(12) United States Patent
Hill et al.

(10) Patent No.: US 7,296,288 B1
(45) Date of Patent: Nov. 13, 2007

US007296288B1

(54) METHODS, APPARATUSES, AND SYSTEMS ALLOWING FOR BANDWIDTH MANAGEMENT SCHEMES RESPONSIVE TO UTILIZATION CHARACTERISTICS ASSOCIATED WITH INDIVIDUAL USERS

(75) Inventors: Mark Hill, Los Gatos, CA (US); Guy Riddle, Los Gatos, CA (US); Robert E. Purvy, San Jose, CA (US)

(73) Assignee: Packeteer, Inc., Cupertino, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 788 days.

(21) Appl. No.: 10/295,391

(22) Filed: Nov. 15, 2002

(51) Int. Cl.: G06F 21/00 (2006.01)

(52) U.S. Cl.: 726/2; 713/194

(58) Field of Classification Search: [classification codes not legible in the scan]. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

6,339,784 B1*      1/2002  Morris et al. ............ 709/204
6,484,203 B1*     11/2002  Porras et al. ............ 709/224
6,691,165 B1*      2/2004  Bruck et al. ............. 709/227
6,934,745 B2*      8/2005  Krautkremer .............. 709/223
2003/0018889 A1*   1/2003  Burnett et al. ........... 713/153
2003/0235209 A1*  12/2003  Garg et al. .............. 370/468

* cited by examiner

Primary Examiner—Kim Vu
Assistant Examiner—Joseph Pan
(74) Attorney, Agent, or Firm—Mark J. Spolyar

(57) ABSTRACT

Methods, apparatuses and systems allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users. In one embodiment, the present invention allows network administrators to penalize users who carry out specific questionable or suspicious activities, such as the use of proxy tunnels to disguise the true nature of the data flows in order to evade classification and control by bandwidth management devices. In one embodiment, each individual user may be accorded an initial suspicion score. Each time the user is associated with a questionable or suspicious activity (for example, detecting the set up of a connection to an outside HTTP tunnel, or peer-to-peer application flow), his or her suspicion score is downgraded. Data flows corresponding to users with sufficiently low suspicion scores, in one embodiment, can be treated in a different manner from data flows associated with other users. For example, different or more rigorous classification rules and policies can be applied to the data flows associated with suspicious users.

34 Claims, 7 Drawing Sheets

[Front-page drawing: Computer Network (Outside) and Computer Network (Inside), with client devices 42.]

Splunk Inc. Exhibit 1026 Page 1

U.S. Patent, Nov. 13, 2007, US 7,296,288 B1, Drawing Sheets 1 to 7. Only the labels recoverable from the scan are kept:

Sheet 1 of 7, FIG. 1: computer network environment (Computer Network).

Sheet 2 of 7, FIG. 2: functional blocks of the bandwidth management device: Administrator Interface 150, Traffic Classification Engine 137, Flow Database, Measurement Engine 140, Host Database, Suspicion Scoring Module 138, Flow Control Module 132, Packet Processor 131, Data Packet In, Data Packet Out.

Sheet 3 of 7, FIG. 3: packet-processing flow chart: Receive Data Packet; New Data Flow?; Control Block?; Fetch/Update Control Block or Construct Control Block; Changes To Flow?; Identify Traffic Class; P = getControls(Traffic Class); Pass Packet to Flow Control Module (P); Record Bandwidth Utilization Data In Association with Traffic Class.

Sheet 4 of 7, FIG. 4A and FIG. 4B: traffic classification configurations for an access link, with Inbound and Outbound trees whose classes include LocalHost, SuspiciousUsers (with child classes IPAddr1, IPAddr2, IPAddr3), HTTP, Telnet, FTP and Default.

Sheet 5 of 7, FIG. 5: suspicion scoring object management: Pickled Suspicion Scoring Object?; Un-Pickle Object or Instantiate Suspicion Scoring Object (302); Pass Packet to Suspicion Scoring Object.

Sheet 6 of 7, FIG. 6: proxy tunnel: Client Device 42 with PtoP App 71 and Tunnel Client, Computer Network, Network Resource.

Sheet 7 of 7, Table 7: per-host data flow metrics with columns IP Address, Conn Failed, Server, Client, RTT to PS, Curr Rate, 1 Min Avg, Peak Rate and New Flows Per Minute; the row values are not legible in the scan.

METHODS, APPARATUSES, AND SYSTEMS ALLOWING FOR BANDWIDTH MANAGEMENT SCHEMES RESPONSIVE TO UTILIZATION CHARACTERISTICS ASSOCIATED WITH INDIVIDUAL USERS

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application makes reference to the following commonly owned U.S. patent applications and patents, which are incorporated herein by reference in their entirety for all purposes:

U.S. patent application Ser. No. 08/762,828 now U.S. Pat. No. 5,802,106 in the name of Robert L. Packer, entitled “Method for Rapid Data Rate Detection in a Packet Communication Environment Without Data Rate Supervision;”

U.S. patent application Ser. No. 08/970,693 now U.S. Pat. No. 6,018,516, in the name of Robert L. Packer, entitled “Method for Minimizing Unneeded Retransmission of Packets in a Packet Communication Environment Supporting a Plurality of Data Link Rates;”

U.S. patent application Ser. No. 08/742,994 now U.S. Pat. No. 6,038,216, in the name of Robert L. Packer, entitled “Method for Explicit Data Rate Control in a Packet Communication Environment without Data Rate Supervision;”

U.S. patent application Ser. No. 09/977,642 now U.S. Pat. No. 6,046,980, in the name of Robert L. Packer, entitled “System for Managing Flow Bandwidth Utilization at Network, Transport and Application Layers in Store and Forward Network;”

U.S. patent application Ser. No. 09/106,924 now U.S. Pat. No. 6,115,357, in the name of Robert L. Packer and Brett D. Galloway, entitled “Method for Pacing Data Flow in a Packet-based Network;”

U.S. patent application Ser. No. 09/046,776 now U.S. Pat. No. 6,205,120, in the name of Robert L. Packer and Guy Riddle, entitled “Method for Transparently Determining and Setting an Optimal Minimum Required TCP Window Size;”

U.S. patent application Ser. No. 09/479,356 now U.S. Pat. No. 6,285,658, in the name of Robert L. Packer, entitled “System for Managing Flow Bandwidth Utilization at Network, Transport and Application Layers in Store and Forward Network;”

U.S. patent application Ser. No. 09/198,090 now U.S. Pat. No. 6,412,000, in the name of Guy Riddle and Robert L. Packer, entitled “Method for Automatically Classifying Traffic in a Packet Communications Network;”

U.S. patent application Ser. No. 09/198,051, in the name of Guy Riddle, entitled “Method for Automatically Determining a Traffic Policy in a Packet Communications Network;”

U.S. patent application Ser. No. 09/206,772, in the name of Robert L. Packer, Brett D. Galloway and Ted Thi, entitled “Method for Data Rate Control for Heterogeneous or Peer Internetworking;”

U.S. patent application Ser. No. 09/885,750, in the name of Scott Hankins and Brett Galloway, entitled “System and Method For Dynamically Controlling a Rogue Application Through Incremental Bandwidth Restrictions;”

U.S. patent application Ser. No. 09/966,538, in the name of Guy Riddle, entitled “Dynamic Partitioning of Network Resources;”

U.S. patent application Ser. No. 10/039,992, in the name of Michael J. Quinn and Mary L. Laier, entitled “Method and Apparatus for Fast Lookup of Related Classification Entities in a Tree-Ordered Classification Hierarchy;”

U.S. patent application Ser. No. 10/015,826, in the name of Guy Riddle, entitled “Dynamic Tunnel Probing in a Communications Network;”

U.S. patent application Ser. No. 10/108,085, in the name of Wei-Lung Lai, Jon Eric Okholm, and Michael J. Quinn, entitled “Output Scheduling Data Structure Facilitating Hierarchical Network Resource Allocation Scheme;”

U.S. patent application Ser. No. 10/155,936, in the name of Guy Riddle, Robert L. Packer and Mark Hill, entitled “Method for Automatically Classifying Traffic with Enhanced Hierarchy in a Packet Communications Network;”

U.S. patent application Ser. No. 10/177,518, in the name of Guy Riddle, entitled “Methods, Apparatuses and Systems Allowing for Progressive Network Resource Utilization Control Scheme;” and

U.S. patent application Ser. No. 10/178,617, in the name of Robert E. Purvy, entitled “Methods, Apparatuses and Systems Facilitating Analysis of Network Device Performance.”

FIELD OF THE INVENTION

The present invention relates to computer networks and bandwidth management, and, more particularly, to methods, apparatuses and systems allowing for bandwidth management schemes responsive to the utilization characteristics associated with individual users.

BACKGROUND OF THE INVENTION

In order to understand the context of certain embodiments of the invention, the following provides an explanation of certain technical aspects of a packet based telecommunications network environment. Internet/Intranet technology is based largely on the TCP/IP protocol suite. At the network level, IP provides a “datagram” delivery service—that is, IP is a protocol allowing for delivery of a datagram or packet between two hosts. By contrast, TCP provides a transport level service on top of the datagram service allowing for guaranteed delivery of a byte stream between two IP hosts. In other words, TCP is responsible for ensuring at the transmitting host that message data is divided into packets to be sent, and for reassembling, at the receiving host, the packets back into the complete message.

TCP has “flow control” mechanisms operative at the end stations only to limit the rate at which a TCP endpoint will emit data, but it does not employ explicit data rate control. The basic flow control mechanism is a “sliding window”, a window which by its sliding operation essentially limits the amount of unacknowledged transmit data that a transmitter is allowed to emit. Another flow control mechanism is a congestion window, which is a refinement of the sliding window scheme involving a conservative expansion to make use of the full, allowable window.

The sliding window flow control mechanism works in conjunction with the Retransmit Timeout Mechanism (RTO), which is a timeout to prompt a retransmission of unacknowledged data. The timeout length is based on a running average of the Round Trip Time (RTT) for acknowledgment receipt, i.e. if an acknowledgment is not received within (typically) the smoothed RTT+4*mean deviation, then packet loss is inferred and the data pending acknowledgment is re-transmitted. Data rate flow control mechanisms which are operative end-to-end without explicit data rate control draw a strong inference of congestion from packet loss (inferred, typically, by RTO). TCP end systems, for example, will “back-off,”—i.e., inhibit transmission in increasing multiples of the base RTT average as a reaction to consecutive packet loss.

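The retransmit timeout rule just described, carried through on a constructed series of RTT samples. This is an added example, not code from the patent or from Packeteer; the smoothing gains (1/8 for the average, 1/4 for the deviation), the initial deviation of half the first sample, the initial RTO before any sample, and doubling as the back-off rule are assumptions.

```python
"""Retransmit timeout (RTO) from a running RTT average: smoothed RTT plus four
times the mean deviation, with back-off on consecutive losses."""


class RtoEstimator:
    def __init__(self, alpha=1 / 8, beta=1 / 4, initial_rto_ms=1000.0):
        self.alpha = alpha            # assumed gain for the smoothed RTT
        self.beta = beta              # assumed gain for the mean deviation
        self.initial_rto_ms = initial_rto_ms  # assumed RTO before any sample
        self.srtt = None              # smoothed round-trip time (ms)
        self.rttvar = None            # mean deviation of the RTT (ms)
        self.backoff = 1              # multiplier grown by consecutive losses

    def sample(self, rtt_ms: float) -> float:
        """Fold one measured RTT into the running average and return the new RTO."""
        if self.srtt is None:
            # assumed initialisation: first sample seeds the average,
            # half of it seeds the deviation
            self.srtt, self.rttvar = rtt_ms, rtt_ms / 2
        else:
            self.rttvar = (1 - self.beta) * self.rttvar + self.beta * abs(self.srtt - rtt_ms)
            self.srtt = (1 - self.alpha) * self.srtt + self.alpha * rtt_ms
        self.backoff = 1              # a fresh acknowledgment ends the back-off
        return self.rto()

    def rto(self) -> float:
        """Timeout as the text states it: smoothed RTT + 4 * mean deviation."""
        if self.srtt is None:
            return self.initial_rto_ms
        return (self.srtt + 4 * self.rttvar) * self.backoff

    def ack_overdue(self, waited_ms: float) -> bool:
        """Loss is inferred once an acknowledgment has been outstanding longer than the RTO."""
        return waited_ms > self.rto()

    def on_timeout(self) -> float:
        """Consecutive loss: back off in increasing multiples (assumed: doubling)."""
        self.backoff *= 2
        return self.rto()


if __name__ == "__main__":
    est = RtoEstimator()
    for rtt in (100, 120, 80):        # constructed RTT samples in milliseconds
        print("rtt", rtt, "-> rto", est.sample(rtt))
    print("after two timeouts:", est.on_timeout(), est.on_timeout())
```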
A crude form of bandwidth management in TCP/IP networks (that is, policies operable to allocate available bandwidth from a single logical link to network flows) is accomplished by a combination of TCP end systems and routers which queue packets and discard packets when some congestion threshold is exceeded. The discarded and therefore unacknowledged packet serves as a feedback mechanism to the TCP transmitter. Routers support various queuing options to provide for some level of bandwidth management. These options generally provide a rough ability to partition and prioritize separate classes of traffic. However, configuring these queuing options with any precision or without side effects is in fact very difficult, and in some cases, not possible. Seemingly simple things, such as the length of the queue, have a profound effect on traffic characteristics. Discarding packets as a feedback mechanism to TCP end systems may cause large, uneven delays perceptible to interactive users. Moreover, while routers can slow down inbound network traffic by dropping packets as a feedback mechanism to a TCP transmitter, this method often results in retransmission of data packets, wasting network traffic and, especially, inbound capacity of a WAN link. In addition, routers can only explicitly control outbound traffic and cannot prevent inbound traffic from over-utilizing a WAN link. A 5% load or less on outbound traffic can correspond to a 100% load on inbound traffic, due to the typical imbalance between an outbound stream of acknowledgments and an inbound stream of data.

In response, certain data flow rate control mechanisms have been developed to provide a means to control and optimize efficiency of data transfer as well as allocate available bandwidth among a variety of business enterprise functionalities. For example, U.S. Pat. No. 6,038,216 discloses a method for explicit data rate control in a packet-based network environment without data rate supervision. Data rate control directly moderates the rate of data transmission from a sending host, resulting in just-in-time data transmission to control inbound traffic and reduce the inefficiencies associated with dropped packets. Bandwidth management devices allow for explicit data rate control for flows associated with a particular traffic classification. For example, U.S. Pat. No. 6,412,000, above, discloses automatic classification of network traffic for use in connection with bandwidth allocation mechanisms. U.S. Pat. No. 6,046,980 discloses systems and methods allowing for application layer control of bandwidth utilization in packet-based computer networks. For example, bandwidth management devices allow network administrators to specify policies operative to control and/or prioritize the bandwidth allocated to individual data flows according to traffic classifications. In addition, certain bandwidth management devices, as well as certain routers, allow network administrators to specify aggregate bandwidth utilization controls to divide available bandwidth into partitions. With some network devices, these partitions can be configured to ensure a minimum bandwidth and/or cap bandwidth as to a particular class of traffic. An administrator specifies a traffic class (such as FTP data, or data flows involving a specific user) and the size of the reserved virtual link—i.e., minimum guaranteed bandwidth and/or maximum bandwidth. Such partitions can be applied on a per-application basis (protecting and/or capping bandwidth for all traffic associated with an application) or a per-user basis (controlling, prioritizing, protecting and/or capping bandwidth for a particular user). In addition, certain bandwidth management devices allow administrators to define a partition hierarchy by configuring one or more partitions dividing the access link and further dividing the parent partitions into one or more child partitions.

While the systems and methods discussed above that allow for traffic classification and application of bandwidth utilization controls on a per-traffic-classification basis operate effectively for their intended purposes, they possess certain limitations. As discussed more fully below, identification of traffic types associated with data flows traversing an access link involves the application of matching criteria or rules to various characteristics of the data flows. Such matching criteria can include source and destination IP addresses, port numbers, MIME types, etc. After identification of a traffic type corresponding to a data flow, a bandwidth management device associates and subsequently applies bandwidth utilization controls (e.g., a policy or partition) to the data flow corresponding to the identified traffic classification or type. A common use of bandwidth management devices is to limit the bandwidth being consumed by unruly, bandwidth-intensive applications, such as peer-to-peer applications (e.g., Kazaa, Napster, etc.). Network-savvy users (such as students in a campus or university environment), however, have become aware that such bandwidth management devices have been deployed to limit or restrict such unauthorized network traffic. As a result, users often attempt to bypass or thwart the bandwidth management scheme effected by such bandwidth management devices by creating communications tunnels (proxy tunnels) through which unauthorized or restricted network traffic is sent. The attributes discernible from the content of these tunneled data flows, however, often reveal little information about its true nature. For example, commercial HTTP tunnel services (such as loopholesoftware.com, TotalRc.net, and http-tunnel.com, etc.) allow users to send all network traffic in the form of HTTP traffic through a HTTP tunnel between a tunnel client and an HTTP proxy server maintained by the tunnel services provider. FIG. 6 illustrates the functionality and operation of a typical HTTP proxy tunnel. Client device 42 includes a client application (such as a peer-to-peer application 71) and a tunnel client 72. The client application sends data to the tunnel client 72 which tunnels the data over HTTP to a tunnel proxy server 74. The tunnel proxy server 74 then forwards the data to the intended destination (here, network resource 75), and vice versa. Such HTTP tunnels typically feature encryption; accordingly, a bandwidth management device 30, encountering the tunneled traffic in this form, may not detect the exact nature of the traffic and, in fact, classify such data flows as legitimate or regular HTTP traffic. Accordingly, these tunneling mechanisms and other techniques for evading bandwidth utilization controls implemented by bandwidth management devices present new challenges to network administrators and bandwidth device manufacturers desiring to effectively control unauthorized or restricted network traffic.

In light of the foregoing, a need in the art exists for methods, apparatuses and systems allowing for bandwidth management schemes that are responsive to the utilization characteristics associated with individual users. A need in the art further exists for methods, apparatuses and systems allowing for detection of questionable or other activities designed to evade bandwidth management control schemes and, thus, enabling application of more rigorous network traffic classification mechanisms and/or disparate bandwidth utilization controls. Embodiments of the present invention substantially fulfill these needs.

SUMMARY OF THE INVENTION

The present invention provides methods, apparatuses and systems allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users. In one embodiment, the present invention allows network administrators to penalize users who carry out specific questionable or suspicious activities, such as the use of proxy tunnels to disguise the true nature of the data flows in order to evade classification and control by bandwidth management devices. In one embodiment, each individual user may be accorded an initial suspicion level. Each time the user is associated with a questionable or suspicious activity (for example, detecting the setup of a connection to an outside HTTP tunnel, or peer-to-peer application flow), his or her suspicion level is adjusted. Data flows corresponding to users with sufficiently high suspicion levels, in one embodiment, can be treated in a different manner from data flows associated with other users. For example, different or more rigorous classification rules and bandwidth management policies can be applied to the data flows associated with suspicious users. For example, data flows associated with suspicious users may be examined more closely in order to determine more thoroughly or accurately appropriate classification rules and/or bandwidth management policies.

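The scheme the summary describes, carried through end to end: per-host suspicion levels adjusted by observed events, a "SuspiciousUsers" class checked ahead of the service classes (the tree layout of FIG. 4A/4B), and a getControls lookup as in the FIG. 3 flow chart. This is an added example, not code from the patent or from Packeteer; the event names, their weights, the threshold, the ageing rule, the port-to-class mapping and the per-class controls are all assumptions, and the summary's "adjusted" is taken as an increase.

```python
"""Per-user suspicion scoring feeding a first-match traffic classification tree."""
from dataclasses import dataclass, field


@dataclass
class Flow:
    src_ip: str      # inside host the flow is attributed to
    dst_ip: str
    dst_port: int


@dataclass
class SuspicionScorer:
    """Suspicion scoring module (138 in FIG. 2): one level per inside host."""
    initial_level: int = 0
    threshold: int = 10                      # assumed: level >= threshold is suspicious
    # assumed weights for the two activities the summary names
    weights: dict = field(default_factory=lambda: {
        "http_tunnel_setup": 6,              # set-up of a connection to an outside HTTP tunnel
        "p2p_flow": 4,                       # peer-to-peer application flow
    })
    levels: dict = field(default_factory=dict)

    def level(self, ip: str) -> int:
        return self.levels.get(ip, self.initial_level)

    def record(self, ip: str, event: str) -> int:
        """Adjust the host's level for one observed activity; unknown events add nothing."""
        self.levels[ip] = self.level(ip) + self.weights.get(event, 0)
        return self.levels[ip]

    def forgive(self, ip: str, amount: int = 1) -> int:
        """Assumed ageing rule so a single old event does not penalise a host forever."""
        self.levels[ip] = max(self.initial_level, self.level(ip) - amount)
        return self.levels[ip]

    def is_suspicious(self, ip: str) -> bool:
        return self.level(ip) >= self.threshold


# Assumed per-class controls returned by getControls(traffic class) in FIG. 3:
# a rate cap and whether the more rigorous classification rules apply.
CONTROLS = {
    "SuspiciousUsers": {"rate_kbps": 64,   "deep_inspect": True},
    "HTTP":            {"rate_kbps": 1500, "deep_inspect": False},
    "Telnet":          {"rate_kbps": 64,   "deep_inspect": False},
    "FTP":             {"rate_kbps": 1000, "deep_inspect": False},
    "Default":         {"rate_kbps": 512,  "deep_inspect": False},
}

PORT_CLASSES = {80: "HTTP", 23: "Telnet", 21: "FTP"}   # assumed service mapping


def classify(flow: Flow, scorer: SuspicionScorer) -> str:
    """First match wins. SuspiciousUsers is tested before the service classes,
    so a tunnelled flow that looks like plain HTTP still lands in SuspiciousUsers
    once its host has crossed the threshold."""
    if scorer.is_suspicious(flow.src_ip):
        return "SuspiciousUsers"
    return PORT_CLASSES.get(flow.dst_port, "Default")


def get_controls(traffic_class: str) -> dict:
    return CONTROLS[traffic_class]


def process(events, flows):
    """Feed (host, event) observations into the scorer, then classify each flow
    and attach its controls. Returns a list of (src_ip, class, controls)."""
    scorer = SuspicionScorer()
    for ip, event in events:
        scorer.record(ip, event)
    result = []
    for flow in flows:
        cls = classify(flow, scorer)
        result.append((flow.src_ip, cls, get_controls(cls)))
    return result


if __name__ == "__main__":
    # Constructed sample: 10.7.15.4 sets up an outside tunnel and then starts a
    # peer-to-peer flow; 10.1.1.16 shows one peer-to-peer flow and stays below threshold.
    events = [("10.7.15.4", "http_tunnel_setup"), ("10.7.15.4", "p2p_flow"),
              ("10.1.1.16", "p2p_flow")]
    flows = [Flow("10.7.15.4", "203.0.113.10", 80), Flow("10.1.1.16", "203.0.113.10", 80)]
    for row in process(events, flows):
        print(row)
```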
DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional block diagram illustrating a computer network environment including a bandwidth management device according to an embodiment of the present invention.

FIG. 2 is a functional block diagram setting forth the functionality in a bandwidth management device according to an embodiment of the present invention.

FIG. 3 is a flow chart providing a method directed to processing data packets to allow for enforcement of bandwidth utilization and other controls on network data flows.

FIG. 4A is a diagram illustrating a traffic classification configuration for a given access link according to an embodiment of the present invention.

FIG. 4B is a diagram illustrating a traffic classification configuration for a given access link according to another embodiment of the present invention.

FIG. 5 is a flow chart diagram setting forth a method directed to the management of suspicion scoring objects according to an embodiment of the present invention.

FIG. 6 is a functional block diagram illustrating a proxy tunnel which may be used in attempts to circumvent the bandwidth utilization controls implemented by bandwidth management devices.

Table 7 sets forth the data flow metrics, according to an embodiment of the present invention, maintained for each host associated with data flows traversing a bandwidth management device.

DESCRIPTION OF PREFERRED EMBODIMENT(S)

I. Exemplary Operating Environment

FIG. 1 sets forth a packet-based computer network environment including a bandwidth management device 30. As FIG. 1 shows, local area computer network 40 interconnects several TCP/IP end systems, including client devices 42 and server device 44, and provides access to resources operably connected to computer network 50 via router 22 and access link 21. Access link 21 is a physical and/or logical connection between two networks, such as computer network 50 and local area network 40. Server 28 is a TCP end system connected to computer network 50 through router 26 and access link 25. Client devices 24 are additional TCP end systems operably connected to computer network 50 by any suitable means, such as through an Internet Services Provider (ISP). The computer network environment, including computer network 50, is a packet-based communications environment, employing TCP/IP protocols, and/or other suitable protocols, and has a plurality of interconnected digital packet transmission stations or routing nodes. Bandwidth management device 30 is provided between router 22 and local area computer network 40. Bandwidth management device 30 is operative to classify data flows and, depending on the classification, enforce respective bandwidth utilization controls on the data flows to control bandwidth utilization and optimize network application performance across access link 21.

A. Bandwidth Management Device

FIG. 2 is a block diagram illustrating functionality, according to one embodiment of the present invention, included in bandwidth management device 30. In one embodiment, bandwidth management device 30 comprises packet processor 131, flow control module 132, measurement engine 140, traffic classification engine 137, suspicion scoring module 138, and administrator interface 150. Packet processor 131 is operative to detect new data flows and construct data structures including attributes characterizing the data flow. Flow control module 132 is operative to enforce bandwidth utilization controls on data
