`2005/0157647 AL*
`2006/0023709 Al*
`
`
`2006/0218302 Al*
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`...sesseeeee 370/235
`7/2005 Sterne et al.
`. 370/389
`2/2006 Halletal.
`......
`
`
`
`
`
`
`
`9/2006 Chiaetal. ......0. 709/245
`
`
`
`
`
`
`
`OTHER PUBLICATIONS
`
`
`
`
`
`
`Matthew M.Williamson,et al., “Virus Throttling”, Virus Bulletin,
`
`
`
`
`
`
`
`
`
`Mar. 2003, pp. 8-11, Virus Bulletin Ltd., Oxfordshire, England.
`
`
`
`
`
`
`
`
`Matthew M. Williamson,etal., “Virus Throttling for Instant Messag-
`
`
`
`
`
`
`
`
`
`
`ing”, Virus Bulletin Conference, Sep. 2004, Chicago, Illinois, pp. 1-9,
`Hewlett-Packard Company.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Jamie Twycrossetal., “Implementing and Testing a Virus Throttle”,
`
`
`
`
`
`
`
`
`Proceedings 12th USENIX Security Symposium, Aug. 4-8, 2003,
`
`
`
`
`
`Washington, DC, 11 pages, Hewlett-Packard Company.
`
`
`
`
`
`
`
`Matthew M.Williamson,et al., “Design, Implementation and Test of
`
`
`
`
`
`
`
`
`
`
`
`an Email Virus Throttle”, Jun. 2003, pp. 1-9, Hewlett Packard Com-
`
`pany.
`
`
`
`
`
`
`
`Matthew M. Williamson, et al., “Throttling Viruses: Restricting
`
`
`
`
`
`
`
`
`
`Propagation to Defeat Malicious Mobile Code”, Jun. 2002,pp. 1-6,
`
`
`Hewlett-Packard Company.
`
`
`
`
`
`
`
`Matthew M. Williamson, et al., “Throttling Viruses: Restricting
`
`
`
`
`
`
`
`Propagation to Defeat Malicious Mobile Code”, ACSAC Conference,
`
`
`
`
`
`
`
`
`
`
`Dec. 2002, Las Vegas, Nevada, pp. 1-8, Hewlett Packard Company.
`
`
`
`* cited by examiner
`
`
`
`
`Primary Examiner—Ricky Ngo
`
`
`
`Assistant Examiner—Kibrom T Hailu
`
`
`
`
`
`
`
`(74) Attorney, Agent, or Firm—Blakely, Sokoloff, Taylor &
`
`
`Zafman LLP
`
`
`
`(57)
`
`
`
`ABSTRACT
`
`
`
`
`
`
`
`
`
`Traffic flow rate control in a network device. Traffic flow may
`
`
`
`
`
`
`
`be permitted/restricted based on the role of a device in a
`
`
`
`
`
`
`
`
`
`
`network. The traffic flow may be limited on the basis of
`
`
`
`
`
`packets per time period, the limits to be applied on a per-
`
`
`
`
`
`protocol, per-port, and/or per-packetbasis.
`
`
`
`
`
`
`
`
`
`
`17 Claims, 4 Drawing Sheets
`
`
`
`
`
`
`(21) Appl. No.: 10/951,393
`
`
`
`
`(65)
`
`
`
`
`
`(51)
`
`
`
`
`
`(22)
`
`Filed:
`
`
`
`Sep. 27, 2004
`
`
`
`
`
`
`
`Prior Publication Data
`
`
`
`
`US 2006/0072451 Al
`Apr. 6, 2006
`
`Int. Cl.
`
`(2006.01)
`GOIR 31/08
`
`
`
`
`
`
`(52) U.S.Ccee 370/232; 370/230; 370/235;
`370/229
`
`
`
`
`
`
`
`
`
`(58) Field of Classification Search ................. 370/230,
`370/232, 235; 709/229
`
`
`
`
`
`
`
`
`
`
`See application file for complete search history.
`
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`
`
`9/1999 Stockwell et al... T07/4
`5,950,195 A *
`
`
`
`
`
`10/1999 Nessett et al.
`5,968,176 A
`
`
`
`
`
`
`
`
`3/2008 Huangetal. 0... 713/153
`7,343,485 B1*
`2003/0191853 AL* 10/2003 Ono wee
`eeeeeeee 709/232
`
`
`
`
`
`
`
`2004/0028059 Al*
`2/2004 Josyulaetal. ......... 370/396
`2004/0039924 Al
`2/2004 Baldwin etal.
`
`
`
`
`
`2005/0027837 Al*
`2/2005 Roeseetal. wo... 709/223
`
`
`
`
`
`
`
`
`
`(56)
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`US 7,561,515 B2
`(10) Patent No.:
`a2) United States Patent
`
`
`
`
`
`
`
`Ross
`Jul. 14, 2009
`(45) Date of Patent:
`
`
`
`
`US007561515B2
`
`
`
`
`
`
`(54) ROLE-BASED NETWORK TRAFFIC-FLOW
`RATE CONTROL
`
`
`
`
`
`(75)
`
`nventor:
`
`I
`
`
`
`(73) Assignee:
`
`
`
`
`Alan
`
`Ross,
`
`
`
`
`
`Springs,
`Shingle
`an D.
`Shingle Springs, CA (US
`D.
`Ross,
`
`
`
`
`Intel Corporation, Santa Clara, CA
`
`(US)
`
`
`
`
`(*) Notice:
`
`
`
`
`
`
`
`
`
`Subject to any disclaimer, the term ofthis
`
`
`
`
`patent is extended or adjusted under 35
`
`
`
`
`U.S.C. 154(b) by 876 days.
`
`
`
`FEATURE POLICY
`
`
`
`
`
`RATE CONTROL AGENT
`
`
`
`
`
`APP(S)
`
`320
`
`CONTROL
`
`310
`
`
`
`MEMORY
`
`330
`
`
`
`
`COMPLIANCE ENGINE
`
`
`
`
`POLICY
`DETERMINATION
`
`
`
`342
`FEATURE
`3441
`
`
`POLICY UPDATE
`
`FEATURE
`
`
`
`
`
`
`INTERFACE
`
`
`350
`
`
`
`PACKET
`
`MONITORING
`
`
`
`
`
`343
`
`
`ENFORCEMENT
`
`
`
`FEATURE
`
`344
`
`
`
`
`
`Splunk Inc.—Exhibit 1012 Page 1
`
`Splunk Inc. Exhibit 1012 Page 1
`
`
`
`
U.S. Patent    Jul. 14, 2009    Sheet 1 of 4    US 7,561,515 B2

[FIG. 1: block diagram of a system with a network interface having a rate control agent. Labels recovered from the drawing: HOST SYSTEM containing HOST PLATFORM and NETWORK INTERFACE; NETWORK DEVICE; FLOW POLICY SERVER 131.]

[FIG. 2: block diagram of a system with a rate control agent. Labels recovered from the drawing: HOST SYSTEM containing HOST PLATFORM, RATE CONTROL AGENT and NETWORK INTERFACE 220; NETWORK DEVICE 240; TRAFFIC POLICY SERVER.]
`
`
`
`
U.S. Patent    Jul. 14, 2009    Sheet 2 of 4    US 7,561,515 B2

[FIG. 3: block diagram of a rate control agent. Labels recovered from the drawing: RATE CONTROL AGENT comprising CONTROL 310, MEMORY 330, COMPLIANCE ENGINE with POLICY DETERMINATION FEATURE 341, POLICY UPDATE FEATURE 342, PACKET MONITORING FEATURE 343 and POLICY ENFORCEMENT FEATURE 344, and INTERFACE 350.]
`
`
`
`
U.S. Patent    Jul. 14, 2009    Sheet 3 of 4    US 7,561,515 B2

[FIG. 4: flow diagram of a system implementing a traffic flow policy. Boxes recovered from the drawing, in order: NETWORK ACCESS INITIALIZATION 402; TRAFFIC REQUEST 404; decision TRAFFIC FLOW POLICY SERVER? 410; DEVICE IDENTIFICATION PROCESS; DETERMINE USER ROLE IN NETWORK 416; IMPLEMENT DEFAULT TRAFFIC FLOW POLICY; TRAFFIC FLOW POLICY ASSIGNMENT 418; decision REQUEST PERMISSIBLE? 420, YES leading to ALLOW NORMAL TRAFFIC PROCESSES and NO leading to REQUEST DENIED 424. The remaining reference numerals are not legible in the scan.]
`
`
`
`
U.S. Patent    Jul. 14, 2009    Sheet 4 of 4    US 7,561,515 B2

[FIG. 5: representation of permitted traffic allowances for various network devices. Labels recovered from the drawing: WEBSERVER 510 with NETWORK POLICY 521 FOR PUBLIC FACING INTERFACE and NETWORK POLICY 531 FOR PRIVATE FACING INTERFACE; CLIENT1 ON PUBLIC FACING LAN; NETWORK POLICY 551 FOR LAN CLIENT2; a PERMIT table whose port/protocol columns are not legible in the scan. Reference numeral 540 also appears, but its label is not legible.]
`
`
`
`
`
ROLE-BASED NETWORK TRAFFIC-FLOW RATE CONTROL

FIELD

Embodiments of the invention relate to network traffic flow control, and particularly to packet-based control at a network-connected device.

BACKGROUND

Spread of malware and other computer attacks has increased focus on network security. Malware may include viruses, worms, or other malicious code meant to disrupt network service, impair computer performance, open holes for intrusion, etc. Computer attacks may include flooding a server with traffic/requests and/or other actions to overload a server or network and cause a denial of service (DoS) attack.

Traditional approaches to mitigating malware have focused on preventing infection of networked machines. Antivirus software is typically concerned with recognizing viruses by examining software for particular known signatures. Recognized viruses can be quarantined and/or destroyed. Traditional malware protection suffers many limitations in that new viruses are able to spread unchecked until the virus can be analyzed for a signature, and antivirus definitions can be updated on each individual machine. This may require considerable time and effort. Those who do not take advantage of the almost constant updates are more vulnerable to attack by viruses that are not in the outdated definitions. Many new viruses are also adaptable, and alter themselves as they spread, causing difficulty for antivirus software.

Another approach is virus throttling, introduced by researchers of HP Laboratories Bristol. See, e.g., Jamie Twycross, Matthew M. Williamson, "Implementing and Testing a Virus Throttle," Trusted Systems Laboratory, HP Laboratories Bristol, HPL-2003-103, May 21, 2003. The virus throttle approach recognizes that viruses typically spread by engaging in "abnormal" computer behavior, or behavior that is outside the expected norm of computer conduct. For example, an infected computer may attempt to establish many connections per second to increase the possibility of spreading. The virus throttle limits the number of new connections per second that can be made.

One limitation of the virus throttle described above is that the approach is specifically connection-based. Only new, outbound connections are restricted. The virus throttle as described does not protect connections that are already open, nor does it address inbound traffic. Thus, the described virus throttle is limited both in scope and flexibility.

BRIEF DESCRIPTION OF THE DRAWINGS

The description of embodiments of the invention includes various illustrations by way of example, and not by way of limitation in the figures and accompanying drawings.

FIG. 1 is a block diagram of a system with a network interface having a rate control agent in accordance with an embodiment of the invention.

FIG. 2 is a block diagram of a system with a rate control agent in accordance with an embodiment of the invention.

FIG. 3 is a block diagram of a rate control agent in accordance with an embodiment of the invention.

FIG. 4 is a flow diagram of a system implementing a traffic flow policy in accordance with an embodiment of the invention.

FIG. 5 is a representation of permitted traffic allowances for various network devices in accordance with an embodiment of the invention.

DETAILED DESCRIPTION

In one embodiment the flow of traffic may be rate-limited at a network device. Restricting the packet flow of ingress traffic may operate to reduce the risk of DoS attacks. Restricting the packet flow of egress traffic from a device may operate to reduce the risk of infection, or the spread of malware from one machine to another. With rate limits at each machine, the spread within a subnet is reduced with respect to traditional wide open network connections.

Various references herein to an "embodiment" are to be understood as describing a particular feature, structure, or characteristic included in at least one embodiment of the invention. Thus, the appearance of phrases such as "in one embodiment," or "in an alternate embodiment" may describe various embodiments of the invention, and may not necessarily all refer to the same embodiment.

FIG. 1 is a block diagram of a system with a network interface having a rate control agent in accordance with an embodiment of the invention. Host system 100 interfaces with network device 130 through network interface 120. Host system 100 represents a variety of electronic systems, devices, or apparatuses. For example, host system 100 may include a personal computer (desktop, laptop, palmtop), a server, a handheld computing device, personal digital assistant (PDA), wireless computing device, cellular phone, game console, set-top box, etc. Host system 100 may be a terminating device of a network, or a user device of the network. Note that even in a case where system 100 is a server, it may be considered a "user" of the network.

Host system 100 includes host platform 110, which represents hardware and/or software to perform operation of system 100. Host platform 110 may include various hardware modules, subsystems, and/or circuits, as well as various software modules, applications, subroutines, etc. Host platform 110 includes an operating system or equivalent, and may include a motherboard/main circuit board, or equivalent. Host platform 110 provides the environment on which to execute user applications and system functions.

In one embodiment host system 100 includes network interface 120 to interact (e.g., transmit/receive/exchange traffic) over the network with devices external to system 100. Traffic transmitted, received, and/or exchanged may be considered to go through, or pass through a networked device. Network interface 120 may include a network interface card, a network interface circuit built onto a computing platform, a wireless or wireline communication transceiver, etc. Network interface 120 may support multiple mechanisms that provide interface to the network, including multiple ports, various protocols (e.g., Internet protocol (IP), Internet control message protocol (ICMP), transmission control protocol (TCP), user datagram protocol (UDP), simple network management protocol (SNMP), Telnet, file transfer protocol (FTP), hypertext transfer protocol (HTTP), etc.), and may include various open connections. In one embodiment each port, connection, protocol, etc. may be considered a network interface from system 100 to another system on the network.

In one embodiment system 100 communicates with network device 130 through network interface 120. Network device 130 represents a hardware and/or software entity at a network node, e.g., a switch, a gateway, a router, a network access point, or other item of a network infrastructure.
`
`
`
`
`
Network device 130 may be considered an edge device that provides a path to the network. In one embodiment network device 130 performs authentication services to verify the identity of system 100 prior to granting authorization to system 100 to access the network, or determining what type of service may be allocated to host system 100. Alternatively, authentication services could be performed separately from network device 130, or network device 130 could be in communication over the network with an authentication server.

In one embodiment network device 130 includes flow policy server 131, which represents a hardware and/or software module/node to provide a traffic flow policy. A traffic flow policy may include a description/listing of traffic flow rates permissible, and/or traffic flow limits imposed on host system 100. In one embodiment the traffic flow policy is part of a network policy describing the service available, the permitted use by, and/or the conditions under which host system 100 communicates over the network. The type of use permitted for system 100 may depend upon the role system 100 has in the network. For example, authentication credentials may reveal that system 100 is a server, and is responsible for traffic to and from a local area network (LAN). The permitted use of a server may be different than, for example, a corporate user, a personal user, etc.

Flow policy server 131 may indicate conditions for each interface of host system 100. For example, particular ports, protocols, and/or connections may be differentiated in the service allocated for each. A network policy/flow policy may indicate a permissible frequency, or packet flow for individual interfaces. Thus, one port may be limited to a certain number of packets per second, and another port may be limited to a different number of packets per second. Certain protocols may be restricted to a certain number of packets per second. Likewise, connections to particular network destinations may be limited to a certain frequency of packets. The policy may indicate the packet flow restrictions based on, for example, the extent to which the connection/port is trusted, an expected behavior of the port/protocol, in response to a perceived or a previous security violation on the interface, etc. By limiting the traffic flow, the spread of malware can be significantly slowed, and DoS attacks can be rendered less effective or ineffective.

The policy or policies may be stored in database 140, which is accessible to flow policy server 131, either remotely, or locally. In one embodiment database 140 stores more than the network policies, such as authentication information. In one embodiment database 140 is a policy decision maker. Note that policies may be established that apply restrictions equally across all interfaces, or differentiate between the interfaces. A policy may indicate a rate limit for a protocol, and rate limits for certain ports. In the case of overlapping policies, the lower flow limit may be used.

In one embodiment network interface 120 includes rate control agent 121. Rate control agent 121 may be a module on network interface 120. For example, rate control agent 121 may be software/firmware running on hardware (e.g., a processor) on network interface 120. Alternatively, rate control agent 121 may include an embedded processor having programming information and/or data stored in a local memory subsystem. The memory subsystem may include non-volatile memory, random access memory (RAM), Flash, a memory controller, etc. On network interface 120, rate control agent 121 may be independent of, and transparent to, a host operating system (OS). Because software and hardware visible to the OS may be subject to being compromised, if an intruder compromised the OS, rate control agent 121 transparent to the OS may be less likely to be compromised by attack. Thus, having the flow agent as a hardware element and/or as a software/firmware element in a hardware element of network interface 120 may provide added security to host system 100.

Rate control agent 121 represents the agent/module to implement/enforce the policy received from flow policy server 131. Rate control agent 121 may operate by restricting the traffic flow of various ports, protocols, connections, etc., of network interface 120. Rate control agent 121 may monitor a number of packets on ingress and/or egress for an interface, and determine whether the number of packets has reached or exceeded a threshold number specified in the flow policy, or a maximum number allotted in the flow policy. In the context of the traffic flow policy, the expression maximum may or may not be understood to be an absolute maximum. For example, a certain number of packets may be specified as a maximum, and when the number has been reached, certain actions may be performed to restrict the packets in excess of the number. For example, the packets may be dropped, or they may be buffered and delayed. The delay would operate to allow the packets to be sent, but at a rate slower than that at which they are received or prepared for transmission. If packets are buffered and delayed, a buffer overrun may cause additional packets to be dropped.

Note that the packet restricting is performed by rate control agent 121 at host system 100. Whereas quality of service (QoS) is performed at an enforcing network node, the traffic flow limiting is performed at an individual network user. Thus, QoS does not operate to prevent a user from overloading the network, because QoS deals on a macro level with traffic from multiple sources. In contrast, the traffic flow limiting described herein operates at the user device, and may prevent an individual machine from engaging in negative network behavior. Note also that rate control agent 121 may restrict connections that are already open, as well as implementing restrictions on new connections. Additionally, as discussed more below, the flow restrictions can be made to be dynamic, and/or the policy may be periodically checked to provide updated limits, making the flow limiting described herein dynamic and adaptable to changes in the network environment.

FIG. 2 is a block diagram of a system with a rate control agent in accordance with an embodiment of the invention. Host system 200, host platform 210, and network interface 220 are similar to the corresponding elements of FIG. 1 above, and will not be discussed in detail here. In one embodiment host system 200 communicates through network interface 220 with network device 240. Network device 240 represents a gateway, router, firewall, access point, etc., and may be a network edge device, interconnecting host system 100 to a network.

In one embodiment host system 200 communicates through network interface 220 with traffic policy server 250. Traffic policy server 250 may be a separate entity from network device 240 and may communicate with host system 200 through network device 240. Alternatively, traffic policy server 250 may have a connection with host system 200 through network interface 220, independent of network device 240. Traffic policy server 250 may include database 251 of traffic policies and/or network policies. In one embodiment traffic policy server 251 monitors network traffic flow of one or more interfaces of host system 200 and may determine to update policies.

In one embodiment host platform 210 includes rate control agent 121, which represents a monitoring and/or enforcing mechanism for network/traffic policies. Rate control agent 121 may be a software/firmware module in a processor of host platform 210. In one embodiment, rate control agent 121 is implemented as an embedded system/subsystem in a processor on host platform 210.
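The packet-count limits described above (one port limited to a number of packets per second, a protocol limited to another, overlapping policies resolved to the lower limit, excess packets dropped or buffered and delayed with a buffer overrun dropping the rest, and the policy chosen by the device's role) can be exercised with the following Python model. It is an added example, not code from the patent or from Intel: the role names, limits, the one-second window, the packet trace and the reduction of the flow policy server to a lookup table are all constructed for illustration. Unlike the connection-based virus throttle discussed in the background, the count here applies to every packet on an interface and direction, so traffic on already-open connections and ingress traffic are both restricted.

```python
"""Role-based packet-count rate control at a host network interface.

Added example, not the patent's own code. Role names, limits, the window
length and the packet trace below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Iterable, Optional, Tuple

WINDOW_SECONDS = 1.0  # "packets per second" limits are counted within this sliding window


@dataclass(frozen=True)
class Limit:
    max_packets: int      # packets allowed per window; not absolute, the excess is delayed or dropped
    action: str           # "drop" or "delay"
    buffer_size: int = 0  # for "delay": packets held back; a buffer overrun drops the rest


@dataclass
class FlowPolicy:
    """Limits keyed per protocol and per port, plus a default for everything else."""
    protocol_limits: Dict[str, Limit] = field(default_factory=dict)
    port_limits: Dict[int, Limit] = field(default_factory=dict)
    default: Optional[Limit] = None

    def limit_for(self, protocol: str, port: int) -> Optional[Limit]:
        """Overlapping policies: the lower flow limit applies."""
        candidates = [lim for lim in (self.protocol_limits.get(protocol),
                                      self.port_limits.get(port),
                                      self.default) if lim is not None]
        return min(candidates, key=lambda lim: lim.max_packets) if candidates else None


# Constructed policies by role; a flow policy server would hand these out after
# authenticating the host. Unknown roles fall back to DEFAULT_POLICY.
DEFAULT_POLICY = FlowPolicy(default=Limit(20, "drop"))
POLICIES_BY_ROLE = {
    "server": FlowPolicy(port_limits={80: Limit(500, "delay", buffer_size=50)},
                         default=Limit(200, "drop")),
    "corporate_user": FlowPolicy(protocol_limits={"udp": Limit(5, "drop"),
                                                  "tcp": Limit(50, "drop")},
                                 port_limits={80: Limit(10, "delay", buffer_size=3)},
                                 default=Limit(20, "drop")),
}


def policy_for_role(role: str) -> FlowPolicy:
    """Assign the role's policy, or the default policy when the role is unknown."""
    return POLICIES_BY_ROLE.get(role, DEFAULT_POLICY)


class RateControlAgent:
    """Counts packets per (protocol, port, direction) and restricts the excess.
    The count covers packets on open connections and ingress traffic alike."""

    def __init__(self, policy: FlowPolicy) -> None:
        self.policy = policy
        self._windows: Dict[Tuple[str, int, str], Deque[float]] = {}  # send times in window
        self._buffers: Dict[Tuple[str, int, str], Deque[float]] = {}  # delayed packets
        self.forwarded = self.delayed = self.dropped = 0

    def handle(self, now: float, protocol: str, port: int, direction: str = "egress") -> str:
        """Decide one packet; returns 'forward', 'delay' or 'drop'."""
        limit = self.policy.limit_for(protocol, port)
        if limit is None:
            self.forwarded += 1
            return "forward"
        key = (protocol, port, direction)
        window = self._windows.setdefault(key, deque())
        buf = self._buffers.setdefault(key, deque())
        while window and now - window[0] >= WINDOW_SECONDS:   # expire old sends
            window.popleft()
        while buf and len(window) < limit.max_packets:         # release delayed packets first
            buf.popleft()
            window.append(now)
            self.forwarded += 1
        if len(window) < limit.max_packets:
            window.append(now)
            self.forwarded += 1
            return "forward"
        if limit.action == "delay" and len(buf) < limit.buffer_size:
            buf.append(now)
            self.delayed += 1
            return "delay"
        self.dropped += 1   # over the limit with action "drop", or delay buffer overrun
        return "drop"


def simulate(role: str, packets: Iterable[Tuple[float, str, int, str]]) -> Dict[str, int]:
    """Run a packet trace through an agent holding the role's policy."""
    agent = RateControlAgent(policy_for_role(role))
    for now, protocol, port, direction in packets:
        agent.handle(now, protocol, port, direction)
    return {"forwarded": agent.forwarded, "delayed": agent.delayed, "dropped": agent.dropped}


# Constructed trace: an 8-packet UDP burst on port 53, a 15-packet burst to
# port 80, one ingress packet, then one more port-80 packet 1.5 s later.
SAMPLE_TRACE = (
    [(i * 0.01, "udp", 53, "egress") for i in range(8)]
    + [(0.10 + i * 0.01, "tcp", 80, "egress") for i in range(15)]
    + [(0.30, "udp", 53, "ingress"), (1.5, "tcp", 80, "egress")]
)

if __name__ == "__main__":
    print(simulate("corporate_user", SAMPLE_TRACE))
```

For the corporate_user policy the UDP burst is cut to 5 packets (the protocol limit is lower than the default), the port-80 burst forwards 10, holds 3 in the delay buffer and drops 2 on buffer overrun, and the held packets are released once the window has moved on, so the trace ends with 20 forwarded, 3 delayed and 5 dropped.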
`
`
`
`
`
In another embodiment, rate control agent 121 may be, in whole or in part, a software module operating between the host OS and the interface drivers for network interface 220.

FIG. 3 is a block diagram of a rate control agent in accordance with an embodiment of the invention. Rate control agent 300 represents a circuit, a combination of logic, firmware and/or group/series of instructions for execution on a computation/logic device, a subsystem, or a virtual subsystem that is configured, enabled, or otherwise able to perform operations related to integration of authentication and policy enforcement services. Control logic 310 directs the flow of operation of agent 300. In one embodiment, control logic 310 is a series of software/firmware instructions to perform logic operations. In another embodiment, control logic 310 can be implemented by hardware control logic, or a combination of hardware-based control logic and software instructions.

Interface 350 provides a communication interface between agent 300 and an external electronic system (not shown) and/or network. For example, agent 300 as part of a host computing system may have interface 350 to provide a communication interface between agent 300 and the host computing system via a system bus, for example, on a host platform, or on a network card/circuit. In one embodiment interface 350 includes a communication path to a network. For example, interface 350 may include an interface to an Ethernet, Internet, wireless communication channel, etc. The communication path may be private to agent 300, shared with other agents, or an access path allocated by a system/subsystem of which agent 300 is a part. If the communication path is shared, it could be arbitrated, as is understood in the art.

Agent 300 may include applications 320. Applications 320 represent one or more programs and/or other series of instruction sequences that are executed on control logic 310. In one embodiment agent 300 may execute part or all of a user application or a system application. Applications 320 may provide instructions to control logic 310 to cause agent 300 to perform operations. Instructions may also be provided to control logic 310 by memory 330. For example, control logic 310 may access, or read a portion of memory 330 to obtain instructions to perform a series of operations and/or data for use with operations. Thus, control logic 310 can receive one or more instructions from internal application software running locally on rate control agent 300, such as applications 320, from memory 330, and/or from external applications, storage media, etc., through interface 350.

Agent 300 includes compliance engine 340. In one embodiment compliance engine 340 may be considered an enforcement module. In one embodiment

Policy determination feature 341 enables agent 300 to ascertain a policy that will be enforced on a network interface with which the policy is associated. In one embodiment policy decision feature 341 obtains a policy from a remote location, such as from a node/entity on the network, for example, from a policy server. The policy may be obtained at one point and used at a later point, and/or used upon obtaining the policy. A policy server may be queried/polled to determine if a policy update exists. Policy determination feature 341 may enable agent 300 to periodically update the policy, or obtain a new policy upon an indication of a policy update by a policy server. The policy may indicate restrictions on packet flow frequency for a port, a group of ports, one or more protocols, connections to particular addresses, or connections to devices that have any address other than specified addresses/subnets, etc.

In one embodiment the policy may indicate a lock-down mode, or equivalent. Such a mode of operation may occur, for example, if the policy decision point is aware of a particular malware or hacker threat. In a lock-down mode, all traffic may be halted. Alternatively, particular traffic to/from a known trusted source may be permitted and all other traffic restricted. In one embodiment a policy may indicate, for example, port, protocol, and/or connection combinations to prevent Kazaa traffic, peer-to-peer (P2P) traffic, etc. Traffic associated with a known remote server may be allowed unrestricted access. The policy may be different based on the role of the device to which the policy applies. In one embodiment a degraded level of service may be allowed, where one or more interfaces may be allowed access, but under restricted traffic flow constraints (possibly resulting in noticeable delay to the user on those interfaces).

Policy update feature 342 enables agent 300 to indicate a change in operation to a policy decision maker. In one embodiment this includes a routine/algorithm to determine based on gathered statistics whether a policy change would be advisable for a particular interface. For example, traffic associated with a particular interface could be monitored, and a sudden large increase in traffic observed. Based on the protocol, the connection, a history of use of the interface, etc., policy update feature 342 may determine that the increase in traffic flow exceeds a trigger level and may request a policy update of a policy decision point. Alternatively, policy update feature 342 may alter a local copy of the policy and indicate the change to a policy server.

Changes in traffic policy may be made at a policy server from which rate control agent 300 obtains the policy to enforce on the network interfaces. Policy changes may occur when an information technology administrator makes a change and pushes the new policy to the policy server. The
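The policy update feature and the lock-down mode described above can be modelled as follows. This is an added example in Python, not code from the patent or from Intel: per-interface packet counts are gathered per window, the current window is compared against a trigger level derived from that interface's history of use, and when the trigger is exceeded a policy update is requested from the policy decision point, which here answers with a lock-down policy permitting only traffic to/from known trusted sources. The trigger factor, the absolute floor, the history length, the interface names, the addresses and the window counts are all constructed.

```python
"""Policy update trigger and lock-down policy for a rate control agent.

Added example, not the patent's own code. Trigger factor, history length,
interface names, addresses and the sample window counts are constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, List, Optional, Tuple

TRIGGER_FACTOR = 4.0   # current window must exceed 4x the interface's historical mean
MIN_HISTORY = 3        # windows of history required before the trigger can fire
MIN_TRIGGER = 100      # absolute floor, so an idle interface does not trigger on noise
HISTORY_WINDOWS = 10   # history of use kept per interface


@dataclass(frozen=True)
class LockdownPolicy:
    """Lock-down mode: halt everything, or permit only known trusted sources."""
    trusted_sources: FrozenSet[str] = frozenset()
    halt_all: bool = False

    def permits(self, peer_address: str) -> bool:
        return (not self.halt_all) and peer_address in self.trusted_sources


class PolicyDecisionPoint:
    """Constructed stand-in for the policy server: on a reported surge it hands
    back a lock-down policy for that interface and records the request."""

    def __init__(self, trusted_sources: FrozenSet[str]) -> None:
        self.trusted_sources = trusted_sources
        self.update_requests: List[Tuple[str, int, float]] = []

    def request_update(self, interface: str, packets: int, trigger_level: float) -> LockdownPolicy:
        self.update_requests.append((interface, packets, trigger_level))
        return LockdownPolicy(trusted_sources=self.trusted_sources)


@dataclass
class InterfaceStats:
    """Packet counts of recent windows for one interface."""
    history: Deque[int] = field(default_factory=lambda: deque(maxlen=HISTORY_WINDOWS))

    def trigger_level(self) -> Optional[float]:
        """None until enough history exists; otherwise the surge threshold."""
        if len(self.history) < MIN_HISTORY:
            return None
        return max(TRIGGER_FACTOR * sum(self.history) / len(self.history), MIN_TRIGGER)


class PolicyUpdateFeature:
    """Gathers statistics per interface and requests a policy update when the
    observed increase in traffic flow exceeds the trigger level."""

    def __init__(self, decision_point: PolicyDecisionPoint) -> None:
        self.decision_point = decision_point
        self.stats: Dict[str, InterfaceStats] = {}
        self.active_policies: Dict[str, LockdownPolicy] = {}

    def observe_window(self, interface: str, packets: int) -> Optional[LockdownPolicy]:
        """Record one window's packet count. Returns the new policy when a
        surge triggered an update, else None."""
        st = self.stats.setdefault(interface, InterfaceStats())
        level = st.trigger_level()
        if level is not None and packets > level:
            policy = self.decision_point.request_update(interface, packets, level)
            self.active_policies[interface] = policy
            return policy          # surge windows are kept out of the baseline
        st.history.append(packets)
        return None

    def permitted(self, interface: str, peer_address: str) -> bool:
        """Lock-down applies only to interfaces that received such a policy."""
        policy = self.active_policies.get(interface)
        return True if policy is None else policy.permits(peer_address)


# Constructed statistics: packets per window on one interface, quiet for four
# windows and then a sudden large increase.
SAMPLE_WINDOWS = [("eth0:tcp/445", n) for n in (20, 25, 22, 18, 400)]
TRUSTED = frozenset({"10.0.0.5"})   # constructed address of a known trusted server


def run_sample() -> Dict[str, object]:
    feature = PolicyUpdateFeature(PolicyDecisionPoint(TRUSTED))
    triggered = [iface for iface, n in SAMPLE_WINDOWS if feature.observe_window(iface, n)]
    return {
        "requests": feature.decision_point.update_requests,
        "triggered": triggered,
        "trusted_permitted": feature.permitted("eth0:tcp/445", "10.0.0.5"),
        "other_permitted": feature.permitted("eth0:tcp/445", "10.0.0.9"),
        "other_interface_permitted": feature.permitted("eth0:tcp/80", "10.0.0.9"),
    }


if __name__ == "__main__":
    print(run_sample())
```

The first three windows only build history; the fourth is compared against the trigger level (four times the mean, floored at 100 packets) and passes; the fifth, at 400 packets, exceeds it and produces one update request, after which only the trusted source is permitted on that interface while other interfaces keep their existing policy. Keeping the surge window out of the baseline is a design choice so that a sustained surge keeps triggering rather than becoming the new normal.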