US 12,224,921 B2
Technologies for managing compromised sensors in virtualized environments
Navindra Yadav, Cupertino, CA (US); Abhishek Ranjan Singh, Pleasanton, CA (US); Anubhav Gupta, Fremont, CA (US); Shashidhar Gandham, Fremont, CA (US); Jackson Ngoc Ki Pang, Sunnyvale, CA (US); Shih-Chun Chang, San Jose, CA (US); and Hai Trong Vu, San Jose, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Jan. 31, 2024, as Appl. No. 18/429,022.
Application 18/429,022 is a continuation of application No. 18/054,095, filed on Nov. 9, 2022, granted, now 11,902,123.
Application 18/054,095 is a continuation of application No. 16/704,559, filed on Dec. 5, 2019, granted, now 11,502,922, issued on Nov. 15, 2022.
Application 16/704,559 is a continuation of application No. 15/171,763, filed on Jun. 2, 2016, granted, now 10,505,828, issued on Dec. 10, 2019.
Claims priority of provisional application 62/171,899, filed on Jun. 5, 2015.
Prior Publication US 2024/0380680 A1, Nov. 14, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/53 (2013.01); G06F 3/0482 (2013.01); G06F 3/04842 (2022.01); G06F 3/04847 (2022.01); G06F 9/455 (2018.01); G06F 16/11 (2019.01); G06F 16/13 (2019.01); G06F 16/16 (2019.01); G06F 16/17 (2019.01); G06F 16/174 (2019.01); G06F 16/23 (2019.01); G06F 16/2457 (2019.01); G06F 16/248 (2019.01); G06F 16/28 (2019.01); G06F 16/29 (2019.01); G06F 16/9535 (2019.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01); G06N 20/00 (2019.01); G06N 99/00 (2019.01); G06T 11/20 (2006.01); H04J 3/06 (2006.01); H04J 3/14 (2006.01); H04L 1/24 (2006.01); H04L 7/10 (2006.01); H04L 9/08 (2006.01); H04L 9/32 (2006.01); H04L 9/40 (2022.01); H04L 41/046 (2022.01); H04L 41/0668 (2022.01); H04L 41/0803 (2022.01); H04L 41/0806 (2022.01); H04L 41/0816 (2022.01); H04L 41/0893 (2022.01); H04L 41/12 (2022.01); H04L 41/16 (2022.01); H04L 41/22 (2022.01); H04L 43/02 (2022.01); H04L 43/026 (2022.01); H04L 43/04 (2022.01); H04L 43/045 (2022.01); H04L 43/062 (2022.01); H04L 43/08 (2022.01); H04L 43/0805 (2022.01); H04L 43/0811 (2022.01); H04L 43/0829 (2022.01); H04L 43/0852 (2022.01); H04L 43/0864 (2022.01); H04L 43/0876 (2022.01); H04L 43/0882 (2022.01); H04L 43/0888 (2022.01); H04L 43/10 (2022.01); H04L 43/106 (2022.01); H04L 43/12 (2022.01); H04L 43/16 (2022.01); H04L 45/00 (2022.01); H04L 45/302 (2022.01); H04L 45/50 (2022.01); H04L 45/74 (2022.01); H04L 47/11 (2022.01); H04L 47/20 (2022.01); H04L 47/2441 (2022.01); H04L 47/2483 (2022.01); H04L 47/28 (2022.01); H04L 47/31 (2022.01); H04L 47/32 (2022.01); H04L 61/5007 (2022.01); H04L 67/01 (2022.01); H04L 67/10 (2022.01); H04L 67/1001 (2022.01); H04L 67/12 (2022.01); H04L 67/51 (2022.01); H04L 67/75 (2022.01); H04L 69/16 (2022.01); H04L 69/22 (2022.01); H04W 72/54 (2023.01); H04W 84/18 (2009.01); H04L 67/50 (2022.01)
CPC H04L 43/045 (2013.01) [G06F 3/0482 (2013.01); G06F 3/04842 (2013.01); G06F 3/04847 (2013.01); G06F 9/45558 (2013.01); G06F 16/122 (2019.01); G06F 16/137 (2019.01); G06F 16/162 (2019.01); G06F 16/17 (2019.01); G06F 16/173 (2019.01); G06F 16/174 (2019.01); G06F 16/1744 (2019.01); G06F 16/1748 (2019.01); G06F 16/2322 (2019.01); G06F 16/235 (2019.01); G06F 16/2365 (2019.01); G06F 16/24578 (2019.01); G06F 16/248 (2019.01); G06F 16/285 (2019.01); G06F 16/288 (2019.01); G06F 16/29 (2019.01); G06F 16/9535 (2019.01); G06F 21/53 (2013.01); G06F 21/552 (2013.01); G06F 21/556 (2013.01); G06F 21/566 (2013.01); G06N 20/00 (2019.01); G06N 99/00 (2013.01); G06T 11/206 (2013.01); H04J 3/0661 (2013.01); H04J 3/14 (2013.01); H04L 1/242 (2013.01); H04L 7/10 (2013.01); H04L 9/0866 (2013.01); H04L 9/3239 (2013.01); H04L 9/3242 (2013.01); H04L 41/046 (2013.01); H04L 41/0668 (2013.01); H04L 41/0803 (2013.01); H04L 41/0806 (2013.01); H04L 41/0816 (2013.01); H04L 41/0893 (2013.01); H04L 41/12 (2013.01); H04L 41/16 (2013.01); H04L 41/22 (2013.01); H04L 43/02 (2013.01); H04L 43/026 (2013.01); H04L 43/04 (2013.01); H04L 43/062 (2013.01); H04L 43/08 (2013.01); H04L 43/0805 (2013.01); H04L 43/0811 (2013.01); H04L 43/0829 (2013.01); H04L 43/0841 (2013.01); H04L 43/0858 (2013.01); H04L 43/0864 (2013.01); H04L 43/0876 (2013.01); H04L 43/0882 (2013.01); H04L 43/0888 (2013.01); H04L 43/10 (2013.01); H04L 43/106 (2013.01); H04L 43/12 (2013.01); H04L 43/16 (2013.01); H04L 45/306 (2013.01); H04L 45/38 (2013.01); H04L 45/46 (2013.01); H04L 45/507 (2013.01); H04L 45/66 (2013.01); H04L 45/74 (2013.01); H04L 47/11 (2013.01); H04L 47/20 (2013.01); H04L 47/2441 (2013.01); H04L 47/2483 (2013.01); H04L 47/28 (2013.01); H04L 47/31 (2013.01); H04L 47/32 (2013.01); H04L 61/5007 (2022.05); H04L 63/0227 (2013.01); H04L 63/0263 (2013.01); H04L 63/06 (2013.01); H04L 63/0876 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/145 
(2013.01); H04L 63/1458 (2013.01); H04L 63/1466 (2013.01); H04L 63/16 (2013.01); H04L 63/20 (2013.01); H04L 67/01 (2022.05); H04L 67/10 (2013.01); H04L 67/1001 (2022.05); H04L 67/12 (2013.01); H04L 67/51 (2022.05); H04L 67/75 (2022.05); H04L 69/16 (2013.01); H04L 69/22 (2013.01); H04W 72/54 (2023.01); H04W 84/18 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01); G06F 2221/033 (2013.01); G06F 2221/2101 (2013.01); G06F 2221/2105 (2013.01); G06F 2221/2111 (2013.01); G06F 2221/2115 (2013.01); G06F 2221/2145 (2013.01); H04L 67/535 (2022.05)]
20 Claims
1. A method comprising:
receiving, from a plurality of capturing agents deployed in a plurality of devices, data generated based on traffic at the plurality of devices, a first one of the plurality of devices including a leaf switch in a spine-leaf network fabric, and a second one of the plurality of devices includes a host of a hypervisor coupled with the spine-leaf network fabric via the leaf switch;
comparing characteristics of the data to determine a difference in the characteristics; and
based on the difference, determining a state of at least one of the plurality of capturing agents;
wherein the data is generated based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the plurality of devices;
wherein the determining the state includes:
determining a first traffic pattern for traffic captured during a first period of time;
determining a second traffic pattern for traffic captured during the first period of time;
determining a third traffic pattern for traffic during a second period of time before the first period of time;
determining a fourth traffic pattern for traffic during the second period of time;
comparing the first traffic pattern with the third traffic pattern to identify a first traffic pattern delta between the first traffic pattern and the third traffic pattern;
comparing the second traffic pattern with the fourth traffic pattern to identify a second traffic pattern delta between the second traffic pattern and the fourth traffic pattern;
determining whether the first traffic pattern delta or the second traffic pattern delta exceed a delta threshold;
when the first traffic pattern delta exceeds the delta threshold, determining a first one of the plurality of capturing agents is in the state; and
when the second traffic pattern delta exceeds the delta threshold, determining a second one of the plurality of capturing agents is in the state.
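
The per-agent comparison recited in claim 1, sketched as an added example; this is not code from the patent or from Cisco. It assumes the first and third patterns come from one agent's reports and the second and fourth from another's. The report tuple layout, the agent names, the byte-share-per-port "traffic pattern", the total-variation "delta" and the 0.3 threshold are all assumptions chosen for illustration, since the claim does not define them.

```python
from collections import Counter

# Constructed sample reports: (agent, epoch_seconds, dst_port, bytes).
# "leaf-1" stands for the agent on the leaf switch, "hv-host-1" for the
# agent on the hypervisor host; both names are hypothetical.
REPORTS = [
    ("leaf-1", 10, 443, 9000), ("leaf-1", 40, 53, 1000),
    ("leaf-1", 70, 443, 8800), ("leaf-1", 100, 53, 1200),
    ("hv-host-1", 15, 443, 9000), ("hv-host-1", 45, 53, 1000),
    ("hv-host-1", 75, 8081, 9500), ("hv-host-1", 105, 53, 500),
]

def traffic_pattern(reports, agent, start, end):
    """Share of bytes per destination port reported by `agent` in [start, end)."""
    totals = Counter()
    for a, ts, port, nbytes in reports:
        if a == agent and start <= ts < end:
            totals[port] += nbytes
    grand = sum(totals.values())
    return {p: b / grand for p, b in totals.items()} if grand else {}

def pattern_delta(current, previous):
    """Total variation distance in [0, 1] between two patterns.

    An agent that reported in one period and is silent in the other is
    treated as maximal change, so a muted agent is not missed.
    """
    if not current or not previous:
        return 0.0 if current == previous else 1.0
    ports = set(current) | set(previous)
    return 0.5 * sum(abs(current.get(p, 0.0) - previous.get(p, 0.0)) for p in ports)

def agents_in_state(reports, agents, first_period, second_period, delta_threshold):
    """Return {agent: delta} for each agent whose delta exceeds the threshold."""
    flagged = {}
    for agent in agents:
        now = traffic_pattern(reports, agent, *first_period)      # first / second pattern
        before = traffic_pattern(reports, agent, *second_period)  # third / fourth pattern
        delta = pattern_delta(now, before)
        if delta > delta_threshold:
            flagged[agent] = round(delta, 3)
    return flagged

if __name__ == "__main__":
    # First period is [60, 120); the second period [0, 60) precedes it.
    print(agents_in_state(REPORTS, ["leaf-1", "hv-host-1"], (60, 120), (0, 60), 0.3))
```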