System and method for identifying communication session participants based on traffic patterns
First Claim
1. A method for identifying communication devices that serve as endpoints in the same communication session and for establishing correlations between the users of the communication devices, the method comprising:
- monitoring a plurality of traffic flows exchanged over a communication network;
- determining respective temporal traffic features for the monitored traffic flows;
- identifying communication devices that participate in a same communication session, by finding a match among respective temporal traffic features of the traffic flows exchanged by the communication devices;
- wherein determining the temporal traffic features comprises generating a respective compressed-form signature for each of the traffic flows, and wherein finding the match comprises comparing among signatures of at least some of the traffic flows exchanged by the communication devices; and
- wherein finding the match comprises matching the temporal traffic features between an inbound traffic flow of a first communication device and an outbound traffic flow of a second communication device.
Abstract
A monitoring system monitors traffic flows that are exchanged over a communication network. The system characterizes the flows in terms of their temporal traffic features, and uses this characterization to identify communication devices that participate in the same communication session. By identifying the communication devices that serve as endpoints in the same session, the system establishes correlations between the users of these communication devices. The monitoring system characterizes the flows using traffic features such as flow start time, flow end time, inter-burst time and burst size, and/or statistical properties of such features. The system typically generates compressed-form representations (“signatures”) for the traffic flows based on the temporal traffic features, and finds matching flows by finding similarities between signatures.
16 Claims
11. Apparatus for identifying communication devices that serve as endpoints in the same communication session and for establishing correlations between the users of the communication devices, the apparatus comprising:
- an interface, which is configured to monitor a plurality of traffic flows exchanged over a communication network;
- a processor, which is configured to determine respective temporal traffic features for the monitored traffic flows, and to identify communication devices that participate in a same communication session, by finding a match among the temporal traffic features of the traffic flows exchanged by the communication devices;
- wherein the processor is configured to generate a respective compressed-form signature for each of the traffic flows, and to find the match by comparing among signatures of at least some of the traffic flows exchanged by the communication devices; and
- wherein the processor is configured to find the match by matching the temporal traffic features between an inbound traffic flow of a first communication device and an outbound traffic flow of a second communication device.