US 11,894,996 B2
Technologies for annotating process and user information for network flows
Navindra Yadav, Cupertino, CA (US); Abhishek Ranjan Singh, Pleasanton, CA (US); Anubhav Gupta, Fremont, CA (US); Shashidhar Gandham, Fremont, CA (US); Jackson Ngoc Ki Pang, Sunnyvale, CA (US); Shih-Chun Chang, San Jose, CA (US); and Hai Trong Vu, San José, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Jan. 29, 2021, as Appl. No. 17/161,903.
Application 17/161,903 is a continuation of application No. 16/237,187, filed on Dec. 31, 2018.
Application 16/237,187 is a continuation of application No. 15/152,163, filed on May 11, 2016, granted, now 10,171,319.
Claims priority of provisional application 62/171,899, filed on Jun. 5, 2015.
Prior Publication US 2021/0160157 A1, May 27, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 9/455 (2018.01); H04L 43/045 (2022.01); H04L 9/40 (2022.01); G06N 20/00 (2019.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01); G06F 16/28 (2019.01); G06F 16/2457 (2019.01); G06F 16/248 (2019.01); G06F 16/29 (2019.01); G06F 16/16 (2019.01); G06F 16/17 (2019.01); G06F 16/11 (2019.01); G06F 16/13 (2019.01); G06F 16/174 (2019.01); G06F 16/23 (2019.01); G06F 16/9535 (2019.01); G06N 99/00 (2019.01); H04L 9/32 (2006.01); H04L 41/0668 (2022.01); H04L 43/0805 (2022.01); H04L 43/0811 (2022.01); H04L 43/0852 (2022.01); H04L 43/106 (2022.01); H04L 45/00 (2022.01); H04L 45/50 (2022.01); H04L 67/12 (2022.01); H04L 43/026 (2022.01); H04L 61/5007 (2022.01); H04L 67/01 (2022.01); H04L 67/51 (2022.01); H04L 67/75 (2022.01); H04L 67/1001 (2022.01); H04W 72/54 (2023.01); H04L 43/062 (2022.01); H04L 43/10 (2022.01); H04L 47/2441 (2022.01); H04L 41/0893 (2022.01); H04L 43/08 (2022.01); H04L 43/04 (2022.01); H04W 84/18 (2009.01); H04L 67/10 (2022.01); H04L 41/046 (2022.01); H04L 43/0876 (2022.01); H04L 41/12 (2022.01); H04L 41/16 (2022.01); H04L 41/0816 (2022.01); G06F 21/53 (2013.01); H04L 41/22 (2022.01); G06F 3/04842 (2022.01); G06F 3/04847 (2022.01); H04L 41/0803 (2022.01); H04L 43/0829 (2022.01); H04L 43/16 (2022.01); H04L 1/24 (2006.01); H04L 9/08 (2006.01); H04J 3/06 (2006.01); H04J 3/14 (2006.01); H04L 47/20 (2022.01); H04L 47/32 (2022.01); H04L 43/0864 (2022.01); H04L 47/11 (2022.01); H04L 69/22 (2022.01); H04L 45/74 (2022.01); H04L 47/2483 (2022.01); H04L 43/0882 (2022.01); H04L 41/0806 (2022.01); H04L 43/0888 (2022.01); H04L 43/12 (2022.01); H04L 47/31 (2022.01); G06F 3/0482 (2013.01); G06T 11/20 (2006.01); H04L 43/02 (2022.01); H04L 47/28 (2022.01); H04L 69/16 (2022.01); H04L 45/302 (2022.01); H04L 67/50 (2022.01)
CPC H04L 43/045 (2013.01) [G06F 3/0482 (2013.01); G06F 3/04842 (2013.01); G06F 3/04847 (2013.01); G06F 9/45558 (2013.01); G06F 16/122 (2019.01); G06F 16/137 (2019.01); G06F 16/162 (2019.01); G06F 16/17 (2019.01); G06F 16/173 (2019.01); G06F 16/174 (2019.01); G06F 16/1744 (2019.01); G06F 16/1748 (2019.01); G06F 16/235 (2019.01); G06F 16/2322 (2019.01); G06F 16/2365 (2019.01); G06F 16/248 (2019.01); G06F 16/24578 (2019.01); G06F 16/285 (2019.01); G06F 16/288 (2019.01); G06F 16/29 (2019.01); G06F 16/9535 (2019.01); G06F 21/53 (2013.01); G06F 21/552 (2013.01); G06F 21/556 (2013.01); G06F 21/566 (2013.01); G06N 20/00 (2019.01); G06N 99/00 (2013.01); G06T 11/206 (2013.01); H04J 3/0661 (2013.01); H04J 3/14 (2013.01); H04L 1/242 (2013.01); H04L 9/0866 (2013.01); H04L 9/3239 (2013.01); H04L 9/3242 (2013.01); H04L 41/046 (2013.01); H04L 41/0668 (2013.01); H04L 41/0803 (2013.01); H04L 41/0806 (2013.01); H04L 41/0816 (2013.01); H04L 41/0893 (2013.01); H04L 41/12 (2013.01); H04L 41/16 (2013.01); H04L 41/22 (2013.01); H04L 43/02 (2013.01); H04L 43/026 (2013.01); H04L 43/04 (2013.01); H04L 43/062 (2013.01); H04L 43/08 (2013.01); H04L 43/0805 (2013.01); H04L 43/0811 (2013.01); H04L 43/0829 (2013.01); H04L 43/0841 (2013.01); H04L 43/0858 (2013.01); H04L 43/0864 (2013.01); H04L 43/0876 (2013.01); H04L 43/0882 (2013.01); H04L 43/0888 (2013.01); H04L 43/10 (2013.01); H04L 43/106 (2013.01); H04L 43/12 (2013.01); H04L 43/16 (2013.01); H04L 45/306 (2013.01); H04L 45/38 (2013.01); H04L 45/46 (2013.01); H04L 45/507 (2013.01); H04L 45/66 (2013.01); H04L 45/74 (2013.01); H04L 47/11 (2013.01); H04L 47/20 (2013.01); H04L 47/2441 (2013.01); H04L 47/2483 (2013.01); H04L 47/28 (2013.01); H04L 47/31 (2013.01); H04L 47/32 (2013.01); H04L 61/5007 (2022.05); H04L 63/0227 (2013.01); H04L 63/0263 (2013.01); H04L 63/06 (2013.01); H04L 63/0876 (2013.01); H04L 63/145 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/1458 (2013.01); H04L 63/1466 (2013.01); H04L 63/16 (2013.01); H04L 63/20 (2013.01); H04L 67/01 (2022.05); H04L 67/10 (2013.01); H04L 67/1001 (2022.05); H04L 67/12 (2013.01); H04L 67/51 (2022.05); H04L 67/75 (2022.05); H04L 69/16 (2013.01); H04L 69/22 (2013.01); H04W 72/54 (2023.01); H04W 84/18 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01); G06F 2221/033 (2013.01); G06F 2221/2101 (2013.01); G06F 2221/2105 (2013.01); G06F 2221/2111 (2013.01); G06F 2221/2115 (2013.01); G06F 2221/2145 (2013.01); H04L 67/535 (2022.05)]
29 Claims
1. A network traffic monitoring system comprising:
a collector comprising one or more processors and a non-transitory computer-readable medium, an analytics module, a policy engine, and an alerting module, wherein the collector is communicably attached to a communications network and receives a stream of network flow data via the attached communications network;
wherein the analytics module evaluates the stream of network flow data to generate a directed control flow graph corresponding to components of a distributed application, the control flow graph including a plurality of nodes and a plurality of directed edges between various nodes;
wherein the nodes of the graph correspond to network-addressable application components connected to the communications network, each application component sending and receiving network traffic including one or more packets at a network interface local to the application component;
wherein one or more of the application components includes a workload creating and/or processing a data stream as part of the distributed application;
wherein the edges between the nodes of the graph correspond to data streams between source nodes and destination nodes;
wherein one or more flows associated with one or more nodes and/or edges in the control flow graph are annotated with one or more tags, the one or more tags relating to a functioning of the distributed application; and
wherein the analytics module further evaluates the stream of network flow data to identify patterns of normal behavior of the distributed application, uses the patterns to evaluate newly received information from the stream of network flow data, and upon identifying newly received information that varies from the patterns of normal behavior, responds via an alerting module.