Tag data structure for maintaining relational data over captured objects

US 8,301,635 B2
Filed: 12/13/2010
Issued: 10/30/2012
Est. Priority Date: 12/10/2003
Status: Active Grant

First Claim

Patent Images

1. Software encoded in one or more non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising:

receiving a data stream that includes a plurality of packets;

generating a tag for an object represented by the packets, wherein the tag includes;

a source address field indicative of an origination address associated with the object,a destination address field indicative of a destination address associated with the object,a source port field indicative of an origination port associated with the object,a destination port field indicative of a destination port associated with the object,a content field indicative of a content type associated with the object, anda time field indicative of when the object was captured;

generating a cryptographic tag signature over at least a portion of the tag;

generating an object signature over at least a portion of the object, wherein at least one of the object signature and the tag signature is generated using a first key; and

storing a tag record in a database in which the tag record indexes the object in a content store and contains information about the object, the tag record including a pointer associated with a storage location where the object is stored,wherein the object is verified by using the tag signature and the object signature before the object is presented, and wherein at least one key pair is used in a verification operation, the at least one key pair including the first key and a second key.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Objects captured over a network by a capture system can be indexed to provide enhanced search and content analysis capabilities. In one embodiment the objects can be indexed using a data structure having a source address field to indicate an origination address of the object, a destination address field to indicate a destination address of the object, a source port field to indicate an origination port of the object, a destination port field to indicate a destination port of the object, a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, and a time field to indicate when the object was captured. The data structure may also store a cryptographic signature of the object to ensure the object is not altered after capture.

358 Citations

17 Claims

1. Software encoded in one or more non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- receiving a data stream that includes a plurality of packets;
  
  generating a tag for an object represented by the packets, wherein the tag includes;
  
  a source address field indicative of an origination address associated with the object,a destination address field indicative of a destination address associated with the object,a source port field indicative of an origination port associated with the object,a destination port field indicative of a destination port associated with the object,a content field indicative of a content type associated with the object, anda time field indicative of when the object was captured;
  
  generating a cryptographic tag signature over at least a portion of the tag;
  
  generating an object signature over at least a portion of the object, wherein at least one of the object signature and the tag signature is generated using a first key; and
  
  storing a tag record in a database in which the tag record indexes the object in a content store and contains information about the object, the tag record including a pointer associated with a storage location where the object is stored,wherein the object is verified by using the tag signature and the object signature before the object is presented, and wherein at least one key pair is used in a verification operation, the at least one key pair including the first key and a second key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The software of claim 1, wherein the packets are grouped into individual flows based on Internet Protocol (IP) address information.
  - 3. The software of claim 1, wherein the flows are sorted using port data.
  - 4. The software of claim 1, wherein signature filters are applied to the flows in order to identify a protocol based on the packets.
  - 5. The software of claim 1, wherein objects within the data stream are used in order to identify a content type associated with documents being transmitted in the data stream.
  - 6. The software of claim 1, wherein capture rules are configured in order to determine whether certain types of data streams are to be discarded or stored.
  - 7. The software of claim 1, wherein the first key of the key pair is a private key of the capture system, and wherein the second key of the key pair is a public key.
  - 8. The software of claim 1, wherein both the object signature and the tag signature are generated using the first key.

9. A method, comprising:
- receiving a data stream that includes a plurality of packets;
  
  generating a tag for an object represented by the packets, wherein the tag includes;
  
  a source address field indicative of an origination address associated with the object,a destination address field indicative of a destination address associated with the object,a source port field indicative of an origination port associated with the object,a destination port field indicative of a destination port associated with the object,a content field indicative of a content type associated with the object, anda time field indicative of when the object was captured;
  
  generating a cryptographic tag signature over at least a portion of the tag;
  
  generating an object signature over at least a portion of the object, wherein at least one of the object signature and the tag signature is generated using a first key; and
  
  storing a tag record in a database in which the tag record indexes the object in a content store and contains information about the object, the tag record including a pointer associated with a storage location where the object is stored,wherein the object is verified by using the tag signature and the object signature before the object is presented, and wherein at least one key pair is used in a verification operation, the at least one key pair including the first key and a second key.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein the flows are sorted using port data, and wherein signature filters are applied to the flows in order to identify a protocol based on the packets.
  - 11. The method of claim 9, wherein objects within the data stream are used in order to identify a content type associated with documents being transmitted in the data stream, and wherein capture rules are configured in order to determine whether certain types of data streams are to be discarded or stored.
  - 12. The method of claim 9, wherein the first key of the key pair is a private key of the capture system, and wherein the second key of the key pair is a public key.
  - 13. The method of claim 9, wherein both the object signature and the tag signature are generated using the first key.

14. An apparatus, comprising:
- a processor; and
  
  a memory, wherein the processor and the memory cooperate such that the apparatus is configured for;
  
  receiving a data stream that includes a plurality of packets;
  
  generating a tag for an object represented by the packets, wherein the tag includes;
  
  a source address field indicative of an origination address associated with the object,a destination address field indicative of a destination address associated with the object,a source port field indicative of an origination port associated with the object,a destination port field indicative of a destination port associated with the object,a content field indicative of a content type associated with the object, anda time field indicative of when the object was captured;
  
  generating a cryptographic tag signature over at least a portion of the tag;
  
  generating an object signature over at least a portion of the object, wherein at least one of the object signature and the tag signature is generated using a first key; and
  
  storing a tag record in a database in which the tag record indexes the object in a content store and contains information about the object, the tag record including a pointer associated with a storage location where the object is stored,wherein the object is verified by using the tag signature and the object signature before the object is presented, and wherein at least one key pair is used in a verification operation, the at least one key pair including the first key and a second key.
- View Dependent Claims (15, 16, 17)
- - 15. The apparatus of claim 14, further comprising:
    - a user interface configured for searching for the object based on the tag.
  - 16. The apparatus of claim 14, wherein the first key of the key pair is a private key of the capture system, and wherein the second key of the key pair is a public key.
  - 17. The apparatus of claim 14, wherein both the object signature and the tag signature are generated using the first key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
de la Iglesia, Erik, Lowe, Rick, Ahuja, Ratinder Paul Singh, Coleman, Shaun, King, Samuel, Khasgiwala, Ashish
Primary Examiner(s)
Nguyen, Kim

Application Number

US12/967,013
Publication Number

US 20110196911A1
Time in Patent Office

687 Days
Field of Search

707/741, 707/747
US Class Current

707/741
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

H04L 63/12   Applying verification of th...

H04L 63/1408   by monitoring network traff...

Tag data structure for maintaining relational data over captured objects

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

358 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Tag data structure for maintaining relational data over captured objects

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

358 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links