US 11,924,072 B2
Technologies for annotating process and user information for network flows
Navindra Yadav, Cupertino, CA (US); Abhishek Ranjan Singh, Pleasanton, CA (US); Anubhav Gupta, Fremont, CA (US); Shashidhar Gandham, Fremont, CA (US); Jackson Ngoc Ki Pang, Sunnyvale, CA (US); Shih-Chun Chang, San Jose, CA (US); and Hai Trong Vu, San Jose, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Jan. 29, 2021, as Appl. No. 17/161,968.
Application 17/161,968 is a continuation of application No. 16/237,187, filed on Dec. 31, 2018.
Application 16/237,187 is a continuation of application No. 15/152,163, filed on May 11, 2016, granted, now 10,171,319.
Claims priority of provisional application 62/171,899, filed on Jun. 5, 2015.
Prior Publication US 2021/0152443 A1, May 20, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 9/455 (2018.01); G06F 3/0482 (2013.01); G06F 3/04842 (2022.01); G06F 3/04847 (2022.01); G06F 16/11 (2019.01); G06F 16/13 (2019.01); G06F 16/16 (2019.01); G06F 16/17 (2019.01); G06F 16/174 (2019.01); G06F 16/23 (2019.01); G06F 16/2457 (2019.01); G06F 16/248 (2019.01); G06F 16/28 (2019.01); G06F 16/29 (2019.01); G06F 16/9535 (2019.01); G06F 21/53 (2013.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01); G06N 20/00 (2019.01); G06N 99/00 (2019.01); G06T 11/20 (2006.01); H04J 3/06 (2006.01); H04J 3/14 (2006.01); H04L 1/24 (2006.01); H04L 9/08 (2006.01); H04L 9/32 (2006.01); H04L 9/40 (2022.01); H04L 41/046 (2022.01); H04L 41/0668 (2022.01); H04L 41/0803 (2022.01); H04L 41/0806 (2022.01); H04L 41/0816 (2022.01); H04L 41/0893 (2022.01); H04L 41/12 (2022.01); H04L 41/16 (2022.01); H04L 41/22 (2022.01); H04L 43/02 (2022.01); H04L 43/026 (2022.01); H04L 43/04 (2022.01); H04L 43/045 (2022.01); H04L 43/062 (2022.01); H04L 43/08 (2022.01); H04L 43/0805 (2022.01); H04L 43/0811 (2022.01); H04L 43/0829 (2022.01); H04L 43/0852 (2022.01); H04L 43/0864 (2022.01); H04L 43/0876 (2022.01); H04L 43/0882 (2022.01); H04L 43/0888 (2022.01); H04L 43/10 (2022.01); H04L 43/106 (2022.01); H04L 43/12 (2022.01); H04L 43/16 (2022.01); H04L 45/00 (2022.01); H04L 45/302 (2022.01); H04L 45/50 (2022.01); H04L 45/74 (2022.01); H04L 47/11 (2022.01); H04L 47/20 (2022.01); H04L 47/2441 (2022.01); H04L 47/2483 (2022.01); H04L 47/28 (2022.01); H04L 47/31 (2022.01); H04L 47/32 (2022.01); H04L 61/5007 (2022.01); H04L 67/01 (2022.01); H04L 67/10 (2022.01); H04L 67/1001 (2022.01); H04L 67/12 (2022.01); H04L 67/51 (2022.01); H04L 67/75 (2022.01); H04L 69/16 (2022.01); H04L 69/22 (2022.01); H04W 72/54 (2023.01); H04W 84/18 (2009.01); H04L 67/50 (2022.01)
CPC H04L 43/045 (2013.01) [G06F 3/0482 (2013.01); G06F 3/04842 (2013.01); G06F 3/04847 (2013.01); G06F 9/45558 (2013.01); G06F 16/122 (2019.01); G06F 16/137 (2019.01); G06F 16/162 (2019.01); G06F 16/17 (2019.01); G06F 16/173 (2019.01); G06F 16/174 (2019.01); G06F 16/1744 (2019.01); G06F 16/1748 (2019.01); G06F 16/2322 (2019.01); G06F 16/235 (2019.01); G06F 16/2365 (2019.01); G06F 16/24578 (2019.01); G06F 16/248 (2019.01); G06F 16/285 (2019.01); G06F 16/288 (2019.01); G06F 16/29 (2019.01); G06F 16/9535 (2019.01); G06F 21/53 (2013.01); G06F 21/552 (2013.01); G06F 21/556 (2013.01); G06F 21/566 (2013.01); G06N 20/00 (2019.01); G06N 99/00 (2013.01); G06T 11/206 (2013.01); H04J 3/0661 (2013.01); H04J 3/14 (2013.01); H04L 1/242 (2013.01); H04L 9/0866 (2013.01); H04L 9/3239 (2013.01); H04L 9/3242 (2013.01); H04L 41/046 (2013.01); H04L 41/0668 (2013.01); H04L 41/0803 (2013.01); H04L 41/0806 (2013.01); H04L 41/0816 (2013.01); H04L 41/0893 (2013.01); H04L 41/12 (2013.01); H04L 41/16 (2013.01); H04L 41/22 (2013.01); H04L 43/02 (2013.01); H04L 43/026 (2013.01); H04L 43/04 (2013.01); H04L 43/062 (2013.01); H04L 43/08 (2013.01); H04L 43/0805 (2013.01); H04L 43/0811 (2013.01); H04L 43/0829 (2013.01); H04L 43/0841 (2013.01); H04L 43/0858 (2013.01); H04L 43/0864 (2013.01); H04L 43/0876 (2013.01); H04L 43/0882 (2013.01); H04L 43/0888 (2013.01); H04L 43/10 (2013.01); H04L 43/106 (2013.01); H04L 43/12 (2013.01); H04L 43/16 (2013.01); H04L 45/306 (2013.01); H04L 45/38 (2013.01); H04L 45/46 (2013.01); H04L 45/507 (2013.01); H04L 45/66 (2013.01); H04L 45/74 (2013.01); H04L 47/11 (2013.01); H04L 47/20 (2013.01); H04L 47/2441 (2013.01); H04L 47/2483 (2013.01); H04L 47/28 (2013.01); H04L 47/31 (2013.01); H04L 47/32 (2013.01); H04L 61/5007 (2022.05); H04L 63/0227 (2013.01); H04L 63/0263 (2013.01); H04L 63/06 (2013.01); H04L 63/0876 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/145 (2013.01); H04L 63/1458 (2013.01); H04L 63/1466 (2013.01); H04L 63/16 (2013.01); H04L 63/20 (2013.01); H04L 67/01 (2022.05); H04L 67/10 (2013.01); H04L 67/1001 (2022.05); H04L 67/12 (2013.01); H04L 67/51 (2022.05); H04L 67/75 (2022.05); H04L 69/16 (2013.01); H04L 69/22 (2013.01); H04W 72/54 (2023.01); H04W 84/18 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01); G06F 2221/033 (2013.01); G06F 2221/2101 (2013.01); G06F 2221/2105 (2013.01); G06F 2221/2111 (2013.01); G06F 2221/2115 (2013.01); G06F 2221/2145 (2013.01); H04L 67/535 (2022.05)] 30 Claims
OG exemplary drawing
 
1. A non-transitory computer-readable media encoding a set of non-transitory computer-readable instructions, which when executed on one or more processors on devices connected to a network, cause one or more devices to:
at a first device, receive a stream of network flow data via an attached communications network;
evaluate the stream of network flow data to derive a directed control flow graph corresponding to a distributed application, the control flow graph including a plurality of nodes and a plurality of edges between various nodes, wherein:
the nodes of the graph correspond to network-addressable application components connected to the communications network, each application component sending and receiving network traffic including one or more packets at a network interface;
one or more of the application components includes a workload creating and/or processing a data stream as part of the distributed application; and
one or more first edges of the plurality of edges between the nodes of the graph correspond to data streams between source nodes and destination nodes;
annotate one or more flows associated with one or more nodes plurality of nodes and/or one or more second edges plurality of edges in the control flow graph with one or more tags, the tags relating to a functioning of the distributed application;
identify patterns of normal behavior of the distributed application; and
display a representation of the distributed application.