Application-layer monitoring and profiling network traffic
Abstract
An intrusion detection and prevention (IDP) device includes a flow analysis module, an analysis engine, a plurality of protocol-specific decoders and a profiler. The flow analysis module processes packet flows in a network to identify network elements associated with the packet flows. The analysis engine forms application-layer communications from the packet flows. The plurality of protocol-specific decoders processes the application-layer communications to generate application-layer elements. The profiler correlates the application-layer elements of the application-layer communications with the network elements of the packet flows of the computer network.
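The pipeline in the abstract, as an added example that is not code from the patent or its assignee: TCP segments are buffered and reassembled per flow, an HTTP decoder extracts application-layer elements, and both kinds of element are stored in related SQLite tables. The table layout, function names and sample packets are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample packets: (src, sport, dst, dport, tcp_seq, payload), out of order.
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, 1021, b"Host: intranet.example\r\n\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, 1000, b"GET /a.txt HTTP/1.1\r\n"),
    ("10.0.0.7", 40002, "192.0.2.10", 80, 500, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]

def reassemble(packets):
    """Buffer segments per flow (network elements) and join them in sequence order."""
    flows, streams = {}, {}
    for src, sport, dst, dport, seq, data in packets:
        flows.setdefault((src, sport, dst, dport), []).append((seq, data))
    for key, segs in flows.items():
        stream, expected = b"", min(segs)[0]
        for seq, data in sorted(segs):
            if seq == expected:  # skips exact retransmissions; nothing past a hole matches
                stream, expected = stream + data, seq + len(data)
        streams[key] = stream
    return streams

def decode_http(stream):
    """Protocol-specific decoder: application-layer elements of one HTTP request."""
    head, sep, _ = stream.partition(b"\r\n\r\n")
    first, *headers = head.decode("latin-1").split("\r\n")
    if not sep or first.count(" ") != 2:  # incomplete headers or malformed request line
        return {}
    elems = dict(zip(("http.method", "http.uri"), first.split(" ")))
    for line in headers:
        name, _, value = line.partition(":")
        if name.lower() in ("host", "user-agent"):
            elems["http." + name.lower()] = value.strip()
    return elems

def profile(packets):
    """Store both kinds of element in related tables (an assumed correlation schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""CREATE TABLE flow(id INTEGER PRIMARY KEY, src, sport, dst, dport);
        CREATE TABLE app_element(flow_id INTEGER REFERENCES flow(id), name, value);""")
    for key, stream in reassemble(packets).items():
        fid = db.execute("INSERT INTO flow(src, sport, dst, dport) VALUES (?,?,?,?)", key).lastrowid
        for name, value in decode_http(stream).items():
            db.execute("INSERT INTO app_element VALUES (?,?,?)", (fid, name, value))
    return db

def hosts_by_source(db):  # correlation query: which source requested which HTTP host
    return db.execute("""SELECT f.src, a.value FROM flow f JOIN app_element a
        ON a.flow_id = f.id WHERE a.name = 'http.host' ORDER BY f.src""").fetchall()
```

A flow whose stream has a hole is still recorded in `flow`, but the decoder returns no elements for it, so nothing is attributed to bytes that were never seen.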
22 Claims
1. A method comprising:
processing packet flows with an intermediate network device positioned between a node and a public network to identify network elements associated with the packet flows;
forming, with the intermediate device, application-layer communications from the packet flows, wherein forming application-layer communications comprises buffering and reassembling packets of the same packet flows into the corresponding application-layer communications;
processing the application-layer communications with protocol-specific decoders to identify application-layer elements within the application-layer communications; and
generating profiling data that associates the application-layer elements of the application-layer communications with the network elements of the packet flows, wherein generating profiling data comprises storing the network elements and the application-layer elements in a correlation database and defining relationships within the correlation database to associate the network elements of the packet flows with the application-layer elements of the application-layer communications.
10. An intermediate network device positioned between a node and a network comprising:
a forwarding plane that includes:
  a flow analysis module to process packet flows with a network to identify network elements associated with the packet flows;
  an analysis engine to form application-layer communications from the packet flows, wherein the analysis engine forms the application-layer communications by buffering and reassembling packets of the same packet flows into the corresponding application-layer communications; and
  a plurality of protocol-specific decoders to process the application-layer communications to generate application-layer elements;
a processor that executes a profiler to correlate the application-layer elements of the application-layer communications with the network elements of the packet flows; and
a correlation database, wherein the profiler updates the correlation database to store profiling data that maps the application-layer elements to the network elements.
20. A computer-readable storage medium comprising instructions that cause a programmable processor within a network device to:
receive network elements associated with packet flows within a computer network;
receive application-layer elements associated with application-layer communications from the packet flows wherein the application-layer communications are formed by buffering and reassembling packets of the same packet flows into the corresponding application-layer communications; and
maintain a correlation database that associates the application-layer elements of the application-layer communications with the network elements of the packet flows of the computer network.
Specification