Apparatus and method for network analysis

US 20020163934A1
Filed: 04/29/2002
Published: 11/07/2002
Est. Priority Date: 04/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method of parsing sessions in disparate protocols into a common language comprising the steps of:

receiving sessions in disparate protocols;

parsing the sessions in disparate protocols into sessions of a common language; and

communicating the common-language sessions to an analyzer.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for and method of extracting information from multiple sessions of disparate protocols into a common language is disclosed. A method of creating a record conforming to an event-based language is also disclosed. A system configured to create a record conforming to an event-based language is also disclosed.

Citations

25 Claims

1. A method of parsing sessions in disparate protocols into a common language comprising the steps of:
- receiving sessions in disparate protocols;
  
  parsing the sessions in disparate protocols into sessions of a common language; and
  
  communicating the common-language sessions to an analyzer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising the steps of:
    - collecting packets of network traffic; and
      
      assembling the packets into the sessions in disparate protocols.
  - 3. The method of claim 2 further comprising the steps of:
    - communicating the packets to an assembler.
  - 4. The method of claim 1 further comprising the steps of:
    - communicating the sessions in disparate protocols to a protocol director; and
      
      directing each of the sessions in disparate protocols to an appropriate parser.
  - 5. The method of claim 1 further comprising the step of:
    - analyzing the common-language sessions.

6. A system for parsing sessions in disparate protocols into a common language comprising:
- a parser director;
  
  parsers; and
  
  an analyzer, wherein the parser director is configured to direct a session of a particular protocol to a parser configured to parse sessions of the particular protocol, wherein each of the parsers is configured to parse sessions of a particular protocol into sessions of a common language, and wherein the analyzer is configured to analyze the common-language sessions.
- View Dependent Claims (7)
- - 7. The system of claim 6 further comprising:
    - a packet generator configured to copy packets communicated as part of communications within a network; and
      
      an assembler configured to group the packets related to a single communication between two or more entities into one session.

8. A method of extracting information from a session to create a record conforming to an event-based language comprising the steps of:
- receiving a session;
  
  extracting information from the session;
  
  translating the information into an event statement describing an event between a first entity and a second entity; and
  
  creating a record containing the event statement.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25)
- - 9. The method of claim 8, wherein the first entity and the second entity comprise one of the following entities:
    - IP, IP-port, IP-user, IP-resource, host, host-port, host-user, or host-resource.
  - 10. The method of claim 8, wherein the event statement describes the first entity, the second entity, an application used for the event, and an action describing the event.
  - 11. The method of claim 10, wherein the record conforms to the following structure:
    - “
      
      <
      
      the first entity>
      
      was seen <
      
      the action>
      
      to <
      
      the second entity>
      
      with <
      
      the application>
      
      .”
  - 12. The method of claim 10, wherein the application is one of the following application types:
    - FTP, Telnet, SMTP, Domain Name Service, DHCP, AOL™
      
      Instant Messenger, Yahoo™
      
      Instant Messenger, HTTP, POP-2, POP-3, NNTP, Microsoft RPC, Netbios, MS File Access, SNMP, RIP, MS Instant Messenger, Lotus Notes™
      
      , Sybase™
      
      Database, MSSQL™
      
      Database, Oracle™
      
      Database, Lotus Sametime™
      
      , UniX™
      
      File Access, or IRC.
  - 13. The method of claim 10, wherein the event statement further contains one of the following content types:
    - Mail, HTML, DCARD, SMIME, or PGP.
  - 14. The method of claim 10, wherein the action includes at least one of the following action types:
    - IP Transaction, User Login, User Logoff, Get Resource, Put Resource, Delete Resource, Send Message, Receive Message, Read Message, Delete Message, Database Query, User Login Response, User Logoff Response, Get Resource Response, Delete Resource Response, Send Message Response, Read Message Response, or Database Query Response.
  - 15. The method of claim 8 further comprising the step of translating the information into a session statement describing a communication of which the event is a part, wherein the record also contains the session statement.
  - 16. The method of claim 8 further comprising the step of translating the information into a property statement describing properties of the event, wherein the record also contains the property statement.
  - 17. The method of claim 16, wherein the properties of the event include at least one of the following property types:
    - an application used, a subject of the event, or a database queried.
  - 18. The method of claim 8 further comprising the step of translating the information into a route statement describing a route through a network traveled by the event, wherein the record also contains the route statement.
  - 19. The method of claim 8 further comprising the step of translating the information into an alias statement describing additional information related to an identity of the first entity or the second entity, wherein the record also contains the alias statement.
  - 20. The method of claim 19, wherein the alias statement contains at least one of the following alias types:
    - IP-Alias or User-Alias.
  - 21. The method of claim 8 further comprising the step of translating the information into a session statement describing a communication of which the event is a part, a property statement describing properties of the event, a route statement describing a route through a network traveled by the session or part of the session, and an alias statement describing additional information related to an identity of the first entity or the second entity, wherein the record also contains the session statement, the property statement, the route statement, and the alias statement.
  - 22. The method of claim 8 further comprising the step of translating the information into a property statement describing properties of the event, wherein the record also contains the property statement and wherein the record is a condense and simple representation of the session from which the information was extracted.
  - 24. The event-based language of claim 23 further comprising:
    - a route statement configured to describe a route through a network traveled by the session or the event; and
      
      an alias statement configured to describe an alias related to an identity of the first entity or an identity of the second entity.
  - 25. The event-based language of claim 23 wherein the event statement conforms to the following structure:
    - “
      
      <
      
      the first entity>
      
      was seen <
      
      the action>
      
      to <
      
      the second entity>
      
      with <
      
      the application>
      
      .”

23. An event-based language for use in network security comprising:
- a session statement configured to describe a session of which an event is a part;
  
  an event statement configured to describe the event through an action between a first entity and a second entity using an application; and
  
  a properties statement configured to describe properties of the event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Netwitness Corporation (Dell Technologies Inc.)
Inventors
Moore, Todd A., Longworth, Mark E., Love, Damon, Girardi, Brian

Granted Patent

US 7,634,557 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/465
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 43/18   Protocol analysers

H04L 69/06   Notations for structuring o...

H04L 69/08   Protocols for interworking;...

H04L 69/10   Streamlined, light-weight o...

H04L 69/18   Multiprotocol handlers, e.g...

H04L 9/40   Network security protocols

Apparatus and method for network analysis

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for network analysis

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links