公开(公告)号：US11637762B2

公开(公告)日：2023-04-25

申请号：US17110100

申请日：2020-12-02

Applicant: Cisco Technology, Inc.

Inventor： Ellen Christine Scheib ,  Ali Parandehgheibi ,  Omid Madani ,  Vimalkumar Jeyakumar ,  Navindra Yadav ,  Mohammadreza Alizadeh Attar

IPC: H04L43/045 ,  G06F3/0482 ,  H04L41/046 ,  H04L9/40 ,  G06F9/455 ,  G06N20/00 ,  G06F21/55 ,  G06F21/56 ,  G06F16/28 ,  G06F16/2457 ,  G06F16/248 ,  G06F16/29 ,  G06F16/16 ,  G06F16/17 ,  G06F16/11 ,  G06F16/13 ,  G06F16/174 ,  G06F16/23 ,  G06F16/9535 ,  G06N99/00 ,  H04L9/32 ,  H04L41/0668 ,  H04L43/0805 ,  H04L43/0811 ,  H04L43/0852 ,  H04L43/106 ,  H04L45/00 ,  H04L45/50 ,  H04L67/12 ,  H04L43/026 ,  H04L61/5007 ,  H04L67/01 ,  H04L67/51 ,  H04L67/75 ,  H04L67/1001 ,  H04L43/062 ,  H04L43/10 ,  H04L47/2441 ,  H04L41/0893 ,  H04L43/08 ,  H04L43/04 ,  H04W84/18 ,  H04L67/10 ,  H04L43/0876 ,  H04L41/12 ,  H04L41/16 ,  H04L41/0816 ,  G06F21/53 ,  H04L41/22 ,  G06F3/04842 ,  G06F3/04847 ,  H04L41/0803 ,  H04L43/0829 ,  H04L43/16 ,  H04L1/24 ,  H04W72/08 ,  H04L9/08 ,  H04J3/06 ,  H04J3/14 ,  H04L47/20 ,  H04L47/32 ,  H04L43/0864 ,  H04L47/11 ,  H04L69/22 ,  H04L45/74 ,  H04L47/2483 ,  H04L43/0882 ,  H04L41/0806 ,  H04L43/0888 ,  H04L43/12 ,  H04L47/31 ,  G06T11/20 ,  H04L43/02 ,  H04L47/28 ,  H04L69/16 ,  H04L45/302 ,  H04L67/50

Abstract: Systems and methods are provided for automatically discovering applications/clusters in a network and mapping dependencies between the applications/clusters. A network monitoring system can capture network flow data using sensors executing on physical and/or virtual servers of the network and sensors executing on networking devices connected to the servers. The system can determine a graph including nodes, representing at least the servers, and edges, between pairs of the nodes of the graph indicating the network flow data includes one or more observed flows between pairs of the servers represented by the pairs of the nodes. The system can determine a dependency map, including representations of clusters of the servers and representations of dependencies between the clusters, based on the graph. The system can display a first representation of a first cluster of the dependency map and information indicating a confidence level of identifying the first cluster.

公开(公告)号：US11528228B2

公开(公告)日：2022-12-13

申请号：US17007526

申请日：2020-08-31

Applicant: Cisco Technology, Inc.

Inventor： Mohammadreza Alizadeh Attar ,  Thomas J. Edsall ,  Sarang M. Dharmapurikar ,  Janakiramanan Vaidyanathan

IPC: H04L47/125 ,  H04L45/00

Abstract: In accordance with one embodiment, a source leaf device receives a packet. The source leaf device identifies a flowlet associated with the packet and a destination leaf device to which the packet is to be transmitted. The source leaf device may determine whether the flowlet is a new flowlet. The source leaf device may select an uplink of the source leaf device via which to transmit the flowlet to the destination leaf device according to whether the flowlet is a new flowlet. The source leaf device may then transmit the packet to the destination leaf device via the uplink.

公开(公告)号：US11496377B2

公开(公告)日：2022-11-08

申请号：US16846149

申请日：2020-04-10

Applicant: Cisco Technology, Inc.

Inventor： Navindra Yadav ,  Mohammadreza Alizadeh Attar ,  Shashidhar Gandham ,  Jackson Ngoc Ki Pang ,  Roberto Fernando Spadaro

IPC: H04L29/06 ,  H04L43/045 ,  H04L9/40 ,  G06F9/455 ,  G06N20/00 ,  G06F21/55 ,  G06F21/56 ,  G06F16/28 ,  G06F16/2457 ,  G06F16/248 ,  G06F16/29 ,  G06F16/16 ,  G06F16/17 ,  G06F16/11 ,  G06F16/13 ,  G06F16/174 ,  G06F16/23 ,  G06F16/9535 ,  G06N99/00 ,  H04L9/32 ,  H04L41/0668 ,  H04L43/0805 ,  H04L43/0811 ,  H04L43/0852 ,  H04L43/106 ,  H04L45/00 ,  H04L45/50 ,  H04L67/12 ,  H04L43/026 ,  H04L61/5007 ,  H04L67/01 ,  H04L67/51 ,  H04L67/75 ,  H04L67/1001 ,  H04L43/062 ,  H04L43/10 ,  H04L47/2441 ,  H04L41/0893 ,  H04L43/08 ,  H04L43/04 ,  H04W84/18 ,  H04L67/10 ,  H04L41/046 ,  H04L43/0876 ,  H04L41/12 ,  H04L41/16 ,  H04L41/0816 ,  G06F21/53 ,  H04L41/22 ,  G06F3/04842 ,  G06F3/04847 ,  H04L41/0803 ,  H04L43/0829 ,  H04L43/16 ,  H04L1/24 ,  H04W72/08 ,  H04L9/08 ,  H04J3/06 ,  H04J3/14 ,  H04L47/20 ,  H04L47/32 ,  H04L43/0864 ,  H04L47/11 ,  H04L69/22 ,  H04L45/74 ,  H04L47/2483 ,  H04L43/0882 ,  H04L41/0806 ,  H04L43/0888 ,  H04L43/12 ,  H04L47/31 ,  G06F3/0482 ,  G06T11/20 ,  H04L43/02 ,  H04L47/28 ,  H04L69/16 ,  H04L45/302 ,  H04L67/50

Abstract: An approach for detecting anomalous flows in a network using header field entropy. This can be useful in detecting anomalous or malicious traffic that may attempt to “hide” or inject itself into legitimate flows. A malicious endpoint might attempt to send a control message in underutilized header fields or might try to inject illegitimate data into a legitimate flow. These illegitimate flows will likely demonstrate header field entropy that is higher than legitimate flows. Detecting anomalous flows using header field entropy can help detect malicious endpoints.

公开(公告)号：US10972388B2

公开(公告)日：2021-04-06

申请号：US15359511

申请日：2016-11-22

Applicant: Cisco Technology, Inc.

Inventor： Navindra Yadav ,  Mohammadreza Alizadeh Attar ,  Shashi Gandham ,  Abhishek Singh ,  Shih-Chun Chang

IPC: H04L12/721 ,  H04L12/26 ,  H04L12/24

Abstract: An example method includes a sensor detecting multiple packets of a flow during a specified total time period (e.g., a reporting time period). The total time period can be subdivided into multiple time periods. The sensor can analyze the detected packets to determine an amount of network utilization for each of the time periods. The sensor can then generate a flow summary based on the network utilization and the flow and send the flow summary to an analytics engine. Multiple other sensors can do similarly for their respective packets and flows. The analytics engine can receive the flow summaries from the various sensors and determine a correspondence between flow with high network utilization at a specific time period and a node or nodes. These nodes that experienced multiple flows with high network utilization for a certain period of time can be identified as experiencing a microburst.

公开(公告)号：US10516585B2

公开(公告)日：2019-12-24

申请号：US15140376

申请日：2016-04-27

Applicant: Cisco Technology, Inc.

Inventor： Ali Parandehgheibi ,  Omid Madani ,  Vimalkumar Jeyakumar ,  Ellen Christine Scheib ,  Navindra Yadav ,  Mohammadreza Alizadeh Attar

IPC: H04L12/24 ,  G06F17/30 ,  H04L12/26 ,  H04L29/06 ,  G06F9/455 ,  G06N20/00 ,  G06F16/29 ,  G06F16/248 ,  G06F16/28 ,  G06F16/9535 ,  G06F16/2457 ,  H04L12/851 ,  H04W84/18 ,  H04L29/08 ,  G06F21/53 ,  H04L12/723 ,  G06F3/0484 ,  H04L1/24 ,  H04W72/08 ,  H04L9/08 ,  H04L9/32 ,  H04J3/06 ,  H04J3/14 ,  H04L29/12 ,  H04L12/813 ,  H04L12/823 ,  H04L12/801 ,  H04L12/741 ,  H04L12/833 ,  H04L12/721 ,  G06F3/0482 ,  G06T11/20 ,  H04L12/841 ,  H04L12/725 ,  H04L12/715 ,  G06F21/55 ,  G06F21/56 ,  G06F16/16 ,  G06F16/17 ,  G06F16/11 ,  G06F16/13 ,  G06N99/00 ,  G06F16/174 ,  G06F16/23

Abstract: This disclosure generally relate to a method and system for mapping network information. The present technology relates techniques that enable full-scale, dynamic network mapping of a network system. By collecting network and computing data using built-in sensors, the present technology can provide network information for system monitoring and maintenance. According to some embodiments, the present technology enables generating and displaying of network connections and data processing statistics related to numerous nodes in a network. The present technology provides useful insights and actionable knowledge for network monitoring, security, and maintenance, via intelligently summarizing and effectively displaying the complex network communications and processes of a network.

公开(公告)号：US10230597B2

公开(公告)日：2019-03-12

申请号：US15174032

申请日：2016-06-06

Applicant: Cisco Technology, Inc.

Inventor： Ali Parandehgheibi ,  Mohammadreza Alizadeh Attar ,  Omid Madani ,  Vimalkumar Jeyakumar ,  Ellen Christine Scheib ,  Navindra Yadav

IPC: G06F15/167 ,  H04L12/26 ,  H04L29/06 ,  G06F9/455 ,  G06F17/30 ,  H04L12/851 ,  H04L12/24 ,  H04W84/18 ,  H04L29/08 ,  G06N99/00 ,  G06F21/53 ,  H04L12/723 ,  G06F3/0484 ,  H04L1/24 ,  H04W72/08 ,  H04L9/08 ,  H04L9/32 ,  H04J3/06 ,  H04J3/14 ,  H04L29/12 ,  H04L12/813 ,  H04L12/823 ,  H04L12/801 ,  H04L12/741 ,  H04L12/833 ,  H04L12/721 ,  G06F3/0482 ,  G06T11/20 ,  H04L12/841 ,  H04L12/725 ,  H04L12/715 ,  G06F21/55 ,  G06F21/56

Abstract: Application dependency mapping can be automated in a network. The network can capture traffic data for flows passing through the network using a sensor network that provides multiple perspectives for the traffic. The network can analyze the traffic data to identify endpoints of the network. The network can also identify particular network configurations from the traffic data, such as a load balancing schema or a subnetting schema. The network can partition the endpoints based on the network configuration(s) and perform similarity measurements of endpoints in each partition to determine clusters of each partition. The clusters can make up nodes of an application dependency map, and relationships between and among the clusters can make up edges of the application dependency map.

公开(公告)号：US10177998B2

公开(公告)日：2019-01-08

申请号：US15173210

申请日：2016-06-03

Applicant: Cisco Technology, Inc.

Inventor： Ali Parandehgheibi ,  Mohammadreza Alizadeh Attar ,  Omid Madani ,  Vimalkumar Jeyakumar ,  Ellen Christine Scheib ,  Navindra Yadav

IPC: H04L12/26 ,  H04L29/06 ,  G06F9/455 ,  G06F17/30 ,  H04L12/851 ,  H04L12/24 ,  H04W84/18 ,  H04L29/08 ,  G06N99/00 ,  G06F21/53 ,  H04L12/723 ,  G06F3/0484 ,  H04L1/24 ,  H04W72/08 ,  H04L9/08 ,  H04L9/32 ,  H04J3/06 ,  H04J3/14 ,  H04L29/12 ,  H04L12/813 ,  H04L12/823 ,  H04L12/801 ,  H04L12/741 ,  H04L12/833 ,  H04L12/721 ,  G06F3/0482 ,  G06T11/20 ,  H04L12/841 ,  H04L12/725 ,  H04L12/715 ,  G06F21/55 ,  G06F21/56

Abstract: Flow data can be augmented with features or attributes from other domains, such as attributes from a source host and/or destination host of a flow, a process initiating the flow, and/or a process owner or user. A network can be configured to capture network or packet header attributes of a first flow and determine additional attributes of the first flow using a sensor network. The sensor network can include sensors for networking devices (e.g., routers, switches, network appliances), physical servers, hypervisors or container engines, and virtual partitions (e.g., virtual machines or containers). The network can calculate a feature vector including the packet header attributes and additional attributes to represent the first flow. The network can compare the feature vector of the first flow to respective feature vectors of other flows to determine an applicable policy, and enforce that policy for subsequent flows.

公开(公告)号：US09832122B2

公开(公告)日：2017-11-28

申请号：US14490596

申请日：2014-09-18

Applicant: Cisco Technology, Inc.

Inventor： Sarang M. Dharmapurikar ,  Mohammadreza Alizadeh Attar ,  Kit Chiu Chu ,  Francisco M. Matus ,  Adam Hutchin ,  Janakiramanan Vaidyanathan

IPC: H04L12/743

CPC classification number: H04L45/7453

Abstract: Apparatus, systems and methods may be used to monitor data flows and to select and track particularly large data flows. A method of tracking data flows and identifying large-data (“elephant”) flows comprises extracting fields from a packet of data to construct a flow key, computing a hash value on the flow key to provide a hashed flow signature, entering and/or comparing the hashed flow signature with entries in a flow hash table. Each hash table entry includes a byte count for a respective flow. When the byte count for a flow exceeds a threshold value, the flow is added to a large-data flow (“elephant”) table and the flow is then tracked in the large-data flow table.

公开(公告)号：US09716665B2

公开(公告)日：2017-07-25

申请号：US14472148

申请日：2014-08-28

Applicant: Cisco Technology, Inc.

Inventor： Mohammadreza Alizadeh Attar ,  Navindra Yadav ,  Satyam Sinha ,  Thomas J. Edsall ,  Kit Chiu Chu

IPC: H04L12/863 ,  H04L12/937 ,  H04L29/08 ,  H04L29/12 ,  H04L29/06 ,  H04L12/413 ,  H04L12/741 ,  H04L12/947 ,  H04L12/803 ,  H04L12/743 ,  H04L12/875

CPC classification number: H04L47/50 ,  H04L45/74 ,  H04L45/7453 ,  H04L47/125 ,  H04L47/56 ,  H04L49/25 ,  H04L49/254 ,  H04L61/103 ,  H04L61/2084 ,  H04L61/6004 ,  H04L61/6095 ,  H04L67/22 ,  H04L67/322 ,  H04L69/167 ,  H04L69/22

Abstract: Various embodiments of the present disclosure provide methods for randomly mapping entries in a suitable lookup table across multiple switch devices and/or multiple switch chipsets in each of the multiple switch devices by using two or more independent hash functions. In some embodiments, the number of entries in the lookup table is equal to be the least common multiple of all possible M (i.e., a number of switch devices) choosing R values (i.e., a desired redundancy level).

公开(公告)号：US20160359881A1

公开(公告)日：2016-12-08

申请号：US15173489

申请日：2016-06-03

Applicant: Cisco Technology, Inc.

Inventor： Navindra Yadav ,  Mohammadreza Alizadeh Attar ,  Shashidhar Gandham ,  Jackson Ngoc Ki Pang ,  Roberto Fernando Spadaro

IPC: H04L29/06

CPC classification number: H04L43/045 ,  G06F3/0482 ,  G06F3/04842 ,  G06F3/04847 ,  G06F9/45558 ,  G06F16/122 ,  G06F16/137 ,  G06F16/162 ,  G06F16/17 ,  G06F16/173 ,  G06F16/174 ,  G06F16/1744 ,  G06F16/1748 ,  G06F16/2322 ,  G06F16/235 ,  G06F16/2365 ,  G06F16/24578 ,  G06F16/248 ,  G06F16/285 ,  G06F16/288 ,  G06F16/29 ,  G06F16/9535 ,  G06F21/53 ,  G06F21/552 ,  G06F21/566 ,  G06F2009/4557 ,  G06F2009/45587 ,  G06F2009/45591 ,  G06F2009/45595 ,  G06F2221/033 ,  G06F2221/2101 ,  G06F2221/2105 ,  G06F2221/2111 ,  G06F2221/2115 ,  G06F2221/2145 ,  G06N20/00 ,  G06N99/00 ,  G06T11/206 ,  H04J3/0661 ,  H04J3/14 ,  H04L1/242 ,  H04L9/0866 ,  H04L9/3239 ,  H04L9/3242 ,  H04L41/046 ,  H04L41/0668 ,  H04L41/0803 ,  H04L41/0806 ,  H04L41/0816 ,  H04L41/0893 ,  H04L41/12 ,  H04L41/16 ,  H04L41/22 ,  H04L43/02 ,  H04L43/04 ,  H04L43/062 ,  H04L43/08 ,  H04L43/0805 ,  H04L43/0811 ,  H04L43/0829 ,  H04L43/0841 ,  H04L43/0858 ,  H04L43/0864 ,  H04L43/0876 ,  H04L43/0882 ,  H04L43/0888 ,  H04L43/10 ,  H04L43/106 ,  H04L43/12 ,  H04L43/16 ,  H04L45/306 ,  H04L45/38 ,  H04L45/46 ,  H04L45/507 ,  H04L45/66 ,  H04L45/74 ,  H04L47/11 ,  H04L47/20 ,  H04L47/2441 ,  H04L47/2483 ,  H04L47/28 ,  H04L47/31 ,  H04L47/32 ,  H04L61/2007 ,  H04L63/0227 ,  H04L63/0263 ,  H04L63/06 ,  H04L63/0876 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/145 ,  H04L63/1458 ,  H04L63/1466 ,  H04L63/16 ,  H04L63/20 ,  H04L67/10 ,  H04L67/1002 ,  H04L67/12 ,  H04L67/16 ,  H04L67/22 ,  H04L67/36 ,  H04L67/42 ,  H04L69/16 ,  H04L69/22 ,  H04W72/08 ,  H04W84/18

Abstract: An approach for detecting anomalous flows in a network using header field entropy. This can be useful in detecting anomalous or malicious traffic that may attempt to “hide” or inject itself into legitimate flows. A malicious endpoint might attempt to send a control message in underutilized header fields or might try to inject illegitimate data into a legitimate flow. These illegitimate flows will likely demonstrate header field entropy that is higher than legitimate flows. Detecting anomalous flows using header field entropy can help detect malicious endpoints.

Abstract translation: 一种使用头域熵来检测网络中的异常流的方法。 这可以用于检测可能尝试“隐藏”或将其注入合法流中的异常或恶意流量。 恶意端点可能会尝试在未充分利用的标题字段中发送控制消息，或尝试将非法数据注入合法流。 这些非法流量可能会显示比合法流量高的头部场熵。 使用头域熵检测异常流可以帮助检测恶意端点。