METHODS AND SYSTEMS FOR IDENTIFYING DATA SESSIONS AT A VPN GATEWAY

US 20150281408A1
Filed: 03/27/2014
Published: 10/01/2015
Est. Priority Date: 03/27/2014
Status: Active Grant

First Claim

Patent Images

1. A method for identifying Internet Protocol (IP) data sessions at a VPN gateway comprising:

receiving encapsulating packets, wherein the encapsulating packets encapsulate IP packets;

identifying a corresponding VPN connection;

decapsulating encapsulating packets to retrieve IP packets;

performing deep packet inspection (DPI) on the IP packets to identify one or more data sessions the IP packets belong to; and

updating a DPI database based, at least in part, on the one or more data sessions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for identifying Internet Protocol (IP) data sessions at a VPN gateway. The VPN gateway receives encapsulating packets, wherein the encapsulating packets encapsulate IP packets. A corresponding VPN connection through which the encapsulating packets are received is identified. The VPN gateway decapsulates the encapsulating packets to retrieve the IP packets and performs deep packet inspection (DPI) on the IP packets in order to identify one or more data sessions that the IP packets belong to. A DPI database is updated accordingly, based on, at least in part, the one or more data sessions.

20 Citations

View as Search Results

22 Claims

1. A method for identifying Internet Protocol (IP) data sessions at a VPN gateway comprising:
- receiving encapsulating packets, wherein the encapsulating packets encapsulate IP packets;
  
  identifying a corresponding VPN connection;
  
  decapsulating encapsulating packets to retrieve IP packets;
  
  performing deep packet inspection (DPI) on the IP packets to identify one or more data sessions the IP packets belong to; and
  
  updating a DPI database based, at least in part, on the one or more data sessions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. According to the method of claim 1,wherein the step of updating includes adding a new record in the DPI database if one or more data sessions are identified the first time.
  - 3. According to the method of claim 1, further comprising:
    - displaying information corresponding to the one or more data sessions at a user interface,wherein the information is retrieved from the DPI database.
  - 4. According to the method of claim 3,wherein the user interface is shown on a display, wherein the display is not coupled to the VPN gateway.
  - 5. According to the method of claim 3,wherein the information is retrieved from the DPI database after a query is performed.
  - 6. According to the method of claim 3,wherein the information is categorized according to one category and statistical data.
  - 7. According to the method of claim 3,wherein the information is categorized according to a plurality of categories.
  - 8. According to the method of claim 7,wherein the information includes correlation among items in the plurality of categories.
  - 9. According to the method of claim 8,wherein the plurality of categories is selected from a group consisting of source IP address, destination IP address, source port, destination port, IP protocol, application, accumulated size of IP packet payloads received, accumulated size of IP packet payloads transmitted, domain name, begin timestamp and end timestamp.

10. According to the method of 1,wherein the VPN gateway is a VPN hub,wherein the VPN hub establishes one or more VPN connections with one or more other VPN gateways respectively.

11. According to the method of 10,wherein the one or more VPN connection can be an aggregated VPN connection.

12. A VPN gateway for identifying Internet Protocol (IP) data sessions, comprising:
- at least one network interface;
  
  at least one processing unit;
  
  at least one main memory;
  
  at least one secondary storage storing program instructions executable by the at least one processing unit for;
  
  receiving encapsulating packets, wherein the encapsulating packets encapsulate IP packets;
  
  identifying a corresponding VPN connection;
  
  decapsulating encapsulating packets to retrieve IP packets;
  
  performing deep packet inspection (DPI) on the IP packets to identify one or more data sessions the IP packets belong to; and
  
  updating a DPI database based, at least in part, on the one or more data sessions.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The VPN gateway of claim 12,wherein the step of updating includes adding a new record in the DPI database if one or more data sessions are identified the first time.
  - 14. The VPN gateway of claim 12, wherein the at least one secondary storage further storing program instructions executable by the at least one processing unit for:
    - displaying information corresponding to the one or more data sessions at a user interface,wherein the information is retrieved from the DPI database.
  - 15. The VPN gateway of claim 14,wherein the user interface is shown on a display, wherein the display is not coupled to the VPN gateway.
  - 16. The VPN gateway of claim 14,wherein the information is retrieved from the DPI database after a query is performed.
  - 17. The VPN gateway of claim 14,wherein the information is categorized according to one category and statistical data.
  - 18. The VPN gateway of claim 14,wherein the information is categorized according to a plurality of categories.
  - 19. The VPN gateway of claim 18,wherein the information includes correlation among items in the plurality of categories.
  - 20. According to the method of claim 19,wherein the plurality of categories is selected from a group consisting of source IP address, destination IP address, source port, destination port, IP protocol, application, accumulated size of IP packet payloads received, accumulated size of IP packet payloads transmitted, domain name, begin timestamp and end timestamp.

21. According to the method of 12,wherein the VPN gateway is a VPN hub,wherein the VPN hub establishes one or more VPN connections with one or more other VPN gateways respectively.

22. According to the method of 21,wherein the one or more VPN connection can be an aggregated VPN connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pismo Labs Technology Limited
Original Assignee
Pismo Labs Technology Limited
Inventors
Kwan, Ying, Lam, Ho Cheung

Granted Patent

US 9,674,316 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/6418   Hybrid transport

H04L 43/028   by filtering

H04L 43/045   for graphical visualisation...

H04L 43/106   using time related informat...

H04L 43/18   Protocol analysers

H04L 61/2514   between local and global IP...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 69/22   Parsing or analysis of headers

METHODS AND SYSTEMS FOR IDENTIFYING DATA SESSIONS AT A VPN GATEWAY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

METHODS AND SYSTEMS FOR IDENTIFYING DATA SESSIONS AT A VPN GATEWAY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others