Apparatus and method for network analysis

US 7,634,557 B2
Filed: 04/29/2002
Issued: 12/15/2009
Est. Priority Date: 04/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method of extracting information from a network session comprising a plurality of packets to create a record conforming to an event-based language comprising the steps of:

receiving a session comprising a plurality of packets that have previously been exchanged in a session between a first entity and a second entity;

extracting information from the session;

translating the information into an event statement describing an event between a first entity and a second entity;

creating a record containing the event statement, wherein the event statement describes an application used for the event, and an action describing the event;

further translating the information into a session statement describing the session of which the event is a part, wherein the record also contains the session statement;

translating the information into a property statement describing properties of the event, wherein the record also contains the property statement;

translating the information into a route statement describing a route through a network traveled by the event, the session or a part of the session, wherein the record also contains the route statement;

translating the information into an alias statement describing additional information related to an identity of the first entity or the second entity, wherein the record also contains the alias statement;

wherein the record is a condensed and simple representation of the session from which the information was extracted,wherein at least the translating steps are preformed in an analyzer that is in communication with a parser.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for and method of extracting information from multiple sessions of disparate protocols into a common language is disclosed. A method of creating a record conforming to an event-based language is also disclosed. A system configured to create a record conforming to an event-based language is also disclosed.

33 Citations

View as Search Results

13 Claims

1. A method of extracting information from a network session comprising a plurality of packets to create a record conforming to an event-based language comprising the steps of:
- receiving a session comprising a plurality of packets that have previously been exchanged in a session between a first entity and a second entity;
  
  extracting information from the session;
  
  translating the information into an event statement describing an event between a first entity and a second entity;
  
  creating a record containing the event statement, wherein the event statement describes an application used for the event, and an action describing the event;
  
  further translating the information into a session statement describing the session of which the event is a part, wherein the record also contains the session statement;
  
  translating the information into a property statement describing properties of the event, wherein the record also contains the property statement;
  
  translating the information into a route statement describing a route through a network traveled by the event, the session or a part of the session, wherein the record also contains the route statement;
  
  translating the information into an alias statement describing additional information related to an identity of the first entity or the second entity, wherein the record also contains the alias statement;
  
  wherein the record is a condensed and simple representation of the session from which the information was extracted,wherein at least the translating steps are preformed in an analyzer that is in communication with a parser.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the first entity and the second entity comprise one of the following entities:
    - IP, IP-port, IP-user, IP-resource, host, host-port, host-user, or host-resource.
  - 3. The method of claim 1, wherein the event statement describes the first entity and the second entity.
  - 4. The method of claim 3, wherein the record conforms to the following structure:
    - “
      
      <
      
      the first entity>
      
      was seen <
      
      the action>
      
      to <
      
      the second entity>
      
      with <
      
      the application>
      
      .”
  - 5. The method of claim 3, wherein the application is one of the following application types:
    - FTP, Telnet, SMTP, Domain Name Service, DHCP, AOL™
      
      Instant Messenger, Yahoo™
      
      Instant Messenger, HTTP, POP-2, POP-3, NNTP, Microsoft RPC, Netbios, MS File Access, SNMP, RIP, MS Instant Messenger, Lotus Notes™
      
      , Sybase™
      
      Database, MSSQL™
      
      Database, Oracle™
      
      Database, Lotus Sametime™
      
      , Unix™
      
      File Access, or IRC.
  - 6. The method of claim 3, wherein the event statement further contains one of the following content types:
    - Mail, HTML, DCARD, SMIME, or PGP.
  - 7. The method of claim 3, wherein the action includes at least one of the following action types:
    - User Login, User Logoff, Get Resource, Put Resource, Delete Resource, Send Message, Receive Message, Read Message, Delete Message, Database Query, User Login Response, User Logoff Response, Get Resource Response, Delete Resource Response, Send Message Response, Read Message Response, or Database Query Response.
  - 8. The method of claim 1, wherein the properties of the event include at least one of the following property types:
    - an application used, a subject of the event, or a database queried.
  - 9. The method of claim 1, wherein the alias statement contains at least one of the following alias types:
    - IP-Alias or User-Alias.
  - 10. The method of claim 1, wherein the record includes metadata about the session.
  - 11. The method of claim 10, wherein the record includes metadata about properties of the session.
  - 12. The method of claim 11, wherein the metadata about properties of the session comprises a global property name.
  - 13. The method of claim 1, wherein the session statement comprises times that the session of which the event is a part began and ended, a size of the session and a service type of the session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Netwitness Corporation (Dell Technologies Inc.)
Inventors
Moore, Todd A., Girardi, Brian, Longworth, Mark E., Love, Damon
Primary Examiner(s)
Winder; Patrice
Assistant Examiner(s)
MIRZA, ADNAN M

Application Number

US10/133,392
Publication Number

US 20020163934A1
Time in Patent Office

2,787 Days
Field of Search

709/223, 709/224, 709/230, 709/235, 709/245, 709/236, 709/246
US Class Current

709/224
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 43/18   Protocol analysers

H04L 69/06   Notations for structuring o...

H04L 69/08   Protocols for interworking;...

H04L 69/10   Streamlined, light-weight o...

H04L 69/18   Multiprotocol handlers, e.g...

H04L 9/40   Network security protocols

Apparatus and method for network analysis

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for network analysis

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links