Tag data structure for maintaining relational data over captured objects

US 7,899,828 B2
Filed: 03/30/2004
Issued: 03/01/2011
Est. Priority Date: 12/10/2003
Status: Active Grant

First Claim

Patent Images

1. A computer readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:

generating a tag describing an object of a communication captured during transmission of the communication from an origination address to a destination address, extracted from the communication, and stored in a memory block, wherein the tag includes,a source address field to indicate an origination address of the object,a destination address field to indicate a destination address of the object,a source port field to indicate an origination port of the object,a destination port field to indicate a destination port of the object,a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, anda time field to indicate when the object was captured; and

storing the tag in a database, wherein the tag indexes the object in the memory block, the tag being stored to allow subsequent searching for the object based on one or more of the fields, wherein the fields are obtained from the communication, and wherein the object is part of a document captured based on a capture rule that defines which objects are to be captured, wherein the capture rule is part of a default rule set for a capture system configured to monitor network traffic, and wherein a determination is made based on the capture rule to discard or to store the document, and wherein the capture rule identifies a first internet protocol (IP) address from which the document was sent and a second IP address associated with an intended destination of the document.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Objects captured over a network by a capture system can be indexed to provide enhanced search and content analysis capabilities. In one embodiment the objects can be indexed using a data structure having a source address field to indicate an origination address of the object, a destination address field to indicate a destination address of the object, a source port field to indicate an origination port of the object, a destination port field to indicate a destination port of the object, a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, and a time field to indicate when the object was captured. The data structure may also store a cryptographic signature of the object to ensure the object is not altered after capture.

Citations

19 Claims

1. A computer readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- generating a tag describing an object of a communication captured during transmission of the communication from an origination address to a destination address, extracted from the communication, and stored in a memory block, wherein the tag includes,a source address field to indicate an origination address of the object,a destination address field to indicate a destination address of the object,a source port field to indicate an origination port of the object,a destination port field to indicate a destination port of the object,a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, anda time field to indicate when the object was captured; and
  
  storing the tag in a database, wherein the tag indexes the object in the memory block, the tag being stored to allow subsequent searching for the object based on one or more of the fields, wherein the fields are obtained from the communication, and wherein the object is part of a document captured based on a capture rule that defines which objects are to be captured, wherein the capture rule is part of a default rule set for a capture system configured to monitor network traffic, and wherein a determination is made based on the capture rule to discard or to store the document, and wherein the capture rule identifies a first internet protocol (IP) address from which the document was sent and a second IP address associated with an intended destination of the document.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer readable medium of claim 1, wherein the plurality of content types comprises JPEG, GIF, BMP, TIFF, PNG, Skintone, PDF, MSWord, Excel, PowerPoint, MSOffice, HTML, WebMail, SMTP, Telnet, Rlogin, FTP, Chat, GZIP, ZIP, TAR, C++Source, C Source, FORTRAN Source, Verilog Source, C Shell, K Shell, Bash Shell, Plaintext, Crypto, LIF, Binary Unknown, ASCII Unknown, and Unknown.
  - 3. The computer readable medium of claim 1, further comprising generating a device identity field to indicate a device that captured the object.
  - 4. The computer readable medium of claim 1, further comprising generating a protocol field to indicate the protocol that carried the object.
  - 5. The computer readable medium of claim 1, further comprising an instance field to indicate a number of the object in a connection.
  - 6. The computer readable medium of claim 1, further comprising generating an encoding field to indicate a how the object was encoded.
  - 7. The computer readable medium of claim 1, further comprising generating a size field to indicate the size of the object.
  - 8. The computer readable medium of claim 1, further comprising generating an owner field to indicate an entity that requested capture of the object.
  - 9. The computer readable medium of claim 1, further comprising generating a capture rule field to indicate a rule that triggered capture of the object.
  - 10. The computer readable medium of claim 1, further comprising generating a signature field to store a signature of the object.
  - 11. The computer readable medium of claim 10, wherein the signature comprises a digital cryptographic signature.
  - 12. The computer readable medium of claim 1, further comprising generating a tag signature field to store a signature of the data structure.
  - 13. The computer readable medium of claim 12, wherein the tag signature comprises a digital cryptographic signature.

14. A computer readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- storing data associated with an object of a communication captured during transmission of the communication from an origination address to a destination address, extracted from the communication, and stored in a memory block by a capture system to create a tag that indexes the object in the memory block, the data comprising;
  
  an Ethernet controller MAC address of the capture system that captured the object;
  
  a source Ethernet IP address of the object;
  
  a destination Ethernet IP address of the object;
  
  a source TCP/IP port number of the object;
  
  a destination TCP/IP port number of the object.an IP protocol that carried the object when captured by the capture system;
  
  a canonical count of a number of the object within a TCP/IP connection;
  
  a content type of the object;
  
  an encoding that was used on the object;
  
  a size of the object;
  
  a timestamp indicating when the capture system captured the object;
  
  a user who requested capture of the object;
  
  a capture rule that directed capture of the object;
  
  a hash signature of the object; and
  
  a hash signature of the tag, the tag being stored to allow subsequent searching for the object based on one or more of the fields, wherein the IP addresses are obtained from the communication, and wherein the object is part of a document captured based on a capture rule that defines which objects are to be captured, wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic, and wherein a determination is made based on the capture rule to discard or to store the document, and wherein the capture rule identifies a first internet protocol (IP) address from which the document was sent and a second IP address associated with an intended destination of the document.
- View Dependent Claims (15, 16, 17)
- - 15. The computer readable medium of claim 14, wherein the hash signature of the object comprises a digital cryptographic signature of the object.
  - 16. The computer readable medium of claim 15, wherein the hash signature of the tag comprises a digital cryptographic signature of the tag.
  - 17. The computer readable medium of claim 14, wherein the content type of the object is one of JPEG, GIF, BMP, TIFF, PNG, Skintone, PDF, MSWord, Excel, PowerPoint, MSOffice, HTML, WebMail, SMTP, Telnet, Rlogin, FTP, Chat, GZIP, ZIP, TAR, C++Source, C Source, FORTRAN Source, Verilog Source, C Shell, K Shell, Bash Shell, Plaintext, Crypto, LIF, Binary Unknown, ASCII Unknown, and Unknown.

18. A method to index a captured object, comprising:
- generating for storage of objects of a communication captured during transmission of the communication from an origination address to a destination address, extracted from the communication, and stored in a memory block;
  
  a source address field to indicate an origination address of the object;
  
  a destination address field to indicate a destination address of the object;
  
  a source port field to indicate an origination port of the object;
  
  a destination port field to indicate a destination port of the object;
  
  a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object; and
  
  a time field to indicate when the object was captured; and
  
  storing data in the fields to create a tag, the tag indexing the objects in the memory block, the tag being stored to allow subsequent searching for the objects based on one or more of the fields, wherein the fields are obtained from the communication, and wherein the object is part of a document captured based on a capture rule that defines which objects are to be captured, wherein the capture rule is part of a default rule set for a capture system configured to monitor network traffic, and wherein a determination is made based on the capture rule to discard or to store the document, and wherein the capture rule identifies a first internet protocol (IP) address from which the document was sent and a second IP address associated with an intended destination of the document.

19. A method to index a captured object, comprising:
- storing data associated with an object of a communication captured during transmission of the communication from an origination address to a destination address, extracted from the communication, and stored in a memory block by a capture system to create a tag indexing the object in the memory block, the data comprising;
  
  an Ethernet controller MAC address of the capture system that captured the object;
  
  a source Ethernet IP address of the object;
  
  a destination Ethernet IP address of the object;
  
  a source TCP/IP port number of the object;
  
  a destination TCP/IP port number of the object;
  
  an IP protocol that carried the object when captured by the capture system;
  
  a canonical count of a number of the object within a TCP/IP connection;
  
  a content type of the object;
  
  an encoding that was used on the object;
  
  a size of the object;
  
  a timestamp indicating when the capture system captured the object;
  
  a user who requested capture of the object;
  
  a capture rule that directed capture of the object;
  
  a hash signature of the object; and
  
  a hash signature of the tag, the tag being stored to allow subsequent searching for the object based on one or more of the fields, wherein the IP addresses are obtained from the communication, and wherein the object is part of a document captured based on a capture rule that defines which objects are to be captured, wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic, and wherein a determination is made based on the capture rule to discard or to store the document, and wherein the capture rule identifies a first internet protocol (IP) address from which the document was sent and a second IP address associated with an intended destination of the document.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
King, Samuel, Khasgiwala, Ashish, Ahuja, Ratinder Paul Singh, Lowe, Rick, Coleman, Shaun, de la Iglesia, Erik
Primary Examiner(s)
Wong; Don
Assistant Examiner(s)
Nguyen; Kim T

Application Number

US10/814,093
Publication Number

US 20050132079A1
Time in Patent Office

2,527 Days
Field of Search

707/741, 707/747
US Class Current

707/741
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

H04L 63/12   Applying verification of th...

H04L 63/1408   by monitoring network traff...

Tag data structure for maintaining relational data over captured objects

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Tag data structure for maintaining relational data over captured objects

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links