System and method for retrospective network traffic analysis

US 10,243,971 B2
Filed: 03/25/2016
Issued: 03/26/2019
Est. Priority Date: 03/25/2016
Status: Active Grant

First Claim

Patent Images

1. A network traffic monitoring system comprising:

a processing device;

a traffic intercept device configured to intercept and copy network traffic traversing a network;

a stream tracking device coupled to the traffic intercept device configured to receive the copied packets from the intercept network traffic device wherein the copied packets are associated with a plurality of respective traffic streams included in the network traffic;

a security device coupled to the stream tracking device configured to detect attacks in the network traffic traversing on the network;

a first memory storage for storing the copied packets of the intercepted network traffic for a first time period;

a second memory storage for storing at least a portion of the copied packets in the first memory for a second time period wherein the second time period is greater than the first time period; and

a processing device configured to;

store the copied packets in the first memory;

maintain an ordered list per traffic stream of copied packets that are stored in the first memory;

remove selected copied packets from first memory based on a storage constraint, the copied packets being selected based on their positions in the respective ordered lists in which they are included;

receive an attack alert from the security device identifying a packet that is involved in a network attack;

identify the traffic stream stored in the first memory storage that includes the packet identified; and

transfer stored copied packets that are included in the identified traffic stream from the first memory storage to the second memory storage wherein transferring the copied packets from the first memory storage includes removing the transferred copied packets from the first memory storage.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided to monitor network traffic, including reserving a portion of a system memory for short-term storage of copied network traffic, wherein the system memory is volatile, receiving copied packets of intercepted network traffic traversing a network, wherein the packets are associated with a plurality of respective traffic streams included in the network traffic, storing the copied packets in the portion of the system memory, maintaining an ordered list per traffic stream of copied packets that are stored, removing copied packets selected, based on their positions in their respective ordered lists, from the portion of the system memory based on a storage constraint, receiving an attack alert identifying a packet that is involved in a network attack, identifying the traffic stream that includes the packet identified, and transferring stored copied packets that are included in the identified traffic stream from the portion of the system memory to a long-term storage device.

Citations

13 Claims

1. A network traffic monitoring system comprising:
- a processing device;
  
  a traffic intercept device configured to intercept and copy network traffic traversing a network;
  
  a stream tracking device coupled to the traffic intercept device configured to receive the copied packets from the intercept network traffic device wherein the copied packets are associated with a plurality of respective traffic streams included in the network traffic;
  
  a security device coupled to the stream tracking device configured to detect attacks in the network traffic traversing on the network;
  
  a first memory storage for storing the copied packets of the intercepted network traffic for a first time period;
  
  a second memory storage for storing at least a portion of the copied packets in the first memory for a second time period wherein the second time period is greater than the first time period; and
  
  a processing device configured to;
  
  store the copied packets in the first memory;
  
  maintain an ordered list per traffic stream of copied packets that are stored in the first memory;
  
  remove selected copied packets from first memory based on a storage constraint, the copied packets being selected based on their positions in the respective ordered lists in which they are included;
  
  receive an attack alert from the security device identifying a packet that is involved in a network attack;
  
  identify the traffic stream stored in the first memory storage that includes the packet identified; and
  
  transfer stored copied packets that are included in the identified traffic stream from the first memory storage to the second memory storage wherein transferring the copied packets from the first memory storage includes removing the transferred copied packets from the first memory storage.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network traffic monitoring system of claim 1, wherein the ordered list for each traffic stream is ordered based on when the copied packets included in the list were stored in the portion of the system memory.
  - 3. The network traffic monitoring system of claim 2, wherein the storage constraint specifies at least one of a maximum number of copied packets allowed to be stored per traffic stream, a maximum amount of memory space in the system memory allowed to be used to store copied packets per traffic stream, and a maximum amount of time allowed to store a copied data packet.
  - 4. The network traffic monitoring system of claim 1, wherein at least a portion of the copied packets transferred to the long-term storage device were stored in the portion of the system memory before a copy of the identified packet was stored in the portion of the system memory.
  - 5. The network traffic monitoring system of claim 1, wherein the captured packets are captured at a zero-copy stage.
  - 6. The network traffic monitoring system of claim 1, wherein the copied packets transferred to the long-term storage device are removed from the portion of the system memory.
  - 7. The network traffic monitoring system of claim 1, wherein the portion of the system memory for short-term storage of copied network traffic is a majority of the system memory.

8. A method of monitoring a network comprising:
- reserving a first portion of system memory for short-term storage of copied network traffic, the system memory being volatile;
  
  reserving a second portion of the system memory for long-term storage of copied network traffic moved from the first portion of the system memory;
  
  receiving copied packets of intercepted network traffic traversing a network, the packets being associated with a plurality of respective traffic streams included in the network traffic;
  
  storing the copied packets in the first portion of the system memory;
  
  maintaining an ordered list per traffic stream of copied packets that are stored;
  
  removing selected copied packets from the first portion of the system memory based on a storage constraint, the copied packets being selected based on their positions in the respective ordered lists in which they are included;
  
  receiving an attack alert identifying a packet that is involved in a network attack;
  
  identifying the traffic stream that includes the packet identified; and
  
  transferring stored copied packets that are included in the identified traffic stream from the first portion of the system memory to the second portion of the system memory wherein transferring the copied packets to the second portion of the system memory includes removing the transferred copied packets from the first portion of the system memory.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, wherein the ordered list for each traffic stream is ordered based on when the copied packets included in the list were stored in the first portion of the system memory.
  - 10. The method of claim 8, wherein the storage constraint specifies at least one of a maximum number of copied packets allowed to be stored per traffic stream, a maximum amount of memory space in the system memory allowed to be used to store copied packets per traffic stream, and a maximum amount of time allowed to store a copied data packet.
  - 11. The method of claim 8, wherein the captured packets are captured at a zero-copy stage.
  - 12. The method of claim 8, wherein the first portion of the system memory is a majority of the system memory.

13. A non-transitory computer readable storage medium and one or more computer programs embedded therein, the computer programs comprising instructions, which when executed by a computer system, cause the computer system to:
- reserve a first portion of a system memory of the computer system for short-term storage of copied network traffic, the system memory being volatile;
  
  reserve a second portion of the system memory for long-term storage of copied network traffic moved from the first portion of the system memory;
  
  receive copied packets of intercepted network traffic traversing a network, the packets being associated with a plurality of respective traffic streams included in the network traffic;
  
  store the copied packets in the portion of the system memory;
  
  maintain an ordered list per traffic stream of copied packets that are stored;
  
  remove selected copied packets from the portion of the system memory based on a storage constraint, the copied packets being selected based on their positions in the respective ordered lists in which they are included;
  
  receive an attack alert identifying a packet that is involved in a network attack;
  
  identify the traffic stream that includes the packet identified; and
  
  transfer stored copied packets that are included in the identified traffic stream from the first portion of the system memory to the second portion of the system memory wherein transferring the copied packets the second portion of the system memory includes removing the transferred copied packets from the first portion of the system memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Campbell, Aaron, Hand, Christopher R., Murphy, Frank
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/081,198
Publication Number

US 20170279817A1
Time in Patent Office

1,096 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 43/022   by sampling

H04L 43/04   Processing captured monitor...

H04L 43/062   related to network traffic

H04L 43/12   Network monitoring probes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

System and method for retrospective network traffic analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for retrospective network traffic analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links