It is common design practice for networks to be designed hierarchically, for example as shown in FIG. 1A.
A hierarchical network design such as that shown in FIG. 1A involves dividing the network into discrete layers. Each layer, or tier, in the hierarchy provides specific functions that define its role within the overall network. A typical enterprise hierarchical LAN campus network design, for example, includes the following three layers:
    Access Layer 10: Provides workgroup/user access to the network;
    Distribution Layer 20: Provides policy-based connectivity and controls the boundary between the access and core layer; and
    Core Layer 30: Provides fast transport between distribution switches within the enterprise campus.
The network illustrated above has also been divided into three separate broadcast domains 40A-C, indicated from left to right. The benefit of this arrangement is that traffic within a broadcast domain 40A-C is not passed up to a higher level of the network. Accordingly, local traffic remains local.
Many information technology organizations monitor network flows to improve network security. One example of such technology is NETFLOW, which is a feature introduced on CISCO routers that provides the ability to collect Internet Protocol (IP) traffic as it enters or exits an interface of a network device. Various devices in the network may facilitate the collection and analysis of network flow data, including flow collectors and flow analyzers. This collection process allows a network administrator to determine information such as the source and destination of network traffic, class of service, and causes of network congestion. The analysis of flow data may also help in the early detection of cyber-attacks, including malware, Denial of Service (DoS) attacks, and Advanced Persistent Threats. One method for collecting and saving network flow information is by using an IP Flow Information Export (IPFIX) format promulgated by the Internet Assigned Numbers Authority (IANA). This collection of data may be useful in capturing data pertinent to layers 2, 3, and 4 of the OSI reference model (data link, network, and transport layers, respectively).
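The following is an added illustration, not part of the original disclosure, of how a flow collector recovers layer 3 and layer 4 fields from an IPFIX message laid out per RFC 7011. The sample message, its addresses and counters are constructed, and the parser assumes fixed-length IANA information elements, no enterprise-specific fields, and one template record per template set.

```python
import ipaddress
import struct
# IANA information element IDs decoded by this example (fixed-length only).
IE_NAMES = {1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
            8: "sourceIPv4Address", 11: "destinationTransportPort",
            12: "destinationIPv4Address"}

def build_sample_message():
    """Constructed sample: template 256 plus a data set carrying two flows."""
    fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, size) for ie, size in fields)
    flows = [("10.0.0.5", "192.0.2.10", 6, 51514, 443, 8421),
             ("10.0.0.7", "198.51.100.3", 17, 40000, 53, 120)]
    recs = b"".join(ipaddress.IPv4Address(s).packed + ipaddress.IPv4Address(d).packed
                    + struct.pack("!BHHQ", proto, sp, dp, octets)
                    for s, d, proto, sp, dp, octets in flows)
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl       # template set (ID 2)
    body += struct.pack("!HH", 256, 4 + len(recs)) + recs    # data set (ID = template ID)
    # Header: version 10, total length, export time, sequence number, domain ID.
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 0, 1) + body

def parse_ipfix(msg):
    """Return flow records as dicts; raises ValueError on malformed framing."""
    if len(msg) < 16 or struct.unpack_from("!HH", msg, 0) != (10, len(msg)):
        raise ValueError("bad IPFIX version or length")
    templates, flows, off, length = {}, [], 16, len(msg)
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length out of bounds")
        body = msg[off + 4:off + set_len]
        if set_id == 2 and len(body) >= 4:                   # template set
            tid, count = struct.unpack_from("!HH", body, 0)
            if len(body) < 4 + 4 * count:
                raise ValueError("truncated template")
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(count)]
        elif set_id in templates and templates[set_id]:      # data set with known template
            rec_len = sum(size for _, size in templates[set_id])
            for start in range(0, len(body) - rec_len + 1, rec_len):
                rec, pos = {}, start
                for ie, size in templates[set_id]:
                    raw, pos = body[pos:pos + size], pos + size
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = (str(ipaddress.IPv4Address(raw))
                        if ie in (8, 12) else int.from_bytes(raw, "big"))
                flows.append(rec)
        off += set_len
    return flows
```

Data sets whose template has not yet been seen are skipped rather than guessed at, which is why a collector must retain templates per exporter and observation domain.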
Another recent trend in computing, particularly enterprise computing, is the shift to cloud infrastructure, such as those provided by AMAZON, MICROSOFT, RACKSPACE, and others. Much of the impetus for the shift is to reduce expenditures and streamline IT and security operations. One recent report found that there had been 1,900% growth in adoption of cloud computing between 2011 and 2014.
Cloud computing is a kind of Internet-based computing in which shared resources, data and information are provided to computers and other devices on-demand. It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources. Cloud computing and storage solutions provide users and enterprises with various capabilities to store and process their data in third-party data centers. It relies on sharing of resources to achieve coherence and economies of scale.
One concept closely associated with cloud computing is virtualization, which provides a layer of abstraction for computing resources. One type of virtualization involves running programs within a container known as a virtual machine. A virtual machine may allow an application developed for a particular hardware platform to run on the underlying (potentially different) hardware of the cloud computing environment, without any need for modification of the application. It is very common for applications running in the cloud to execute within a virtual machine.
This specification includes references to various embodiments, to indicate that the present disclosure is not intended to refer to one particular implementation, but rather a range of embodiments that fall within the spirit of the present disclosure, including the appended claims. Particular features, structures, or characteristics may be combined in any suitable manner consistent with this disclosure.
Within this disclosure, different entities (which may variously be referred to as “units,” “circuits,” other components, etc.) may be described or claimed as “configured” to perform one or more tasks or operations. This formulation—[entity] configured to [perform one or more tasks]—is used herein to refer to structure (i.e., something physical, such as an electronic circuit). More specifically, this formulation is used to indicate that this structure is arranged to perform the one or more tasks during operation. A structure can be said to be “configured to” perform some task even if the structure is not currently being operated. An “endpoint computer system that is configured to collect information about computing activity” is intended to cover, for example, a device or system that performs this function during operation, even if the device/system in question is not currently being used (e.g., power is not connected to it). Thus, an entity described or recited as “configured to” perform some task refers to something physical, such as a device, circuit, memory storing program instructions executable to implement the task, etc. This phrase is not used herein to refer to something intangible.
The term “configured to” is not intended to mean “configurable to.” An unprogrammed FPGA, for example, would not be considered to be “configured to” perform some specific function, although it may be “configurable to” perform that function. After appropriate programming, the FPGA may then be configured to perform that function.
Reciting in the appended claims that a structure is “configured to” perform one or more tasks is expressly intended not to invoke 35 U.S.C. § 112(f) for that claim element. Accordingly, none of the claims in this application as filed are intended to be interpreted as having means-plus-function elements. Should Applicant wish to invoke Section 112(f) during prosecution, it will recite claim elements using the “means for” [performing a function] construct.
As used herein, the term “based on” is used to describe one or more factors that affect a determination. This term does not foreclose the possibility that additional factors may affect the determination. That is, a determination may be solely based on specified factors or based on the specified factors as well as other, unspecified factors. Consider the phrase “determine A based on B.” This phrase specifies that B is a factor that is used to determine A or that affects the determination of A. This phrase does not foreclose that the determination of A may also be based on some other factor, such as C. This phrase is also intended to cover an embodiment in which A is determined based solely on B. As used herein, the phrase “based on” is synonymous with the phrase “based at least in part on.”