System and method for retrospective network traffic analysis
First Claim
1. A network traffic monitoring system comprising:
- a processing device;
- a traffic intercept device configured to intercept and copy network traffic traversing a network;
- a stream tracking device coupled to the traffic intercept device configured to receive the copied packets from the intercept network traffic device, wherein the copied packets are associated with a plurality of respective traffic streams included in the network traffic;
- a security device coupled to the stream tracking device configured to detect attacks in the network traffic traversing on the network;
- a first memory storage for storing the copied packets of the intercepted network traffic for a first time period;
- a second memory storage for storing at least a portion of the copied packets in the first memory for a second time period, wherein the second time period is greater than the first time period; and
- a processing device configured to:
  - store the copied packets in the first memory;
  - maintain an ordered list per traffic stream of copied packets that are stored in the first memory;
  - remove selected copied packets from first memory based on a storage constraint, the copied packets being selected based on their positions in the respective ordered lists in which they are included;
  - receive an attack alert from the security device identifying a packet that is involved in a network attack;
  - identify the traffic stream stored in the first memory storage that includes the packet identified; and
  - transfer stored copied packets that are included in the identified traffic stream from the first memory storage to the second memory storage, wherein transferring the copied packets from the first memory storage includes removing the transferred copied packets from the first memory storage.
Abstract
A method is provided to monitor network traffic, including reserving a portion of a system memory for short-term storage of copied network traffic, wherein the system memory is volatile, receiving copied packets of intercepted network traffic traversing a network, wherein the packets are associated with a plurality of respective traffic streams included in the network traffic, storing the copied packets in the portion of the system memory, maintaining an ordered list per traffic stream of copied packets that are stored, removing copied packets selected, based on their positions in their respective ordered lists, from the portion of the system memory based on a storage constraint, receiving an attack alert identifying a packet that is involved in a network attack, identifying the traffic stream that includes the packet identified, and transferring stored copied packets that are included in the identified traffic stream from the portion of the system memory to a long-term storage device.
13 Claims
Claim 1 is reproduced above under First Claim; claims 2 to 7 depend on it.
8. A method of monitoring a network comprising:
- reserving a first portion of system memory for short-term storage of copied network traffic, the system memory being volatile;
- reserving a second portion of the system memory for long-term storage of copied network traffic moved from the first portion of the system memory;
- receiving copied packets of intercepted network traffic traversing a network, the packets being associated with a plurality of respective traffic streams included in the network traffic;
- storing the copied packets in the first portion of the system memory;
- maintaining an ordered list per traffic stream of copied packets that are stored;
- removing selected copied packets from the first portion of the system memory based on a storage constraint, the copied packets being selected based on their positions in the respective ordered lists in which they are included;
- receiving an attack alert identifying a packet that is involved in a network attack;
- identifying the traffic stream that includes the packet identified; and
- transferring stored copied packets that are included in the identified traffic stream from the first portion of the system memory to the second portion of the system memory, wherein transferring the copied packets to the second portion of the system memory includes removing the transferred copied packets from the first portion of the system memory.
Claims 9 to 12 depend on claim 8.
13. A non-transitory computer readable storage medium and one or more computer programs embedded therein, the computer programs comprising instructions, which when executed by a computer system, cause the computer system to:
- reserve a first portion of a system memory of the computer system for short-term storage of copied network traffic, the system memory being volatile;
- reserve a second portion of the system memory for long-term storage of copied network traffic moved from the first portion of the system memory;
- receive copied packets of intercepted network traffic traversing a network, the packets being associated with a plurality of respective traffic streams included in the network traffic;
- store the copied packets in the portion of the system memory;
- maintain an ordered list per traffic stream of copied packets that are stored;
- remove selected copied packets from the portion of the system memory based on a storage constraint, the copied packets being selected based on their positions in the respective ordered lists in which they are included;
- receive an attack alert identifying a packet that is involved in a network attack;
- identify the traffic stream that includes the packet identified; and
- transfer stored copied packets that are included in the identified traffic stream from the first portion of the system memory to the second portion of the system memory, wherein transferring the copied packets to the second portion of the system memory includes removing the transferred copied packets from the first portion of the system memory.
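As an added illustration, not code from the patent or its assignee, the following Python simulates the procedure that the abstract and claims 1, 8 and 13 describe: a bounded volatile short-term buffer that keeps copied packets in one ordered list per traffic stream, evicts packets from the heads of those lists when a storage constraint is reached, and, when an alert names a packet, moves that packet's whole stream to long-term storage while removing it from the short-term buffer. The stream key (a constructed 5-tuple), a packet-count storage constraint, and the choice to evict the globally oldest list head are assumptions made here; the patent text does not fix those details. The example also exercises the failure mode a defender has to size for: an alert that arrives after the packet has already aged out of the short-term buffer cannot recover the stream.

```python
"""Added example (not the patent's own code): retrospective capture with a
per-stream ordered short-term buffer and alert-driven promotion of a whole
stream to long-term storage."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int          # capture sequence number; stands in for a timestamp
    stream: tuple     # assumed stream key: (src, sport, dst, dport, proto)
    payload: bytes


class RetrospectiveCapture:
    """First memory: per-stream ordered lists under a storage constraint.
    Second memory: streams promoted by an alert, held for longer."""

    def __init__(self, short_term_limit: int):
        self.short_term_limit = short_term_limit   # assumed constraint: packet count
        self.short_term: dict[tuple, deque] = {}   # stream key -> ordered packets
        self.long_term: dict[tuple, list] = {}     # stream key -> retained packets
        self._index: dict[int, tuple] = {}         # packet seq -> stream key (short-term only)
        self.evicted = 0

    def short_term_size(self) -> int:
        return sum(len(q) for q in self.short_term.values())

    def ingest(self, pkt: Packet) -> None:
        """Append the copied packet to its stream's ordered list, then enforce
        the storage constraint by removing packets from the list heads."""
        self.short_term.setdefault(pkt.stream, deque()).append(pkt)
        self._index[pkt.seq] = pkt.stream
        while self.short_term_size() > self.short_term_limit:
            self._evict_oldest()

    def _evict_oldest(self) -> None:
        # Candidates are the head (oldest) packet of every stream list; the
        # globally oldest head is dropped (assumed policy). Empty lists go too.
        key = min(self.short_term, key=lambda k: self.short_term[k][0].seq)
        victim = self.short_term[key].popleft()
        del self._index[victim.seq]
        if not self.short_term[key]:
            del self.short_term[key]
        self.evicted += 1

    def on_alert(self, packet_seq: int):
        """Handle an alert naming one packet: find the stream that still holds
        it in short-term memory and move the entire stream to long-term
        storage. Returns the stream key, or None when the packet has already
        aged out, in which case the stream cannot be recovered."""
        key = self._index.get(packet_seq)
        if key is None:
            return None
        moved = self.short_term.pop(key)
        for pkt in moved:
            del self._index[pkt.seq]
        self.long_term.setdefault(key, []).extend(moved)
        return key


def demo() -> dict:
    """Constructed scenario: two interleaved flows, a buffer of six packets,
    one stale alert and one alert that lands inside the retention window."""
    cap = RetrospectiveCapture(short_term_limit=6)
    flow_a = ("10.0.0.5", 51234, "10.0.0.9", 22, "tcp")    # constructed
    flow_b = ("10.0.0.7", 44321, "10.0.0.9", 443, "tcp")   # constructed
    for seq in range(8):                                  # seq 0..7 alternate a, b
        stream = flow_a if seq % 2 == 0 else flow_b
        cap.ingest(Packet(seq, stream, b"payload-%d" % seq))
    stale = cap.on_alert(0)   # seq 0 was evicted at seq 6: nothing to recover
    hit = cap.on_alert(5)     # seq 5 is in flow_b: whole stream is promoted
    return {
        "cap": cap,
        "flow_a": flow_a,
        "flow_b": flow_b,
        "stale": stale,
        "hit": hit,
        "retained_seqs": [p.seq for p in cap.long_term.get(flow_b, [])],
    }


if __name__ == "__main__":
    r = demo()
    print("stale alert recovered:", r["stale"])
    print("alert on seq 5 promoted stream:", r["hit"])
    print("long-term packets for that stream:", r["retained_seqs"])
    print("short-term packets left:", r["cap"].short_term_size(),
          "evicted:", r["cap"].evicted)
```

The stale alert shows why the first time period matters: the short-term window must cover the detector's worst-case alert latency, otherwise the stream the alert points at has already been overwritten and the long-term store receives nothing.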