Pattern-based correlation of non-translative network segments

US 20050078606A1
Filed: 09/13/2004
Published: 04/14/2005
Est. Priority Date: 09/11/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for correlating non-translative network segments in a multi-protocol communications system, comprising:

providing at least two connected nodes within a network, wherein a first node is in a non-translative network segment with respect to a second node;

at the first node, generating and injecting a defined network pattern into network traffic and recording precisely the time stamp of the network pattern injection;

at the second node, listening to network traffic, taking a copy of the traffic passing by as a trace, and adding precise time stamp information to the trace;

correlating the generated defined network pattern to the traced traffic; and

from the correlation of the generated defined network pattern to the traced traffic, deriving protocol cause and effect correlation rules.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for correlating network traffic between non-translative network systems are provided. Generally, protocol cause and effect correlation rules are determined between devices in non-translative network segments by injecting a known network pattern at a first end of the network topology. Traces of the network traffic are then recorded over one or more nodes throughout the non-translative network. The generated network traffic is then compared to the traced network traffic by pattern matching to thereby determine protocol cause and effect correlation rules. Later, when it is desired to determine causality of network activity between non-translative network segments, the traced network patterns can be compared by pattern matching to the protocol cause and effect correlation rules to assist in determining the origin of a network operation that created an observed event.

49 Citations

View as Search Results

20 Claims

1. A method for correlating non-translative network segments in a multi-protocol communications system, comprising:
- providing at least two connected nodes within a network, wherein a first node is in a non-translative network segment with respect to a second node;
  
  at the first node, generating and injecting a defined network pattern into network traffic and recording precisely the time stamp of the network pattern injection;
  
  at the second node, listening to network traffic, taking a copy of the traffic passing by as a trace, and adding precise time stamp information to the trace;
  
  correlating the generated defined network pattern to the traced traffic; and
  
  from the correlation of the generated defined network pattern to the traced traffic, deriving protocol cause and effect correlation rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as defined in claim 1, further comprising the act, prior to deriving protocol cause and effect correlation rules, of presenting the generated traffic and the traced traffic in a visually comparative manner to a user, aligned based on major features which are pattern matched in the network traffic, to permit the user to make manual adjustments to the alignment.
  - 3. A method as defined in claim 1, wherein the act of correlating the generated defined network pattern to the traced traffic is performed by applying a method selected from the group consisting of:
    - pattern matching, expert systems, numerical analysis, and statistical analysis.
  - 4. A method as defined in claim 1, wherein the protocol cause and effect correlation rules are stored as pattern matching tables in a storage system.
  - 5. A method as defined in claim 1, wherein:
    - the defined network pattern is injected at a plurality of nodes within the network, the timestamp of each injection being recorded precisely at each point of injection; and
      
      the network traffic passing by each of the plurality of nodes is listened to and copied as a trace, with the trace including precise time stamp information.
  - 6. A method as defined in claim 1, wherein the first node is located in a local area network and the second node is located in a storage area network.
  - 7. A method as defined in claim 1, wherein the defined network pattern is injected as a stream.
  - 8. A method as defined in claim 1, wherein at least one of the nodes is selected from the group consisting of:
    - a computer, a device on a storage network, and an external element of equipment.
  - 9. A method as defined in claim 1, wherein at least one of the nodes comprises a network probe that records traces of network traffic.
  - 10. A method as defined in claim 1, wherein the first node and the second node represent at least two different communication protocols selected from the group consisting of:
    - TCP/IP, Infiniband, Ethernet, Gigabit Ethernet, SONET, Fibre Channel, and PCI Express.
  - 11. A method as defined in claim 1, wherein the defined network pattern corresponds to a specific action performed in a given protocol.
  - 12. A method as defined in claim 1, wherein the acts therein are performed repeatedly with different network patterns to obtain a plurality of protocol cause and effect correlation rules, each rule corresponding to a different specific action performed by a given protocol.

13. A method for correlating non-translative network segments in a multi-protocol communications system, comprising:
- providing a plurality of connected nodes within a network, wherein a first node is in a non-translative network segment with respect to a second node;
  
  providing pattern matching data which indicates protocol cause and effect correlation rules;
  
  at each of the plurality of nodes, listening to network traffic, taking a copy, as a trace, of the traffic passing by;
  
  applying a run-time process to the traced traffic using the stored pattern matching data to recognize correlations; and
  
  from the recognized correlations, deriving the causality, in a first network segment, of a network activity that is detected in a second network segment that is non-translative with the first network segment.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. A method as defined in claim 13, further comprising the act of presenting the generated traffic and the traced traffic in a visually comparative manner to a user, aligned based on major features which are pattern matched in the network traffic, and also with visual indications of the pattern matches discovered.
  - 15. A method as defined in claim 13, further comprising the act of adding precise time stamp information to the trace.
  - 16. A method as defined in claim 13, wherein at least one of the nodes is selected from the group consisting of:
    - a computer, a storage network, and an external element of equipment.
  - 17. A method as defined in claim 13, wherein at least one of the nodes comprises a network probe that records traces of network traffic.
  - 18. A method as defined in claim 13, wherein the first node and the second node represent at least two different communication protocols selected from the group consisting of:
    - TCP/IP, Infiniband, Ethernet, Gigabit Ethernet, SONET, Fibre Channel, and, PCI Express.

19. A computer program product for implementing a method for correlating non-translative network segments in a multi-protocol communications system, the computer program product comprising:
- a computer readable medium carrying computer executable instructions for performing the method, wherein the method comprises;
  
  providing at least two connected nodes within a network, wherein a first node is in a non-translative network segment with respect to a second node;
  
  at the first node, generating and injecting a defined network pattern into network traffic and recording precisely the time stamp of the network pattern injection;
  
  at the second node, listening to network traffic, taking a copy of the traffic passing by as a trace, and adding precise time stamp information to the trace;
  
  correlating the generated defined network pattern to the traced traffic; and
  
  from the correlation of the generated defined network pattern to the traced traffic, deriving protocol cause and effect correlation rules.

20. A computer program product for implementing a method for determining causality for network activity across non-translative network segments in a multi-protocol communications system, the computer program product comprising:
- a computer readable medium carrying computer executable instructions for performing the method, wherein the method comprises;
  
  providing a plurality of connected nodes within a network, wherein a first node is in a non-translative network segment with respect to a second node;
  
  providing pattern matching data which indicates protocol cause and effect correlation rules;
  
  at each of the plurality of nodes, listening to network traffic, taking a copy, as a trace, of the traffic passing by;
  
  applying a run-time process to the traced traffic using the stored pattern matching tables to recognize correlations; and
  
  from the recognized correlations, deriving the causality, in a first network segment, of a network activity that is detected in a second network segment that is non-translative with the first network segment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finisar Corporation (II-VI Incorporated)
Original Assignee
Finisar Corporation (II-VI Incorporated)
Inventors
Otis, Robert W., Bernstein, David R.

Application Number

US10/940,385
Publication Number

US 20050078606A1
Time in Patent Office

Days
Field of Search
US Class Current

370/241
CPC Class Codes

H04L 67/535 Tracking the activity of th...

H04L 69/329 in the application layer [O...

Pattern-based correlation of non-translative network segments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Pattern-based correlation of non-translative network segments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links