US009813447B2

(12) United States Patent
Rash et al.

(10) Patent No.: US 9,813,447 B2
(45) Date of Patent: Nov. 7, 2017

(54) DEVICE AND RELATED METHOD FOR ESTABLISHING NETWORK POLICY BASED ON APPLICATIONS

(71) Applicant: Extreme Networks, Inc., San Jose, CA (US)

(72) Inventors: Michael Rash, Mount Airy, MD (US); Markus Nispel, Frankfurt (DE); Jamie Woodhead, Pelham, NH (US); Richard Graham, Derry, NH (US)

(73) Assignee: Extreme Networks, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 108 days.

(21) Appl. No.: 13/836,048

(22) Filed: Mar. 15, 2013

(65) Prior Publication Data
US 2014/0282823 A1, Sep. 18, 2014

(51) Int. Cl.
H04L 29/06 (2006.01)

(52) U.S. Cl.
CPC: H04L 63/20 (2013.01)

(58) Field of Classification Search
CPC: H04L 29/06897; H04L 29/06591; H04L 12/5689; H04L 29/08081
USPC: 726/1, 12-13; 713/152
See application file for complete search history.
Primary Examiner: Luu Pham
Assistant Examiner: Jenise Jackson
(74) Attorney, Agent, or Firm: Haley Guiliano LLP

(57) ABSTRACT

A function is provided in a network system for adjusting network policies associated with the operation of network infrastructure devices of the network system. Network policies are established on network devices including packet forwarding devices. The network has a capability to identify computer applications associated with traffic running on the network. A network policy controller of the network is arranged to change one or more policies of one or more network devices based on the computer application information acquired. The policies changed may be network policies as well as mirroring policies. An example policy change is to direct a network device to mirror traffic to an application identification appliance for the purpose of identifying applications running on the network through a plurality of mechanisms. The function may be provided in one or more devices of the network.

10 Claims, 17 Drawing Sheets
Representative drawing: FIG. 15, flowchart 1500 (reproduced in full on Sheet 17).

Ex. 1007
Juniper Networks, Inc. / Page 1 of 39

U.S. Patent    Nov. 7, 2017    Sheet 1 of 17    US 9,813,447 B2

FIG. 1 (network system 100; diagram, labels only): Policy Server 103; system control manager 125; App ID appliance 180 (with 200); Data Center 172; Central switching device 106 with dynamic traffic mirroring function 300; Network entry devices 105a and 105b, each with a mirroring function 300; Authentication Server 115; Application Server 107; FW 118; IP Phone 140; attached functions: VPN gateway 113, server 104c, internet/WAN 112, service 104a, switch 104b, laptop computer 190; links 102a-102e; further reference numerals 150 and 160a-160c.

Sheet 2 of 17, FIG. 2 (diagram, labels only): App ID appliance 180 containing management engine 184, signatures library 185 and App ID engine 186; system control manager 125 containing App ID config engine 174; policy server 103; entry devices 105a, 105b, 105c.

Sheet 3 of 17, FIG. 3 (diagram, labels only): App ID engine 186 containing compare interface 194a and the identification mechanisms Port/Proto value, Stats, Heuristics 194e, History 194f, Installed apps 194g and Custom analysis 194h, all feeding scoring analysis engine 198; mirrored frames interface 188; results 192; network management output interface 190; network system central manager 125 with App ID configuration engine 174; entry devices 105a, 105b, 105c.

Sheet 4 of 17, FIG. 4A (application-group table; for each application the columns are Signature-based score, Heuristics-based score, API and Other Methods; score cells not legible):
  Social: Facebook, Twitter, G+, LinkedIn
  Security: SSH, OpenVPN, IPSEC, Metasploit, Luhn Credit Card
  Gaming: Poker, League of Legends, Call of Duty, Battlefield 3, Diablo III Online, Borderlands 2, Assassins Creed 3, Halo 4
  Data Base: Oracle, SQL, Postgres
  Peer-to-peer: Bittorrent, Donkey

Sheet 5 of 17, FIG. 4B (same columns):
  Search: Google, Yahoo, Bing, Ask
  Software Updates: Virus update Microsoft, OS updates, Virus update other, Virus update Malware, Sophos, Virus update ESET, Linux Patches
  Web Apps: Maps Google, Mail Google, Flickr, SSL Certificate, Weather, Road Traffic
  Network Infrastructure: DNS, SMTP, Radius, OSPF, RIP, VRRP, GRE

Sheet 6 of 17, FIG. 4C (same columns):
  Custom: local protocols
  Layer 2 Protocols: Spanning Tree, BootP, ARP
  Ethernet Storage: AoE
  Routing, Data transfer, IPv6 (group labels only)
`

`U . S . Patent
`
`Nov . 7 , 2017
`
`Sheet 7 of 17
`
`US 9 , 813 , 447 B2
`
`Traffic destination
`
`406
`
`Traffic destination
`
`406
`
`destination 408 Mirrored traffic
`
`
`
`
`402
`
`Port
`
`402 Port
`
`
`
`402 Port
`
`minning
`
`- - - - - - - -
`
`- - -
`
`- -
`
`- -
`
`II
`I
`I11
`1
`IL
`I
`
`-
`
`-
`
`-
`
`- -
`- -
`
`- -
`- -
`
`- -
`- -
`
`- -
`- -
`
`
`
`
`
`412 Virtual portals -
`
`1 . .
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`-
`
`L -
`
`
`
`Control engine
`
`416 Mirror send
`
`410
`point 414 Mirror source
`
`
`
`
`
`
`420 Packet forwarding function
`
`
`
`
`
`FIG . 5
`
`
`
`
`
`300 Dynamic traffic mirroring function
`
`
`
`
`
`400
`
`402 Port
`
`402 Port
`
`404 Traffic
`
`source
`
`404 Traffic
`
`source
`
`Ex. 1007
`Juniper Networks, Inc. / Page 9 of 39
`
`

`

`U . S . Patent
`
`Nov . 7 , 2017
`
`Sheet 8 of 17
`
`US 9 , 813 , 447 B2
`
`6007
`
`FCS
`
`DATA
`
`Flags
`
`
`
`TCP Header
`
`IP V4 Header
`
`802 . 3 Header
`
`Dest . Port
`
`Source Port
`
`Dest . Add .
`Source Add .
`Header Chk .
`Protocol
`Type Service
`Ether Type
`802 . 1Q Type
`802 . 1Q Type
`Dest . Add .
`
`Source Add .
`
`604
`
`602
`
`FIG . 6
`
`FCS
`FCS
`
`DATA
`
`606
`
`
`
`TCP Header
`
`IP v4 Header
`
`802 . 3 Header
`
`802 . 3 Header
`
`Flags
`Dest , Port
`Source Port
`Dest . Add .
`Source Add .
`Header Chk .
`Protocol
`Type
`Ether Type
`802 . 1Q Type
`802 . 1Q Type
`Dest . Add .
`Source Add .
`Ether Type
`802 . 1Q Type
`802 . 1Q Type
`Dest . Add .
`Source Add .
`
`"
`
`MAC in MAC Tunnel Encapsulation
`
`
`
`
`
`Ex. 1007
`Juniper Networks, Inc. / Page 10 of 39
`
`

`
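FIG. 6 shows the frame the App ID appliance works from, both as forwarded and wrapped in a MAC-in-MAC tunnel header when a mirror source sends it across the backbone. The Python parser below is an added example, not code from the patent or from Extreme Networks: it walks the layout of FIG. 6 (stacked 802.1Q tags, IPv4, TCP, trailing FCS), verifies the FCS and IPv4 header checksum before trusting any field, and follows the tunnel header down to the original frame. The patent names neither the tunnel EtherType nor the tag format; 0x88E7 with a 4-byte I-TAG (IEEE 802.1ah) is assumed here, and the SSH sample frame is constructed for the example.

```python
import ipaddress
import struct
import zlib

# Standard EtherTypes for 802.1Q and IPv4. FIG. 6 does not name the EtherType of
# its MAC-in-MAC tunnel; 0x88E7 with a 4-byte I-TAG (IEEE 802.1ah) is assumed here.
ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
ETH_P_MAC_IN_MAC = 0x88E7
IPPROTO_TCP = 6


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _fcs(body: bytes) -> bytes:
    # Ethernet FCS is CRC-32 with the same polynomial and reflection as zlib, stored little-endian.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def _ip_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Parse an FCS-terminated frame laid out as in FIG. 6, following MAC-in-MAC tunnels."""
    body, fcs = frame[:-4], frame[-4:]
    if fcs != _fcs(body):
        raise ValueError("FCS mismatch: frame corrupted or truncated")
    return _parse_eth(body, depth=0)


def _parse_eth(body: bytes, depth: int) -> dict:
    dst, src = body[:6], body[6:12]
    off, vlans = 12, []
    (ethertype,) = struct.unpack_from("!H", body, off)
    off += 2
    while ethertype == ETH_P_8021Q:                  # the stacked "802.1Q Type" slots of FIG. 6
        tci, ethertype = struct.unpack_from("!HH", body, off)
        vlans.append(tci & 0x0FFF)
        off += 4
    info = {"dst_mac": _mac(dst), "src_mac": _mac(src), "vlans": vlans,
            "ethertype": ethertype, "tunnel_depth": depth}
    if ethertype == ETH_P_MAC_IN_MAC:
        (itag,) = struct.unpack_from("!I", body, off)            # flags + 24-bit I-SID
        info["isid"] = itag & 0x00FFFFFF
        info["inner"] = _parse_eth(body[off + 4:], depth + 1)   # original frame, its FCS stripped
    elif ethertype == ETH_P_IPV4:
        info.update(_parse_ipv4(body, off))
    return info


def _parse_ipv4(body: bytes, ip_start: int) -> dict:
    vihl, tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", body, ip_start)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or _ip_checksum(body[ip_start:ip_start + ihl]) != 0:
        raise ValueError("bad IPv4 header")
    out = {"tos": tos, "ttl": ttl, "protocol": proto,
           "src_ip": str(ipaddress.IPv4Address(src)), "dst_ip": str(ipaddress.IPv4Address(dst))}
    if proto == IPPROTO_TCP:
        sport, dport, _, _, off_flags = struct.unpack_from("!HHIIH", body, ip_start + ihl)
        data_off = (off_flags >> 12) * 4
        out.update({"src_port": sport, "dst_port": dport, "tcp_flags": off_flags & 0x01FF,
                    "payload": body[ip_start + ihl + data_off:ip_start + total_len]})
    return out


def build_tcp_frame(dst_mac, src_mac, vlan, src_ip, dst_ip, sport, dport, payload, flags=0x018):
    """Construct a single-tagged 802.3/IPv4/TCP frame with valid checksums and FCS (test input)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_IPV4)
    body = eth + ip + tcp
    return body + _fcs(body)


def mac_in_mac_encapsulate(frame, b_dst_mac, b_src_mac, b_vlan, isid) -> bytes:
    """Prepend the outer 802.3 header of FIG. 6 (lower half) so the frame can be mirrored
    across the backbone. The inner FCS is dropped; the outer FCS covers the whole tunnel frame."""
    parse_frame(frame)                               # refuse to tunnel a frame that fails its FCS
    outer = _mac_bytes(b_dst_mac) + _mac_bytes(b_src_mac) + struct.pack(
        "!HHHI", ETH_P_8021Q, b_vlan, ETH_P_MAC_IN_MAC, isid & 0x00FFFFFF)
    body = outer + frame[:-4]
    return body + _fcs(body)


# Constructed sample: an SSH client banner from 10.0.0.5 to 10.0.0.9:22 on VLAN 100,
# then the same frame as a mirror source would tunnel it towards the App ID appliance.
SAMPLE_FRAME = build_tcp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 100,
                               "10.0.0.5", "10.0.0.9", 51234, 22, b"SSH-2.0-OpenSSH_8.9\r\n")
SAMPLE_TUNNELED = mac_in_mac_encapsulate(SAMPLE_FRAME, "02:00:00:00:00:01", "02:00:00:00:00:02",
                                         4000, 0x0A1B2C)
```

Checking the FCS before parsing matters on a mirror path: a truncated or corrupted copy would otherwise yield a plausible 5-tuple and a garbage payload that the signature stage downstream could still match.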

Sheet 9 of 17, FIG. 7 (network system 700; diagram, labels only): Policy Server 103; App ID 180 (with 200); Data Center 172; central manager 125; mirroring function 300; Network entry device 105; Central switching device 106; Authentication Server 115; Application Server 107; FW 118; attached functions: internet/WAN 112, service 104a, switch 104b, server 104c.

Sheet 10 of 17, FIG. 8 (network system 800; diagram, labels only): Data Center Switch 120 with Data Servers 175; Central switching device 106 with mirroring function 300; Authentication Server 115; Application Server 107; central manager 125; Policy Server 103; App ID 180 (with 200); Network entry devices 105a and 105b; FW 118; attached functions: internet/WAN 112, server 104a, switch 104b, desktop 104c.

Sheet 11 of 17, FIG. 9 (network system 900; diagram, labels only): Data Center Switch 120 with Data Servers 175; Authentication Server 115; Application Server 107; Central switching device 106; mirroring function 300 at Network entry device 105b; Network entry device 105a; central manager 125; Policy Server 103; App ID 180 (with 200); FW 118; attached functions: service 104a, switch 104b, server 104c, internet/WAN 112.

Sheet 12 of 17, FIG. 10 (network system 1000; diagram, labels only): two Data Center Switches 1002, with mirroring functions 300a and 300b, serving Data Servers 175; Authentication Server 115; Application Server 107; Central switching device 106; Network entry devices 105a and 105b; central manager 125; Policy Server 103; two App ID appliances 180 and 181 (each with 200); FW 118; attached functions: server 104a, switch 104b, desktop 104c, internet/WAN 112.

Sheet 13 of 17, FIG. 11 (method 1100, dynamic traffic mirroring policy):
  Initial setup and input by network administrators
  1110 Provide one or more mirror policies to one or more network infrastructure devices
  1120 Monitor network for events, topology and status
  1130 Automatically install, enable, select or change one or more traffic mirrors of the network; optional sub-steps (dashed): select a portion of traffic to be mirrored; select a destination for mirroring traffic; determine when to stop mirroring
  1140 Establish one or more criteria to provide, install, enable, select or change one or more mirror policies

Sheet 14 of 17, FIG. 12 (method 1200, dynamic traffic mirroring):
  Initial setup and input by network administrators
  1210 Establish a first criterion for selecting frames for mirroring
  1220 Establish a second criterion for selecting portions of frames to mirror
  1230 Establish a third criterion for selecting portals through which to mirror
  1240 Establish a fourth criterion for establishing a mirroring destination
  1250 Establish a fifth criterion for establishing a mirror in a network device
  1260 Create one or more portals for mirroring traffic
  1270 Mirror selected traffic through the one or more portals

Sheet 15 of 17, FIG. 13 (method 1300, network policy based on applications):
  Initial setup and input by network administrators
  1310 Establish network policies and/or rules on a network device based on computer applications running on the network
  1320 Monitor the network for computer applications running on the network that may require a change of one or more network policies and/or rules
  1330 Change one or more network enforcement policies and/or rules on one or more network devices based on the detection of a computer application running on the network; optional (dashed): change one or more mirroring criteria based on applications running on the network
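FIGS. 11 to 13 together describe the mirroring criteria (which frames, what portion of them, through which portal, to which destination, and when to stop) and the controller that changes both mirroring and enforcement policy once an application has been detected. The Python below is an added example, not code from the patent or its assignee: a controller mirrors only the first few frames of each new flow, truncated to a snap length, through a named portal to the App ID appliance; when App ID reports a designation above a confidence threshold it stops mirroring that flow and installs an enforcement action on the ingress port. The port names, the application-to-action table, the numeric defaults and the sample flow are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int


@dataclass
class MirrorCriteria:
    """The five criteria of FIG. 12 as plain data; the defaults are constructed."""
    mirror_ports: frozenset           # 1210: frames arriving on these ports are eligible
    packets_per_flow: int = 5         # 1210: only the first N frames of a new flow
    snap_len: int = 128               # 1220: portion of each frame to mirror (headers + banner)
    portal: str = "portal-appid"      # 1230: virtual portal (FIG. 5, 412) to mirror through
    destination: str = "appid-180"    # 1240: the App ID appliance receiving the mirror
    stop_confidence: float = 0.5      # 1250: stop mirroring a flow once App ID is this confident


@dataclass
class MirrorAction:
    portal: str
    destination: str
    data: bytes


# 1310: enforcement action to install on the ingress port when an application is designated.
# The application-to-action table is constructed for the example, not taken from the patent.
APP_POLICIES = {"Bittorrent": "rate-limit 1Mbps", "Metasploit": "deny", "SSH": "allow"}


@dataclass
class PolicyController:
    criteria: MirrorCriteria
    mirrored: dict = field(default_factory=dict)       # FlowKey -> frames mirrored so far
    settled: dict = field(default_factory=dict)        # FlowKey -> (app, confidence)
    port_policies: dict = field(default_factory=dict)  # port -> set of installed actions

    def on_frame(self, port: str, key: FlowKey, frame: bytes) -> Optional[MirrorAction]:
        """FIG. 11 step 1130: per frame, decide whether and how much to mirror."""
        if port not in self.criteria.mirror_ports or key in self.settled:
            return None
        sent = self.mirrored.get(key, 0)
        if sent >= self.criteria.packets_per_flow:
            return None                     # budget spent without a confident designation
        self.mirrored[key] = sent + 1
        return MirrorAction(self.criteria.portal, self.criteria.destination,
                            frame[:self.criteria.snap_len])

    def on_designation(self, port: str, key: FlowKey, app: str, confidence: float) -> Optional[str]:
        """FIG. 13 steps 1320/1330: an App ID result arrives; adjust mirroring and enforcement."""
        if confidence < self.criteria.stop_confidence:
            return None                     # not confident yet: keep mirroring within the budget
        self.settled[key] = (app, confidence)          # 1250: this flow needs no more mirroring
        action = APP_POLICIES.get(app)
        if action:
            self.port_policies.setdefault(port, set()).add(action)
        return action


def simulate() -> dict:
    """Drive one constructed flow through the controller and return what the test checks."""
    ctl = PolicyController(MirrorCriteria(mirror_ports=frozenset({"ge.1.1", "ge.1.2"})))
    bt = FlowKey("10.0.0.8", "203.0.113.9", 6, 40001, 6881)
    frame = bytes(600)                                  # stand-in for a 600-byte frame
    actions = [ctl.on_frame("ge.1.1", bt, frame) for _ in range(3)]
    low = ctl.on_designation("ge.1.1", bt, "Bittorrent", 0.32)       # below stop_confidence
    actions += [ctl.on_frame("ge.1.1", bt, frame) for _ in range(3)]  # frames 4, 5 mirrored; 6 not
    high = ctl.on_designation("ge.1.1", bt, "Bittorrent", 0.9)
    after = ctl.on_frame("ge.1.1", bt, frame)                         # settled: no more mirroring
    other = FlowKey("10.0.0.9", "203.0.113.9", 6, 40002, 22)
    unmirrored_port = ctl.on_frame("ge.1.7", other, frame)            # ge.1.7 is not mirror-enabled
    return {"mirrored": [a for a in actions if a], "low": low, "high": high,
            "after": after, "unmirrored_port": unmirrored_port, "policies": ctl.port_policies}
```

The stop criterion is what keeps the scheme affordable: without it every frame of a long-lived flow would keep being copied to the appliance after the application is already known, and a designation below the stop confidence leaves the per-flow frame budget as the only cap on mirrored volume.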

Sheet 16 of 17, FIG. 14 (method 1400, application identification):
  1410 Receive on a network device packets including frames associated with computer applications
  1420 Examine content of the frames and other information for the identification of one or more computer applications
  1430 Compare library signatures and information of the frames content with known information of computer applications
  1440 Establish a most likely match of the computer application associated with the frames based on the comparison
  1450 Output information about the identified computer application based on the comparison and optionally include a level of confidence about the identification

Sheet 17 of 17, FIG. 15 (method 1500, scoring applications):
  1510 Receive on a network device packets including frames associated with computer applications
  1520 Compare information of the frames with information derived from a plurality of mechanisms for identifying computer applications
  1530 Establish a score for each computer application that may match, from the mechanisms, the information of the frames
  1540 Designate one or more computer applications as being associated with the frames based on the score, optionally including a level of confidence about the designation
  Optional (dashed): weigh one or more computer applications as being associated with the frames based on the score
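The abstract and FIG. 15 describe scoring candidate applications from a plurality of identification mechanisms and designating one of them with a confidence level. The Python below is an added example, not the patent's or Extreme Networks' implementation: four mechanisms (a port/protocol table, payload signatures, an entropy heuristic for payloads that resist fingerprinting, and per-host history) each vote for candidate applications, the votes are weighted and summed (step 1530), and the best candidate is designated with a confidence (step 1540) while the full weighed ranking is kept. The weights, the 0.3 threshold, the heuristic's candidate split, the signature patterns and the sample flows are all constructed for the example.

```python
import math
import re
from dataclasses import dataclass, field

# Mechanism weights and the designation threshold are operator choices; these are constructed.
WEIGHTS = {"port": 0.2, "signature": 0.5, "heuristic": 0.2, "history": 0.1}
CONFIDENCE_THRESHOLD = 0.3

# Mechanism 1: (IP protocol, destination port) table, IANA assignments plus the classic Bittorrent port.
PORT_HINTS = {(6, 22): "SSH", (6, 25): "SMTP", (6, 443): "SSL", (17, 53): "DNS",
              (6, 5432): "Postgres", (6, 6881): "Bittorrent"}

# Mechanism 2: payload signatures, the leading bytes of well-known handshakes.
SIGNATURES = [
    ("SSH", re.compile(rb"\ASSH-\d\.\d-")),
    ("Bittorrent", re.compile(rb"\A\x13BitTorrent protocol")),
    ("SSL", re.compile(rb"\A\x16\x03[\x00-\x03]")),                      # TLS record, handshake type
    ("Postgres", re.compile(rb"\A.{4}\x00\x03\x00\x00user\x00", re.S)),  # StartupMessage, protocol 3
]


@dataclass
class Flow:
    src_ip: str
    protocol: int      # IP protocol number: 6 = TCP, 17 = UDP
    dst_port: int
    payload: bytes     # first payload bytes observed on the flow


@dataclass
class Designation:
    app: str
    confidence: float
    ranked: list = field(default_factory=list)   # (app, combined score), best first


def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def score_port(flow: Flow) -> dict:
    app = PORT_HINTS.get((flow.protocol, flow.dst_port))
    return {app: 1.0} if app else {}


def score_signature(flow: Flow) -> dict:
    return {app: 1.0 for app, rx in SIGNATURES if rx.match(flow.payload)}


def score_heuristic(flow: Flow) -> dict:
    # Near-uniform bytes and no recognizable handshake point at an obfuscated protocol, the
    # case the patent calls hard to fingerprint; the candidate split below is constructed.
    if len(flow.payload) >= 64 and _entropy(flow.payload) >= 7.5 and not score_signature(flow):
        return {"Bittorrent": 0.6, "OpenVPN": 0.4}
    return {}


def score_history(flow: Flow, history: dict) -> dict:
    # history: src_ip -> {app: count of earlier designations for that host}
    seen = history.get(flow.src_ip, {})
    total = sum(seen.values())
    return {app: n / total for app, n in seen.items()} if total else {}


def score_flow(flow: Flow, history: dict) -> dict:
    """Step 1530: one combined score per candidate application, mechanisms weighted and summed."""
    votes = {"port": score_port(flow), "signature": score_signature(flow),
             "heuristic": score_heuristic(flow), "history": score_history(flow, history)}
    combined = {}
    for mechanism, scores in votes.items():
        for app, s in scores.items():
            combined[app] = combined.get(app, 0.0) + WEIGHTS[mechanism] * s
    return combined


def designate(flow: Flow, history: dict, threshold: float = CONFIDENCE_THRESHOLD) -> Designation:
    """Step 1540: designate the best candidate; confidence is its share of the total weight,
    so 1.0 means every mechanism agreed. Below the threshold the flow is reported as unknown
    but the weighed ranking (the dashed step of FIG. 15) is still returned for the operator."""
    ranked = sorted(score_flow(flow, history).items(), key=lambda kv: kv[1], reverse=True)
    if not ranked:
        return Designation("unknown", 0.0, [])
    app, score = ranked[0]
    confidence = score / sum(WEIGHTS.values())
    return Designation(app if confidence >= threshold else "unknown", confidence, ranked)


# Constructed sample flows, not captured traffic.
HISTORY = {"10.0.0.5": {"SSH": 3}}
SSH_FLOW = Flow("10.0.0.5", 6, 22, b"SSH-2.0-OpenSSH_8.9\r\n")        # port, signature and history agree
SSH_ODD_PORT = Flow("10.0.0.7", 6, 2222, b"SSH-2.0-OpenSSH_8.9\r\n")  # the signature alone carries it
CIPHERTEXT = bytes(range(256)) * 2                                    # uniform bytes stand in for ciphertext
BT_FLOW = Flow("10.0.0.8", 6, 6881, CIPHERTEXT)                       # port hint plus entropy heuristic
OPAQUE_FLOW = Flow("10.0.0.8", 6, 44444, CIPHERTEXT)                  # heuristic only: stays unknown
```

Two properties of the weighting are worth noticing: SSH on a non-standard port is still designated because the signature outweighs the absent port hint, and opaque traffic on an unregistered port is reported as unknown rather than guessed, while its ranked candidates remain available to the policy controller.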

`US 9 , 813 , 447 B2
`
`DEVICE AND RELATED METHOD FOR
`ESTABLISHING NETWORK POLICY BASED
`ON APPLICATIONS
`
`Access to applications , files , databases , programs , and
`other capabilities associated with the entirety of a discrete
`network is restricted largely based on the identity of the user
`and / or the network attached functions . For the purpose of the
`description of the present invention , a " user " is a human
`CROSS REFERENCE TO RELATED
`being who interfaces via a computing device with the
`APPLICATIONS
`services associated with a network . For further purposes of
`clarity , a " network attached function ” or an " attached func
`This application is related to the following applications
`tion ” may be a user connected to the network through a
`owned by a common assignee and all of which were filed on
`the same date as the present application . All are incorporated 10 computing device and a network interface device , an
`attached device connected to the network , a function using
`herein by reference . The related applications are identified
`the services of or providing services to the network , or an
`by title and corresponding serial number as follows : A
`application associated with an attached device . Upon
`DEVICE AND RELATED METHOD FOR DYNAMIC
`authentication or other form of confirmation of the offered
`TRAFFIC MIRRORING POLICY , Ser . No . 13 / 835 , 679 , A
`15 attached function identity , the attached function may access
`DEVICE AND RELATED METHOD FOR DYNAMIC
`network services at the level permitted for that identifica
`TRAFFIC MIRRORING , Ser . No . 13 / 835 , 815 , A DEVICE
`tion . For purposes of the present description , “ network
`AND RELATED METHOD FOR APPLICATION IDEN
`services ” include , but are not limited to , access , Quality of
`TIFICATION , Ser . No . 13 / 836 , 195 , A SYSTEM AND
`Service ( QoS ) , bandwidth , priority , computer programs ,
`RELATED METHOD FOR NETWORK MONITORING 20 computer applications , databases , files , and network and
`server control systems that attached functions may use or
`AND CONTROL BASED ON APPLICATIONS , Ser . No .
`13 / 836 , 371 , and A DEVICE AND RELATED METHOD
`manipulate for the purpose of conducting the business of the
`FOR SCORING APPLICATIONS RUNNING ON A NET
`enterprise employing the network as an enterprise asset .
`WORK , Ser . No . 13 / 836 , 545 .
`A network administrator grants particular permissions to
`25 particular attached functions by establishing network use
`BACKGROUND OF THE INVENTION
`policies which are enforced at various points in the network .
`A network policy is an action ( or nonaction ) to be under
`1 . Field of the Invention
`taken based on the existence or occurrence of a defined
`condition or event . An " event " for purposes of describing the
`The present invention relates to computer - based networks
`and their components . More particularly , the present inven - 30 present invention , is a detectable or discernible occurrence
`tion relates to use , operation and control of the network
`that may be considered to have an impact on network
`operations or performance . Events may be defined by the
`2 . Description of the Prior Art
`Interconnected computing systems having some sort of
`network administrator . Some events warrant the undertaking
`commonality form the basis of a network . A network permits
`of an action to respond , address or otherwise account for
`communication or signal exchange through packet forward - 35 those events . Events that warrant the undertaking of some
`ing among computing systems of a common group in some
`action may be referred to herein as “ triggers . ” Examples of
`selectable way . The interconnection of those computing
`events that may be trigger events include , but are not limited
`systems , as well as the devices that regulate and facilitate the
`to , time outs , link changes up or down , link speed changes ,
`exchange among the systems , represent a network . Further ,
`user changes , device changes , device additions , network
`networks may be interconnected together to establish inter - 40 service changes , access device changes , location changes ,
`networks . For purposes of the description of the present
`Intrusion Detection System ( IDS ) or Firewall events , appli
`invention , the devices and functions that establish the inter -
`cation access requests , priority change requests , protocol
`connection represent the network infrastructure . The users ,
`changes , the addition of a wireless access user , policy
`computing devices and the like that use that network infra -
`changes made , bandwidth changes , routing link changes ;
`structure to communicate are referred to herein as attached 45 changes of monitored conditions , local and remote policy
`functions and will be further defined . The combination of the
`changes and network system changes . More generally for
`attached functions and the network infrastructure will be
`purposes of the description of the present invention , a
`referred to as a network system .
`" trigger " is any detected or observed event , activity , occur
`The process by which the various computing systems of
`rence , information or characteristic identified in a network
`a network or internetwork communicate is generally regu - 50 system by the network administrator as being of interest for
`lated by agreed - upon signal exchange standards and proto -
`the purpose of making a modification to an assigned set of
`cols embodied in network interface cards or circuitry and
`policies . The types of triggers that define usage restrictions
`software , firmware and microcoded algorithms . Such stan -
`may be of any type of interest to the network administrator .
`dards and protocols were borne out of the need and desire to
`Network policies are generally directed to administration ,
`provide interoperability among the array of computing sys - 55 management , and / or control of access to or usage of network
`tems available from a plurality of suppliers . Two organiza -
`services . A network policy may also be a policy abstraction
`tions that have been responsible for signal exchange stan
`that is the translation of one or more network policies to a
`dardization are the Institute of Electrical and Electronic
`different level of abstraction . For example , multiple network
`Engineers ( IEEE ) and the Internet Engineering Task Force
`use policies may be bundled into a higher - level abstract
`( IETF ) . In particular , the IEEE standards for internetwork 60 network policy for ease of handling and naming ; a network
`operability have been established , or are in the process of
`policy set is simply a policy composed of one or more
`being established , under the purview of the IEEE 802
`policies .
`committee on Local Area Networks ( LANs ) and Metropoli -
`The network policies are typically defined in and regu
`tan Area Networks ( MAN ) . The IEEE standards include
`lated through a network policy server device of the network
`many well defined methods of wired , fiber optic and Radio 65 infrastructure controlled by the administrator . The estab
`Frequency ( RF or wireless ) methods of network communi -
`lished policies are transmitted to network interface devices
`cations and are well known to those skilled in the art .
`of the network infrastructure , referred to herein as packet
`
`Ex. 1007
`Juniper Networks, Inc. / Page 20 of 39
`
`

`

`US 9 , 813 , 447 B2
`
`the network system includes , for example , denying access to
`forwarding devices , at a point of connection to an attached
`the network , denying access to the service , once access to
`function . That connection point is referred to herein as a port
`the network is allowed , intentionally tying up network
`of the packet forwarding device . As part of the authentica -
`computing resources , intentionally forcing bandwidth avail
`tion process , a particular set of policies are established by
`the administrator for that attached function . That is , the port 5 ability reduction , and restricting , denying or modifying
`at which that attached function is attached to the packet
`network - related information . Intrusion Detection Systems
`forwarding device is configured to effect those policies ,
`are used to monitor the traffic associated with network
`often by installing other policies or installing or enabling a
`sessions in an effort to detect harmful activity . However , IDS
`set of rules for the policy . For example , QoS , bandwidth , and
`functions normally only monitor traffic and analyze the
`priority levels may be set at certain values for one identified 10 traffic flow for harm , they do not analyze other information
`attached function and at different levels for another attached
`nor do they generate or enforce policies . They are designed
`function .
`to observe the packets , the state of the packets , and patterns
`A network session is the establishment of an association
`of usage of the packets entering or within the network
`between an attached function and one or more network
`infrastructure for harmful behavior . There is some limited
`services through the network infrastructure . The session 15 capability to respond automatically to a detected intrusion
`includes a series of electronic signal exchanges referred to as
`including through intrusion prevention systems . However ,
packets and one or more packets to the same destination is typically referred to as a flow. It is to be understood that a network system may be embodied in the combination or interrelation between one or more attached functions and one or more network infrastructure devices. At the outset of a network session, often in relation to the authentication of the attached function seeking to initiate the session, an association is created between the session and one or more network services, constrained by one or more network policies established by the administrator through a network control manager device such as the network policy server and carried out or enforced by one or more of the packet forwarding devices of the network infrastructure.

Access to network services may be limited by conditions other than attached function user authentication. For example, an attached function seeking usage of a discrete network system through virtual private networking may be isolated from certain network services simply because private network entry is made through a public portal such as the internet. It is also understood that in certain settings offering wireless connectivity, network usage may be limited upon detection of attached function attempts to seek unauthorized access to specified restricted network services. However, these isolated efforts at network user control based on something other than user identification authentication are insufficient for complete network control and security. What is needed is a comprehensive and integrated system for controlling network usage for all users and devices at all times and to allow users to access the network services from alternate or unknown devices or device types. Additionally, authorized users may at times use the network in unauthor-

these detection systems are configured to search for specific patterns of signals that represent harmful activity. The benefit of the IDS is dependent on the effectiveness of the library of signatures used to detect harmful transmissions. IDSs frequently implement a signature language that includes functionality allowing a security analyst to describe harmful activity on the network. Such signature languages are fairly complex in order to deal with application layer encodings, handle evasion techniques leveraged by attackers, reduce false positives and generally provide a reliable way to describe the characteristics of current network harm efforts. Applications that may be harmful to the network or at least that can slow down network processes that are not of sufficient importance to the enterprise can be difficult to reliably characterize or “fingerprint” due to efforts to evade such characterizations. Encrypted Bittorrent and Skype are examples of such applications that are difficult to fingerprint. It would be desirable to have a network function that can fingerprint applications in an effective manner. To the extent any IDS has some form of application detection functionality, it is limited to evaluating for malicious activity. The network administrator, in order to be more effective in protecting network services and maximizing network efficiency, would prefer to have characterization of as many applications used on the network as possible, regardless of whether any of the applications are malicious.

From the security and usage efficiency perspectives, the network systems industry has had some difficulty keeping pace with the explosion in the number and types of applications used on networks. This revolution is being powered by new models for application avail
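As an added illustration of the flow and application-based policy idea described above (this is not code from the patent or from Extreme Networks): packets are grouped into flows by 5-tuple, each flow is labelled by a hypothetical classifier, and the policy bound to the session acts on that label whether or not the application is malicious. The port lookup table, the policy table and the packet data are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass

# Five-tuple that identifies a flow (packets sharing src, dst, ports, proto).
FlowKey = namedtuple("FlowKey", "src dst sport dport proto")

@dataclass
class Flow:
    key: FlowKey
    packets: int = 0
    octets: int = 0
    app: str = "unknown"  # application label assigned by the classifier

# Hypothetical classifier stand-in (constructed): a port/protocol lookup.
# The text notes real classifiers must also cope with applications that
# evade fingerprinting, which a static port table cannot do.
APP_BY_PORT = {(443, "tcp"): "https", (6881, "tcp"): "bittorrent", (53, "udp"): "dns"}

def classify(key: FlowKey) -> str:
    return APP_BY_PORT.get((key.dport, key.proto), "unknown")

def build_flows(packets):
    """Group packets into flows keyed by 5-tuple and label each flow."""
    flows = {}
    for pkt in packets:
        key = FlowKey(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        flow = flows.setdefault(key, Flow(key, app=classify(key)))
        flow.packets += 1
        flow.octets += pkt["len"]
    return flows

# Constructed policy: per session role, application -> action. The action
# constrains an application regardless of whether it is malicious.
POLICY = {
    "guest":    {"https": "allow", "dns": "allow", "bittorrent": "deny", "unknown": "rate-limit"},
    "employee": {"https": "allow", "dns": "allow", "bittorrent": "deny", "unknown": "allow"},
}

def decide(role: str, flow: Flow) -> str:
    """Action for one flow under the policy bound to the session's role."""
    return POLICY[role].get(flow.app, "deny")

def enforce(role: str, packets) -> dict:
    """Map each flow (by its 5-tuple) to the policy action for this role."""
    return {flow.key: decide(role, flow) for flow in build_flows(packets).values()}

# Constructed sample traffic from one attached function at 10.0.0.5.
PACKETS = [
    {"src": "10.0.0.5", "dst": "93.184.216.34", "sport": 51000, "dport": 443, "proto": "tcp", "len": 512},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "sport": 51000, "dport": 443, "proto": "tcp", "len": 1400},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "sport": 51001, "dport": 6881, "proto": "tcp", "len": 200},
    {"src": "10.0.0.5", "dst": "10.0.0.1", "sport": 51002, "dport": 53, "proto": "udp", "len": 64},
]

if __name__ == "__main__":
    for key, action in enforce("guest", PACKETS).items():
        print(f"{key.src}:{key.sport} -> {key.dst}:{key.dport}/{key.proto}: {action}")
```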