(19) World Intellectual Property Organization, International Bureau

(43) International Publication Date: 6 August 2015 (06.08.2015)

(10) International Publication Number: WO 2015/116538 A1

WIPO | PCT

(51) International Patent Classification: H04L 12/26 (2006.01)

(21) International Application Number: PCT/US2015/012915

(22) International Filing Date: 26 January 2015 (26.01.2015)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data:
61/932,650, 28 January 2014 (28.01.2014), US
61/994,693, 16 May 2014 (16.05.2014), US
62/088,434, 5 December 2014 (05.12.2014), US
14/603,304, 22 January 2015 (22.01.2015), US

(71) Applicant: BROCADE COMMUNICATIONS SYSTEMS, INC. [US/US]; 130 Holger Way, San Jose, California 95134 (US).

(72) Inventors: HSU, Ivy Pei-Shan; 3723 Edgeeomb Court, Dublin, California 94568 (US). CHHABRIA, Sanjeev Nand; 22769 Lakemont Place, Castro Valley, California 94552 (US). CHEN, Xiaochu; 193 Lucy Lane, San Ramon, California 94582 (US). MUNSHI, Sanjay; 715 Bowen Court, San Ramon, California 94582 (US). NARASIMHAN, Arvindsrinivasan Lakshmi; 4355 Renaissance Drive, Apt 320, San Jose, California 95134 (US).

(74) Agents: LEE, Andrew, J. et al.; Fountainhead Law Group PC, 900 Lafayette Street, Suite 301, Santa Clara, CA 95050 (US).

(81) Designated States (unless otherwise indicated, for every kind of national protection available): AE, AG, AL, AM, AO, AT, AU, AZ, BA, BB, BG, BH, BN, BR, BW, BY, BZ, CA, CH, CL, CN, CO, CR, CU, CZ, DE, DK, DM, DO, DZ, EC, EE, EG, ES, FI, GB, GD, GE, GH, GM, GT, HN, HR, HU, ID, IL, IN, IR, IS, JP, KE, KG, KN, KP, KR, KZ, LA, LC, LK, LR, LS, LU, LY, MA, MD, ME, MG, MK, MN, MW, MX, MY, MZ, NA, NG, NI, NO, NZ, OM, PA, PE, PG, PH, PL, PT, QA, RO, RS, RU, RW, SA, SC, SD, SE, SG, SK, SL, SM, ST, SV, SY, TH, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, ZA, ZM, ZW.

[Continued on next page]

(54) Title: SESSION-BASED PACKET ROUTING FOR FACILITATING ANALYTICS

(57) Abstract: A GTP correlation cluster (GCC) (120) can automatically program a network element to forward copies of packets originating from a mobile device and having a shared attribute to the same analytic server, regardless of the regions into which the mobile device moves. The GCC can monitor attributes of copies of control packets that the network element (118) receives. In response to detecting a changed attribute within a control packet originating from a mobile device, the GCC can update a session map specific to that mobile device in order to cause packets having that changed attribute to be forwarded to the same port to which packets having the former attribute were being forwarded prior to the change. As a result, the network element can ensure that packets belonging to a particular session still are forwarded to the same analytic server (130A, 130B, 130N) even if the mobile device has moved to a different region.

[Front-page figure: FIG. 4]

(84) Designated States (unless otherwise indicated, for every kind of regional protection available): ARIPO (BW, GH, GM, KE, LR, LS, MW, MZ, NA, RW, SD, SL, ST, SZ, TZ, UG, ZM, ZW), Eurasian (AM, AZ, BY, KG, KZ, RU, TJ, TM), European (AL, AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HR, HU, IE, IS, IT, LT, LU, LV, MC, MK, MT, NL, NO, PL, PT, RO, RS, SE, SI, SK, SM, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, KM, ML, MR, NE, SN, TD, TG).

Published:
- with international search report (Art. 21(3))

WO 2015/116538

PCT/US2015/012915

SESSION-BASED PACKET ROUTING FOR FACILITATING ANALYTICS

CLAIM OF PRIORITY

[0001] The present application claims priority under 35 U.S.C. § 119(e) to U.S. Provisional Patent Application No. 61/932,650 filed January 28, 2014, titled GTP CORRELATION CLUSTER; U.S. Provisional Patent Application No. 61/994,693 filed May 16, 2014, titled GENERAL PACKET RADIO SERVICE TUNNELING PROTOCOL CORRELATION CLUSTER; U.S. Provisional Patent Application No. 62/088,434 filed December 5, 2014, titled SESSION-BASED PACKET ROUTING FOR FACILITATING ANALYTICS; and to U.S. Patent Application No. 14/603,304 filed January 22, 2015, titled SESSION-BASED PACKET ROUTING FOR FACILITATING ANALYTICS; the entire contents of each of which are incorporated herein by reference for all purposes.

BACKGROUND

[0002] The disclosure herein pertains generally to the field of telecommunications, and more specifically to techniques for routing duplicates of data packets to analytic servers.

[0003] General Packet Radio Service (GPRS) is a standard for wireless communications which enables data to be transmitted at speeds up to 115 kilobits per second, compared with Global System for Mobile Communications (GSM) systems' 9.6 kilobits per second. GPRS, which supports a wide range of bandwidths, makes efficient use of limited bandwidth and is suitable for sending and receiving small bursts of data, such as email and Web browsing, as well as large volumes of data.

[0004] GPRS Tunneling Protocol (GTP) is a group of Internet Protocol (IP)-based communications protocols used to carry packets conforming to the GPRS standard within GSM, UMTS and LTE networks. In Third Generation Partnership Project architectures, GTP and Proxy Mobile IPv6-based interfaces are specified on various interface points. GTP can be decomposed into separate protocols, including GTP-C and GTP-U. In 3G and 4G wireless networks, GTP-C messages are control messages used between the network elements to activate and de-activate sessions originating from mobile user endpoints. As an example, in 3G networks, GTP-C is used within a GPRS core network for signaling between gateway GPRS support nodes (GGSN) and serving GPRS support nodes (SGSN). This allows the SGSN to activate a session on a user's behalf, to deactivate the same session, to adjust quality of service parameters, or to update a session for a subscriber who has just arrived from another SGSN. GTP-U is used for carrying user data within a GPRS core network and between a radio access network and the core network. The user data transported can be packets in any of IPv4, IPv6, or Point-to-Point Protocol (PPP) formats.

[0005] An operator of a telecommunication network can find it beneficial to analyze the traffic that flows through that network. Such analysis might be performed for a variety of different reasons. For example, the operator might want to obtain information that could be used as business intelligence. For another example, the operator might want to detect and pre-empt attacks being made through the network. In order to help prevent such attacks, the operator might want to analyze traffic to determine the sources from which different types of traffic originate.

[0006] Such traffic analysis can be performed at an analytic server that the operator maintains. Data packets flowing through the network can be duplicated, and the duplicate packets can be diverted to such an analytic server. Due to the vast amount of traffic that flows through the network, the operator might maintain numerous separate analytic servers that are capable of analyzing different portions of the total traffic concurrently.

[0007] The traffic flowing through a telecommunications network often will represent multiple separate and distinct communication sessions. Such sessions can originate from different mobile devices. Regarding GPRS, a session is a tunnel that is established between two endpoints in a communication network. Communications between those endpoints pass through this established tunnel. In a 3G network, the session is established through the creation of a packet data protocol (PDP) context, a data structure, on both an SGSN endpoint and a GGSN endpoint. This data structure contains session information, contents of which are described further below. The establishment of the session allocates a PDP context in the SGSN with which the mobile device is currently in communication. The establishment of the session further allocates that PDP context in the GGSN that is serving the mobile device user's access point. The data recorded in the PDP context includes: the mobile device's Internet Protocol (IP) address, the mobile device's International Mobile Subscriber Identity (IMSI), a Tunnel Endpoint ID (TEID) at the GGSN, and a Tunnel Endpoint ID (TEID) at the SGSN.

[0008] As is mentioned above, traffic analysis can be performed at an analytic server that an operator maintains. In order for the analysis to be complete, it is desirable that all traffic belonging to a particular communication session be diverted to the same analytic server under circumstances in which multiple analytic servers are analyzing the network traffic.

[0009] Achieving this result can be difficult due to the fact that the traffic in a mobile telecommunications network can originate from mobile devices that, by their nature, tend to move about geographically. As a mobile device moves from one region to another, the mobile device may leave the range of one cellular telephone tower and come into the range of another cellular telephone tower. The point through which the mobile device accesses the telecommunication network can thus change, as the device moves, from one point (e.g., a first cellular telephone tower) to another point (e.g., a second cellular telephone tower). When such a change occurs, the parameters associated with the mobile device's currently active communication sessions are likely to change as well.

[0010] The change in these communication session parameters complicates the task of ensuring that, for each communication session, all of that communication session's traffic will be sent to the same analytic server in a group of such servers. If the parameters associated with a particular communication session change due to the mobile device moving, then network elements that select the analytic server to which duplicate packets should be forwarded might accidentally send subsequent traffic belonging to that particular communication session to a different analytic server than the one to which those network elements had been sending that traffic prior to the change.

SUMMARY

[0011] In certain embodiments, a GTP correlation cluster (GCC) can automatically program a network element, such as a switch, to forward copies of packets originating from a mobile device and having a shared attribute to the same port of that network element. The network element thereby sends the packet copies having the shared attribute to the same analytic server, regardless of the regions into which the mobile device moves.

[0012] To accomplish this, the GCC can monitor attributes of copies of control packets that the network element receives. For example, the GCC can observe source and destination attributes within control packet copies. In response to detecting a changed source attribute (e.g., SGSN) within a control packet originating from a mobile device, the GCC can update a session map specific to that mobile device in order to cause packets having that changed source attribute to be forwarded to the same port to which packets having the former source attribute were being forwarded prior to the change. As a result, the network element can ensure that packets belonging to a particular session still are forwarded to the same analytic server even if the mobile device has moved to a different region.

[0013] When the network element receives a copy of a control packet originating from a mobile device, the network element can forward that control packet copy to the GCC. Information within the control packet copy uniquely identifies the mobile device. The GCC can maintain a separate session map for each separate mobile device.

[0014] Using attributes contained in the control packet, the GCC can create a new session map specifically for the mobile device if one does not already exist. The new session map can associate an identifier of a particular port of the network element with a combination of source and destination attributes (e.g., SGSN and GGSN) contained within the control packet. The GCC can choose the particular port by inputting the combination of source and destination attribute values into a specified function.

[0015] By determining whether the output of the specified function produces a same port identifier as the one specified within an existing session map for the mobile device, the GCC can determine whether a part of that session map has become invalid. Such invalidity can result from the mobile device moving from one area to another, consequently producing a control packet having the same destination attribute (e.g., GGSN) but a different source attribute (e.g., SGSN).

[0016] In response to determining that a part of the session map has become invalid, the GCC can update its session map for the mobile device by changing the source attribute in that part of the session map. Such changing can involve replacing that part of the session map's former source attribute with the control packet's source attribute, while retaining the port that was already specified in that part of the session map. In conjunction with updating the session map, the GCC can program forwarding rules (e.g., an access control list) within the network element. The network element follows these forwarding rules to forward packet copies having this updated attribute combination to the same port to which packet copies having the previous attribute combination were previously forwarded.

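The session-map update described in the summary above, as an added sketch that is not code from the application: `select_port` (SHA-256 modulo the port count), the `ToySwitch` rule table keyed by IMSI, and all addresses are assumptions made for illustration. It detects a move by comparing the stored source attribute directly rather than by comparing the function's output with the stored port, so two SGSNs that happen to map to the same port are still handled.

```python
import hashlib
from dataclasses import dataclass

NUM_PORTS = 48  # one embodiment on the page: 48 analytic servers, one per switch port


@dataclass(frozen=True)
class ControlPacket:
    """Constructed stand-in for the fields of a GTP-C packet copy that the page names."""
    imsi: str  # identifies the mobile device
    sgsn: str  # source attribute; changes when the device moves
    ggsn: str  # destination attribute; stays the same for the session


def select_port(sgsn, ggsn, num_ports=NUM_PORTS):
    """Assumed 'specified function': SHA-256 over the attribute pair, modulo port count."""
    digest = hashlib.sha256(f"{sgsn}|{ggsn}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % num_ports


class ToySwitch:
    """Hypothetical rule table standing in for the switch's forwarding rules (ACL).

    Keyed by IMSI for readability; a real rule has to match on fields that
    data packets actually carry.
    """

    def __init__(self):
        self.rules = {}

    def program(self, imsi, sgsn, ggsn, port):
        self.rules[(imsi, sgsn, ggsn)] = port

    def withdraw(self, imsi, sgsn, ggsn):
        self.rules.pop((imsi, sgsn, ggsn), None)

    def egress_port(self, imsi, sgsn, ggsn):
        return self.rules.get((imsi, sgsn, ggsn))


class GtpCorrelationCluster:
    def __init__(self, switch):
        self.switch = switch
        # imsi -> {ggsn: {"sgsn": ..., "port": ...}}; each GGSN entry is one
        # "part" of that device's session map.
        self.session_maps = {}

    def on_control_packet(self, pkt):
        """Process one control packet copy; return 'created', 'unchanged' or 'moved'."""
        device_map = self.session_maps.setdefault(pkt.imsi, {})
        part = device_map.get(pkt.ggsn)
        if part is None:
            # New session: the function picks the port once, at creation time.
            port = select_port(pkt.sgsn, pkt.ggsn)
            device_map[pkt.ggsn] = {"sgsn": pkt.sgsn, "port": port}
            self.switch.program(pkt.imsi, pkt.sgsn, pkt.ggsn, port)
            return "created"
        if part["sgsn"] == pkt.sgsn:
            return "unchanged"
        # Same destination, different source: this part of the map is stale.
        # Replace the source attribute and keep the port already assigned.
        # Assumption: the rule for the former pair is withdrawn at the same time.
        self.switch.withdraw(pkt.imsi, part["sgsn"], pkt.ggsn)
        part["sgsn"] = pkt.sgsn
        self.switch.program(pkt.imsi, pkt.sgsn, pkt.ggsn, part["port"])
        return "moved"


def demo():
    """One device moves between two SGSNs while its GGSN stays the same."""
    switch = ToySwitch()
    gcc = GtpCorrelationCluster(switch)
    imsi, ggsn = "001010000000001", "192.0.2.10"  # constructed sample values
    first, second = "198.51.100.1", "198.51.100.2"  # constructed SGSN addresses
    events = [gcc.on_control_packet(ControlPacket(imsi, first, ggsn))]
    port_before = switch.egress_port(imsi, first, ggsn)
    events.append(gcc.on_control_packet(ControlPacket(imsi, second, ggsn)))
    port_after = switch.egress_port(imsi, second, ggsn)
    # What re-running the function on the new pair would have chosen instead.
    stateless_port = select_port(second, ggsn)
    return events, port_before, port_after, stateless_port


if __name__ == "__main__":
    events, before, after, stateless = demo()
    print("events:", events)
    print("port before move:", before, "| port after move:", after)
    print("stateless re-hash of the new pair would pick:", stateless)
```
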
BRIEF DESCRIPTION OF THE DRAWINGS

[0017] FIG. 1 is a system diagram illustrating an example of a mobile telecommunication network including a GTP correlation cluster (GCC), according to some embodiments.

[0018] FIG. 2 is a system diagram illustrating an example of a system including a network switch that includes a GTP services card that forwards control packets to a GCC, according to some embodiments.

[0019] FIG. 3A is a flow diagram illustrating parts of a technique that a network switch can perform relative to duplicate GTP packets in order to ensure that such packets belonging to a particular communication session will continue to be directed to the same analytic server regardless of the sub-network from which those packets arrive at the network switch, according to some embodiments.

[0020] FIG. 3B is a flow diagram illustrating parts of a technique that a network switch can perform specifically relative to duplicate GTP-C packets in order to determine whether a communication session has moved to a different sub-network and to program a network switch's GCL accordingly to ensure consistent forwarding of the communication session's duplicate packets to a particular analytic server, according to some embodiments.

[0021] FIG. 4 is a system diagram illustrating an example of a system including a GCC that stores multiple different session maps for multiple different communication sessions, according to some embodiments.

[0022] FIG. 5 is a diagram illustrating an example of a populated session map, according to some embodiments.

[0023] FIG. 6 depicts a simplified block diagram of a network device that may incorporate some embodiments.

[0024] FIG. 7 is a flow diagram illustrating an overview of a technique by which a network node, such as a network switch, can forward packets belonging to a same session to a same analytic server regardless of the diverse network entry points at which those packets entered a telecommunication network, according to some embodiments.

[0025] FIG. 8 is a system diagram illustrating an example of a network switch that contains a GCC and analytic modules, according to some embodiments.

[0026] FIG. 9 is a diagram illustrating another example of a populated session map, according to some embodiments.

DETAILED DESCRIPTION

[0027] In the following description, for the purposes of explanation, specific details are set forth in order to provide a thorough understanding of embodiments of the invention. However, it will be apparent that various embodiments may be practiced without these specific details. The figures and description are not intended to be restrictive.

[0028] Techniques disclosed herein can be used to ensure that a network element, such as a network switch, continues to forward copies of packets originating from a mobile device and having a common attribute (e.g., destination attribute) value to a same port of that network element, thereby to be sent to the same analytic server, regardless of the regions into which the mobile device moves. These techniques can be used to ensure that the network element will not cause copies of packets originating from a mobile device and having a common attribute value to be forwarded to different analytic servers as a result of the mobile device interfacing with different network entry points as the mobile device moves from region to region.

[0029] FIG. 7 is a flow diagram illustrating an overview of a technique by which a network node, such as a network switch, can forward packets belonging to a same session to a same analytic server regardless of the diverse network entry points at which those packets entered a telecommunication network, according to some embodiments. Although FIG. 7 illustrates certain operations being performed in a certain order, some embodiments can involve additional, fewer, or different operations being performed in potentially different orders.

[0030] In block 702, a network node receives a first packet from a first network entry point. For example, a network switch can receive the first packet via a first cellular telephone tower through which a mobile device was interfacing with a telecommunications network when the mobile device originated the first packet.

[0031] In block 704, the network node receives a second packet from a second network entry point. Continuing the example, the network switch can receive the second packet via a second cellular telephone tower through which the mobile device was interfacing with the telecommunications network when the mobile device originated the second packet. The second cellular telephone tower may be in a different location than the first cellular telephone tower. In between the times that the mobile device originated the first and second packets, the mobile device might have moved out of communication range of the first cellular telephone tower and into communication range of the second cellular telephone tower.

[0032] In block 706, the network node determines whether the second packet belongs to a same session to which the first packet belongs. Continuing the example, the network switch can make this determination based on a session mapping between an identifier of the mobile device and attributes of the second packet. Techniques for generating this mapping are described in greater detail below.

[0033] In block 708, in response to determining that the second packet belongs to the same session to which the first packet belongs, the network node forwards the second packet to an analytic server to which the first packet was forwarded. Continuing the example, based on the session mapping, the network switch can determine that the second packet's attributes are mapped to a same identifier to which the first packet's attributes were formerly mapped, and can consequently conclude that the second packet belongs to the same session to which the first packet belongs. Consequently, the network switch can forward the second packet to a same analytic server to which the network switch previously forwarded the first packet, thereby ensuring that packets from the same session will not be diverted to different analytic servers even if the originating mobile device has accessed the telecommunications network from different network entry points.

DIVERTING DUPLICATE GTP TRAFFIC TO ANALYTIC SERVERS

[0034] In a telecommunications network, a network switch can receive packets that originated from different mobile devices and flowed through different cellular towers and network entry points. Such packets can belong to different sessions, with each session identified by a combination of attributes (e.g., an IMSI and a destination attribute value). The network switch can forward copies of these packets to various separate analytic servers. The network switch can also forward the original packets on toward their intended destinations. Using values of attributes specified within the packet copies, the network switch can choose the ports of the network switch to which the packet copies are to be forwarded. Some embodiments described herein ensure that copies of packets belonging to a particular session continue to be forwarded to the same port, and therefore analytic server, even if a value of some attribute of the packets (e.g., a source attribute value) changes. In some embodiments described below, a network switch can use a GTP correlation cluster (GCC) in order to achieve this result.

[0035] FIG. 1 is a system diagram illustrating an example of a mobile telecommunication network 100 including a GTP correlation cluster (GCC), according to some embodiments. A GCC can be a device or program that maintains separate session maps for separate mobile devices, that uses information contained in copies of control packets to update the session maps, and that automatically programs data structures in a network element based on the session maps in order to cause the network element to forward copies of packets to analytic servers in a consistent manner. Network 100 includes both a 3G network and a 4G/LTE network. The 3G network includes a mobile device 102, a support GPRS support node (SGSN) 106, and a gateway GPRS support node (GGSN) 108. The 4G/LTE network includes a mobile device 110, an Evolved Node B (eNodeB) 112, a mobile management entity (MME) 113, a serving gateway (SGW) 114, and a packet data network gateway (PGW) 116. Traffic from both networks flows into a network switch 118. An example of network switch 118 is the MLXe L2/L3 switch from Brocade Communications Systems, Inc. of San Jose. Network switch 118 interfaces with a GTP correlation cluster (GCC) 120. Network switch 118 also stores a set of flow rules 132.

[0036] A tunnel through the network, defined by values within data structures established at network endpoints during a communication session's creation, can be generated for each communication session. Each communication session can be identified by a combination of values of attributes contained within a control packet that is transmitted to establish the communication session (such control packets also can be transmitted when a mobile device begins to interface with a different network entry point (e.g., cell tower)). In some embodiments, each time that a mobile device interfaces with a different cellular tower or other wireless network access point, the mobile device transmits a new control packet identifying a source corresponding to that wireless network access point. The attributes whose values define a session can include, for example, an IMSI and a destination attribute (e.g., GGSN). Packets that travel through a tunnel generated for a session belong to that session.

[0037] The communication sessions to which different subsets of traffic entering network switch 118 belong can be identified using GTP correlation cluster (GCC) 120. Based on these identified communication sessions, network switch 118 forwards copies of packets belonging to the subsets through its ports on toward the various ones of analytic servers 130A-N that are performing analysis relative to the traffic associated with those sessions. Network switch 118 forwards the original packets on towards their intended destinations. Each of analytic servers 130A-N can be associated with a different set of communication sessions. Each of analytic servers 130A-N can perform analysis relative to the packet copies belonging to its associated communication sessions. As a result, no communication session is divided among separate ones of analytic servers 130A-N. In one embodiment, there are 48 separate analytic servers 130A-N, each connected to a separate port of network switch 118. Each of analytic servers 130A-N can receive packet copies, classify those packet copies into different types based on rules and packet attribute values, and determine network sources from which different types of traffic originate. In this manner, for example, network traffic that appears to be associated with an attack, such as a denial-of-service attack, can be identified, and the sources of the attack can be ascertained.

[0038] In some telecommunications networks (one example being the 3G network depicted in FIG. 1), traffic originating from mobile devices such as mobile device 102 can flow from the mobile device to cell phone tower 104 to SGSN 106 to GGSN 108 to network switch 118. Network switch 118 can forward this original traffic on to its intended destinations. Additionally, a tap can be inserted on the connection between SGSN 106 and GGSN 108. A part of the traffic signal flowing through that connection is thereby duplicated and diverted to network switch 118 for analytic purposes. This duplicate data includes GTP-C (control packets) and GTP-U (data packets) 126. Traffic flowing back from network switch 118 toward the mobile devices passes between GGSN 108 to SGSN 106 in the opposite direction. The tap on the connection therefore additionally duplicates a part of the traffic signal flowing back through that connection and also diverts that traffic signal to network switch 118 for analytic purposes.

[0039] The traffic that network switch 118 receives can include packets from multiple different communication sessions. Multiple communication sessions, each involving packets belonging to a particular one of those sessions, can be assigned to a particular one of analytic servers 130A-N. The several communication sessions that may be assigned to a particular analytic server constitute a subset of the total traffic that network switch 118 receives. Each of analytic servers 130A-N can be assigned a different subset of the total traffic, with each subset including multiple communication sessions. Potentially through consultation with GCC 120 (possibly through the application of a hash algorithm), network switch 118 can identify a communication session to which a subset of duplicated traffic, and its constituent packets, belongs. For each duplicated packet, network switch 118 can select, from its ports, the particular port that is associated with the communication session to which that packet belongs. Network switch 118 can then forward the duplicate packet through that selected port to the proper one of analytic servers 130A-N that is handling analytics for that particular communication session.

[0040] In some telecommunications networks (one example being the 4G network depicted in FIG. 1), traffic originating from mobile devices can flow from mobile device 110 to eNodeB 112 to serving gateway (SGW) 114 to packet data network gateway (PGW) 116 to network switch 118. Traffic also can flow from eNodeB 112 to MME 113 to SGW 114. Network switch 118 can forward this original traffic on to its intended destinations. Additionally, a duplication mechanism along the path from mobile device 110 to network switch 118 can generate duplicates of the packets flowing along that path. One example of such a duplication mechanism is a tap that can be inserted on the connection between SGW 114 and PGW 116. Packets flowing through that connection are thereby duplicated and diverted to network switch 118 for analytic purposes. These duplicate packets may include GTP-C (control packets) and GTP-U (data packets) data 128. Packets flowing back toward the mobile devices pass between SGW 114 to mobile device 110 in the opposite direction. The duplication mechanism (e.g., a tap on the connection) therefore additionally duplicates packets flowing back through that connection and also diverts those duplicated packets to network switch 118 for analytic purposes. Additionally or alternatively, duplication mechanisms can include taps elsewhere along paths between mobile device 110 and network switch 118. For example, a tap can be inserted on a connection between eNodeB 112 and SGW 114. GTP-U packets 127 flowing through that connection are thereby duplicated and diverted to network switch 118 for analytic purposes. For another example, a tap can be inserted on a connection between MME 113 and SGW 114. GTP-C packets 125 flowing through that connection are thereby duplicated and diverted to network switch 118 for analytic purposes.

[0041] Again, through consultation with GCC 120, network switch 118 can identify a communication session to which a duplicate packet belongs. For each duplicate packet, network switch 118 can select, from its ports, the particular port that is associated with that packet's communication session. Network switch 118 can then forward the duplicate packet through that port to the proper one of analytic servers 130A-N that is handling all duplicate data packets for the communication session to which those packets belong.

[0042] If a particular mobile device is executing an application that is associated with a particular communication session, then during the course of that particular communication session the mobile device may travel out of range of one cellular telephone tower and into the range of another cellular telephone tower. This change in access point can cause at least some of the parameters (e.g., source) of the particular communication session to change. However, using techniques described herein, in spite of this change, network switch 118 can continue to send, to the same one of analytic servers 130A-N, the duplicated traffic for that communication session both before and after the movement.

[0043] Each mobile device is typically associated with a unique International Mobile Subscriber Identity (IMSI) number. When a mobile device establishes a new communication session, the mobile device includes its unique IMSI within the first control packet that the mobile device sends through the telecommunication network. Each communication session can be identified based on a combination of attributes, such as IMSI and destination address, for example. The control packet indicates the source IP address from which subsequent non-control data packets belonging to the same communication session as the control packet will originate. However, although those subsequent non-control data packets typically do indicate the source IP address, they typically do not indicate the IMSI number. Some embodiments may use an International Mobile Station Equipment Identity (IMEI) of a mobile device in conjunction with or in place of the IMSI as described herein.

[0044] Due to potential changes in source IP address caused by a mobile device travelling from region to region as discussed above, the non-control data packets belonging to a particular communication session may o
