System and method for real-time analysis of network traffic

US 10,250,755 B2
Filed: 03/19/2018
Issued: 04/02/2019
Est. Priority Date: 09/13/2013
Status: Active Grant

First Claim

Patent Images

1. A set of one or more tangible, non-transitory, machine-readable media storing instructions that when executed by one or more processors effectuate operations to monitor network traffic, the operations comprising:

obtaining, with one or more processors, a mirrored data flow of network traffic routed through a network element of a network, wherein;

the network traffic is transmitted as packets, via the network element, between respective endpoints in communication with the network;

respective portions of the packets are encoded according to a plurality of different respective protocols;

the network traffic includes packets having instructions by which network events are effectuated; and

the network events include network session events;

before a first network session event among the network session events completes, determining, with one or more processors, based on at least part of the mirrored data flow, that the first network session event is actionable, wherein determining that the first network session event is actionable comprises;

filtering the packets in the mirrored data flow to identify a subset of the packets pertaining to a type of network session events based on the subset of the packets being encoded in one or more protocols that are a specified subset of protocols among the plurality of protocols;

writing the subset of the packets from the mirrored data flow to a buffer;

decoding at least some of the subset of the packets to obtain decoded information by which the first network session event is requested to be effectuated;

comparing the decoded information of the first network session event to a plurality of conditions specified by a plurality of rules; and

based on at least part of the comparison, determining that the first network session event is actionable;

in response to the determining that the first network session event is actionable, with one or more processors, causing an intervention in the first network session before the first network session completes; and

determining, with one or more processors, that a second network session event among the network sessions is not actionable.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for monitoring a live-data flow through a network includes at least one server communicating with the network. A processor within each of the at least one server implements a first processing node for monitoring a mirrored live-data flow of the live-data flow passing through at least one selected point within the network in a non-intrusive manner that does not affect the live-data flow passing through the at least one selected point. The first processing node decodes data within the mirrored live-data flow according to each protocol associated with the data. The first processing node detects at least one predetermined or deduced condition defined by at least one of a plurality of applications implemented on a second processing node and executes at least one predetermined or deduced response responsive to an indication of occurrence of the at least one predetermined or deduced condition within the decoded data. The first processing node also forwards data from the first processing node to a second processing node data from at least one of the plurality of simultaneous live-data flows based upon occurrence of the at least one predetermined or deduced condition. The processor within the at least one server the processor further implements the second processing node for accessing from the second processing node, external data from an external data source. The second processing node also processes at least a portion of the data forwarded from the first processing node using at least one of the plurality of applications implemented on the second processing node and the external data. The processing of the data by the at least one of the plurality of applications and the external data causes execution of the at least one predetermined or deduced response to determine a manner for controlling an operation of the network at a same time the live-data flow is in active transmission between the endpoints in the network. The operation of the network is controlled in response to the executed at least one predetermined or deduced response while events associated with the live-data flow are occurring within the network.

Citations

31 Claims

1. A set of one or more tangible, non-transitory, machine-readable media storing instructions that when executed by one or more processors effectuate operations to monitor network traffic, the operations comprising:
- obtaining, with one or more processors, a mirrored data flow of network traffic routed through a network element of a network, wherein;
  
  the network traffic is transmitted as packets, via the network element, between respective endpoints in communication with the network;
  
  respective portions of the packets are encoded according to a plurality of different respective protocols;
  
  the network traffic includes packets having instructions by which network events are effectuated; and
  
  the network events include network session events;
  
  before a first network session event among the network session events completes, determining, with one or more processors, based on at least part of the mirrored data flow, that the first network session event is actionable, wherein determining that the first network session event is actionable comprises;
  
  filtering the packets in the mirrored data flow to identify a subset of the packets pertaining to a type of network session events based on the subset of the packets being encoded in one or more protocols that are a specified subset of protocols among the plurality of protocols;
  
  writing the subset of the packets from the mirrored data flow to a buffer;
  
  decoding at least some of the subset of the packets to obtain decoded information by which the first network session event is requested to be effectuated;
  
  comparing the decoded information of the first network session event to a plurality of conditions specified by a plurality of rules; and
  
  based on at least part of the comparison, determining that the first network session event is actionable;
  
  in response to the determining that the first network session event is actionable, with one or more processors, causing an intervention in the first network session before the first network session completes; and
  
  determining, with one or more processors, that a second network session event among the network sessions is not actionable.

2. A set of one or more tangible, non-transitory, machine-readable media storing instructions that when executed by one or more processors effectuate operations to monitor network traffic on a network by which phone calls are effectuated, the operations comprising:
- obtaining, with one or more processors, a mirrored data flow of network traffic routed through a network element of a network, wherein;
  
  the network traffic is transmitted as packets, via the network element, between respective endpoints in communication with the network;
  
  respective portions of the packets are encoded according to a plurality of different respective protocols;
  
  the network traffic includes packets having instructions by which network events are effectuated;
  
  the network events include phone call events; and
  
  at least some instructions included in the network traffic by which phone call network events are effectuated include an identifier of a respective called phone number and an identifier of a respective calling phone number of at least some respective phone call events;
  
  before a first phone call event among the network events completes, determining, with one or more processors, based on at least part of the mirrored data flow, that the first phone call event is actionable, wherein determining that the first phone call event is actionable comprises;
  
  filtering the packets in the mirrored data flow to identify a subset of the packets pertaining to phone call events based on the subset of the packets being encoded in one or more protocols that are a specified subset of protocols among the plurality of protocols;
  
  writing the subset of the packets from the mirrored data flow to a buffer;
  
  decoding at least some of the subset of the packets to obtain decoded information by which the first phone call event is requested to be effectuated;
  
  comparing the decoded information of the first phone call event to a plurality of conditions specified by a plurality of rules; and
  
  based on at least part of the comparison, determining that the first phone call event is actionable;
  
  in response to the determining that the first phone call event is actionable, with one or more processors, causing an intervention in the first phone call event before the first phone call event completes.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 3. The media of claim 2, wherein:
    - the mirrored data flow is obtained from a port mirror with a parallel observe and duplicate process and not by being a network element process of pass-through-stop-copy-and-forward.
  - 4. The media of claim 2, wherein:
    - the network traffic includes SS7 network traffic;
      
      the one or more protocols of the filtering include ISUP, TCAP, or MAP protocols; and
      
      the decoded information including an identifier of a called or calling phone number of the first phone call event.
  - 5. The media of claim 2, wherein:
    - the plurality of rules include a first rule specifying a first condition, the first condition being a specified calling phone number and the first rule specifying that phone call events are actionable based on phone call events designating the specified calling phone number as a caller; and
      
      the plurality of rules include a second rule specifying a second condition, the second condition being a specified called phone number and the second rule specifying that phone call events are actionable based on phone call events designating the specified called phone number as being called.
  - 6. The media of claim 5, wherein:
    - the first rule specifies a first action responsive to the first rule;
      
      the second rule specifies a second action responsive to the second rule; and
      
      the first action is different from the second action.
  - 7. The media of claim 2, wherein:
    - decoding comprises analyzing packets in the buffer by three or more protocol decoders operating independently in parallel and with no fixed ordering.
  - 8. The media of claim 2, wherein:
    - the buffer provides no-lock, variable time latency multiprocessing of individual packets.
  - 9. The media of claim 2, the operations comprising:
    - allocating, to the buffer, as a single block of memory non-contiguous blocks grouped as a virtual contiguous allocation of memory.
  - 10. The media of claim 2, wherein the operations comprise:
    - steps for simultaneous processing of data packets.
  - 11. The media of claim 2, wherein the operations comprise:
    - after comparing, releasing memory addresses of the buffer storing compared packets; and
      
      based on the comparing, determining to perform subsequent analysis after the comparing, the subsequent analysis comprising;
      
      storing the information by which the first phone call event is requested to be effectuated in an in-memory database that is different from the buffer; and
      
      after storing, executing the subsequent analysis of data in the in-memory database corresponding to a window of time specified by an application use case.
  - 12. The media of claim 11, wherein the subsequent analysis comprises relational processing language driven analysis.
  - 13. The media of claim 11, wherein the subsequent analysis comprises applying a statistical model to the data in the in-memory database corresponding to the window of time.
  - 14. The media of claim 11, wherein the operations comprise:
    - changing at least some of the rules in response to the subsequent analysis.
  - 15. The media of claim 2, wherein the operations comprise:
    - steps for detecting international roaming fraud.
  - 16. The media of claim 2, wherein the operations comprise:
    - steps for detecting Wangiri fraud.
  - 17. The media of claim 2, wherein the operations comprise:
    - steps for detecting a number callout scenario for international revenue share fraud.
  - 18. The media of claim 2, wherein the operations comprise:
    - steps for detecting country callout international revenue share fraud.
  - 19. The media of claim 2, wherein the operations comprise:
    - steps for detecting SMS fraud.
  - 20. The media of claim 2, wherein the operations comprise:
    - steps for detecting SMS spam.
  - 21. The media of claim 2, wherein the operations comprise:
    - steps for ensuring service level agreement compliance.
  - 22. The media of claim 2, wherein the operations comprise:
    - steps for live-data usage verification and notification.
  - 23. The media of claim 2, wherein the operations comprise:
    - instantiating an ingestor node; and
      
      instantiating a semantic node.
  - 24. The media of claim 23, wherein the operations comprise:
    - executing a first set of virtual machines configured to filtering the packets; and
      
      executing a second set of virtual machines configured to analyze filtered packets and determine whether to change the filtering, wherein the first set of virtual machines is different from the second set of virtual machines.
  - 25. The media of claim 2, wherein causing the intervention in the first phone call event before the first phone call event completes comprises:
    - causing the first phone call event to be shaped.
  - 26. The media of claim 2, wherein causing the intervention in the first phone call event before the first phone call event completes comprises:
    - causing the first phone call event to be truncated.
  - 27. The media of claim 2, wherein causing the intervention in the first phone call event before the first phone call event completes comprises:
    - causing the first phone call event to be redirected.
  - 28. The media of claim 2, wherein causing the intervention in the first phone call event before the first phone call event completes comprises:
    - causing the first phone call event to be trapped.
  - 29. The media of claim 2, wherein causing the intervention in the first phone call event before the first phone call event completes comprises:
    - causing the first phone call event to be stopped.
  - 30. The media of claim 2, wherein the one or more protocols include voice-over-Internet-Protocol.

31. A method, comprising:
- obtaining, with one or more processors, a mirrored data flow of network traffic routed through a network element of a network, wherein;
  
  the network traffic is transmitted as packets, via the network element, between respective endpoints in communication with the network;
  
  respective portions of the packets are encoded according to a plurality of different respective protocols;
  
  the network traffic includes packets having instructions by which network events are effectuated;
  
  the network events include phone call events; and
  
  at least some instructions included in the network traffic by which phone call network events are effectuated include an identifier of a respective called phone number and an identifier of a respective calling phone number of at least some respective phone call events;
  
  before a first phone call event among the network events completes, determining, with one or more processors, based on at least part of the mirrored data flow, that the first phone call event is actionable, wherein determining that the first phone call event is actionable comprises;
  
  filtering the packets in the mirrored data flow to identify a subset of the packets pertaining to phone call events based on the subset of the packets being encoded in one or more protocols that are a specified subset of protocols among the plurality of protocols;
  
  writing the subset of the packets from the mirrored data flow to a buffer;
  
  decoding at least some of the subset of the packets to obtain decoded information by which the first phone call event is requested to be effectuated;
  
  comparing the decoded information of the first phone call event to a plurality of conditions specified by a plurality of rules; and
  
  based on at least part of the comparison, determining that the first phone call event is actionable;
  
  in response to the determining that the first phone call event is actionable, with one or more processors, causing an intervention in the first phone call event before first the phone call event completes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Network Kinetix, Llc
Original Assignee
Network Kinetix, Llc
Inventors
Richards, Carissa, Richards, Peter
Primary Examiner(s)
Katsikis, Kostas J

Application Number

US15/925,357
Publication Number

US 20180213089A1
Time in Patent Office

379 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5016   the resource being the memory

H04L 41/0816   the condition being an adap...

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 41/5009   Determining service level p...

H04L 41/5051   Service on demand, e.g. def...

H04L 43/08   Monitoring or testing based...

H04L 43/0894   Packet rate

H04L 43/16   Threshold monitoring

H04L 47/10   Flow control; Congestion co...

H04M 15/47   Fraud detection or preventi...

H04M 15/8214   Data or packet based

H04M 15/8228   Session based

H04M 3/2218   Call detail recording

H04W 12/128   Anti-malware arrangements, ...

System and method for real-time analysis of network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for real-time analysis of network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links