Method and apparatus for data capture and analysis system

US 7,984,175 B2
Filed: 03/30/2004
Issued: 07/19/2011
Est. Priority Date: 12/10/2003
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

an object assembly module to reconstruct flows representing objects being transmitted on a network from packets, the packets associated with a document that includes the objects, wherein the document is captured based on a capture rule that specifies the objects, and wherein a determination is made as to whether to discard or to store the objects of the document;

an object classification module to determine a type of content of the objects and to reconstruct the objects from the flows;

an object store module to store the objects, wherein a location for storing the objects is determined based at least in part on the type of content for each of the objects, wherein the object store module comprises a content store to store the objects and a tag store to index the objects stored in the object store; and

a user interface to enable a user to search objects stored in the object store module, wherein the objects are searched based on a query, which includes search criteria used to identify selected objects that match the search criteria, wherein a particular search is scheduled for a recurring time interval and includes a particular search query with selected terms, and wherein certain results of the particular search trigger an alarm in a form of an e-mail message to be sent to an administrator.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Content leaving a local network can be captured and indexed so that queries can be performed on the captured data. In one embodiment, the present invention comprises an apparatus that connects to a network. In one embodiment, this apparatus includes a network interface module to connect the apparatus to a network, a packet capture module to intercept packets being transmitted on the network, an object assembly module to reconstruct objects being transmitted on the network from the intercepted packets, an object classification module to determine the content in the reconstructed objects, and an object store module to store the objects. This apparatus can also have a user interface to enable a user to search objects stored in the object store module.

274 Citations

18 Claims

1. An apparatus comprising:
- an object assembly module to reconstruct flows representing objects being transmitted on a network from packets, the packets associated with a document that includes the objects, wherein the document is captured based on a capture rule that specifies the objects, and wherein a determination is made as to whether to discard or to store the objects of the document;
  
  an object classification module to determine a type of content of the objects and to reconstruct the objects from the flows;
  
  an object store module to store the objects, wherein a location for storing the objects is determined based at least in part on the type of content for each of the objects, wherein the object store module comprises a content store to store the objects and a tag store to index the objects stored in the object store; and
  
  a user interface to enable a user to search objects stored in the object store module, wherein the objects are searched based on a query, which includes search criteria used to identify selected objects that match the search criteria, wherein a particular search is scheduled for a recurring time interval and includes a particular search query with selected terms, and wherein certain results of the particular search trigger an alarm in a form of an e-mail message to be sent to an administrator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the object assembly module comprises a reassembler to assemble the intercepted packets into flows.
  - 3. The apparatus of claim 2, wherein the object assembly module further comprises a protocol demultiplexer to sort the assembled flows by protocol.
  - 4. The apparatus of claim 3, wherein the object assembly module further comprises a protocol classifier to extract the objects from the sorted assembled flows.
  - 5. The apparatus of claim 1, wherein the object classification module determines whether objects are stored in the object store or discarded based on one or more capture rules.
  - 6. The apparatus of claim 5, wherein the capture rules are user-configurable through the user interface.
  - 7. The apparatus of claim 1, wherein the object classification module determines the type of content of each object using a signature of each object.
  - 8. The apparatus of claim 1, wherein the user interface comprises a graphical user interface.
  - 9. The apparatus of claim 1, wherein the content store comprises a canonical storage, and the tag store comprises a database.

10. A method comprising:
- reconstructing flows of objects being transmitted on a network from data;
  
  classifying the reconstructed objects by content type, the data associated with a document that includes the objects, wherein the document is captured based on a capture rule that specifies the objects, and wherein a determination is made as to whether to discard or to store the objects of the document;
  
  creating a tag to describe each reconstructed object;
  
  storing the classified objects and tags; and
  
  indexing the stored objects to enable searching of the stored objects via the tags, wherein the content type of the objects is used in the indexing, and wherein the objects are searched based on a query, which includes search criteria used to identify selected objects that match the search criteria, wherein a particular search is scheduled for a recurring time interval and includes a particular search query with selected terms, and wherein certain results of the particular search trigger an alarm in a form of an e-mail message to be sent to an administrator.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein reconstructing the objects comprises:
    - sorting the intercepted data into packets; and
      
      sorting the assembled flows by protocol.
  - 12. The method of claim 10, further comprising determining whether each object is to be stored based on a set of one or more capture rules.
  - 13. The method of claim 10, further comprising receiving a query over the stored objects.
  - 14. The method of claim 13, further comprising searching the indexed objects, and retrieving objects matching the query.

15. A machine-readable storage medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- reconstructing flows of objects being transmitted on a network from data;
  
  classifying the reconstructed objects by content type, the data associated with a document that includes a plurality of objects that identify characteristics of the document, wherein the document is captured based on a capture rule that specifies the objects, and wherein a determination is made as to whether to discard or to store the objects of the document;
  
  creating a tag to describe each reconstructed object;
  
  storing the classified objects and tags; and
  
  indexing the stored objects to enable searching of the stored objects via the tags, wherein the content type of the objects is used in the indexing, and wherein the objects are searched based on a query, which includes search criteria used to identify selected objects that match the search criteria, wherein a particular search is scheduled for a recurring time interval and includes a particular search query with selected terms, and wherein certain results of the particular search trigger an alarm in a form of an e-mail message to be sent to an administrator.
- View Dependent Claims (16, 17, 18)
- - 16. The machine-readable storage medium of claim 15, wherein reconstructing the objects comprises:
    - sorting the intercepted data into packets; and
      
      sorting the assembled flows by protocol.
  - 17. The machine-readable storage medium of claim 15, wherein the instructions further cause the processor to determine whether each object is to be stored based on a set of one or more capture rules.
  - 18. The machine-readable storage medium of claim 15, wherein the instructions further cause the processor to receive a query over the stored objects, search the indexed objects in response to the query, and retrieve objects matching the query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Massaro, Donald J., Deninger, William, de la Iglesia, Erik, King, Samuel, Khasgiwala, Ashish, Ahuja, Ratinder Paul Singh, Lowe, Rick
Primary Examiner(s)
SHAW, PELING ANDY

Application Number

US10/815,240
Publication Number

US 20050132046A1
Time in Patent Office

2,667 Days
Field of Search

709223-224, 709/231, 348/143, 348/149, 382/159, 382/224, 706/20, 726/7, 726/22, 726 31- 33
US Class Current

709/231
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Method and apparatus for data capture and analysis system

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

274 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for data capture and analysis system

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

274 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links