High-performance network content analysis platform

US 20050055399A1
Filed: 09/10/2003
Published: 03/10/2005
Est. Priority Date: 09/10/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving network data;

reassembling a client-server communications session from the network data; and

detecting, through the network data, leaks of information by analyzing the client-server communications session using at least one of (i) statistical and (ii) keyword-based detection.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One implementation of a method reassembles complete client-server conversation streams, applies decoders and/or decompressors, and analyzes the resulting data stream using multi-dimensional content profiling and/or weighted keyword-in-context. The method may detect the extrusion of the data, for example, even if the data has been modified from its original form and/or document type. The decoders may also uncover hidden transport mechanisms such as, for example, e-mail attachments. The method may further detect unauthorized (e.g., rogue) encrypted sessions and stop data transfers deemed malicious. The method allows, for example, for building 2 Gbps (Full-Duplex)-capable extrusion prevention machines.

Citations

23 Claims

1. A method comprising:
- receiving network data;
  
  reassembling a client-server communications session from the network data; and
  
  detecting, through the network data, leaks of information by analyzing the client-server communications session using at least one of (i) statistical and (ii) keyword-based detection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising decoding the client-server communications session to detect and inspect one or more application protocols, and wherein the client-server communications session includes the one or more application protocols.
  - 3. The method of claim 2, wherein the one or more application protocols includes at least one of (i) pdf, (ii) http, (iii) e-mail, (iv) e-mail attachment, (v) ftp, (vi) zip, (vii) ms word, (viii) ms excel, (ix) html, (x) xml, (xi) gzip, (xii) tar and (xiii) plain text.
  - 4. The method of claim 1, wherein the client-server communications session includes at least one of (i) TCP, (ii) IP and (iii) ethernet.
  - 5. The method of claim 1, wherein the statistical-based detection includes multi-dimensional content profiling.
  - 6. The method of claim 1, wherein the statistical-based detection includes domain-specific high-level features.
  - 7. The method of claim 6, wherein the domain-specific high-level features includes at least one of (i) social security numbers, (ii) credit card numbers, (iii) postal addresses and (iv) e-mail addresses.
  - 8. The method of claim 1, wherein the keyword-based detection includes one or more weighted keywords.
  - 9. The method of claim 1, wherein the information includes a digital asset.
  - 10. The method of claim 1, further including analyzing the network data so as to detect any unauthorized encrypted session.

11. A method comprising:
- receiving network communications; and
  
  preventing an unauthorized and/or malicious transfer, through the network communications, of data by providing at least content reassembly, scanning and recognition to the network communications in real time.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein the content scanning and recognition includes multi-dimensional content profiling.
  - 13. The method of claim 11, wherein the content scanning and recognition is tailored to local data.
  - 14. The method of claim 11, wherein the method is capable of preventing the unauthorized and/or malicious transfer, through the network communications, of data on fully saturated Gigabit speeds.

15. A method comprising:
- receiving network data; and
  
  preventing, through the network data, leaks of information by at least applying multi-dimensional content profiling.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, wherein the information includes a digital asset.
  - 17. The method of claim 15, wherein the multi-dimensional content profiling takes into account the structure of the information.

18. A machine-readable medium having encoded information, which when read and executed by a machine causes a method comprising:
- receiving network data;
  
  reassembling a client-server communications session from the network data; and
  
  detecting, through the network data, leaks of information by analyzing the client-server communications session using at least one of (i) statistical and (ii) keyword-based detection.

19. A machine-readable medium having encoded information, which when read and executed by a machine causes a method comprising:
- receiving network communications; and
  
  preventing an unauthorized and/or malicious transfer, through the network communications, of data by providing at least content reassembly, scanning and recognition to the network communications in real time.

20. A machine-readable medium having encoded information, which when read and executed by a machine causes a method comprising:
- receiving network data; and
  
  preventing, through the network data, leaks of information by at least applying multi-dimensional content profiling.

21. An apparatus comprising:
- a receiver to receive network data;
  
  a processor, coupled to the receiver, to (i) reassemble a client-server communications session from the network data and (ii) detect, through the network data, leaks of information by analyzing the client-server communications session using at least one of (i) statistical and (ii) keyword-based detection.

22. An apparatus comprising:
- a receiver to receive network communications; and
  
  a processor, coupled to the receiver, to prevent an unauthorized and/or malicious transfer, through the network communications, of data by providing at least content reassembly, scanning and recognition to the network communications in real time.

23. An apparatus comprising:
- a receiver to receive network data; and
  
  a processor, coupled to the receiver, to prevent, through the network data, leaks of information by at least applying multi-dimensional content profiling.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Runway Growth Finance Corporation
Original Assignee
Fidelis Security Systems Incorporated
Inventors
Savchuk, Gene

Granted Patent

US 7,467,202 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/203
CPC Class Codes

H04L 63/0245 Filtering by information in...

H04L 63/1416 Event detection, e.g. attac...

High-performance network content analysis platform

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

High-performance network content analysis platform

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links