US20100085891A1 - Apparatus and method for analysing a network - Google Patents


Info

Publication number: US20100085891A1
Authority: US (United States)
Prior art keywords: flow, unit, programmable controller, network, metering
Legal status: Abandoned (the status listed by Google is an assumption, not a legal conclusion)
Application number: US12/520,114
Inventors: Andreas Kind, Jan van Lunteren
Current assignee: International Business Machines Corp (the listed assignee may be inaccurate)
Original assignee: International Business Machines Corp
Events: application filed by International Business Machines Corp; assignment of assignors' interest to International Business Machines Corporation (assignors: Kind, Andreas; Lunteren, Jan van); publication of US20100085891A1; current legal status: abandoned.

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/02 Capturing of monitoring data
    • H04L 43/026 Capturing of monitoring data using flow identification
    • H04L 43/20 Arrangements for monitoring or testing data switching networks, the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • the invention relates to an apparatus, a method and a computer program for analysing a network flow.
  • IP Internet Protocol
  • IPFIX IP Flow Information Export
  • the NetFlow protocol provides technology for network accounting, bandwidth usage analysis, network anomaly detection, traffic engineering and capacity management.
  • NetFlow is supported at routers, switches, metering appliances and software-based traffic meters. Some high-end routers and switches support NetFlow with dedicated hardware extensions.
  • the present invention is directed to an apparatus, a computer system, a computer program and a method as defined in independent claims. Further embodiments of the invention are provided in the appended dependent claims.
  • an apparatus for analysing a network flow comprising
  • the architecture of the apparatus according to this aspect of the invention allows for an efficient, flexible and fast implementation of a flow metering function that is able to support a large number of configuration options. Such configuration options might cover different versions of today's or future standards.
  • This architecture provides the benefits of high performance without the drawback of fixed metering functionality and interfaces which only support a single standard.
  • the modular approach of this architecture comprises a parser that is provided for receiving a network flow and for extracting flow identification information from this network flow.
  • the parser can be programmed to extract any desirable combination of flow identification information from the network flow.
  • the flow identification information might e.g. be contained in fields of packet headers of a network flow.
  • the parser can be programmed to extract the corresponding header fields that are relevant for a specific protocol standard.
  • the flow identification information might comprise e.g. the source and destination IP address, the source and destination port and the IP protocol of the analysed network flow.
  • the network flow identified by the flow identification information is metered by a flow metering unit.
  • the metering of the flow identification information might e.g. comprise timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
  • Both the flow metering unit and the parser are controlled in parallel by a programmable controller.
  • the programmable controller can be individually programmed for the respective application environment, the protocol standards used for the network flow (e.g. NetFlow v5, v7, v9, IPFIX), the number of flows to be supported and the speed of the respective network.
  • the parser and the flow metering unit are generic units. The specific functionality of these generic units is determined by the programmable controller.
  • the flow metering unit is provided for sending flow status information to the programmable controller and the programmable controller is provided for sending flow metering instructions to the flow metering unit in dependence on the flow status information.
  • Such a control loop between the flow metering unit and the programmable controller facilitates an efficient, fast and flexible flow metering process and processing.
  • the parser is provided for sending parsing information to the programmable controller and the programmable controller is provided for sending parsing instructions to the parser in dependence on the parsing information.
  • Such a control loop between the parser and the programmable controller facilitates an efficient, fast and flexible parsing process and processing.
  • Such a parallel processing structure further facilitates an efficient, fast and flexible flow metering process and processing.
  • the programmable controller comprises a program memory comprising two or more flow metering programs.
  • the two or more flow metering programs can e.g. be programmed for different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network.
  • the programmable controller is implemented as programmable state machine.
  • the implementation of the programmable controller as programmable state machine is a flexible and cost effective solution.
  • the programmable state machine comprises a transition rule memory, a rule selector and a state register, wherein the rule selector is provided for receiving an external input signal and an internal input signal from the state register indicating the current state and wherein the rule selector is provided for observing the internal and external input signal by means of the transition rule memory for transition rules and for changing the state of the state register and generation of an output signal comprising parsing and/or flow metering instructions when a transition rule applies.
  • This embodiment is an efficient way of implementing the programmable state machine.
  • the transition rule memory is provided for storing a set of transition rules.
  • a set of transition rules may establish a flow metering program. For different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network a plurality of sets of transition rules might be loaded into the transition rule memory.
  • the rule selector is provided for receiving an external input signal and an internal input signal from the state register.
  • the internal input signal from the state register indicates the current state of the programmable state machine.
  • the external input signal or the external input signals are received from the flow metering unit and/or the parser.
  • the external input signal of the state machine may comprise flow status information, parser information and various other information.
  • the rule selector observes the internal and external input signal by means of the transition rule memory for transition rules. If a predefined transition rule applies, the programmable state machine changes the state of the state register and generates an output signal comprising parsing and/or flow metering instructions.
  • the programmable state machine observes the flow status information and/or the parsing information for predefined states.
  • the state machine changes its state when such a predefined state is detected. The state change then triggers control actions for the parser and/or the flow metering unit.
  • the flow table unit comprises a memory for storing information about the network flows that are analysed by the apparatus.
  • the flow table might e.g. use the 5-tuple definition to characterise a specific network flow.
  • the flow table may provide an entry for each specific network flow characterized by the 5-tuple definition.
  • a network flow is defined as a unidirectional sequence of packets that have the same source and destination IP address, the same source and destination port and the same IP protocol.
  • the flow table may store flow metering information, e.g. timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
  • the flow table management unit is provided for managing the entries of the flow table.
  • the flow table management unit is controlled by the programmable controller.
  • This flow table management unit may be provided to execute various flow metering instructions received from the programmable controller.
  • Such flow metering instructions may include instructions for updating the flow table unit, creating a new entry in the flow table unit and checking the status or specific entries of the flow table unit.
  • the flow table management unit may be implemented using a conventional hard-wired state machine.
  • the flow table management unit may check upon reception of a check-command from the programmable controller if the flow table already contains an entry for an identified network flow. As a result it could provide an indication (implemented as a single-bit flag) back to the programmable controller that indicates whether an entry for this identified network flow already exists or the identified network flow is a new flow that is not present in the flow table of the flow table unit.
  • the programmable controller may dispatch further flow metering instructions to the table management unit to either update an existing flow table entry, to create a new flow table entry or to create a complete new flow table with a corresponding “update”, “create new flow table entry” or “create new flow table” command.
  • the flow information export unit is provided for exporting flow information to another location or entity.
  • the flow information export unit is controlled by the programmable controller as well.
  • the programmable controller may trigger the export of flow metering information by dispatching an export-command to the flow information export unit.
  • the flow table management unit comprises a programmable hash function unit provided with two or more selectable hash functions for mapping the flow identification information on a hash index, wherein the programmable controller is provided for selecting one of the selectable hash functions.
  • Hash functions are widely used to improve the efficiency of network flow analysis and network flow metering.
  • different standards and different protocol versions of flow metering standards use different hash functions.
  • the apparatus according to this embodiment of the invention can support these different standards and protocol versions.
  • the programmable controller is provided for sending table management commands to the table management unit.
  • Such table management commands may be e.g. an update-command, a create-command or a check-command.
  • the apparatus is implemented as hardware assist device.
  • the implementation of the apparatus as hardware assist device has the advantage that it can be implemented in a system without placing processing load on that system's processor.
  • a second aspect of the invention relates to a computer system comprising a central processing unit, a memory and a computer networking device, comprising an apparatus according to the first aspect of the invention for analysing the network flow in the computer networking device.
  • the computer networking device may be e.g. a switch or a router.
  • the apparatus works as hardware assist device for the central processing unit of the computer system. This allows for an analysis of the network flow without loading the central processor.
  • a third aspect of the invention relates to a computer system comprising two or more virtual computing systems, further comprising an apparatus according to the first aspect of the invention, wherein the apparatus is provided for analysing the network flow between the virtual computing systems and/or between the virtual computing systems and an external device.
  • This architecture allows for an efficient implementation of a network flow function within a virtualized environment.
  • the software networking device may be e.g. a software switch, i.e. a switch implemented in software.
  • the hardware networking device may be e.g. a hardware switch, i.e. a switch implemented in hardware.
  • the external device can be e.g. another computer system, a network, the internet or any other destination.
  • the apparatus is arranged in the hardware networking device.
  • a fourth aspect of the invention relates to a method for analysing a network flow, comprising the steps of
  • a fifth aspect of the invention relates to a flow metering computer program comprising instructions for carrying out a flow metering program on a programmable controller, the flow metering computer program being provided for controlling the flow metering unit and the parser of an apparatus according to the first aspect of the invention.
  • FIG. 1 is a schematic drawing of an apparatus for analyzing a network flow according to an embodiment of the invention, comprising a programmable controller, a parser and a flow metering unit,
  • FIG. 2 shows a schematic computer system comprising a computer networking device and an apparatus for analysing the network flow in the computer networking device
  • FIG. 3 is a schematic drawing of a programmable controller implemented as state machine
  • FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail
  • FIG. 5 shows a flow chart illustrating a flow table update function of the flow metering unit
  • FIG. 6 shows a flow chart illustrating the determination of expired table entries of a flow table unit
  • FIG. 7 shows a flow chart illustrating the exportation of expired table entries of the flow table unit
  • FIG. 8 shows a schematic drawing of a computer system comprising virtual computing systems and an apparatus for analysing the network flow between the virtual computing systems.
  • FIG. 1 shows an apparatus 100 for analysing a network flow 105 according to an exemplary embodiment of the invention.
  • the apparatus 100 comprises a parser 110 for extracting flow identification information from the network flow 105.
  • the network flow 105 may be any kind of communication traffic in a network, in particular end-to-end network traffic.
  • the network flow 105 may comprise a sequence of data packets, wherein each data packet is part of a communication between two distinct network addresses.
  • the apparatus 100 comprises a flow metering unit 130 for metering the network flow 105 and a programmable controller 140 for controlling the flow metering unit 130 and the parser 110.
  • the flow metering unit 130 is provided for sending flow status information to the programmable controller 140 and the programmable controller 140 is provided for sending flow metering instructions to the flow metering unit 130 in dependence on the flow status information. Furthermore, the parser 110 is provided for sending parsing information to the programmable controller 140 and the programmable controller 140 is provided for sending parsing instructions to the parser 110 in dependence on the parsing information.
  • the programmable controller 140 comprises a central processing unit 150 and a program memory 160.
  • in the program memory 160 one or more flow metering programs 170 can be stored.
  • the apparatus 100 is preferably implemented in hardware and may be used as hardware assist device. This is further illustrated with reference to FIG. 2.
  • FIG. 2 shows a computer system 200 comprising a central processing unit 210, a memory 220 and a computer networking device 230. Furthermore it comprises the apparatus 100 for analysing a network flow.
  • the apparatus 100 is implemented in hardware as hardware assist device for the central processing unit 210.
  • the central processing unit 210, the memory 220, the computer networking device 230 and the apparatus 100 are coupled via an internal bus system 240.
  • the computer networking device 230 may be any kind of Input/Output device, e.g. a router or a switch.
  • the computer networking device 230 serves as router between a first Local Area Network (LAN) 250, a second LAN 260 and the Internet 270.
  • the computer networking device 230 is provided for routing network flows 280 between the first LAN 250, the second LAN 260 and the Internet 270.
  • the apparatus 100 is provided for analysing and metering the network flow in the computer networking device 230.
  • FIG. 3 shows a schematic block diagram of a programmable controller 300 according to another exemplary embodiment of the invention.
  • the programmable controller 300 is implemented as programmable state machine.
  • the programmable controller 300 comprises a transition rule memory 310, a rule selector 320 and a state register 330.
  • the rule selector 320 is provided for receiving as external input signal 340 parsing information from the parser 110 and flow status information from the flow metering unit 130 of FIG. 1.
  • the rule selector 320 is provided for receiving an internal input signal 350 from the state register 330. This internal input signal 350 indicates the current state of the state register 330.
  • the rule selector 320 observes the internal input signal 350 and the external input signal 340 by means of the transition rule memory 310 for transition rules.
  • the rule selector 320 is provided for changing the state of the state register 330 and sending parsing instructions to the parser 110 and/or flow metering instructions to the flow metering unit 130 of FIG. 1.
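The transition rule memory, rule selector and state register of FIG. 3 (and the programmable state machine described under Definitions above) amount to a table-driven state machine: the pair (current state, external input) is looked up in the rule memory, and a matching rule supplies the next state and the instruction to emit. The following Python is an added example written for this page, not code from the patent or from IBM; the state names, input signals and instruction strings in the rule table are assumptions chosen to mirror the check, update, create, scan and export commands the page describes.

```python
# Added example (not from the patent): a table-driven model of the
# programmable state machine of FIG. 3. The transition rule memory is a
# dict keyed by (current state, external input); each rule gives the next
# state and the instruction to emit. State names, input signals and
# instruction names below are assumptions chosen to mirror the page.
from typing import Dict, List, Optional, Tuple

# One transition rule: (next state, instruction for parser/metering unit, or None)
Rule = Tuple[str, Optional[str]]
RuleMemory = Dict[Tuple[str, str], Rule]


class ProgrammableStateMachine:
    def __init__(self, initial_state: str) -> None:
        self.state = initial_state          # the state register
        self.rule_memory: RuleMemory = {}   # the transition rule memory
        self.emitted: List[str] = []        # instructions output so far

    def load_program(self, rules: RuleMemory) -> None:
        """Load one flow metering program (one set of transition rules)."""
        self.rule_memory = dict(rules)

    def step(self, external_input: str) -> Optional[str]:
        """Rule selector: combine the internal input (current state) with the
        external input, look the pair up in the rule memory and, if a rule
        applies, change state and emit the rule's instruction."""
        rule = self.rule_memory.get((self.state, external_input))
        if rule is None:
            return None                     # no rule applies: nothing changes
        next_state, instruction = rule
        self.state = next_state
        if instruction is not None:
            self.emitted.append(instruction)
        return instruction


# A constructed flow metering program: parse on packet arrival, ask the table
# management unit to check for an entry, then update or create depending on
# the single-bit "exists" flag it returns; on a timer tick, scan and export.
METERING_PROGRAM: RuleMemory = {
    ("idle",     "packet_arrived"): ("parsing",  "parser:extract_fields"),
    ("parsing",  "fields_ready"):   ("lookup",   "table:check"),
    ("lookup",   "entry_exists"):   ("idle",     "table:update"),
    ("lookup",   "entry_missing"):  ("idle",     "table:create"),
    ("idle",     "timer_expired"):  ("scanning", "table:scan"),
    ("scanning", "scan_done"):      ("idle",     "export:generate_packet"),
}


def run_program(signals: List[str], program: RuleMemory = METERING_PROGRAM) -> List[str]:
    """Feed a sequence of external input signals through the machine and
    return the instructions it emitted, in order."""
    psm = ProgrammableStateMachine("idle")
    psm.load_program(program)
    for signal in signals:
        psm.step(signal)
    return psm.emitted


if __name__ == "__main__":
    # Constructed input: a packet of a new flow, a packet of a known flow, a timer tick.
    print(run_program(["packet_arrived", "fields_ready", "entry_missing",
                       "packet_arrived", "fields_ready", "entry_exists",
                       "timer_expired", "scan_done"]))
```

Swapping in a second rule table via `load_program` is the software counterpart of holding two or more flow metering programs in the program memory: the same selector and register serve every protocol version, only the rule set differs. A signal with no matching rule is simply ignored, which keeps an unexpected status bit from driving the machine into an undefined state.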
  • FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail.
  • the parser 110 can be programmed by means of the programmable controller 140 to extract any desirable flow identification information from the network flow 105.
  • the network flow 105 comprises packets including a packet header and the parser 110 uses the packet headers to extract the flow identification information.
  • the parser 110 may be programmed to extract any desirable combination of header fields from the packet header that will be used for flow identification. Examples of such header fields include IP source and destination addresses, Transmission Control Protocol (TCP) source and destination port numbers, Multi-Protocol Label Switching (MPLS) and Virtual Local Area Network (VLAN) tags etc.
  • TCP Transmission Control Protocol
  • MPLS Multi-Protocol Label Switching
  • VLAN Virtual Local Area Network
  • the parser 110 can be programmed to extract the corresponding header fields that are relevant for that protocol standard.
  • the parser 110 is provided for writing the flow identification information of these header fields into a register unit 400.
  • the register unit 400 comprises registers with flow identification information derived from packet headers.
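A programmable parser of the kind described for parser 110 and register unit 400 can be modelled as a parser driven by a list of field descriptors: the controller loads a program saying which header bytes to copy into which register, and the same parsing engine serves every field combination. The following Python is an added example written for this page, not code from the patent or from IBM; the descriptor format, the two sample programs and the helper names are assumptions, and the packets are IPv4 followed by a TCP/UDP port pair.

```python
# Added example (not from the patent): a descriptor-driven header parser in
# the spirit of the programmable parser 110 / register unit 400. The
# "program" is a list of field descriptors naming which header bytes to copy
# into named registers. The descriptor format and helper names are
# assumptions of this example; IPv4 followed by a TCP/UDP port pair is assumed.
import ipaddress
import struct
from typing import Dict, List, Tuple

# (register name, header layer, byte offset within that layer, length in bytes)
FieldDescriptor = Tuple[str, str, int, int]

# Program 1: the classic 5-tuple used by the flow table key fields.
FIVE_TUPLE_PROGRAM: List[FieldDescriptor] = [
    ("src_ip",   "ip", 12, 4),
    ("dst_ip",   "ip", 16, 4),
    ("protocol", "ip",  9, 1),
    ("src_port", "l4",  0, 2),
    ("dst_port", "l4",  2, 2),
]

# Program 2: address pair only, for a configuration that aggregates all
# traffic between two hosts into one flow table entry.
HOST_PAIR_PROGRAM: List[FieldDescriptor] = [
    ("src_ip", "ip", 12, 4),
    ("dst_ip", "ip", 16, 4),
]


def parse_headers(packet: bytes, program: List[FieldDescriptor]) -> Dict[str, int]:
    """Copy the programmed header fields into a register dict."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20:
        raise ValueError("invalid IPv4 header length")
    base = {"ip": 0, "l4": ihl}                   # where each layer's header starts
    registers: Dict[str, int] = {}
    for name, layer, offset, length in program:
        start = base[layer] + offset
        field = packet[start:start + length]
        if len(field) != length:                  # truncated packet: refuse to guess
            raise ValueError(f"packet too short for field {name}")
        registers[name] = int.from_bytes(field, "big")
    return registers


def build_packet(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed sample packet: a minimal IPv4 header (IHL=5, no options)
    followed by the first four bytes of a TCP/UDP header (the two ports)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return ip_hdr + struct.pack("!HH", sport, dport)


def flow_key(packet: bytes, program: List[FieldDescriptor]) -> Tuple[int, ...]:
    """The flow identification information as a tuple, in program order."""
    regs = parse_headers(packet, program)
    return tuple(regs[name] for name, _, _, _ in program)


if __name__ == "__main__":
    pkt = build_packet("10.0.0.1", "10.0.0.2", 6, 51515, 443)
    print(flow_key(pkt, FIVE_TUPLE_PROGRAM))
    print(flow_key(pkt, HOST_PAIR_PROGRAM))
```

The length check on every field matters in a metering path: a truncated or malformed header should produce an explicit error (and, in hardware, a status signal to the controller) rather than silently filling a register with bytes from the wrong offset, which would corrupt the flow key and hence the flow table.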
  • This flow identifying information is provided as input to a programmable hash function unit 410.
  • the programmable hash function unit 410 maps the flow identification information stored in the register unit 400 on a hash index. In other words, the programmable hash function unit 410 maps the actual values of the selected header fields upon a hash index.
  • the programmable hash function unit 410 may provide a variety of hash functions that cover all desired functions for the protocol versions that the apparatus 100 shall support.
  • the programmable controller 140 is provided for selecting one of the available hash functions. The selection of one of the hash functions may be implemented by sending a hash identifier corresponding to that hash function from the programmable controller 140 to the programmable hash function unit 410.
  • Such a hash identifier can consist of a short bit vector that uniquely corresponds to one of the implemented hash functions.
  • the flow metering unit 130 further comprises a flow table management unit 420.
  • the flow table management unit 420 is provided to receive the hash index of the respective flow identification information of the respective packet header from the programmable hash function unit 410.
  • the flow table management unit 420 manages and controls a flow table unit 430.
  • the flow table management unit 420 can execute flow table management commands as flow metering instructions.
  • Such flow table management commands may include e.g. commands for updating the flow table unit 430, for creating a new entry in the flow table unit 430, for checking entries of the flow table unit 430, for removing entries from the flow table unit 430 and for scanning the entries of the flow table unit 430.
  • the flow table management unit 420 is implemented by means of a hardwired state machine.
  • the flow table management commands are sent from the programmable controller 140 to the flow table management unit 420.
  • the flow table unit 430 comprises a memory that stores network flow entries for network flows identified by the respective hash index.
  • the network flow entries comprise key fields that define the flow and content fields that comprise information about the defined flow.
  • the content fields are updated with every new packet of the network flow.
  • the flow table unit 430 might e.g. use the 5-tuple definition to characterise and define the network flow in the key fields.
  • the key fields would comprise the source and destination IP address, the source and destination port and the IP protocol of the respective network flow.
  • the flow table may store in the corresponding content fields flow metering information, e.g. timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
  • upon reception of a check-command from the programmable controller 140, the flow table management unit 420 will check if the flow table unit 430 already contains an entry for the network flow identified by the respective hash index. In return it will provide as flow status information an indication to the programmable controller 140 that indicates that the respective network flow exists or that the hash index corresponds to a new network flow that is not present in the flow table unit 430.
  • the flow table management unit 420 can also have direct access to the actual register values of the register unit 400, i.e. to the flow identification information stored in the register unit 400.
  • the programmable controller 140 may dispatch as flow metering instructions table management commands to the flow table management unit 420 to either update an existing flow table entry or to create a new flow table entry by means of an update or a create command.
  • the programmable controller 140 is provided for controlling the scanning of the flow table unit 430 for expired flow table entries.
  • the programmable controller 140 will test the value of a programmable timer 450 which can be configured to meet the characteristics of the supported protocol versions of the respective network analysis protocol. This will trigger the programmable controller 140 to send as table management command a scan instruction to the flow table management unit 420 after certain periods and/or at regular configurable intervals.
  • the flow table management unit 420 will then scan the flow table unit 430 and report any expired flow table entries to the programmable controller 140.
  • the programmable controller 140 can send a remove-command to remove these flow table entries to the flow table management unit 420.
  • the programmable controller 140 can trigger the export of these expired flow table entries. In the latter case, the programmable controller 140 triggers the creation of a flow information packet containing information on the expired network flow.
  • the programmable controller 140 sends a “generate packet” command to a flow information export unit 440.
  • the flow information export unit 440 is also denoted as packet generator.
  • the flow information export unit 440 can be implemented using a hardwired state machine.
  • the flow information export unit 440 exports a flow information packet containing network flow information to a central server or any other destination.
  • the flow metering functions of the flow metering unit 130 can be implemented, configured and executed differently depending on the application environment, the used protocol standards (e.g. NetFlow v5, v7, v9, IPFIX), the number of network flows to be supported or the speed of the respective network.
  • NetFlow v9 and IPFIX do not use fixed record fields, but a variable number of fields defined in flow templates.
  • a template determines the content of the flow table and the amount of exported network flow information.
  • multiple network flows can be aggregated and mapped on the same flow table entry.
  • the flow table might contain various types of information for each network flow.
  • the rules that determine when network flow information will be exported can vary.
  • FIG. 5 shows a flow chart illustrating a flow table update function of the flow metering unit 130.
  • in step 510 the apparatus 100 receives a data packet of a network flow that is observed.
  • the parser 110 parses the header of the data packet, extracts the flow identification information and writes it in the register unit 400.
  • the programmable hash function unit 410 calculates the hash index of the flow identification information and the flow table management unit 420 performs a flow table (hash table) lookup in the flow table unit 430.
  • the flow table management unit 420 evaluates whether a flow table entry already exists for the respective hash index. If this is the case, the flow table management unit 420 updates in step 550 the respective flow table entry in the flow table unit 430. If this is not the case, the flow table management unit 420 creates in step 560 a new flow table entry in the flow table unit 430.
  • FIG. 6 shows a flow chart illustrating the determination of expired flow table entries in the flow table unit 430.
  • in step 600 the programmable controller 140 sends as flow metering instruction a scan-command to the flow table management unit 420. This can happen after certain time periods and/or at regular configurable intervals.
  • the flow table management unit 420 will then scan the flow table unit 430.
  • in step 610 the flow table management unit 420 selects an initial entry of the flow table unit 430 and determines in step 620 the time t since the last update. If the time t is larger than a predefined time, e.g. determined by the timer 450, the respective entry of the flow table unit 430 is marked as expired.
  • in step 650 it is checked whether all entries of the flow table unit 430 have been processed, i.e. have been checked for expiration.
  • if this is not the case, the flow table management unit 420 will select the next entry and continue with step 620. If the result of step 650 is that all entries of the flow table unit 430 have been processed, the scanning has been completed. The scanning function of the flow table management unit 420 then waits in step 670 for a time t′ until it receives a new scan-command from the programmable controller 140.
  • FIG. 7 shows a flow chart illustrating the export of expired table entries to a server or another destination.
  • in step 700 the programmable controller 140 triggers the export process by sending a “generate packet” command to the flow information export unit (packet generator) 440.
  • the flow information export unit 440 then selects an initial entry of the flow table unit 430 and checks in step 720 if the respective entry is marked as expired. If this is the case, the flow information export unit 440 creates and transmits in step 730 a flow information packet containing network flow information of the expired network flow of the respective flow table entry.
  • the flow information export unit 440 may export a flow information packet to a central server or any other destination.
  • the respective table entry is then removed from the flow table unit 430.
  • in step 750 the flow information export unit 440 checks if all table entries have been processed, i.e. checked for flows that are marked as expired. If the result of step 720 is that the respective flow table entry is not marked as expired, the export process continues with step 750 as well. If the check of step 750 is negative, in step 760 the next flow table entry is selected for processing and the export process continues with step 720. If the check of step 750 is positive, the export process is finished for the time being. The export function of the flow information export unit 440 then waits in step 770 for a time t′′ until it receives a new generate packet command from the programmable controller 140.
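The three flow charts (table update in FIG. 5, expiry scan in FIG. 6, export of expired entries in FIG. 7) together with the controller-selectable hash function of the programmable hash function unit 410 can be modelled end to end in software. The following Python is an added example written for this page, not code from the patent or from IBM; the table size, the two hash identifiers and their functions, the timeout value, the timestamps and the exported record layout are assumptions, while the 5-tuple key fields and the start/finish/packet/byte content fields follow the page. It keeps the key-field comparison that the page allows for (the management unit has access to the register values), which is what makes two distinct flows that collide on the same hash index safe.

```python
# Added example (not from the patent): a software model of the flow table
# unit 430 with the update (FIG. 5), expiry scan (FIG. 6) and export (FIG. 7)
# procedures and a controller-selectable hash function as in the programmable
# hash function unit 410. Table size, hash identifiers, timeout and record
# layout are assumptions of this example; the 5-tuple key follows the page.
import hashlib
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int, int]   # src_ip, dst_ip, protocol, src_port, dst_port

# Hash identifier (selected by the controller) -> hash function over the key bytes.
HASH_FUNCTIONS: Dict[int, Callable[[bytes], int]] = {
    0: lambda data: zlib.crc32(data),
    1: lambda data: int.from_bytes(hashlib.sha256(data).digest()[:4], "big"),
}


def hash_index(key: FlowKey, hash_id: int, table_size: int) -> int:
    """Map the flow identification information onto a hash index."""
    data = "|".join(map(str, key)).encode()
    return HASH_FUNCTIONS[hash_id](data) % table_size


@dataclass
class FlowEntry:
    key: FlowKey            # key fields that define the flow
    first_seen: float       # content fields: start/finish timestamps and counters
    last_update: float
    packets: int = 0
    byte_count: int = 0
    expired: bool = False


class FlowTable:
    def __init__(self, table_size: int, hash_id: int, timeout: float) -> None:
        self.table_size = table_size
        self.hash_id = hash_id
        self.timeout = timeout
        # One bucket per hash index; a list so that distinct keys that collide
        # on the same index are told apart by comparing key fields.
        self.buckets: Dict[int, List[FlowEntry]] = {}

    def _check(self, key: FlowKey) -> Tuple[int, Optional[FlowEntry]]:
        """check-command: does an entry for this flow already exist?"""
        idx = hash_index(key, self.hash_id, self.table_size)
        for entry in self.buckets.get(idx, []):
            if entry.key == key:
                return idx, entry
        return idx, None

    def update(self, key: FlowKey, length: int, now: float) -> str:
        """FIG. 5: lookup, then update the entry (step 550) or create one (step 560)."""
        idx, entry = self._check(key)
        if entry is None:
            self.buckets.setdefault(idx, []).append(FlowEntry(key, now, now, 1, length))
            return "created"
        entry.packets += 1
        entry.byte_count += length
        entry.last_update = now
        return "updated"

    def scan(self, now: float) -> int:
        """FIG. 6: mark every entry idle longer than the timeout as expired."""
        marked = 0
        for entries in self.buckets.values():
            for entry in entries:
                if not entry.expired and now - entry.last_update > self.timeout:
                    entry.expired = True
                    marked += 1
        return marked

    def export(self) -> List[dict]:
        """FIG. 7: emit one flow information record per expired entry and remove it."""
        records: List[dict] = []
        for idx in list(self.buckets):
            kept = []
            for entry in self.buckets[idx]:
                if entry.expired:
                    records.append({"key": entry.key, "start": entry.first_seen,
                                    "end": entry.last_update, "packets": entry.packets,
                                    "bytes": entry.byte_count})
                else:
                    kept.append(entry)
            if kept:
                self.buckets[idx] = kept
            else:
                del self.buckets[idx]
        return records

    def active_entries(self) -> int:
        return sum(len(entries) for entries in self.buckets.values())


def demo(hash_id: int = 0) -> Tuple[List[str], int, List[dict], int]:
    """Constructed traffic: three packets at t=0,1,2, then a scan at t=5 with a 3 s timeout."""
    table = FlowTable(table_size=1024, hash_id=hash_id, timeout=3.0)
    a: FlowKey = ("10.0.0.1", "10.0.0.2", 6, 51515, 443)
    b: FlowKey = ("10.0.0.3", "10.0.0.2", 17, 40000, 53)
    results = [table.update(a, 100, 0.0), table.update(a, 200, 1.0), table.update(b, 60, 2.0)]
    marked = table.scan(5.0)        # a is idle for 4 s (> 3), b for 3 s (not > 3)
    records = table.export()
    return results, marked, records, table.active_entries()


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check in such a design: the export step removes an entry only after its record has been produced, so a flow is never lost between scan and export, and the per-bucket key comparison means a deliberately chosen pair of colliding 5-tuples is still metered as two flows rather than merged, which matters because the exported records are what later anomaly detection consumes.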
  • FIG. 8 shows a schematic drawing of a virtualized server environment comprising an apparatus for analyzing the network flow between virtual computing systems.
  • the virtualized server environment comprises a computer system 800 comprising two or more virtual computing systems 810 that run on a central processing unit 820 of the computer system 800 .
  • the computer system 800 comprises further a software networking device 830 for internal communication between the virtual computing systems 810 and a hardware networking device 840 for external communication between the virtual computing systems 810 and an external device 850 .
  • the software networking device 830 is provided for managing and controlling the internal communication between the virtual computing systems 810 . It may be e.g. a software switch, i.e. a switch implemented in software.
  • the hardware networking device 840 may be e.g. a network adapter or a hardware switch. It is provided for managing and controlling the external communication between the virtual computing systems 810 and an external device 850 .
  • the external device 850 can be e.g. another computer system, a network, the internet or any other destination the computer system 800 would like to communicate with.
  • the hardware networking device 840 comprises the apparatus 100 for analysing a network flow.
  • the apparatus 100 is implemented in hardware as hardware assist device for the central processing unit 820 of the computer system 800 .
  • the virtual computing systems 810 may communicate with each other via the software networking device 830 and a virtual local network 860 .
  • the virtual local network 860 could be e.g. a Virtual Local Area Network (VLAN).
  • the hardware networking device 840 can communicate with the virtual computing systems 810 and with the software networking device 830 by means of a virtual Input/Output (I/O) server partition 870
  • the software networking device 830 is provided for forwarding the network flow or parts of the network flow occurring in the software networking device 830 to the apparatus 100 .
  • the hardware networking device 840 is provided for forwarding the network flow or parts of the network flow occurring in the hardware networking device 840 to the apparatus 100 .
  • the software networking device 830 may use the virtual Input/Output (I/O) server partition 870 for forwarding the network flow or parts of the network flow to the apparatus 100 .
  • the hardware networking device 840 may use a hardware bus 880 for forwarding the network flow or parts of the network flow to the apparatus 100 .
  • the computer system 800 allows for monitoring and analysing the network flow between the virtual computing systems 810 and/or between the virtual computing systems 810 and the external device 850 in a scalable way. There is no additional software needed on the computer system 800 and on the virtual computing systems 810 .
  • the described techniques may be implemented as a method, apparatus or article of manufacture involving software, firmware, micro-code, hardware and/or any combination thereof.
  • article of manufacture refers to code or logic implemented in a medium, where such medium may comprise hardware logic [e.g., an integrated circuit chip, Programmable Gate Array (PGA), Application Specific Integrated Circuit (ASIC), etc.] or a computer readable medium, such as magnetic storage medium (e.g., hard disk drives, floppy disks, tape, etc.), optical storage (CD-ROMs, optical disks, etc.), volatile and non-volatile memory devices [e.g., Electrically Erasable Programmable Read Only Memory (EEPROM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), flash, firmware, programmable logic, etc.].
  • Code in the computer readable medium is accessed and executed by a processor.
  • the medium in which the code or logic is encoded may also comprise transmission signals propagating through space or a transmission media, such as an optical fiber, copper wire, etc.
  • the transmission signal in which the code or logic is encoded may further comprise a wireless signal, satellite transmission, radio waves, infrared signals, Bluetooth, etc.
  • the transmission signal in which the code or logic is encoded is capable of being transmitted by a transmitting station and received by a receiving station, where the code or logic encoded in the transmission signal may be decoded and stored in hardware or a computer readable medium at the receiving and transmitting stations or devices.
  • the “article of manufacture” may comprise a combination of hardware and software components in which the code is embodied, processed, and executed.
  • the article of manufacture may comprise any information bearing medium.
  • the article of manufacture comprises a storage medium having stored therein instructions that when executed by a machine results in operations being performed.
  • Certain embodiments can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements.
  • the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
  • certain embodiments can take the form of a computer program product accessible from a computer usable or computer readable medium providing program code for use by or in connection with a computer or any instruction execution system.
  • a computer usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
  • the medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium.
  • Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk—read only memory (CD-ROM), compact disk—read/write (CD-R/W) and DVD.
  • Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise.
  • devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries.
  • a description of an embodiment with several components in communication with each other does not imply that all such components are required.
  • a variety of optional components are described to illustrate the wide variety of possible embodiments.
  • process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order.
  • the steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously, in parallel, or concurrently.
  • Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.

Abstract

The invention relates to an apparatus for analysing a network flow, comprising a parser for extracting flow identification information from the network flow, a flow metering unit for metering the network flow, and a programmable controller for controlling the flow metering unit and the parser.

Description

  • TECHNICAL FIELD
  • The invention relates to an apparatus, a method and a computer program for analysing a network flow.
  • BACKGROUND OF THE INVENTION
  • Communication networks, e.g. networks according to the Internet Protocol (IP) are complex and difficult to analyse and to monitor with respect to the end-to-end network traffic flows, also denoted as network flows. A known protocol for analyzing a network flow is the NetFlow protocol that is currently being standardized by the Internet Engineering Task Force (IETF). Details are provided in IETF IP Flow Information Export (IPFIX) at http://www.ietf.org/html.charters/ipfix-charter.html.
  • The NetFlow protocol provides technology for network accounting, bandwidth usage analysis, network anomaly detection, traffic engineering and capacity management.
  • NetFlow is supported at routers, switches, metering appliances and software-based traffic meters. Some high-end routers and switches support NetFlow with dedicated hardware extensions.
  • The realization of extensions in a router or switch for NetFlow or for other network analysis protocols is typically expensive because the extension has to be well integrated into the specific forwarding and routing architecture of the router or switch.
  • It is an object of the invention to provide improved solutions for network flow analysis. It is a further object of the invention to provide an improved apparatus, an improved method, an improved computer system and an improved computer program for analysing a network flow.
  • SUMMARY AND ADVANTAGES OF THE INVENTION
  • The present invention is directed to an apparatus, a computer system, a computer program and a method as defined in independent claims. Further embodiments of the invention are provided in the appended dependent claims.
  • According to a first aspect of the invention there is provided an apparatus for analysing a network flow, comprising
      • a parser for extracting flow identification information from the network flow,
      • a flow metering unit for metering the network flow,
      • a programmable controller for controlling the flow metering unit and the parser.
  • The architecture of the apparatus according to this aspect of the invention allows for an efficient, flexible and fast implementation of a flow metering function that is able to support a large number of configuration options. Such configuration options might cover different versions of today's or future standards. This architecture provides the benefits of high performance without the drawback of fixed metering functionality and interfaces which only support a single standard.
  • The modular approach of this architecture comprises a parser that is provided for receiving a network flow and for extracting flow identification information from this network flow. The parser can be programmed to extract any desirable combination of flow identification information from the network flow. The flow identification information might e.g. be contained in fields of packet headers of a network flow. As an example, the parser can be programmed to extract the corresponding header fields that are relevant for a specific protocol standard. The flow identification information might comprise e.g. the source and destination IP address, the source and destination port and the IP protocol of the analysed network flow.
  • The network flow identified by the flow identification information is metered by a flow metering unit. The metering of the flow identification information might e.g. comprise timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
  • Both the flow metering unit and the parser are controlled in parallel by a programmable controller. The programmable controller can be individually programmed for the respective application environment, the protocol standards used for the network flow (e.g. NetFlow v5, v7, v9, IPFIX), the number of flows to be supported and the speed of the respective network. Hence the parser and the flow metering unit are generic units. The specific functionality of these generic units is determined by the programmable controller.
  • According to an embodiment of this aspect of the invention the flow metering unit is provided for sending flow status information to the programmable controller and the programmable controller is provided for sending flow metering instructions to the flow metering unit in dependence on the flow status information.
  • Such a control loop between the flow metering unit and the programmable controller facilitates an efficient, fast and flexible flow metering process and processing.
  • According to another embodiment of this aspect of the invention the parser is provided for sending parsing information to the programmable controller and the programmable controller is provided for sending parsing instructions to the parser in dependence on the parsing information.
  • Such a control loop between the parser and the programmable controller facilitates an efficient, fast and flexible parsing process and processing.
  • According to another embodiment of this aspect of the invention the programmable controller is provided for
      • evaluating in parallel two or more flow status information values of the flow metering unit,
      • sending two or more flow metering instructions in parallel to the flow metering unit.
  • Such a parallel processing structure further facilitates an efficient, fast and flexible flow metering process and processing.
  • According to another embodiment of this aspect of the invention the programmable controller comprises a program memory comprising two or more flow metering programs.
  • The two or more flow metering programs can e.g. be programmed for different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network.
  • This allows for changing the configuration and application of the apparatus very quickly and easily. Furthermore, it is a flexible and cost effective solution.
  • According to another embodiment of this aspect of the invention the programmable controller is implemented as a programmable state machine.
  • The implementation of the programmable controller as a programmable state machine is a flexible and cost effective solution.
  • According to another embodiment of this aspect of the invention the programmable state machine comprises a transition rule memory, a rule selector and a state register, wherein the rule selector is provided for receiving an external input signal and an internal input signal from the state register indicating the current state and wherein the rule selector is provided for observing the internal and external input signal by means of the transition rule memory for transition rules and for changing the state of the state register and generation of an output signal comprising parsing and/or flow metering instructions when a transition rule applies.
  • This embodiment is an efficient way of implementing the programmable state machine.
  • The transition rule memory is provided for storing a set of transition rules. A set of transition rules may establish a flow metering program. For different versions of network analysis protocols, for different application environments, for different numbers of flows to be supported and for different speeds of the network a plurality of sets of transition rules might be loaded into the transition rule memory.
  • The rule selector is provided for receiving an external input signal and an internal input signal from the state register. The internal input signal from the state register indicates the current state of the programmable state machine. The external input signal or the external input signals are received from the flow metering unit and/or the parser. The external input signal of the state machine may comprise flow status information, parser information and various other information.
  • The rule selector observes the internal and external input signals by looking up transition rules in the transition rule memory. If a predefined transition rule applies, the programmable state machine changes the state of the state register and generates an output signal comprising parsing and/or flow metering instructions.
  • In other words, the programmable state machine observes the flow status information and/or the parsing information for predefined states. The state machine changes its state, when such a predefined state is detected. Then the changing state of the state machine triggers control actions for the parser and/or the flow metering unit.
  • According to another embodiment of this aspect of the invention the flow-metering unit comprises
      • a flow table unit
      • a flow table management unit and
      • a flow information export unit.
  • The flow table unit comprises a memory for storing information about the network flows that are analysed by the apparatus. The flow table might e.g. use the 5-tuple definition to characterise a specific network flow. In other words, the flow table may provide an entry for each specific network flow characterized by the 5-tuple definition. According to the example of the 5-tuple definition, a network flow is defined as a unidirectional sequence of packets that have the same source and destination IP address, the same source and destination port and the same IP protocol.
  • For each such entry the flow table may store flow metering information, e.g. timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
  • The flow table management unit is provided for managing the entries of the flow table. The flow table management unit is controlled by the programmable controller. This flow table management unit may be provided to execute various flow metering instructions received from the programmable controller. Such flow metering instructions may include instructions for updating the flow table unit, creating a new entry in the flow table unit and checking the status or specific entries of the flow table unit. The flow table management unit may be implemented using a conventional hard-wired state machine.
  • As an example, the flow table management unit may check upon reception of a check-command from the programmable controller if the flow table already contains an entry for an identified network flow. As a result it could provide an indication (implemented as a single-bit flag) back to the programmable controller that indicates whether an entry for this identified network flow already exists or whether the identified network flow is a new flow that is not present in the flow table of the flow table unit.
  • In response to receiving the indication that a network flow either exists or not, the programmable controller may dispatch further flow metering instructions to the table management unit to either update an existing flow table entry, to create a new flow table entry or to create a complete new flow table with a corresponding “update”, “create new flow table entry” or “create new flow table” command.
  • The flow information export unit is provided for exporting flow information to another location or entity. The flow information export unit is controlled by the programmable controller as well. The programmable controller may trigger the export of flow metering information by dispatching an export-command to the flow information export unit.
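  • The programmable state machine embodiment (transition rule memory, rule selector, state register) together with the check-command control loop just described, as an added example in Python; this is not code from the patent. The rule format, the state names, the instruction strings and the "first matching rule wins" selection order are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TransitionRule:
    state: str         # state register value the rule applies to ("*" = any state)
    inputs: tuple      # (field, value) pairs of the external input that must all match
    next_state: str    # new content of the state register
    outputs: tuple     # parsing / flow metering instructions emitted on the transition


class ProgrammableStateMachine:
    """Rule selector plus state register, driven by a loaded transition rule memory."""

    def __init__(self, rules, initial_state="IDLE"):
        self.transition_rule_memory = tuple(rules)   # the loaded flow metering program
        self.state_register = initial_state
        self.unmatched = []                          # inputs no rule covered (audit trail)

    def step(self, external_input):
        """Apply the first rule whose state and input pattern match; return its outputs."""
        for rule in self.transition_rule_memory:
            if rule.state != "*" and rule.state != self.state_register:
                continue
            if all(external_input.get(field) == value for field, value in rule.inputs):
                self.state_register = rule.next_state
                return rule.outputs
        # No transition: keep state, but record the event so a misprogrammed rule set is visible.
        self.unmatched.append((self.state_register, dict(external_input)))
        return ()

    def run(self, inputs):
        return [self.step(external_input) for external_input in inputs]


# One constructed flow metering program. A second program (e.g. for another protocol
# version) would simply be a different tuple loaded into the same machine.
METERING_PROGRAM = (
    TransitionRule("IDLE",     (("packet_ready", True),),  "PARSING",  ("parser:extract_key_fields",)),
    TransitionRule("PARSING",  (("parse_done", True),),    "CHECKING", ("hash:select:0", "table:check")),
    TransitionRule("CHECKING", (("flow_exists", True),),   "IDLE",     ("table:update",)),   # single-bit flag set
    TransitionRule("CHECKING", (("flow_exists", False),),  "IDLE",     ("table:create",)),   # flag clear: new flow
    TransitionRule("*",        (("scan_timer", True),),    "IDLE",     ("table:scan", "export:generate_packet")),
)


def demo():
    """Drive the machine with constructed parser / flow table status inputs."""
    psm = ProgrammableStateMachine(METERING_PROGRAM)
    events = [
        {"packet_ready": True},
        {"parse_done": True},
        {"flow_exists": False},   # first packet of a flow -> create
        {"packet_ready": True},
        {"parse_done": True},
        {"flow_exists": True},    # later packet of the same flow -> update
        {"scan_timer": True},     # periodic scan and export
        {"parse_done": True},     # out of order: no rule in IDLE -> recorded, no action
    ]
    return psm.run(events), psm.state_register, psm.unmatched


if __name__ == "__main__":
    print(demo())
```

  • Because rules are tried in memory order, the order in which a program is loaded is part of its semantics; the unmatched list is the cheap check that a loaded program covers every input the parser and flow metering unit can actually produce.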
  • According to another embodiment of this aspect of the invention the flow table management unit comprises a programmable hash function unit provided with two or more selectable hash functions for mapping the flow identification information on a hash index, wherein the programmable controller is provided for selecting one of the selectable hash functions.
  • Hash functions are widely used to improve the efficiency of network flow analysis and network flow metering. However, different standards and different protocol versions of flow metering standards use different hash functions. By means of providing a programmable hash function unit, the apparatus according to this embodiment of the invention can support these different standards and protocol versions.
  • According to another embodiment of this aspect of the invention the programmable controller is provided for sending table management commands to the table management unit.
  • Such table management commands may be e.g. an update-command, a create-command or a check-command.
  • According to another embodiment of this aspect of the invention the apparatus is implemented as a hardware assist device.
  • The implementation of the apparatus as a hardware assist device has the advantage that it can be integrated into a system without adding processing load to that system's processor.
  • A second aspect of the invention relates to a computer system comprising a central processing unit, a memory and a computer networking device, comprising an apparatus according to the first aspect of the invention for analysing the network flow in the computer networking device.
  • The computer networking device may be e.g. a switch or a router. The apparatus works as hardware assist device for the central processing unit of the computer system. This allows for an analysis of the network flow without loading the central processor.
  • A third aspect of the invention relates to a computer system comprising two or more virtual computing systems, further comprising an apparatus according to the first aspect of the invention, wherein the apparatus is provided for analysing the network flow between the virtual computing systems and/or between the virtual computing systems and an external device.
  • This allows for monitoring and analysing the network flow between the virtual computing systems in a scalable way without any additional software to be available on the computer system and on the virtual computing systems.
  • According to a further embodiment of this aspect of the invention the computer system comprises
      • a software networking device for internal communication between the virtual computing systems,
      • a hardware networking device for external communication between the virtual computing systems and an external device,
        wherein the software networking device and the hardware networking device are provided for forwarding the network flow between the virtual computing systems and/or between the virtual computing systems and an external device for an analysis to the apparatus according to the first aspect of the invention.
  • This architecture allows for an efficient implementation of a network flow function within a virtualized environment.
  • The software networking device may be e.g. a software switch, i.e. a switch implemented in software. The hardware networking device may be e.g. a hardware switch, i.e. a switch implemented in hardware.
  • The external device can be e.g. another computer system, a network, the internet or any other destination.
  • According to a further embodiment of this aspect of the invention the apparatus is arranged in the hardware networking device.
  • A fourth aspect of the invention relates to a method for analysing a network flow, comprising the steps of
      • extracting flow identification information from the network flow by means of a parser,
      • metering the network flow by means of a flow metering unit,
      • controlling the flow metering unit and the parser by means of a programmable controller.
  • A fifth aspect of the invention relates to a flow metering computer program comprising instructions for carrying out a flow metering program on a programmable controller, the flow metering computer program being provided for controlling the flow metering unit and the parser of an apparatus according to the first aspect of the invention.
  • Preferred embodiments of the present invention are described in detail below, by way of example only, with reference to the following schematic drawings, in which:
  • DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a schematic drawing of an apparatus for analyzing a network flow according to an embodiment of the invention, comprising a programmable controller, a parser and a flow metering unit,
  • FIG. 2 shows a schematic computer system comprising a computer networking device and an apparatus for analysing the network flow in the computer networking device,
  • FIG. 3 is a schematic drawing of a programmable controller implemented as state machine,
  • FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail,
  • FIG. 5 shows a flow chart illustrating a flow table update function of the flow metering unit,
  • FIG. 6 shows a flow chart illustrating the determination of expired table entries of a flow table unit,
  • FIG. 7 shows a flow chart illustrating the exportation of expired table entries of the flow table unit,
  • FIG. 8 shows a schematic drawing of a computer system comprising virtual computing systems and an apparatus for analysing the network flow between the virtual computing systems.
  • The drawings are provided for illustrative purposes only and do not necessarily represent practical examples of the present invention to scale. In the figures, same reference signs are used to denote the same or like parts.
  • FIG. 1 shows an apparatus 100 for analysing a network flow 105 according to an exemplary embodiment of the invention. The apparatus 100 comprises a parser 110 for extracting flow identification information from the network flow 105. The network flow 105 may be any kind of communication traffic in a network, in particular end to end network traffic. The network flow 105 may comprise a sequence of data packets, wherein each data packet is part of a communication between two distinct network addresses. The apparatus 100 comprises a flow metering unit 130 for metering the network flow 105 and a programmable controller 140 for controlling the flow metering unit 130 and the parser 110.
  • The flow metering unit 130 is provided for sending flow status information to the programmable controller 140 and the programmable controller 140 is provided for sending flow metering instructions to the flow metering unit 130 in dependence on the flow status information. Furthermore, the parser 110 is provided for sending parsing information to the programmable controller 140 and the programmable controller 140 is provided for sending parsing instructions to the parser 110 in dependence on the parsing information.
  • The programmable controller 140 comprises a central processing unit 150 and a program memory 160. In the program memory 160 one or more flow metering programs 170 can be stored.
  • The apparatus 100 is preferably implemented in hardware and may be used as hardware assist device. This is further illustrated with reference to FIG. 2.
  • FIG. 2 shows a computer system 200 comprising a central processing unit 210, a memory 220 and a computer networking device 230. Furthermore it comprises the apparatus 100 for analysing a network flow. The apparatus 100 is implemented in hardware as hardware assist device for the central processing unit 210. The central processing unit 210, the memory 220, the computer networking device 230 and the apparatus 100 are coupled via an internal bus system 240.
  • The computer networking device 230 may be any kind of Input/Output device, e.g. a router or a switch. In the example of FIG. 2 the computer networking device 230 serves as router between a first Local Area Network (LAN) 250, a second LAN 260 and the Internet 270. Accordingly, the computer networking device 230 is provided for routing network flows 280 between the first LAN 250, the second LAN 260 and the Internet 270. The apparatus 100 is provided for analysing and metering the network flow in the computer networking device 230.
  • FIG. 3 shows a schematic block diagram of a programmable controller 300 according to another exemplary embodiment of the invention. The programmable controller 300 is implemented as programmable state machine. The programmable controller 300 comprises a transition rule memory 310, a rule selector 320 and a state register 330. The rule selector 320 is provided for receiving as external input signal 340 parsing information from the parser 110 and flow status information from the flow metering unit 130 of FIG. 1. Furthermore, the rule selector 320 is provided for receiving an internal input signal 350 from the state register 330. This internal input signal 350 indicates the current state of the state register 330. The rule selector 320 observes the internal input signal 350 and the external input signal 340 by means of the transition rule memory 310 for transition rules. When a transition rule applies, the rule selector 320 is provided for changing the state of the state register 330 and sending parsing instructions to the parser 110 and/or flow metering instructions to the flow metering unit 130 of FIG. 1.
  • More details for implementation of a programmable state machine as shown in FIG. 3 are described in US 2005/0132342A1 which is herewith incorporated by reference.
  • FIG. 4 is a schematic drawing of the apparatus of FIG. 1 in more detail.
  • The parser 110 can be programmed by means of the programmable controller 140 to extract any desirable flow identification information from the network flow 105. According to an exemplary embodiment of the invention the network flow 105 comprises packets including a packet header and the parser 110 uses the packet headers to extract the flow identification information. Accordingly, the parser 110 may be programmed to extract any desirable combination of header fields from the packet header that will be used for flow identification. Examples of such header fields include IP source and destination addresses, Transmission Control Protocol (TCP) source and destination port numbers, Multi-Protocol Label Switching (MPLS) and Virtual Local Area Network (VLAN) tags etc. Based on the protocol standard of the respective network analysis protocol, the parser 110 can be programmed to extract the corresponding header fields that are relevant for that protocol standard. The parser 110 is provided for writing the flow identification information of these header fields into a register unit 400. Hence the register unit 400 comprises registers with flow identification information derived from packet headers.
  • This flow identifying information is provided as input to a programmable hash function unit 410. The programmable hash function unit 410 maps the flow identification information stored in the register unit 400 on a hash index. In other words, the programmable hash function unit 410 maps the actual values of the selected header fields upon a hash index. The programmable hash function unit 410 may provide a variety of hash functions that cover all desired functions for the protocol versions that the apparatus 100 shall support. The programmable controller 140 is provided for selecting one of the available hash functions. The selection of one of the hash functions may be implemented by sending a hash identifier corresponding to that hash function from the programmable controller 140 to the programmable hash function unit 410. Such a hash identifier can consist of a short bit vector that uniquely corresponds to one of the implemented hash functions.
  • The flow metering unit 130 further comprises a flow table management unit 420. The flow table management unit 420 is provided to receive the hash index of the respective flow identification information of the respective packet header from the programmable hash function unit 410. The flow table management unit 420 manages and controls a flow table unit 430. The flow table management unit 420 can execute as flow metering instructions flow table management commands. Such flow table management commands may include e.g. commands for updating the flow table unit 430, for creating a new entry in the flow table unit 430, for checking entries of the flow table unit 430, for removing entries from the flow table unit 430 and for scanning the entries of the flow table unit 430. Preferably the flow table management unit 420 is implemented by means of a hardwired state machine. The flow table management commands are sent from the programmable controller 140 to the flow table management unit 420. The flow table unit 430 comprises a memory that stores network flow entries for network flows identified by the respective hash index. The network flow entries comprise key fields that define the flow and content fields that comprise information about the defined flow. The content fields are updated with every new packet of the network flow. The flow table unit 430 might e.g. use the 5-tuple definition to characterise and define the network flow in the key fields. In this example the key fields would comprise the source and destination IP address, the source and destination port and the IP protocol of the respective network flow.
  • For each such key field the flow table may store in the corresponding content fields flow metering information, e.g. timestamps for the respective network flow start and finish time, the number of bytes and packets observed in the respective network flow and various other features of the observed network flow.
  • As an example, upon reception of a check-command from the programmable controller 140, the flow table management unit 420 will check if the flow table unit 430 already contains an entry for the network flow identified by the respective hash index. In return it will provide as flow status information an indication to the programmable controller 140 that indicates that the respective network flow exists or that the hash index corresponds to a new network flow that is not present in the flow table unit 430. Dependent on the hash function the flow table management unit 420 can also have direct access to the actual register values of the register unit 400, i.e. to the flow identification information stored in the register unit 400.
  • In response to receiving the flow status information that an identified network flow either exists or not, the programmable controller 140 may dispatch as flow metering instructions table management commands to the flow table management unit 420 to either update an existing flow table entry or to create a new flow table entry by means of an update or a create command.
  • Furthermore, the programmable controller 140 is provided for controlling the scanning of the flow table unit 430 for expired flow table entries. For this purpose, the programmable controller 140 will test the value of a programmable timer 450 which can be configured to meet the characteristics of the supported protocol versions of the respective network analysis protocol. This will trigger the programmable controller 140 to send as table management command a scan instruction to the flow table management unit 420 after certain periods and/or at regular configurable intervals. The flow table management unit 420 will then scan the flow table unit 430 and report any expired flow table entries to the programmable controller 140. In response the programmable controller 140 can send a remove-command to remove these flow table entries to the flow table management unit 420. Furthermore, the programmable controller 140 can trigger the export of these expired flow table entries. In the latter case, the programmable controller 140 triggers the creation of a flow information packet containing information on the expired network flow. The programmable controller 140 sends a “generate packet” command to a flow information export unit 440. The flow information export unit 440 is also denoted as packet generator. The flow information export unit 440 can be implemented using a hardwired state machine. The flow information export unit 440 exports a flow information packet containing network flow information to a central server or any other destination.
  • By means of this programmable concept of the apparatus 100 the flow metering functions of the flow metering unit 130 can be implemented, configured and executed differently depending on the application environment, the used protocol standards (e.g. NetFlow v5, v7, v9, IPFIX), the number of network flows to be supported or the speed of the respective network.
  • For example, NetFlow v9 and IPFIX do not use fixed record fields, but a variable number of fields defined in flow templates. A template determines the content of the flow table and the amount of exported network flow information. In addition, multiple network flows can be aggregated and mapped on the same flow table entry. The flow table might contain various types of information for each network flow. Furthermore, the rules that determine when network flow information will be exported can vary.
  • FIG. 5 shows a flow chart illustrating a flow table update function of the flow metering unit 130.
  • In a step 510 the apparatus 100 receives a data packet of a network flow that is observed. In step 520 the parser 110 parses the header of the data packet, extracts the flow identification information and writes it in the register unit 400. In step 530 the programmable hash function unit 410 calculates the hash index of the flow identification information and the flow table management unit 420 performs a flow table (hash table) lookup in the flow table unit 430. In step 540 the flow table management unit 420 evaluates whether a flow table entry already exists for the respective hash index. If this is the case, the flow table management unit 420 updates in step 550 the respective flow table entry in the flow table unit 430. If this is not the case, the flow table management unit 420 creates in step 560 a new flow table entry in the flow table unit 430.
  • FIG. 6 shows a flow chart illustrating the determination of expired flow table entries in the flow table unit 430.
  • In step 600 the programmable controller 140 sends as flow metering instruction a scan-command to the flow table management unit 420. This can happen after certain time periods and/or at regular configurable intervals. The flow table management unit 420 will then scan the flow table unit 430. In step 610 the flow table management unit 420 selects an initial entry of the flow table unit 430 and determines in step 620 the time t since the last update. If the time t is larger than a predefined time, e.g. determined by the timer 450, the respective entry of the flow table unit 430 is marked as expired. In step 650 it is checked whether all entries of the flow table unit 430 have been processed, i.e. have been checked for expiration. If this is not the case, the flow table management unit 420 will select the next entry and continue with step 620. If the result of step 650 is that all entries of the flow table unit 430 have been processed, the scanning has been completed. The scanning function of the flow table management unit 420 waits then in step 670 for a time t' until it receives a new scan-command from the programmable controller 140.
  • FIG. 7 shows a flow chart illustrating the export of expired table entries to a server or another destination.
  • In step 700 the programmable controller 140 triggers the export process by sending a “generate packet” command to the flow information export unit (packet generator) 440. In step 710 the flow information export unit 440 selects an initial entry of the flow table unit 430 and checks in step 720 if the respective entry is marked as expired. If this is the case, the flow information export unit 440 creates and transmits in step 730 a flow information packet containing network flow information of the expired network flow of the respective flow table entry. The flow information export unit 440 may export a flow information packet to a central server or any other destination. In a following step 740 the respective table entry is removed from the flow table unit 430. In a following step 750 the flow information export unit 440 checks if all table entries have been processed, i.e. checked for flows that are marked as expired. If the result of step 720 is that the respective flow table entry is not marked as expired, the export process continues with step 750 as well. If the checking of step 750 is negative, in step 760 the next flow table entry is selected for processing and the export process is continued with step 720. If the checking of step 750 is positive, the export process is finished for the meantime. The export function of the flow information export unit 440 waits then in step 770 for a time t″ until it receives a new generate packet command from the programmable controller 140.
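A software model of the flow metering pipeline described above (parser, register unit, programmable hash function unit, flow table management unit, flow table unit, flow information export unit) together with the update, scan and export procedures of FIG. 5 to FIG. 7, added here as an example and not code from the patent. The Packet fields, the two selectable hash functions, the idle timeout, the template-driven record layout and the collision handling (a displaced entry is reported on the next export cycle) are assumptions.

```python
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed packet header representation (assumption): a real parser pulls
# these fields out of raw packet bytes.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    length: int   # bytes on the wire
    ts: float     # observation time in seconds

# Parser programme: the header fields written into the register unit.
FIVE_TUPLE = ("src_ip", "dst_ip", "proto", "src_port", "dst_port")

def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a, one of the selectable hash functions (assumption)."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h

# Programmable hash function unit: the hash identifier selects the function.
HASH_FUNCTIONS: Dict[int, Callable[[bytes], int]] = {
    0: fnv1a_32,
    1: lambda d: zlib.crc32(d) & 0xFFFFFFFF,
}

@dataclass
class FlowEntry:
    key: Tuple            # key fields: define the flow
    first_seen: float     # content fields: describe the flow
    last_seen: float
    packets: int = 0
    bytes: int = 0
    expired: bool = False

class FlowMeter:
    def __init__(self, key_fields: Sequence[str] = FIVE_TUPLE, hash_id: int = 0,
                 idle_timeout: float = 30.0, table_bits: int = 16):
        self.key_fields = tuple(key_fields)
        self.hash_fn = HASH_FUNCTIONS[hash_id]
        self.idle_timeout = idle_timeout          # programmable timer threshold
        self.mask = (1 << table_bits) - 1
        self.table: Dict[int, FlowEntry] = {}     # hash index -> entry
        self.evicted: List[FlowEntry] = []        # displaced entries awaiting export

    def _hash_index(self, key: Tuple) -> int:
        return self.hash_fn(repr(key).encode()) & self.mask

    def observe(self, pkt: Packet) -> str:
        """FIG. 5: parse, hash, look up, then update (550) or create (560)."""
        key = tuple(getattr(pkt, f) for f in self.key_fields)   # step 520
        idx = self._hash_index(key)                              # step 530
        entry = self.table.get(idx)
        if entry is not None and entry.key == key and not entry.expired:
            entry.last_seen = pkt.ts                             # step 550
            entry.packets += 1
            entry.bytes += pkt.length
            return "update"
        if entry is not None:
            # Slot held by another flow or by an already expired one. Assumption:
            # the displaced entry is still reported by the next export cycle.
            entry.expired = True
            self.evicted.append(entry)
        self.table[idx] = FlowEntry(key, pkt.ts, pkt.ts, 1, pkt.length)  # step 560
        return "create"

    def scan(self, now: float) -> int:
        """FIG. 6: mark entries idle longer than the timeout; return how many."""
        marked = 0
        for entry in self.table.values():                        # steps 610-650
            if not entry.expired and now - entry.last_seen > self.idle_timeout:
                entry.expired = True
                marked += 1
        return marked

    def export(self, template: Optional[Sequence[str]] = None) -> List[dict]:
        """FIG. 7: one record per expired entry, which is then removed (720-760).
        'template' selects the exported fields like a NetFlow v9/IPFIX template."""
        records = []
        for idx in list(self.table):
            if self.table[idx].expired:
                records.append(self._record(self.table.pop(idx), template))
        records.extend(self._record(e, template) for e in self.evicted)
        self.evicted.clear()
        return records

    def _record(self, e: FlowEntry, template: Optional[Sequence[str]]) -> dict:
        fields = dict(zip(self.key_fields, e.key))
        fields.update(first_seen=e.first_seen, last_seen=e.last_seen,
                      packets=e.packets, bytes=e.bytes)
        return fields if template is None else {f: fields[f] for f in template}
```

Choosing a different key_fields tuple (for example only the IP addresses) aggregates several 5-tuple flows onto one entry, as the description of NetFlow v9/IPFIX templates allows.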
  • FIG. 8 shows a schematic drawing of a virtualized server environment comprising an apparatus for analyzing the network flow between virtual computing systems.
  • The virtualized server environment comprises a computer system 800 comprising two or more virtual computing systems 810 that run on a central processing unit 820 of the computer system 800. The computer system 800 further comprises a software networking device 830 for internal communication between the virtual computing systems 810 and a hardware networking device 840 for external communication between the virtual computing systems 810 and an external device 850.
  • The software networking device 830 is provided for managing and controlling the internal communication between the virtual computing systems 810. It may be e.g. a software switch, i.e. a switch implemented in software.
  • The hardware networking device 840 may be e.g. a network adapter or a hardware switch. It is provided for managing and controlling the external communication between the virtual computing systems 810 and an external device 850. The external device 850 can be e.g. another computer system, a network, the internet or any other destination the computer system 800 would like to communicate with.
  • The hardware networking device 840 comprises the apparatus 100 for analysing a network flow. The apparatus 100 is implemented in hardware as a hardware assist device for the central processing unit 820 of the computer system 800.
  • The virtual computing systems 810 may communicate with each other via the software networking device 830 and a virtual local network 860. The virtual local network 860 could be e.g. a Virtual Local Area Network (VLAN).
  • The hardware networking device 840 can communicate with the virtual computing systems 810 and with the software networking device 830 by means of a virtual Input/Output (I/O) server partition 870.
  • The software networking device 830 is provided for forwarding the network flow or parts of the network flow occurring in the software networking device 830 to the apparatus 100. The hardware networking device 840 is provided for forwarding the network flow or parts of the network flow occurring in the hardware networking device 840 to the apparatus 100. The software networking device 830 may use the virtual Input/Output (I/O) server partition 870 for forwarding the network flow or parts of the network flow to the apparatus 100. The hardware networking device 840 may use a hardware bus 880 for forwarding the network flow or parts of the network flow to the apparatus 100.
  • The computer system 800 allows for monitoring and analysing the network flow between the virtual computing systems 810 and/or between the virtual computing systems 810 and the external device 850 in a scalable way. There is no additional software needed on the computer system 800 and on the virtual computing systems 810.
  • The disclosed embodiments may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments.
  • ADDITIONAL EMBODIMENT DETAILS
  • The described techniques may be implemented as a method, apparatus or article of manufacture involving software, firmware, micro-code, hardware and/or any combination thereof. The term “article of manufacture” as used herein refers to code or logic implemented in a medium, where such medium may comprise hardware logic [e.g., an integrated circuit chip, Programmable Gate Array (PGA), Application Specific Integrated Circuit (ASIC), etc.] or a computer readable medium, such as magnetic storage medium (e.g., hard disk drives, floppy disks, tape, etc.), optical storage (CD-ROMs, optical disks, etc.), volatile and non-volatile memory devices [e.g., Electrically Erasable Programmable Read Only Memory (EEPROM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), flash, firmware, programmable logic, etc.]. Code in the computer readable medium is accessed and executed by a processor. The medium in which the code or logic is encoded may also comprise transmission signals propagating through space or a transmission media, such as an optical fiber, copper wire, etc. The transmission signal in which the code or logic is encoded may further comprise a wireless signal, satellite transmission, radio waves, infrared signals, Bluetooth, etc. The transmission signal in which the code or logic is encoded is capable of being transmitted by a transmitting station and received by a receiving station, where the code or logic encoded in the transmission signal may be decoded and stored in hardware or a computer readable medium at the receiving and transmitting stations or devices. Additionally, the “article of manufacture” may comprise a combination of hardware and software components in which the code is embodied, processed, and executed. Of course, those skilled in the art will recognize that many modifications may be made without departing from the scope of embodiments, and that the article of manufacture may comprise any information bearing medium. For example, the article of manufacture comprises a storage medium having stored therein instructions that when executed by a machine results in operations being performed.
  • Certain embodiments can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
  • Furthermore, certain embodiments can take the form of a computer program product accessible from a computer usable or computer readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk—read only memory (CD-ROM), compact disk—read/write (CD-R/W) and DVD.
  • The terms “certain embodiments”, “an embodiment”, “embodiment”, “embodiments”, “the embodiment”, “the embodiments”, “one or more embodiments”, “some embodiments”, and “one embodiment” mean one or more (but not all) embodiments unless expressly specified otherwise. The terms “including”, “comprising”, “having” and variations thereof mean “including but not limited to”, unless expressly specified otherwise. The enumerated listing of items does not imply that any or all of the items are mutually exclusive, unless expressly specified otherwise. The terms “a”, “an” and “the” mean “one or more”, unless expressly specified otherwise.
  • Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries. Additionally, a description of an embodiment with several components in communication with each other does not imply that all such components are required. On the contrary a variety of optional components are described to illustrate the wide variety of possible embodiments. Further, although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously, in parallel, or concurrently.
  • When a single device or article is described herein, it will be apparent that more than one device/article (whether or not they cooperate) may be used in place of a single device/article. Similarly, where more than one device or article is described herein (whether or not they cooperate), it will be apparent that a single device/article may be used in place of the more than one device or article. The functionality and/or the features of a device may be alternatively embodied by one or more other devices which are not explicitly described as having such functionality/features. Thus, other embodiments need not include the device itself.
  • Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following a) conversion to another language, code or notation; b) reproduction in a different material form.

Claims (18)

1. An apparatus for analysing a network flow, the apparatus comprising:
a parser for extracting flow identification information from the network flow;
a flow metering unit for metering the network flow; and
a programmable controller for controlling the flow metering unit and the parser.
2. The apparatus according to claim 1, wherein the flow metering unit is configured for sending flow status information to the programmable controller and wherein the programmable controller is configured for sending flow metering instructions to the flow metering unit in dependence on the flow status information.
3. The apparatus according to claim 1, wherein the parser is configured for sending parsing information to the programmable controller and wherein the programmable controller is configured for sending parsing instructions to the parser in dependence on the parsing information.
4. The apparatus according to claim 1, wherein the programmable controller is configured for:
evaluating in parallel two or more flow status information values of the flow metering unit; and
sending two or more flow metering instructions in parallel to the flow metering unit.
5. The apparatus according to claim 1, wherein the programmable controller comprises a program memory having two or more flow metering programs.
6. The apparatus according to claim 1, wherein the programmable controller is implemented as state machine.
7. The apparatus according to claim 6, wherein the state machine comprises:
a transition rule memory;
a rule selector; and
a state register;
wherein the rule selector is configured for receiving an external input signal and an internal input signal from the state register indicating the current state and wherein the rule selector is configured for observing the internal and external input signal by means of the transition rule memory for transition rules and for changing the state of the state register and generation of an output signal having parsing and/or flow metering instructions when a transition rule applies.
8. The apparatus according to claim 1, wherein the flow metering unit comprises:
a flow table unit;
a flow table management unit; and
a flow information export unit.
9. The apparatus according to claim 8, wherein the flow table management unit comprises a programmable hash function unit provided with two or more selectable hash functions for mapping the flow identification information on a hash index, wherein the programmable controller is configured for selecting one of the selectable hash functions.
10. The apparatus according to claim 8, wherein the programmable controller is configured for sending table management commands to the table management unit.
11. The apparatus according to claim 1, wherein the apparatus is implemented as hardware assist device.
12. The apparatus according to claim 1, further comprising:
a central processing unit;
a memory; and
a computer networking device.
13. The apparatus according to claim 12, wherein the apparatus is implemented in hardware as hardware assist device for the central processing unit.
14. The apparatus according to claim 1, further comprising:
two or more virtual computing systems;
wherein the apparatus is provided for analysing the network flow between the virtual computing systems and/or between the virtual computing systems and an external device.
15. The apparatus according to claim 14, further comprising:
a software networking device for internal communication between the virtual computing systems; and
a hardware networking device for external communication between the virtual computing systems and an external device;
wherein the software networking device and the hardware networking device are provided for forwarding the network flow between the virtual computing systems and/or between the virtual computing systems and an external device for an analysis to the apparatus.
16. The apparatus according to claim 15, wherein the apparatus is arranged in the hardware networking device.
17. A method for analysing a network flow, comprising the steps of:
extracting flow identification information from the network flow using a parser;
metering the network flow using a flow metering unit; and
controlling the flow metering unit and the parser using a programmable controller.
18. A computer readable program product tangibly embodying computer executable instructions which when implemented, causes the computer to carry out an analysis of a network flow according to the steps of the method according to claim 17.
US12/520,114 2006-12-19 2007-11-02 Apparatus and method for analysing a network Abandoned US20100085891A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP06126520.3 2006-12-19
EP06126520 2006-12-19
PCT/IB2007/054447 WO2008075224A1 (en) 2006-12-19 2007-11-02 Apparatus and method for analysing a network flow

Publications (1)

Publication Number Publication Date
US20100085891A1 true US20100085891A1 (en) 2010-04-08

Family

ID=39322548

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/520,114 Abandoned US20100085891A1 (en) 2006-12-19 2007-11-02 Apparatus and method for analysing a network
US13/868,402 Expired - Fee Related US8861397B2 (en) 2006-12-19 2013-04-23 Apparatus and method for analyzing a network

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/868,402 Expired - Fee Related US8861397B2 (en) 2006-12-19 2013-04-23 Apparatus and method for analyzing a network

Country Status (6)

Country Link
US (2) US20100085891A1 (en)
JP (1) JP5102844B2 (en)
KR (1) KR20090099519A (en)
CN (1) CN101563908B (en)
CA (1) CA2669932A1 (en)
WO (1) WO2008075224A1 (en)

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100226282A1 (en) * 2009-03-04 2010-09-09 Cisco Technology, Inc. System and method for exporting structured data in a network environment
US20110058481A1 (en) * 2009-09-09 2011-03-10 Lee Chang-Yong Device and method for generating statistical information for voip traffic analysis and abnormal voip detection
US20110154132A1 (en) * 2009-12-23 2011-06-23 Gunes Aybay Methods and apparatus for tracking data flow based on flow state values
US20120072737A1 (en) * 2009-03-06 2012-03-22 Geert Jan Schrijen System for establishing a cryptographic key depending on a physical system
US20130262703A1 (en) * 2012-04-03 2013-10-03 Cisco Technology, Inc. System and method for reducing netflow traffic in a network environment
US8593970B2 (en) 2008-09-11 2013-11-26 Juniper Networks, Inc. Methods and apparatus for defining a flow control signal related to a transmit queue
US8717889B2 (en) 2008-12-29 2014-05-06 Juniper Networks, Inc. Flow-control in a switch fabric
US8724487B1 (en) 2010-02-15 2014-05-13 Cisco Technology, Inc. System and method for synchronized reporting in a network environment
US8811183B1 (en) 2011-10-04 2014-08-19 Juniper Networks, Inc. Methods and apparatus for multi-path flow control within a multi-stage switch fabric
US8811163B2 (en) 2008-09-11 2014-08-19 Juniper Networks, Inc. Methods and apparatus for flow control associated with multi-staged queues
US8854972B1 (en) * 2013-01-25 2014-10-07 Palo Alto Networks, Inc. Security device implementing flow lookup scheme for improved performance
US20140307736A1 (en) * 2013-04-16 2014-10-16 Suresh Krishnan Method for providing a parser to extract information from fields of a data packet header
US9032089B2 (en) 2011-03-09 2015-05-12 Juniper Networks, Inc. Methods and apparatus for path selection within a network based on flow duration
US9065773B2 (en) 2010-06-22 2015-06-23 Juniper Networks, Inc. Methods and apparatus for virtual channel flow control associated with a switch fabric
US20150277882A1 (en) * 2014-03-26 2015-10-01 Telefonaktiebolaget L M Ericsson (Publ) Processing packets by generating machine code from pre-compiled code fragments
US20170063690A1 (en) * 2015-08-26 2017-03-02 Barefoot Networks, Inc. Packet header field extraction
US9660940B2 (en) 2010-12-01 2017-05-23 Juniper Networks, Inc. Methods and apparatus for flow control associated with a switch fabric
EP2667545A4 (en) * 2011-01-17 2017-08-23 Nec Corporation Network system, controller, switch, and traffic monitoring method
US10225381B1 (en) 2015-08-26 2019-03-05 Barefoot Networks, Inc. Configuring a switch for extracting packet header fields
US10356115B2 (en) * 2017-03-31 2019-07-16 Level 3 Communications, Llc Creating aggregate network flow time series in network anomaly detection systems
CN110059904A (en) * 2017-12-13 2019-07-26 罗伯特·博世有限公司 The automatic method for working out the rule of rule-based anomalous identification in a stream
US10686735B1 (en) 2017-04-23 2020-06-16 Barefoot Networks, Inc. Packet reconstruction at deparser
US11146468B1 (en) * 2021-03-08 2021-10-12 Pensando Systems Inc. Intelligent export of network information
US11223520B1 (en) 2017-01-31 2022-01-11 Intel Corporation Remote control plane directing data plane configurator
US11362967B2 (en) 2017-09-28 2022-06-14 Barefoot Networks, Inc. Expansion of packet data within processing pipeline
US20220200876A1 (en) * 2016-06-13 2022-06-23 Hewlett Packard Enterprise Development Lp Hierarchical aggregation of select network traffic statistics
US11388053B2 (en) 2014-12-27 2022-07-12 Intel Corporation Programmable protocol parser for NIC classification and queue assignments
WO2022193196A1 (en) * 2021-03-17 2022-09-22 华为技术有限公司 Network message handling device and method, and electronic device
US11503141B1 (en) 2017-07-23 2022-11-15 Barefoot Networks, Inc. Stateful processing unit with min/max capability
US11677851B2 (en) 2015-12-22 2023-06-13 Intel Corporation Accelerated network packet processing

Families Citing this family (42)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2484878B (en) * 2009-08-13 2015-01-07 Ibm Automatic address range detection for IP networks
EP2478677B1 (en) * 2009-09-15 2013-07-10 Napatech A/S An apparatus for analyzing a data packet, a data packet processing system and a method
CN101841436B (en) * 2010-03-02 2012-06-27 北京星网锐捷网络技术有限公司 Method for testing performance of IPFIX (Internet Protocol Flow Information Export) server, device and system thereof
JP5560936B2 (en) * 2010-06-16 2014-07-30 富士通株式会社 Configuration information acquisition method, virtual probe, and configuration information acquisition control device
US8897134B2 (en) * 2010-06-25 2014-11-25 Telefonaktiebolaget L M Ericsson (Publ) Notifying a controller of a change to a packet forwarding configuration of a network element over a communication channel
IL210897A (en) 2011-01-27 2017-12-31 Verint Systems Ltd Systems and methods for flow table management
US9825884B2 (en) 2013-12-30 2017-11-21 Cavium, Inc. Protocol independent programmable switch (PIPS) software defined data center networks
US9516145B2 (en) 2014-06-19 2016-12-06 Cavium, Inc. Method of extracting data from packets and an apparatus thereof
US9497294B2 (en) 2014-06-19 2016-11-15 Cavium, Inc. Method of using a unique packet identifier to identify structure of a packet and an apparatus thereof
US9438703B2 (en) 2014-06-19 2016-09-06 Cavium, Inc. Method of forming a hash input from packet contents and an apparatus thereof
US10050833B2 (en) 2014-06-19 2018-08-14 Cavium, Inc. Method of reducing latency in a flexible parser and an apparatus thereof
US9628385B2 (en) 2014-06-19 2017-04-18 Cavium, Inc. Method of identifying internal destinations of networks packets and an apparatus thereof
US9531848B2 (en) 2014-06-19 2016-12-27 Cavium, Inc. Method of using generic modification instructions to enable flexible modifications of packets and an apparatus thereof
US9961167B2 (en) * 2014-06-19 2018-05-01 Cavium, Inc. Method of modifying packets to a generic format for enabling programmable modifications and an apparatus thereof
US9742694B2 (en) 2014-06-19 2017-08-22 Cavium, Inc. Method of dynamically renumbering ports and an apparatus thereof
US9473601B2 (en) 2014-06-19 2016-10-18 Cavium, Inc. Method of representing a generic format header using continuous bytes and an apparatus thereof
US9635146B2 (en) 2014-06-19 2017-04-25 Cavium, Inc. Method of using bit vectors to allow expansion and collapse of header layers within packets for enabling flexible modifications and an apparatus thereof
US10616380B2 (en) 2014-06-19 2020-04-07 Cavium, Llc Method of handling large protocol layers for configurable extraction of layer information and an apparatus thereof
US9531849B2 (en) 2014-06-19 2016-12-27 Cavium, Inc. Method of splitting a packet into individual layers for modification and intelligently stitching layers back together after modification and an apparatus thereof
US9606781B2 (en) * 2014-11-14 2017-03-28 Cavium, Inc. Parser engine programming tool for programmable network devices
US9582251B2 (en) * 2014-11-14 2017-02-28 Cavium, Inc. Algorithm to achieve optimal layout of decision logic elements for programmable network devices
US9660879B1 (en) * 2016-07-25 2017-05-23 Extrahop Networks, Inc. Flow deduplication across a cluster of network monitoring devices
CN110100415B (en) * 2016-12-30 2024-04-05 Bitdefender Netherlands B.V. System for preparing network traffic for rapid analysis
US10476673B2 (en) 2017-03-22 2019-11-12 Extrahop Networks, Inc. Managing session secrets for continuous packet capture systems
US9967292B1 (en) 2017-10-25 2018-05-08 Extrahop Networks, Inc. Inline secret sharing
US10389574B1 (en) 2018-02-07 2019-08-20 Extrahop Networks, Inc. Ranking alerts based on network monitoring
US10038611B1 (en) 2018-02-08 2018-07-31 Extrahop Networks, Inc. Personalization of alerts based on network monitoring
US10270794B1 (en) 2018-02-09 2019-04-23 Extrahop Networks, Inc. Detection of denial of service attacks
US10411978B1 (en) 2018-08-09 2019-09-10 Extrahop Networks, Inc. Correlating causes and effects associated with network activity
US10594718B1 (en) 2018-08-21 2020-03-17 Extrahop Networks, Inc. Managing incident response operations based on monitored network activity
CN111400025B (en) * 2019-01-03 2023-05-26 Alibaba Group Holding Limited Traffic scheduling method, device and system
US10965702B2 (en) 2019-05-28 2021-03-30 Extrahop Networks, Inc. Detecting injection attacks using passive network monitoring
US11165814B2 (en) 2019-07-29 2021-11-02 Extrahop Networks, Inc. Modifying triage information based on network monitoring
US10742530B1 (en) 2019-08-05 2020-08-11 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US11388072B2 (en) 2019-08-05 2022-07-12 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US10742677B1 (en) 2019-09-04 2020-08-11 Extrahop Networks, Inc. Automatic determination of user roles and asset types based on network monitoring
US11165823B2 (en) 2019-12-17 2021-11-02 Extrahop Networks, Inc. Automated preemptive polymorphic deception
WO2022066910A1 (en) 2020-09-23 2022-03-31 Extrahop Networks, Inc. Monitoring encrypted network traffic
US11463466B2 (en) 2020-09-23 2022-10-04 Extrahop Networks, Inc. Monitoring encrypted network traffic
US11349861B1 (en) 2021-06-18 2022-05-31 Extrahop Networks, Inc. Identifying network entities based on beaconing activity
US11296967B1 (en) 2021-09-23 2022-04-05 Extrahop Networks, Inc. Combining passive network analysis and active probing
US11843606B2 (en) 2022-03-30 2023-12-12 Extrahop Networks, Inc. Detecting abnormal data access based on data similarity

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5781729A (en) * 1995-12-20 1998-07-14 Nb Networks System and method for general purpose network analysis
US20030061401A1 (en) * 2001-09-25 2003-03-27 Luciani Luis E. Input device virtualization with a programmable logic device of a server
US6665725B1 (en) * 1999-06-30 2003-12-16 Hi/Fn, Inc. Processing protocol specific information in packets specified by a protocol description language
US20050132342A1 (en) * 2003-12-10 2005-06-16 International Business Machines Corporation Pattern-matching system
US20050238022A1 (en) * 2004-04-26 2005-10-27 Rina Panigrahy Stateful flow of network packets within a packet parsing processor
US20070115825A1 (en) * 2000-04-19 2007-05-24 Caspian Networks, Inc. Micro-Flow Management
US20070140128A1 (en) * 2001-11-02 2007-06-21 Eric Klinker System and method to provide routing control of information over networks
US20070237079A1 (en) * 2006-03-30 2007-10-11 Alcatel Binned duration flow tracking
US20070248084A1 (en) * 2006-04-20 2007-10-25 Alcatel Symmetric connection detection
US8239565B2 (en) * 2006-11-21 2012-08-07 Nippon Telegraph And Telephone Corporation Flow record restriction apparatus and the method

Family Cites Families (9)

Publication number Priority date Publication date Assignee Title
US6304903B1 (en) * 1997-08-01 2001-10-16 Agilent Technologies, Inc. State machine for collecting information on use of a packet network
US6606301B1 (en) * 1999-03-01 2003-08-12 Sun Microsystems, Inc. Method and apparatus for early random discard of packets
US6738349B1 (en) * 2000-03-01 2004-05-18 Tektronix, Inc. Non-intrusive measurement of end-to-end network properties
JP2002374251A (en) * 2001-06-14 2002-12-26 Nec Corp Network monitoring system, data amount count method used for the same, and program thereof
US7519070B2 (en) * 2002-09-12 2009-04-14 International Business Machines Corporation Method and apparatus for deep packet processing
US7760719B2 (en) * 2004-06-30 2010-07-20 Conexant Systems, Inc. Combined pipelined classification and address search method and apparatus for switching environments
US7529191B2 (en) * 2005-02-18 2009-05-05 Broadcom Corporation Programmable metering behavior based on table lookup
US20060271870A1 (en) * 2005-05-31 2006-11-30 Picsel Research Limited Systems and methods for navigating displayed content
US8074011B2 (en) 2006-12-06 2011-12-06 Fusion-Io, Inc. Apparatus, system, and method for storage space recovery after reaching a read count limit

Cited By (70)

Publication number Priority date Publication date Assignee Title
US8964556B2 (en) 2008-09-11 2015-02-24 Juniper Networks, Inc. Methods and apparatus for flow-controllable multi-staged queues
US9876725B2 (en) 2008-09-11 2018-01-23 Juniper Networks, Inc. Methods and apparatus for flow-controllable multi-staged queues
US8811163B2 (en) 2008-09-11 2014-08-19 Juniper Networks, Inc. Methods and apparatus for flow control associated with multi-staged queues
US10931589B2 (en) 2008-09-11 2021-02-23 Juniper Networks, Inc. Methods and apparatus for flow-controllable multi-staged queues
US8593970B2 (en) 2008-09-11 2013-11-26 Juniper Networks, Inc. Methods and apparatus for defining a flow control signal related to a transmit queue
US8717889B2 (en) 2008-12-29 2014-05-06 Juniper Networks, Inc. Flow-control in a switch fabric
US20100226282A1 (en) * 2009-03-04 2010-09-09 Cisco Technology, Inc. System and method for exporting structured data in a network environment
US8125920B2 (en) * 2009-03-04 2012-02-28 Cisco Technology, Inc. System and method for exporting structured data in a network environment
US20120072737A1 (en) * 2009-03-06 2012-03-22 Geert Jan Schrijen System for establishing a cryptographic key depending on a physical system
US9252960B2 (en) * 2009-03-06 2016-02-02 Intrinsic Id B.V. System for establishing a cryptographic key depending on a physical system
US8259723B2 (en) * 2009-09-09 2012-09-04 Korea Internet & Security Agency Device and method for generating statistical information for VoIP traffic analysis and abnormal VoIP detection
US20110058481A1 (en) * 2009-09-09 2011-03-10 Lee Chang-Yong Device and method for generating statistical information for voip traffic analysis and abnormal voip detection
US11323350B2 (en) 2009-12-23 2022-05-03 Juniper Networks, Inc. Methods and apparatus for tracking data flow based on flow state values
US9967167B2 (en) 2009-12-23 2018-05-08 Juniper Networks, Inc. Methods and apparatus for tracking data flow based on flow state values
US20110154132A1 (en) * 2009-12-23 2011-06-23 Gunes Aybay Methods and apparatus for tracking data flow based on flow state values
US10554528B2 (en) 2009-12-23 2020-02-04 Juniper Networks, Inc. Methods and apparatus for tracking data flow based on flow state values
US9264321B2 (en) 2009-12-23 2016-02-16 Juniper Networks, Inc. Methods and apparatus for tracking data flow based on flow state values
US8724487B1 (en) 2010-02-15 2014-05-13 Cisco Technology, Inc. System and method for synchronized reporting in a network environment
US9065773B2 (en) 2010-06-22 2015-06-23 Juniper Networks, Inc. Methods and apparatus for virtual channel flow control associated with a switch fabric
US9705827B2 (en) 2010-06-22 2017-07-11 Juniper Networks, Inc. Methods and apparatus for virtual channel flow control associated with a switch fabric
US11711319B2 (en) 2010-12-01 2023-07-25 Juniper Networks, Inc. Methods and apparatus for flow control associated with a switch fabric
US10616143B2 (en) 2010-12-01 2020-04-07 Juniper Networks, Inc. Methods and apparatus for flow control associated with a switch fabric
US9660940B2 (en) 2010-12-01 2017-05-23 Juniper Networks, Inc. Methods and apparatus for flow control associated with a switch fabric
EP2667545A4 (en) * 2011-01-17 2017-08-23 Nec Corporation Network system, controller, switch, and traffic monitoring method
US9716661B2 (en) 2011-03-09 2017-07-25 Juniper Networks, Inc. Methods and apparatus for path selection within a network based on flow duration
US9032089B2 (en) 2011-03-09 2015-05-12 Juniper Networks, Inc. Methods and apparatus for path selection within a network based on flow duration
US9426085B1 (en) 2011-10-04 2016-08-23 Juniper Networks, Inc. Methods and apparatus for multi-path flow control within a multi-stage switch fabric
US8811183B1 (en) 2011-10-04 2014-08-19 Juniper Networks, Inc. Methods and apparatus for multi-path flow control within a multi-stage switch fabric
US9065767B2 (en) * 2012-04-03 2015-06-23 Cisco Technology, Inc. System and method for reducing netflow traffic in a network environment
US20130262703A1 (en) * 2012-04-03 2013-10-03 Cisco Technology, Inc. System and method for reducing netflow traffic in a network environment
US8854972B1 (en) * 2013-01-25 2014-10-07 Palo Alto Networks, Inc. Security device implementing flow lookup scheme for improved performance
US9848068B2 (en) * 2013-04-16 2017-12-19 Telefonaktiebolaget L M Ericsson (Publ) Method for providing a parser to extract information from fields of a data packet header
US20140307736A1 (en) * 2013-04-16 2014-10-16 Suresh Krishnan Method for providing a parser to extract information from fields of a data packet header
US9189218B2 (en) * 2014-03-26 2015-11-17 Telefonaktiebolaget L M Ericsson (Publ) Processing packets by generating machine code from pre-compiled code fragments
US20150277882A1 (en) * 2014-03-26 2015-10-01 Telefonaktiebolaget L M Ericsson (Publ) Processing packets by generating machine code from pre-compiled code fragments
US11394611B2 (en) 2014-12-27 2022-07-19 Intel Corporation Programmable protocol parser for NIC classification and queue assignments
US11394610B2 (en) 2014-12-27 2022-07-19 Intel Corporation Programmable protocol parser for NIC classification and queue assignments
US11388053B2 (en) 2014-12-27 2022-07-12 Intel Corporation Programmable protocol parser for NIC classification and queue assignments
US20170063690A1 (en) * 2015-08-26 2017-03-02 Barefoot Networks, Inc. Packet header field extraction
US11425038B2 (en) 2015-08-26 2022-08-23 Barefoot Networks, Inc. Packet header field extraction
US11425039B2 (en) 2015-08-26 2022-08-23 Barefoot Networks, Inc. Packet header field extraction
US11411870B2 (en) 2015-08-26 2022-08-09 Barefoot Networks, Inc. Packet header field extraction
US10432527B1 (en) 2015-08-26 2019-10-01 Barefoot Networks, Inc. Packet header field extraction
US11245778B1 (en) 2015-08-26 2022-02-08 Barefoot Networks, Inc. Configuring a switch for extracting packet header fields
US9825862B2 (en) * 2015-08-26 2017-11-21 Barefoot Networks, Inc. Packet header field extraction
US10225381B1 (en) 2015-08-26 2019-03-05 Barefoot Networks, Inc. Configuring a switch for extracting packet header fields
US11677851B2 (en) 2015-12-22 2023-06-13 Intel Corporation Accelerated network packet processing
US20220200876A1 (en) * 2016-06-13 2022-06-23 Hewlett Packard Enterprise Development Lp Hierarchical aggregation of select network traffic statistics
US11757740B2 (en) 2016-06-13 2023-09-12 Hewlett Packard Enterprise Development Lp Aggregation of select network traffic statistics
US11757739B2 (en) 2016-06-13 2023-09-12 Hewlett Packard Enterprise Development Lp Aggregation of select network traffic statistics
US11223520B1 (en) 2017-01-31 2022-01-11 Intel Corporation Remote control plane directing data plane configurator
US11463385B2 (en) 2017-01-31 2022-10-04 Barefoot Networks, Inc. Messaging between remote controller and forwarding element
US11245572B1 (en) 2017-01-31 2022-02-08 Barefoot Networks, Inc. Messaging between remote controller and forwarding element
US11606318B2 (en) 2017-01-31 2023-03-14 Barefoot Networks, Inc. Messaging between remote controller and forwarding element
US11271956B2 (en) 2017-03-31 2022-03-08 Level 3 Communications, Llc Creating aggregate network flow time series in network anomaly detection systems
US11757913B2 (en) 2017-03-31 2023-09-12 Level 3 Communications, Llc Creating aggregate network flow time series in network anomaly detection systems
US10356115B2 (en) * 2017-03-31 2019-07-16 Level 3 Communications, Llc Creating aggregate network flow time series in network anomaly detection systems
US11606381B2 (en) 2017-03-31 2023-03-14 Level 3 Communications, Llc Creating aggregate network flow time series in network anomaly detection systems
US10757028B1 (en) 2017-04-23 2020-08-25 Barefoot Networks, Inc. Configurable forwarding element deparser
US11425058B2 (en) 2017-04-23 2022-08-23 Barefoot Networks, Inc. Generation of descriptive data for packet fields
US10694006B1 (en) 2017-04-23 2020-06-23 Barefoot Networks, Inc. Generation of descriptive data for packet fields
US10686735B1 (en) 2017-04-23 2020-06-16 Barefoot Networks, Inc. Packet reconstruction at deparser
US11503141B1 (en) 2017-07-23 2022-11-15 Barefoot Networks, Inc. Stateful processing unit with min/max capability
US11750526B2 (en) 2017-07-23 2023-09-05 Barefoot Networks, Inc. Using stateful traffic management data to perform packet processing
US11362967B2 (en) 2017-09-28 2022-06-14 Barefoot Networks, Inc. Expansion of packet data within processing pipeline
US11700212B2 (en) 2017-09-28 2023-07-11 Barefoot Networks, Inc. Expansion of packet data within processing pipeline
US10958675B2 (en) * 2017-12-13 2021-03-23 Robert Bosch Gmbh Method for the automated creation of rules for a rule-based anomaly recognition in a data stream
CN110059904A (en) * 2017-12-13 2019-07-26 Robert Bosch GmbH Method for the automated creation of rules for rule-based anomaly recognition in a data stream
US11146468B1 (en) * 2021-03-08 2021-10-12 Pensando Systems Inc. Intelligent export of network information
WO2022193196A1 (en) * 2021-03-17 2022-09-22 Huawei Technologies Co., Ltd. Network message handling device and method, and electronic device

Also Published As

Publication number Publication date
US8861397B2 (en) 2014-10-14
CN101563908A (en) 2009-10-21
WO2008075224A1 (en) 2008-06-26
US20130238792A1 (en) 2013-09-12
CA2669932A1 (en) 2008-06-26
KR20090099519A (en) 2009-09-22
JP5102844B2 (en) 2012-12-19
CN101563908B (en) 2013-01-09
JP2010514313A (en) 2010-04-30

Similar Documents

Publication Publication Date Title
US8861397B2 (en) Apparatus and method for analyzing a network
US11876883B2 (en) Packet processing method, network node, and system
JP7035227B2 (en) Data packet detection methods, devices, and systems
EP2429128B1 (en) Flow statistics aggregation
US9065767B2 (en) System and method for reducing netflow traffic in a network environment
US20200021512A1 (en) Methods, systems, and computer readable media for testing a network node using source code
JP4774357B2 (en) Statistical information collection system and statistical information collection device
JP5660198B2 (en) Network system and switching method
CN103004158A (en) Network device with a programmable core
US20220407791A1 (en) Network performance detection method and apparatus, and network device
CN110324198A (en) Loss treating method and packet loss processing unit
CN109547288B (en) Programmable flow measuring method for protocol independent forwarding network
CN107070719B (en) Equipment management method and device
CN110071843B (en) Fault positioning method and device based on flow path analysis
KR20120062174A (en) Apparatus and method for dynamic processing a variety of characteristics packet
US7715317B2 (en) Flow generation method for internet traffic measurement
CN114500354A (en) Switch control method, device, control equipment and storage medium
US20230327983A1 (en) Performance measurement in a segment routing network
US20050169277A1 (en) Label switched data unit content evaluation
François et al. Bpp over p4: exploring frontiers and limits in programmable packet processing
CN114157595B (en) Communication system, data processing method and related equipment
CN115225545B (en) Message transmission method and device
JP7359299B2 (en) Packet identification device, packet identification method, and packet identification program
JP4669453B2 (en) Flow information processing apparatus and method
CN108075939B (en) Network quality detection system and method

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION,NEW YO

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KIND, ANDREAS;LUNTEREN, JAN VAN;REEL/FRAME:022848/0519

Effective date: 20090615

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION