Method and system for determining intra-session event correlation across network address translation devices
Abstract
An intra-session network correlation system receives a stream of network events and then groups them into different network sessions according to each event's event parameters and the corresponding network address translation (NAT) information. An event in the stream is first matched against any existing session, and then categorized using the information about a NAT device that translates a message the event is related to. Finally, at a predefined time, a categorized event is processed to identify other categorized events in accordance with a NAT message or an expiry timer associated with the categorized event, and the categorized event and identified other categorized events are grouped into the same network session.
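The flow the abstract describes (match against known sessions, hold the event, then group on a NAT message or an expiry timer) can be sketched as follows. This is an added example, not code from the patent; the `Event` and `NatMsg` fields, the `hold_secs` timer, the source-NAT-only model and the sample addresses are all assumptions.

```python
import itertools
from collections import namedtuple

# Constructed models (assumptions): an event as one device saw it, and a source-NAT report.
Event = namedtuple("Event", "ts device src sport dst dport")
NatMsg = namedtuple("NatMsg", "ts pre_src pre_sport post_src post_sport")

class Correlator:
    def __init__(self, hold_secs=5):
        self.hold_secs = hold_secs  # expiry timer for events still waiting on NAT info
        self.canon = {}             # (post_src, post_sport) -> (pre_src, pre_sport)
        self.pending = []           # categorized events not yet grouped
        self.sessions = {}          # canonical flow key -> session id
        self.members = {}           # session id -> events in that session
        self._ids = itertools.count(1)

    def _key(self, ev):
        # Map a translated source back to its pre-NAT form so both sides share a key.
        src, sport = self.canon.get((ev.src, ev.sport), (ev.src, ev.sport))
        return (src, sport, ev.dst, ev.dport)

    def on_event(self, ev):
        sid = self.sessions.get(self._key(ev))
        # Initial determination: join a known session, else hold for NAT info or expiry.
        (self.members[sid] if sid else self.pending).append(ev)

    def _group(self, ready):
        self.pending = [e for e in self.pending if e not in ready]
        for ev in ready:
            key = self._key(ev)
            sid = self.sessions.get(key) or self.sessions.setdefault(key, next(self._ids))
            self.members.setdefault(sid, []).append(ev)

    def on_nat(self, msg):          # trigger 1: a NAT message names the translation
        self.canon[(msg.post_src, msg.post_sport)] = (msg.pre_src, msg.pre_sport)
        flow = (msg.pre_src, msg.pre_sport)
        self._group([e for e in self.pending if self._key(e)[:2] == flow])
    def tick(self, now):            # trigger 2: the hold timer ran out
        self._group([e for e in self.pending if now - e.ts >= self.hold_secs])

def demo():
    c, dst = Correlator(), ("198.51.100.20", 443)
    c.on_event(Event(0, "fw-inside", "10.0.0.5", 40000, *dst))
    c.on_event(Event(1, "ids-outside", "203.0.113.7", 61000, *dst))  # same flow, post-NAT
    c.on_event(Event(1, "ids-outside", "203.0.113.9", 50000, *dst))  # unrelated flow
    c.on_nat(NatMsg(2, "10.0.0.5", 40000, "203.0.113.7", 61000))
    c.tick(10)                                                       # unrelated event expires
    c.on_event(Event(11, "ids-outside", "203.0.113.7", 61000, *dst))
    return {sid: [e.ts for e in evs] for sid, evs in c.members.items()}
```

`demo()` returns the event timestamps per session id: the inside and outside views of the translated flow share one id, and the event with no NAT information gets its own id once its timer expires.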
36 Claims
1. A method of grouping network events, comprising:
receiving a stream of network events, each network event including a set of event parameters in association with a network session that corresponds to a message being transmitted through a network;
for a network event in the stream, making an initial session determination by determining whether the event belongs to a same network session as any previously received event;
for the network event, identifying information of network address translations performed by one or more devices along a network transmission path associated with the network event;
categorizing the network event in accordance with at least one of the session determination and the network address translation information; and
at a predefined time, processing a categorized network event to identify another categorized network event, if any, belonging to a same network session as the categorized network event;
grouping the categorized network event and the identified other categorized network event, if any, into a set; and
assigning a unique identifier to the set of events that includes the categorized network event.
13. A network event grouping system, comprising:
one or more central processing units for executing programs;
an interface for receiving network events; and
a network event correlation engine module executable by the one or more central processing units, the module comprising:
a plurality of data structures for storing a stream of network events, each network event including a set of event parameters in association with a network session that corresponds to a message being transmitted through a network;
instructions for establishing a correlation when a network event in the stream belongs to a same network session as another network event in the stream;
instructions for identifying information of network address translations performed by one or more devices along a network transmission path associated with a network event;
instructions for categorizing a network event in the stream in accordance with the event's network session relationship and/or the event's network address translation information; and
instructions for invoking a categorized network event at a predefined time, wherein invoking comprises processing the categorized network event to identify another categorized network event, if any, belonging to a same network session as the categorized network event, grouping the categorized network event and the identified other categorized network event, if any, into a set, and assigning a unique identifier to the set of events that includes the categorized network event.
25. A computer program product for use in conjunction with a computer system, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
instructions for receiving and storing a stream of network events, each network event including a set of event parameters in association with a network session that corresponds to a message being transmitted through a network;
instructions for establishing a correlation when a network event in the stream belongs to a same network session as another network event in the stream;
instructions for identifying information of network address translations performed by one or more devices along a network transmission path associated with a network event;
instructions for categorizing a network event in the stream in accordance with the event's network session relationship and/or the event's network address translation information; and
instructions for invoking a categorized network event at a predefined time, wherein invoking comprises processing the categorized network event to identify another categorized network event, if any, belonging to a same network session as the categorized network event, grouping the categorized network event and the identified other categorized network event, if any, into a set, and assigning a unique identifier to the set of events that includes the categorized network event.