Network monitor internals description

US 7,272,646 B2
Filed: 06/14/2001
Issued: 09/18/2007
Est. Priority Date: 06/16/2000
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus for translating packet data into a serialized stream of network event data, comprising:

means for accepting said packet data live or from a first file containing said packet data;

means for intepreting both sides of each network connection of one or more network connections in said packet data, wherein said means for interpreting comprises means for determining a relative time and a concurrency of each of a plurality of network events together with its comprised protocol events in said packet data and using said relative time and concurrency for making one or more policy decisions about said network event before it terminates;

means for extracting security-sensitive information from said packet data, wherein said means for extracting omits passwords, documents, and other sensitive data; and

means for generating output from said extracted security-sensitive information into said serialized stream of network event data in encoded format, wherein, said encoded format comprises a transaction identifier corresponding to said each said network connection, wherein each transaction identifier is used in a post-process to identify a plurality of actions corresponding to a plurality of protocol events on said network connections, each action including one or more elements of said security-sensitive information, and wherein said output is stored in a second file for subsequent post-processing by an interpreting processor or is fed continuously to said interpreting processor.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for a network monitor internals mechanism that serves to translate packet data into multiple concurrent streams of network event data is provided. The data translation is accomplished by interpreting both sides of each protocol transaction.

Citations

24 Claims

1. An apparatus for translating packet data into a serialized stream of network event data, comprising:
- means for accepting said packet data live or from a first file containing said packet data;
  
  means for intepreting both sides of each network connection of one or more network connections in said packet data, wherein said means for interpreting comprises means for determining a relative time and a concurrency of each of a plurality of network events together with its comprised protocol events in said packet data and using said relative time and concurrency for making one or more policy decisions about said network event before it terminates;
  
  means for extracting security-sensitive information from said packet data, wherein said means for extracting omits passwords, documents, and other sensitive data; and
  
  means for generating output from said extracted security-sensitive information into said serialized stream of network event data in encoded format, wherein, said encoded format comprises a transaction identifier corresponding to said each said network connection, wherein each transaction identifier is used in a post-process to identify a plurality of actions corresponding to a plurality of protocol events on said network connections, each action including one or more elements of said security-sensitive information, and wherein said output is stored in a second file for subsequent post-processing by an interpreting processor or is fed continuously to said interpreting processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The apparatus of claim 1, wherein said encoded format is network event encoded format.
  - 3. The apparatus of claim 1, wherein said generated output is suitable for processing by, but not limited to means for logging, means for debugging, and a policy engine.
  - 4. The apparatus of claim 1, further comprising:
    - means, for using a “
      
      stopped collecting”
      
      state where said packets may be ignored except to use information from transport protocol headers to determine a connection state associated with a connection and freeing resources when said connection terminates, thereby increasing efficiency in said translating packet data.
  - 5. The apparatus of claim 4, wherein said means for using headers and freeing resources is implemented as a hardware filter to stop additional packets of data from arriving.
  - 6. The apparatus of claim 1, further comprising:
    - means for using time received of said packet data as a point of reference and using corresponding time intervals for aligning results, said results stored in a database.
  - 7. The apparatus of claim 1, wherein when said accepting packet data is from said file, further comprising means for processing said packet data relative to time and time intervals of when said packet was originally received into the file.
  - 8. The apparatus of claim 1, said means for generating output further comprising:
    - an interface for communicating with a policy engine, said interface comprising calls for connecting and for starting and finishing a plurality of transactions, and event specific calls.
  - 9. The apparatus of claim 8, wherein said plurality of transactions are active at the same time.
  - 10. The apparatus of claim 1, further comprising:
    - means for decoding encoded versions of network events.
  - 11. The apparatus of claim 1, wherein said encoded format comprises:
    - a header;
      
      embedded agent descriptors indicating location of source of said packet data;
      
      type map used in detecting update types not supported by old software, thereby; and
      
      encoded transactions.
  - 12. The apparatus of claim 1, wherein different protocol layers of said network event data are combined to facilitate understanding of events in said packet data.

13. A method for translating packet data into a serialized stream of network event data, comprising:
- accepting said packet data live or from a first file containing said packet data;
  
  interpreting both sides of each network connection of one or more network connections in said packet data wherein said means for interpreting comprises means for determining a relative time and a concurrency of each of a plurality of network events together with its comprised protocol events in said packet data and using said relative time and concurrency for making one or more policy decisions about said network event before it terminates;
  
  extracting security-sensitive information from said packet data, wherein said means for extracting omits passwords, documents, and other sensitive data; and
  
  generating output from said extracted security-sensitive information into said serialized stream of network event data in encoded format, wherein said encoded format comprises a transaction identifier corresponding to said each said network connection, wherein each transaction identifier is used in a post-process to identify a plurality of actions corresponding to a plurality of protocol events on said network connections each action including one or more elements of said security-sensitive information, and wherein said output is stored in a second file for subsequent post-processing by an interpreting processor or is fed continuously to said interpreting processor.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, wherein said encoded format is network event encoded format.
  - 15. The method of claim 13, wherein said generated output is suitable for processing by, but not limited to logging, debugging, and a policy engine.
  - 16. The method of claim 13, further comprising:
    - providing a “
      
      stopped collecting”
      
      state whereby said packets may be ignored except to use information from transport protocol headers to determine a connection state associated with a connection and free resources when said connection terminates, thereby increasing efficiency in said translating packet data.
  - 17. The method of claim 16, wherein using headers and freeing resources is implemented as a hardware filter to stop additional packets of data from arriving.
  - 18. The method of claim 13, further comprising:
    - using time received of said packet data as a point of reference and using corresponding time intervals for aligning results, said results stored in a database.
  - 19. The method of claim 13, wherein when said accepting packet data is from said file, further comprising processing said packet data relative to time and, time intervals of when said packet was originally received into the file.
  - 20. The method of claim 13, said generating output further comprising:
    - providing an interface for communicating with a policy engine, said interface comprising calls for connecting and for starting and finishing a plurality of transactions, and event specific calls.
  - 21. The method of claim 20, wherein said plurality of transactions are active at the same time.
  - 22. The method of claim 13, further comprising:
    - decoding encoded versions of network events.
  - 23. The method of claim 13, wherein said encoded format comprises:
    - a header;
      
      embedded agent descriptors indicating location of source of said packet data;
      
      type map used in detecting update types not supported by old software, thereby; and
      
      encoded transactions.
  - 24. The method of claim 13, wherein different protocol layers of said network event data are combined to facilitate understanding of events in said packet data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Securify, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey, Sherlock, Kieran Gerard, Shaw, Robert Allen, Valente, Luis Filipe Pereira
Primary Examiner(s)
Najjar; Saleh
Assistant Examiner(s)
KOROBOV, VITALI A

Application Number

US10/311,109
Publication Number

US 20040030796A1
Time in Patent Office

2,287 Days
Field of Search

709/223, 709/224, 714/39, 714/51, 714/815, 726/13, 726/22
US Class Current

709/223
CPC Class Codes

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/069   using logs of notifications...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/22   comprising specially adapte...

H04L 41/5012   determining service availab...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/062   related to network traffic

H04L 43/067   using time frame reporting

H04L 43/0811   by checking connectivity

H04L 43/18   Protocol analysers

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/166   at the transport layer

H04L 69/22 : Parsing or analysis of headers

View All

Network monitor internals description

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Network monitor internals description

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links