Method of determining intra-session event correlation across network address translation devices
Abstract
An intra-session network correlation system receives a stream of network events and groups the events into different network sessions according to event parameters and corresponding network address translation (NAT) information. An event in the stream is first matched against any existing session, and then categorized using the information about a NAT device that translates a message to which the event is related. Finally, at a predefined time, a categorized event is processed to identify other categorized events in accordance with a NAT message or an expiry timer associated with the categorized event; the categorized event and identified other categorized events are grouped into the same network session.
20 Claims
1. A method, comprising:
receiving a network event with a set of event parameters;
determining whether the network event belongs to a network session associated with one or more previously received network events;
categorizing the incoming event into the same network session as the one or more previously received events;
comparing the network event to information representing one or more NAT devices and one or more network address translation rules respectively associated with the NAT devices;
associating the network event with a particular NAT rule of one of the NAT devices;
estimating one or more other events that are associated with the network event, based on the particular NAT rule;
determining whether the one or more other events belong to the same network session.
Dependent claims: 2
3. A method of grouping network events, comprising:
receiving a stream of network events, each network event including a set of event parameters in association with a network session that corresponds to a message being transmitted through a network;
making an initial session determination by determining whether a particular event belongs to a same network session as any previously received event;
identifying information of network address translations performed by one or more devices along a network transmission path associated with the particular network event;
categorizing the network event in accordance with at least one of the session determination and the network address translation information;
processing a categorized network event to identify another categorized network event, if any, belonging to a same network session as the categorized network event;
grouping the categorized network event and the identified other categorized network event, if any, into a set.
Dependent claims: 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 17, 18, 19
14. A method, comprising the computer-implemented steps of:
receiving a stream of network events;
matching a particular network event in the stream against any existing session;
categorizing the event based on corresponding network address translation (NAT) information about a NAT device that translates a message to which the event is related;
processing the event to identify other previously categorized events in accordance with a NAT message that is associated with the categorized event;
grouping the categorized event and the identified other categorized events into the same network session.
Dependent claims: 15, 16
20. A method of grouping network events that are emitted by one or more network routing or network switching devices in a packet-switched telecommunications network, the method comprising the computer-implemented steps of:
receiving a stream of network events, each network event including a set of event parameters in association with a network session that corresponds to a message being transmitted through a network, wherein the set of event parameters include source address, source port, destination address, destination port, and network protocol;
making an initial session determination by determining whether a particular event belongs to a same network session as any previously received event;
wherein said network session is a communication channel established between a source host and a destination host over the network, wherein the initial session determination includes comparing the event parameters of a newly received network event with the event parameters of any previously received network event, and if there is a match, determining that the newly received event belongs to a same network session as those previously received matching events;
identifying information of network address translations performed by one or more of the devices that are logically located along a network transmission path associated with the particular network event, wherein each of said one or more devices is associated with at least one network address translation rule, each rule comprising a pre-mapping parameter domain and a post-mapping parameter domain for one or more event parameters, wherein the pre-mapping or post-mapping domains of two network address translation rules may overlap each other;
categorizing the network event in accordance with at least one of the session determination and the network address translation information;
processing a categorized network event to identify another categorized network event, if any, belonging to a same network session as the categorized network event;
grouping the categorized network event and the identified other categorized network event, if any, into a set;
wherein the categorized network event and the identified other categorized network event belong to different categories during said categorizing;
wherein said processing is performed in accordance with the identified network address translation information for the network transmission path associated with the network event;
wherein said processing is performed in accordance with network address translation information received after arrival of the categorized network event.
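A minimal sketch of the grouping recited in claim 20, added here as an illustration and not taken from the patent or any product: events are keyed by their 5-tuple, a NAT rule is used to estimate the post-translation event, and a mapping learned after the events arrived joins two existing sessions. The field names, the choice of rule by reporting device, port-preserving static source NAT, and the union-find structure are all assumptions of this example.

```python
import ipaddress
from collections import namedtuple

# Field names are assumptions; "device" is the device that reported the event.
Event = namedtuple("Event", "device src sport dst dport proto")
# Static source-NAT rule: pre-mapping domain (CIDR) -> post-mapping address.
NatRule = namedtuple("NatRule", "device pre post")

def key(ev):
    return ev[1:]  # the 5-tuple of event parameters

class Correlator:
    def __init__(self, rules):
        self.rules, self.parent = rules, {}  # parent: union-find over 5-tuples

    def _find(self, k):
        while self.parent.setdefault(k, k) != k:
            k = self.parent[k]
        return k

    def merge(self, a, b):
        # Also the entry point for a NAT message that arrives after its events.
        self.parent[self._find(a)] = self._find(b)

    def add_event(self, ev):
        self._find(key(ev))  # initial determination: same 5-tuple, same session
        for r in self.rules:
            # Domains may overlap, so a rule only applies on its own device;
            # a match estimates the post-NAT event (port kept) and joins sessions.
            if r.device == ev.device and ipaddress.ip_address(ev.src) in ipaddress.ip_network(r.pre):
                self.merge(key(ev), (r.post,) + key(ev)[1:])
                break

    def same_session(self, a, b):
        return self._find(key(a)) == self._find(key(b))

def demo():
    # Constructed sample data (RFC 1918 and RFC 5737 addresses).
    c = Correlator([NatRule("fw-a", "10.0.0.0/8", "198.51.100.1"),
                    NatRule("fw-b", "10.1.0.0/16", "198.51.100.2")])
    inside = Event("fw-a", "10.1.2.3", 40000, "203.0.113.9", 443, "tcp")
    out_a = Event("ids", "198.51.100.1", 40000, "203.0.113.9", 443, "tcp")
    out_b = Event("ids", "198.51.100.2", 40000, "203.0.113.9", 443, "tcp")
    pat_in = Event("sw", "10.9.9.9", 51000, "203.0.113.9", 80, "tcp")
    pat_out = Event("ids", "198.51.100.7", 62001, "203.0.113.9", 80, "tcp")
    for ev in (inside, out_a, out_b, pat_in, pat_out):
        c.add_event(ev)
    before = c.same_session(pat_in, pat_out)
    c.merge(key(pat_in), key(pat_out))  # late NAT information for a PAT flow
    return c.same_session(inside, out_a), c.same_session(inside, out_b), before, c.same_session(pat_in, pat_out)
```

The source 10.1.2.3 falls inside both pre-mapping domains, so the reporting device is what selects the rule; the PAT flow stays in two separate sessions until the mapping is supplied.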
Specification