Defining and detecting network application business activities

US 7,653,742 B1
Filed: 09/28/2004
Issued: 01/26/2010
Est. Priority Date: 09/28/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting activities involving use of a software application, the method comprising the computer-implemented steps of:

establishing a set of rules associating business signatures with business activities, in which each rule comprises an association of one of the business signatures with one of the business activities;

wherein said business activities are each an activity that involves one or more interactions between the application and application users;

wherein the set of rules comprises a rule associating an activity with a signature;

monitoring information that is generated based on at least one user'"'"'s use of the application;

comparing the information against at least a portion of at least some of the business signatures to determine which of the business activities have been initiated;

based on the comparing, determining that the activity has been initiated;

wherein determining that the activity has been initiated comprises identifying, in said information, a first signature that matches said signature;

wherein identifying the first signature comprises determining that a first set of one or more name-value pairs in a first stream of characters in said information matches the signature;

wherein the signature is a template for the first signature, said template comprising at least one non-literal parameter value capable of matching multiple different values; and

in response to determining that the activity has been initiated, triggering execution of an action or policy associated with the activity;

wherein the method is performed by one or more processors of a computer system.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network applications are monitored by defining and detecting activities associated with the applications. Such activities are referred to as “business activities” in the sense that the activities are performed in the process of conducting business using applications. Each business activity of interest is associated with a unique “business signature” which can be used to identify the activity from streams or collections of information. In one embodiment, each business signature of interest to a business is defined as a set of one or more parameter name-value pairs. Once defined, network traffic to and from an application is monitored to detect business signatures, to detect that a corresponding business activity was started. Detecting an activity is based on real-time matching of business signature character patterns within a stream of characters with a repository of character patterns that each represents a business signature defined for the application.

48 Citations

View as Search Results

54 Claims

1. A method for detecting activities involving use of a software application, the method comprising the computer-implemented steps of:
- establishing a set of rules associating business signatures with business activities, in which each rule comprises an association of one of the business signatures with one of the business activities;
  
  wherein said business activities are each an activity that involves one or more interactions between the application and application users;
  
  wherein the set of rules comprises a rule associating an activity with a signature;
  
  monitoring information that is generated based on at least one user'"'"'s use of the application;
  
  comparing the information against at least a portion of at least some of the business signatures to determine which of the business activities have been initiated;
  
  based on the comparing, determining that the activity has been initiated;
  
  wherein determining that the activity has been initiated comprises identifying, in said information, a first signature that matches said signature;
  
  wherein identifying the first signature comprises determining that a first set of one or more name-value pairs in a first stream of characters in said information matches the signature;
  
  wherein the signature is a template for the first signature, said template comprising at least one non-literal parameter value capable of matching multiple different values; and
  
  in response to determining that the activity has been initiated, triggering execution of an action or policy associated with the activity;
  
  wherein the method is performed by one or more processors of a computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 25, 26, 27, 28, 37, 38, 39, 40, 41, 42, 43, 45, 46, 47)
- - 2. The method of claim 1, whereinthe signature comprises a set of one or more parameter expressions;
    - andthe step of identifying the first signature includes comparing the set of one or more parameter expressions to the first set of one or more name-value pairs.
  - 3. The method of claim 1, wherein the step of comparing is performed substantially concurrent with generation of the information.
  - 4. The method of claim 1, wherein the information that is monitored includes an HTTP (Hypertext Transfer Protocol) message, and wherein the step of comparing includes comparing the HTTP message against at least one of the signatures in the set of rules to determine whether or not a business activity was initiated via the HTTP message.
  - 5. The method of claim 1, wherein the rule indicates that execution of the action or policy is to be triggered in response to determining that the activity was initiated.
  - 6. The method of claim 1, wherein monitoring the information includes intercepting communications between the application and the at least one user.
  - 7. The method of claim 6, wherein intercepting communications comprises intercepting a stream of messages.
  - 8. The method of claim 7, wherein the stream of messages is a stream of HTTP (Hypertext Transfer Protocol) messages.
  - 9. The method of claim 1, wherein monitoring the information includes collecting events emitted by the application.
  - 10. The method of claim 1, wherein monitoring the information includes collecting events emitted by an application or routine other than the application.
  - 11. The method of claim 1, wherein monitoring the information includes accessing log records of activities that are logged by the application.
  - 12. The method of claim 1, wherein at least one of the rules in the set includes a corresponding action to perform in response to determining that a plurality of activities were initiated, the method further comprising the computer-implemented step of:
    - in response to determining that the plurality of activities were initiated, triggering execution of the corresponding action.
  - 13. The method of claim 1, wherein at least one of the rules in the set includes a corresponding action to perform in response to determining that a plurality of activities were initiated in a sequence, the method further comprising the computer-implemented step of:
    - in response to determining that the plurality of activities were initiated in the sequence, triggering execution of the corresponding action.
  - 14. The method of claim 1, wherein determining which of the business activities have been initiated, includesidentifying the first signature in the information based on comparing the first set of name-value pairs against at least a portion of the at least some of the business signatures;
    - andusing business activity information that is different than the set of rules, in conjunction with identifying the first signature in the information, to determine that one or more of the business activities, including the activity, have been initiated.
  - 25. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 1.
  - 26. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 2.
  - 27. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 3.
  - 28. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 4.
  - 37. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 5.
  - 38. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 6.
  - 39. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 7.
  - 40. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 8.
  - 41. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 9.
  - 42. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 10.
  - 43. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 11.
  - 45. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 12.
  - 46. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 13.
  - 47. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 14.

15. A method for detecting activities involving use of a software application, the method comprising the computer-implemented steps of:
- establishing a set of rules associating business signatures with business activities, in which each rule comprises an association of one of the business signatures with one of the business activities;
  
  wherein said business activities are each an activity that involves one or more interactions between the application and application users;
  
  wherein the business signatures collectively comprise a set of one or more parameter expressions;
  
  wherein each of the business signatures comprises a subset of the one or more parameter expressions;
  
  analyzing the set of rules to identify a set of selective parameter expressions from the set of parameter expressions and a set of non-selective parameter expressions from the set of parameter expressions, wherein the selective parameter expressions are expressions that are associated with fewer signatures than non-selective parameter expressions;
  
  monitoring information that is generated based on at least one user'"'"'s use of the application;
  
  comparing the information against at least a portion of at least some of the business signatures in the set of rules to determine which of said business activities have been initiated;
  
  wherein the step of comparing includes performing a first comparison stage by comparing the information against at least one of the selective parameter expressions, without comparing the information against any of the non-selective parameter expressions during the first comparison stage;
  
  based on said comparing, determining that one or more of the business activities has been initiated;
  
  in response to determining that one or more of the business activities has been initiated, triggering execution of one or more actions or one or more policies associated with the one or more of the business activities;
  
  wherein the method is performed by one or more processors of a computer system.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 29, 30, 31, 32, 33, 34, 35, 36, 49, 50)
- - 16. The method of claim 15, wherein the step of analyzing the set of rules to identify selective parameter expressions includes identifying the selective parameter expressions such that each business signature comprises at least one selective parameter expression.
  - 17. The method of claim 15, wherein the step of analyzing the set of rules to identify selective parameter expressions includes identifying the selective parameter expressions such that each business signature comprises only one selective parameter expression.
  - 18. The method of claim 15, further comprising the computer-implemented step of:
    - analyzing the information to identify one or more selective parameter name-value pairs, wherein the selective parameter name-value pairs occur less frequently in the information than non-selective parameter name-value pairs.
  - 19. The method of claim 15, the method further comprising the computer-implemented step of:
    - for each signature, converting the signature into a pattern of characters;
      
      wherein, for information in which at least one of the selective parameter expressions is detected, the step of comparing includes a second comparison stage of comparing the information against the pattern of characters corresponding to the signatures that include the at least one selective parameter expression.
  - 20. The method of claim 19,wherein converting each signature comprises alphabetically ordering, within the pattern of characters corresponding to the signature, parameter names from the signature;
    - andwherein the second comparison stage includes;
      
      alphabetically ordering the parameter names from the information, andcomparing the alphabetically ordered parameter names from the information against the pattern of characters corresponding to at least one of the signatures.
  - 21. The method of claim 20, wherein converting each signature comprises including, in the pattern of characters corresponding to the signature, a wildcard character between alphabetically ordered parameter names from the signature.
  - 22. The method of claim 19, further comprising the computer-implemented step of:
    - for an activity whose signature is defined to include a parameter name whose corresponding value must be greater than a first value and less than a second value for the activity to occur,associating a flag with the pattern of characters to indicate that the signature includes a parameter name whose corresponding value must be greater than a first value and less than a second value;
      
      wherein the step of comparing comprises;
      
      identifying the flag associated with the pattern of characters corresponding to the signature for the activity; and
      
      determining, from the information, whether a value for the parameter name is greater than the first value and less than the second value.
  - 29. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 15.
  - 30. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 16.
  - 31. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 17.
  - 32. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 18.
  - 33. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 19.
  - 34. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 20.
  - 35. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 21.
  - 36. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 22.
  - 49. The method of claim 15, wherein:
    - the step of comparing further includes performing a second comparison stage for a signature, said signature having a selective parameter expression for which a match was found in the information during the first comparison stage;
      
      the second comparison stage comprises determining that the information comprises a match for the signature by performing a comparison based on at least the information and one or more non-selective expressions associated with the signature.
  - 50. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 49.

23. A method for detecting, in a stream of information that represents an interaction between a software application and a user of the application, business activities conducted using the software application, the method comprising the computer-implemented steps of:
- establishing a set of rules associating business signatures with business activities, in which each rule comprises an association of one of the business signatures with one of the business activities;
  
  wherein said business activities are each an activity that involves one or more interactions between the application and application users;
  
  wherein each of the business signatures comprises a set of one or more parameter expressions, wherein each parameter expression in a business signature must be present for the activity associated with that business signature to have occurred;
  
  monitoring at least one stream of information transmitted between the application and a user;
  
  comparing the at least one stream of information against at least a portion of the at least some of the signatures in the set of rules to detect whether any of the business activities have been initiated via the stream;
  
  detecting whether any of the business activities have been initiated based on said comparing, by determining whether a match to at least one of the parameter expressions in the business signatures is included in the at least one stream;
  
  in response to detecting that that an activity has been initiated, detecting whether the activity was completed successfully based on said comparing; and
  
  in response to detecting that performance of the activity that was initiated did not complete, triggering execution of an action or policy associated with a failure to complete the activity; and
  
  wherein the method is performed by one or more processors of a computer system.
- View Dependent Claims (24, 44, 48, 51, 52, 53, 54)
- - 24. The method of claim 23, wherein the rule includes a corresponding action to perform in response to determining that performance of the activity did not complete, the method further comprising the computer-implemented step of:
    - in response to determining that performance of the activity did not complete, triggering execution of the corresponding action.
  - 44. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 24.
  - 48. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 23.
  - 51. The method of claim 23,wherein detecting that that the activity has been initiated, comprises matching a first parameter expression in a first signature to the at least one stream;
    - wherein detecting that that the activity did not complete comprises failing to detect a second parameter expression in a second signature within the at least one stream within a certain period of time;
      
      wherein the first signature and the second signature are both in a sequence of signatures.
  - 52. The method of claim 23,wherein detecting that that the activity has been initiated, comprises matching a first parameter expression in a first signature to the at least one stream;
    - wherein detecting that that the activity did not complete comprises detecting a second parameter expression in a second signature within the at least one stream;
      
      wherein the second signature is associated with said failure.
  - 53. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 51.
  - 54. A machine-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 52.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Incorporated (Entrust Corp.)
Inventors
Bhargava, Sunil, Thakur, Sudheer
Primary Examiner(s)
Dalencourt, Yves

Application Number

US10/952,599
Time in Patent Office

1,946 Days
Field of Search

709/224, 709/225, 709/229, 709/240, 713/164, 713/165, 726/2, 726/6, 726/23
US Class Current

709/240
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/5058   Service discovery by the se...

H04L 41/5096   wherein the managed service...

Defining and detecting network application business activities

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Defining and detecting network application business activities

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links