Apparatus and Method for Network Analysis

US 20100027430A1
Filed: 09/04/2007
Published: 02/04/2010
Est. Priority Date: 04/30/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of extracting information from a session to create a record conforming to an event-based language, comprising:

fielding a plurality of packet collectors in a network that handles digital data in at least one protocol;

using the plurality of packet collectors to collect the digital data;

converting the digital data into at least one session;

generating metadata that is indicative of a nature of the at least one session;

sending the metadata, from at least two of the plurality of data collectors, to an aggregator; and

allowing the metadata received at the aggregator to be accessed by a user such that the metadata generated at the at least two of the plurality of packet collectors can be viewed at substantially the same time,wherein the metadata is converted to an event statement describing an event that occurred during the at least one session between a first entity and a second entity associated with the at least one session.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for, and method of, extracting information from multiple sessions and in accordance with disparate protocols, and transforming the same into a common language. Packets are collected by packet collectors distributed throughout a network and those packets, and/or metadata relating to those packets, are passed to an aggregator, which is made available via an application program interface to users/applications.

47 Citations

View as Search Results

21 Claims

1. A method of extracting information from a session to create a record conforming to an event-based language, comprising:
- fielding a plurality of packet collectors in a network that handles digital data in at least one protocol;
  
  using the plurality of packet collectors to collect the digital data;
  
  converting the digital data into at least one session;
  
  generating metadata that is indicative of a nature of the at least one session;
  
  sending the metadata, from at least two of the plurality of data collectors, to an aggregator; and
  
  allowing the metadata received at the aggregator to be accessed by a user such that the metadata generated at the at least two of the plurality of packet collectors can be viewed at substantially the same time,wherein the metadata is converted to an event statement describing an event that occurred during the at least one session between a first entity and a second entity associated with the at least one session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising sending to the aggregator all of the digital data.
  - 3. The method of claim 1, further comprising sending to the aggregator content of the at least one session.
  - 4. The method of claim 1, further comprising sending to the aggregator packets of digital data that are collected by the packet collectors.
  - 5. The method of claim 1, further comprising parsing the digital data into distinct sessions.
  - 6. The method of claim 5, further comprising parsing the digital data into distinct sessions in accordance with a common language.
  - 7. The method of claim 1, wherein the event statement conforms to the following structure:
    - <
      
      the first entity>
      
      was seen <
      
      the action>
      
      to <
      
      the second entity>
      
      with <
      
      the application>
      
      .
  - 8. The method of claim 1, wherein the step of sending comprises sending the metadata asynchronously.
  - 9. The method of claim 1, further comprising fielding a plurality of aggregators.
  - 10. The method of claim 9, further comprising enabling the plurality of aggregators to communicate directly with one another.
  - 11. The method of claim 1, wherein predetermined ones of the plurality of packet collectors communicate with respective ones of a plurality of aggregators.
  - 12. The method of claim 1, wherein the step of allowing comprises opening an application program interface (API) to the user.
  - 13. The method of claim 1, further comprising encrypting communications between at least one of the plurality of packet collectors and the aggregator.
  - 14. The method of claim 1, further comprising encrypting communications between a user application and the aggregator.
  - 15. The method of claim 1, further comprising encrypting communications between a user application and at least one of the plurality of packet collectors.

16. A method of capturing and analyzing network data, comprising:
- receiving, at an aggregator, a feed of data from a plurality of packet collectors distributed throughout an electronic data network,parsing the data in respective sessions in disparate protocols into sessions of a common language;
  
  communicating the common-language sessions to a forensics engine;
  
  providing access to the sessions of a common language via an application program interface; and
  
  controlling access to the sessions of a common language by licensing at least one plugin or application independently of a packet collector or aggregator.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, wherein the common language comprises metadata that is then converted to an event statement describing an event that occurred between a first entity and a second entity associated.
  - 18. The method of claim 17, wherein the event statement conforms to the following structure:
    - <
      
      the first entity>
      
      was seen <
      
      the action>
      
      to <
      
      the second entity>
      
      with <
      
      the application>
      
      .
  - 19. The method of claim 16, further comprising fielding a plurality of aggregators, which at least two of the aggregators communicate with one another.
  - 20. The method of claim 19, wherein access to a first one of the aggregators is provided via a second one of the aggregators.
  - 21. The method of claim 16, further comprising providing an in-memory tree structure in individual ones of the plurality of packet collectors and periodically replicating the data store, or portions of, and the in-memory tree structure in the aggregator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EMC Corporation (Dell Technologies Inc.)
Original Assignee
Netwitness Corporation (Dell Technologies Inc.)
Inventors
Moore, Scott, Menninger, Timothy, Washington, Erin, Moore, Todd, Girardi, Brian

Application Number

US11/849,507
Publication Number

US 20100027430A1
Time in Patent Office

Days
Field of Search
US Class Current

370/252
CPC Class Codes

H04L 43/12   Network monitoring probes

H04L 63/1416   Event detection, e.g. attac...

H04L 67/025   for remote control or remot...

H04L 67/14   Session management for real...

H04L 67/141   Setup of application sessio...

H04L 69/08   Protocols for interworking;...

H04L 69/085   specially adapted for inter...

H04L 69/18   Multiprotocol handlers, e.g...

Apparatus and Method for Network Analysis

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Apparatus and Method for Network Analysis

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others