Systems and methods for extracting media from network traffic having unknown protocols
Abstract
Methods and systems for analyzing network traffic. An analysis system receives network traffic, which complies with a certain protocol. The received network traffic carries a data item, which may be of value to an analyst. In order to access the data item in question, the analysis system automatically identifies the media type of the data item, by processing the network traffic without decoding the protocol. The analysis system identifies the media type irrespective of the protocol in order to avoid the computational complexity involved in decoding the protocol.
16 Claims
1. A method comprising:
receiving, in a computerized analysis system, a segment of network traffic that is exchanged between network users, wherein the segment of network traffic complies with an unknown protocol and carries part of a data item of a respective media type, wherein the unknown protocol is associated with a layer that is higher than layer 4 of the Open System Interconnection (OSI) reference model, wherein the computerized analysis system is not a designated participant in the network traffic;
automatically identifying the media type by processing the segment of network traffic as a sequence of bytes without decoding the unknown protocol and detecting in the sequence of bytes a characteristic that is indicative of the respective media type; and
extracting at least the part of the data item responsively to the identified media type, wherein extracting the data item comprises selecting a modality for presenting the data item responsively to the identified media type, and presenting the extracted data item to an operator using the selected modality, wherein automatically identifying the media type comprises one of identifying that the sequence of bytes comprises valid text or identifying in the network traffic a file type that is associated with the media type.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)
10. An apparatus, comprising:
an interface configured to receive a segment of network traffic that is exchanged between network users, wherein the segment of network traffic complies with an unknown protocol and carries part of a data item of a respective media type, and wherein the unknown protocol is associated with a layer that is higher than layer 4 of the Open System Interconnection (OSI) reference model, wherein the apparatus is not a designated participant in the network traffic; and
a processor, which is configured to automatically identify the media type by processing the segment of network traffic as a sequence of bytes without decoding the unknown protocol, detect in the sequence of bytes a characteristic that is indicative of the respective media type, to extract at least the part of the data item responsively to the identified media type, and present the extracted data item to the operator using the selected modality, wherein the processor configured to automatically identify the media type comprises one of the processor configured to identify that the sequence of bytes comprises valid text or the processor configured to identify in the network traffic a file type that is associated with the media type.
(Dependent claims: 11, 12, 13)
14. A non-transitory computer-readable medium having stored thereon instructions that, when executed by a computerized analysis system, direct the analysis system to execute the process comprising the steps of:
receiving, in the computerized analysis system, a segment of network traffic that is exchanged between network users, wherein the segment of network traffic complies with an unknown protocol and carries part of a data item of a respective media type, and wherein the unknown protocol is associated with a layer that is higher than layer 4 of the Open System Interconnection (OSI) reference model, wherein the computerized analysis system is not a designated participant in the network traffic;
automatically identifying the media type by processing the segment of network traffic as a sequence of bytes without decoding the unknown protocol and detecting in the sequence of bytes a characteristic that is indicative of the respective media type; and
extracting at least the part of the data item responsively to the identified media type, wherein extracting the data item comprises selecting a modality for presenting the data item responsively to the identified media type, and presenting the extracted data item to an operator using the selected modality, wherein automatically identifying the media type comprises one of identifying that the sequence of bytes comprises valid text or identifying in the network traffic a file type that is associated with the media type.
(Dependent claims: 15, 16)
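The abstract and the claims above describe the same technique: treat a traffic segment as a plain byte sequence, never decode the unknown application-layer protocol, and identify the carried data item's media type either by spotting a known file-type signature or by checking that the bytes form valid text, then carve the item and choose how to present it to an operator. The Python below is an added illustration of that approach for a content-inspection or network-forensics pipeline, not code from the patent or its assignee; the signature table, the printable-character threshold and the sample segment are constructed for this example.

```python
# Constructed table of well-known leading bytes (file signatures) keyed to a
# media type and subtype. These are standard format magic values, not values
# taken from the patent.
SIGNATURES = {
    b"\xff\xd8\xff": ("image", "jpeg"),
    b"\x89PNG\r\n\x1a\n": ("image", "png"),
    b"GIF8": ("image", "gif"),
    b"%PDF-": ("document", "pdf"),
    b"PK\x03\x04": ("archive", "zip"),
    b"ID3": ("audio", "mp3"),
}

# Assumed threshold: share of printable characters needed to call a run "text".
PRINTABLE_RATIO = 0.95


def looks_like_text(chunk: bytes) -> bool:
    """True when the bytes are valid UTF-8 and overwhelmingly printable.
    The second condition stops binary data that happens to decode from passing."""
    if not chunk:
        return False
    try:
        text = chunk.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return printable / len(text) >= PRINTABLE_RATIO


def identify_media(segment: bytes):
    """Return (media_type, subtype, offset) for a raw segment without parsing
    any protocol framing: earliest known signature wins, then a text check."""
    best = None
    for magic, (media, sub) in SIGNATURES.items():
        pos = segment.find(magic)
        if pos != -1 and (best is None or pos < best[2]):
            best = (media, sub, pos)
    if best is not None:
        return best
    if looks_like_text(segment):
        return ("text", "plain", 0)
    return ("unknown", None, -1)


def extract_item(segment: bytes):
    """Carve the data item from its detected offset and pick a presentation
    modality for the operator from the identified media type."""
    media, sub, off = identify_media(segment)
    if off < 0:
        return None
    modality = {"image": "image viewer", "text": "text view",
                "document": "document viewer"}.get(media, "hex dump")
    return {"media": media, "subtype": sub, "modality": modality,
            "payload": segment[off:]}


# Constructed sample: 12 bytes of a made-up binary protocol header, then a JPEG start.
SAMPLE = (b"\x01\x00\x00\x1a\x7f\x02\x09\x00\xaa\xbb\xcc\xdd"
          b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
```

Because the header is skipped by offset rather than parsed, the same routine works whether the framing is a known protocol or not; the price is that a signature inside an encrypted or compressed stream is invisible to it, which is the limitation the claims' "without decoding" wording accepts.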