公开(公告)号：US20110013525A1

公开(公告)日：2011-01-20

申请号：US12460113

申请日：2009-07-14

Applicant: Lee Breslau ,  Amogh Dhamdhere ,  Nicholas Duffield ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

Inventor： Lee Breslau ,  Amogh Dhamdhere ,  Nicholas Duffield ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

IPC: H04L12/26 ,  H04L12/56

CPC classification number: H04L43/18 ,  H04L43/062 ,  H04L45/70

Abstract: Statistical methods are used to observe packet flow arrival processes and to infer routing changes from those observations. Packet flow arrivals are monitored using NetFlow or another packet flow monitoring arrangement. Packet flow arrivals are quantified by counting arrivals per unit time, or by measuring an inter-arrival time between flows. When a change in packet flow arrivals is determined to be statistically significant, a change in network routing protocol is reported.

Abstract translation: 统计方法用于观察分组流到达过程，并从这些观察中推断出路由变化。 使用NetFlow或另一个分组流监视装置来监视分组流到达。 通过对每单位时间的到达时间进行计数，或通过测量流之间的到达之间的时间来量化分组流到达。 当分组流到达的变化被确定为具有统计学意义时，报告了网络路由协议的变化。

公开(公告)号：US08477772B2

公开(公告)日：2013-07-02

申请号：US12335868

申请日：2008-12-16

Applicant: Alexandre Gerber ,  Lee Breslau ,  Subhabrata Sen ,  Nicholas Duffield ,  Carsten Lund ,  Cheng Ee ,  Amogh Dhamdhere

Inventor： Alexandre Gerber ,  Lee Breslau ,  Subhabrata Sen ,  Nicholas Duffield ,  Carsten Lund ,  Cheng Ee ,  Amogh Dhamdhere

IPC: H04L12/56

CPC classification number: H04L12/56 ,  H04L41/12 ,  H04L45/70

Abstract: A system and method to use network flow records to generate information about changes in network routing and to understand the impact of these changes on network traffic. The inferences made can be determinative, if sufficient information is available. If sufficient information is not available to make determinative inferences, inferences may be made that narrow the range of possible changes that may have occurred to network traffic and the underlying network.

Abstract translation: 一种使用网络流记录生成有关网络路由更改的信息并了解这些更改对网络流量的影响的系统和方法。 如果有足够的信息可用，所做的推论可以是决定性的。 如果没有足够的信息可用于作出决定性推论，可以推测可能缩小网络流量和底层网络可能发生的可能变化的范围。

公开(公告)号：US08111626B2

公开(公告)日：2012-02-07

申请号：US12347444

申请日：2008-12-31

Applicant: Aman Shaikh ,  Cheng Ee ,  Ajay Mahimkar ,  Jia Wang ,  Jennifer Yates ,  Yin Zhang ,  Zihui Ge

Inventor： Aman Shaikh ,  Cheng Ee ,  Ajay Mahimkar ,  Jia Wang ,  Jennifer Yates ,  Yin Zhang ,  Zihui Ge

IPC: H04L12/26 ,  G01R31/08 ,  H04J1/16

CPC classification number: H04L41/0631

Abstract: A method and apparatus for providing event correlation in a network are disclosed. For example, the method extracts a plurality of events of interest from a database, and creates one or more event time series from the plurality of events of interest, wherein each of the one or more event time series comprises a set of events of a same type and of a same location that occur within a given time period. The method forms one or more composite events from the one or more event time series, and performs one or more pair-wise correlations for at least one of: the event time-series, or the one or more composite events. The method then identifies one or more pair-wise correlations that are statistically significant.

Abstract translation: 公开了一种在网络中提供事件相关性的方法和装置。 例如，该方法从数据库提取多个感兴趣的事件，并且从多个感兴趣的事件中创建一个或多个事件时间序列，其中一个或多个事件时间序列中的每一个包括相同的一组事件 类型和在给定时间段内发生的相同位置。 所述方法形成来自所述一个或多个事件时间序列的一个或多个复合事件，并且对于所述事件时间序列或所述一个或多个复合事件中的至少一个执行一个或多个成对相关。 然后，该方法识别统计学显着的一个或多个成对相关性。

公开(公告)号：US07957315B2

公开(公告)日：2011-06-07

申请号：US12342957

申请日：2008-12-23

Applicant: Nicholas Duffield ,  Lee M. Breslau ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

Inventor： Nicholas Duffield ,  Lee M. Breslau ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

IPC: H04L12/26

CPC classification number: H04L43/04 ,  H04L43/022 ,  H04L43/026 ,  H04L43/062

Abstract: Disclosed herein are systems, computer-implemented methods, and computer-readable media for sampling network traffic. The method includes receiving a plurality of flow records, calculating a hash for each flow record based on one or more invariant part of a respective flow, generating a quasi-random number from the calculated hash for each respective flow record, and sampling flow records having a quasi-random number below a probability P. Invariant parts of flow records include destination IP address, source IP address, TCP/UDP port numbers, TCP flags, and network protocol. A plurality of routers can uniformly calculate hashes for flow records. Each router in a plurality of routers can generate a same quasi-random number for each respective flow record and uses different values for probability P. The probability P can depend on a flow size. The method can divide the quasi-random number by a maximum possible hash value.

Abstract translation: 本文公开了系统，计算机实现的方法和用于对网络业务进行采样的计算机可读介质。 该方法包括：接收多个流记录，基于相应流的一个或多个不变部分计算每个流记录的散列，从针对每个相应流记录的计算出的散列生成准随机数，以及对具有 低于概率P的准随机数。流记录的不变部分包括目的地IP地址，源IP地址，TCP / UDP端口号，TCP标志和网络协议。 多个路由器可以统一计算流记录的哈希值。 多个路由器中的每个路由器可以为每个相应的流记录生成相同的准随机数，并对概率P使用不同的值。概率P可以取决于流量大小。 该方法可以将准随机数除以最大可能的哈希值。

公开(公告)号：US08165019B2

公开(公告)日：2012-04-24

申请号：US12460113

申请日：2009-07-14

Applicant: Lee Breslau ,  Amogh Dhamdhere ,  Nicholas Duffield ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

Inventor： Lee Breslau ,  Amogh Dhamdhere ,  Nicholas Duffield ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

IPC: H04L12/26 ,  H04L12/56

CPC classification number: H04L43/18 ,  H04L43/062 ,  H04L45/70

Abstract: Statistical methods are used to observe packet flow arrival processes and to infer routing changes from those observations. Packet flow arrivals are monitored using NetFlow or another packet flow monitoring arrangement. Packet flow arrivals are quantified by counting arrivals per unit time, or by measuring an inter-arrival time between flows. When a change in packet flow arrivals is determined to be statistically significant, a change in network routing protocol is reported.

Abstract translation: 统计方法用于观察分组流到达过程，并从这些观察中推断出路由变化。 使用NetFlow或另一个分组流监视装置来监视分组流到达。 通过对每单位时间的到达时间进行计数，或通过测量流之间的到达之间的时间来量化分组流到达。 当分组流到达的变化被确定为具有统计学意义时，报告了网络路由协议的变化。

公开(公告)号：US20100157809A1

公开(公告)日：2010-06-24

申请号：US12343007

申请日：2008-12-23

Applicant: Nicholas Duffield ,  Lee M. Breslau ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

Inventor： Nicholas Duffield ,  Lee M. Breslau ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

IPC: G06F11/30

CPC classification number: H04L43/026 ,  H04L43/024 ,  Y02D50/30

Abstract: Disclosed herein are systems, computer-implemented methods, and computer-readable media for sampling network traffic. The method includes receiving a desired quantity of flow record to sample, receiving a plurality of network flow record each summarizing a network flow of packets, calculating a hash for each flow record of based on one or more invariant part of a respective flow, generating a quasi-random number from the calculated hash for each respective flow record, generating a priority from the calculated hash for each respective flow record, and sampling exactly the desired quantity of flow records, selecting flow records having a highest priority first. In one aspect, the method further partitions the plurality of flow records into groups based on flow origin and destination, generates an individual priority for each partitioned group, and separately samples exactly the desired quantity of flow records from each partitioned group, selecting flows having a highest individual priority first.

Abstract translation: 本文公开了系统，计算机实现的方法和用于对网络业务进行采样的计算机可读介质。 该方法包括接收所需数量的流记录到采样中，接收多个网络流记录，每个汇总分组的网络流，基于相应流的一个或多个不变部分计算每个流记录的散列， 从每个相应流记录的计算散列中产生准随机数，从每个相应流记录的计算散列生成优先级，并精确地采样所需数量的流记录，首先选择具有最高优先级的流记录。 在一个方面，该方法还基于流源和目的地进一步将多个流记录划分为组，为每个分区组生成一个单独的优先级，并且从每个分区组中分别精确地采集所需数量的流记录，选择具有 最高个人优先。

公开(公告)号：US20100150005A1

公开(公告)日：2010-06-17

申请号：US12335868

申请日：2008-12-16

Applicant: Alexandre Gerber ,  Lee Breslau ,  Subhabrata Sen ,  Nicholas Duffield ,  Carsten Lund ,  Cheng Ee ,  Amogh Dhamdhere

Inventor： Alexandre Gerber ,  Lee Breslau ,  Subhabrata Sen ,  Nicholas Duffield ,  Carsten Lund ,  Cheng Ee ,  Amogh Dhamdhere

IPC: H04L12/26 ,  H04L12/56

CPC classification number: H04L12/56 ,  H04L41/12 ,  H04L45/70

Abstract: A system and method to use network flow records to generate information about changes in network routing and to understand the impact of these changes on network traffic. The inferences made can be determinative, if sufficient information is available. If sufficient information is not available to make determinative inferences, inferences may be made that narrow the range of possible changes that may have occurred to network traffic and the underlying network.

Abstract translation: 一种使用网络流记录生成有关网络路由更改的信息并了解这些更改对网络流量的影响的系统和方法。 如果有足够的信息可用，所做的推论可以是决定性的。 如果没有足够的信息可用于作出决定性推论，可以推测可能缩小网络流量和底层网络可能发生的可能变化的范围。

公开(公告)号：US20090262650A1

公开(公告)日：2009-10-22

申请号：US12347444

申请日：2008-12-31

Applicant: Aman Shaikh ,  Cheng Ee ,  Ajay Mahimkar ,  Jia Wang ,  Jennifer Yates ,  Yin Zhang ,  Zihui Ge

Inventor： Aman Shaikh ,  Cheng Ee ,  Ajay Mahimkar ,  Jia Wang ,  Jennifer Yates ,  Yin Zhang ,  Zihui Ge

IPC: H04L12/26

CPC classification number: H04L41/0631

Abstract: A method and apparatus for providing event correlation in a network are disclosed. For example, the method extracts a plurality of events of interest from a database, and creates one or more event time series from the plurality of events of interest, wherein each of the one or more event time series comprises a set of events of a same type and of a same location that occur within a given time period. The method forms one or more composite events from the one or more event time series, and performs one or more pair-wise correlations for at least one of: the event time-series, or the one or more composite events. The method then identifies one or more pair-wise correlations that are statistically significant.

Abstract translation: 公开了一种在网络中提供事件相关性的方法和装置。 例如，该方法从数据库提取多个感兴趣的事件，并且从多个感兴趣的事件中创建一个或多个事件时间序列，其中一个或多个事件时间序列中的每一个包括相同的一组事件 类型和在给定时间段内发生的相同位置。 所述方法形成来自所述一个或多个事件时间序列的一个或多个复合事件，并且对于所述事件时间序列或所述一个或多个复合事件中的至少一个执行一个或多个成对相关。 然后，该方法识别统计学显着的一个或多个成对相关性。

公开(公告)号：US08064359B2

公开(公告)日：2011-11-22

申请号：US12343007

申请日：2008-12-23

Applicant: Nicholas Duffield ,  Lee M. Breslau ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

Inventor： Nicholas Duffield ,  Lee M. Breslau ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

IPC: H04L12/26

CPC classification number: H04L43/026 ,  H04L43/024 ,  Y02D50/30

Abstract: Disclosed herein are systems, computer-implemented methods, and computer-readable media for sampling network traffic. The method includes receiving a desired quantity of flow record to sample, receiving a plurality of network flow record each summarizing a network flow of packets, calculating a hash for each flow record of based on one or more invariant part of a respective flow, generating a quasi-random number from the calculated hash for each respective flow record, generating a priority from the calculated hash for each respective flow record, and sampling exactly the desired quantity of flow records, selecting flow records having a highest priority first. In one aspect, the method further partitions the plurality of flow records into groups based on flow origin and destination, generates an individual priority for each partitioned group, and separately samples exactly the desired quantity of flow records from each partitioned group, selecting flows having a highest individual priority first.

Abstract translation: 本文公开了系统，计算机实现的方法和用于对网络业务进行采样的计算机可读介质。 该方法包括接收所需数量的流记录到采样中，接收多个网络流记录，每个汇总分组的网络流，基于相应流的一个或多个不变部分计算每个流记录的散列， 从每个相应流记录的计算散列中产生准随机数，从每个相应流记录的计算散列生成优先级，并精确地采样所需数量的流记录，首先选择具有最高优先级的流记录。 在一个方面，该方法还基于流源和目的地进一步将多个流记录划分为组，为每个分区组生成一个单独的优先级，并且从每个分区组中分别精确地采集所需数量的流记录，选择具有 最高个人优先。

公开(公告)号：US20100161791A1

公开(公告)日：2010-06-24

申请号：US12342957

申请日：2008-12-23

Applicant: Nicholas Duffield ,  Lee M. Breslau ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

Inventor： Nicholas Duffield ,  Lee M. Breslau ,  Cheng Ee ,  Alexandre Gerber ,  Carsten Lund ,  Subhabrata Sen

IPC: G06F15/173

CPC classification number: H04L43/04 ,  H04L43/022 ,  H04L43/026 ,  H04L43/062

Abstract: Disclosed herein are systems, computer-implemented methods, and computer-readable media for sampling network traffic. The method includes receiving a plurality of flow records, calculating a hash for each flow record based on one or more invariant part of a respective flow, generating a quasi-random number from the calculated hash for each respective flow record, and sampling flow records having a quasi-random number below a probability P. Invariant parts of flow records include destination IP address, source IP address, TCP/UDP port numbers, TCP flags, and network protocol. A plurality of routers can uniformly calculate hashes for flow records. Each router in a plurality of routers can generate a same quasi-random number for each respective flow record and uses different values for probability P. The probability P can depend on a flow size. The method can divide the quasi-random number by a maximum possible hash value.

Abstract translation: 本文公开了系统，计算机实现的方法和用于对网络业务进行采样的计算机可读介质。 该方法包括：接收多个流记录，基于相应流的一个或多个不变部分计算每个流记录的散列，从针对每个相应流记录的计算出的散列生成准随机数，以及对具有 低于概率P的准随机数。流记录的不变部分包括目的地IP地址，源IP地址，TCP / UDP端口号，TCP标志和网络协议。 多个路由器可以统一计算流记录的哈希值。 多个路由器中的每个路由器可以为每个相应的流记录生成相同的准随机数，并对概率P使用不同的值。概率P可以取决于流量大小。 该方法可以将准随机数除以最大可能的哈希值。