Method of non-intrusive analysis of secure and non-secure web application traffic in real-time

US 8,103,765 B2
Filed: 04/27/2009
Issued: 01/24/2012
Est. Priority Date: 05/30/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

non-instrusively capturing a plurality of communications from a communication channel in substantially real-time;

grouping the plurality of communications into one or more streams, each stream representing a network connection;

processing the one or more streams in parallel to create a plurality of transactions, wherein a first transaction includes a request communication and a response communication from the plurality of communications;

storing the plurality of transactions in a memory;

analyzing the plurality of transactions to detect a transaction of interest, wherein the transaction of interest is detected based on a predefined event; and

retrieving a set of transactions belonging to the plurality of transactions from the memory based on metadata associated with the transaction of interest, wherein each transaction in the set of transactions has a predefined relationship with the transaction of interest; and

organizing the set of transactions into a hierarchical data structure according to dependencies between the set of transactions.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method and system for monitoring and analysis of networked systems, that is non-intrusive and real time. Both secure and non-secure traffic may be analyzed. The provided method involves non-intrusively copying data from a communication medium, reconstructing this data to a higher level of communication, such as the application level, grouping the data into sets, each set representing a session, and organizing the data for chosen sessions in hierarchical fashion which corresponds to the hierarchy of the communicated information. If monitored communications are encrypted, they are non-intrusively decrypted in real time. Hierarchically reconstructed session data is used by one or more plug-in applications, such as alarms, archival applications, visualization applications, script generation applications, abandonment monitoring applications, error detection applications, performance monitoring applications, and others.

Citations

22 Claims

1. A method, comprising:
- non-instrusively capturing a plurality of communications from a communication channel in substantially real-time;
  
  grouping the plurality of communications into one or more streams, each stream representing a network connection;
  
  processing the one or more streams in parallel to create a plurality of transactions, wherein a first transaction includes a request communication and a response communication from the plurality of communications;
  
  storing the plurality of transactions in a memory;
  
  analyzing the plurality of transactions to detect a transaction of interest, wherein the transaction of interest is detected based on a predefined event; and
  
  retrieving a set of transactions belonging to the plurality of transactions from the memory based on metadata associated with the transaction of interest, wherein each transaction in the set of transactions has a predefined relationship with the transaction of interest; and
  
  organizing the set of transactions into a hierarchical data structure according to dependencies between the set of transactions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising adding connection meta information to each stream.
  - 3. The method of claim 1, wherein each of the plurality of transactions comprises session identifications and monitoring data.
  - 4. The method of claim 1, wherein analyzing the plurality of transactions comprises monitoring the plurality of transactions as the plurality of transactions are being created.
  - 5. The method of claim 1, wherein creating the plurality of transactions comprises configuring one or more of the plurality of communications to access the application level information.
  - 6. The method of claim 1, wherein creating the plurality of transactions comprises decrypting one or more of the plurality of communications.
  - 7. The method of claim 6, wherein decrypting further comprises generating a session key from a previously provided pre-master secret.
  - 8. The method of claim 1, wherein organizing the set of transactions includes identifying one or more page root documents from the set of transactions.
  - 9. The method of claim 1, further comprising generating a script from the hierarchical data structure to create a web application session.

10. A method for non-intrusive analysis of secure communication between two or more applications communicating through a communication channel, comprising:
- non-intrusively and securely capturing a communication passing through the communication channel in substantially real-time;
  
  grouping the communication into one or more streams in substantially real-time, each stream representing a network connection;
  
  processing the one or more streams in parallel to an application layer in substantially real-time to create a plurality of transactions;
  
  storing the plurality of transactions in a memory;
  
  analyzing the plurality of transactions to detect a transaction of interest, wherein the transaction of interest is detected based on a predefined event;
  
  parsing the transaction of interest and one or more of the plurality of transactions to determine a set of transactions associated with a web application session and a dependency among the set of transactions; and
  
  grouping the set of transactions into a hierarchical data structure, according to the dependencies among the set of transactions.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein processing the one or more streams further comprises decrypting the communication and another communication.
  - 12. The method of claim 10, wherein the dependency between a first transaction and a second transaction signifies an HTTP reference included in the first transaction, wherein the HTTP reference is configured to refer to an addressable object at least partially included in the second transaction.
  - 13. The method of claim 10, wherein the dependency between a first and a second transaction indicates an HTML reference included in the first transaction, wherein the HTML reference is configured to refer to an addressable object at least partially included in the second transaction.
  - 14. The method of claim 10, further comprising:
    - retrieving, from the memory, a second transaction that includes a message body to replace a first transaction that does not include a message body.
  - 15. The method of claim 10, further comprising:
    - generating a script from the hierarchical data structure to recreate a web application session.

16. A method, comprising:
- non-intrusively copying a plurality of secure communications from a communication channel in substantially real-time;
  
  separating the plurality of secure communications into one or more streams in substantially real-time, each stream representing a network connection;
  
  processing the one or more streams into a set of transactions in substantially real-time, the set of transactions associated with the network communication; and
  
  arranging one or more of the set of transactions into a hierarchical data structure according to dependencies between the set of transactions.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein each transaction comprises:
    - meta information;
      
      a request header; and
      
      a response header.
  - 18. The method of claim 17, wherein arranging one or more of the set of transactions further comprises:
    - identifying a first set of dependencies associated with the set of transactions;
      
      parsing a request body and a response body belonging to a transaction;
      
      identifying a second set of dependencies associated with the set of transactions based on at least one of the request body and the response body; and
      
      arranging one or more of the set of transactions into a hierarchical data structure according to the first set of dependencies and the second set of dependencies.
  - 19. The method of claim 16, wherein processing the one or more streams further comprises:
    - adding meta information to at least one of the one or more streams;
      
      creating a plurality of transactions from the one or more streams, wherein each transaction comprises one or more communications of a single stream; and
      
      storing the plurality of transactions.
  - 20. The method of claim 19, further comprising:
    - analyzing the plurality of transactions in order to select a transaction of interest; and
      
      retrieving a set of transactions from the plurality of transactions, wherein each transaction of the set of transactions has a predefined relationship with the transaction of interest.
  - 21. The method of claim 19, wherein creating a plurality of transactions further comprises:
    - deriving another stream from the one or more streamsderiving a plurality of request messages and a plurality of response messages from the another stream; and
      
      combining the plurality of request messages and the plurality of response messages into a plurality of transactions, each transaction comprising a request message and a response message,wherein at least one of the one or more streams is an encrypted stream and decrypting the encrypted stream creates the another stream.
  - 22. The method of claim 19, further comprising:
    - analyzing the plurality of transactions in order to select a transaction of interest;
      
      retrieving a first transaction based on the meta information, the first transaction having a request body and a response body; and
      
      retrieving a second transaction based on the request body and the response body.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Borland Software Corporation (Open Text Corporation)
Original Assignee
Borland Software Corporation (Open Text Corporation)
Inventors
Greifeneder, Bernd, Reichl, Bernhard, Spiegl, Helmut, Schwarzbauer, Gunter
Primary Examiner(s)
Meky, Moustafa M

Application Number

US12/430,790
Publication Number

US 20090265463A1
Time in Patent Office

1,002 Days
Field of Search

709200-202, 709/224, 709/227
US Class Current

709/224
CPC Class Codes

G06F 2221/2119   Authenticating web pages, e...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/166   at the transport layer

Method of non-intrusive analysis of secure and non-secure web application traffic in real-time

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method of non-intrusive analysis of secure and non-secure web application traffic in real-time

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links