USING LEARNED FLOW REPUTATION AS A HEURISTIC TO CONTROL DEEP PACKET INSPECTION UNDER LOAD

摘要

A network appliance can adjust the amount of deep packet inspection performed by the network appliance as a function of load. In one example, the network appliance can be configured to utilize load (e.g., of its internal processors) and reputation of data flows to determine when selected trusted flows can bypass inspection performed using deep packet analysis. Reputation of data flows can be determined based on historical information regarding a particular flow in combination with a reputation service determining reputation scores based on properties of the data flow (e.g., source, type of data in flow, destination, Internet Protocol domains, etc.). In general, when the network appliance is under heavy load, the more trusted flows are allowed to pass through without in depth inspection.

主权项

1. A network device configured to perform analysis of network traffic, the network device comprising:
one or more processors; one or more network communication interfaces; and a memory communicatively coupled to the one or more processors, wherein the memory stores instructions to cause the one or more processors to:
receive network packets from the one or more communication interfaces, the network packets associated with a network flow;determine that current load of the network device is above a first pre-defined threshold;obtain an indication of a first trust level for the network flow; andallow the received network packets to proceed through the network device based upon a determination that current load and first flow trust level permit the received network packets to proceed without further analysis.