Apparatus and method to collect packets related to abnormal connection

US 10,305,754 B2
Filed: 11/04/2016
Issued: 05/28/2019
Est. Priority Date: 12/03/2015
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer, the method comprising:

allocating a packet identifier to each of packets captured from a network, and storing the each packet in a buffer;

associating, with each of the packet identifiers, a connection identifier specifying a connection for a packet identified by the each packet identifier;

detecting a connection to which a primary abnormality is occurring by analyzing packets stored in the buffer;

storing, for each of connections to which the primary abnormality has occurred, a primary-abnormality group of packets to which the packet identifiers associated with the connection identifier of the each connection are allocated, in a first storage region;

detecting a connection to which a secondary abnormality is occurring, based on a statistical value related to results of analyses on packets captured in a sampling duration; and

writing, in a second storage region, secondary-abnormality groups of packets related to connections to which the secondary abnormality has occurred, among the primary-abnormality groups of packets stored in the first storage region.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus allocates a packet-identifier to each packet captured from a network, and stores the each packet in a buffer. The apparatus associates, with each of the packet-identifiers, a connection-identifier specifying a connection of a packet identified by the each packet-identifier, and detects a connection to which a primary abnormality is occurring by analyzing packets stored in the buffer. The apparatus stores, for each connection to which the primary abnormality has occurred, a primary-abnormality group of packets to which the packet-identifiers associated with the connection-identifier of the each connection are allocated, in a first storage-region, detects a connection to which a secondary abnormality is occurring, based on a statistical value related to results of analyses on packets captured in a sampling duration, and writes, in a second storage-region, packets related to connections to which the secondary abnormality has occurred, among the primary-abnormality groups stored in the first storage-region.

Citations

5 Claims

1. A method performed by a computer, the method comprising:
- allocating a packet identifier to each of packets captured from a network, and storing the each packet in a buffer;
  
  associating, with each of the packet identifiers, a connection identifier specifying a connection for a packet identified by the each packet identifier;
  
  detecting a connection to which a primary abnormality is occurring by analyzing packets stored in the buffer;
  
  storing, for each of connections to which the primary abnormality has occurred, a primary-abnormality group of packets to which the packet identifiers associated with the connection identifier of the each connection are allocated, in a first storage region;
  
  detecting a connection to which a secondary abnormality is occurring, based on a statistical value related to results of analyses on packets captured in a sampling duration; and
  
  writing, in a second storage region, secondary-abnormality groups of packets related to connections to which the secondary abnormality has occurred, among the primary-abnormality groups of packets stored in the first storage region.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprisingdeleting, from the first storage region, the secondary-abnormality groups of packets and groups of packets related to connections to which no secondary abnormality has occurred.
  - 3. The method of claim 1, whereinthe primary abnormality is an abnormality detected before detection of the secondary abnormality in an identical connection.

4. A non-transitory, computer-readable recording medium having stored therein a program for causing a computer to execute a process comprising:
- allocating a packet identifier to each of packets captured from a network, and storing the each packet in a buffer;
  
  associating, with each of the packet identifiers, a connection identifier specifying a connection for a packet identified by the each packet identifier;
  
  detecting a connection to which a primary abnormality is occurring by analyzing packets stored in the buffer;
  
  storing, for each of connections to which the primary abnormality has occurred, a primary-abnormality group of packets to which the packet identifiers associated with the connection identifier of the each connection are allocated, in a first storage region;
  
  detecting a connection to which a secondary abnormality is occurring, based on a statistical value related to results of analyses on packets captured in a sampling duration; and
  
  writing, in a second storage region, secondary-abnormality groups of packets related to connections to which the secondary abnormality has occurred, among the primary-abnormality groups of packets stored in the first storage region.

5. An apparatus comprising:
- a memory including a buffer, a first storage region, and a second storage region; and
  
  a processor coupled to the memory and configured to;
  
  allocate a packet identifier to each of packets captured from a network, and store the each packet in the buffer,associate, with each of the packet identifiers, a connection identifier specifying a connection for a packet identified by the each packet identifier,detect a connection to which a primary abnormality is occurring by analyzing packets stored in the buffer,store, for each of connections to which the primary abnormality has occurred, a primary-abnormality group of packets to which the packet identifiers associated with the connection identifier of the each connection are allocated, in the first storage region,detect a connection to which a secondary abnormality is occurring, based on a statistical value related to results of analyses on packets captured in a sampling duration, andwrite, in the second storage region, secondary-abnormality groups of packets related to connections to which the secondary abnormality has occurred, among the primary-abnormality groups stored in the first storage region.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Iizuka, Fumiyuki, Nomura, Yuji
Primary Examiner(s)
Katsikis, Kostas J

Application Number

US15/343,581
Publication Number

US 20170163499A1
Time in Patent Office

935 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/022   by sampling

H04L 43/04   Processing captured monitor...

H04L 43/08   Monitoring or testing based...

H04L 43/10   Active monitoring, e.g. hea...

Apparatus and method to collect packets related to abnormal connection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

5 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method to collect packets related to abnormal connection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

5 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links