virtualized environments
US9619648B2 (en) 2014-07-16 2017-04-11 Microsoft Technology Licensing, Llc Behavior change detection system for services
US9648036B2 (en) 2014-12-29 2017-05-09 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US9680916B2 (en) 2013-08-01 2017-06-13 Flowtraq, Inc. Methods and systems for distribution and retrieval of network traffic records
US9906542B2 (en) 2015-03-30 2018-02-27 Microsoft Technology Licensing, Llc Testing frequency control using a volatility score
CN107864110A (en) * 2016-09-22 2018-03-30 中国电信股份有限公司 Botnet main control end detection method and device
WO2018122640A1 (en) * 2016-12-30 2018-07-05 Redsocks Security Holdings Bv System for preparing network traffic for fast analysis
US10110622B2 (en) 2015-02-13 2018-10-23 Microsoft Technology Licensing, Llc Security scanner
US20190104144A1 (en) * 2017-09-29 2019-04-04 Cisco Technology, Inc. Enhanced flow-based computer network threat detection
GB2567334A (en) * 2016-02-25 2019-04-10 Sas Inst Inc Cybersecurity system
US10554515B2 (en) * 2015-12-31 2020-02-04 Bright House Networks, Llc Customer premises network access device for displaying data usage
CN111131041A (en) * 2019-11-28 2020-05-08 中盈优创资讯科技有限公司 VPN flow obtaining method and device based on NetFlow and BGP
US20210152660A1 (en) * 2019-11-18 2021-05-20 International Business Machines Corporation Communication with an application flow in an integration system
RU2757597C1 (en) * 2018-07-18 2021-10-19 БИТДЕФЕНДЕР АйПиАр МЕНЕДЖМЕНТ ЛТД Systems and methods for reporting computer security incidents
US20210377133A1 (en) * 2020-05-28 2021-12-02 Axellio Inc. High Performance Packet Capture and Analytics Architecture
EP3934176A1 (en) * 2020-06-30 2022-01-05 Juniper Networks, Inc. Application flow monitoring
US11444855B2 (en) 2020-07-07 2022-09-13 Juniper Networks, Inc. System and method for determining a data flow path in an overlay network
US11658909B2 (en) * 2018-04-10 2023-05-23 Kentik Technologies, Inc. Analyzing network traffic by enriching inbound network flows with exit data
US11888738B2 (en) 2019-08-15 2024-01-30 Juniper Networks, Inc. System and method for determining a data flow path in an overlay network

Families Citing this family (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8964763B2 (en) * 2009-02-09 2015-02-24 Hewlett-Packard Development Company, L.P. Inter-router communication method and module
US10412550B2 (en) 2012-10-29 2019-09-10 T-Mobile Usa, Inc. Remote driving of mobile device diagnostic applications
US10313905B2 (en) 2012-10-29 2019-06-04 T-Mobile Usa, Inc. Contextual quality of user experience analysis using equipment dynamics
US10237144B2 (en) 2012-10-29 2019-03-19 T-Mobile Usa, Inc. Quality of user experience analysis
US9237474B2 (en) * 2012-10-29 2016-01-12 T-Mobile Usa, Inc. Network device trace correlation
US10952091B2 (en) 2012-10-29 2021-03-16 T-Mobile Usa, Inc. Quality of user experience analysis
US9538409B2 (en) 2012-10-29 2017-01-03 T-Mobile Usa, Inc. Quality of user experience analysis
US9286047B1 (en) 2013-02-13 2016-03-15 Cisco Technology, Inc. Deployment and upgrade of network devices in a network environment
US10374904B2 (en) 2015-05-15 2019-08-06 Cisco Technology, Inc. Diagnostic network visualization
US9800497B2 (en) 2015-05-27 2017-10-24 Cisco Technology, Inc. Operations, administration and management (OAM) in overlay data center environments
US10033766B2 (en) * 2015-06-05 2018-07-24 Cisco Technology, Inc. Policy-driven compliance
US9967158B2 (en) 2015-06-05 2018-05-08 Cisco Technology, Inc. Interactive hierarchical network chord diagram for application dependency mapping
US10089099B2 (en) 2015-06-05 2018-10-02 Cisco Technology, Inc. Automatic software upgrade
US10142353B2 (en) 2015-06-05 2018-11-27 Cisco Technology, Inc. System for monitoring and managing datacenters
US10536357B2 (en) 2015-06-05 2020-01-14 Cisco Technology, Inc. Late data detection in data center
US10171357B2 (en) 2016-05-27 2019-01-01 Cisco Technology, Inc. Techniques for managing software defined networking controller in-band communications in a data center network
US10931629B2 (en) 2016-05-27 2021-02-23 Cisco Technology, Inc. Techniques for managing software defined networking controller in-band communications in a data center network
US10289438B2 (en) 2016-06-16 2019-05-14 Cisco Technology, Inc. Techniques for coordination of application components deployed on distributed virtual machines
US10708183B2 (en) 2016-07-21 2020-07-07 Cisco Technology, Inc. System and method of providing segment routing as a service
US10904203B2 (en) * 2016-09-09 2021-01-26 Arbor Networks, Inc. Augmenting network flow with passive DNS information
US10972388B2 (en) 2016-11-22 2021-04-06 Cisco Technology, Inc. Federated microburst detection
US10708152B2 (en) 2017-03-23 2020-07-07 Cisco Technology, Inc. Predicting application and network performance
US10523512B2 (en) 2017-03-24 2019-12-31 Cisco Technology, Inc. Network agent for generating platform specific network policies
US10594560B2 (en) 2017-03-27 2020-03-17 Cisco Technology, Inc. Intent driven network policy platform
US10250446B2 (en) 2017-03-27 2019-04-02 Cisco Technology, Inc. Distributed policy store
US10764141B2 (en) 2017-03-27 2020-09-01 Cisco Technology, Inc. Network agent for reporting to a network policy system
US10873794B2 (en) 2017-03-28 2020-12-22 Cisco Technology, Inc. Flowlet resolution for application performance monitoring and management
US10680887B2 (en) 2017-07-21 2020-06-09 Cisco Technology, Inc. Remote device status audit and recovery
US10554501B2 (en) 2017-10-23 2020-02-04 Cisco Technology, Inc. Network migration assistant
US10523541B2 (en) 2017-10-25 2019-12-31 Cisco Technology, Inc. Federated network and application data analytics platform
US10594542B2 (en) 2017-10-27 2020-03-17 Cisco Technology, Inc. System and method for network root cause analysis
US11233821B2 (en) 2018-01-04 2022-01-25 Cisco Technology, Inc. Network intrusion counter-intelligence
US11765046B1 (en) 2018-01-11 2023-09-19 Cisco Technology, Inc. Endpoint cluster assignment and query generation
US10826803B2 (en) 2018-01-25 2020-11-03 Cisco Technology, Inc. Mechanism for facilitating efficient policy updates
US10798015B2 (en) 2018-01-25 2020-10-06 Cisco Technology, Inc. Discovery of middleboxes using traffic flow stitching
US10574575B2 (en) 2018-01-25 2020-02-25 Cisco Technology, Inc. Network flow stitching using middle box flow stitching
US10999149B2 (en) 2018-01-25 2021-05-04 Cisco Technology, Inc. Automatic configuration discovery based on traffic flow data
US10873593B2 (en) 2018-01-25 2020-12-22 Cisco Technology, Inc. Mechanism for identifying differences between network snapshots
US10917438B2 (en) 2018-01-25 2021-02-09 Cisco Technology, Inc. Secure publishing for policy updates
US11128700B2 (en) 2018-01-26 2021-09-21 Cisco Technology, Inc. Load balancing configuration based on traffic flow telemetry

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030039212A1 (en) * 2000-10-17 2003-02-27 Lloyd Michael A. Method and apparatus for the assessment and optimization of network traffic
US20050071469A1 (en) * 2003-09-26 2005-03-31 Mccollom William G. Method and system for controlling egress traffic load balancing between multiple service providers
US20070058631A1 (en) * 2005-08-12 2007-03-15 Microsoft Corporation Distributed network management
US20070168505A1 (en) * 2006-01-19 2007-07-19 Hewlett-Packard Development Company, L.P. Performance monitoring in a network
US20070226802A1 (en) * 2006-03-21 2007-09-27 Prem Gopalan Exploit-based worm propagation mitigation
US20090222924A1 (en) * 2006-03-02 2009-09-03 International Business Machines Corporation Operating a network monitoring entity
US7664114B1 (en) * 2001-10-30 2010-02-16 At&T Corp. Traffic matrix computation for packet networks
US20100110902A1 (en) * 2002-02-13 2010-05-06 At&T Intellectual Property Ii, L.P. Traffic Matrix Computation for a Backbone Network Supporting Virtual Private Networks

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7133365B2 (en) * 2001-11-02 2006-11-07 Internap Network Services Corporation System and method to provide routing control of information over networks
US7738859B2 (en) * 2005-03-10 2010-06-15 Interdigital Technology Corporation Multi-node communication system and method of requesting, reporting and collecting destination-node-based measurements and route-based measurements

Cited By (88)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9350622B2 (en) * 2006-07-06 2016-05-24 LiveAction, Inc. Method and system for real-time visualization of network flow within network device
US9246772B2 (en) 2006-07-06 2016-01-26 LiveAction, Inc. System and method for network topology and flow visualization
US9240930B2 (en) * 2006-07-06 2016-01-19 LiveAction, Inc. System for network flow visualization through network devices within network topology
US20130159865A1 (en) * 2006-07-06 2013-06-20 John Kei Smith Method and System for Real-Time Visualization of Network Flow within Network Device
US20130159864A1 (en) * 2006-07-06 2013-06-20 John Kei Smith System for Network Flow Visualization through Network Devices within Network Topology
US20090327903A1 (en) * 2006-07-06 2009-12-31 Referentia Systems, Inc. System and Method for Network Topology and Flow Visualization
US9003292B2 (en) * 2006-07-06 2015-04-07 LiveAction, Inc. System and method for network topology and flow visualization
US8284697B2 (en) * 2007-04-05 2012-10-09 Samsung Electronics Co. Ltd System and method for estimating flow-specific traffic volumes
US20100271973A1 (en) * 2007-04-05 2010-10-28 Yong Lee System and method for estimating flow-specific traffic volumes
US7941529B2 (en) * 2008-03-10 2011-05-10 Cisco Technology, Inc. Periodic exporting of information over a flow protocol
US20090228586A1 (en) * 2008-03-10 2009-09-10 Cisco Technology, Inc. Periodic exporting of information over a flow protocol
US8625642B2 (en) 2008-05-23 2014-01-07 Solera Networks, Inc. Method and apparatus of network artifact indentification and extraction
US8521732B2 (en) 2008-05-23 2013-08-27 Solera Networks, Inc. Presentation of an extracted artifact based on an indexing technique
US8959243B2 (en) * 2008-12-01 2015-02-17 At&T Intellectual Property Ii, L.P. System and method to guide active participation in peer-to-peer systems with passive monitoring environment
US20100138555A1 (en) * 2008-12-01 2010-06-03 At&T Corp. System and Method to Guide Active Participation in Peer-to-Peer Systems with Passive Monitoring Environment
US20160105462A1 (en) * 2008-12-16 2016-04-14 At&T Intellectual Property I, L.P. Systems and Methods for Rule-Based Anomaly Detection on IP Network Flow
US9680877B2 (en) * 2008-12-16 2017-06-13 At&T Intellectual Property I, L.P. Systems and methods for rule-based anomaly detection on IP network flow
US20100211668A1 (en) * 2009-02-13 2010-08-19 Alcatel-Lucent Optimized mirror for p2p identification
US8051167B2 (en) * 2009-02-13 2011-11-01 Alcatel Lucent Optimized mirror for content identification
US9654505B2 (en) 2009-06-22 2017-05-16 Citrix Systems, Inc. Systems and methods for encoding the core identifier in the session identifier
US20100325419A1 (en) * 2009-06-22 2010-12-23 Tushar Kanekar Systems and methods for encoding the core identifier in the session identifier
US9906556B2 (en) 2009-06-22 2018-02-27 Citrix Systems, Inc. Systems and methods for encoding the core identifier in the session identifier
US9276957B2 (en) 2009-06-22 2016-03-01 Citrix Systems, Inc. Systems and methods for handling SSL session not reusable across multiple cores
US20110058481A1 (en) * 2009-09-09 2011-03-10 Lee Chang-Yong Device and method for generating statistical information for voip traffic analysis and abnormal voip detection
US8259723B2 (en) * 2009-09-09 2012-09-04 Korea Internet & Security Agency Device and method for generating statistical information for VoIP traffic analysis and abnormal VoIP detection
US20110125748A1 (en) * 2009-11-15 2011-05-26 Solera Networks, Inc. Method and Apparatus for Real Time Identification and Recording of Artifacts
US20110149734A1 (en) * 2009-12-21 2011-06-23 Electronics And Telecommunications Research Institute Smart border router and method for transmitting flow using the same
US20110167149A1 (en) * 2010-01-06 2011-07-07 The Industry & Academic Cooperation In Chungnam National University Internet flow data analysis method using parallel computations
US8849991B2 (en) 2010-12-15 2014-09-30 Blue Coat Systems, Inc. System and method for hypertext transfer protocol layered reconstruction
US8666985B2 (en) 2011-03-16 2014-03-04 Solera Networks, Inc. Hardware accelerated application-based pattern matching for real time classification and recording of network traffic
US9178782B2 (en) * 2012-11-05 2015-11-03 Broadcom Corporation Annotated tracing driven network adaptation
US20140126396A1 (en) * 2012-11-05 2014-05-08 Broadcom Corporation Annotated Tracing Driven Network Adaptation
US20140136680A1 (en) * 2012-11-09 2014-05-15 Citrix Systems, Inc. Systems and methods for appflow for datastream
US9438488B2 (en) * 2012-11-09 2016-09-06 Citrix Systems, Inc. Systems and methods for appflow for datastream
US9569232B1 (en) * 2013-02-19 2017-02-14 Amazon Technologies, Inc. Network traffic data in virtualized environments
US10133591B2 (en) 2013-02-19 2018-11-20 Amazon Technologies, Inc. Network traffic data in virtualized environments
US8614946B1 (en) 2013-06-07 2013-12-24 Sideband Networks Inc. Dynamic switch port monitoring
US9917901B2 (en) 2013-08-01 2018-03-13 Flowtraq, Inc. Methods and systems for distribution and retrieval of network traffic records
US10397329B2 (en) 2013-08-01 2019-08-27 Riverbed Technology, Inc. Methods and systems for distribution and retrieval of network traffic records
US9680916B2 (en) 2013-08-01 2017-06-13 Flowtraq, Inc. Methods and systems for distribution and retrieval of network traffic records
US9590850B2 (en) * 2013-08-08 2017-03-07 Cisco Technology, Inc. Discovery of connectivity and compatibility in a communication network
US20150043570A1 (en) * 2013-08-08 2015-02-12 Cisco Technology, Inc. Discovery of connectivity and compatibility in a communication network
US9619648B2 (en) 2014-07-16 2017-04-11 Microsoft Technology Licensing, Llc Behavior change detection system for services
US9485263B2 (en) 2014-07-16 2016-11-01 Microsoft Technology Licensing, Llc Volatility-based classifier for security solutions
US9882925B2 (en) 2014-12-29 2018-01-30 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US9100430B1 (en) 2014-12-29 2015-08-04 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US9648036B2 (en) 2014-12-29 2017-05-09 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US9467455B2 (en) 2014-12-29 2016-10-11 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US10721263B2 (en) 2014-12-29 2020-07-21 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US9985983B2 (en) 2014-12-29 2018-05-29 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US10462175B2 (en) 2014-12-29 2019-10-29 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US10110622B2 (en) 2015-02-13 2018-10-23 Microsoft Technology Licensing, Llc Security scanner
US10574574B2 (en) 2015-02-27 2020-02-25 Arista Networks, Inc. System and method for BGP sFlow export
US20160255000A1 (en) * 2015-02-27 2016-09-01 Arista Networks, Inc. System and method for bgp sflow export
US9722925B2 (en) * 2015-02-27 2017-08-01 Arista Networks, Inc. System and method for BGP sFlow export
US9906542B2 (en) 2015-03-30 2018-02-27 Microsoft Technology Licensing, Llc Testing frequency control using a volatility score
US10554515B2 (en) * 2015-12-31 2020-02-04 Bright House Networks, Llc Customer premises network access device for displaying data usage
GB2567334A (en) * 2016-02-25 2019-04-10 Sas Inst Inc Cybersecurity system
GB2567335B (en) * 2016-02-25 2019-12-04 Sas Inst Inc Cybersecurity system
GB2567334B (en) * 2016-02-25 2019-12-04 Sas Inst Inc Cybersecurity system
GB2567335A (en) * 2016-02-25 2019-04-10 Sas Inst Inc Cybersecurity system
CN107864110A (en) * 2016-09-22 2018-03-30 中国电信股份有限公司 Botnet main control end detection method and device
JP2020503753A (en) * 2016-12-30 2020-01-30 ビットディフェンダー ネザーランズ ビー.ブイ. System to prepare network traffic for fast analysis
KR20190101374A (en) * 2016-12-30 2019-08-30 비트디펜더 네덜란드 비.브이. Network traffic preparation system for high speed analysis
US11184255B2 (en) * 2016-12-30 2021-11-23 Bitdefender Netherlands B.V. System for preparing network traffic for fast analysis
CN110100415A (en) * 2016-12-30 2019-08-06 比特梵德荷兰私人有限责任公司 System for network flow to be ready for quickly analyzing
WO2018122640A1 (en) * 2016-12-30 2018-07-05 Redsocks Security Holdings Bv System for preparing network traffic for fast analysis
IL267453B2 (en) * 2016-12-30 2023-05-01 Bitdefender Netherlands B V System for preparing network traffic for fast analysis
IL267453A (en) * 2016-12-30 2019-08-29 Bitdefender Netherlands B V System for preparing network traffic for fast analysis
KR102476126B1 (en) * 2016-12-30 2022-12-12 비트디펜더 네덜란드 비.브이. Network traffic preparation system for high-speed analysis
AU2017385032B2 (en) * 2016-12-30 2022-11-03 Bitdefender Netherlands B.V. System for preparing network traffic for fast analysis
JP7069173B2 (en) 2016-12-30 2022-05-17 ビットディフェンダー ネザーランズ ビー.ブイ. A system that prepares network traffic for fast analysis
RU2753189C2 (en) * 2016-12-30 2021-08-12 Битдефендер Незерлендс Б.В. System for preparing network traffic for quick analysis
US20190104144A1 (en) * 2017-09-29 2019-04-04 Cisco Technology, Inc. Enhanced flow-based computer network threat detection
US10855705B2 (en) * 2017-09-29 2020-12-01 Cisco Technology, Inc. Enhanced flow-based computer network threat detection
US11658909B2 (en) * 2018-04-10 2023-05-23 Kentik Technologies, Inc. Analyzing network traffic by enriching inbound network flows with exit data
RU2757597C1 (en) * 2018-07-18 2021-10-19 БИТДЕФЕНДЕР АйПиАр МЕНЕДЖМЕНТ ЛТД Systems and methods for reporting computer security incidents
US11184368B2 (en) * 2018-07-18 2021-11-23 Bitdefender IPR Management Ltd. Systems and methods for reporting computer security incidents
US11888738B2 (en) 2019-08-15 2024-01-30 Juniper Networks, Inc. System and method for determining a data flow path in an overlay network
US11082531B2 (en) * 2019-11-18 2021-08-03 International Business Machines Corporation Communication with an application flow in an integration system
US20210152660A1 (en) * 2019-11-18 2021-05-20 International Business Machines Corporation Communication with an application flow in an integration system
CN111131041A (en) * 2019-11-28 2020-05-08 中盈优创资讯科技有限公司 VPN flow obtaining method and device based on NetFlow and BGP
US11855861B2 (en) * 2020-05-28 2023-12-26 Axellio Inc. High performance packet capture and analytics architecture
US20210377133A1 (en) * 2020-05-28 2021-12-02 Axellio Inc. High Performance Packet Capture and Analytics Architecture
EP3934176A1 (en) * 2020-06-30 2022-01-05 Juniper Networks, Inc. Application flow monitoring
USD980845S1 (en) 2020-07-07 2023-03-14 Juniper Networks, Inc. Display screen with graphical user interface for a data flow path
US11444855B2 (en) 2020-07-07 2022-09-13 Juniper Networks, Inc. System and method for determining a data flow path in an overlay network
USD1018571S1 (en) 2020-07-07 2024-03-19 Juniper Networks, Inc. Display screen with graphical user interface for a data flow path

Also Published As

Publication number Publication date
US20130290521A1 (en) 2013-10-31
US8879415B2 (en) 2014-11-04

Similar Documents

Publication Publication Date Title
US8879415B2 (en) Method and system for annotating network flow information
US10904203B2 (en) Augmenting network flow with passive DNS information
EP3695568B1 (en) Systems and methods for controlling switches to record network packets using a traffice monitoring network
US7937755B1 (en) Identification of network policy violations
EP3151470B1 (en) Analytics for a distributed network
US10454891B2 (en) Context-aware network and situation management for crypto-partitioned networks
US7769851B1 (en) Application-layer monitoring and profiling network traffic
US7810151B1 (en) Automated change detection within a network environment
Arregoces et al. Data center fundamentals
US8146160B2 (en) Method and system for authentication event security policy generation
EP2241058B1 (en) Method for configuring acls on network device based on flow information
US11546266B2 (en) Correlating discarded network traffic with network policy events through augmented flow
US20110296005A1 (en) Method and system for monitoring control signal traffic over a computer network
US11190417B2 (en) Methods, systems, and computer readable media for processing network flow metadata at a network packet broker
Kobayashi et al. IP flow information export (IPFIX) mediation: Problem statement
Lu et al. A novel path‐based approach for single‐packet IP traceback
US9055113B2 (en) Method and system for monitoring flows in network traffic
US20100202466A1 (en) Inter-router communication method and module
CN108040007A (en) A kind of alternate routing link-quality monitoring method and system
CN111698110A (en) Network equipment performance analysis method, system, equipment and computer medium
Kobayashi et al. IP flow information export (IPFIX) mediation: Framework
Schudel et al. Router security strategies: Securing IP network traffic planes
KR101200875B1 (en) Method and system for light-weight soap transport for web services based management
Hadem et al. I-SMITE: an IP traceback mechanism for inter-AS SDN networks using BGP
Bao et al. Scalable application-specific measurement framework for high performance network video

Legal Events

Date Code Title Description
AS Assignment

Owner name: ARBOR NETWORKS, INC., MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LABOVITZ, CRAIG;EGGLESTON, JOSEPH;IEKEL-JOHNSON, SCOTT;REEL/FRAME:020531/0761

Effective date: 20080212

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION