US20230283520A1 - Intent driven network policy platform - Google Patents
Intent driven network policy platform Download PDFInfo
- Publication number
- US20230283520A1 US20230283520A1 US18/314,025 US202318314025A US2023283520A1 US 20230283520 A1 US20230283520 A1 US 20230283520A1 US 202318314025 A US202318314025 A US 202318314025A US 2023283520 A1 US2023283520 A1 US 2023283520A1
- Authority
- US
- United States
- Prior art keywords
- network
- policies
- entities
- data
- user intent
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000009471 action Effects 0.000 claims abstract description 40
- 238000000034 method Methods 0.000 claims description 29
- 238000005516 engineering process Methods 0.000 abstract description 23
- 230000008569 process Effects 0.000 description 20
- 230000015654 memory Effects 0.000 description 19
- 238000003860 storage Methods 0.000 description 14
- 238000004891 communication Methods 0.000 description 13
- 230000006870 function Effects 0.000 description 12
- 238000010586 diagram Methods 0.000 description 7
- 238000007726 management method Methods 0.000 description 6
- 230000008520 organization Effects 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 238000011160 research Methods 0.000 description 3
- 230000004075 alteration Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 238000013439 planning Methods 0.000 description 2
- 239000007787 solid Substances 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000007596 consolidation process Methods 0.000 description 1
- 230000001934 delay Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000005012 migration Effects 0.000 description 1
- 238000013508 migration Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0893—Assignment of logical groups to network elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/085—Retrieval of network configuration; Tracking network configuration history
- H04L41/0853—Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
- H04L41/0856—Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information by backing up or archiving configuration information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0894—Policy-based network configuration management
Definitions
- the subject matter of this disclosure relates in general to the field of computer networks, and more specifically for management of entities and resources within a computer network.
- a managed network such as an enterprise private network (EPN) may contain a large number of entities distributed across the network. These entities include, for example, nodes, endpoints, machines, virtual machines, containers (an instance of container-based virtualization), and applications. In addition to being different types, these entities may be grouped in different departments, located in different geographical locations, and/or serve different functions.
- ERP enterprise private network
- An expansive or thorough understanding of the network can be critical for network management tasks such as anomaly detection (e.g., network attacks and misconfiguration), network security (e.g., preventing network breaches and reducing network vulnerabilities), asset management (e.g., monitoring, capacity planning, consolidation, migration, and continuity planning), and compliance (e.g. conformance with governmental regulations, industry standards, and corporate policies).
- anomaly detection e.g., network attacks and misconfiguration
- network security e.g., preventing network breaches and reducing network vulnerabilities
- asset management e.g., monitoring, capacity planning, consolidation, migration, and continuity planning
- compliance e.g. conformance with governmental regulations, industry standards, and corporate policies.
- FIG. 1 is a conceptual block diagram illustrating an example of an intent driven network policy platform, in accordance with various embodiments of the subject technology
- FIG. 2 is an illustration showing contents of an inventory store, in accordance with various embodiments of the subject technology
- FIG. 3 illustrates two examples of inventory filters, in accordance with various embodiments of the subject technology
- FIG. 4 illustrates an example flow filter incorporating two inventory filters, in accordance with various embodiments of the subject technology
- FIG. 5 shows an example process for managing a network using user intent statements, in accordance with various embodiments of the subject technology
- FIG. 6 is a diagram illustrating an example of a scope hierarchy, in accordance with various embodiments of the subject technology
- FIG. 7 is a conceptual block diagram illustrating an example of a policy store, in accordance with various embodiments of the subject technology
- FIG. 8 shows an example process for accessing a record in the distributed file system, in accordance with various embodiments of the subject technology
- FIG. 9 shows an example process for storing a record in the distributed file system, in accordance with various embodiments of the subject technology
- FIGS. 10 A and 10 B illustrate examples of systems in accordance with some embodiments.
- ACLs access control lists
- routers and switches to permit and restrict data flow within the network.
- ACLs access control lists
- the network device examines data packets passing through the interface to determine whether to forward or drop the packet based on the criteria specified within the ACLs.
- Each ACL includes entries where each entry includes a destination target internet protocol (IP) address, a source target IP address, and a statement of permission or denial for that entry.
- IP internet protocol
- a development team that builds a particular application, set of applications, or function(s) (e.g., an “application owner”) is typically not responsible for managing an enterprise network and are not expected to have a deep understanding of the network.
- the application owner understands at a high level how certain applications or functions should operate, which entities should be allowed or restricted from communicating with other entities, and how entities should be allowed or restricted from communicating with other entities (e.g., which ports and/or communication protocols are allowed or restricted).
- the application owner In order to implement desired network policies, the application owner must contact a network operator and communicate their objectives to the network operator. The network operator tries to understand the objectives and then creates ACL entries that satisfy the application owner's objectives.
- ACL entries Even relatively simple network policies take hundreds, thousands, or more ACL entries to implement and ACLs often end up containing millions of entries. For example, to implement a simple network rule where a first subnet of machines cannot communicate with a second subnet of machines requires 2(m ⁇ n) ACL entries for a number of m endpoints in the first subnet and a number of n endpoints in the second subnet to explicitly list out each IP address in the first subnet that cannot send data to each IP address in the second subnet and each IP address in the second subnet cannot send data to each IP address in the first subnet.
- the size of the ACLs can further complicate matters making intelligently altering the ACLs increasingly difficult.
- ACL entries permit and restrict data flow within the network at the machine level.
- ACL entries permit or restrict communication based on a destination target internet protocol (IP) address and a source target IP address.
- IP internet protocol
- applications on one network entity e.g., a physical server, virtual machine, container, etc.
- Other communications between the entities should be restricted for security reasons (e.g., some hackers may take advantage of broad traditional ACL entries and use applications to gain access to other areas of the network).
- Traditional ACL entries are unable to accommodate for more tailored control of network traffic.
- Various embodiments of the subject technology address these and other technical problems by providing an intent driven network policy platform that allows both application owner and network operators to define network policies in a more understandable manner and provides these users with finer levels of controls.
- Various embodiments relate to an intent driven network policy platform configured to ingest network data and generate an inventory of network entities.
- the network policy platform receives a user intent statement, translates the intent into network policies, and enforces the network policies.
- FIG. 1 is a conceptual block diagram illustrating an example network environment 100 that includes an intent driven network policy platform 110 , in accordance with various embodiments of the subject technology.
- Various embodiments are discussed with respect to an enterprise private network (EPN) for illustrative purposes. However, these embodiments and others may be applied to other types of networks.
- the network environment 100 may be implemented by any type of network and may include, for example, any one or more of a cellular network, a satellite network, a personal area network (PAN), a local area network (LAN), a wide area network (WAN), a broadband network (BBN), the Internet, and the like.
- PAN personal area network
- LAN local area network
- WAN wide area network
- BBN broadband network
- the network environment 100 can be a public network, a private network, or a combination thereof.
- the network environment 100 may be implemented using any number of communications links associated with one or more service providers, including one or more wired communication links, one or more wireless communication links, or any combination thereof. Additionally, the network environment 100 can be configured to support the transmission of data formatted using any number of protocols.
- the network environment 100 includes one or more network agents 105 configured to communicate with an intent driven network policy platform 110 via enforcement front end modules (EFEs) 115 .
- the intent driven network policy platform 110 is shown with one or more EFEs 115 , a user interface module 120 , a coordinator module 125 , an intent service module 130 , an inventory store 150 , and a policy store 155 .
- the intent driven network policy platform 110 may include additional components, fewer components, or alternative components.
- the network policy platform 110 may be implemented as a single machine or distributed across a number of machines in the network.
- Each network agent 105 may be installed on a network entity and configured to receive network policies (e.g., enforcement policies, configuration policies, etc.) from the network policy platform 110 via the enforcement front end modules 115 .
- network policies e.g., enforcement policies, configuration policies, etc.
- a network agent 105 can register with the network policy platform 110 and communicate with one or more EFEs to receive network policies that are configured to be applied to the host on which the network agent 105 is running.
- the network policies may be received in a high-level, platform independent format.
- the network agent 105 may convert the high-level network policies into platform specific policies and apply any number of optimizations before applying the network policies to the host network entity.
- the high-level network policies may be converted at the network policy platform 110 .
- Each network agent 105 may further be configured to observe and collect data and report the collected data to the intent driven network policy platform 110 via the EFEs 115 .
- the network agent 105 may collect policy enforcement related data associated with the host entity such as a number of policies being enforced, a number of rules being enforced, a number of data packets being allowed, dropped, forwarded, redirected, or copied, or any other data related to the enforcement of network policies.
- the network agent 105 may also collect data related to host entity performance such as CPU usage, memory usage, a number of TCP connections, a number of failed connection, etc.
- the network agent 105 may also collect other data related to the host such as an entity name, operating system, entity interface information, file system information, applications or processes installed or running, or disks that are mounted.
- the enforcement front end modules (EFEs) 115 are configured to handle the registration of the network agents 105 with the network policy platform 110 , receive collected data from the network agents 105 , and store the collected data in inventory store 150 .
- the EFEs may be further configured to store network policies (high-level platform independent policies or platform specific policies) in memory, periodically scan a policy store 155 for updates to network policies, and notify and update network agents 105 with respect to changes in the network policies.
- the user interface 120 receives input from users of the network policy platform 110 .
- the user interface 120 may be configured to receive user configured data for entities in the network from a network operator.
- the user configured data may include IP addresses, host names, geographic locations, departments, functions, a VPN routing/forwarding (VRF) table, or other data for entities in the network.
- the user interface 120 may be configured to collect the user configured data and store the data in the inventory store 150 .
- the user interface 120 may also be configured to receive one or more user intent statements.
- the user intent statements may be received from a network operator, application owner, or other administrator or through another entity via an application programming interface (API).
- API application programming interface
- a user intent statement is a high-level expression of one or more network rules that may be translated into a network policy.
- the user interface 120 may pass a received user intent statement to the intent service 130 where the intent service 130 is configured to format the user intent statements and transform the user intent statement into network policies that may be applied to entities in the network.
- the intent service 130 may be configured to store the user intent statements, either in formatted or non-formatted form, in an intent store. After the user intent statements are translated into network policies, the intent service 130 may store the network policies in policy store 155 .
- the policy store 155 is configured to store network policies.
- the network policies may be high-level platform independent network policies or platform specific policies.
- the policy store 155 is implemented as a NoSQL database.
- the intent service 130 may also track changes to intent statements and make sure the network policies in the policy store are up-to-date with the intent statements in the intent store. For example, if a user intent statement in the intent store is deleted or changed, the intent service 130 may be configured to located network policies associated with the deleted user intent statement and delete or update the network policies as appropriate.
- the coordinator module 125 is configured to assign network agents 105 to EFEs. For example, the coordinator 125 may use a sharding technique to balance load and improve efficiency of the network policy platform 110 . The coordinator 125 may also be configured to determine if an update to the policy store is needed and update the policy store accordingly. The coordinator 125 may further be configured to receive data periodically from the network agents 105 via the EFEs 115 , store the data in the inventory store 150 , and update the inventory store 150 if necessary.
- FIG. 2 is an illustration showing contents of an inventory store 200 , in accordance with various embodiments of the subject technology.
- the inventory store 200 is configured to contain data and attributes for each network entity managed by the intent driven network policy platform 110 .
- the network entities may include machines (e.g., servers, personal computers, laptops), virtual machines, containers, mobile devices (e.g., tablets or smart phones), smart devices (e.g., set top boxes, smart appliances, smart televisions, internet-of-things devices), or network equipment, among other computing devices.
- the inventory store 200 is implemented as a conventional relational database in this example, other embodiments may utilize other types of databases (e.g., NoSQL, NewSQL, etc.).
- the inventory store 200 may receive user configured data from the user interface 120 and data received from the network agents 105 via the EFEs 115 and store the data in records or entries associated with network entities managed by the network policy platform 110 .
- Each record in the inventory store 200 may include attribute data for a network entity such as one or more entity identifiers (e.g., a host name, IP address, MAC addresses, hash value, etc.), a geographic location, an operating system, a department, interface data, functionality, a list of one or more annotations, file system information, disk mount information, top-of-rack (ToR) location, and a scope.
- entity identifiers e.g., a host name, IP address, MAC addresses, hash value, etc.
- the inventory store 200 may also include entity performance and network enforcement data either together with the attribute data or separately in one or more separate data stores.
- the performance and network enforcement data may include CPU usage, memory usage, a number of TCP connections, a number of failed connections, a number of network policies, or a number of data packets that have been allowed, dropped, forwarded, or redirected.
- the inventory store 200 may include historical performance or enforcement data associated with network entities or metrics calculated based on historical data.
- a user intent statement is a high-level expression of that may be translated into one or more network policies.
- a user intent statement may be composed of one or more filters and at least one action.
- the filters may include inventory filters that identify network entities on which the action is to be applied and flow filters that identify network data flows on which the action is to be applied.
- a flow filter identifies network data flows. For example, if a user wished to identify all data flows from network entities in Mountain View to network entities in the Research Triangle Park facility, the following flow filter may be used:
- Each filter may further be defined beforehand and assigned a name for more convenient use.
- actions applicable to inventory filters may include annotation and configuration actions.
- Annotating actions adds tags or labels to network items in the inventory store or flow data. Annotations may help network operators identify network entities.
- Configuration actions may be used to configure network entities. For example, some configuration actions may be used to set a CPU quota for certain applications, processes, or virtual machines. Other configuration actions may enable or disable monitoring of certain metrics, collection and transmittal of certain data, or enforcement of certain network policies. Some configuration actions may also be able to enable or disable certain modes within a network entity.
- some entities may be configured to run in a “high visibility mode” in which most metrics and data (e.g., full time series data) are collected and transmitted to the network policy platform for analysis or in “low visibility mode” in which only a small subset of the available metrics and data are collected and transmitted.
- “high visibility mode” in which most metrics and data (e.g., full time series data) are collected and transmitted to the network policy platform for analysis
- “low visibility mode” in which only a small subset of the available metrics and data are collected and transmitted.
- Actions applicable to flow filters may include annotation or network enforcement actions.
- Network enforcement actions include, for example, allowing data packets, dropping data packets, copying data packets, redirecting data packets, encrypting data packets, or load balance across network entities.
- User intent statements may further specify types of communications or communication protocols used, ports used, or use any other filter to identify a network entity or network flow on which to apply an action. For example, if the user only wishes to drop transmission control protocol (TCP) communications out of port 80 for these network entities, the following user intent statement may be used instead:
- TCP transmission control protocol
- a user can utilize the following user intent statement:
- FIG. 3 illustrates two example inventory filters, in accordance with various embodiments of the subject technology.
- the first inventory filter 300 is named “Inventory_Filter_1” and is configured to identify all network entities in the inventory store that run on a Linux operating system and have a VRF ID of 676767.
- the second inventory filter 350 is named “Inventory_Filter_2” and is configured to identify all network entities in the inventory store that represent the 10.0.0.0/8 and 1.1.11.0/24 subnets.
- FIG. 4 illustrates an example flow filter incorporating two inventory filters, in accordance with various embodiments of the subject technology.
- the flow filter 400 is configured to identify TCP data flows between the 10.0.0.0/8 and 11.0.0.1 subnets.
- the flow filter 400 further uses two inventory filters 405 and 410 to help identify the subnets.
- FIG. 5 shows an example process 500 for managing a network using inventory filters, in accordance with various embodiments of the subject technology. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated.
- the process 500 can be performed by a network, and particularly, a network policy system (e.g., the network policy platform 110 of FIG. 1 ) or similar system.
- the system may generate an inventory store that includes records for network entities in the network.
- the records may be created or updated based on configuration data received from a network operator.
- the configuration data may include various attributes of certain network entities.
- the attributes may include, for example, an internet protocol (IP) address, a host name, a geographic location, or a department.
- IP internet protocol
- the configuration data may also include annotations, labels, VPN routing/forwarding (VRF) information, interface information, or any other data that may be used to identify one or more network entities.
- VRF VPN routing/forwarding
- the records may further be created, updated, or supplemented with information observed by network agents and reported to the network policy system by the network agents.
- This information may include operating system information, hostnames, interface information, entity identifiers, policy enforcement information, or data related to entity performance.
- Policy enforcement information may include a number of policies being enforced, a number of rules being enforced, a number of data packets being allowed, dropped, forwarded, redirected, or copied, or any other data related to the enforcement of network policies.
- Data related to entity performance may include CPU usage, memory usage, a number of TCP connections, a number of failed connection, applications or processes installed or running, disks that are mounted, or other time series data.
- the system receives a user intent statement that includes at least one filter and an action.
- the user intent statement may be received from a network operator, application owner, or other administrator via a user interface or through another party or service via an application program interface (API).
- the filter may be an inventory filter configured to help identify network entities on which the action is to be applied or a flow filter configured to help identify network data flows on which the action is to be applied.
- the action may be an enforcement action, a configuration action, or an annotation action.
- the system may query the inventory store to identify network entities to which the user intent statement applies at operation 515 .
- system may query the inventory store using the one or more filters found in the user intent statement to identify network entities that match the conditions of the filters.
- the filters may include one or more attributes that can be used to narrow down the network entities to only those to which the action is to be applied.
- the attributes may be, for example, an entity type (e.g., machine, virtual machine, container, process, etc.), an IP subnet, an operating system, or any other information that may be found in the inventory store and used to identify network entities.
- the system generates network policies that apply the action to the network entities identified by the query.
- the network policies for user intent statements that include a flow filter or an enforcement action may be implemented in the form of one or more access control lists (ACLs).
- network policies for user intent statements that include an annotation action or configuration action may be implemented in the form of instructions to the network entity or a network agent to implement the actions.
- the system then enforces the network policies at operation 525 .
- some network policies may be enforced on the system.
- the system transmits the network policies to one or more network agents configured to implement the network policies on the network entities.
- a user or service is able to provide a user intent statement that the system uses to generate multiple network policies. Accordingly, the user need not spend time and resources explicitly crafting each network policy. Instead, the user may specify a reduced number of user intent statements that express the user's network management desires. Furthermore, the user intent statements are more understandable to network operators and application owners and the system is configured to take the user intent statements and translate the statements into network policies that network agents or network entities may use to implement the user's network management desires.
- Some networks may be quite large and include a large number of network entities serving several departments and several functions within those departments. In some cases, more than one network operator may be tasked with managing the network and each network operator may be responsible for certain portions of the network which may or may not overlap.
- Various embodiments of the subject technology enable network operators to apply user intent statements to network entities (e.g., servers) and network flows that the network operator is authorized to manage, prevent network operators from applying user intent statements to network entities and network flows that the network operator is not authorized to manage, and address conflicting user intent statements if they exist.
- the network policy platform may include a user database that includes entries for each network operator authorized to manage the network.
- Each entry in the user database may reference a network operator any specify one or more scopes that the network operator is authorized to manage.
- These scopes may correspond to the one or more scopes associated with a network entity as specified in the network entity's record stored in the inventory store.
- the scopes may be assigned to the network entity by a network operator as part of the configuration data received by the user interface of the network policy platform.
- the scopes in the entry associated with a network operator may be tied to a privilege. For example, each privilege that a network operator has (e.g., read, write, modify, create, delete, enforce a network policy, etc.) may be associated with a scope for that privilege.
- the scopes may be organized into a hierarchy.
- FIG. 6 is a diagram illustrating an example of a scope hierarchy, in accordance with various embodiments of the subject technology.
- the hierarchy may mirror an organizational hierarchy or org chart, as is illustrated in FIG. 6 .
- other organization models or hierarchies may be used.
- the organization is split between 3 first tier scopes of human resources (HR), infrastructure (Infra), and finance (Fin).
- HR is further split between database network entities (HR_DB) and web network entities (HR_Web).
- Infra is split between production network entities (Infra_Prod) and development network entities (Infra_Dev).
- Finance is split between database network entities (Fin_DB) and web network entities (Fin_Web).
- a user that is assigned a scope may have permission to manage all child scopes for that scope. For example, if a network operator is assigned the root “Organization” scope, the network operator is able to manage all network entities and flows in the entire organization. If, on the other hand, the network operator is assigned to the “Fin” scope, the network operator is able to manage all network entities and flow associated with the “Fin” scope, i.e., the “Fin_DB” scope, and the “Fin_Web” scope. In other embodiments, a network operator must explicitly be assigned to all scopes that they are authorized to manage and if the scope is not explicitly assigned to the network operator, the network operator is not authorized to manage network entities or flows associated with that scope.
- the network policy platform may access the user database, locate the user's entry, and identify the one or more scopes that the user is authorized to manage.
- the network policy platform queries the inventory store to identify network entities or network flows to which the user intent statement applies, the one or more scopes assigned to the user and to the network entities (e.g., in the scope column of the inventory store) are used to filer the network entities and network flows in order to select only the network entities and network flows that the user is authorized to manage.
- the network policy platform may then generate network policies that only apply to identified network entities or network flows that the user is authorized to manage.
- two or more user intent statements may conflict and apply to the same network entities or network flows.
- managers may create user intent statements to manage large sets of resources in the network while a lower level network operator may create one or more conflicting user intent statements for the subset of network resources for which they are responsible.
- the manager may want their user intent statements to override the lower level network operator user intent statements, while other times, the manager may want to defer to the lower level network operator with more specific knowledge of the resources they are responsible for and have the network operator's user intent statements override.
- prioritizing the user intent statements and dealing with conflicting user intent statements is difficult and confusing, especially with a large number of network policies and network resources.
- Various embodiments relate to resolving conflicts between user intent statements by using an enforcement hierarchy that includes a user defined order of precedence.
- a user may specify whether a user intent statement is associated with an “absolute” priority or a “default” priority.
- a user intent statement assigned an absolute priority is one that the creator wishes to override other conflicting user intent statements that the creator is permitted to override.
- a user intent statement assigned a default priority may be overridden by other user intent statements.
- the different priority levels e.g., an “absolute” priority or a “default” priority
- the network policy platform may also allow a network administrator to set an ordering scopes in which user intent statements directed to network entities or network flows are processed and enforced based on the ordering of the scopes associated with the network entities or network flows.
- an ordering of scopes and different priority levels may be used together to process and enforce user intent statements.
- a network administrator may set an ordering of scopes to be S1, S2, S3, and S4, where S1 through S4 are scopes. Additionally, some user intent statements may be prioritized as “absolute” or “default.”
- the network policy platform may process and enforce the user intent statements according to the following order:
- Various embodiments of the subject technology discussed herein relate to a more intuitive way to manage a network and a way to manage the network in a more targeted manner.
- user intent statements allow users to define network rules in a more understandable manner. These user intent statements may be translated into network policies and stored in a policy store such as policy store 155 illustrated in FIG. 1 . Depending on the use case, in some cases, the number of network policies may grow to a point at which it is difficult to store and inefficient to process read and write operations.
- a distributed file system such as a Hadoop distributed file system (HDFS) may be used to store the network policies.
- HDFS Hadoop distributed file system
- the network policies may be split into a number of large blocks which are then distributed across nodes.
- the HDFS storage is able to handle very large amounts of data, scalable as additional nodes may be easily added to the framework, and resilient to failure.
- FIG. 7 is a conceptual block diagram illustrating an example of a policy store 775 , in accordance with various embodiments of the subject technology.
- the policy store 775 in FIG. 7 is implemented using an index 760 and a distributed file system 765 .
- the index 760 may be any type of database such as a NoSQL database like MongoDBTM.
- the distributed file system 765 may be a Hadoop Distributed File System (HDFS) or any other distributed file system or clustered file system.
- HDFS Hadoop Distributed File System
- the index 760 in FIG. 7 is configured to store information that allows the network policy system to locate policies associated with particular network entities on the distributed file system 765 .
- the index 760 in FIG. 7 is shown containing one or more entries for network entities 770 .
- Each entry may include a network entity identifier, a file identifier, and an offset.
- the information in the entry allows the network policy system to locate policies associated with particular network entities on the distributed file system 765 .
- network policies may be grouped based on the network entities on which the network policies are to be applied. Each set of network policies applicable to a particular network entity may be stored together in a record for the network entity. The record is then stored in a file in the distributed file system 765 .
- the file may also include records for other network entities.
- the distributed file system 765 may consist of several data blocks. Each data block may include one or more files (e.g., file 775 ) and each file may include one or more records containing network policies for network entities. According to some embodiments, each data block may include a single file and the file may contain as many records as can fit within the data block, however, the file size is not to exceed the block size for the distributed file system 765 .
- network policies may be split among separate files.
- a network policy system To access policies for a particular network entity, whether it be to enforce the policies, add policies to the record, remove policies to the record, or update policies, a network policy system identifies an entry for the network entity in the index 760 using an entity identifier.
- the entity identifier may be a host name, IP address, a hash value, label, or any other identifying data. In the example shown in FIG. 7 , the entity identifier for the network identifier is “Machine1.” Based on the entry, the network policy system determines a file identifier for a file containing the record for the network entity and an offset indicating a location of the record in the file.
- the file identifier may be a file name, a label, a hash value, a location, or any other data that may be used to identify a file in the distributed file system.
- the file identifier is the file name “File_XYZ” and the offset is 32 megabytes.
- the network policy system uses the file name (“File_XYZ”) to identify the file 775 where the record for the network entity is located and uses the offset to quickly determine the location of the record for the network entity in the file.
- the offset allows the network policy system to jump to the desired data instead of needing to read unnecessary portions of the file 775 in order to find the record.
- the size of each record may be different and the size of the record may be stored in a specified location so that the network policy system may quickly determine how large the record is and how much data needs to be retrieved in order to retrieve the entire record. In other embodiments, however, records may be the same size and/or a specified location is not used.
- the network policy system may jump to the location of the record and read a first portion (e.g., a header portion) of data that contains information regarding the size of the record. The network policy system may read the header portion 780 , determine the size of the record, and retrieve the record data 785 for use.
- the location that contains size information may be in other locations in the file, in the entry stored in the index, or in another location.
- the record data includes the network policies for the entity and can be viewed or altered.
- FIG. 8 shows an example process for accessing a record in the distributed file system, in accordance with various embodiments of the subject technology. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated.
- the process 800 can be performed by a network, and particularly, a network policy system (e.g., the network policy platform 110 of FIG. 1 ) or similar system.
- the system may wish to access the record for a network entity in order to enforce network policies located therein, update network policies for the network entity, or for any other reason.
- at network policy system may locate, in an index, an entry for a desired network entity.
- the network policy system may read the entry and determine a file identifier for a file containing a record for the network entity and an offset indicating a location of the record in the file at operation 815 .
- the network policy system may locate the file in a distributed file system using the file identifier at operation 820 and locate the record in the file using the offset at 825 .
- the network policy system retrieves the record.
- FIG. 9 shows an example process for storing a record in the distributed file system, in accordance with various embodiments of the subject technology. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated.
- the process 900 can be performed by a network, and particularly, a network policy system (e.g., the network policy platform 110 of FIG. 1 ) or similar system.
- a network policy system may store a record in the distributed file system after updating an existing record or creating a new record.
- the network policy system may receive a user intent statement, query an inventory store to identify the network entity to which the user intent statement applies, and generate network policies based on the user intent statement and instructions to update the policies stored in a distributed file system.
- the network policy system organizes the network policies based on the network entities that they operate on and identifies a set of policies applicable to a particular network entity.
- the network policy system determines if there is an existing record for the network entity in the distributed file system or if a new record needs to be created to store the set of policies. If a record exists and, therefore, a new record does not need to be created, at operation 915 , the network policy system may retrieve the record (as is illustrated in, for example, FIG. 8 ) and update the record with the set of policies.
- the network policy system creates a new record for the network entity and stores the set of policies applicable to the network entity in the record.
- the network policy system stores the new record in a file in the distributed file system at operation 925 .
- the network policy system may determine the size of the record and locate a file in the distributed file system that the record may fit such that the record is not split between two files and the file can fit into the maximum block size of the distributed file system.
- the size of the record may further be stored in a header of the record, in a portion immediately preceding or following the record, or in another location accessible to the network policy system.
- the network policy system stores a file identifier for the file in that the record was stored in and an offset for the location of the record in an entry located in an index database that is separate from the distributed file system.
- the policies may be enforced by the network policy system.
- the network policy system may enforce the network policies in the network by, for example, transmitting the record for the network entity to a network agent configured to implement the set of policies on the network entity.
- FIG. 10 A and FIG. 10 B illustrate systems in accordance with various embodiments. The more appropriate system will be apparent to those of ordinary skill in the art when practicing the various embodiments. Persons of ordinary skill in the art will also readily appreciate that other systems are possible.
- FIG. 10 A illustrates an example architecture for a conventional bus computing system 1000 wherein the components of the system are in electrical communication with each other using a bus 1005 .
- the computing system 1000 can include a processing unit (CPU or processor) 1010 and a system bus 1005 that may couple various system components including the system memory 1015 , such as read only memory (ROM) in a storage device 1020 and random access memory (RAM) 1025 , to the processor 1010 .
- the computing system 1000 can include a cache 1012 of high-speed memory connected directly with, in close proximity to, or integrated as part of the processor 1010 .
- the computing system 1000 can copy data from the memory 1015 and/or the storage device 1030 to the cache 1012 for quick access by the processor 1010 .
- the cache 1012 can provide a performance boost that avoids processor delays while waiting for data.
- These and other modules can control or be configured to control the processor 1010 to perform various actions.
- Other system memory 1015 may be available for use as well.
- the memory 1015 can include multiple different types of memory with different performance characteristics.
- the processor 1010 can include any general purpose processor and a hardware module or software module, such as module 1 1032 , module 2 1034 , and module 3 1036 stored in storage device 1030 , configured to control the processor 1010 as well as a special-purpose processor where software instructions are incorporated into the actual processor design.
- the processor 1010 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc.
- a multi-core processor may be symmetric or asymmetric.
- an input device 1045 can represent any number of input mechanisms, such as a microphone for speech, a touch-protected screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth.
- An output device 1035 can also be one or more of a number of output mechanisms known to those of skill in the art.
- multimodal systems can enable a user to provide multiple types of input to communicate with the computing system 1000 .
- the communications interface 1040 can govern and manage the user input and system output. There may be no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.
- Storage device 1030 can be a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 1025 , read only memory (ROM) 1020 , and hybrids thereof.
- RAMs random access memories
- ROM read only memory
- the storage device 1030 can include software modules 1032 , 1034 , 1036 for controlling the processor 1010 .
- Other hardware or software modules are contemplated.
- the storage device 1030 can be connected to the system bus 1005 .
- a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as the processor 1010 , bus 1005 , output device 1035 , and so forth, to carry out the function.
- FIG. 10 B illustrates an example architecture for a conventional chipset computing system 1050 that can be used in accordance with an embodiment.
- the computing system 1050 can include a processor 1055 , representative of any number of physically and/or logically distinct resources capable of executing software, firmware, and hardware configured to perform identified computations.
- the processor 1055 can communicate with a chipset 1060 that can control input to and output from the processor 1055 .
- the chipset 1060 can output information to an output device 1065 , such as a display, and can read and write information to storage device 1070 , which can include magnetic media, and solid state media, for example.
- the chipset 1060 can also read data from and write data to RAM 1075 .
- a bridge 1080 for interfacing with a variety of user interface components 1085 can be provided for interfacing with the chipset 1060 .
- the user interface components 1085 can include a keyboard, a microphone, touch detection and processing circuitry, a pointing device, such as a mouse, and so on.
- Inputs to the computing system 1050 can come from any of a variety of sources, machine generated and/or human generated.
- the chipset 1060 can also interface with one or more communication interfaces 1090 that can have different physical interfaces.
- the communication interfaces 1090 can include interfaces for wired and wireless LANs, for broadband wireless networks, as well as personal area networks.
- Some applications of the methods for generating, displaying, and using the GUI disclosed herein can include receiving ordered datasets over the physical interface or be generated by the machine itself by processor 1055 analyzing data stored in the storage device 1070 or the RAM 1075 .
- the computing system 1000 can receive inputs from a user via the user interface components 1085 and execute appropriate functions, such as browsing functions by interpreting these inputs using the processor 1055 .
- computing systems 1000 and 1050 can have more than one processor 1010 and 1055 , respectively, or be part of a group or cluster of computing devices networked together to provide greater processing capability.
- the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like.
- non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
- Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network.
- the computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
- Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
- the instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
Abstract
The disclosed technology relates to intent driven network management. A system is configured to maintain an inventory store comprising records for a set of network entities in a network, wherein each network entity in the set of network entities is associated with a record in the inventory store. The system receives a user intent statement comprising an action and a flow filter representing network data flows on which the action is to be applied and queries, based on the flow filter, the inventory store to identify a plurality of network entities in the set of network entities to which the user intent statement applies. The system generates a plurality of network policies that implement the user intent statement based on the plurality of network entities and the action and enforces the plurality network policies.
Description
- This application is a continuation of U.S. Non-Provisional patent application Ser. No. 17/482,411, filed on Sep. 22, 2021, which is a continuation of U.S. Non-Provisional patent application Ser. No. 16/820,404, filed Mar. 16, 2020, now U.S. Pat. No. 11,146,454, which is a continuation of U.S. Non-Provisional patent application Ser. No. 15/470,410, filed Mar. 23, 2017, now U.S. Pat. No. 10,594,560, the full disclosures of each are incorporated herein by reference in their entireties.
- The subject matter of this disclosure relates in general to the field of computer networks, and more specifically for management of entities and resources within a computer network.
- A managed network, such as an enterprise private network (EPN), may contain a large number of entities distributed across the network. These entities include, for example, nodes, endpoints, machines, virtual machines, containers (an instance of container-based virtualization), and applications. In addition to being different types, these entities may be grouped in different departments, located in different geographical locations, and/or serve different functions.
- An expansive or thorough understanding of the network can be critical for network management tasks such as anomaly detection (e.g., network attacks and misconfiguration), network security (e.g., preventing network breaches and reducing network vulnerabilities), asset management (e.g., monitoring, capacity planning, consolidation, migration, and continuity planning), and compliance (e.g. conformance with governmental regulations, industry standards, and corporate policies). Traditional approaches for managing large networks require comprehensive knowledge on the part of highly specialized human operators because of the complexities of the interrelationships among the entities.
- In order to describe the manner in which the above-recited and other advantages and features of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments that are illustrated in the appended drawings. Understanding that these drawings depict only embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:
-
FIG. 1 is a conceptual block diagram illustrating an example of an intent driven network policy platform, in accordance with various embodiments of the subject technology; -
FIG. 2 is an illustration showing contents of an inventory store, in accordance with various embodiments of the subject technology; -
FIG. 3 illustrates two examples of inventory filters, in accordance with various embodiments of the subject technology; -
FIG. 4 illustrates an example flow filter incorporating two inventory filters, in accordance with various embodiments of the subject technology; -
FIG. 5 shows an example process for managing a network using user intent statements, in accordance with various embodiments of the subject technology; -
FIG. 6 is a diagram illustrating an example of a scope hierarchy, in accordance with various embodiments of the subject technology; -
FIG. 7 is a conceptual block diagram illustrating an example of a policy store, in accordance with various embodiments of the subject technology; -
FIG. 8 shows an example process for accessing a record in the distributed file system, in accordance with various embodiments of the subject technology; -
FIG. 9 shows an example process for storing a record in the distributed file system, in accordance with various embodiments of the subject technology; -
FIGS. 10A and 10B illustrate examples of systems in accordance with some embodiments. - The detailed description set forth below is intended as a description of various configurations of embodiments and is not intended to represent the only configurations in which the subject matter of this disclosure can be practiced. The appended drawings are incorporated herein and constitute a part of the detailed description. The detailed description includes specific details for the purpose of providing a more thorough understanding of the subject matter of this disclosure. However, it will be clear and apparent that the subject matter of this disclosure is not limited to the specific details set forth herein and may be practiced without these details. In some instances, structures and components are shown in block diagram form in order to avoid obscuring the concepts of the subject matter of this disclosure.
- Large networks often require comprehensive knowledge on the part of highly specialized human operators (e.g., network administrators) to effectively manage. However, controls available to the human operators are not very flexible and the human operators with the specialized knowledge able to manage the network(s) are often not the individuals with a higher level understanding of how the network should operate with respect to certain applications or functionalities. Furthermore, once a change in network management is executed, it is often difficult to roll back the changes, make alterations, or understand the changes, even for network operators.
- The disclosed technology addresses the need in the art for a more intuitive way to manage a network and a way to manage the network in a more targeted manner. For example, many networks may be secured using access control lists (ACLs) implemented by routers and switches to permit and restrict data flow within the network. When an ACL is configured on an interface, the network device examines data packets passing through the interface to determine whether to forward or drop the packet based on the criteria specified within the ACLs. Each ACL includes entries where each entry includes a destination target internet protocol (IP) address, a source target IP address, and a statement of permission or denial for that entry.
- The ACLs, however, may be difficult for application developers and other users with limited knowledge of network engineering to understand and use. A development team that builds a particular application, set of applications, or function(s) (e.g., an “application owner”) is typically not responsible for managing an enterprise network and are not expected to have a deep understanding of the network. The application owner understands at a high level how certain applications or functions should operate, which entities should be allowed or restricted from communicating with other entities, and how entities should be allowed or restricted from communicating with other entities (e.g., which ports and/or communication protocols are allowed or restricted). In order to implement desired network policies, the application owner must contact a network operator and communicate their objectives to the network operator. The network operator tries to understand the objectives and then creates ACL entries that satisfy the application owner's objectives.
- Even relatively simple network policies take hundreds, thousands, or more ACL entries to implement and ACLs often end up containing millions of entries. For example, to implement a simple network rule where a first subnet of machines cannot communicate with a second subnet of machines requires 2(m×n) ACL entries for a number of m endpoints in the first subnet and a number of n endpoints in the second subnet to explicitly list out each IP address in the first subnet that cannot send data to each IP address in the second subnet and each IP address in the second subnet cannot send data to each IP address in the first subnet. The size of the ACLs can further complicate matters making intelligently altering the ACLs increasingly difficult. For example, if an application owner wants to alter the implemented network policies, it is difficult for the application owner or the network operator to know which ACL entries were created based on the original network policy and, as a result, difficult to identify ACL entries to add, delete, or modify based on the alteration of the network policies.
- Furthermore, traditional ACLs permit and restrict data flow within the network at the machine level. For example, ACL entries permit or restrict communication based on a destination target internet protocol (IP) address and a source target IP address. However, in some cases, applications on one network entity (e.g., a physical server, virtual machine, container, etc.) should be able to communicate with other applications on a different network entity, but other communications between the entities should be restricted for security reasons (e.g., some hackers may take advantage of broad traditional ACL entries and use applications to gain access to other areas of the network). Traditional ACL entries are unable to accommodate for more tailored control of network traffic.
- Various embodiments of the subject technology address these and other technical problems by providing an intent driven network policy platform that allows both application owner and network operators to define network policies in a more understandable manner and provides these users with finer levels of controls.
- Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustrative purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without departing from the spirit and scope of the disclosure.
- Various embodiments relate to an intent driven network policy platform configured to ingest network data and generate an inventory of network entities. The network policy platform receives a user intent statement, translates the intent into network policies, and enforces the network policies.
-
FIG. 1 is a conceptual block diagram illustrating anexample network environment 100 that includes an intent drivennetwork policy platform 110, in accordance with various embodiments of the subject technology. Various embodiments are discussed with respect to an enterprise private network (EPN) for illustrative purposes. However, these embodiments and others may be applied to other types of networks. For example, thenetwork environment 100 may be implemented by any type of network and may include, for example, any one or more of a cellular network, a satellite network, a personal area network (PAN), a local area network (LAN), a wide area network (WAN), a broadband network (BBN), the Internet, and the like. Thenetwork environment 100 can be a public network, a private network, or a combination thereof. Thenetwork environment 100 may be implemented using any number of communications links associated with one or more service providers, including one or more wired communication links, one or more wireless communication links, or any combination thereof. Additionally, thenetwork environment 100 can be configured to support the transmission of data formatted using any number of protocols. - The
network environment 100 includes one ormore network agents 105 configured to communicate with an intent drivennetwork policy platform 110 via enforcement front end modules (EFEs) 115. The intent drivennetwork policy platform 110 is shown with one or more EFEs 115, a user interface module 120, acoordinator module 125, anintent service module 130, an inventory store 150, and apolicy store 155. In other embodiments, the intent drivennetwork policy platform 110 may include additional components, fewer components, or alternative components. Thenetwork policy platform 110 may be implemented as a single machine or distributed across a number of machines in the network. - Each
network agent 105 may be installed on a network entity and configured to receive network policies (e.g., enforcement policies, configuration policies, etc.) from thenetwork policy platform 110 via the enforcementfront end modules 115. After an initial installation on a network entity (e.g., a machine, virtual machine, or container, etc.), anetwork agent 105 can register with thenetwork policy platform 110 and communicate with one or more EFEs to receive network policies that are configured to be applied to the host on which thenetwork agent 105 is running. In some embodiments, the network policies may be received in a high-level, platform independent format. Thenetwork agent 105 may convert the high-level network policies into platform specific policies and apply any number of optimizations before applying the network policies to the host network entity. In some embodiments, the high-level network policies may be converted at thenetwork policy platform 110. - Each
network agent 105 may further be configured to observe and collect data and report the collected data to the intent drivennetwork policy platform 110 via theEFEs 115. Thenetwork agent 105 may collect policy enforcement related data associated with the host entity such as a number of policies being enforced, a number of rules being enforced, a number of data packets being allowed, dropped, forwarded, redirected, or copied, or any other data related to the enforcement of network policies. Thenetwork agent 105 may also collect data related to host entity performance such as CPU usage, memory usage, a number of TCP connections, a number of failed connection, etc. Thenetwork agent 105 may also collect other data related to the host such as an entity name, operating system, entity interface information, file system information, applications or processes installed or running, or disks that are mounted. - The enforcement front end modules (EFEs) 115 are configured to handle the registration of the
network agents 105 with thenetwork policy platform 110, receive collected data from thenetwork agents 105, and store the collected data in inventory store 150. The EFEs may be further configured to store network policies (high-level platform independent policies or platform specific policies) in memory, periodically scan apolicy store 155 for updates to network policies, and notify and updatenetwork agents 105 with respect to changes in the network policies. - The user interface 120 receives input from users of the
network policy platform 110. For example, the user interface 120 may be configured to receive user configured data for entities in the network from a network operator. The user configured data may include IP addresses, host names, geographic locations, departments, functions, a VPN routing/forwarding (VRF) table, or other data for entities in the network. The user interface 120 may be configured to collect the user configured data and store the data in the inventory store 150. - The user interface 120 may also be configured to receive one or more user intent statements. The user intent statements may be received from a network operator, application owner, or other administrator or through another entity via an application programming interface (API). A user intent statement is a high-level expression of one or more network rules that may be translated into a network policy.
- The user interface 120 may pass a received user intent statement to the
intent service 130 where theintent service 130 is configured to format the user intent statements and transform the user intent statement into network policies that may be applied to entities in the network. According to some embodiments, theintent service 130 may be configured to store the user intent statements, either in formatted or non-formatted form, in an intent store. After the user intent statements are translated into network policies, theintent service 130 may store the network policies inpolicy store 155. Thepolicy store 155 is configured to store network policies. The network policies may be high-level platform independent network policies or platform specific policies. In some embodiments, thepolicy store 155 is implemented as a NoSQL database. - The
intent service 130 may also track changes to intent statements and make sure the network policies in the policy store are up-to-date with the intent statements in the intent store. For example, if a user intent statement in the intent store is deleted or changed, theintent service 130 may be configured to located network policies associated with the deleted user intent statement and delete or update the network policies as appropriate. - The
coordinator module 125 is configured to assignnetwork agents 105 to EFEs. For example, thecoordinator 125 may use a sharding technique to balance load and improve efficiency of thenetwork policy platform 110. Thecoordinator 125 may also be configured to determine if an update to the policy store is needed and update the policy store accordingly. Thecoordinator 125 may further be configured to receive data periodically from thenetwork agents 105 via theEFEs 115, store the data in the inventory store 150, and update the inventory store 150 if necessary. -
FIG. 2 is an illustration showing contents of aninventory store 200, in accordance with various embodiments of the subject technology. Theinventory store 200 is configured to contain data and attributes for each network entity managed by the intent drivennetwork policy platform 110. The network entities may include machines (e.g., servers, personal computers, laptops), virtual machines, containers, mobile devices (e.g., tablets or smart phones), smart devices (e.g., set top boxes, smart appliances, smart televisions, internet-of-things devices), or network equipment, among other computing devices. Although theinventory store 200 is implemented as a conventional relational database in this example, other embodiments may utilize other types of databases (e.g., NoSQL, NewSQL, etc.). - The
inventory store 200 may receive user configured data from the user interface 120 and data received from thenetwork agents 105 via theEFEs 115 and store the data in records or entries associated with network entities managed by thenetwork policy platform 110. Each record in theinventory store 200 may include attribute data for a network entity such as one or more entity identifiers (e.g., a host name, IP address, MAC addresses, hash value, etc.), a geographic location, an operating system, a department, interface data, functionality, a list of one or more annotations, file system information, disk mount information, top-of-rack (ToR) location, and a scope. - In some embodiments, the
inventory store 200 may also include entity performance and network enforcement data either together with the attribute data or separately in one or more separate data stores. The performance and network enforcement data may include CPU usage, memory usage, a number of TCP connections, a number of failed connections, a number of network policies, or a number of data packets that have been allowed, dropped, forwarded, or redirected. Theinventory store 200 may include historical performance or enforcement data associated with network entities or metrics calculated based on historical data. - A user intent statement is a high-level expression of that may be translated into one or more network policies. A user intent statement may be composed of one or more filters and at least one action. The filters may include inventory filters that identify network entities on which the action is to be applied and flow filters that identify network data flows on which the action is to be applied.
- For example, if a user wished to identify all network entities located in Mountain View, Calif. (abbreviated MTV in the location column of the inventory store), the inventory filter “Location==MTV” may be used. If a user wished to identify all network entities located in a Research Triangle Park facility in North Carolina (abbreviated RTP in the location column of the inventory store), the inventory filter “Location==RTP” may be used. Inventory filters may also identify relationships between two or more sets of entities (e.g., a union or intersection of sets). For example, if a user wished to identify all network entities located in Mountain View, Calif. and running Windows 8 operating system, the inventory filter “Location==MTV and OS==Windows8” may be used.
- A flow filter identifies network data flows. For example, if a user wished to identify all data flows from network entities in Mountain View to network entities in the Research Triangle Park facility, the following flow filter may be used:
-
Source:Location==MTV Destination:Location==RTP - Each filter may further be defined beforehand and assigned a name for more convenient use. For example, the inventory filter “Location==MTV” may be assigned the name “MTV_entities” and the inventory filter “Location==RTP” may be assigned the name “RTP_entities.” As a result, a user may use the following to achieve the same result as the above example flow filter:
-
Source:MTV_entities Destination:RTP_entities - Different actions may be applied to different filters. For example, actions applicable to inventory filters may include annotation and configuration actions. Annotating actions adds tags or labels to network items in the inventory store or flow data. Annotations may help network operators identify network entities. Configuration actions may be used to configure network entities. For example, some configuration actions may be used to set a CPU quota for certain applications, processes, or virtual machines. Other configuration actions may enable or disable monitoring of certain metrics, collection and transmittal of certain data, or enforcement of certain network policies. Some configuration actions may also be able to enable or disable certain modes within a network entity. For example, some entities may be configured to run in a “high visibility mode” in which most metrics and data (e.g., full time series data) are collected and transmitted to the network policy platform for analysis or in “low visibility mode” in which only a small subset of the available metrics and data are collected and transmitted. Some configuration actions are able to enable or disable these modes.
- Actions applicable to flow filters may include annotation or network enforcement actions. Network enforcement actions include, for example, allowing data packets, dropping data packets, copying data packets, redirecting data packets, encrypting data packets, or load balance across network entities.
- Using the above examples, a user that wishes to drop all data flowing from entities in Mountain View to entities in Research Triangle Park may use the following user intent statement:
-
Source:MTV_entities Destination:RTP_entities Action:Drop - User intent statements may further specify types of communications or communication protocols used, ports used, or use any other filter to identify a network entity or network flow on which to apply an action. For example, if the user only wishes to drop transmission control protocol (TCP) communications out of port 80 for these network entities, the following user intent statement may be used instead:
-
Source:MTV_entities Destination:RTP_entities Action:Drop Protocol:TCP Port:80 - In another example, to disable all incoming connections to network entities running a Windows 8 operating system, a user can utilize the following user intent statement:
-
Source:* Destination:Win8_Filter Action:Drop -
- In the above user intent statement, “Win_Filter” is the name of an inventory filter that includes “OS==Windows8.”
- The example user intent statements above are presented for illustrative purposes. In some embodiments, user intent statements, inventory filters, flow filters, or actions may appear in different formats or even in a natural language format. For example,
FIG. 3 illustrates two example inventory filters, in accordance with various embodiments of the subject technology. Thefirst inventory filter 300 is named “Inventory_Filter_1” and is configured to identify all network entities in the inventory store that run on a Linux operating system and have a VRF ID of 676767. Thesecond inventory filter 350 is named “Inventory_Filter_2” and is configured to identify all network entities in the inventory store that represent the 10.0.0.0/8 and 1.1.11.0/24 subnets. -
FIG. 4 illustrates an example flow filter incorporating two inventory filters, in accordance with various embodiments of the subject technology. Theflow filter 400 is configured to identify TCP data flows between the 10.0.0.0/8 and 11.0.0.1 subnets. Theflow filter 400 further uses twoinventory filters -
FIG. 5 shows anexample process 500 for managing a network using inventory filters, in accordance with various embodiments of the subject technology. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated. Theprocess 500 can be performed by a network, and particularly, a network policy system (e.g., thenetwork policy platform 110 ofFIG. 1 ) or similar system. - At
operation 505, the system may generate an inventory store that includes records for network entities in the network. The records may be created or updated based on configuration data received from a network operator. The configuration data may include various attributes of certain network entities. The attributes may include, for example, an internet protocol (IP) address, a host name, a geographic location, or a department. The configuration data may also include annotations, labels, VPN routing/forwarding (VRF) information, interface information, or any other data that may be used to identify one or more network entities. - The records may further be created, updated, or supplemented with information observed by network agents and reported to the network policy system by the network agents. This information may include operating system information, hostnames, interface information, entity identifiers, policy enforcement information, or data related to entity performance. Policy enforcement information may include a number of policies being enforced, a number of rules being enforced, a number of data packets being allowed, dropped, forwarded, redirected, or copied, or any other data related to the enforcement of network policies. Data related to entity performance may include CPU usage, memory usage, a number of TCP connections, a number of failed connection, applications or processes installed or running, disks that are mounted, or other time series data.
- At
operation 510, the system receives a user intent statement that includes at least one filter and an action. The user intent statement may be received from a network operator, application owner, or other administrator via a user interface or through another party or service via an application program interface (API). The filter may be an inventory filter configured to help identify network entities on which the action is to be applied or a flow filter configured to help identify network data flows on which the action is to be applied. The action may be an enforcement action, a configuration action, or an annotation action. - The system may query the inventory store to identify network entities to which the user intent statement applies at
operation 515. For example, system may query the inventory store using the one or more filters found in the user intent statement to identify network entities that match the conditions of the filters. The filters may include one or more attributes that can be used to narrow down the network entities to only those to which the action is to be applied. The attributes may be, for example, an entity type (e.g., machine, virtual machine, container, process, etc.), an IP subnet, an operating system, or any other information that may be found in the inventory store and used to identify network entities. - At
operation 520, the system generates network policies that apply the action to the network entities identified by the query. According to some embodiments, the network policies for user intent statements that include a flow filter or an enforcement action may be implemented in the form of one or more access control lists (ACLs). In some embodiments, network policies for user intent statements that include an annotation action or configuration action may be implemented in the form of instructions to the network entity or a network agent to implement the actions. - The system then enforces the network policies at
operation 525. According to some embodiments, some network policies may be enforced on the system. However, in some embodiments, the system transmits the network policies to one or more network agents configured to implement the network policies on the network entities. - According to various embodiments of the disclosure, a user or service is able to provide a user intent statement that the system uses to generate multiple network policies. Accordingly, the user need not spend time and resources explicitly crafting each network policy. Instead, the user may specify a reduced number of user intent statements that express the user's network management desires. Furthermore, the user intent statements are more understandable to network operators and application owners and the system is configured to take the user intent statements and translate the statements into network policies that network agents or network entities may use to implement the user's network management desires.
- Some networks may be quite large and include a large number of network entities serving several departments and several functions within those departments. In some cases, more than one network operator may be tasked with managing the network and each network operator may be responsible for certain portions of the network which may or may not overlap. Various embodiments of the subject technology enable network operators to apply user intent statements to network entities (e.g., servers) and network flows that the network operator is authorized to manage, prevent network operators from applying user intent statements to network entities and network flows that the network operator is not authorized to manage, and address conflicting user intent statements if they exist.
- For example, the network policy platform may include a user database that includes entries for each network operator authorized to manage the network. Each entry in the user database may reference a network operator any specify one or more scopes that the network operator is authorized to manage. These scopes may correspond to the one or more scopes associated with a network entity as specified in the network entity's record stored in the inventory store. The scopes may be assigned to the network entity by a network operator as part of the configuration data received by the user interface of the network policy platform. In some embodiments the scopes in the entry associated with a network operator may be tied to a privilege. For example, each privilege that a network operator has (e.g., read, write, modify, create, delete, enforce a network policy, etc.) may be associated with a scope for that privilege.
- According to some embodiments, the scopes may be organized into a hierarchy.
FIG. 6 is a diagram illustrating an example of a scope hierarchy, in accordance with various embodiments of the subject technology. In some embodiments, the hierarchy may mirror an organizational hierarchy or org chart, as is illustrated inFIG. 6 . However, in other embodiments, other organization models or hierarchies may be used. In the simplified example ofFIG. 6 , the organization is split between 3 first tier scopes of human resources (HR), infrastructure (Infra), and finance (Fin). HR is further split between database network entities (HR_DB) and web network entities (HR_Web). Infra is split between production network entities (Infra_Prod) and development network entities (Infra_Dev). Finance is split between database network entities (Fin_DB) and web network entities (Fin_Web). - In some embodiments, a user that is assigned a scope may have permission to manage all child scopes for that scope. For example, if a network operator is assigned the root “Organization” scope, the network operator is able to manage all network entities and flows in the entire organization. If, on the other hand, the network operator is assigned to the “Fin” scope, the network operator is able to manage all network entities and flow associated with the “Fin” scope, i.e., the “Fin_DB” scope, and the “Fin_Web” scope. In other embodiments, a network operator must explicitly be assigned to all scopes that they are authorized to manage and if the scope is not explicitly assigned to the network operator, the network operator is not authorized to manage network entities or flows associated with that scope.
- When the user submits a user intent statement to the network policy platform, the network policy platform may access the user database, locate the user's entry, and identify the one or more scopes that the user is authorized to manage. When the network policy platform queries the inventory store to identify network entities or network flows to which the user intent statement applies, the one or more scopes assigned to the user and to the network entities (e.g., in the scope column of the inventory store) are used to filer the network entities and network flows in order to select only the network entities and network flows that the user is authorized to manage. The network policy platform may then generate network policies that only apply to identified network entities or network flows that the user is authorized to manage.
- In some situations, two or more user intent statements may conflict and apply to the same network entities or network flows. For example, managers may create user intent statements to manage large sets of resources in the network while a lower level network operator may create one or more conflicting user intent statements for the subset of network resources for which they are responsible. In some situations, the manager may want their user intent statements to override the lower level network operator user intent statements, while other times, the manager may want to defer to the lower level network operator with more specific knowledge of the resources they are responsible for and have the network operator's user intent statements override. However, prioritizing the user intent statements and dealing with conflicting user intent statements is difficult and confusing, especially with a large number of network policies and network resources.
- Various embodiments relate to resolving conflicts between user intent statements by using an enforcement hierarchy that includes a user defined order of precedence. When creating user intent statements, a user may specify whether a user intent statement is associated with an “absolute” priority or a “default” priority. A user intent statement assigned an absolute priority is one that the creator wishes to override other conflicting user intent statements that the creator is permitted to override. A user intent statement assigned a default priority may be overridden by other user intent statements. In some embodiments, the different priority levels (e.g., an “absolute” priority or a “default” priority) may be named differently or more than two priority levels may be used. Accordingly, various embodiments allow user intent statements to be processed and enforced based on a priority level.
- According to some embodiments, the network policy platform may also allow a network administrator to set an ordering scopes in which user intent statements directed to network entities or network flows are processed and enforced based on the ordering of the scopes associated with the network entities or network flows. In some embodiments, an ordering of scopes and different priority levels may be used together to process and enforce user intent statements.
- In an illustrative example, a network administrator may set an ordering of scopes to be S1, S2, S3, and S4, where S1 through S4 are scopes. Additionally, some user intent statements may be prioritized as “absolute” or “default.” The network policy platform may process and enforce the user intent statements according to the following order:
-
- 1. Absolute user intent statements directed towards network entities or flows associated with the S1 scope;
- 2. Absolute user intent statements directed towards network entities or flows associated with the S2 scope;
- 3. Absolute user intent statements directed towards network entities or flows associated with the S3 scope;
- 4. Absolute user intent statements directed towards network entities or flows associated with the S4 scope;
- 5. Default user intent statements directed towards network entities or flows associated with the S4 scope;
- 6. Default user intent statements directed towards network entities or flows associated with the S3 scope;
- 7. Default user intent statements directed towards network entities or flows associated with the S2 scope; and
- 8. Default user intent statements directed towards network entities or flows associated with the S1 scope.
- Various embodiments of the subject technology discussed herein relate to a more intuitive way to manage a network and a way to manage the network in a more targeted manner. For example, user intent statements allow users to define network rules in a more understandable manner. These user intent statements may be translated into network policies and stored in a policy store such as
policy store 155 illustrated inFIG. 1 . Depending on the use case, in some cases, the number of network policies may grow to a point at which it is difficult to store and inefficient to process read and write operations. - Various embodiments relate to providing technical solutions to these technical problems. In some embodiments, a distributed file system such as a Hadoop distributed file system (HDFS) may be used to store the network policies. On a HDFS storage implementation, the network policies may be split into a number of large blocks which are then distributed across nodes. The HDFS storage is able to handle very large amounts of data, scalable as additional nodes may be easily added to the framework, and resilient to failure.
- However, searching through an entire HDFS store to find network policies directed to a particular network entity may be cumbersome, time consuming, and resource consuming. Grouping together network policies based on the network entities they act upon and storing those network policies into separate files may be done to increase efficiency, however this may result in a large number of smaller files, which is difficult for HDFS implementations to handle and inefficient as this results in many seek operations and hopping from node to node to retrieve each small file.
- Accordingly, in some embodiments, a network policy platform uses a distributed file system with an index to efficiently handle read and writes to network policies.
FIG. 7 is a conceptual block diagram illustrating an example of apolicy store 775, in accordance with various embodiments of the subject technology. Thepolicy store 775 inFIG. 7 is implemented using anindex 760 and a distributedfile system 765. Theindex 760 may be any type of database such as a NoSQL database like MongoDB™. The distributedfile system 765 may be a Hadoop Distributed File System (HDFS) or any other distributed file system or clustered file system. - The
index 760 inFIG. 7 is configured to store information that allows the network policy system to locate policies associated with particular network entities on the distributedfile system 765. Theindex 760 inFIG. 7 is shown containing one or more entries fornetwork entities 770. Each entry may include a network entity identifier, a file identifier, and an offset. As will be discussed in further detail, the information in the entry allows the network policy system to locate policies associated with particular network entities on the distributedfile system 765. - In some embodiments, network policies may be grouped based on the network entities on which the network policies are to be applied. Each set of network policies applicable to a particular network entity may be stored together in a record for the network entity. The record is then stored in a file in the distributed
file system 765. - Some implementations of distributed file systems operate best with large files. When there are many small files, the performance and efficiency of these distributed file systems may be reduced. Accordingly, in order to maximize the storage space and operating performance, the file may also include records for other network entities. As seen in
FIG. 7 , the distributedfile system 765 may consist of several data blocks. Each data block may include one or more files (e.g., file 775) and each file may include one or more records containing network policies for network entities. According to some embodiments, each data block may include a single file and the file may contain as many records as can fit within the data block, however, the file size is not to exceed the block size for the distributedfile system 765. In some embodiments, if an entire record cannot fit into one file, another file is created and the record is stored in the new file such that network policies for a particular network entity are in the same file and not split among different files. In some embodiments, network policies may be split among separate files. - To access policies for a particular network entity, whether it be to enforce the policies, add policies to the record, remove policies to the record, or update policies, a network policy system identifies an entry for the network entity in the
index 760 using an entity identifier. The entity identifier may be a host name, IP address, a hash value, label, or any other identifying data. In the example shown inFIG. 7 , the entity identifier for the network identifier is “Machine1.” Based on the entry, the network policy system determines a file identifier for a file containing the record for the network entity and an offset indicating a location of the record in the file. The file identifier may be a file name, a label, a hash value, a location, or any other data that may be used to identify a file in the distributed file system. In the example shown inFIG. 7 , the file identifier is the file name “File_XYZ” and the offset is 32 megabytes. - The network policy system uses the file name (“File_XYZ”) to identify the
file 775 where the record for the network entity is located and uses the offset to quickly determine the location of the record for the network entity in the file. The offset allows the network policy system to jump to the desired data instead of needing to read unnecessary portions of thefile 775 in order to find the record. - According to some embodiments, the size of each record may be different and the size of the record may be stored in a specified location so that the network policy system may quickly determine how large the record is and how much data needs to be retrieved in order to retrieve the entire record. In other embodiments, however, records may be the same size and/or a specified location is not used. In some embodiments, the network policy system may jump to the location of the record and read a first portion (e.g., a header portion) of data that contains information regarding the size of the record. The network policy system may read the
header portion 780, determine the size of the record, and retrieve therecord data 785 for use. In other embodiments, the location that contains size information may be in other locations in the file, in the entry stored in the index, or in another location. The record data includes the network policies for the entity and can be viewed or altered. -
FIG. 8 shows an example process for accessing a record in the distributed file system, in accordance with various embodiments of the subject technology. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated. Theprocess 800 can be performed by a network, and particularly, a network policy system (e.g., thenetwork policy platform 110 ofFIG. 1 ) or similar system. - The system may wish to access the record for a network entity in order to enforce network policies located therein, update network policies for the network entity, or for any other reason. At
operation 805, at network policy system may locate, in an index, an entry for a desired network entity. Atoperation 810, the network policy system may read the entry and determine a file identifier for a file containing a record for the network entity and an offset indicating a location of the record in the file atoperation 815. The network policy system may locate the file in a distributed file system using the file identifier atoperation 820 and locate the record in the file using the offset at 825. Atoperation 830, the network policy system retrieves the record. -
FIG. 9 shows an example process for storing a record in the distributed file system, in accordance with various embodiments of the subject technology. It should be understood that, for any process discussed herein, there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated. Theprocess 900 can be performed by a network, and particularly, a network policy system (e.g., thenetwork policy platform 110 ofFIG. 1 ) or similar system. - A network policy system may store a record in the distributed file system after updating an existing record or creating a new record. For example, the network policy system may receive a user intent statement, query an inventory store to identify the network entity to which the user intent statement applies, and generate network policies based on the user intent statement and instructions to update the policies stored in a distributed file system.
- At
operation 905, the network policy system organizes the network policies based on the network entities that they operate on and identifies a set of policies applicable to a particular network entity. Atoperation 910, the network policy system determines if there is an existing record for the network entity in the distributed file system or if a new record needs to be created to store the set of policies. If a record exists and, therefore, a new record does not need to be created, atoperation 915, the network policy system may retrieve the record (as is illustrated in, for example,FIG. 8 ) and update the record with the set of policies. - If no record exists, at
operation 920, the network policy system creates a new record for the network entity and stores the set of policies applicable to the network entity in the record. The network policy system stores the new record in a file in the distributed file system atoperation 925. In some embodiments, the network policy system may determine the size of the record and locate a file in the distributed file system that the record may fit such that the record is not split between two files and the file can fit into the maximum block size of the distributed file system. According to some embodiments, the size of the record may further be stored in a header of the record, in a portion immediately preceding or following the record, or in another location accessible to the network policy system. - At
operation 930, the network policy system stores a file identifier for the file in that the record was stored in and an offset for the location of the record in an entry located in an index database that is separate from the distributed file system. Once the policies are stored in the distributed file system, they may be enforced by the network policy system. For example, atoperation 935, the network policy system may enforce the network policies in the network by, for example, transmitting the record for the network entity to a network agent configured to implement the set of policies on the network entity. -
FIG. 10A andFIG. 10B illustrate systems in accordance with various embodiments. The more appropriate system will be apparent to those of ordinary skill in the art when practicing the various embodiments. Persons of ordinary skill in the art will also readily appreciate that other systems are possible. -
FIG. 10A illustrates an example architecture for a conventionalbus computing system 1000 wherein the components of the system are in electrical communication with each other using abus 1005. Thecomputing system 1000 can include a processing unit (CPU or processor) 1010 and asystem bus 1005 that may couple various system components including thesystem memory 1015, such as read only memory (ROM) in astorage device 1020 and random access memory (RAM) 1025, to theprocessor 1010. Thecomputing system 1000 can include acache 1012 of high-speed memory connected directly with, in close proximity to, or integrated as part of theprocessor 1010. Thecomputing system 1000 can copy data from thememory 1015 and/or thestorage device 1030 to thecache 1012 for quick access by theprocessor 1010. In this way, thecache 1012 can provide a performance boost that avoids processor delays while waiting for data. These and other modules can control or be configured to control theprocessor 1010 to perform various actions.Other system memory 1015 may be available for use as well. Thememory 1015 can include multiple different types of memory with different performance characteristics. Theprocessor 1010 can include any general purpose processor and a hardware module or software module, such asmodule 1 1032,module 2 1034, andmodule 3 1036 stored instorage device 1030, configured to control theprocessor 1010 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. Theprocessor 1010 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric. - To enable user interaction with the
computing system 1000, aninput device 1045 can represent any number of input mechanisms, such as a microphone for speech, a touch-protected screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth. Anoutput device 1035 can also be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input to communicate with thecomputing system 1000. Thecommunications interface 1040 can govern and manage the user input and system output. There may be no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed. -
Storage device 1030 can be a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 1025, read only memory (ROM) 1020, and hybrids thereof. - The
storage device 1030 can includesoftware modules processor 1010. Other hardware or software modules are contemplated. Thestorage device 1030 can be connected to thesystem bus 1005. In one aspect, a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as theprocessor 1010,bus 1005,output device 1035, and so forth, to carry out the function. -
FIG. 10B illustrates an example architecture for a conventionalchipset computing system 1050 that can be used in accordance with an embodiment. Thecomputing system 1050 can include aprocessor 1055, representative of any number of physically and/or logically distinct resources capable of executing software, firmware, and hardware configured to perform identified computations. Theprocessor 1055 can communicate with achipset 1060 that can control input to and output from theprocessor 1055. In this example, thechipset 1060 can output information to anoutput device 1065, such as a display, and can read and write information tostorage device 1070, which can include magnetic media, and solid state media, for example. Thechipset 1060 can also read data from and write data toRAM 1075. Abridge 1080 for interfacing with a variety ofuser interface components 1085 can be provided for interfacing with thechipset 1060. Theuser interface components 1085 can include a keyboard, a microphone, touch detection and processing circuitry, a pointing device, such as a mouse, and so on. Inputs to thecomputing system 1050 can come from any of a variety of sources, machine generated and/or human generated. - The
chipset 1060 can also interface with one ormore communication interfaces 1090 that can have different physical interfaces. The communication interfaces 1090 can include interfaces for wired and wireless LANs, for broadband wireless networks, as well as personal area networks. Some applications of the methods for generating, displaying, and using the GUI disclosed herein can include receiving ordered datasets over the physical interface or be generated by the machine itself byprocessor 1055 analyzing data stored in thestorage device 1070 or theRAM 1075. Further, thecomputing system 1000 can receive inputs from a user via theuser interface components 1085 and execute appropriate functions, such as browsing functions by interpreting these inputs using theprocessor 1055. - It will be appreciated that
computing systems processor - For clarity of explanation, in some instances the various embodiments may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.
- In some embodiments the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
- Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
- Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
- The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
- Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims.
Claims (1)
1. A method comprising:
receiving a user intent statement including an action that is capable of being performed in a network environment through one or more network policies for the network environment;
querying an inventory store to identify a network entity associated with the user intent statement;
generating the one or more network policies that apply the action to the network entity based on the action included in the user intent statement; and
enforcing the one or more network policies on the network entity.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/314,025 US20230283520A1 (en) | 2017-03-27 | 2023-05-08 | Intent driven network policy platform |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/470,410 US10594560B2 (en) | 2017-03-27 | 2017-03-27 | Intent driven network policy platform |
US16/820,404 US11146454B2 (en) | 2017-03-27 | 2020-03-16 | Intent driven network policy platform |
US17/482,411 US11646940B2 (en) | 2017-03-27 | 2021-09-22 | Intent driven network policy platform |
US18/314,025 US20230283520A1 (en) | 2017-03-27 | 2023-05-08 | Intent driven network policy platform |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/482,411 Continuation US11646940B2 (en) | 2017-03-27 | 2021-09-22 | Intent driven network policy platform |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230283520A1 true US20230283520A1 (en) | 2023-09-07 |
Family
ID=63581246
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/470,410 Active 2037-06-18 US10594560B2 (en) | 2017-03-27 | 2017-03-27 | Intent driven network policy platform |
US16/820,404 Active US11146454B2 (en) | 2017-03-27 | 2020-03-16 | Intent driven network policy platform |
US17/482,411 Active US11646940B2 (en) | 2017-03-27 | 2021-09-22 | Intent driven network policy platform |
US18/314,025 Pending US20230283520A1 (en) | 2017-03-27 | 2023-05-08 | Intent driven network policy platform |
Family Applications Before (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/470,410 Active 2037-06-18 US10594560B2 (en) | 2017-03-27 | 2017-03-27 | Intent driven network policy platform |
US16/820,404 Active US11146454B2 (en) | 2017-03-27 | 2020-03-16 | Intent driven network policy platform |
US17/482,411 Active US11646940B2 (en) | 2017-03-27 | 2021-09-22 | Intent driven network policy platform |
Country Status (1)
Country | Link |
---|---|
US (4) | US10594560B2 (en) |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11128520B2 (en) * | 2018-08-31 | 2021-09-21 | Tata Communications Transformation Services (US) Inc. | System and method for real-time network engineering control |
US11038889B2 (en) | 2018-11-20 | 2021-06-15 | Cisco Technology, Inc. | System and method for migrating existing access control list policies to intent based policies and vice versa |
US11159384B2 (en) | 2019-04-30 | 2021-10-26 | Hewlett Packard Enterprise Development Lp | Runtime monitoring in intent-based networking |
CN110765759B (en) * | 2019-10-21 | 2023-05-19 | 普信恒业科技发展(北京)有限公司 | Intention recognition method and device |
CN113055206B (en) * | 2019-12-27 | 2022-06-17 | 中国电信股份有限公司 | Method, device and storage medium for service configuration of network based on intention |
CN111277442B (en) * | 2020-01-21 | 2023-04-07 | 赣江新区智慧物联研究院有限公司 | Management method, device and system of wireless intention driven network |
WO2021164878A1 (en) * | 2020-02-20 | 2021-08-26 | Nokia Solutions And Networks Oy | Intent specification for automated control of communication networks |
US11336504B2 (en) | 2020-08-24 | 2022-05-17 | Juniper Networks, Inc. | Intent-based distributed alarm service |
CN112565193B (en) * | 2020-11-06 | 2021-12-28 | 西安电子科技大学 | Network security policy conflict resolution method, system, storage medium and equipment |
US11799725B2 (en) * | 2020-12-22 | 2023-10-24 | Nokia Solutions And Networks Oy | Intent-based networking using reconstruction of intents |
US20220197728A1 (en) * | 2020-12-22 | 2022-06-23 | Nokia Solutions And Networks Oy | Intent-based networking using partitioning for scalability |
WO2022165723A1 (en) * | 2021-02-04 | 2022-08-11 | 华为技术有限公司 | Communication method and apparatus |
WO2022267070A1 (en) | 2021-06-26 | 2022-12-29 | Huawei Technologies Co., Ltd. | Devices and methods for supporting intent driven networking |
CN114172814B (en) * | 2021-10-23 | 2023-02-07 | 西安电子科技大学 | Method for constructing intention-driven satellite network resource management triple-cooperation model and application |
CN114513404B (en) * | 2021-12-30 | 2023-11-03 | 网络通信与安全紫金山实验室 | Method and device for configuring time-sensitive network and computer-readable storage medium |
CN115484166B (en) * | 2022-08-30 | 2024-04-19 | 海尔优家智能科技(北京)有限公司 | Method and device for backing up configuration information, server and storage medium |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180152884A1 (en) * | 2016-11-30 | 2018-05-31 | At&T Intellectual Property I, L.P. | Intent-based service engine for a 5g or other next generation mobile core network |
Family Cites Families (636)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5086385A (en) | 1989-01-31 | 1992-02-04 | Custom Command Systems | Expandable home automation system |
US5400246A (en) | 1989-05-09 | 1995-03-21 | Ansan Industries, Ltd. | Peripheral data acquisition, monitor, and adaptive control system via personal computer |
DE69132280T2 (en) | 1990-09-17 | 2001-01-18 | Cabletron Systems Inc | System and method for modeling a computer network |
US5319754A (en) | 1991-10-03 | 1994-06-07 | Compaq Computer Corporation | Data transfer system between a computer and a host adapter using multiple arrays |
US6850252B1 (en) | 1999-10-05 | 2005-02-01 | Steven M. Hoffberg | Intelligent electronic appliance system and method |
EP0592079A2 (en) | 1992-09-20 | 1994-04-13 | Sun Microsystems, Inc. | Automated software installation and operating environment configuration on a computer system |
US5742829A (en) | 1995-03-10 | 1998-04-21 | Microsoft Corporation | Automatic software installation on heterogeneous networked client computer systems |
IT1285179B1 (en) | 1995-04-24 | 1998-06-03 | Motorola Inc | PROCEDURE AND APPARATUS FOR THE CONTROL OF SENSITIVE ADDRESSING FOR COMMUNICATIONS SYSTEMS. |
US5726644A (en) | 1995-06-30 | 1998-03-10 | Philips Electronics North America Corporation | Lighting control system with packet hopping communication |
US5822731A (en) | 1995-09-15 | 1998-10-13 | Infonautics Corporation | Adjusting a hidden Markov model tagger for sentence fragments |
US6249241B1 (en) | 1995-09-21 | 2001-06-19 | The United States Of America As Represented By The Secretary Of The Navy | Marine vessel traffic system |
US5831848A (en) | 1995-11-17 | 1998-11-03 | Phoenix Controls Corporation | Distributed environmental process control system |
US6151643A (en) | 1996-06-07 | 2000-11-21 | Networks Associates, Inc. | Automatic updating of diverse software products on multiple client computer systems by downloading scanning application to client computer and generating software list on client computer |
US6144962A (en) | 1996-10-15 | 2000-11-07 | Mercury Interactive Corporation | Visualization of web sites and hierarchical data structures |
US5964841A (en) | 1997-03-03 | 1999-10-12 | Cisco Technology, Inc. | Technique for handling forwarding transients with link state routing protocol |
US6247058B1 (en) | 1998-03-30 | 2001-06-12 | Hewlett-Packard Company | Method and apparatus for processing network packets using time stamps |
US6141595A (en) | 1998-04-03 | 2000-10-31 | Johnson Controls Technology Company | Common object architecture supporting application-centric building automation systems |
US6012096A (en) | 1998-04-23 | 2000-01-04 | Microsoft Corporation | Method and system for peer-to-peer network latency measurement |
US6185566B1 (en) | 1998-05-05 | 2001-02-06 | Robert A. Adams | Network management system having an embedded network database |
WO1999059059A1 (en) | 1998-05-13 | 1999-11-18 | Glaxo Group Limited | Remote installation of computer operating systems |
US6157955A (en) | 1998-06-15 | 2000-12-05 | Intel Corporation | Packet processing system including a policy engine having a classification unit |
US6353775B1 (en) | 1998-07-28 | 2002-03-05 | Honeywell International Inc. | Multiple instance single value identifiers environmental control communication method and system |
US6628304B2 (en) | 1998-12-09 | 2003-09-30 | Cisco Technology, Inc. | Method and apparatus providing a graphical user interface for representing and navigating hierarchical networks |
US20070162420A1 (en) | 2004-01-21 | 2007-07-12 | Oracle International Corporation | Techniques for automatically discovering a database device on a network |
US6330562B1 (en) | 1999-01-29 | 2001-12-11 | International Business Machines Corporation | System and method for managing security objects |
US6484315B1 (en) | 1999-02-01 | 2002-11-19 | Cisco Technology, Inc. | Method and system for dynamically distributing updates in a network |
US6239699B1 (en) | 1999-03-03 | 2001-05-29 | Lucent Technologies Inc. | Intelligent alarm filtering in a telecommunications network |
US8272875B1 (en) * | 1999-03-09 | 2012-09-25 | Realityworks, Inc. | Educational device for simulating addictive behavior and method of using |
US6546420B1 (en) | 1999-03-31 | 2003-04-08 | Cisco Technology, Inc. | Aggregating information about network message flows |
US6801878B1 (en) | 1999-04-08 | 2004-10-05 | George Mason University | System and method for managing sensors of a system |
US8179809B1 (en) | 1999-08-23 | 2012-05-15 | Oracle America, Inc. | Approach for allocating resources to an apparatus based on suspendable resource requirements |
US6611896B1 (en) | 1999-08-25 | 2003-08-26 | Emc Corporation | Dynamic mirror service policy with seek adjustment in a non-physical mirrored storage environment |
AU1075101A (en) | 1999-10-05 | 2001-05-10 | Ejasent Inc. | Virtual resource id mapping |
US7484008B1 (en) | 1999-10-06 | 2009-01-27 | Borgia/Cummins, Llc | Apparatus for vehicle internetworks |
US6728779B1 (en) | 1999-12-01 | 2004-04-27 | Lucent Technologies Inc. | Method and apparatus for exchanging routing information in a packet-based data network |
GB2357390B (en) | 1999-12-16 | 2002-09-25 | 3Com Corp | Ethernet units adapted for loop configuration and method of operating same |
US7203740B1 (en) | 1999-12-22 | 2007-04-10 | Intel Corporation | Method and apparatus for allowing proprietary forwarding elements to interoperate with standard control elements in an open architecture for network devices |
US6871284B2 (en) | 2000-01-07 | 2005-03-22 | Securify, Inc. | Credential/condition assertion verification optimization |
US7120934B2 (en) | 2000-03-30 | 2006-10-10 | Ishikawa Mark M | System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network |
EP1146766A1 (en) | 2000-04-11 | 2001-10-17 | Alcatel | Connection control module |
US7024468B1 (en) | 2000-04-27 | 2006-04-04 | Hewlett-Packard Development Company, L.P. | Internet usage data recording system and method with configurable data collector system |
US6847993B1 (en) | 2000-05-31 | 2005-01-25 | International Business Machines Corporation | Method, system and program products for managing cluster configurations |
US6925490B1 (en) | 2000-05-31 | 2005-08-02 | International Business Machines Corporation | Method, system and program products for controlling system traffic of a clustered computing environment |
US6816461B1 (en) | 2000-06-16 | 2004-11-09 | Ciena Corporation | Method of controlling a network element to aggregate alarms and faults of a communications network |
US7693976B2 (en) | 2000-07-11 | 2010-04-06 | Ciena Corporation | Granular management of network resources |
US20020103793A1 (en) | 2000-08-02 | 2002-08-01 | Daphne Koller | Method and apparatus for learning probabilistic relational models having attribute and link uncertainty and for performing selectivity estimation using probabilistic relational models |
US7181769B1 (en) | 2000-08-25 | 2007-02-20 | Ncircle Network Security, Inc. | Network security system having a device profiler communicatively coupled to a traffic monitor |
US9800608B2 (en) | 2000-09-25 | 2017-10-24 | Symantec Corporation | Processing data flows with a data flow processor |
US8010469B2 (en) | 2000-09-25 | 2011-08-30 | Crossbeam Systems, Inc. | Systems and methods for processing data flows |
US7080161B2 (en) | 2000-10-17 | 2006-07-18 | Avaya Technology Corp. | Routing information exchange |
US20030097439A1 (en) | 2000-10-23 | 2003-05-22 | Strayer William Timothy | Systems and methods for identifying anomalies in network data streams |
US8875116B2 (en) | 2000-11-17 | 2014-10-28 | Hewlett-Packard Development Company, L.P. | Network for updating firmware and / or software in wireless communication devices |
US7133923B2 (en) | 2000-12-11 | 2006-11-07 | Acme Packet, Inc. | System and method for assisting in controlling real-time transport protocol flow through multiple networks via screening |
US6973023B1 (en) | 2000-12-30 | 2005-12-06 | Cisco Technology, Inc. | Method for routing information over a network employing centralized control |
US7065569B2 (en) | 2001-01-09 | 2006-06-20 | Turin Networks, Inc. | System and method for remote traffic management in a communication network |
US20040213221A1 (en) | 2001-01-16 | 2004-10-28 | Seyhan Civanlar | System and method for soft bandwidth |
US6938122B2 (en) | 2001-01-23 | 2005-08-30 | Emc Corporation | Remote mirroring in a switched environment |
US7444404B2 (en) | 2001-02-05 | 2008-10-28 | Arbor Networks, Inc. | Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses |
FI20010596A0 (en) | 2001-03-22 | 2001-03-22 | Ssh Comm Security Oyj | Security system for a data communication network |
US7139242B2 (en) | 2001-03-28 | 2006-11-21 | Proficient Networks, Inc. | Methods, apparatuses and systems facilitating deployment, support and configuration of network routing policies |
US7096273B1 (en) | 2001-04-25 | 2006-08-22 | Cisco Technology, Inc. | DHCP over mobile IP |
US20030023601A1 (en) | 2001-05-08 | 2003-01-30 | Fortier Joseph W. | System and method for intercommunication among disparate communication networks |
US6738933B2 (en) | 2001-05-09 | 2004-05-18 | Mercury Interactive Corporation | Root cause analysis of server system performance degradations |
US6525658B2 (en) | 2001-06-11 | 2003-02-25 | Ensco, Inc. | Method and device for event detection utilizing data from a multiplicity of sensor sources |
US7162643B1 (en) | 2001-06-15 | 2007-01-09 | Informatica Corporation | Method and system for providing transfer of analytic application data over a network |
WO2003003210A2 (en) | 2001-06-27 | 2003-01-09 | Arbor Networks | Method and system for monitoring control signal traffic over a computer network |
US6958998B2 (en) | 2001-07-09 | 2005-10-25 | International Business Machines Corporation | Traffic management in packet-based networks |
US7540031B2 (en) | 2001-08-01 | 2009-05-26 | Mcafee, Inc. | Wireless architecture with malware scanning component manager and associated API |
US9836424B2 (en) | 2001-08-24 | 2017-12-05 | Intel Corporation | General input/output architecture, protocol and related methods to implement flow control |
US7111055B2 (en) | 2001-08-30 | 2006-09-19 | Sun Microsystems, Inc. | Method and apparatus to facilitate automated software installation on remote computers over a network |
US7633942B2 (en) | 2001-10-15 | 2009-12-15 | Avaya Inc. | Network traffic generation and monitoring systems and methods for their use in testing frameworks for determining suitability of a network for target applications |
AU2002351911A1 (en) | 2001-11-07 | 2003-05-19 | Harald Kuck | Providing isolation through process attachable virtual machines |
US7603440B1 (en) | 2001-11-09 | 2009-10-13 | Persystent Technology Corporation | System and method for management of end user computing devices |
US7437762B2 (en) | 2001-11-29 | 2008-10-14 | International Business Machines Corporation | Method, computer program element and a system for processing alarms triggered by a monitoring system |
US6996817B2 (en) | 2001-12-12 | 2006-02-07 | Valve Corporation | Method and system for upgrading and rolling back versions |
US20030126242A1 (en) | 2001-12-28 | 2003-07-03 | Chang Albert H. | Network boot system and method using remotely-stored, client-specific boot images created from shared, base snapshot image |
US20030151513A1 (en) | 2002-01-10 | 2003-08-14 | Falk Herrmann | Self-organizing hierarchical wireless network for surveillance and control |
JP3963728B2 (en) | 2002-01-22 | 2007-08-22 | 富士通株式会社 | Spanning tree bypass method and apparatus |
US7743415B2 (en) | 2002-01-31 | 2010-06-22 | Riverbed Technology, Inc. | Denial of service attacks characterization |
US7349761B1 (en) | 2002-02-07 | 2008-03-25 | Cruse Mike B | System and method for distributed facility management and operational control |
US8370936B2 (en) | 2002-02-08 | 2013-02-05 | Juniper Networks, Inc. | Multi-method gateway-based network security systems and methods |
US7693947B2 (en) | 2002-03-08 | 2010-04-06 | Mcafee, Inc. | Systems and methods for graphically displaying messaging traffic |
US7346672B2 (en) | 2002-03-12 | 2008-03-18 | Hewlett-Packard Development Company, L.P. | Automatic TFTP firmware download |
US20040243533A1 (en) | 2002-04-08 | 2004-12-02 | Wsi Corporation | Method for interactively creating real-time visualizations of traffic information |
US7747729B2 (en) | 2002-06-14 | 2010-06-29 | Hanoch Levy | Determining client latencies over a network |
US7337206B1 (en) | 2002-07-15 | 2008-02-26 | Network Physics | Method for detecting congestion in internet traffic |
EP1383261A1 (en) | 2002-07-15 | 2004-01-21 | Alcatel | Protection method and system for traffic of different service classes |
JP2004056604A (en) | 2002-07-23 | 2004-02-19 | Fujitsu Ltd | Network operation supervisory device |
US6983323B2 (en) | 2002-08-12 | 2006-01-03 | Tippingpoint Technologies, Inc. | Multi-level packet screening with dynamically selected filtering criteria |
US7185103B1 (en) | 2002-09-10 | 2007-02-27 | Juniper Networks, Inc. | Rate-controlled transmission of traffic flow information |
US7370092B2 (en) | 2002-09-12 | 2008-05-06 | Computer Sciences Corporation | System and method for enhanced software updating and revision |
US8407798B1 (en) | 2002-10-01 | 2013-03-26 | Skybox Secutiry Inc. | Method for simulation aided security event management |
US8191136B2 (en) | 2002-11-04 | 2012-05-29 | Riverbed Technology, Inc. | Connection based denial of service detection |
US7340674B2 (en) | 2002-12-16 | 2008-03-04 | Xerox Corporation | Method and apparatus for normalizing quoting styles in electronic mail messages |
US9818136B1 (en) | 2003-02-05 | 2017-11-14 | Steven M. Hoffberg | System and method for determining contingent relevance |
EP1450511A1 (en) | 2003-02-18 | 2004-08-25 | Alcatel | Device and method for simulating network traffic treatments of a network using policy rules |
WO2004084471A2 (en) | 2003-03-19 | 2004-09-30 | Home Data Source, Llc | Relative timing mechanism for event sequencing without clock synchronization |
US7360072B1 (en) | 2003-03-28 | 2008-04-15 | Cisco Technology, Inc. | iSCSI system OS boot configuration modification |
US8171551B2 (en) | 2003-04-01 | 2012-05-01 | Mcafee, Inc. | Malware detection using external call characteristics |
US7895649B1 (en) | 2003-04-04 | 2011-02-22 | Raytheon Company | Dynamic rule generation for an enterprise intrusion detection system |
US8209680B1 (en) | 2003-04-11 | 2012-06-26 | Vmware, Inc. | System and method for disk imaging on diverse computers |
US7317693B1 (en) | 2003-05-12 | 2008-01-08 | Sourcefire, Inc. | Systems and methods for determining the network topology of a network |
US7281126B2 (en) | 2003-05-30 | 2007-10-09 | Sun Microsystems, Inc. | Method of installing an image on a client over a network securely using a wanboot binary and a kernel to install the image |
US7420931B2 (en) | 2003-06-05 | 2008-09-02 | Nvidia Corporation | Using TCP/IP offload to accelerate packet filtering |
US7827602B2 (en) | 2003-06-30 | 2010-11-02 | At&T Intellectual Property I, L.P. | Network firewall host application identification and authentication |
US8296847B2 (en) | 2003-07-25 | 2012-10-23 | Hewlett-Packard Development Company, L.P. | Method of managing utilization of network intrusion detection systems in a dynamic data center |
US7266754B2 (en) | 2003-08-14 | 2007-09-04 | Cisco Technology, Inc. | Detecting network denial of service attacks |
US7568107B1 (en) | 2003-08-20 | 2009-07-28 | Extreme Networks, Inc. | Method and system for auto discovery of authenticator for network login |
US7522596B2 (en) | 2003-08-25 | 2009-04-21 | Alcatel Lucent | Enhanced DVMRP for destination-based forwarding of multicast data |
US7483384B2 (en) | 2003-09-22 | 2009-01-27 | Hewlett-Packard Development Company, L.P. | System and method for monitoring network traffic |
WO2005031659A2 (en) * | 2003-09-25 | 2005-04-07 | Gary Williams Retail Solutions, Inc. | Money dispensing system |
WO2005034446A1 (en) | 2003-10-03 | 2005-04-14 | Fujitsu Limited | Network system based on policy rule |
US20050198629A1 (en) | 2003-10-10 | 2005-09-08 | Vipul Vishwanath | Method and system for provisioning servers based on a policy and rule hierarchy |
US20050177829A1 (en) | 2003-10-10 | 2005-08-11 | Vipul Vishwanath | Method of applying constraints against discovered attributes in provisioning computers |
US8560671B1 (en) | 2003-10-23 | 2013-10-15 | Netapp, Inc. | Systems and methods for path-based management of virtual servers in storage network environments |
US20050108331A1 (en) | 2003-10-31 | 2005-05-19 | Osterman Lawrence W. | Presence tracking for datagram based protocols with search |
US7885197B2 (en) | 2003-11-17 | 2011-02-08 | Intel Corporation | System and method for measuring per node packet loss in a wireless network |
CA2547630A1 (en) | 2003-11-26 | 2005-06-16 | Hewlett-Packard Development Company, L.P. | System and method for management and installation of operating system images for computers |
US7975035B2 (en) | 2003-12-01 | 2011-07-05 | International Business Machines Corporation | Method and apparatus to support application and network awareness of collaborative applications using multi-attribute clustering |
US7385605B2 (en) | 2003-12-04 | 2008-06-10 | International Business Machines Corporation | Computer display system for dynamically modifying stacked area line graphs to change the order or presence of a set of stacked areas in the graph respectively representative of the proportions contributed to a total by each of a set of time dependent variables |
US20050138157A1 (en) * | 2003-12-23 | 2005-06-23 | Ken-Ju Jung | Network device discovery system and method thereof |
US7930540B2 (en) | 2004-01-22 | 2011-04-19 | Mcafee, Inc. | Cryptographic policy enforcement |
WO2005079534A2 (en) | 2004-02-19 | 2005-09-01 | Georgia Tech Research Corporation | Systems and methods for parallel communication |
US8990430B2 (en) | 2004-02-19 | 2015-03-24 | Cisco Technology, Inc. | Interface bundles in virtual network devices |
US7466681B2 (en) | 2004-03-19 | 2008-12-16 | Nortel Networks Limited | Method and apparatus for sensor network routing |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
EP1589716A1 (en) | 2004-04-20 | 2005-10-26 | Ecole Polytechnique Fédérale de Lausanne (EPFL) | Method of detecting anomalous behaviour in a computer network |
US7484237B2 (en) | 2004-05-13 | 2009-01-27 | Hewlett-Packard Development Company, L.P. | Method and apparatus for role-based security policy management |
US7961637B2 (en) | 2004-06-07 | 2011-06-14 | Spirent Communications Of Rockville, Inc. | Method and apparatus for monitoring latency, jitter, packet throughput and packet loss ratio between two points on a network |
US20050289244A1 (en) | 2004-06-28 | 2005-12-29 | Himansu Sahu | Method for service chaining in a communication network |
KR100608821B1 (en) | 2004-07-22 | 2006-08-08 | 엘지전자 주식회사 | A method and a apparatus of measuring round trip delay time for mobile phone |
EP1771998B1 (en) | 2004-07-23 | 2015-04-15 | Citrix Systems, Inc. | Systems and methods for optimizing communications between network nodes |
US20070195794A1 (en) | 2004-08-11 | 2007-08-23 | Nec Corporation | Virtual lan system and node device |
US8572734B2 (en) | 2004-08-12 | 2013-10-29 | Verizon Patent And Licensing Inc. | Geographical intrusion response prioritization mapping through authentication and flight data correlation |
US7475424B2 (en) | 2004-09-02 | 2009-01-06 | International Business Machines Corporation | System and method for on-demand dynamic control of security policies/rules by a client computing device |
US7490235B2 (en) | 2004-10-08 | 2009-02-10 | International Business Machines Corporation | Offline analysis of packets |
US7760653B2 (en) | 2004-10-26 | 2010-07-20 | Riverbed Technology, Inc. | Stackable aggregation for connection based anomaly detection |
US7644438B1 (en) | 2004-10-27 | 2010-01-05 | Arcsight, Inc. | Security event aggregation at software agent |
US7610375B2 (en) | 2004-10-28 | 2009-10-27 | Cisco Technology, Inc. | Intrusion detection in a data center environment |
US7681131B1 (en) | 2004-11-10 | 2010-03-16 | InternetPerils, Inc. | Method and apparatus for aggregating, condensing, supersetting, and displaying network topology and performance data |
US9489496B2 (en) | 2004-11-12 | 2016-11-08 | Apple Inc. | Secure software updates |
US7496575B2 (en) | 2004-11-22 | 2009-02-24 | Verdasys, Inc. | Application instrumentation and monitoring |
US9160755B2 (en) | 2004-12-21 | 2015-10-13 | Mcafee, Inc. | Trusted communication network |
US20060173912A1 (en) | 2004-12-27 | 2006-08-03 | Eric Lindvall | Automated deployment of operating system and data space to a server |
US7395195B2 (en) | 2004-12-27 | 2008-07-01 | Sap Aktiengesellschaft | Sensor network modeling and deployment |
US7398382B2 (en) | 2004-12-29 | 2008-07-08 | Intel Corporation | Method and apparatus to enhance platform boot efficiency |
US7657942B2 (en) | 2005-01-11 | 2010-02-02 | International Business Machines Corporation | Method of assuring enterprise security standards compliance |
US7729284B2 (en) | 2005-01-19 | 2010-06-01 | Emulex Design & Manufacturing Corporation | Discovery and configuration of devices across an Ethernet interface |
US7657536B2 (en) | 2005-02-28 | 2010-02-02 | International Business Machines Corporation | Application of resource-dependent policies to managed resources in a distributed computing system |
US7808897B1 (en) | 2005-03-01 | 2010-10-05 | International Business Machines Corporation | Fast network security utilizing intrusion prevention systems |
US8589530B2 (en) | 2005-03-28 | 2013-11-19 | Riverbed Technology, Inc. | Method and system for managing a distributed network of network monitoring devices |
US20060274659A1 (en) | 2005-05-06 | 2006-12-07 | Battelle Memorial Institute | Method and system for generating synthetic digital network traffic |
US20070097976A1 (en) | 2005-05-20 | 2007-05-03 | Wood George D | Suspect traffic redirection |
US20060272018A1 (en) | 2005-05-27 | 2006-11-30 | Mci, Inc. | Method and apparatus for detecting denial of service attacks |
US7609625B2 (en) | 2005-07-06 | 2009-10-27 | Fortinet, Inc. | Systems and methods for detecting and preventing flooding attacks in a network environment |
US7580351B2 (en) | 2005-07-12 | 2009-08-25 | Cisco Technology, Inc | Dynamically controlling the rate and internal priority of packets destined for the control plane of a routing device |
US7874001B2 (en) | 2005-07-15 | 2011-01-18 | Microsoft Corporation | Detecting user-mode rootkits |
US9871767B2 (en) | 2005-07-18 | 2018-01-16 | Mutualink, Inc. | Enabling ad hoc trusted connections among enclaved communication communities |
US7567805B2 (en) | 2005-08-01 | 2009-07-28 | Cisco Technology, Inc. | Method and system for dynamic assignment of wireless LAN access point identity |
KR100716620B1 (en) | 2005-08-17 | 2007-05-09 | 고려대학교 산학협력단 | Apparatus and method for monitoring network using the parallel coordinate system |
US8429630B2 (en) | 2005-09-15 | 2013-04-23 | Ca, Inc. | Globally distributed utility computing cloud |
US8001610B1 (en) | 2005-09-28 | 2011-08-16 | Juniper Networks, Inc. | Network defense system utilizing endpoint health indicators and user identity |
US20110314148A1 (en) | 2005-11-12 | 2011-12-22 | LogRhythm Inc. | Log collection, structuring and processing |
US7930752B2 (en) | 2005-11-18 | 2011-04-19 | Nexthink S.A. | Method for the detection and visualization of anomalous behaviors in a computer network |
EP1788752A1 (en) | 2005-11-21 | 2007-05-23 | Alcatel Lucent | Network node with control plane processor overload protection |
US7600005B2 (en) | 2005-11-23 | 2009-10-06 | Sun Microsystems, Inc. | Method and apparatus for provisioning heterogeneous operating systems onto heterogeneous hardware systems |
WO2007070711A2 (en) | 2005-12-15 | 2007-06-21 | Malloy Patrick J | Interactive network monitoring and analysis |
KR100772394B1 (en) | 2006-02-09 | 2007-11-01 | 삼성전자주식회사 | Method and apparatus for updating ant-reply window of IPSec |
US20070195729A1 (en) | 2006-02-17 | 2007-08-23 | Hongbing Li | System and method for self-configuring adaptive wireless router network |
US7873025B2 (en) | 2006-02-23 | 2011-01-18 | Cisco Technology, Inc. | Network device that determines application-level network latency by monitoring option values in a transport layer message |
JP4634320B2 (en) | 2006-02-28 | 2011-02-16 | 株式会社日立製作所 | Device and network system for anti-abnormal communication protection |
US8266697B2 (en) | 2006-03-04 | 2012-09-11 | 21St Century Technologies, Inc. | Enabling network intrusion detection by representing network activity in graphical form utilizing distributed data sensors to detect and transmit activity data |
US7546450B2 (en) | 2006-03-07 | 2009-06-09 | Sun Microsystems, Inc. | Method and apparatus for operating system deployment |
GB2435980A (en) | 2006-03-09 | 2007-09-12 | Agilent Technologies Inc | Optimizing routing of demands in a network |
US7530105B2 (en) | 2006-03-21 | 2009-05-05 | 21St Century Technologies, Inc. | Tactical and strategic attack detection and prediction |
US7610330B1 (en) | 2006-03-30 | 2009-10-27 | Packeteer, Inc. | Multi-dimensional computation distribution in a packet processing device having multiple processing architecture |
US20070230415A1 (en) | 2006-03-31 | 2007-10-04 | Symbol Technologies, Inc. | Methods and apparatus for cluster management using a common configuration file |
KR20070099201A (en) | 2006-04-03 | 2007-10-09 | 삼성전자주식회사 | Method of security management for mobile wireless device and apparatus for security management using the same |
US20080082662A1 (en) | 2006-05-19 | 2008-04-03 | Richard Dandliker | Method and apparatus for controlling access to network resources based on reputation |
US8966018B2 (en) | 2006-05-19 | 2015-02-24 | Trapeze Networks, Inc. | Automated network device configuration and network deployment |
US8429746B2 (en) | 2006-05-22 | 2013-04-23 | Neuraliq, Inc. | Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems |
US7873074B1 (en) | 2006-06-01 | 2011-01-18 | Avaya Inc. | Adaptive selection of bandwidth parameters to meet a service provider pricing model |
US7592906B1 (en) | 2006-06-05 | 2009-09-22 | Juniper Networks, Inc. | Network policy evaluation |
US7783457B2 (en) | 2006-06-15 | 2010-08-24 | Oracle America, Inc. | Sensor localization using lateral inhibition |
KR100799302B1 (en) | 2006-06-21 | 2008-01-29 | 한국전자통신연구원 | A system and method for detection of a hidden process using system event |
US8239915B1 (en) | 2006-06-30 | 2012-08-07 | Symantec Corporation | Endpoint management using trust rating data |
US8365286B2 (en) | 2006-06-30 | 2013-01-29 | Sophos Plc | Method and system for classification of software using characteristics and combinations of such characteristics |
US8151337B2 (en) | 2006-06-30 | 2012-04-03 | Microsoft Corporation | Applying firewalls to virtualized environments |
US7894434B2 (en) | 2006-07-03 | 2011-02-22 | Hewlett-Packard Development Company, L.P. | Method, apparatus, and system for capturing traffic statistics between two sites of MPLS based VPN |
US7748000B2 (en) | 2006-07-27 | 2010-06-29 | International Business Machines Corporation | Filtering a list of available install items for an install program based on a consumer's install policy |
JP4126707B2 (en) | 2006-07-28 | 2008-07-30 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Technology for analyzing the state of information systems |
US7788250B2 (en) * | 2006-08-04 | 2010-08-31 | Mohammad Salman | Flexible request and response communications interfaces |
US7957934B2 (en) | 2007-05-15 | 2011-06-07 | Dynatrace Software Gmbh | Method and system for processing application performance data ouside of monitored applications to limit overhead caused by monitoring |
US8345561B2 (en) | 2006-08-22 | 2013-01-01 | Rueters America Inc. | Time monitor |
KR100793057B1 (en) | 2006-09-01 | 2008-01-10 | 한국전자통신연구원 | Usn middleware apparatus for generating information service based on heterogeneous sensor networks and its method, system for providing information service using that |
US8056134B1 (en) | 2006-09-10 | 2011-11-08 | Ogilvie John W | Malware detection and identification via malware spoofing |
US8407164B2 (en) | 2006-10-02 | 2013-03-26 | The Trustees Of Columbia University In The City Of New York | Data classification and hierarchical clustering |
US7743242B2 (en) | 2006-10-16 | 2010-06-22 | Scalent Systems Inc. | Method and system for automatic generation of operating system boot images |
CN1937623A (en) | 2006-10-18 | 2007-03-28 | 华为技术有限公司 | Method and system for controlling network business |
US7768921B2 (en) | 2006-10-30 | 2010-08-03 | Juniper Networks, Inc. | Identification of potential network threats using a distributed threshold random walk |
US7861933B2 (en) | 2006-11-06 | 2011-01-04 | Ikan Technologies Inc. | Methods and systems for network configuration |
US7774498B1 (en) | 2006-11-06 | 2010-08-10 | Cisco Technology, Inc. | Methods and apparatus for trusted application centric QoS provisioning |
US8181248B2 (en) | 2006-11-23 | 2012-05-15 | Electronics And Telecommunications Research Institute | System and method of detecting anomaly malicious code by using process behavior prediction technique |
US8769120B2 (en) | 2006-11-28 | 2014-07-01 | Sap Ag | Method and system to monitor parameters of a data flow path in a communication system |
WO2008069439A1 (en) | 2006-12-05 | 2008-06-12 | Electronics And Telecommunications Research Institute | Method for grouping sensor nodes in heterogeneous wireless sensor networks |
US9280337B2 (en) | 2006-12-18 | 2016-03-08 | Adobe Systems Incorporated | Secured distribution of software updates |
US8312115B2 (en) | 2006-12-21 | 2012-11-13 | 1E Limited | Network booting apparatus and method |
US8640086B2 (en) | 2006-12-29 | 2014-01-28 | Sap Ag | Graphical user interface system and method for presenting objects |
US8250657B1 (en) | 2006-12-29 | 2012-08-21 | Symantec Corporation | Web site hygiene-based computer security |
US7788477B1 (en) | 2007-01-31 | 2010-08-31 | Hewlett-Packard Development Company, L.P. | Methods, apparatus and articles of manufacture to control operating system images for diskless servers |
US8762951B1 (en) | 2007-03-21 | 2014-06-24 | Oracle America, Inc. | Apparatus and method for profiling system events in a fine grain multi-threaded multi-core processor |
US8572735B2 (en) | 2007-03-29 | 2013-10-29 | George Mason Research Foundation, Inc. | Attack resistant continuous network service trustworthiness controller |
US9083712B2 (en) | 2007-04-04 | 2015-07-14 | Sri International | Method and apparatus for generating highly predictive blacklists |
US8005935B2 (en) | 2007-04-05 | 2011-08-23 | International Business Machines Corporation | Methods and computer program products for managing application performance on a network |
US8706914B2 (en) | 2007-04-23 | 2014-04-22 | David D. Duchesneau | Computing infrastructure |
US9405585B2 (en) | 2007-04-30 | 2016-08-02 | International Business Machines Corporation | Management of heterogeneous workloads |
US8256003B2 (en) | 2007-05-10 | 2012-08-28 | Microsoft Corporation | Real-time network malware protection |
US8209738B2 (en) | 2007-05-31 | 2012-06-26 | The Board Of Trustees Of The University Of Illinois | Analysis of distributed policy rule-sets for compliance with global policy |
WO2008151321A2 (en) | 2007-06-08 | 2008-12-11 | The Trustees Of Columbia University In The City Of New York | Systems, methods, and media for enforcing a security policy in a network including a plurality of components |
WO2008152554A1 (en) | 2007-06-14 | 2008-12-18 | Koninklijke Philips Electronics N.V. | A network device for use in a network |
US7934248B1 (en) | 2007-06-27 | 2011-04-26 | Emc Corporation | Network policy enforcement dashboard views |
JP2009016906A (en) | 2007-06-29 | 2009-01-22 | Toshiba Corp | Information processor, its reproduction method |
US9014047B2 (en) | 2007-07-10 | 2015-04-21 | Level 3 Communications, Llc | System and method for aggregating and reporting network traffic data |
US8451731B1 (en) | 2007-07-25 | 2013-05-28 | Xangati, Inc. | Network monitoring using virtual packets |
KR100862971B1 (en) | 2007-07-26 | 2008-10-13 | 강릉대학교산학협력단 | Method for updating firmware of sensor nodes on the wireless sensor network |
US8291495B1 (en) | 2007-08-08 | 2012-10-16 | Juniper Networks, Inc. | Identifying applications for intrusion detection systems |
US20090059934A1 (en) | 2007-08-30 | 2009-03-05 | Motorola, Inc. | Method and device for providing a bridge in a network |
US8613084B2 (en) | 2007-09-18 | 2013-12-17 | Mcafee, Inc. | System, method, and computer program product for detecting at least potentially unwanted activity based on execution profile monitoring |
DE602007003733D1 (en) | 2007-09-28 | 2010-01-21 | Zimory Gmbh | Method and system for automatically deploying a server remotely via virtual appliance applications |
US8248928B1 (en) | 2007-10-09 | 2012-08-21 | Foundry Networks, Llc | Monitoring server load balancing |
US8442073B2 (en) | 2007-10-25 | 2013-05-14 | Siemens Aktiengesellschaft | Method and an apparatus for analyzing a communication network |
US8305896B2 (en) | 2007-10-31 | 2012-11-06 | Cisco Technology, Inc. | Selective performance enhancement of traffic flows |
KR101394338B1 (en) | 2007-10-31 | 2014-05-30 | 삼성전자주식회사 | Method and apparatus for displaying topology information of a wireless sensor network and system therefor |
KR100938672B1 (en) | 2007-11-20 | 2010-01-25 | 한국전자통신연구원 | The method and apparatus for detecting dll inserted by malicious code |
KR100974888B1 (en) | 2007-11-26 | 2010-08-11 | 한국전자통신연구원 | Device and Method for Detecting Anomalous Traffic |
US7970946B1 (en) | 2007-11-27 | 2011-06-28 | Google Inc. | Recording and serializing events |
US8775577B1 (en) | 2007-12-18 | 2014-07-08 | Amazon Technologies, Inc. | System and method for configuration management service |
US20090168648A1 (en) | 2007-12-29 | 2009-07-02 | Arbor Networks, Inc. | Method and System for Annotating Network Flow Information |
US20090182818A1 (en) | 2008-01-11 | 2009-07-16 | Fortinet, Inc. A Delaware Corporation | Heuristic detection of probable misspelled addresses in electronic communications |
JP2009171194A (en) | 2008-01-16 | 2009-07-30 | Oki Electric Ind Co Ltd | Packet sampling method, packet sampling device, and network monitoring device |
CN101933003B (en) | 2008-01-31 | 2015-09-09 | 惠普开发有限公司 | Automated application dependency maps |
US8719936B2 (en) | 2008-02-01 | 2014-05-06 | Northeastern University | VMM-based intrusion detection system |
US9240945B2 (en) | 2008-03-19 | 2016-01-19 | Citrix Systems, Inc. | Access, priority and bandwidth management based on application identity |
US8793117B1 (en) | 2008-04-16 | 2014-07-29 | Scalable Network Technologies, Inc. | System and method for virtualization of networking system software via emulation |
US7844744B2 (en) | 2008-04-25 | 2010-11-30 | International Business Machines Corporation | Providing server security via a security sensor application shared by multiple operating system partitions |
US8224936B2 (en) | 2008-05-21 | 2012-07-17 | Cisco Technology, Inc. | Configuration file override |
US9270477B2 (en) | 2008-05-28 | 2016-02-23 | Airmagnet, Inc. | Method and apparatus of measuring and reporting data gap from within an analysis tool |
US9152789B2 (en) | 2008-05-28 | 2015-10-06 | Zscaler, Inc. | Systems and methods for dynamic cloud-based malware behavior analysis |
US8713177B2 (en) | 2008-05-30 | 2014-04-29 | Red Hat, Inc. | Remote management of networked systems using secure modular platform |
US8255972B2 (en) | 2008-06-06 | 2012-08-28 | International Business Machines Corporation | Method to automatically map business function level policies to it management policies |
US8160063B2 (en) | 2008-06-09 | 2012-04-17 | Microsoft Corporation | Data center interconnect and traffic engineering |
US9369299B2 (en) | 2008-06-10 | 2016-06-14 | Bradford Networks, Inc. | Network access control system and method for devices connecting to network using remote access control methods |
EP2134057B1 (en) | 2008-06-12 | 2013-05-01 | Alcatel Lucent | Method for protecting a packet-based network from attacks, as well as security border node |
US8630316B2 (en) | 2008-06-19 | 2014-01-14 | Microsoft Corporation | Clock synchronization using correlation events |
US8930828B2 (en) | 2008-06-22 | 2015-01-06 | Microsoft Corporation | Distinguishing conference participants |
US8856926B2 (en) | 2008-06-27 | 2014-10-07 | Juniper Networks, Inc. | Dynamic policy provisioning within network security devices |
JP5590825B2 (en) | 2008-06-30 | 2014-09-17 | キヤノン株式会社 | Communication device and method for determining round trip time |
US8046443B2 (en) | 2008-08-21 | 2011-10-25 | Red Hat, Inc. | Rapid deployment remote network monitor |
US7904420B2 (en) | 2008-08-26 | 2011-03-08 | Raytheon Company | Identification and verification of common cluster files residing on nodes in a cluster |
US8023504B2 (en) | 2008-08-27 | 2011-09-20 | Cisco Technology, Inc. | Integrating security server policies with optimized routing control |
US8752042B2 (en) | 2008-08-27 | 2014-06-10 | Cardinalcommerce Corporation | Intelligent server routing |
US8755396B2 (en) | 2008-09-11 | 2014-06-17 | Juniper Networks, Inc. | Methods and apparatus related to flow control within a data center switch fabric |
US9495538B2 (en) | 2008-09-25 | 2016-11-15 | Symantec Corporation | Graduated enforcement of restrictions according to an application's reputation |
US8572717B2 (en) | 2008-10-09 | 2013-10-29 | Juniper Networks, Inc. | Dynamic access control policy with port restrictions for a network security appliance |
WO2010050932A1 (en) | 2008-10-28 | 2010-05-06 | Hewlett-Packard Development Company, L.P. | Data center manager |
US7902973B2 (en) | 2008-11-17 | 2011-03-08 | Cisco Technology, Inc. | Alarm reordering to handle alarm storms in large networks |
US8775578B2 (en) | 2008-11-28 | 2014-07-08 | Red Hat, Inc. | Providing hardware updates in a software environment |
JP4629768B2 (en) | 2008-12-03 | 2011-02-09 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Parallelization processing method, system, and program |
US8462212B1 (en) | 2008-12-04 | 2013-06-11 | Stoplift, Inc. | Correlating detected events with image data |
EP2364543B1 (en) | 2008-12-08 | 2017-02-15 | Telefonaktiebolaget LM Ericsson (publ) | Broadband network access |
US8566571B2 (en) | 2008-12-12 | 2013-10-22 | Novell, Inc. | Pre-boot securing of operating system (OS) for endpoint evaluation |
US9258217B2 (en) | 2008-12-16 | 2016-02-09 | At&T Intellectual Property I, L.P. | Systems and methods for rule-based anomaly detection on IP network flow |
CN101770551A (en) | 2008-12-30 | 2010-07-07 | 中国科学院软件研究所 | Method for processing hidden process based on hardware simulator |
JP2012515491A (en) | 2009-01-16 | 2012-07-05 | メインライン ネット ホールディングス リミテッド | Maximize bandwidth utilization in networks with packet loss and high latency using transmission control protocols |
US20100306176A1 (en) | 2009-01-28 | 2010-12-02 | Digitiliti, Inc. | Deduplication of files |
US8866821B2 (en) | 2009-01-30 | 2014-10-21 | Microsoft Corporation | Depth map movement tracking via optical flow and velocity prediction |
US7864707B2 (en) | 2009-02-24 | 2011-01-04 | International Business Machines Corporation | Determination of network topology using flow-based traffic information |
EP2224357A1 (en) | 2009-02-27 | 2010-09-01 | BRITISH TELECOMMUNICATIONS public limited company | Video segmentation |
US8667096B2 (en) | 2009-02-27 | 2014-03-04 | Red Hat, Inc. | Automatically generating system restoration order for network recovery |
US7787480B1 (en) | 2009-03-04 | 2010-08-31 | Juniper Networks, Inc. | Routing frames in a trill network using service VLAN identifiers |
US20100235915A1 (en) | 2009-03-12 | 2010-09-16 | Nasir Memon | Using host symptoms, host roles, and/or host reputation for detection of host infection |
US8838804B2 (en) | 2009-03-12 | 2014-09-16 | Novell, Inc. | Securing a network connection by way of an endpoint computing device |
US8904520B1 (en) | 2009-03-19 | 2014-12-02 | Symantec Corporation | Communication-based reputation system |
US8667121B2 (en) | 2009-03-25 | 2014-03-04 | Mcafee, Inc. | System and method for managing data and policies |
US8381289B1 (en) | 2009-03-31 | 2013-02-19 | Symantec Corporation | Communication-based host reputation system |
US8516590B1 (en) | 2009-04-25 | 2013-08-20 | Dasient, Inc. | Malicious advertisement detection and remediation |
EP2249525B1 (en) | 2009-05-06 | 2012-10-31 | Alcatel Lucent | Traffic-engineered connection establishment across resource domains for data transport |
US8918531B2 (en) | 2009-05-07 | 2014-12-23 | Cisco Technology, Inc. | Automated network device provisioning using dynamic host configuration protocol |
US8787182B2 (en) * | 2009-05-18 | 2014-07-22 | Comcast Cable Holdings, Llc | Configuring network devices |
US8588422B2 (en) | 2009-05-28 | 2013-11-19 | Novell, Inc. | Key management to protect encrypted data of an endpoint computing device |
US8040822B2 (en) | 2009-06-04 | 2011-10-18 | Alcatel Lucent | Configuring communication services using policy groups |
US9778953B2 (en) | 2009-06-16 | 2017-10-03 | International Business Machines Corporation | Process and system for comprehensive IT discovery without credentials |
US8918380B2 (en) * | 2009-07-09 | 2014-12-23 | Norsync Technology As | Methods, systems and devices for performing incremental updates of partial databases |
US9210050B2 (en) | 2009-07-09 | 2015-12-08 | Centurylink Intellectual Property Llc | System and method for a testing vector and associated performance map |
US8832013B1 (en) | 2009-07-24 | 2014-09-09 | Decision Lens, Inc. | Method and system for analytic network process (ANP) total influence analysis |
US8996659B2 (en) | 2009-07-24 | 2015-03-31 | Plumchoice, Inc. | Systems and methods for providing remote services using a cross-device database |
KR101548021B1 (en) | 2009-08-06 | 2015-08-28 | 주식회사 케이티 | Method For Managing Network |
US9158649B2 (en) | 2009-08-14 | 2015-10-13 | Microsoft Technology Licensing, Llc | Methods and computer program products for generating a model of network application health |
CN101998629B (en) | 2009-08-28 | 2014-05-21 | 国际商业机器公司 | Method, device and system for searching for virtual resources |
WO2011027352A1 (en) | 2009-09-03 | 2011-03-10 | Mcafee, Inc. | Network access control |
US9049617B2 (en) | 2009-09-23 | 2015-06-02 | At&T Intellectual Property I, L.P. | Signaling-less dynamic call setup and teardown by utilizing observed session state information |
US8489717B2 (en) | 2009-09-24 | 2013-07-16 | Hitachi, Ltd. | Accelerated cable modem restart service |
US20110087771A1 (en) | 2009-10-05 | 2011-04-14 | Vss Monitoring, Inc. | Method, apparatus and system for a layer of stacked network captured traffic distribution devices |
JP4931978B2 (en) | 2009-10-06 | 2012-05-16 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Parallelization processing method, system, and program |
US8572739B1 (en) | 2009-10-27 | 2013-10-29 | Trend Micro Incorporated | Detection of malicious modules injected on legitimate processes |
EP2495916A4 (en) | 2009-10-30 | 2014-10-01 | Mitsubishi Electric Corp | Gateway apparatus, communication system and communication method |
TWI507985B (en) | 2009-11-02 | 2015-11-11 | Wistron Corp | Electronic device capable of automatically setting up operating systems and related method and system |
US8621460B2 (en) | 2009-11-02 | 2013-12-31 | International Business Machines Corporation | Endpoint-hosted hypervisor management |
US8442048B2 (en) | 2009-11-04 | 2013-05-14 | Juniper Networks, Inc. | Methods and apparatus for configuring a virtual network switch |
US20110126197A1 (en) | 2009-11-25 | 2011-05-26 | Novell, Inc. | System and method for controlling cloud and virtualized data centers in an intelligent workload management system |
US8965981B2 (en) | 2009-11-25 | 2015-02-24 | At&T Intellectual Property I, L.P. | Method and apparatus for botnet analysis and visualization |
US20110145885A1 (en) | 2009-12-10 | 2011-06-16 | Bank Of America Corporation | Policy Adherence And Compliance Model |
US20110153811A1 (en) | 2009-12-18 | 2011-06-23 | Hyun Cheol Jeong | System and method for modeling activity patterns of network traffic to detect botnets |
US20110153039A1 (en) | 2009-12-23 | 2011-06-23 | Viktor Gvelesiani | System and method for providing diagnostic information and graphical user interface therefor |
US8310950B2 (en) | 2009-12-28 | 2012-11-13 | Oracle America, Inc. | Self-configuring networking devices for providing services in a nework |
US8291258B2 (en) | 2010-01-08 | 2012-10-16 | Juniper Networks, Inc. | High availability for network security devices |
US8774232B2 (en) | 2010-01-08 | 2014-07-08 | Ciena Corporation | Systems and methods of measuring latency and routing thereon in optical networks |
US8819826B2 (en) | 2010-01-27 | 2014-08-26 | Mcafee, Inc. | Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation |
US20110196957A1 (en) | 2010-02-05 | 2011-08-11 | International Business Machines Corporation | Real-Time Policy Visualization by Configuration Item to Demonstrate Real-Time and Historical Interaction of Policies |
US9160737B2 (en) | 2010-02-26 | 2015-10-13 | Microsoft Technology Licensing, Llc | Statistical security for anonymous mesh-up oriented online services |
US8869138B2 (en) | 2011-11-11 | 2014-10-21 | Wyse Technology L.L.C. | Robust firmware update with recovery logic |
US9413649B2 (en) | 2010-03-12 | 2016-08-09 | Force10 Networks, Inc. | Virtual network device architecture |
US20110228696A1 (en) | 2010-03-19 | 2011-09-22 | Navneet Agarwal | Dynamic directed acyclic graph (dag) topology reporting |
US8489765B2 (en) | 2010-03-19 | 2013-07-16 | Cisco Technology, Inc. | Dynamic directed acyclic graph (DAG) adjustment |
US8560658B2 (en) | 2010-03-23 | 2013-10-15 | Juniper Networks, Inc. | Managing distributed address pools within network devices |
KR101122650B1 (en) | 2010-04-28 | 2012-03-09 | 한국전자통신연구원 | Apparatus, system and method for detecting malicious code injected with fraud into normal process |
US8281397B2 (en) | 2010-04-29 | 2012-10-02 | Telcordia Technologies, Inc. | Method and apparatus for detecting spoofed network traffic |
US9270663B2 (en) | 2010-04-30 | 2016-02-23 | T-Central, Inc. | System and method to enable PKI- and PMI-based distributed locking of content and distributed unlocking of protected content and/or scoring of users and/or scoring of end-entity access means—added |
US8549650B2 (en) | 2010-05-06 | 2013-10-01 | Tenable Network Security, Inc. | System and method for three-dimensional visualization of vulnerability and asset data |
WO2011137935A1 (en) | 2010-05-07 | 2011-11-10 | Ulysses Systems (Uk) Limited | System and method for identifying relevant information for an enterprise |
US20110283277A1 (en) | 2010-05-11 | 2011-11-17 | International Business Machines Corporation | Virtualization and dynamic resource allocation aware storage level reordering |
EP2569711A4 (en) | 2010-05-13 | 2017-03-15 | VeriSign, Inc. | Systems and methods for identifying malicious domains using internet-wide dns lookup patterns |
US20110302652A1 (en) | 2010-06-07 | 2011-12-08 | Novell, Inc. | System and method for detecting real-time security threats in a network datacenter |
US8433790B2 (en) | 2010-06-11 | 2013-04-30 | Sourcefire, Inc. | System and method for assigning network blocks to sensors |
WO2011159842A2 (en) | 2010-06-15 | 2011-12-22 | Nimbula, Inc. | Virtual computing infrastructure |
US8832461B2 (en) | 2010-06-25 | 2014-09-09 | Microsoft Corporation | Trusted sensors |
US8570861B1 (en) | 2010-06-29 | 2013-10-29 | Amazon Technologies, Inc. | Reputation-based networking |
US9384112B2 (en) | 2010-07-01 | 2016-07-05 | Logrhythm, Inc. | Log collection, structuring and processing |
US8588081B2 (en) | 2010-07-14 | 2013-11-19 | Cisco Technology, Inc. | Monitoring a flow set to detect faults |
US8489775B2 (en) | 2010-07-21 | 2013-07-16 | Dell Products L.P. | System-wide time synchronization across power management interfaces and sensor data |
US8849926B2 (en) | 2010-08-06 | 2014-09-30 | Simon Fraser University | System and method for self-calibrating, self-organizing and localizing sensors in wireless sensor networks |
CN102387169B (en) | 2010-08-26 | 2014-07-23 | 阿里巴巴集团控股有限公司 | Delete method, system and delete server for distributed cache objects |
US8661544B2 (en) | 2010-08-31 | 2014-02-25 | Cisco Technology, Inc. | Detecting botnets |
US8683389B1 (en) | 2010-09-08 | 2014-03-25 | The New England Complex Systems Institute, Inc. | Method and apparatus for dynamic information visualization |
US8413235B1 (en) | 2010-09-10 | 2013-04-02 | Symantec Corporation | Malware detection using file heritage data |
US8707275B2 (en) | 2010-09-14 | 2014-04-22 | Microsoft Corporation | Simulation environment for distributed programs |
AU2011305214B2 (en) | 2010-09-24 | 2014-12-11 | Verisign, Inc. | IP prioritization and scoring system for DDoS detection and mitigation |
US8351430B2 (en) | 2010-09-30 | 2013-01-08 | Microsoft Corporation | Routing using global address pairs |
US8838830B2 (en) | 2010-10-12 | 2014-09-16 | Sap Portals Israel Ltd | Optimizing distributed computer networks |
US20120102361A1 (en) | 2010-10-25 | 2012-04-26 | Computer Associates Think, Inc. | Heuristic policy analysis |
US20120102543A1 (en) | 2010-10-26 | 2012-04-26 | 360 GRC, Inc. | Audit Management System |
US20150222939A1 (en) | 2010-10-28 | 2015-08-06 | Avvasi Inc. | System for monitoring a video network and methods for use therewith |
US8832835B1 (en) | 2010-10-28 | 2014-09-09 | Symantec Corporation | Detecting and remediating malware dropped by files |
JP5568776B2 (en) | 2010-11-05 | 2014-08-13 | 株式会社日立製作所 | Computer monitoring system and monitoring method |
TWI453624B (en) | 2010-11-09 | 2014-09-21 | Inst Information Industry | Information security protection host |
US9117075B1 (en) | 2010-11-22 | 2015-08-25 | Trend Micro Inc. | Early malware detection by cross-referencing host data |
CN103221921B (en) | 2010-11-23 | 2016-06-22 | 国际商业机器公司 | Utilize the Direct Transfer of the software image of Flow Technique |
KR20120057066A (en) | 2010-11-26 | 2012-06-05 | 한국전자통신연구원 | Method and system for providing network security operation system, security event processing apparatus and visual processing apparatus for network security operation |
US20120137278A1 (en) | 2010-11-30 | 2012-05-31 | International Business Machines Corporation | Generating a customized set of tasks for migration of a deployed software solution |
US9660940B2 (en) | 2010-12-01 | 2017-05-23 | Juniper Networks, Inc. | Methods and apparatus for flow control associated with a switch fabric |
US9128803B2 (en) | 2010-12-15 | 2015-09-08 | Microsoft Technology Licensing, Llc | Application model for implementing composite applications |
US8499348B1 (en) | 2010-12-28 | 2013-07-30 | Amazon Technologies, Inc. | Detection of and responses to network attacks |
US20120197856A1 (en) | 2011-01-28 | 2012-08-02 | Cisco Technology, Inc. | Hierarchical Network for Collecting, Aggregating, Indexing, and Searching Sensor Data |
US9225793B2 (en) | 2011-01-28 | 2015-12-29 | Cisco Technology, Inc. | Aggregating sensor data |
US20120195198A1 (en) | 2011-01-31 | 2012-08-02 | Joseph Regan | Method and apparatus providing protocol policing |
US20120198541A1 (en) | 2011-02-02 | 2012-08-02 | Reeves Randall E | Methods and apparatus for preventing network intrusion |
ES2902644T3 (en) | 2011-02-11 | 2022-03-29 | Siemens Healthcare Diagnostics Inc | System and method for secure software update |
US9112830B2 (en) | 2011-02-23 | 2015-08-18 | Mcafee, Inc. | System and method for interlocking a host and a gateway |
US8665883B2 (en) | 2011-02-28 | 2014-03-04 | Alcatel Lucent | Generalized multi-homing for virtual private LAN services |
US20120233473A1 (en) | 2011-03-08 | 2012-09-13 | Cisco Technology, Inc. | Power Management in Networks |
US8538926B2 (en) | 2011-03-08 | 2013-09-17 | Rackspace Us, Inc. | Massively scalable object storage system for storing object replicas |
US9118637B2 (en) | 2011-03-09 | 2015-08-25 | Arris Enterprises, Inc. | Dual-mode download manager |
JP5678751B2 (en) | 2011-03-18 | 2015-03-04 | 株式会社リコー | Quarantine network system |
US9122877B2 (en) | 2011-03-21 | 2015-09-01 | Mcafee, Inc. | System and method for malware and network reputation correlation |
US20120246303A1 (en) | 2011-03-23 | 2012-09-27 | LogRhythm Inc. | Log collection, structuring and processing |
US9571354B2 (en) | 2011-03-28 | 2017-02-14 | Citrix Systems, Inc. | Systems and methods for tracking application layer flow via a multi-connection intermediary device |
US20120254109A1 (en) | 2011-03-28 | 2012-10-04 | Microsoft Corporation | Distributed component runtime |
US9170917B2 (en) | 2011-04-01 | 2015-10-27 | Paypal, Inc. | Flow tracing though diverse logical and physical application and infrastructure layers/dependencies |
US9465589B2 (en) | 2011-04-05 | 2016-10-11 | Microsoft Technology Licensing, Llc | Stateful component authoring and execution |
US9071575B2 (en) | 2011-04-21 | 2015-06-30 | Robert K. Lemaster | Method and system for abuse route aggregation and distribution |
US8612169B2 (en) | 2011-04-26 | 2013-12-17 | International Business Machines Corporation | Method and system for detecting anomalies in a bipartite graph |
US9270572B2 (en) | 2011-05-02 | 2016-02-23 | Brocade Communications Systems Inc. | Layer-3 support in TRILL networks |
US9049259B2 (en) * | 2011-05-03 | 2015-06-02 | Onepatont Software Limited | System and method for dynamically providing visual action or activity news feed |
US9396327B2 (en) | 2011-05-16 | 2016-07-19 | D2L Corporation | Systems and methods for security verification in electronic learning systems and other systems |
US8966625B1 (en) | 2011-05-24 | 2015-02-24 | Palo Alto Networks, Inc. | Identification of malware sites using unknown URL sites and newly registered DNS addresses |
US20120300628A1 (en) | 2011-05-26 | 2012-11-29 | Dan Prescott | Method and apparatus to passively determine the state of a flow including determining flow state in the event of missing data on one or both sides of the flow |
US9465696B2 (en) | 2011-06-03 | 2016-10-11 | Apple Inc. | Methods and apparatus for multi-phase multi-source backup |
US8719835B2 (en) | 2011-06-07 | 2014-05-06 | Telefonaktiebolaget L M Ericsson (Publ) | Ranking service units to provide and protect highly available services using the Nway redundancy model |
US9450873B2 (en) | 2011-06-28 | 2016-09-20 | Microsoft Technology Licensing, Llc | Performance isolation for clouds |
US9407533B2 (en) | 2011-06-28 | 2016-08-02 | Brocade Communications Systems, Inc. | Multicast in a trill network |
US8370407B1 (en) | 2011-06-28 | 2013-02-05 | Go Daddy Operating Company, LLC | Systems providing a network resource address reputation service |
US9250918B2 (en) | 2011-06-30 | 2016-02-02 | Bmc Software, Inc. | Server management with dynamic construction of pre-boot images |
US9116968B2 (en) | 2011-06-30 | 2015-08-25 | Bmc Software, Inc. | Methods and apparatus related to graph transformation and synchronization |
US9185127B2 (en) | 2011-07-06 | 2015-11-10 | Nominum, Inc. | Network protection service |
US8726379B1 (en) | 2011-07-15 | 2014-05-13 | Norse Corporation | Systems and methods for dynamic protection from electronic attacks |
EP2737404A4 (en) | 2011-07-26 | 2015-04-29 | Light Cyber Ltd | A method for detecting anomaly action within a computer network |
EP2737427A4 (en) | 2011-07-29 | 2015-04-15 | Hewlett Packard Development Co | Systems and methods for distributed rule-based correlation of events |
US8719452B1 (en) | 2011-07-29 | 2014-05-06 | Google Inc. | Correction of client-assigned timestamps |
US20130038358A1 (en) | 2011-08-10 | 2013-02-14 | David M. Cook | Wireless sensor node and method |
US8881258B2 (en) | 2011-08-24 | 2014-11-04 | Mcafee, Inc. | System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy |
US9037642B2 (en) | 2011-08-29 | 2015-05-19 | Fiberlink Communications Corporation | Platform for deployment and distribution of modules to endpoints |
WO2013030830A1 (en) | 2011-08-31 | 2013-03-07 | Daniel Levy | Automatic ranking of entities based on interactions therebetween |
US8311973B1 (en) | 2011-09-24 | 2012-11-13 | Zadeh Lotfi A | Methods and systems for applications for Z-numbers |
US9916538B2 (en) | 2012-09-15 | 2018-03-13 | Z Advanced Computing, Inc. | Method and system for feature detection |
US8694644B2 (en) | 2011-09-29 | 2014-04-08 | Nec Laboratories America, Inc. | Network-aware coordination of virtual machine migrations in enterprise data centers and clouds |
US20130085889A1 (en) * | 2011-09-29 | 2013-04-04 | Sears Brands, Llc | Systems and methods for managing returns or exchanges made via a computer network |
US8683548B1 (en) * | 2011-09-30 | 2014-03-25 | Emc Corporation | Computing with policy engine for multiple virtual machines |
US8677487B2 (en) | 2011-10-18 | 2014-03-18 | Mcafee, Inc. | System and method for detecting a malicious command and control channel |
CN102387608B (en) | 2011-10-21 | 2014-12-10 | 大唐移动通信设备有限公司 | Access method of WiFi (Wireless Fidelity) access point (AP), WiFi AP and WiFi system |
US9148381B2 (en) | 2011-10-21 | 2015-09-29 | Qualcomm Incorporated | Cloud computing enhanced gateway for communication networks |
US8773999B2 (en) | 2011-10-26 | 2014-07-08 | International Business Machines Corporation | Distributed chassis architecture having integrated service appliances |
CN103095597B (en) | 2011-10-28 | 2017-04-26 | 华为技术有限公司 | Load balancing method and device |
US8812448B1 (en) | 2011-11-09 | 2014-08-19 | Access Sciences Corporation | Computer implemented method for accelerating electronic file migration from multiple sources to multiple destinations |
US8447851B1 (en) | 2011-11-10 | 2013-05-21 | CopperEgg Corporation | System for monitoring elastic cloud-based computing systems as a service |
US9003141B2 (en) | 2011-11-14 | 2015-04-07 | Ca, Inc. | Enhanced software application platform |
EP2748714B1 (en) | 2011-11-15 | 2021-01-13 | Nicira, Inc. | Connection identifier assignment and source network address translation |
US9614914B2 (en) | 2011-11-18 | 2017-04-04 | Thomson Licensing | System comprising a publish/subscribe broker for a remote management of end-user devices, and respective end-user device |
CN102521537B (en) | 2011-12-06 | 2015-05-20 | 北京航空航天大学 | Detection method and device for hidden process based on virtual machine monitor |
EP2777220B1 (en) | 2011-12-07 | 2016-08-17 | Huawei Technologies Co., Ltd. | Method to carry fcoe frames over a trill based network |
US8887238B2 (en) | 2011-12-07 | 2014-11-11 | Time Warner Cable Enterprises Llc | Mechanism for establishing reputation in a network environment |
US8881145B2 (en) | 2011-12-15 | 2014-11-04 | Industrial Technology Research Institute | System and method for generating application-level dependencies in one or more virtual machines |
US8914497B1 (en) | 2011-12-15 | 2014-12-16 | Amazon Technologies, Inc. | System and method for throttling service requests having non-uniform workloads |
EP2605453B1 (en) | 2011-12-16 | 2014-11-12 | Alcatel Lucent | Method and apparatus for monitoring transmission characteristics in a network |
US8966021B1 (en) | 2011-12-20 | 2015-02-24 | Amazon Technologies, Inc. | Composable machine image |
US8973147B2 (en) | 2011-12-29 | 2015-03-03 | Mcafee, Inc. | Geo-mapping system security events |
US9083741B2 (en) | 2011-12-29 | 2015-07-14 | Architecture Technology Corporation | Network defense system and framework for detecting and geolocating botnet cyber attacks |
US10514937B2 (en) | 2012-01-05 | 2019-12-24 | Vmware, Inc. | Auto-discovery service and method of discovering applications within a virtual network |
US9575809B2 (en) | 2012-01-10 | 2017-02-21 | Microsoft Technology Licensing, Llc | Distributed stochastic clustering for automated formation of connected networks of agents |
JP5923846B2 (en) | 2012-01-16 | 2016-05-25 | ノキア ソリューションズ アンド ネットワークス オサケユキチュア | Vendor-specific base station autoconfiguration framework |
US9246702B1 (en) | 2012-01-31 | 2016-01-26 | Cisco Technology, Inc. | System and method for configuring service appliances as virtual line cards in a network environment |
US9612814B2 (en) | 2012-02-02 | 2017-04-04 | Sungard Availability Services, Lp | Network topology-aware recovery automation |
US9088517B2 (en) | 2012-02-08 | 2015-07-21 | Cisco Technology, Inc. | Stitching multicast trees |
US9372213B2 (en) | 2012-02-15 | 2016-06-21 | Alpha and Omega, Inc. | Sensors for electrical connectors |
US8640239B2 (en) | 2012-02-20 | 2014-01-28 | International Business Machines Corporation | Network intrusion detection in a network that includes a distributed virtual switch fabric |
US9426068B2 (en) | 2012-02-24 | 2016-08-23 | Futurewei Technologies, Inc. | Balancing of forwarding and address resolution in overlay networks |
US8997227B1 (en) | 2012-02-27 | 2015-03-31 | Amazon Technologies, Inc. | Attack traffic signature generation using statistical pattern recognition |
WO2013129055A1 (en) | 2012-03-02 | 2013-09-06 | ソニー株式会社 | Information processing device, information processing method, and programme |
US9052961B2 (en) | 2012-03-02 | 2015-06-09 | Vmware, Inc. | System to generate a deployment plan for a cloud infrastructure according to logical, multi-tier application blueprint |
RU2486588C1 (en) | 2012-03-14 | 2013-06-27 | Закрытое акционерное общество "Лаборатория Касперского" | System and method for efficient treatment of computer from malware and effects of its work |
US8789164B2 (en) | 2012-03-16 | 2014-07-22 | International Business Machines Corporation | Scalable virtual appliance cloud (SVAC) and devices usable in an SVAC |
US8825848B1 (en) | 2012-03-20 | 2014-09-02 | Emc Corporation | Ordering of event records in an electronic system for forensic analysis |
US8832831B2 (en) | 2012-03-21 | 2014-09-09 | Radware, Ltd. | Method and system for detecting and mitigating attacks performed using cryptographic protocols |
US9621413B1 (en) | 2012-03-29 | 2017-04-11 | Arris Enterprises, Inc. | Displaying dynamic host configuration protocol (DHCP) transaction states using a DHCP relay agent |
US8931043B2 (en) | 2012-04-10 | 2015-01-06 | Mcafee Inc. | System and method for determining and using local reputations of users and hosts to protect information in a network environment |
US9608881B2 (en) | 2012-04-13 | 2017-03-28 | International Business Machines Corporation | Service compliance enforcement using user activity monitoring and work request verification |
US9210180B2 (en) | 2012-04-18 | 2015-12-08 | Radware Ltd. | Techniques for separating the processing of clients' traffic to different zones in software defined networks |
US8776180B2 (en) | 2012-05-01 | 2014-07-08 | Taasera, Inc. | Systems and methods for using reputation scores in network services and transactions to calculate security risks to computer systems and platforms |
US9674589B2 (en) | 2012-05-04 | 2017-06-06 | Itron, Inc. | Coordinated collection of metering data |
US8867367B2 (en) | 2012-05-10 | 2014-10-21 | Telefonaktiebolaget L M Ericsson (Publ) | 802.1aq support over IETF EVPN |
US20130304900A1 (en) | 2012-05-14 | 2013-11-14 | Sap Ag | Reputation management using evolving reputation scores |
US9503463B2 (en) | 2012-05-14 | 2016-11-22 | Zimperium, Inc. | Detection of threats to networks, based on geographic location |
US8812725B2 (en) | 2012-05-18 | 2014-08-19 | Cisco Technology Inc. | System and method for latency reduction in a network environment |
US10116696B2 (en) | 2012-05-22 | 2018-10-30 | Sri International | Network privilege manager for a dynamically programmable computer network |
CN102722563B (en) | 2012-05-31 | 2014-12-03 | 优视科技有限公司 | Method and device for displaying page |
KR101587959B1 (en) | 2012-06-05 | 2016-01-25 | 엠파이어 테크놀로지 디벨롭먼트 엘엘씨 | Cross-user correlation for detecting server-side multi-target intrusion |
US9779260B1 (en) | 2012-06-11 | 2017-10-03 | Dell Software Inc. | Aggregation and classification of secure data |
US9055006B2 (en) | 2012-06-11 | 2015-06-09 | Radware, Ltd. | Techniques for traffic diversion in software defined networks for mitigating denial of service attacks |
US9501744B1 (en) | 2012-06-11 | 2016-11-22 | Dell Software Inc. | System and method for classifying data |
US9280788B2 (en) * | 2012-06-13 | 2016-03-08 | Oracle International Corporation | Information retrieval and navigation using a semantic layer |
US8989049B2 (en) | 2012-06-15 | 2015-03-24 | Cisco Technology, Inc. | System and method for virtual portchannel load balancing in a trill network |
US20130347103A1 (en) | 2012-06-21 | 2013-12-26 | Mark Veteikis | Packet capture for error tracking |
US8959325B2 (en) | 2012-06-21 | 2015-02-17 | Breakingpoint Systems, Inc. | Systems and methods for booting devices using assigned servers in a multiple-card computing system |
US9038178B1 (en) | 2012-06-25 | 2015-05-19 | Emc Corporation | Detection of malware beaconing activities |
US9213590B2 (en) | 2012-06-27 | 2015-12-15 | Brocade Communications Systems, Inc. | Network monitoring and diagnostics |
US9686169B2 (en) | 2012-07-02 | 2017-06-20 | Ixia | Real-time highly accurate network latency measurement with low generated traffic or data requirements |
US9792320B2 (en) | 2012-07-06 | 2017-10-17 | Box, Inc. | System and method for performing shard migration to support functions of a cloud-based service |
US8868030B2 (en) | 2012-07-30 | 2014-10-21 | General Motors Llc | Automated vehicle intrusion device |
US9852073B2 (en) | 2012-08-07 | 2017-12-26 | Dell Products L.P. | System and method for data redundancy within a cache |
WO2014025472A1 (en) | 2012-08-09 | 2014-02-13 | Itron, Inc. | Interface for clustered utility nodes |
US9548908B2 (en) | 2012-08-21 | 2017-01-17 | Cisco Technology, Inc. | Flow de-duplication for network monitoring |
US8792380B2 (en) | 2012-08-24 | 2014-07-29 | Accedian Networks Inc. | System for establishing and maintaining a clock reference indicating one-way latency in a data network |
US8984331B2 (en) | 2012-09-06 | 2015-03-17 | Triumfant, Inc. | Systems and methods for automated memory and thread execution anomaly detection in a computer network |
US20150067786A1 (en) | 2013-09-04 | 2015-03-05 | Michael Stephen Fiske | Visual image authentication and transaction authorization using non-determinism |
US10194284B2 (en) | 2012-09-12 | 2019-01-29 | Digit International Inc. | Embedded communication in message based transports |
US20140089494A1 (en) | 2012-09-27 | 2014-03-27 | Hewlett-Packard Development Company, L.P. | Managing compliance across information technology components |
US9164965B2 (en) | 2012-09-28 | 2015-10-20 | Oracle International Corporation | Interactive topological views of combined hardware and software systems |
US9231820B2 (en) | 2012-09-28 | 2016-01-05 | Juniper Networks, Inc. | Methods and apparatus for controlling wireless access points |
WO2014055680A2 (en) | 2012-10-03 | 2014-04-10 | Spark Integration Technologies Inc. | Systems and methods for adaptive load balanced communications, routing, filtering, and access control in distributed networks |
WO2014055400A1 (en) | 2012-10-05 | 2014-04-10 | Nec Laboratories America, Inc. | Network management |
US9083613B2 (en) | 2012-10-16 | 2015-07-14 | Cisco Technology, Inc. | Detection of cabling error in communication network |
CN103023970B (en) | 2012-11-15 | 2015-07-22 | 中国科学院计算机网络信息中心 | Method and system for storing mass data of Internet of Things (IoT) |
US9178912B2 (en) | 2012-11-15 | 2015-11-03 | Cisco Technology, Inc. | Virtual device context (VDC) integration for network services |
US9171151B2 (en) | 2012-11-16 | 2015-10-27 | Microsoft Technology Licensing, Llc | Reputation-based in-network filtering of client event information |
US9253140B2 (en) | 2012-11-20 | 2016-02-02 | Cisco Technology, Inc. | System and method for optimizing within subnet communication in a network environment |
US9535871B2 (en) | 2012-11-27 | 2017-01-03 | Red Hat Israel, Ltd. | Dynamic routing through virtual appliances |
US9960974B2 (en) | 2012-11-30 | 2018-05-01 | International Business Machines Corporation | Dependency mapping among a system of servers, analytics and visualization thereof |
US9742877B2 (en) | 2012-12-04 | 2017-08-22 | International Business Machines Corporation | Clustering support across geographical boundaries |
US9313096B2 (en) | 2012-12-04 | 2016-04-12 | International Business Machines Corporation | Object oriented networks |
US20140173623A1 (en) | 2012-12-17 | 2014-06-19 | Mediatek Inc. | Method for controlling task migration of task in heterogeneous multi-core system based on dynamic migration threshold and related computer readable medium |
US8813236B1 (en) | 2013-01-07 | 2014-08-19 | Narus, Inc. | Detecting malicious endpoints using network connectivity and flow information |
WO2014111922A1 (en) | 2013-01-21 | 2014-07-24 | B.G. Negev Technologies And Applications Ltd. | Method and system for protecting computerized systems from malicious code |
US9191402B2 (en) | 2013-01-25 | 2015-11-17 | Opendns, Inc. | Domain classification based on client request behavior |
US9332028B2 (en) | 2013-01-25 | 2016-05-03 | REMTCS Inc. | System, method, and apparatus for providing network security |
US20140215573A1 (en) | 2013-01-31 | 2014-07-31 | Desire2Learn Incorporated | System and method for application accounts |
US9130836B2 (en) | 2013-02-04 | 2015-09-08 | Cisco Technology, Inc. | Provisoning of a new node joining an existing cluster in a data center environment |
US9369431B1 (en) | 2013-02-07 | 2016-06-14 | Infoblox Inc. | Security device controller |
US9080707B2 (en) * | 2013-02-12 | 2015-07-14 | Bayer Medical Care Inc. | Intelligent contrast warmer and contrast holder |
US9286047B1 (en) | 2013-02-13 | 2016-03-15 | Cisco Technology, Inc. | Deployment and upgrade of network devices in a network environment |
US9813433B2 (en) | 2013-02-22 | 2017-11-07 | Adaptive Mobile Security Limited | System and method for embedded mobile (EM)/machine to machine (M2M) security, pattern detection, mitigation |
US9143582B2 (en) | 2013-03-08 | 2015-09-22 | International Business Machines Corporation | Interoperability for distributed overlay virtual environments |
US9378068B2 (en) | 2013-03-13 | 2016-06-28 | International Business Machines Corporation | Load balancing for a virtual networking system |
US9237111B2 (en) | 2013-03-14 | 2016-01-12 | International Business Machines Corporation | Credit-based flow control in lossless ethernet networks |
US9407519B2 (en) | 2013-03-15 | 2016-08-02 | Vmware, Inc. | Virtual network flow monitoring |
US9043912B2 (en) | 2013-03-15 | 2015-05-26 | Mehdi Mahvi | Method for thwarting application layer hypertext transport protocol flood attacks focused on consecutively similar application-specific data packets |
US8848744B1 (en) | 2013-03-15 | 2014-09-30 | Extrahop Networks, Inc. | Resynchronization of passive monitoring of a flow based on hole detection |
US9483286B2 (en) | 2013-03-15 | 2016-11-01 | Avi Networks | Distributed network services |
US9721086B2 (en) | 2013-03-15 | 2017-08-01 | Advanced Elemental Technologies, Inc. | Methods and systems for secure and reliable identity-based computing |
US9380066B2 (en) | 2013-03-29 | 2016-06-28 | Intel Corporation | Distributed traffic pattern analysis and entropy prediction for detecting malware in a network environment |
KR101394424B1 (en) | 2013-04-22 | 2014-05-13 | 한국인터넷진흥원 | Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system |
EP2797291A1 (en) | 2013-04-22 | 2014-10-29 | Telefonaktiebolaget L M Ericsson (publ) | Traffic analysis for http user agent based device category mapping |
US9015716B2 (en) | 2013-04-30 | 2015-04-21 | Splunk Inc. | Proactive monitoring tree with node pinning for concurrent node comparisons |
US10728284B2 (en) | 2013-05-03 | 2020-07-28 | Vmware, Inc. | Methods and apparatus to assess compliance of a computing resource in a virtual computing environment |
US9294483B2 (en) | 2013-05-03 | 2016-03-22 | John Wong | Method and system for mitigation of distributed denial of service (DDOS) attacks |
US10977229B2 (en) | 2013-05-21 | 2021-04-13 | Facebook, Inc. | Database sharding with update layer |
US20140348182A1 (en) | 2013-05-22 | 2014-11-27 | Iii Holdings 2, Llc | Time synchronization between nodes of a switched interconnect fabric |
US20140351415A1 (en) | 2013-05-24 | 2014-11-27 | PacketSled Inc. | Selective packet capture |
US9246945B2 (en) | 2013-05-29 | 2016-01-26 | International Business Machines Corporation | Techniques for reconciling permission usage with security policy for policy optimization and monitoring continuous compliance |
US9191400B1 (en) | 2013-06-12 | 2015-11-17 | The United States Of America, As Represented By The Secretary Of The Navy | Cyphertext (CT) analytic engine and method for network anomaly detection |
US9769174B2 (en) | 2013-06-14 | 2017-09-19 | Catbird Networks, Inc. | Systems and methods for creating and modifying access control lists |
US11196636B2 (en) | 2013-06-14 | 2021-12-07 | Catbird Networks, Inc. | Systems and methods for network data flow aggregation |
US20150006714A1 (en) | 2013-06-28 | 2015-01-01 | Microsoft Corporation | Run-time verification of middlebox routing and traffic processing |
US9197654B2 (en) | 2013-06-28 | 2015-11-24 | Mcafee, Inc. | Rootkit detection by using HW resources to detect inconsistencies in network traffic |
US20150009840A1 (en) | 2013-07-03 | 2015-01-08 | Niksun, Inc. | Packet time stamp processing methods, systems, and apparatus |
IL227598B (en) | 2013-07-22 | 2018-05-31 | Verint Systems Ltd | Systems and methods for identifying malicious hosts |
US9246773B2 (en) | 2013-07-30 | 2016-01-26 | Draios Inc. | System, method, and graphical user interface for application topology mapping in hosted computing environments |
US9319293B2 (en) | 2013-07-31 | 2016-04-19 | Calix, Inc. | Methods and apparatuses for network flow analysis and control |
US9450810B2 (en) | 2013-08-02 | 2016-09-20 | Cisco Technoogy, Inc. | Policy-driven automatic redundant fabric placement mechanism for virtual data centers |
US20150039751A1 (en) | 2013-08-02 | 2015-02-05 | PacketSled Inc. | Dynamic parallel coordinates visualization of network flows |
US20150046882A1 (en) | 2013-08-07 | 2015-02-12 | Siemens Product Lifecycle Management Software Inc. | User interaction and display of tree hierarchy data on limited screen space |
US20150052028A1 (en) * | 2013-08-15 | 2015-02-19 | Ippsys Llc | Systems and Methods for Recommending Providers and for Processing Product Inventories of Providers |
US9197666B2 (en) | 2013-08-26 | 2015-11-24 | Verizon Patent And Licensing Inc. | Method and apparatus for mitigating distributed denial of service attacks |
CN104424013B (en) | 2013-08-26 | 2018-03-09 | 国际商业机器公司 | The method and apparatus for disposing virtual machine in a computing environment |
US9811435B2 (en) | 2013-09-03 | 2017-11-07 | Cisco Technology, Inc. | System for virtual machine risk monitoring |
US20160212021A1 (en) | 2013-09-18 | 2016-07-21 | Jolata, Inc. | Highly probable identification of related messages using sparse hash function sets |
US9607146B2 (en) | 2013-09-18 | 2017-03-28 | Qualcomm Incorporated | Data flow based behavioral analysis on mobile devices |
US9385959B2 (en) | 2013-09-26 | 2016-07-05 | Acelio, Inc. | System and method for improving TCP performance in virtualized environments |
US9507847B2 (en) | 2013-09-27 | 2016-11-29 | International Business Machines Corporation | Automatic log sensor tuning |
US9418222B1 (en) | 2013-09-27 | 2016-08-16 | Symantec Corporation | Techniques for detecting advanced security threats |
US9369435B2 (en) | 2013-09-30 | 2016-06-14 | Cisco Technology, Inc. | Method for providing authoritative application-based routing and an improved application firewall |
EP3053041B1 (en) | 2013-10-03 | 2019-03-06 | Telefonaktiebolaget LM Ericsson (publ) | Method, system, computer program and computer program product for monitoring data packet flows between virtual machines, vms, within a data centre |
EP2860912A1 (en) | 2013-10-11 | 2015-04-15 | Telefonica Digital España, S.L.U. | A method for correlating network traffic data from distributed systems and computer program thereof |
US9330156B2 (en) | 2013-10-18 | 2016-05-03 | Cisco Technology, Inc. | System and method for software defined network aware data replication |
AU2014340233B2 (en) | 2013-10-21 | 2018-07-26 | VMware LLC | A system and method for observing and controlling a programmable network using a remote network manager |
US9405903B1 (en) | 2013-10-31 | 2016-08-02 | Palo Alto Networks, Inc. | Sinkholing bad network domains by registering the bad network domains on the internet |
US9973534B2 (en) | 2013-11-04 | 2018-05-15 | Lookout, Inc. | Methods and systems for secure network connections |
US9634938B2 (en) | 2013-11-05 | 2017-04-25 | International Business Machines Corporation | Adaptive scheduling of data flows in data center networks for efficient resource utilization |
US9502111B2 (en) | 2013-11-05 | 2016-11-22 | Cisco Technology, Inc. | Weighted equal cost multipath routing |
US9513938B2 (en) | 2013-11-07 | 2016-12-06 | Sap Se | Virtual appliance integration with cloud management software |
US9088598B1 (en) | 2013-11-14 | 2015-07-21 | Narus, Inc. | Systematic mining of associated server herds for uncovering malware and attack campaigns |
US9819551B2 (en) | 2013-11-20 | 2017-11-14 | Big Switch Networks, Inc. | Systems and methods for testing networks with a controller |
US9454324B1 (en) | 2013-12-18 | 2016-09-27 | Emc Corporation | Methods and apparatus for data lifecycle analysis |
US9507686B2 (en) | 2013-12-20 | 2016-11-29 | Netapp, Inc. | System, method, and computer program product for monitoring health of computer system assets |
EP2887595B8 (en) | 2013-12-23 | 2019-10-16 | Rohde & Schwarz GmbH & Co. KG | Method and node for retransmitting data packets in a tcp connection |
WO2015099778A1 (en) | 2013-12-27 | 2015-07-02 | Mcafee, Inc. | Segregating executable files exhibiting network activity |
US9563517B1 (en) | 2013-12-30 | 2017-02-07 | EMC IP Holding Company LLC | Cloud snapshots |
CN103716137B (en) | 2013-12-30 | 2017-02-01 | 上海交通大学 | Method and system for identifying reasons of ZigBee sensor network packet loss |
US10142259B2 (en) | 2014-03-03 | 2018-11-27 | Ericsson Ab | Conflict detection and resolution in an ABR network |
US9294486B1 (en) | 2014-03-05 | 2016-03-22 | Sandia Corporation | Malware detection and analysis |
KR101889500B1 (en) | 2014-03-07 | 2018-09-20 | 한국전자통신연구원 | Method and System for Network Connection-Chain Traceback using Network Flow Data |
US9886521B2 (en) | 2014-03-13 | 2018-02-06 | International Business Machines Corporation | Adaptive sampling schemes for clustering streaming graphs |
US20150261842A1 (en) | 2014-03-15 | 2015-09-17 | International Business Machines Corporation | Conformance specification and checking for hosting services |
US10263836B2 (en) | 2014-03-24 | 2019-04-16 | Microsoft Technology Licensing, Llc | Identifying troubleshooting options for resolving network failures |
US9853997B2 (en) | 2014-04-14 | 2017-12-26 | Drexel University | Multi-channel change-point malware detection |
US9762443B2 (en) | 2014-04-15 | 2017-09-12 | Splunk Inc. | Transformation of network data at remote capture agents |
US9319384B2 (en) | 2014-04-30 | 2016-04-19 | Fortinet, Inc. | Filtering hidden data embedded in media files |
US9659079B2 (en) | 2014-05-30 | 2017-05-23 | Wal-Mart Stores, Inc. | Shard determination logic for scalable order and inventory management architecture with a sharded transactional database |
US9531589B2 (en) | 2014-05-30 | 2016-12-27 | Cisco Technology, Inc. | Automating monitoring using configuration event triggers in a network environment |
WO2016004075A1 (en) | 2014-06-30 | 2016-01-07 | Amazon Technologies, Inc. | Interactive interfaces for machine learning model evaluations |
EP3164971A1 (en) | 2014-07-01 | 2017-05-10 | Telefonaktiebolaget LM Ericsson (publ) | Methods and nodes for congestion control |
CN104065518A (en) | 2014-07-07 | 2014-09-24 | 北京市博汇科技股份有限公司 | Determining method and device for network data packet loss position |
US9645892B1 (en) | 2014-07-08 | 2017-05-09 | EMC IP Holding Company LLC | Recording file events in change logs while incrementally backing up file systems |
US9887886B2 (en) * | 2014-07-15 | 2018-02-06 | Sap Se | Forensic software investigation |
US10659478B2 (en) | 2014-07-21 | 2020-05-19 | David Paul Heilig | Identifying stealth packets in network communications through use of packet headers |
JP6419967B2 (en) | 2014-07-30 | 2018-11-07 | フォワード・ネットワークス・インコーポレテッド | System and method for network management |
US20160036837A1 (en) | 2014-08-04 | 2016-02-04 | Microsoft Corporation | Detecting attacks on data centers |
CN105517668B (en) | 2014-08-06 | 2019-05-28 | 华为技术有限公司 | Identify the method and device of network transmission congestion |
US20160050132A1 (en) | 2014-08-18 | 2016-02-18 | Telefonaktiebolaget L M Ericsson (Publ) | Method and system to dynamically collect statistics of traffic flows in a software-defined networking (sdn) system |
US10044570B2 (en) * | 2014-08-22 | 2018-08-07 | Vmware, Inc. | Policy management system with proactive and reactive monitoring and enforcement |
US9992225B2 (en) | 2014-09-12 | 2018-06-05 | Topspin Security Ltd. | System and a method for identifying malware network activity using a decoy environment |
US9537841B2 (en) | 2014-09-14 | 2017-01-03 | Sophos Limited | Key management for compromised enterprise endpoints |
US9935854B2 (en) | 2014-09-23 | 2018-04-03 | Uila Networks, Inc. | Infrastructure performance monitoring |
US10091174B2 (en) | 2014-09-29 | 2018-10-02 | Dropbox, Inc. | Identifying related user accounts based on authentication data |
US10270658B2 (en) | 2014-09-30 | 2019-04-23 | Cisco Technology, Inc. | Zero touch configuration and synchronization of a service appliance in a network environment |
US9524173B2 (en) | 2014-10-09 | 2016-12-20 | Brocade Communications Systems, Inc. | Fast reboot for a switch |
US11159599B2 (en) | 2014-10-10 | 2021-10-26 | Dynatrace Llc | Method and system for real-time modeling of communication, virtualization and transaction execution related topological aspects of monitored software applications and hardware entities |
US9781004B2 (en) | 2014-10-16 | 2017-10-03 | Cisco Technology, Inc. | Discovering and grouping application endpoints in a network environment |
US10171318B2 (en) | 2014-10-21 | 2019-01-01 | RiskIQ, Inc. | System and method of identifying internet-facing assets |
US9762490B2 (en) | 2014-10-27 | 2017-09-12 | Telefonaktiebolaget L M Ericsson (Publ) | Content filtering for information centric networks |
US9832213B2 (en) | 2014-10-31 | 2017-11-28 | Cyber Crucible Inc. | System and method for network intrusion detection of covert channels based on off-line network traffic |
US10992520B2 (en) * | 2014-11-06 | 2021-04-27 | Hewlett Packard Enterprise Development Lp | Network policy graphs |
EP3021217A1 (en) | 2014-11-14 | 2016-05-18 | Semmle Limited | Distributed analysis and attribution of source code |
US9904584B2 (en) | 2014-11-26 | 2018-02-27 | Microsoft Technology Licensing, Llc | Performance anomaly diagnosis |
US9495193B2 (en) | 2014-12-05 | 2016-11-15 | International Business Machines Corporation | Monitoring hypervisor and provisioned instances of hosted virtual machines using monitoring templates |
US9584536B2 (en) | 2014-12-12 | 2017-02-28 | Fortinet, Inc. | Presentation of threat history associated with network activity |
US9667653B2 (en) | 2014-12-15 | 2017-05-30 | International Business Machines Corporation | Context-aware network service policy management |
US9253206B1 (en) | 2014-12-18 | 2016-02-02 | Docusign, Inc. | Systems and methods for protecting an online service attack against a network-based attack |
US9609517B2 (en) | 2014-12-19 | 2017-03-28 | Intel Corporation | Cooperative security in wireless sensor networks |
US10261851B2 (en) | 2015-01-23 | 2019-04-16 | Lightbend, Inc. | Anomaly detection using circumstance-specific detectors |
US10893100B2 (en) | 2015-03-12 | 2021-01-12 | International Business Machines Corporation | Providing agentless application performance monitoring (APM) to tenant applications by leveraging software-defined networking (SDN) |
US10193929B2 (en) | 2015-03-13 | 2019-01-29 | Varmour Networks, Inc. | Methods and systems for improving analytics in distributed networks |
US9819689B2 (en) | 2015-03-13 | 2017-11-14 | Microsoft Technology Licensing, Llc | Large scale malicious process detection |
US9438618B1 (en) | 2015-03-30 | 2016-09-06 | Amazon Technologies, Inc. | Threat detection and mitigation through run-time introspection and instrumentation |
US10291473B2 (en) | 2015-03-31 | 2019-05-14 | Ca, Inc. | Routing policy impact simulation |
US9462013B1 (en) | 2015-04-29 | 2016-10-04 | International Business Machines Corporation | Managing security breaches in a networked computing environment |
US10374904B2 (en) | 2015-05-15 | 2019-08-06 | Cisco Technology, Inc. | Diagnostic network visualization |
US9800497B2 (en) | 2015-05-27 | 2017-10-24 | Cisco Technology, Inc. | Operations, administration and management (OAM) in overlay data center environments |
US20160359695A1 (en) | 2015-06-04 | 2016-12-08 | Cisco Technology, Inc. | Network behavior data collection and analytics for anomaly detection |
US9967158B2 (en) | 2015-06-05 | 2018-05-08 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US10536357B2 (en) | 2015-06-05 | 2020-01-14 | Cisco Technology, Inc. | Late data detection in data center |
US10033766B2 (en) | 2015-06-05 | 2018-07-24 | Cisco Technology, Inc. | Policy-driven compliance |
US10142353B2 (en) | 2015-06-05 | 2018-11-27 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10089099B2 (en) | 2015-06-05 | 2018-10-02 | Cisco Technology, Inc. | Automatic software upgrade |
US9553885B2 (en) | 2015-06-08 | 2017-01-24 | Illusive Networks Ltd. | System and method for creation, deployment and management of augmented attacker map |
US10063446B2 (en) | 2015-06-26 | 2018-08-28 | Intel Corporation | Netflow collection and export offload using network silicon |
US10362113B2 (en) | 2015-07-02 | 2019-07-23 | Prasenjit Bhadra | Cognitive intelligence platform for distributed M2M/ IoT systems |
US10091087B2 (en) | 2015-07-20 | 2018-10-02 | Cisco Technology, Inc. | Methods and systems for load balancing based on data shard leader |
US20170032310A1 (en) * | 2015-07-28 | 2017-02-02 | Charles Mimnaugh | Inventory management and marketplace |
US10498588B2 (en) | 2015-08-13 | 2019-12-03 | Level 3 Communications, Llc | Systems and methods for managing network health |
US20170070582A1 (en) | 2015-09-03 | 2017-03-09 | Alcatel Lucent | Network entity discovery and service stitching |
US9733973B2 (en) | 2015-09-16 | 2017-08-15 | Cisco Technology, Inc. | Automatically determining sensor location in a virtualized computing environment |
KR102156303B1 (en) * | 2015-11-12 | 2020-09-15 | 딥마인드 테크놀로지스 리미티드 | Asynchronous deep reinforcement learning |
US10306490B2 (en) | 2016-01-20 | 2019-05-28 | Netscout Systems Texas, Llc | Multi KPI correlation in wireless protocols |
EP3424196A1 (en) | 2016-02-29 | 2019-01-09 | Level 3 Communications, LLC | Systems and methods for dynamic firewall policy configuration |
US10284444B2 (en) | 2016-02-29 | 2019-05-07 | Airmagnet, Inc. | Visual representation of end user response time in a multi-tiered network application |
WO2017168202A1 (en) | 2016-03-27 | 2017-10-05 | Yogesh Chunilal Rathod | Identifying & storing followers, following users, viewers, users and connections for user |
US10523598B2 (en) | 2016-04-04 | 2019-12-31 | Futurewei Technologies, Inc. | Multi-path virtual switching |
US10243926B2 (en) | 2016-04-08 | 2019-03-26 | Cisco Technology, Inc. | Configuring firewalls for an industrial automation network |
US9961099B2 (en) | 2016-04-18 | 2018-05-01 | Acalvio Technologies, Inc. | Systems and methods for detecting and tracking adversary trajectory |
US10153977B2 (en) | 2016-05-12 | 2018-12-11 | Cisco Technology, Inc. | Adapting control plane policing parameters dynamically |
US10171357B2 (en) | 2016-05-27 | 2019-01-01 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10289438B2 (en) | 2016-06-16 | 2019-05-14 | Cisco Technology, Inc. | Techniques for coordination of application components deployed on distributed virtual machines |
US20180007115A1 (en) | 2016-07-01 | 2018-01-04 | Cisco Technology, Inc. | Fog enabled telemetry embedded in real time multimedia applications |
DE202016004628U1 (en) * | 2016-07-27 | 2016-09-23 | Google Inc. | Traversing an environment state structure using neural networks |
US10972388B2 (en) | 2016-11-22 | 2021-04-06 | Cisco Technology, Inc. | Federated microburst detection |
US10523512B2 (en) * | 2017-03-24 | 2019-12-31 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
CN107196807A (en) | 2017-06-20 | 2017-09-22 | 清华大学深圳研究生院 | Network intermediary device and its dispositions method |
-
2017
- 2017-03-27 US US15/470,410 patent/US10594560B2/en active Active
-
2020
- 2020-03-16 US US16/820,404 patent/US11146454B2/en active Active
-
2021
- 2021-09-22 US US17/482,411 patent/US11646940B2/en active Active
-
2023
- 2023-05-08 US US18/314,025 patent/US20230283520A1/en active Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180152884A1 (en) * | 2016-11-30 | 2018-05-31 | At&T Intellectual Property I, L.P. | Intent-based service engine for a 5g or other next generation mobile core network |
Also Published As
Publication number | Publication date |
---|---|
US20220014436A1 (en) | 2022-01-13 |
US10594560B2 (en) | 2020-03-17 |
US11146454B2 (en) | 2021-10-12 |
US20180278480A1 (en) | 2018-09-27 |
US20200220780A1 (en) | 2020-07-09 |
US11646940B2 (en) | 2023-05-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11646940B2 (en) | Intent driven network policy platform | |
US10250446B2 (en) | Distributed policy store | |
US11252038B2 (en) | Network agent for generating platform specific network policies | |
US10897403B2 (en) | Distributed network management using a logical multi-dimensional label-based policy model | |
US10148511B2 (en) | Managing servers based on pairing keys to implement an administrative domain-wide policy | |
US10397273B1 (en) | Threat intelligence system | |
US20180278459A1 (en) | Sharding Of Network Resources In A Network Policy Platform | |
US20230147790A1 (en) | Network agent for reporting to a network policy system | |
US10565372B1 (en) | Subscription-based multi-tenant threat intelligence service | |
US10887333B1 (en) | Multi-tenant threat intelligence service | |
US20220247786A1 (en) | Security policy generation and enforcement for device clusters | |
US10230802B2 (en) | Providing stateless network services | |
US8589589B2 (en) | Method and system for creating an overlay structure for management information bases | |
US10938902B2 (en) | Dynamic routing of file system objects | |
US10320617B2 (en) | Representation of servers in a distributed network information management system for efficient aggregation of information | |
US11374979B2 (en) | Graph-based policy representation system for managing network devices | |
US11816119B2 (en) | System and methods for querying and updating databases | |
US20230319115A1 (en) | Systems and methods for validating, maintaining, and visualizing security policies | |
US20230011588A1 (en) | Relationship-Based Search in a Computing Environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:PRASAD, ROHIT;GANDHAM, SHASHI;NGUYEN, HOANG;AND OTHERS;SIGNING DATES FROM 20170309 TO 20170326;REEL/FRAME:063570/0804 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |