DETECTING NETWORK FLOW STATES FOR NETWORK TRAFFIC ANALYSIS

US 20180324061A1
Filed: 05/03/2017
Published: 11/08/2018
Est. Priority Date: 05/03/2017
Status: Active Application

First Claim

Patent Images

1. A method for monitoring one or more network flows, wherein one or more processors in a network computer that execute instructions for a plurality of applications that perform actions, comprising:

employing a monitoring engine application to compare one or more characteristics of the one or more monitored network flows to one or more criteria, wherein the one or more criteria are provided by one or more filters;

employing a filter engine application to perform further actions including;

filtering network traffic based on the one or more filters and the comparison, wherein one or more universal payload analysis (UPA) engines are employed to analyze protocols that are one or more custom or unsupported natively by the network computer and extract packet payload data from the filtered network traffic, wherein the analysis includes employing one or more state machines to classify the protocols by mimicking state changes in the monitored network flows; and

employing a rule engine application to perform further actions, including;

providing one or more rules based on the filtered network traffic, wherein each rule is associated with one or more rule prologues and one or more rule actions;

executing the one or more rule prologues on the filtered network traffic to provide one or more satisfied rule prologues, wherein the one or more satisfied rule prologues includes indicating that a turn is occurring on a monitored network flow of packets between one or more servers and clients based on detection of one or more of a response-request data pattern or a new transaction data pattern, wherein the indication of the turn identifies the detected pattern regarding the monitored network flow in the packets'"'"' payload data; and

executing one or more of the one or more rule actions based on the one or more satisfied rule prologues, wherein the one or more executed rule actions and the one or more satisfied rule prologues are each associated with a same rule.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring a network flow. A characteristic of the monitored network flow may be compared to a criterion. A filter may provide the criterion. Filtered network traffic may be provided based on the filter and the comparison. A rule may be provided based on the filtered network traffic, such that each rule is associated with one or more rule prologues and one or more rule actions. The one or more rule prologues may be executed on the filtered network traffic to provide one or more satisfied rule prologues. One or more of the one or more rule actions may be executed based on the one or more satisfied rule prologues, such that the one or more executed rule actions and the one or more satisfied rule prologues are each associated with a same rule.

Citations

28 Claims

1. A method for monitoring one or more network flows, wherein one or more processors in a network computer that execute instructions for a plurality of applications that perform actions, comprising:
- employing a monitoring engine application to compare one or more characteristics of the one or more monitored network flows to one or more criteria, wherein the one or more criteria are provided by one or more filters;
  
  employing a filter engine application to perform further actions including;
  
  filtering network traffic based on the one or more filters and the comparison, wherein one or more universal payload analysis (UPA) engines are employed to analyze protocols that are one or more custom or unsupported natively by the network computer and extract packet payload data from the filtered network traffic, wherein the analysis includes employing one or more state machines to classify the protocols by mimicking state changes in the monitored network flows; and
  
  employing a rule engine application to perform further actions, including;
  
  providing one or more rules based on the filtered network traffic, wherein each rule is associated with one or more rule prologues and one or more rule actions;
  
  executing the one or more rule prologues on the filtered network traffic to provide one or more satisfied rule prologues, wherein the one or more satisfied rule prologues includes indicating that a turn is occurring on a monitored network flow of packets between one or more servers and clients based on detection of one or more of a response-request data pattern or a new transaction data pattern, wherein the indication of the turn identifies the detected pattern regarding the monitored network flow in the packets'"'"' payload data; and
  
  executing one or more of the one or more rule actions based on the one or more satisfied rule prologues, wherein the one or more executed rule actions and the one or more satisfied rule prologues are each associated with a same rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein providing the one or more rules, further comprises, providing the one or more rules based on which of the one or more filters are associated with the filtered network traffic.
  - 3. The method of claim 1, wherein the one or more criteria provided by the one or more filters include one or more discoveries of one or more new network flows or one or more new network devices on a monitored network.
  - 4. The method of claim 1, wherein executing the one or more rule prologues on the filtered network traffic, further comprises, inspecting payload contents of one or more network packets that are included in the filtered network traffic.
  - 5. The method of claim 1, wherein executing the one or more rule prologues on the filtered network traffic, further comprises, employing the one or more state machines to compare one or more state transitions in the filtered network traffic to one or more expected state transitions.
  - 6. The method of claim 1, wherein the one or more criteria provided by the one or more filters include one or more of a network protocol, an application protocol, an application type, a traffic rate, or tuple information of the one or more monitored network flows.
  - 7. The method of claim 1, wherein executing the one or more of the one or more rule actions further comprises, providing one or more portions of the filtered network traffic to the one or more universal payload analysis (UPA) engines.

8. A system for monitoring one or more network flows in a network comprising:
- a network computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions for a plurality of applications that perform actions, including;
  
  employing a monitoring engine application to compare one or more characteristics of the one or more monitored network flows to one or more criteria, wherein the one or more criteria are provided by one or more filters;
  
  employing a filter engine application to perform further actions including;
  
  filtering network traffic based on the one or more filters and the comparison, wherein one or more universal payload analysis (UPA) engines are employed to analyze protocols that are one or more of custom or unsupported natively by the network computer and extract packet payload data from the filtered network traffic, wherein the analysis includes employing one or more state machines to classify the protocols by mimicking state changes in the monitored network flows; and
  
  employing a rule engine application to perform further actions, including;
  
  providing one or more rules based on the filtered network traffic, wherein each rule is associated with one or more rule prologues and one or more rule actions;
  
  executing the one or more rule prologues on the filtered network traffic to provide one or more satisfied rule prologues, wherein the one or more satisfied rule prologues includes indicating that a turn is occurring on a monitored network flow of packets between one or more servers and clients based on detection of one or more of a response-request data pattern or a new transaction data pattern, wherein the indication of the turn identifies the detected pattern regarding the monitored network flow in the packets'"'"' payload data; and
  
  executing one or more of the one or more rule actions based on the one or more satisfied rule prologues, wherein the one or more executed rule actions and the one or more satisfied rule prologues are each associated with a same rule; and
  
  a client computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more portions of the one or more monitored network flows.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein providing the one or more rules, further comprises, providing the one or more rules based on which of the one or more filters are associated with the filtered network traffic.
  - 10. The system of claim 8, wherein the one or more criteria provided by the one or more filters include one or more discoveries of one or more new network flows or one or more new network devices on a monitored network.
  - 11. The system of claim 8, wherein executing the one or more rule prologues on the filtered network traffic, further comprises, inspecting payload contents of one or more network packets that are included in the filtered network traffic.
  - 12. The system of claim 8, wherein executing the one or more rule prologues on the filtered network traffic, further comprises, employing the one or more state machines to compare one or more state transitions in the filtered network traffic to one or more expected state transitions.
  - 13. The system of claim 8, wherein the one or more criteria provided by the one or more filters include one or more of a network protocol, an application protocol, an application type, a traffic rate, or tuple information of the one or more monitored network flows.
  - 14. The system of claim 8, wherein executing the one or more of the one or more rule actions further comprises, providing one or more portions of the filtered network traffic to the one or more universal payload analysis (UPA) engines.

15. A processor readable non-transitory storage media that includes instructions for monitoring one or more network flows with a plurality of applications, wherein execution of the instructions by one or more processors causes the plurality of applications to perform actions, comprising:
- employing a monitoring engine application to compare one or more characteristics of the one or more monitored network flows to one or more criteria, wherein the one or more criteria are provided by one or more filters;
  
  employing a filter engine application to perform further actions including;
  
  filtering network traffic based on the one or more filters and the comparison, wherein one or more universal payload analysis (UPA) engines are employed to analyze protocols that are one or more of custom or unsupported natively by the network computer and extract packet payload data from the filtered network traffic, wherein the analysis includes employing one or more state machines to classify the protocols by mimicking state changes in the monitored network flows; and
  
  employing a rule engine application to perform further actions, including;
  
  providing one or more rules based on the filtered network traffic, wherein each rule is associated with one or more rule prologues and one or more rule actions;
  
  executing the one or more rule prologues on the filtered network traffic to provide one or more satisfied rule prologues, wherein the one or more satisfied rule prologues includes indicating that a turn is occurring on a monitored network flow of packets between one or more servers and clients based on detection of one or more of a response-request data pattern or a new transaction data pattern, wherein the indication of the turn identifies the detected pattern regarding the monitored network flow in the packets'"'"' payload data; and
  
  executing one or more of the one or more rule actions based on the one or more satisfied rule prologues, wherein the one or more executed rule actions and the one or more satisfied rule prologues are each associated with a same rule.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The media of claim 15, wherein providing the one or more rules, further comprises, providing the one or more rules based on which of the one or more filters are associated with the filtered network traffic.
  - 17. The media of claim 15, wherein the one or more criteria provided by the one or more filters include one or more discoveries of one or more new network flows or one or more new network devices on a monitored network.
  - 18. The media of claim 15, wherein executing the one or more rule prologues on the filtered network traffic, further comprises, inspecting payload contents of one or more network packets that are included in the filtered network traffic.
  - 19. The media of claim 15, wherein executing the one or more rule prologues on the filtered network traffic, further comprises, employing the one or more state machines to compare one or more state transitions in the filtered network traffic to one or more expected state transitions.
  - 20. The media of claim 15, wherein the one or more criteria provided by the one or more filters include one or more of a network protocol, an application protocol, an application type, a traffic rate, or tuple information of the one or more monitored network flows.
  - 21. The media of claim 15, wherein executing the one or more of the one or more rule actions further comprises, providing one or more portions of the filtered network traffic to the one or more universal payload analysis (UPA) engines.

22. A network computer for monitoring one or more network flows, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions for a plurality of applications that perform actions, including;
  
  employing a monitoring engine application to compare one or more characteristics of the one or more monitored network flows to one or more criteria, wherein the one or more criteria are provided by one or more filters;
  
  employing a filter engine application to perform further actions including;
  
  filtering network traffic based on the one or more filters and the comparison, wherein one or more universal payload analysis (UPA) engines are employed to analyze protocols that are one or more of custom or unsupported natively by the network computer and extract packet payload data from the filtered network traffic, wherein the analysis includes employing one or more state machines to classify the protocols by mimicking state changes in the monitored network flows; and
  
  employing a rule engine application to perform further actions, including;
  
  providing one or more rules based on the filtered network traffic, wherein each rule is associated with one or more rule prologues and one or more rule actions;
  
  executing the one or more rule prologues on the filtered network traffic to provide one or more satisfied rule prologues, wherein the one or more satisfied rule prologues includes indicating that a turn is occurring on a monitored network flow of packets between one or more servers and clients based on detection of one or more of a response-request data pattern or a new transaction data pattern, wherein the indication of the turn identifies the detected pattern regarding the monitored network flow in the packets'"'"' payload data; and
  
  executing one or more of the one or more rule actions based on the one or more satisfied rule prologues, wherein the one or more executed rule actions and the one or more satisfied rule prologues are each associated with a same rule.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The network computer of claim 22, wherein providing the one or more rules, further comprises, providing the one or more rules based on which of the one or more filters are associated with the filtered network traffic.
  - 24. The network computer of claim 22, wherein the one or more criteria provided by the one or more filters include one or more discoveries of one or more new network flows or one or more new network devices on a monitored network.
  - 25. The network computer of claim 22, wherein executing the one or more rule prologues on the filtered network traffic, further comprises, inspecting payload contents of one or more network packets that are included in the filtered network traffic.
  - 26. The network computer of claim 22, wherein executing the one or more rule prologues on the filtered network traffic, further comprises, employing the one or more state machines to compare one or more state transitions in the filtered network traffic to one or more expected state transitions.
  - 27. The network computer of claim 22, wherein the one or more criteria provided by the one or more filters include one or more of a network protocol, an application protocol, an application type, a traffic rate, or tuple information of the one or more monitored network flows.
  - 28. The network computer of claim 22, wherein executing the one or more of the one or more rule actions further comprises, providing one or more portions of the filtered network traffic to the one or more universal payload analysis (UPA) engines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Khanal, Bhushan Prasad, Hammerle, Eric Joseph, Mukerji, Arindum

Application Number

US15/585,887
Publication Number

US 20180324061A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/028   by filtering

H04L 43/04   Processing captured monitor...

H04L 43/12   Network monitoring probes

H04L 43/18   Protocol analysers

H04L 69/32   Architecture of open system...

H04L 69/321   Interlayer communication pr...

DETECTING NETWORK FLOW STATES FOR NETWORK TRAFFIC ANALYSIS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING NETWORK FLOW STATES FOR NETWORK TRAFFIC ANALYSIS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links