Logging method, system, and device with analytical capabilities for the network traffic

US 20070050846A1
Filed: 08/30/2005
Published: 03/01/2007
Est. Priority Date: 08/30/2005
Status: Abandoned Application

First Claim

Patent Images

1. A logging device managing network packets, the logging device comprises:

a traffic capturing component receiving network packets and filtering the received network packets by selecting those network packets that satisfy a predefined criteria;

a storage component storing the selected network packets; and

an analyzing component organizing the stored network packets in accordance with at least one user specified parameters, wherein the traffic capturing component, the storage component, and the analyzing component are integrated in a single physical device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A logging device, system and a method for managing network packets. The logging device includes a traffic capturing device receiving the network packets and filtering the network packets by selecting some of the network packets based on a predefined criteria. The logging device also includes a storage device storing the selected network packets and an analyzing component organizing the stored network packets in accordance with a user specified parameters. The traffic capturing component, the storage component, and the analyzing component are integrated in a single physical device providing a user with an ability to monitor real-time network traffic on the fly. The traffic capturing component selects the network packets for storage based on source and destination addresses of the network packets, based on a protocol of the network packets, based on a port designated, and based on whether a particular traffic session matches a predetermined signature.

104 Citations

View as Search Results

27 Claims

1. A logging device managing network packets, the logging device comprises:
- a traffic capturing component receiving network packets and filtering the received network packets by selecting those network packets that satisfy a predefined criteria;
  
  a storage component storing the selected network packets; and
  
  an analyzing component organizing the stored network packets in accordance with at least one user specified parameters, wherein the traffic capturing component, the storage component, and the analyzing component are integrated in a single physical device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The logging device according to claim 1, wherein the traffic capturing component and the analyzing component, each comprises at least one processor.
  - 3. The logging device according to claim 1, wherein the storage component comprises a plurality of Redundant Arrays of Independent Disks (RAID) hard drives and a RAID controller determining to which of the plurality of RAID hard drives an incoming network packet should be saved.
  - 4. The logging device according to claim 3, wherein the storage component is connected to at least one of the traffic capturing component and the analyzing component and wherein the traffic capturing component is one of a firewall, a gateway computer, and a switch.
  - 5. The logging device according to claim 1, further comprises:
    - a display and a user interface, wherein the predefined criteria for filtering the network packets is specified via the user interface, and wherein said predefined criteria for selecting the network packets comprises designating at least one of;
      
      a source address, a destination address, a protocol, a port, and a predefined signature that corresponds to a specific traffic session.
  - 6. The logging device according to claim 5, wherein, when a user inputs the predefined criteria via the user interface, and the traffic capturing component automatically and on-the-fly adjusts the selection of the network packets based on the received user input.
  - 7. The logging device according to claim 1, wherein the selection of the network packets based on said predefined criteria comprises selecting network packets whose predefined signature matches a specific traffic session.
  - 8. The logging device according to claim 1, wherein the selection of the network packets based on said predefined criteria comprises selecting network packets whose predefined signature matches a specific traffic session, and wherein the predefined criteria further comprises designation at least one portion of the network packet for the storing in the storage component.
  - 9. The logging device according to claim 1, wherein the analyzing component provides a list of network packets from the stored network packets that matches the at least one user specified parameter that comprises at least one of:
    - a selection of alphanumeric characters present in a content of the network packet, a selection of alphanumeric characters absent from the content of the network packet, a network protocol, time, and date, and wherein the analyzing component provides the network packets that match the at least one user specified parameter with an indication of a security level for each of the presented network packets.
  - 10. The logging device according to claim 1, wherein the analyzing component generates at least one report based on the user specified parameters that comprise at least one of:
    - a time period when the at least one report is generated, a designation of at least one device for which the at least one report is generated, a designation of a rank of the at least one report and a designation of a report type.
  - 11. The logging device according to claim 10, wherein report types comprise all reports, a basic set of said all reports and a custom set of reports where a user selects at least one report from said all reports, wherein said all reports comprise network activity report, web activity report, file transfer protocol report, terminal activity report, mail activity report, intrusion activity report, anti-virus activity report, web filter activity report, mail filter activity report, virtual private network activity report, and content activity report and wherein for each report from said all reports a time period and a direction of the network packets is designated.
  - 12. The logging device according to claim 11, wherein the at least one user specified parameter further comprises designating output format of a report.
  - 13. The logging device according to claim 1, wherein the analyzing component sets up at least one alert based on the user specified parameters that comprise designating at least one device for monitoring, and designation a trigger event and a response.
  - 14. The logging device according to claim 13, wherein the trigger event comprises an event type and a ranking level and wherein the response comprises notifying a server or sending an email to a predefined destination.

15. A logging system managing network packets, the logging system comprises:
- a gateway computer receiving the network packets, the gateway computer is configured to select some the received network packets based on;
  
  a source address of a network packet, a destination addresses of the network packet, a protocol of the network packet, a port selection, and whether a specific traffic session matches a predefined signature of the network packet;
  
  a storage device storing the selected network packets; and
  
  an analyzing computer organizing the stored network packets in accordance with a user specified parameters.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The logging system according to claim 15, wherein:
    - the gateway computer is one of a switch and a firewall computer, the storage device comprises a plurality of Redundant Arrays of Independent Disks (RAID) hard drives and a RAID controller determining to which of the plurality of RAID hard drives an incoming network packet is saved, and the storage device is connected to at least one of the gateway computer and the analyzing computer.
  - 17. The logging system according to claim 15, wherein the user specified parameters comprise at least one of a keyword, a keyword to exclude, a network protocol, time, date, exact phrase to appear in a content the analyzing component, and wherein the analyzing component presents network packets that match the user specified parameters indicating a security level for each of the presented network packets.
  - 18. The logging system according to claim 15, wherein the analyzing computer generates at least one report based on the user specified parameters that comprise:
    - a time period when the at least one report is generated, a designation of at least one device for which the at least one report is generated, a designation of a rank of the at least one report and a designation of a report type.
  - 19. The logging system according to claim 18, wherein report types are all reports, a basic set of said all reports and a custom set of reports where a user selects at least one report from said all reports, wherein said all reports comprise network activity report, web activity report, file transfer protocol report, terminal activity report, mail activity report, intrusion activity report, anti-virus activity report, web filter activity report, mail filter activity report, virtual private network activity report, and content activity report and wherein for each report from said all reports a time period and a direction of the network packets is designated.
  - 20. The logging system according to claim 19, wherein the user specified parameters further comprise designating output format of a report.
  - 21. The logging system according to claim 15, wherein the analyzing computer sets up at least one alert based on the user specified parameters that comprise designating at least one device for monitoring, designating a trigger event and a response.
  - 22. The logging system according to claim 21, wherein the trigger event comprises an event type and a ranking level and wherein the response comprises notifying a server or sending an email to a predefined destination.
  - 23. The logging system according to claim 15, wherein the gateway computer is configured to select some of the received network packets based on a user input of at least one of:
    - the source address of the network packet, the destination addresses of the network packet, the protocol of the network packet, the port selection, and the predefined signature, and wherein, when the user input is received, the gateway computer adjusts in real-time the selection criteria based on the received user input.

24. A method for managing network packets comprising:
- receiving network packets from various sources at a gateway;
  
  selecting network packets from the received network packets; and
  
  storing the selected network packets in a storage, wherein the gateway is configured to select the network packets based on source and destination addresses of the network packets, based on a protocol of the network packets, based on a port designated, and based on whether a particular traffic session matches a predetermined signature.
- View Dependent Claims (25, 26, 27)
- - 25. The method according to claim 24, further comprising analyzing the stored network packets, wherein said analyzing comprises building up indexes for the stored network packets.
  - 26. The method according to claim 24, further comprising analyzing the stored network packets based on a user supplied criteria, wherein said analyzing comprises searching and browsing through the stored network packets, reproducing original content of the stored network packets, and generating reports of the network traffic based on the user supplied criteria, and setting up alarms in accordance with the user supplied criteria.
  - 27. The method according to claim 24, wherein parameters for selecting the network packets by the gateway are designated by a user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Xie, Michael, Xie, Bing, Xie, Ken

Application Number

US11/213,719
Publication Number

US 20070050846A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/0245 Filtering by information in...

H04L 63/1425 Traffic logging, e.g. anoma...

Logging method, system, and device with analytical capabilities for the network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

104 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Logging method, system, and device with analytical capabilities for the network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links