US20180077110A1 - Augmenting network flow with passive dns information - Google Patents

Augmenting network flow with passive dns information Download PDF

Info

Publication number
US20180077110A1
US20180077110A1 US15/261,474 US201615261474A US2018077110A1 US 20180077110 A1 US20180077110 A1 US 20180077110A1 US 201615261474 A US201615261474 A US 201615261474A US 2018077110 A1 US2018077110 A1 US 2018077110A1
Authority
US
United States
Prior art keywords
flow
network
domain name
flow record
recited
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US15/261,474
Other versions
US10904203B2 (en
Inventor
Lawrence B. Huston, III
James E. Winquist
Alex Levine
Ronald G. Hay
Brett Higgins
Andrew D. Mortensen
William M. Northway, JR.
Eric Jackson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Arbor Networks Inc
Original Assignee
Arbor Networks Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Arbor Networks Inc filed Critical Arbor Networks Inc
Priority to US15/261,474 priority Critical patent/US10904203B2/en
Assigned to ARBOR NETWORKS, INC. reassignment ARBOR NETWORKS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LEVINE, ALEX, NORTHWAY, WILLIAM M., JR., HAY, RONALD G., HIGGINS, BRETT, MORTENSEN, ANDREW D., WINQUIST, JAMES E., HUSTON, LAWRENCE B., III, JACKSON, ERIC
Publication of US20180077110A1 publication Critical patent/US20180077110A1/en
Application granted granted Critical
Publication of US10904203B2 publication Critical patent/US10904203B2/en
Assigned to JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT reassignment JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AIRMAGNET, INC., ARBOR NETWORKS, INC., NETSCOUT SYSTEMS TEXAS, LLC, NETSCOUT SYSTEMS, INC.
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/028Capturing of monitoring data by filtering
    • H04L61/1511
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/06Generation of reports
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/06Generation of reports
    • H04L43/062Generation of reports related to network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/18Protocol analysers

Definitions

  • Embodiments of the present invention relate generally to the processing of network packets, and specifically to augmenting network flow with passive Domain Name System (DNS) information.
  • DNS passive Domain Name System
  • Various network management systems are used to monitor networks. These systems can exist as stand-alone, dedicated systems or be embedded in network communications devices such as routers and switches. Other tools include special-purpose systems, such as firewalls and other network security devices that are typically used to manage the communications at boundaries between the networks.
  • a “flow” is defined as “a unidirectional sequence of packets with some common properties that pass through a network device.”
  • Another type of network metadata referred to by various vendors as NetFlow, jFlow, sFlow, etc., has also been introduced as a part of standard network traffic (hereafter generally referred to as “flow records”.)
  • Flow records are often generated by the network devices. These are often digested information concerning individual network flows or groups of network flows sharing some common characteristic(s).
  • the flow records often include, for example, internet protocol (IP) addresses, packet and byte counts, timestamps, Type of Service (ToS), application ports, input and output interfaces, to list a few examples.
  • IP internet protocol
  • ToS Type of Service
  • Flow analysis is a central component of large-scale network management and service systems.
  • a method for encoding domain name information into flow records includes receiving a flow record.
  • the flow record includes initial network flow information in a standard flow record format including at least a source address and a destination address. Domain name information associated with each of the source address and destination address is retrieved from a database.
  • the domain name information is encoded into the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
  • a monitoring system in another aspect, includes a monitored network consisting of a plurality of devices.
  • the monitoring system further includes a database for storing DNS information.
  • the monitoring system also includes one or more network monitoring devices communicatively coupled to the monitored network and to the database.
  • the monitoring device(s) are configured and operable to receive a flow record. Domain name information associated with each of the source address and destination address is retrieved from a database by the monitoring device(s).
  • the domain name information is encoded, by the monitoring device(s), with the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
  • FIG. 1 is a block diagram of the inventive flow augmentation system deployed within a network
  • FIG. 2 is a schematic diagram of the network monitor, according to an embodiment of the present invention.
  • FIG. 3 is a flowchart showing the operation of the flow analysis engine and the encoding and distribution engine of the network monitor, according to an embodiment of the present invention
  • FIG. 4 is a flowchart showing the operation of the enhanced flow reporting engine of the network monitor, according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram illustrating a packet for transporting flow information according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram illustrating enhanced flow information in a packet, according to an embodiment of the present invention.
  • the embodiments of this invention as discussed below are preferably a software algorithm, program or code residing on computer useable medium having control logic for enabling execution on a machine having a computer processor.
  • the machine typically includes memory storage configured to provide output from execution of the computer algorithm or program.
  • the term “software” is meant to be synonymous with any code or program that can be in a processor of a host computer, regardless of whether the implementation is in hardware, firmware or as a software computer product available on a disc, a memory storage device, or for download from a remote machine.
  • the embodiments described herein include such software to implement the equations, relationships and algorithms described below.
  • One skilled in the art will appreciate further features and advantages of the invention based on the below-described embodiments. Accordingly, the invention is not to be limited by what has been particularly shown and described, except as indicated by the appended claims.
  • a computer system component may constitute a “module” that is configured and operates to perform certain operations as described herein below.
  • module should be understood to encompass a tangible entity, be that an entity that is physically constructed, permanently configured (e.g., hardwired) or temporarily configured (e.g. programmed) to operate in a certain manner and to perform certain operations described herein.
  • Various embodiments of the present invention can be used to facilitate the creation of scalable flow monitoring solutions.
  • the embodiments of the invention also demonstrate that there can be a reasonably low overhead for this lightweight approach.
  • An embodiment of the present invention takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with passive DNS information.
  • This information is derived from a number of sources, including, for example, a passive domain name system database.
  • These annotations add DNS information to the flow data, and can be used to perform further data flow analysis that is not available without the DNS information.
  • the annotated flow is then resent to a configurable set of destinations using standard flow formatting. For example, Netflow v9 format with user defined fields or IPFIX format with enterprise specific information elements may be used in some implementations.
  • This embodiment allows the enhanced flow record to be processed and the enhanced data flow information to be used by other flow analysis tools and existing flow analysis infrastructure.
  • a “data source,” as used herein, may include any entity initiating or providing data through a data flow.
  • a single data flow may have multiple collaborating data sources.
  • Advantages over existing systems include real-time data gathering on the state of existing network traffic flows and real-time mapping of domain traffic directly at the flow level.
  • DNS data collection and analysis of existing systems are performed after identifying traffic points of interest, often accompanied by long delays between the sending of the original flow information from the network devices and the availability of the additional DNS information generated by various network tools.
  • performing mapping of domain traffic at the flow level affords number of advantages.
  • mapping of domain traffic at the flow level enables identification of higher-level growth trends in the observed network traffic characteristics and classification of the identified higher-level trends while the overall traffic volume is still small. This allows the monitoring system to detect small but rapidly growing traffic trends before they become large.
  • embodiments of the present invention feature a method of processing network flow information.
  • the method comprises receiving a flow record exported from a network device element and augmenting the flow record with passive DNS information.
  • the network device element is any of: a server, a router, a switch, a hub, a firewall, a packet scanner/analyzer, or any other computing device.
  • the method includes sending the enhanced flow record to a configurable set of destinations using customized flow formatting.
  • the additional information is derived, at least in part, from a passive DNS data source, in one example.
  • the source and destination addresses identified in the received flow record are looked up using the passive DNS information data source and the associated domain names are augmented to the flow record.
  • the embodiments of the invention feature a flow augmentation module.
  • This flow augmentation module comprises a flow analysis engine which receives flow record from a network device and which selects information from at least one DNS source to be added to the flow record.
  • a flow encoding and distribution engine is provided that augments the flow record with the selected DNS information to create an enhanced flow record, and that transmits the enhanced flow record to a configurable set of destinations comprising at least one of an additional flow augmentation module and a flow consumer.
  • An enhanced flow reporting engine is configured to provide the enhanced flow information responsive to users' requests.
  • FIG. 1 illustrates a block diagram of a flow augmentation system 100 deployed within a network 102 according to the principles of the present invention.
  • network communication devices such as routers 104 a , 104 b and/or switches 106 collect flow information from the packet information that is transmitted through the network 102 between other network communications devices, network nodes, and host computers. Flow information is also collected, in some examples from packet monitors or taps 108 that are installed usually solely to monitor packet traffic.
  • packet monitors or taps 108 A non-limiting example here is the Netflow Analyzer offered by Cisco Systems, Inc.
  • Other exemplary sources of flow information include network security devices, e.g., firewalls 110 , which apply security policies and monitor for malicious code/packets.
  • the flow information 103 from these collectors is forwarded to one or more network monitors 112 a , 112 b .
  • these network monitors 112 a , 112 b and other network monitors in the network, 112 c , 112 d , 112 e function in a peer-to-peer relationship. Such a relationship is used to provide redundancy such that failure of any network monitor does not undermine the operation of other monitors.
  • master-slave relationships are defined in which one of the monitors 112 functions as master to other slave monitors.
  • a separate monitor controller 114 is deployed.
  • the network monitors 112 are used to monitor network activity based on the received flow information 103 .
  • the network monitors 112 a , 112 b analyze the flow to determine whether the network activity is in compliance with policies for the network 102 .
  • policies include network management policies related to traffic levels, for example, and network security policies related to maintaining the security of the network and protecting it against attacks, such as denial of service attacks, viruses, or worms.
  • the network monitors 112 a , 112 b further augment the flow information with additional information derived from passive DNS traffic analysis.
  • the network 102 may further include a passive DNS database 118 . It should be noted that data stored in the passive DNS database 118 may be either internally-generated or third party-sourced, in various embodiments.
  • the passive DNS database 118 may also store additional information, such as a list or multiple lists of known malicious domain names. These lists of known malicious domain names may be created or updated by running known malware samples in a controlled environment, and then classifying all the domain names contacted by the malware samples that do not match a pre-compiled white list (e.g., a large list of popular, legitimate domain names from Alexa.com). In addition, domain names, which do not match a pre-compiled white list, may be extracted from spam emails collected using a spam-trap.
  • a pre-compiled white list e.g., a large list of popular, legitimate domain names from Alexa.com
  • the network monitors 112 a , 112 b may utilize the information stored in the passive DNS database 118 to augment the flow information 103 with the DNS information. Additional information about how the network monitors 112 are utilized is described below.
  • the network monitors 112 a , 112 b augment the flow information and send the enhanced flow information 107 to each other and various flow consumers 109 , which include additional flow augmenting network monitors 112 c , 112 d and also possibly the controller 114 .
  • the additional flow augmentation modules 112 c for example, output one or more further enhanced flows 113 to further flow consumers and/or augmentation modules 112 e , in one example.
  • FIG. 2 is a schematic diagram of the flow augmenting network monitors 112 of FIG. 1 .
  • the monitor 112 is logically broken down into three functions: a flow analysis engine 201 , a flow encoding and distribution engine 203 and an enhanced flow reporting engine 202 . Although shown separately, these three functions are often combined into a single operating module, implemented in hardware, software, or a combination thereof.
  • the network monitor 112 applies available policies to the flow and analyzes the flow in terms of passive DNS information, and other information received from other data sources including one or more internally maintained databases 205 .
  • the enhanced flow is then encoded and distributed by the distribution engine 203 to various consumers of the flow information.
  • a distribution list 207 identifies the entities that will receive the enhanced flow information.
  • the distributed enhanced flow information may be stored in an enhanced flow information database 211 .
  • the enhanced flow reporting engine 202 may be configured to provide reporting functionally related to the enhanced flow information responsive to users' requests.
  • the enhanced flow reporting engine 202 may provide augmented network flow information of interest broken down by domain names. Additional information about the enhanced flow reporting engine 202 is provided below.
  • FIG. 3 is a flowchart showing the operation of the flow analysis engine 201 and the encoding and distribution engine 203 of the network monitor 112
  • FIG. 4 is a flowchart showing the operation of the enhanced flow reporting engine 202 of the network monitor 112 according to an embodiment of the present invention.
  • the flow diagrams in FIGS. 3 and 4 show examples in which operational steps are carried out in a particular order, as indicated by the lines connecting the blocks, but the various steps shown in these diagrams can be performed in any order, or in any combination or sub-combination. It should be appreciated that in some embodiments some of the steps described below may be combined into a single step. In some embodiments, one or more additional steps may be included.
  • step 302 flow data are received by the flow analysis engine 201 .
  • This received data comprises, in examples, standard flow records, for example from network communication devices such as routers 104 and switch 106 or other network devices 108 , 110 .
  • step 304 if passive DNS information is available, the flow analysis engine 201 retrieves a list of names related to the IP address(es) extracted the received flow records from the passive DNS database 118 .
  • the flow analysis engine 201 maps the retrieved domain name information to the source and destination address information contained in the received standard flow records.
  • the standard flow record comprises the 5-tuple association of values including source IP address, source port number, destination IP address, destination port number, and protocol. It should be noted that some DNS servers could store multiple IP address entries for a host, and deliver successive mappings based on a round-robin scheme. In this case, the flow analysis engine 201 maps a host name to one of many IP addresses. In other words, in step 306 , the flow analysis engine 201 generates a mapping that associates the received standard flow records with corresponding domain name information and sends both the mappings and the standard flow records to the encoding and distribution engine 203 . At least in some embodiments, the flow analysis engine 201 may store the mapped domain names and addresses as the domain name information in the passive DNS database 118 .
  • the encoding and distribution engine 203 preferably encodes the domain name information in the associated flow record to yield an enhanced flow record, while maintaining the initial network flow information contained in the received standard flow records.
  • the standard flow information may additionally be augmented with policy information.
  • the enhanced flow record may describe whether the flow matches a configured network traffic policy signature, or not, and may identify that signature.
  • Signature detection includes flags that indicate if the flow matches a known worm or denial of service (DOS) attack signature, or other signatures either auto-learned by the system or configured by the user.
  • DOS denial of service
  • any given flow may be augmented by any combination of the above passive DNS information.
  • the DNS information chosen for augmentation by the encoding and distribution engine 203 can be based on user configuration or automatically determined by the system based on the domain name data that are available for the flow.
  • the encoding and distribution engine 203 may store the augmented data flow record in a centralized enhanced flow record repository 211 (shown in FIG. 2 ).
  • the repository 211 may be a conventional, fault tolerant, relational, scalable, secure database such as Oracle or Sybase. Relational databases are an extension of a flat file. Relational databases consist of a series of related tables. The tables are interconnected via a key field.
  • the enhanced flow record repository 211 may be implemented using various standard data-structures, such as an array, hash, (linked) list, struct, structured text file (e.g., XML), table, and/or the like.
  • the repository 211 may be implemented as a mix of data structures, objects, and relational structures. Repositories 211 maintained by each network monitor 112 may be consolidated and/or distributed in countless variations through standard data processing techniques. Portions of repositories 211 , e.g., tables, may be exported and/or imported and thus decentralized and/or integrated.
  • the augmented flow records may be sent by the encoding and distribution engine 203 to a configurable set of destinations that often make use of both the original flow information and the enhanced flow information to do useful work, either by reporting on the flow information, detecting network problems, generating alerts, or other analysis.
  • the augmented flow records further preferably use a standard flow representation method to encode and send the augmented DNS information, such as the industry-standard NetFlow version 9 format, which is maintained by Cisco Systems Inc. and which has been implemented by Juniper. Augmented flow records can thus be processed by both standard flow analysis tools as well as flow analyzers enhanced to make use of the additional domain name information.
  • a standard flow representation method to encode and send the augmented DNS information, such as the industry-standard NetFlow version 9 format, which is maintained by Cisco Systems Inc. and which has been implemented by Juniper.
  • Augmented flow records can thus be processed by both standard flow analysis tools as well as flow analyzers enhanced to make use of the additional domain name information.
  • the packets include the augmented flow information implemented using Netflow.
  • the encoding and distribution engine 203 adds new “field type definitions” and populates these new fields with the retrieved DNS information. More specifically, Netflow (version 9) information may be sent in packets that contain header information and then one or more enhanced flow records. All version 9 flow packets (including augmented flow packets) preferably use a standard header format, which is defined by the Netflow v9, in one implementation.
  • the packet headers include the protocol (Netflow) version, record count, system uptime, a time stamp, sequence number and source identification.
  • the content and format of these records is defined by a Netflow v9 template, which may be sent periodically by the flow sources using the Template FlowSet packet format, for example.
  • This is a standard packet format for NetFlow v9.
  • Each template sent by a flow source is given a unique ID, which must be placed in the FlowSet Template ID field of a packet, so that the receiver can know how to decode the received flow records.
  • the template defines which data fields are present in each flow record and in which order, what values represent, and what size values are.
  • Some exemplary field types that might be defined in a standard NetFlow v9 Template are illustrated in Table (1) below:
  • IPV4 SRC ADDR 8 4 IPv4 Source Address IPV4 DST ADDR 12 4 IPv4 Destination Address L4 SRC PORT 7 2 TCP/UDP source port number L4 DST PORT 11 2 TCP/UDP dest. port number PROTOCOL 4 1 IP Protocol SRC HOST FQDN 10 16 FQDN of source host DST HOST FQDN 14 16 FQDN of destination host
  • FIG. 6 shows a sample packet containing an enhanced flow record.
  • the size of the fields has been rounded up to 4 bytes, even though in actuality they may use different sizes).
  • the encoding and distribution engine 203 of the network monitor 112 adds new field type definitions to represent the new DNS information being added to the augmented flow records.
  • the encoding and distribution engine 203 sends out an annotated flow template using the standard flow template format and incorporating these new field types.
  • the encoding and distribution engine 203 then sends annotated flows using the standard flow format and incorporating the new DNS information defined by the template definition.
  • network monitors 112 may be further configured and operable to analyze the plurality of the enhanced flow records stored in the flow record repository 211 according to a user specified criteria and to provide reporting functionality based on the performed analysis.
  • FIG. 4 is a flowchart showing the operation of the enhanced flow reporting engine 202 of the network monitor 112 according to an embodiment of the present invention.
  • a user interface component e.g. a graphical user interface (GUI) of the flow reporting engine 202 receives, from a user, a set of selectable reporting criteria, which the flow reporting engine 202 uses to select specific enhanced flow records meeting such criteria.
  • GUI graphical user interface
  • a user may be interested in identifying particular domains that are top sources of observed network traffic growth.
  • a user can interact with the user interface component to define traffic of interest, for example, by selecting the domains, defining one or more regular expressions matching on domains or by specifying a collection of network resources or services.
  • users may utilize the reporting criteria to ask the flow reporting engine 202 to monitor growth of respective traffic to domains over time.
  • step 404 the flow reporting engine 202 retrieves data matching the user-specified reporting criteria from the enhanced flow record repository 211 .
  • the flow reporting engine 202 determines whether data aggregation is required based on the specified criteria. Such aggregation may be required if network traffic is distributed across a wide range of IP addresses.
  • DNS names are structured in a way that allows flexibility on matching the traffic.
  • two forms of DNS service may be supported: an Internet-facing DNS service that allows the rest of the world to resolve host names to Internet-allocated IP addresses, and an internal DNS service that resolves host names to internal network addresses.
  • an enhanced flow record may contain “host1.engineering.example.com” as FQDN of the source host and “host 2.engineering.example.com” as FQDN of the destination host.
  • enhanced flow record information can be aggregated and tabular results presented by grouping data on a single host (or collection of hosts sharing the same name). If the reporting criteria included one or more domain name suffix strings, such as “engineering.example.com”, then the flow reporting engine 202 should aggregate and filter the retrieved domain name information matching this exemplary suffix string, for example. As yet another example, the flow reporting engine 202 may need to aggregate and tabulate results for all records associated with the “example.com” registered domain, which would correspond to all network traffic related to the company.
  • the flow reporting engine 202 In response to determining that data aggregation is required (decision block 406 , “Yes” branch), the flow reporting engine 202 preferably aggregates the respective enhanced flow records in step 408 .
  • the flow reporting engine 202 Responsive to a determination that the aggregation is not required (decision block 406 , “no” branch), or after performing the data aggregation, in step 410 , the flow reporting engine 202 generates a report and provides results for all enhanced data flow records matching the criteria. For example, if the user requested monitoring growth of traffic to domains over time, the report generated in step 410 may identify fast growing sources of traffic that may lead to the worsening traffic issues in the future. This enables users, for example, to detect new attacks well before they become a significant problem.
  • various embodiments of the present invention disclose a novel approach to augment network flow records with passive DNS information.
  • the disclosed approach provides a number of advantages.
  • One benefit of the above-described flow augmentation approach is that all standard flow template fields can now be incorporated into augmented flow records, and then additional template fields added to provide arbitrary DNS information.
  • the ability of existing flow analysis software to decode and read the standard flow fields is not impacted.
  • a scalable and flexible way to support new analysis software is provided, which can make use of both the standard and new flow annotation fields, from the same NetFlow v9 packet.
  • providing information breakdowns by domains can improve understanding on how the network is being used. Monitoring growth of domains enables identification of new popular applications and could indicate new trends that have a potential of affecting the growth and management of the network.
  • the various embodiments disclosed herein can be implemented as any combination of hardware, firmware, and software.
  • the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium.
  • the application program may be uploaded to, and executed by, a machine comprising any suitable architecture.
  • the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces.
  • CPUs central processing units
  • the computer platform may also include an operating system and microinstruction code.
  • the various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such computer or processor is explicitly shown.
  • various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit.
  • a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block might occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Environmental & Geological Engineering (AREA)

Abstract

A method for encoding domain name information into flow records includes receiving a flow record. The flow record includes initial network flow information in a standard flow record format including at least a source address and a destination address. Domain name information associated with each of the source address and destination address is retrieved from a database. The domain name information is encoded into the received flow record while maintaining the initial network flow information to yield an enhanced flow record.

Description

    FIELD OF THE INVENTION
  • Embodiments of the present invention relate generally to the processing of network packets, and specifically to augmenting network flow with passive Domain Name System (DNS) information.
    • BACKGROUND OF THE INVENTION
  • Various network management systems are used to monitor networks. These systems can exist as stand-alone, dedicated systems or be embedded in network communications devices such as routers and switches. Other tools include special-purpose systems, such as firewalls and other network security devices that are typically used to manage the communications at boundaries between the networks.
  • One source of information for monitoring networks is flow information. A “flow” is defined as “a unidirectional sequence of packets with some common properties that pass through a network device.” Internet Engineering Task Force, RFC 3954. More recently, another type of network metadata, referred to by various vendors as NetFlow, jFlow, sFlow, etc., has also been introduced as a part of standard network traffic (hereafter generally referred to as “flow records”.) Flow records are often generated by the network devices. These are often digested information concerning individual network flows or groups of network flows sharing some common characteristic(s). The flow records often include, for example, internet protocol (IP) addresses, packet and byte counts, timestamps, Type of Service (ToS), application ports, input and output interfaces, to list a few examples. This information is available from Netflow technology, for example. Generally, computer network devices that generate flow records include, for example, routers, switches, firewalls, and hubs. In other examples, packet scanners/analyzers (e.g., Arbor Networks PEAKFLOW® threat management system (TMS)) are used. Flows may be collected and exported for analysis. Flow analysis is a central component of large-scale network management and service systems.
    • SUMMARY OF THE INVENTION
  • The purpose and advantages of the illustrated embodiments will be set forth in and apparent from the description that follows. Additional advantages of the illustrated embodiments will be realized and attained by the devices, systems and methods particularly pointed out in the written description and claims hereof, as well as from the appended drawings.
  • In accordance with a purpose of the illustrated embodiments, in one aspect, a method for encoding domain name information into flow records is provided. The method includes receiving a flow record. The flow record includes initial network flow information in a standard flow record format including at least a source address and a destination address. Domain name information associated with each of the source address and destination address is retrieved from a database. The domain name information is encoded into the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
  • In another aspect, a monitoring system includes a monitored network consisting of a plurality of devices. The monitoring system further includes a database for storing DNS information. The monitoring system also includes one or more network monitoring devices communicatively coupled to the monitored network and to the database. The monitoring device(s) are configured and operable to receive a flow record. Domain name information associated with each of the source address and destination address is retrieved from a database by the monitoring device(s). The domain name information is encoded, by the monitoring device(s), with the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The accompanying appendices and/or drawings illustrate various, non-limiting, examples, inventive aspects in accordance with the present disclosure:
  • FIG. 1 is a block diagram of the inventive flow augmentation system deployed within a network;
  • FIG. 2 is a schematic diagram of the network monitor, according to an embodiment of the present invention;
  • FIG. 3 is a flowchart showing the operation of the flow analysis engine and the encoding and distribution engine of the network monitor, according to an embodiment of the present invention;
  • FIG. 4 is a flowchart showing the operation of the enhanced flow reporting engine of the network monitor, according to an embodiment of the present invention;
  • FIG. 5 is a schematic diagram illustrating a packet for transporting flow information according to an embodiment of the present invention, and
  • FIG. 6 is a schematic diagram illustrating enhanced flow information in a packet, according to an embodiment of the present invention.
    •  DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS
  • The present invention is now described more fully with reference to the accompanying drawings, in which illustrated embodiments of the present invention are shown wherein like reference numerals identify like elements. The present invention is not limited in any way to the illustrated embodiments as the illustrated embodiments described below are merely exemplary of the invention, which can be embodied in various forms, as appreciated by one skilled in the art. Therefore, it is to be understood that any structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative for teaching one skilled in the art to variously employ the present invention. Furthermore, the terms and phrases used herein are not intended to be limiting but rather to provide an understandable description of the invention.
  • Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Although any methods and materials similar or equivalent to those described herein can also be used in the practice or testing of the present invention, exemplary methods and materials are now described. It must be noted that as used herein and in the appended claims, the singular forms “a”, “an,” and “the” include plural referents unless the context clearly dictates otherwise. Thus, for example, reference to “a stimulus” includes a plurality of such stimuli and reference to “the signal” includes reference to one or more signals and equivalents thereof known to those skilled in the art, and so forth.
  • It is to be appreciated the embodiments of this invention as discussed below are preferably a software algorithm, program or code residing on computer useable medium having control logic for enabling execution on a machine having a computer processor. The machine typically includes memory storage configured to provide output from execution of the computer algorithm or program.
  • As used herein, the term “software” is meant to be synonymous with any code or program that can be in a processor of a host computer, regardless of whether the implementation is in hardware, firmware or as a software computer product available on a disc, a memory storage device, or for download from a remote machine. The embodiments described herein include such software to implement the equations, relationships and algorithms described below. One skilled in the art will appreciate further features and advantages of the invention based on the below-described embodiments. Accordingly, the invention is not to be limited by what has been particularly shown and described, except as indicated by the appended claims.
  • In exemplary embodiments, a computer system component may constitute a “module” that is configured and operates to perform certain operations as described herein below. Accordingly, the term “module” should be understood to encompass a tangible entity, be that an entity that is physically constructed, permanently configured (e.g., hardwired) or temporarily configured (e.g. programmed) to operate in a certain manner and to perform certain operations described herein.
  • For many computer networks, the standard flow information that is typically transmitted from network devices is somewhat limited. It is desirable in computer networks to add intelligence to standard network flow monitoring to implement new types of detection and analysis based on flow data.
  • Various embodiments of the present invention can be used to facilitate the creation of scalable flow monitoring solutions. The embodiments of the invention also demonstrate that there can be a reasonably low overhead for this lightweight approach.
  • An embodiment of the present invention takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with passive DNS information. This information is derived from a number of sources, including, for example, a passive domain name system database. These annotations add DNS information to the flow data, and can be used to perform further data flow analysis that is not available without the DNS information. The annotated flow is then resent to a configurable set of destinations using standard flow formatting. For example, Netflow v9 format with user defined fields or IPFIX format with enterprise specific information elements may be used in some implementations. This embodiment allows the enhanced flow record to be processed and the enhanced data flow information to be used by other flow analysis tools and existing flow analysis infrastructure.
  • Various data sources may be used to annotate the flow. A “data source,” as used herein, may include any entity initiating or providing data through a data flow. In some embodiments, a single data flow may have multiple collaborating data sources.
  • Advantages over existing systems include real-time data gathering on the state of existing network traffic flows and real-time mapping of domain traffic directly at the flow level. Of note, DNS data collection and analysis of existing systems are performed after identifying traffic points of interest, often accompanied by long delays between the sending of the original flow information from the network devices and the availability of the additional DNS information generated by various network tools. Thus, performing mapping of domain traffic at the flow level affords number of advantages.
  • First, many existing systems fail to exploit the potential value of the fully qualified domain name, which could provide a natural level of aggregation for reporting purposes. Some traffic to domains can be distributed across a wide range of IP addresses (e.g., in content delivery systems). If the traffic is widely distributed then it might not be included in the top talker report, unless the administrator identifies the range of IP addresses that are related and groups them together manually. Performing aggregation by the fully qualified domain name automatically groups all related traffic without any additional manual configuration.
  • Second, performing mapping of domain traffic at the flow level enables identification of higher-level growth trends in the observed network traffic characteristics and classification of the identified higher-level trends while the overall traffic volume is still small. This allows the monitoring system to detect small but rapidly growing traffic trends before they become large.
  • Third, by resending enhanced flow records to a configurable set of destinations, the same data are reused multiple times in different network monitors for different applications.
  • In general, according to one aspect, embodiments of the present invention feature a method of processing network flow information. The method comprises receiving a flow record exported from a network device element and augmenting the flow record with passive DNS information.
  • In a common implementation, the network device element is any of: a server, a router, a switch, a hub, a firewall, a packet scanner/analyzer, or any other computing device. In addition, the method includes sending the enhanced flow record to a configurable set of destinations using customized flow formatting.
  • The additional information is derived, at least in part, from a passive DNS data source, in one example. The source and destination addresses identified in the received flow record are looked up using the passive DNS information data source and the associated domain names are augmented to the flow record.
  • In general, according to another aspect, the embodiments of the invention feature a flow augmentation module. This flow augmentation module comprises a flow analysis engine which receives flow record from a network device and which selects information from at least one DNS source to be added to the flow record. A flow encoding and distribution engine is provided that augments the flow record with the selected DNS information to create an enhanced flow record, and that transmits the enhanced flow record to a configurable set of destinations comprising at least one of an additional flow augmentation module and a flow consumer. An enhanced flow reporting engine is configured to provide the enhanced flow information responsive to users' requests.
  • Turning now descriptively to the drawings, in which similar reference characters denote similar elements throughout the several views, FIG. 1 illustrates a block diagram of a flow augmentation system 100 deployed within a network 102 according to the principles of the present invention.
  • In more detail, network communication devices such as routers 104 a, 104 b and/or switches 106 collect flow information from the packet information that is transmitted through the network 102 between other network communications devices, network nodes, and host computers. Flow information is also collected, in some examples from packet monitors or taps 108 that are installed usually solely to monitor packet traffic. A non-limiting example here is the Netflow Analyzer offered by Cisco Systems, Inc. Other exemplary sources of flow information include network security devices, e.g., firewalls 110, which apply security policies and monitor for malicious code/packets.
  • The flow information 103 from these collectors is forwarded to one or more network monitors 112 a, 112 b. In some examples, these network monitors 112 a, 112 b and other network monitors in the network, 112 c, 112 d, 112 e, function in a peer-to-peer relationship. Such a relationship is used to provide redundancy such that failure of any network monitor does not undermine the operation of other monitors. On the other hand, in some examples, master-slave relationships are defined in which one of the monitors 112 functions as master to other slave monitors. In still other examples, a separate monitor controller 114 is deployed.
  • Primarily, the network monitors 112 are used to monitor network activity based on the received flow information 103. In a general sense, the network monitors 112 a, 112 b analyze the flow to determine whether the network activity is in compliance with policies for the network 102. Such policies include network management policies related to traffic levels, for example, and network security policies related to maintaining the security of the network and protecting it against attacks, such as denial of service attacks, viruses, or worms.
  • According to embodiments of the invention, the network monitors 112 a, 112 b further augment the flow information with additional information derived from passive DNS traffic analysis. As shown in FIG. 1, the network 102 may further include a passive DNS database 118. It should be noted that data stored in the passive DNS database 118 may be either internally-generated or third party-sourced, in various embodiments.
  • In addition to storing the historical information collected by various DNS servers and passive DNS collectors 122, the passive DNS database 118 may also store additional information, such as a list or multiple lists of known malicious domain names. These lists of known malicious domain names may be created or updated by running known malware samples in a controlled environment, and then classifying all the domain names contacted by the malware samples that do not match a pre-compiled white list (e.g., a large list of popular, legitimate domain names from Alexa.com). In addition, domain names, which do not match a pre-compiled white list, may be extracted from spam emails collected using a spam-trap.
  • The network monitors 112 a, 112 b may utilize the information stored in the passive DNS database 118 to augment the flow information 103 with the DNS information. Additional information about how the network monitors 112 are utilized is described below.
  • The network monitors 112 a, 112 b augment the flow information and send the enhanced flow information 107 to each other and various flow consumers 109, which include additional flow augmenting network monitors 112 c, 112 d and also possibly the controller 114.
  • The additional flow augmentation modules 112 c, for example, output one or more further enhanced flows 113 to further flow consumers and/or augmentation modules 112 e, in one example.
  • FIG. 2 is a schematic diagram of the flow augmenting network monitors 112 of FIG. 1. Here the monitor 112 is logically broken down into three functions: a flow analysis engine 201, a flow encoding and distribution engine 203 and an enhanced flow reporting engine 202. Although shown separately, these three functions are often combined into a single operating module, implemented in hardware, software, or a combination thereof.
  • When the flow data 103 are received from the network devices 106, 108, 110, the network monitor 112 applies available policies to the flow and analyzes the flow in terms of passive DNS information, and other information received from other data sources including one or more internally maintained databases 205.
  • The enhanced flow is then encoded and distributed by the distribution engine 203 to various consumers of the flow information. A distribution list 207 identifies the entities that will receive the enhanced flow information. At least in some embodiments, the distributed enhanced flow information may be stored in an enhanced flow information database 211.
  • According to an embodiment of the present invention, the enhanced flow reporting engine 202 may be configured to provide reporting functionally related to the enhanced flow information responsive to users' requests. For example, the enhanced flow reporting engine 202 may provide augmented network flow information of interest broken down by domain names. Additional information about the enhanced flow reporting engine 202 is provided below.
  • FIG. 3 is a flowchart showing the operation of the flow analysis engine 201 and the encoding and distribution engine 203 of the network monitor 112 and FIG. 4 is a flowchart showing the operation of the enhanced flow reporting engine 202 of the network monitor 112 according to an embodiment of the present invention. Before turning to descriptions of FIGS. 3 and 4, it is noted that the flow diagrams in FIGS. 3 and 4 show examples in which operational steps are carried out in a particular order, as indicated by the lines connecting the blocks, but the various steps shown in these diagrams can be performed in any order, or in any combination or sub-combination. It should be appreciated that in some embodiments some of the steps described below may be combined into a single step. In some embodiments, one or more additional steps may be included.
  • Starting with FIG. 3, in step 302, flow data are received by the flow analysis engine 201. This received data comprises, in examples, standard flow records, for example from network communication devices such as routers 104 and switch 106 or other network devices 108, 110.
  • In step 304, if passive DNS information is available, the flow analysis engine 201 retrieves a list of names related to the IP address(es) extracted the received flow records from the passive DNS database 118.
  • In step 306, the flow analysis engine 201 maps the retrieved domain name information to the source and destination address information contained in the received standard flow records. In one embodiment, the standard flow record comprises the 5-tuple association of values including source IP address, source port number, destination IP address, destination port number, and protocol. It should be noted that some DNS servers could store multiple IP address entries for a host, and deliver successive mappings based on a round-robin scheme. In this case, the flow analysis engine 201 maps a host name to one of many IP addresses. In other words, in step 306, the flow analysis engine 201 generates a mapping that associates the received standard flow records with corresponding domain name information and sends both the mappings and the standard flow records to the encoding and distribution engine 203. At least in some embodiments, the flow analysis engine 201 may store the mapped domain names and addresses as the domain name information in the passive DNS database 118.
  • In step 308, if domain name information is received, then the encoding and distribution engine 203 preferably encodes the domain name information in the associated flow record to yield an enhanced flow record, while maintaining the initial network flow information contained in the received standard flow records. In other examples, the standard flow information may additionally be augmented with policy information. For example, the enhanced flow record may describe whether the flow matches a configured network traffic policy signature, or not, and may identify that signature. Signature detection includes flags that indicate if the flow matches a known worm or denial of service (DOS) attack signature, or other signatures either auto-learned by the system or configured by the user. Generally, any given flow may be augmented by any combination of the above passive DNS information. The DNS information chosen for augmentation by the encoding and distribution engine 203 can be based on user configuration or automatically determined by the system based on the domain name data that are available for the flow.
  • According to an embodiment of the present invention, in step 310, the encoding and distribution engine 203 may store the augmented data flow record in a centralized enhanced flow record repository 211 (shown in FIG. 2). The repository 211 may be a conventional, fault tolerant, relational, scalable, secure database such as Oracle or Sybase. Relational databases are an extension of a flat file. Relational databases consist of a series of related tables. The tables are interconnected via a key field. Alternatively, the enhanced flow record repository 211 may be implemented using various standard data-structures, such as an array, hash, (linked) list, struct, structured text file (e.g., XML), table, and/or the like. Also, the repository 211 may be implemented as a mix of data structures, objects, and relational structures. Repositories 211 maintained by each network monitor 112 may be consolidated and/or distributed in countless variations through standard data processing techniques. Portions of repositories 211, e.g., tables, may be exported and/or imported and thus decentralized and/or integrated.
  • In step 312, the augmented flow records may be sent by the encoding and distribution engine 203 to a configurable set of destinations that often make use of both the original flow information and the enhanced flow information to do useful work, either by reporting on the flow information, detecting network problems, generating alerts, or other analysis.
  • This augmentation and flow records redistribution is preferably performed in real-time. The augmented flow records further preferably use a standard flow representation method to encode and send the augmented DNS information, such as the industry-standard NetFlow version 9 format, which is maintained by Cisco Systems Inc. and which has been implemented by Juniper. Augmented flow records can thus be processed by both standard flow analysis tools as well as flow analyzers enhanced to make use of the additional domain name information.
  • In one embodiment, the packets include the augmented flow information implemented using Netflow. According to one implementation, the encoding and distribution engine 203 adds new “field type definitions” and populates these new fields with the retrieved DNS information. More specifically, Netflow (version 9) information may be sent in packets that contain header information and then one or more enhanced flow records. All version 9 flow packets (including augmented flow packets) preferably use a standard header format, which is defined by the Netflow v9, in one implementation.
  • In more detail, as shown in FIG. 5, the packet headers include the protocol (Netflow) version, record count, system uptime, a time stamp, sequence number and source identification.
  • According to an embodiment of the present invention, the content and format of these records is defined by a Netflow v9 template, which may be sent periodically by the flow sources using the Template FlowSet packet format, for example. This is a standard packet format for NetFlow v9. Each template sent by a flow source is given a unique ID, which must be placed in the FlowSet Template ID field of a packet, so that the receiver can know how to decode the received flow records.
  • The template defines which data fields are present in each flow record and in which order, what values represent, and what size values are. Some exemplary field types that might be defined in a standard NetFlow v9 Template are illustrated in Table (1) below:
  • TABLE 1
    Field
    Field Type ID Field Length Description
    IPV4 SRC ADDR 8 4 IPv4 Source Address
    IPV4 DST ADDR 12 4 IPv4 Destination Address
    L4 SRC PORT 7 2 TCP/UDP source port number
    L4 DST PORT 11 2 TCP/UDP dest. port number
    PROTOCOL 4 1 IP Protocol
    SRC HOST FQDN 10 16 FQDN of source host
    DST HOST FQDN 14 16 FQDN of destination host
  • Referring now to FIG. 6, based on the above template, FIG. 6 shows a sample packet containing an enhanced flow record. (For readability, the size of the fields has been rounded up to 4 bytes, even though in actuality they may use different sizes).
  • According to one embodiment, the encoding and distribution engine 203 of the network monitor 112 adds new field type definitions to represent the new DNS information being added to the augmented flow records. The encoding and distribution engine 203 sends out an annotated flow template using the standard flow template format and incorporating these new field types. The encoding and distribution engine 203 then sends annotated flows using the standard flow format and incorporating the new DNS information defined by the template definition.
  • As noted above, network monitors 112 may be further configured and operable to analyze the plurality of the enhanced flow records stored in the flow record repository 211 according to a user specified criteria and to provide reporting functionality based on the performed analysis. FIG. 4 is a flowchart showing the operation of the enhanced flow reporting engine 202 of the network monitor 112 according to an embodiment of the present invention.
  • In step 402, a user interface component (e.g. a graphical user interface (GUI)) of the flow reporting engine 202 receives, from a user, a set of selectable reporting criteria, which the flow reporting engine 202 uses to select specific enhanced flow records meeting such criteria. In one example, a user may be interested in identifying particular domains that are top sources of observed network traffic growth. As another example, a user can interact with the user interface component to define traffic of interest, for example, by selecting the domains, defining one or more regular expressions matching on domains or by specifying a collection of network resources or services. As yet another example, users may utilize the reporting criteria to ask the flow reporting engine 202 to monitor growth of respective traffic to domains over time.
  • In step 404, the flow reporting engine 202 retrieves data matching the user-specified reporting criteria from the enhanced flow record repository 211.
  • In step 406, the flow reporting engine 202 determines whether data aggregation is required based on the specified criteria. Such aggregation may be required if network traffic is distributed across a wide range of IP addresses. Generally, DNS names are structured in a way that allows flexibility on matching the traffic. In some embodiments, two forms of DNS service may be supported: an Internet-facing DNS service that allows the rest of the world to resolve host names to Internet-allocated IP addresses, and an internal DNS service that resolves host names to internal network addresses. Continuing with the example shown in FIG. 6, an enhanced flow record may contain “host1.engineering.example.com” as FQDN of the source host and “host 2.engineering.example.com” as FQDN of the destination host. By using FQDN, enhanced flow record information can be aggregated and tabular results presented by grouping data on a single host (or collection of hosts sharing the same name). If the reporting criteria included one or more domain name suffix strings, such as “engineering.example.com”, then the flow reporting engine 202 should aggregate and filter the retrieved domain name information matching this exemplary suffix string, for example. As yet another example, the flow reporting engine 202 may need to aggregate and tabulate results for all records associated with the “example.com” registered domain, which would correspond to all network traffic related to the company.
  • In response to determining that data aggregation is required (decision block 406, “Yes” branch), the flow reporting engine 202 preferably aggregates the respective enhanced flow records in step 408.
  • Responsive to a determination that the aggregation is not required (decision block 406, “no” branch), or after performing the data aggregation, in step 410, the flow reporting engine 202 generates a report and provides results for all enhanced data flow records matching the criteria. For example, if the user requested monitoring growth of traffic to domains over time, the report generated in step 410 may identify fast growing sources of traffic that may lead to the worsening traffic issues in the future. This enables users, for example, to detect new attacks well before they become a significant problem.
  • In summary, various embodiments of the present invention disclose a novel approach to augment network flow records with passive DNS information. The disclosed approach provides a number of advantages. One benefit of the above-described flow augmentation approach is that all standard flow template fields can now be incorporated into augmented flow records, and then additional template fields added to provide arbitrary DNS information. When the flow is re-exported with the additional DNS information, the ability of existing flow analysis software to decode and read the standard flow fields is not impacted. On the other hand, a scalable and flexible way to support new analysis software is provided, which can make use of both the standard and new flow annotation fields, from the same NetFlow v9 packet. As yet another advantage, providing information breakdowns by domains can improve understanding on how the network is being used. Monitoring growth of domains enables identification of new popular applications and could indicate new trends that have a potential of affecting the growth and management of the network.
  • Most preferably, the various embodiments disclosed herein can be implemented as any combination of hardware, firmware, and software. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
  • The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block might occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
  • The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (20)

What is claimed is:
1. A method for encoding domain name information in flow records, the method comprising:
receiving a flow record, the flow record including initial network flow information in a flow record format comprising at least a source address and a destination address;
retrieving domain name information associated with each of the source address and destination address from a database; and
encoding the domain name information in the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
2. The method as recited in claim 1, further comprising distributing the enhanced flow record having the encoded domain name information to one or more network devices and storing the enhanced flow record in a flow record repository.
3. The method as recited in claim 1, wherein the retrieved domain name information comprises one or more fully qualified domain names.
4. The method as recited in claim 1, wherein the enhanced flow record is a flow record following customized Netflow format.
5. The method as recited in claim 2, wherein the domain name information includes a domain name suffix string and wherein retrieving the domain name information comprises filtering the retrieved domain name information based on one or more domain name suffix strings.
6. The method as recited in claim 5, further comprising analyzing a plurality of the enhanced flow records stored in the flow record repository according to a user specified criteria.
7. The method as recited in claim 2, further comprising analyzing a plurality of the enhanced flow records stored in the flow record repository to identify one or more domain names associated with sources of network traffic growth.
8. The method as recited in claim 6, wherein the user specified criteria is associated with a user-specified collection of network resources or services.
9. The method as recited in claim 2, wherein the enhanced flow record is distributed to one or more network devices identified in a distribution list.
10. The method as recited in claim 6, wherein analyzing the plurality of the enhanced flow records further comprises aggregating two or more of the enhanced flow records based on one or more domain name suffix strings.
11. A monitoring system comprising:
a monitored network comprising a plurality of devices;
a database for storing domain name system (DNS) information; and
one or more network monitoring devices communicatively coupled to the monitored network and to the database, wherein the one or more network monitoring devices are configured and operable to:
receive a flow record, the flow record including initial network flow information in a flow record format comprising at least a source address and a destination address;
retrieve domain name information associated with each of the source address and destination address from the database; and
encode the domain name information in the received flow record while maintaining the initial network flow information to yield an enhanced flow record.
12. The monitoring system as recited in claim 11, further comprising a flow record repository communicatively coupled to the one or more network monitoring devices, wherein the one or more network monitoring devices are further configured and operable to distribute the enhanced flow record having the encoded domain name information to one or more network devices and to store the enhanced flow record in the flow record repository.
13. The monitoring system as recited in claim 11, wherein the enhanced flow record is a flow record following customized Netflow format.
14. The monitoring system as recited in claim 12, further comprising a user interface communicatively coupled to the one or more monitoring devices, the user interface configured to obtain traffic analysis criteria from a user.
15. The monitoring system as recited in claim 14, wherein the domain name information includes a domain name suffix string and wherein the one or more network monitoring devices configured and operable to retrieve the domain name information are further configured and operable to filter the retrieved domain name information based on one or more domain name suffix strings.
16. The monitoring system as recited in claim 15, wherein the one or more network monitoring devices are further configured and operable to analyze a plurality of the enhanced flow records stored in the flow record repository according to the traffic analysis criteria.
17. The monitoring system as recited in claim 12, wherein the one or more network monitoring devices are further configured and operable to analyze a plurality of the enhanced flow records stored in the flow record repository to identify one or more domain names associated with sources of network traffic growth.
18. The monitoring system as recited in claim 16, wherein the traffic analysis criteria is associated with a user-specified collection of network resources or services.
19. The monitoring system as recited in claim 11, wherein the one or more network monitoring devices are further configured and operable to periodically distribute an annotated flow template defining a plurality of fields comprising the enhanced flow record.
20. The monitoring system as recited in claim 16, wherein the one or more network monitoring devices configured and operable to analyze the plurality of the enhanced flow records are further configured and operable to aggregate two or more of the enhanced flow records based on one or more domain name suffix strings.
US15/261,474 2016-09-09 2016-09-09 Augmenting network flow with passive DNS information Active 2037-05-27 US10904203B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/261,474 US10904203B2 (en) 2016-09-09 2016-09-09 Augmenting network flow with passive DNS information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15/261,474 US10904203B2 (en) 2016-09-09 2016-09-09 Augmenting network flow with passive DNS information

Publications (2)

Publication Number Publication Date
US20180077110A1 true US20180077110A1 (en) 2018-03-15
US10904203B2 US10904203B2 (en) 2021-01-26

Family

ID=61561084

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/261,474 Active 2037-05-27 US10904203B2 (en) 2016-09-09 2016-09-09 Augmenting network flow with passive DNS information

Country Status (1)

Country Link
US (1) US10904203B2 (en)

Cited By (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180115469A1 (en) * 2016-10-21 2018-04-26 Forward Networks, Inc. Systems and methods for an interactive network analysis platform
US20190012322A1 (en) * 2017-07-04 2019-01-10 Chronicle Llc Passive dns system
US10348639B2 (en) 2015-12-18 2019-07-09 Amazon Technologies, Inc. Use of virtual endpoints to improve data transmission rates
US10372499B1 (en) 2016-12-27 2019-08-06 Amazon Technologies, Inc. Efficient region selection system for executing request-driven code
US10447648B2 (en) 2017-06-19 2019-10-15 Amazon Technologies, Inc. Assignment of a POP to a DNS resolver based on volume of communications over a link between client devices and the POP
US10467042B1 (en) 2011-04-27 2019-11-05 Amazon Technologies, Inc. Optimized deployment based upon customer locality
US10469442B2 (en) 2016-08-24 2019-11-05 Amazon Technologies, Inc. Adaptive resolution of domain name requests in virtual private cloud network environments
US10469513B2 (en) 2016-10-05 2019-11-05 Amazon Technologies, Inc. Encrypted network addresses
US10469355B2 (en) 2015-03-30 2019-11-05 Amazon Technologies, Inc. Traffic surge management for points of presence
US10491534B2 (en) 2009-03-27 2019-11-26 Amazon Technologies, Inc. Managing resources and entries in tracking information in resource cache components
US10503613B1 (en) 2017-04-21 2019-12-10 Amazon Technologies, Inc. Efficient serving of resources during server unavailability
US10506029B2 (en) 2010-01-28 2019-12-10 Amazon Technologies, Inc. Content distribution network
US10511567B2 (en) 2008-03-31 2019-12-17 Amazon Technologies, Inc. Network resource identification
US10516590B2 (en) 2016-08-23 2019-12-24 Amazon Technologies, Inc. External health checking of virtual private cloud network environments
US10523783B2 (en) 2008-11-17 2019-12-31 Amazon Technologies, Inc. Request routing utilizing client location information
US10521348B2 (en) 2009-06-16 2019-12-31 Amazon Technologies, Inc. Managing resources using resource expiration data
US10530874B2 (en) 2008-03-31 2020-01-07 Amazon Technologies, Inc. Locality based content distribution
US10542079B2 (en) 2012-09-20 2020-01-21 Amazon Technologies, Inc. Automated profiling of resource usage
US10554748B2 (en) 2008-03-31 2020-02-04 Amazon Technologies, Inc. Content management
US10574787B2 (en) 2009-03-27 2020-02-25 Amazon Technologies, Inc. Translation of resource identifiers using popularity information upon client request
US10592578B1 (en) 2018-03-07 2020-03-17 Amazon Technologies, Inc. Predictive content push-enabled content delivery network
US10623408B1 (en) 2012-04-02 2020-04-14 Amazon Technologies, Inc. Context sensitive object management
US10645056B2 (en) 2012-12-19 2020-05-05 Amazon Technologies, Inc. Source-dependent address resolution
US10645149B2 (en) 2008-03-31 2020-05-05 Amazon Technologies, Inc. Content delivery reconciliation
US10666756B2 (en) 2016-06-06 2020-05-26 Amazon Technologies, Inc. Request management for hierarchical cache
CN111224891A (en) * 2019-12-24 2020-06-02 北京百卓网络技术有限公司 Traffic application identification system and method based on dynamic learning triples
US10691752B2 (en) 2015-05-13 2020-06-23 Amazon Technologies, Inc. Routing based request correlation
US10728133B2 (en) 2014-12-18 2020-07-28 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US10742550B2 (en) 2008-11-17 2020-08-11 Amazon Technologies, Inc. Updating routing information based on client location
US10778554B2 (en) 2010-09-28 2020-09-15 Amazon Technologies, Inc. Latency measurement in resource requests
US10785037B2 (en) 2009-09-04 2020-09-22 Amazon Technologies, Inc. Managing secure content in a content delivery network
US10797995B2 (en) 2008-03-31 2020-10-06 Amazon Technologies, Inc. Request routing based on class
US10831549B1 (en) 2016-12-27 2020-11-10 Amazon Technologies, Inc. Multi-region request-driven code execution system
US10862852B1 (en) 2018-11-16 2020-12-08 Amazon Technologies, Inc. Resolution of domain name requests in heterogeneous network environments
US10931738B2 (en) 2010-09-28 2021-02-23 Amazon Technologies, Inc. Point of presence management in request routing
US10938884B1 (en) 2017-01-30 2021-03-02 Amazon Technologies, Inc. Origin server cloaking using virtual private cloud network environments
US10951725B2 (en) 2010-11-22 2021-03-16 Amazon Technologies, Inc. Request routing processing
US10958501B1 (en) 2010-09-28 2021-03-23 Amazon Technologies, Inc. Request routing information based on client IP groupings
US11025747B1 (en) 2018-12-12 2021-06-01 Amazon Technologies, Inc. Content request pattern-based routing system
US11075987B1 (en) 2017-06-12 2021-07-27 Amazon Technologies, Inc. Load estimating content delivery network
US11108729B2 (en) 2010-09-28 2021-08-31 Amazon Technologies, Inc. Managing request routing information utilizing client identifiers
US11134134B2 (en) 2015-11-10 2021-09-28 Amazon Technologies, Inc. Routing for origin-facing points of presence
US11194719B2 (en) 2008-03-31 2021-12-07 Amazon Technologies, Inc. Cache optimization
US11290418B2 (en) 2017-09-25 2022-03-29 Amazon Technologies, Inc. Hybrid content request routing system
US11297140B2 (en) 2015-03-23 2022-04-05 Amazon Technologies, Inc. Point of presence based data uploading
US11303717B2 (en) 2012-06-11 2022-04-12 Amazon Technologies, Inc. Processing DNS queries to identify pre-processing information
CN114338437A (en) * 2022-01-13 2022-04-12 北京邮电大学 Network traffic classification method, device, electronic device and storage medium
US11336712B2 (en) 2010-09-28 2022-05-17 Amazon Technologies, Inc. Point of presence management in request routing
US11388107B2 (en) * 2019-07-18 2022-07-12 Huawei Technologies Co., Ltd. Method, apparatus, and system for locating root cause of network anomaly, and computer storage medium
US11411919B2 (en) 2019-10-01 2022-08-09 EXFO Solutions SAS Deep packet inspection application classification systems and methods
US11457088B2 (en) 2016-06-29 2022-09-27 Amazon Technologies, Inc. Adaptive transfer rate for retrieving content from a server
US20220337547A1 (en) * 2021-04-14 2022-10-20 OpenVPN, Inc. Domain routing for private networks
CN115277468A (en) * 2022-06-09 2022-11-01 药小鹿(成都)数字营销策划有限公司 Method for carrying out actual flow statistics on each second-level domain name of website based on Nginx
US12309048B2 (en) 2023-12-19 2025-05-20 Amazon Technologies, Inc. Routing mode and point-of-presence selection service

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090154363A1 (en) * 2007-12-18 2009-06-18 Josh Stephens Method of resolving network address to host names in network flows for network device
US20130290521A1 (en) * 2007-12-29 2013-10-31 Craig H. Labovitz Method and system for annotating network flow information
US8819227B1 (en) * 2012-03-19 2014-08-26 Narus, Inc. Discerning web content and services based on real-time DNS tagging
US20150195245A1 (en) * 2009-11-18 2015-07-09 Cisco Technology, Inc. System and method for inspecting domain name system flows in a network environment
US20150215177A1 (en) * 2014-01-27 2015-07-30 Vencore Labs, Inc. System and method for network traffic profiling and visualization
US20170208077A1 (en) * 2016-01-15 2017-07-20 Kentik Technologies, Inc. Network Monitoring, Detection, and Analysis System
US20170353486A1 (en) * 2016-06-06 2017-12-07 AVG Netherlands B.V. Method and System For Augmenting Network Traffic Flow Reports
US9967232B1 (en) * 2015-02-09 2018-05-08 Amazon Technologies, Inc. Network traffic management system using customer policy settings

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090154363A1 (en) * 2007-12-18 2009-06-18 Josh Stephens Method of resolving network address to host names in network flows for network device
US20130290521A1 (en) * 2007-12-29 2013-10-31 Craig H. Labovitz Method and system for annotating network flow information
US20150195245A1 (en) * 2009-11-18 2015-07-09 Cisco Technology, Inc. System and method for inspecting domain name system flows in a network environment
US8819227B1 (en) * 2012-03-19 2014-08-26 Narus, Inc. Discerning web content and services based on real-time DNS tagging
US20150215177A1 (en) * 2014-01-27 2015-07-30 Vencore Labs, Inc. System and method for network traffic profiling and visualization
US9967232B1 (en) * 2015-02-09 2018-05-08 Amazon Technologies, Inc. Network traffic management system using customer policy settings
US20170208077A1 (en) * 2016-01-15 2017-07-20 Kentik Technologies, Inc. Network Monitoring, Detection, and Analysis System
US20170353486A1 (en) * 2016-06-06 2017-12-07 AVG Netherlands B.V. Method and System For Augmenting Network Traffic Flow Reports

Cited By (80)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10645149B2 (en) 2008-03-31 2020-05-05 Amazon Technologies, Inc. Content delivery reconciliation
US11451472B2 (en) 2008-03-31 2022-09-20 Amazon Technologies, Inc. Request routing based on class
US11245770B2 (en) 2008-03-31 2022-02-08 Amazon Technologies, Inc. Locality based content distribution
US11194719B2 (en) 2008-03-31 2021-12-07 Amazon Technologies, Inc. Cache optimization
US10554748B2 (en) 2008-03-31 2020-02-04 Amazon Technologies, Inc. Content management
US10797995B2 (en) 2008-03-31 2020-10-06 Amazon Technologies, Inc. Request routing based on class
US10771552B2 (en) 2008-03-31 2020-09-08 Amazon Technologies, Inc. Content management
US10511567B2 (en) 2008-03-31 2019-12-17 Amazon Technologies, Inc. Network resource identification
US10530874B2 (en) 2008-03-31 2020-01-07 Amazon Technologies, Inc. Locality based content distribution
US11909639B2 (en) 2008-03-31 2024-02-20 Amazon Technologies, Inc. Request routing based on class
US11811657B2 (en) 2008-11-17 2023-11-07 Amazon Technologies, Inc. Updating routing information based on client location
US10742550B2 (en) 2008-11-17 2020-08-11 Amazon Technologies, Inc. Updating routing information based on client location
US11115500B2 (en) 2008-11-17 2021-09-07 Amazon Technologies, Inc. Request routing utilizing client location information
US10523783B2 (en) 2008-11-17 2019-12-31 Amazon Technologies, Inc. Request routing utilizing client location information
US11283715B2 (en) 2008-11-17 2022-03-22 Amazon Technologies, Inc. Updating routing information based on client location
US10491534B2 (en) 2009-03-27 2019-11-26 Amazon Technologies, Inc. Managing resources and entries in tracking information in resource cache components
US10574787B2 (en) 2009-03-27 2020-02-25 Amazon Technologies, Inc. Translation of resource identifiers using popularity information upon client request
US10521348B2 (en) 2009-06-16 2019-12-31 Amazon Technologies, Inc. Managing resources using resource expiration data
US10783077B2 (en) 2009-06-16 2020-09-22 Amazon Technologies, Inc. Managing resources using resource expiration data
US10785037B2 (en) 2009-09-04 2020-09-22 Amazon Technologies, Inc. Managing secure content in a content delivery network
US11205037B2 (en) 2010-01-28 2021-12-21 Amazon Technologies, Inc. Content distribution network
US10506029B2 (en) 2010-01-28 2019-12-10 Amazon Technologies, Inc. Content distribution network
US10931738B2 (en) 2010-09-28 2021-02-23 Amazon Technologies, Inc. Point of presence management in request routing
US10778554B2 (en) 2010-09-28 2020-09-15 Amazon Technologies, Inc. Latency measurement in resource requests
US11108729B2 (en) 2010-09-28 2021-08-31 Amazon Technologies, Inc. Managing request routing information utilizing client identifiers
US11336712B2 (en) 2010-09-28 2022-05-17 Amazon Technologies, Inc. Point of presence management in request routing
US11632420B2 (en) 2010-09-28 2023-04-18 Amazon Technologies, Inc. Point of presence management in request routing
US10958501B1 (en) 2010-09-28 2021-03-23 Amazon Technologies, Inc. Request routing information based on client IP groupings
US10951725B2 (en) 2010-11-22 2021-03-16 Amazon Technologies, Inc. Request routing processing
US11604667B2 (en) 2011-04-27 2023-03-14 Amazon Technologies, Inc. Optimized deployment based upon customer locality
US10467042B1 (en) 2011-04-27 2019-11-05 Amazon Technologies, Inc. Optimized deployment based upon customer locality
US10623408B1 (en) 2012-04-02 2020-04-14 Amazon Technologies, Inc. Context sensitive object management
US12273428B2 (en) 2012-06-11 2025-04-08 Amazon Technologies, Inc. Processing DNS queries to identify pre-processing information
US11303717B2 (en) 2012-06-11 2022-04-12 Amazon Technologies, Inc. Processing DNS queries to identify pre-processing information
US11729294B2 (en) 2012-06-11 2023-08-15 Amazon Technologies, Inc. Processing DNS queries to identify pre-processing information
US10542079B2 (en) 2012-09-20 2020-01-21 Amazon Technologies, Inc. Automated profiling of resource usage
US10645056B2 (en) 2012-12-19 2020-05-05 Amazon Technologies, Inc. Source-dependent address resolution
US10728133B2 (en) 2014-12-18 2020-07-28 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US11863417B2 (en) 2014-12-18 2024-01-02 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US11381487B2 (en) 2014-12-18 2022-07-05 Amazon Technologies, Inc. Routing mode and point-of-presence selection service
US11297140B2 (en) 2015-03-23 2022-04-05 Amazon Technologies, Inc. Point of presence based data uploading
US10469355B2 (en) 2015-03-30 2019-11-05 Amazon Technologies, Inc. Traffic surge management for points of presence
US10691752B2 (en) 2015-05-13 2020-06-23 Amazon Technologies, Inc. Routing based request correlation
US11461402B2 (en) 2015-05-13 2022-10-04 Amazon Technologies, Inc. Routing based request correlation
US11134134B2 (en) 2015-11-10 2021-09-28 Amazon Technologies, Inc. Routing for origin-facing points of presence
US10348639B2 (en) 2015-12-18 2019-07-09 Amazon Technologies, Inc. Use of virtual endpoints to improve data transmission rates
US10666756B2 (en) 2016-06-06 2020-05-26 Amazon Technologies, Inc. Request management for hierarchical cache
US11463550B2 (en) 2016-06-06 2022-10-04 Amazon Technologies, Inc. Request management for hierarchical cache
US11457088B2 (en) 2016-06-29 2022-09-27 Amazon Technologies, Inc. Adaptive transfer rate for retrieving content from a server
US10516590B2 (en) 2016-08-23 2019-12-24 Amazon Technologies, Inc. External health checking of virtual private cloud network environments
US10469442B2 (en) 2016-08-24 2019-11-05 Amazon Technologies, Inc. Adaptive resolution of domain name requests in virtual private cloud network environments
US10505961B2 (en) 2016-10-05 2019-12-10 Amazon Technologies, Inc. Digitally signed network address
US10469513B2 (en) 2016-10-05 2019-11-05 Amazon Technologies, Inc. Encrypted network addresses
US11330008B2 (en) 2016-10-05 2022-05-10 Amazon Technologies, Inc. Network addresses with encoded DNS-level information
US10616250B2 (en) * 2016-10-05 2020-04-07 Amazon Technologies, Inc. Network addresses with encoded DNS-level information
US20180115469A1 (en) * 2016-10-21 2018-04-26 Forward Networks, Inc. Systems and methods for an interactive network analysis platform
US12058015B2 (en) * 2016-10-21 2024-08-06 Forward Networks, Inc. Systems and methods for an interactive network analysis platform
US10831549B1 (en) 2016-12-27 2020-11-10 Amazon Technologies, Inc. Multi-region request-driven code execution system
US10372499B1 (en) 2016-12-27 2019-08-06 Amazon Technologies, Inc. Efficient region selection system for executing request-driven code
US11762703B2 (en) 2016-12-27 2023-09-19 Amazon Technologies, Inc. Multi-region request-driven code execution system
US10938884B1 (en) 2017-01-30 2021-03-02 Amazon Technologies, Inc. Origin server cloaking using virtual private cloud network environments
US12052310B2 (en) 2017-01-30 2024-07-30 Amazon Technologies, Inc. Origin server cloaking using virtual private cloud network environments
US10503613B1 (en) 2017-04-21 2019-12-10 Amazon Technologies, Inc. Efficient serving of resources during server unavailability
US11075987B1 (en) 2017-06-12 2021-07-27 Amazon Technologies, Inc. Load estimating content delivery network
US10447648B2 (en) 2017-06-19 2019-10-15 Amazon Technologies, Inc. Assignment of a POP to a DNS resolver based on volume of communications over a link between client devices and the POP
US11520851B2 (en) 2017-07-04 2022-12-06 Chronicle Llc Passive DNS system
US20190012322A1 (en) * 2017-07-04 2019-01-10 Chronicle Llc Passive dns system
US10936696B2 (en) * 2017-07-04 2021-03-02 Chronicle Llc Passive DNS system
US11290418B2 (en) 2017-09-25 2022-03-29 Amazon Technologies, Inc. Hybrid content request routing system
US10592578B1 (en) 2018-03-07 2020-03-17 Amazon Technologies, Inc. Predictive content push-enabled content delivery network
US10862852B1 (en) 2018-11-16 2020-12-08 Amazon Technologies, Inc. Resolution of domain name requests in heterogeneous network environments
US11362986B2 (en) 2018-11-16 2022-06-14 Amazon Technologies, Inc. Resolution of domain name requests in heterogeneous network environments
US11025747B1 (en) 2018-12-12 2021-06-01 Amazon Technologies, Inc. Content request pattern-based routing system
US11388107B2 (en) * 2019-07-18 2022-07-12 Huawei Technologies Co., Ltd. Method, apparatus, and system for locating root cause of network anomaly, and computer storage medium
US11411919B2 (en) 2019-10-01 2022-08-09 EXFO Solutions SAS Deep packet inspection application classification systems and methods
CN111224891A (en) * 2019-12-24 2020-06-02 北京百卓网络技术有限公司 Traffic application identification system and method based on dynamic learning triples
US20220337547A1 (en) * 2021-04-14 2022-10-20 OpenVPN, Inc. Domain routing for private networks
CN114338437A (en) * 2022-01-13 2022-04-12 北京邮电大学 Network traffic classification method, device, electronic device and storage medium
CN115277468A (en) * 2022-06-09 2022-11-01 药小鹿(成都)数字营销策划有限公司 Method for carrying out actual flow statistics on each second-level domain name of website based on Nginx
US12309048B2 (en) 2023-12-19 2025-05-20 Amazon Technologies, Inc. Routing mode and point-of-presence selection service

Also Published As

Publication number Publication date
US10904203B2 (en) 2021-01-26

Similar Documents

Publication Publication Date Title
US10904203B2 (en) Augmenting network flow with passive DNS information
US11297109B2 (en) System and method for cybersecurity reconnaissance, analysis, and score generation using distributed systems
US12267369B2 (en) Cybersecurity analysis and protection using distributed systems
AU2021209277B2 (en) Efficient packet capture for cyber threat analysis
US9860154B2 (en) Streaming method and system for processing network metadata
US9912638B2 (en) Systems and methods for integrating cloud services with information management systems
US8955091B2 (en) Systems and methods for integrating cloud services with information management systems
US10547674B2 (en) Methods and systems for network flow analysis
US10079846B2 (en) Domain name system (DNS) based anomaly detection
US8879415B2 (en) Method and system for annotating network flow information
US10079843B2 (en) Streaming method and system for processing network metadata
US9760283B2 (en) Systems and methods for a memory model for sparsely updated statistics
US11546266B2 (en) Correlating discarded network traffic with network policy events through augmented flow
US9215212B2 (en) Systems and methods for providing a visualizer for rules of an application firewall
WO2017122166A1 (en) Network monitoring, detection, and analysis system
Kim et al. Ontas: Flexible and scalable online network traffic anonymization system
CA2897664A1 (en) An improved streaming method and system for processing network metadata
US20230281204A1 (en) Monitoring network traffic to determine similar content
Lukashin et al. Distributed packet trace processing method for information security analysis
US20160112488A1 (en) Providing Information of Data Streams

Legal Events

Date Code Title Description
AS Assignment

Owner name: ARBOR NETWORKS, INC., MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HUSTON, LAWRENCE B., III;WINQUIST, JAMES E.;LEVINE, ALEX;AND OTHERS;SIGNING DATES FROM 20160901 TO 20160907;REEL/FRAME:039899/0993

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT, ILLINOIS

Free format text: SECURITY INTEREST;ASSIGNORS:NETSCOUT SYSTEMS, INC.;ARBOR NETWORKS, INC.;AIRMAGNET, INC.;AND OTHERS;REEL/FRAME:056997/0847

Effective date: 20210727

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4