APPARATUS AND METHOD FOR MULTI-USER NAT SESSION IDENTIFICATION AND TRACKING

US 20100161795A1
Filed: 12/22/2009
Published: 06/24/2010
Est. Priority Date: 12/22/2008
Status: Active Grant

First Claim

Patent Images

1. A method for identifying and tracking multiple computer user sessions associated with a network address translation (NAT) device coupled to a computer network, the method comprising:

receiving one or more data packets originating from the NAT device, the one or more data packets containing a request to a destination server coupled to the computer network;

determining a client source address associated with the one or more data packets, the source address associated with the NAT device;

determining one or more session entries associated with the client source address, wherein the session entries are stored in system state information;

determining a session signature based one or more characteristics defined by the data packet header information and/or request header information in the one or more data packets, the session signature uniquely identifying one of the multiple computer user sessions coupled to the NAT device; and

storing a new session entry in the system state information if the session signature is not associated with the one of the one or more sessions entries in the system state information.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are provided for identifying and tracking multiple computer user sessions associated with a network address translation (NAT) device coupled to a computer network. Data packets originating from the NAT device containing a request to a destination server coupled to the computer network are received. A client source address associated with the data packets is determined where the source address associated with the NAT device. One or more session entries associated with the client source address can then be determined, wherein the session entries are stored in system state information. A session signature can then be determined based one or more characteristics defined by the data packet header information and/or request header information in the one or more data packets, the session signature uniquely identifying one of the multiple computer user sessions coupled to the NAT device.

Citations

20 Claims

1. A method for identifying and tracking multiple computer user sessions associated with a network address translation (NAT) device coupled to a computer network, the method comprising:
- receiving one or more data packets originating from the NAT device, the one or more data packets containing a request to a destination server coupled to the computer network;
  
  determining a client source address associated with the one or more data packets, the source address associated with the NAT device;
  
  determining one or more session entries associated with the client source address, wherein the session entries are stored in system state information;
  
  determining a session signature based one or more characteristics defined by the data packet header information and/or request header information in the one or more data packets, the session signature uniquely identifying one of the multiple computer user sessions coupled to the NAT device; and
  
  storing a new session entry in the system state information if the session signature is not associated with the one of the one or more sessions entries in the system state information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 wherein performing the lookup of the source address in the system state information further comprises storing a new session entry for the client source address in the system state information when an associated session entry is not found.
  - 3. The method of claim 1 wherein determining the session signature further comprises determining the operating system (OS) fingerprint using the received one or more packets, wherein the OS fingerprint forms a unique identifier for the operating system of the client computer associated with the one or more data packets.
  - 4. The method of claim 3 wherein determining OS fingerprint detection further comprises storing a new session entry in the system state information when an associated session entry is not found for the client source address and OS fingerprint.
  - 5. The method of claim 1 wherein determining the session signature further comprises performing flow detection based upon data packet header data of the received one or more data packets, the flow detection identifying a path between the client device and the destination server.
  - 6. The method of claim 5 wherein performing flow detection further comprises updating an associated session entry in the system state information based upon the received one or more data packets and the request information if the flow is associated with one of the one or more session entries in the system state information.
  - 7. The method of claim 6 wherein determining the session signature is performed if the flow is not associated with any of the one or more sessions in the system state information.
  - 8. The method of claim 1 wherein determining the session signature further comprises updating a session entry in the system state information based upon the received one or more data packets and the request header information if the session signature is associated with the one of the one or more sessions in the session table.
  - 9. The method of claim 1 wherein the OS fingerprint forms an identifier for a computer operating system based upon the operating system version and its subsidiary software components, the value of which is unique for the given operating system version and subsidiary software components.
  - 10. The method of claim 1 wherein the data packets are transmission control protocol/Internet Protocol (TCP/IP) packets.
  - 11. The method of claim 10 wherein determining the session signature further comprises:
    - performing link-chain detection by comparing HTTP referrer field against browsing history associated with HTTP header in session and assigning a score to the detected links;
      
      performing refresh detection if the Referrer field is absent, the requested URL is compared against the browsing history to detect a page refresh and assigning a score to detected refreshes;
      
      determining an activity score wherein the score is determined based upon a frequency with which events are associated with a given session;
      
      determining an IPID trendline score based upon the IPID parameter;
      
      assigning a user agent score based upon a determined web-browser identified in the HTTP request;
      
      calculating a weighted score comprising the link chain detection, the refresh detection, the activity score, the IPID score and the user agent score;
      
      wherein the weighted score is compared to one or more weighted scores each associated with a session entry in the session table to determine the session with the best matching score.
  - 12. The method of claim 11 wherein when the weighted score exceeds a pre-determined threshold, the HTTP request is matched to a corresponding session.
  - 13. The method of claim 12 wherein when the weighted scores does not exceed a pre-determined threshold, a new session is created.
  - 14. The method of claim 10 wherein the session signature is determined by comparing the TCP packet TCP timestamp to a previously known TCP timestamp in one or more session entries in the system state information, and wherein when the TCP timestamp matches a previously known TCP timestamp, the HTTP request is consistent with a corresponding session and when the TCP timestamp does not match a previously known TCP timestamp, a new session entry is added to the system state information.
  - 15. The method of claim 10 wherein creating the session entry comprises:
    - assigning a session ID;
      
      storing a 5-tuple associated with the received one or more data packets;
      
      storing the determined OS fingerprint;
      
      storing the determined session signature; and
      
      storing session activity data comprising request information.
  - 16. The method of claim 15 wherein the 5-tuple comprises a protocol, a source address, a source port, a destination address, and a destination port.
  - 17. The method of claim 1 further comprising assigning the session identifier to the request header information and forwarding the session request header information and session identifier to another system.

18. An apparatus for identifying and tracking multiple computer user sessions associated with a network address translation (NAT) device coupled to a computer network, the system comprising:
- a processor;
  
  a memory for storing instructions for execution by the processor, the instructions comprising;
  
  a system state information repository for storing a plurality of session entries associated identifying sessions associated with NAT devices;
  
  a session detection module for;
  
  receiving one or more data packets originating from the NAT device, the one or more data packets containing a request to a destination server coupled to the computer network;
  
  determining a client source address associated with the one or more data packets, the source address associated with the NAT device;
  
  determining one or more session entries associated with the client source address, wherein the session entries are stored in the system state information;
  
  determining a session signature based one or more characteristics defined by the data packet header information and/or request header information in the one or more data packets, the session signature uniquely identifying one of the multiple computer user sessions coupled to the NAT device; and
  
  storing a new session entry in the system state information repository if the session signature is not associated with the one of the one or more sessions entries in the system state information; and
  
  a session declaration module for providing session identifying information, including an HTTP header summary and an associated session identifier, to one or more external systems for their use.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18 wherein the data packets are transmission control protocol/Internet Protocol (TCP/IP) packets.
  - 20. The apparatus of claim 19 further comprising a traffic data extraction module comprising:
    - a traffic interface for receiving the packets in a TCP/IP traffic stream from the service provider network;
      
      a TCP/IP header info extraction module for extracting information from the header of TCP/IP packets;
      
      an HTTP reassembly module for generating HTTP information that is contained across multiple TCP/IP packets, including both payloads and headers, to be reassembled into an HTTP header; and
      
      an HTTP header extraction module provides for extracting information from the reassembled HTTP header.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Original Assignee
Kindsight Incorporated
Inventors
Deridder, Darren, Edmison, Kelvin, Gaudet, Robert

Granted Patent

US 8,180,892 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 67/146   Markers for unambiguous ide...

H04L 67/535   Tracking the activity of th...

H04L 69/22   Parsing or analysis of headers

APPARATUS AND METHOD FOR MULTI-USER NAT SESSION IDENTIFICATION AND TRACKING

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR MULTI-USER NAT SESSION IDENTIFICATION AND TRACKING

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links