US 11,700,190 B2
Technologies for annotating process and user information for network flows
Navindra Yadav, Cupertino, CA (US); Abhishek Ranjan Singh, Pleasanton, CA (US); Anubhav Gupta, Fremont, CA (US); Shashidhar Gandham, Fremont, CA (US); Jackson Ngoc Ki Pang, Sunnyvale, CA (US); Shih-Chun Chang, San Jose, CA (US); and Hai Trong Vu, San Jose, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Oct. 15, 2021, as Appl. No. 17/503,097.
Application 17/503,097 is a continuation of application No. 16/237,187, filed on Dec. 31, 2018, granted, now 11,153,184.
Application 16/237,187 is a continuation of application No. 15/152,163, filed on May 11, 2016, granted, now 10,171,319, issued on Jan. 1, 2019.
Claims priority of provisional application 62/171,899, filed on Jun. 5, 2015.
Prior Publication US 2022/0038353 A1, Feb. 3, 2022
Int. Cl. G06F 16/23 (2019.01); H04L 43/045 (2022.01); H04L 9/40 (2022.01); G06F 9/455 (2018.01); G06N 20/00 (2019.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01); G06F 16/28 (2019.01); G06F 16/2457 (2019.01); G06F 16/248 (2019.01); G06F 16/29 (2019.01); G06F 16/16 (2019.01); G06F 16/17 (2019.01); G06F 16/11 (2019.01); G06F 16/13 (2019.01); G06F 16/174 (2019.01); G06F 16/9535 (2019.01); G06N 99/00 (2019.01); H04L 9/32 (2006.01); H04L 41/0668 (2022.01); H04L 43/0805 (2022.01); H04L 43/0811 (2022.01); H04L 43/0852 (2022.01); H04L 43/106 (2022.01); H04L 45/00 (2022.01); H04L 45/50 (2022.01); H04L 67/12 (2022.01); H04L 43/026 (2022.01); H04L 61/5007 (2022.01); H04L 67/01 (2022.01); H04L 67/51 (2022.01); H04L 67/75 (2022.01); H04L 67/1001 (2022.01); H04W 72/54 (2023.01); H04L 43/062 (2022.01); H04L 43/10 (2022.01); H04L 47/2441 (2022.01); H04L 41/0893 (2022.01); H04L 43/08 (2022.01); H04L 43/04 (2022.01); H04W 84/18 (2009.01); H04L 67/10 (2022.01); H04L 41/046 (2022.01); H04L 43/0876 (2022.01); H04L 41/12 (2022.01); H04L 41/16 (2022.01); H04L 41/0816 (2022.01); G06F 21/53 (2013.01); H04L 41/22 (2022.01); G06F 3/04842 (2022.01); G06F 3/04847 (2022.01); H04L 41/0803 (2022.01); H04L 43/0829 (2022.01); H04L 43/16 (2022.01); H04L 1/24 (2006.01); H04L 9/08 (2006.01); H04J 3/06 (2006.01); H04J 3/14 (2006.01); H04L 47/20 (2022.01); H04L 47/32 (2022.01); H04L 43/0864 (2022.01); H04L 47/11 (2022.01); H04L 69/22 (2022.01); H04L 45/74 (2022.01); H04L 47/2483 (2022.01); H04L 43/0882 (2022.01); H04L 41/0806 (2022.01); H04L 43/0888 (2022.01); H04L 43/12 (2022.01); H04L 47/31 (2022.01); G06F 3/0482 (2013.01); G06T 11/20 (2006.01); H04L 43/02 (2022.01); H04L 47/28 (2022.01); H04L 69/16 (2022.01); H04L 45/302 (2022.01); H04L 67/50 (2022.01)
CPC H04L 43/045 (2013.01) [G06F 3/0482 (2013.01); G06F 3/04842 (2013.01); G06F 3/04847 (2013.01); G06F 9/45558 (2013.01); G06F 16/122 (2019.01); G06F 16/137 (2019.01); G06F 16/162 (2019.01); G06F 16/17 (2019.01); G06F 16/173 (2019.01); G06F 16/174 (2019.01); G06F 16/1744 (2019.01); G06F 16/1748 (2019.01); G06F 16/235 (2019.01); G06F 16/2322 (2019.01); G06F 16/2365 (2019.01); G06F 16/248 (2019.01); G06F 16/24578 (2019.01); G06F 16/285 (2019.01); G06F 16/288 (2019.01); G06F 16/29 (2019.01); G06F 16/9535 (2019.01); G06F 21/53 (2013.01); G06F 21/552 (2013.01); G06F 21/556 (2013.01); G06F 21/566 (2013.01); G06N 20/00 (2019.01); G06N 99/00 (2013.01); G06T 11/206 (2013.01); H04J 3/0661 (2013.01); H04J 3/14 (2013.01); H04L 1/242 (2013.01); H04L 9/0866 (2013.01); H04L 9/3239 (2013.01); H04L 9/3242 (2013.01); H04L 41/046 (2013.01); H04L 41/0668 (2013.01); H04L 41/0803 (2013.01); H04L 41/0806 (2013.01); H04L 41/0816 (2013.01); H04L 41/0893 (2013.01); H04L 41/12 (2013.01); H04L 41/16 (2013.01); H04L 41/22 (2013.01); H04L 43/02 (2013.01); H04L 43/026 (2013.01); H04L 43/04 (2013.01); H04L 43/062 (2013.01); H04L 43/08 (2013.01); H04L 43/0805 (2013.01); H04L 43/0811 (2013.01); H04L 43/0829 (2013.01); H04L 43/0841 (2013.01); H04L 43/0858 (2013.01); H04L 43/0864 (2013.01); H04L 43/0876 (2013.01); H04L 43/0882 (2013.01); H04L 43/0888 (2013.01); H04L 43/10 (2013.01); H04L 43/106 (2013.01); H04L 43/12 (2013.01); H04L 43/16 (2013.01); H04L 45/306 (2013.01); H04L 45/38 (2013.01); H04L 45/46 (2013.01); H04L 45/507 (2013.01); H04L 45/66 (2013.01); H04L 45/74 (2013.01); H04L 47/11 (2013.01); H04L 47/20 (2013.01); H04L 47/2441 (2013.01); H04L 47/2483 (2013.01); H04L 47/28 (2013.01); H04L 47/31 (2013.01); H04L 47/32 (2013.01); H04L 61/5007 (2022.05); H04L 63/0227 (2013.01); H04L 63/0263 (2013.01); H04L 63/06 (2013.01); H04L 63/0876 (2013.01); H04L 63/145 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01); H04L 63/1458 (2013.01); H04L 63/1466 (2013.01); H04L 63/16 (2013.01); H04L 63/20 (2013.01); H04L 67/01 (2022.05); H04L 67/10 (2013.01); H04L 67/1001 (2022.05); H04L 67/12 (2013.01); H04L 67/51 (2022.05); H04L 67/75 (2022.05); H04L 69/16 (2013.01); H04L 69/22 (2013.01); H04W 72/54 (2023.01); H04W 84/18 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01); G06F 2221/033 (2013.01); G06F 2221/2101 (2013.01); G06F 2221/2105 (2013.01); G06F 2221/2111 (2013.01); G06F 2221/2115 (2013.01); G06F 2221/2145 (2013.01); H04L 67/535 (2022.05)] 20 Claims
OG exemplary drawing
 
1. A network traffic monitoring system comprising:
a plurality of distributed sensors, each sensor associated with a particular device of a plurality of physical or virtual devices, wherein:
each sensor generates network flow data based upon packets sent and/or received via a network interface local to the particular device associated with that sensor;
a first device of the plurality of physical or virtual devices is associated with at least one first sensor of the plurality of distributed sensors and comprises a virtual machine;
a second device of the plurality of physical or virtual devices is associated with at least one second sensor and comprises a container; and
a third device of the plurality of physical or virtual devices is associated with at least one third sensor and comprises a network switch; and
a backend comprising a collector, an analytics module, and a presentation module, wherein the collector includes a storage, and wherein the presentation module includes one or more application programming interface (API) segments;
wherein the collector is communicably attached to a communications network and receives a plurality of network flow data from the plurality of distributed sensors via the attached communications network,
wherein the analytics module evaluates the plurality of network flow data to establish patterns of a particular behavior of the plurality of physical or virtual devices, and uses a machine learning model to evaluate received information from the plurality of network flow data, and
wherein upon identifying received information that varies from the machine learning model of the particular behavior of the plurality of physical or virtual devices, the system provides, via the presentation module, a report of anomalous flow data.
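The pipeline claim 1 lays out (per-device sensors emitting flow records, a collector with storage, an analytics module that learns a per-device baseline and flags deviations, and a presentation module exposing the report through an API) as a small runnable model. This is an added illustration, not code from the patent or from Cisco; the claim only says "a machine learning model", so the concrete detector here (a per-device service baseline with a byte-count z-score) and the sensor IDs, addresses and traffic are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, asdict
import statistics


@dataclass(frozen=True)
class Flow:
    sensor: str   # id of the sensor that saw the packets (on a VM, container or switch)
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


class Sensor:
    """Runs on one device and turns packets seen on that device's local
    interface into flow records. Packets are (src, dst, dport, proto, nbytes)."""
    def __init__(self, sensor_id):
        self.sensor_id = sensor_id

    def observe(self, packets):
        agg = defaultdict(int)
        for src, dst, dport, proto, nbytes in packets:
            agg[(src, dst, dport, proto)] += nbytes
        return [Flow(self.sensor_id, *key, total) for key, total in agg.items()]


class Collector:
    """Receives flow data from every sensor over the network and stores it."""
    def __init__(self):
        self.storage = []

    def receive(self, flows):
        self.storage.extend(flows)


class Analytics:
    """Assumed detector: per (sensor, dst, dport, proto), learn which services
    each device talks to and the mean/stdev of bytes per flow. A flow is
    anomalous if the service was never seen for that device, or its byte
    count lies more than Z_MAX standard deviations from the learned mean."""
    Z_MAX = 3.0

    def __init__(self):
        self.baseline = {}

    @staticmethod
    def key(f):
        return (f.sensor, f.dst, f.dport, f.proto)

    def fit(self, flows):
        samples = defaultdict(list)
        for f in flows:
            samples[self.key(f)].append(f.nbytes)
        self.baseline = {k: (statistics.mean(v), statistics.pstdev(v), len(v))
                         for k, v in samples.items()}

    def evaluate(self, flows):
        anomalies = []
        for f in flows:
            stats = self.baseline.get(self.key(f))
            if stats is None:
                anomalies.append((f, "unseen_service", None))
                continue
            mean, sd, n = stats
            if n < 2 or sd == 0:      # too few samples to judge volume
                continue
            z = (f.nbytes - mean) / sd
            if abs(z) > self.Z_MAX:
                anomalies.append((f, "volume", round(z, 1)))
        return anomalies


class Presentation:
    """API segment that returns the anomalous-flow report as plain records."""
    def __init__(self, analytics):
        self.analytics = analytics

    def api_anomalous_flows(self, flows):
        return [dict(asdict(f), reason=reason, zscore=z)
                for f, reason, z in self.analytics.evaluate(flows)]


def run_pipeline():
    """Constructed scenario: sensors on a VM, a container and a switch feed a
    collector; after training, a window with one normal flow, one new
    destination and one volume spike is evaluated."""
    vm, ctr, sw = Sensor("vm-1"), Sensor("ctr-7"), Sensor("sw-3")
    collector = Collector()
    for nbytes in (1000, 1100, 900, 1050):               # constructed training traffic
        collector.receive(vm.observe([("10.0.1.5", "10.0.2.9", 5432, "tcp", nbytes)]))
    for nbytes in (5000, 5200, 4800):
        collector.receive(ctr.observe([("10.0.3.2", "10.0.4.1", 443, "tcp", nbytes)]))
    collector.receive(sw.observe([("10.0.1.5", "10.0.2.9", 5432, "tcp", 1000),
                                  ("10.0.3.2", "10.0.4.1", 443, "tcp", 5000)]))
    analytics = Analytics()
    analytics.fit(collector.storage)
    new_flows = (vm.observe([("10.0.1.5", "10.0.2.9", 5432, "tcp", 1020),
                             ("10.0.1.5", "198.51.100.7", 4444, "tcp", 300)])
                 + ctr.observe([("10.0.3.2", "10.0.4.1", 443, "tcp", 90000)]))
    return Presentation(analytics).api_anomalous_flows(new_flows)


if __name__ == "__main__":
    for entry in run_pipeline():
        print(entry)
```

The switch sensor sees the same 5-tuples as the VM and container sensors but keys them under its own id, so a flow visible at the switch and not at the endpoint (or vice versa) would show up as an unseen service for one vantage point; that corroboration across sensor types is the reason the claim insists on sensors on VMs, containers and switches rather than one of them.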