Method, device arrangement and computer program product for producing identity graphs for analyzing communication network

US 8,654,127 B2
Filed: 03/31/2009
Issued: 02/18/2014
Est. Priority Date: 03/31/2008
Status: Active Grant

First Claim

Patent Images

1. A method for recognizing and analyzing relations between taps of a communication device in a packet connected communication network and the communication network, comprising the steps of:

gathering traffic information in the communication network with a tap of a communication device connected to the communication network, the tap examining header information of connections of the communication network;

storing the information gathered by the tap in a data storage, the tap connected to the data storage, the tap and the data storage together defining a network probe, the network probe being one of i) a physical device and ii) a computer unit;

observing connections of the communication network with the network probe, each connection travels in the communication network and has header information describing the connection, the header information including an identity of the connection and relations to other identities, wherein the observing the connections comprises the tap i) passively analyzing IP packets and association logs received to the tap, the association logs being a description of an observed connection of the communication network, the description being searchable for identities, from the IP packets and association logs, locating the header information of the observed connections, ii) using the located header information to determine the identities of the observed connections and the relations between the observed connections, and iii) saving at least a part of the located header information, the identities, and the relations to the data storage;

with the network probe, modelling the determined identities and relations as identity flows, the identity flows describing i) the identities, ii) the relations of the identities to the other identities, and iii) identity changes, the identity flows being relative to time and place of the connections; and

using at least some of the identity flows for creating an identity graph for analyzing functioning of the communication network, the identity graph being a graphical presentation of the relations of the identities, with the identities of different places and devices of the communication network being marked in the identity graph, and the relations of the identities to the other identities being marked in the identity graph, the identity graphs describing the communication network depending on from where and when the communication network is observed, wherein the identities and the relations of the identities to the other identities to be included in an identity graph are chosen according to predetermined modifiers, the modifiers defining objects in the communication network which are the object of interest for the analyzing of the communication network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, a device arrangement and a computer program product for examining and analyzing the functioning of a communication network. In one or more taps of the examined communication network there is a network probe which examines communication packets flowing in the communication network via a tap and searches for identities and their relations from their header information. Identities and relations between them are used to create an identity flow which is used to create an identity graph for describing the operation of the communication network. A network probe(s) sends all or a part of the data of the traffic of the communication network it has collected or analyzed to a supervisor unit. The data is sent according to previously given instructions or by a request sent by the supervisor unit. The identities and relations between them to be included in the identity graph are chosen according to predetermined modifiers.

25 Citations

View as Search Results

27 Claims

1. A method for recognizing and analyzing relations between taps of a communication device in a packet connected communication network and the communication network, comprising the steps of:
- gathering traffic information in the communication network with a tap of a communication device connected to the communication network, the tap examining header information of connections of the communication network;
  
  storing the information gathered by the tap in a data storage, the tap connected to the data storage, the tap and the data storage together defining a network probe, the network probe being one of i) a physical device and ii) a computer unit;
  
  observing connections of the communication network with the network probe, each connection travels in the communication network and has header information describing the connection, the header information including an identity of the connection and relations to other identities, wherein the observing the connections comprises the tap i) passively analyzing IP packets and association logs received to the tap, the association logs being a description of an observed connection of the communication network, the description being searchable for identities, from the IP packets and association logs, locating the header information of the observed connections, ii) using the located header information to determine the identities of the observed connections and the relations between the observed connections, and iii) saving at least a part of the located header information, the identities, and the relations to the data storage;
  
  with the network probe, modelling the determined identities and relations as identity flows, the identity flows describing i) the identities, ii) the relations of the identities to the other identities, and iii) identity changes, the identity flows being relative to time and place of the connections; and
  
  using at least some of the identity flows for creating an identity graph for analyzing functioning of the communication network, the identity graph being a graphical presentation of the relations of the identities, with the identities of different places and devices of the communication network being marked in the identity graph, and the relations of the identities to the other identities being marked in the identity graph, the identity graphs describing the communication network depending on from where and when the communication network is observed, wherein the identities and the relations of the identities to the other identities to be included in an identity graph are chosen according to predetermined modifiers, the modifiers defining objects in the communication network which are the object of interest for the analyzing of the communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein a data structure has been created from the identity flow of the communication network, which data structure is used by a supervisor unit for creating an identity graph, the supervisor unit being outside of the communication network, the supervisor unit using the created data structure to create the identity graph.
  - 3. The method according to claim 1, wherein,the communication device comprises plural of said tap, the network probe comprising said plural taps, andthe network probe analyzes the identities and the relations of the identities from the traffic information gathered by each of the plural taps.
  - 4. The method according to claim 2, wherein at least a part of the data gathered or analysed by the network probe is sent to the supervisor unit which performs the final analysis.
  - 5. The method according to claim 2, wherein the supervisor unit makes requests to the network probe for sending information when the data structure does not contain needed information for creating an identity graph.
  - 6. The method according to claim 3, the wherein temporal or local changes of the identities and the relations between the identities at the one tap or between two or more of the taps are found out with the identity graph created by the method.
  - 7. The method of claim 1, wherein, the modifiers define objects in the communication network which are the object of interest for the analyzing of the communication network and include at least one of i) a point in time, ii) a time interval, iii) the identities related to a specific device, iv) a specific kind of identities, and v) a specific kind of relation between the identities.
  - 8. The method of claim 7, wherein the modifiers comprise IP numbers and DNS addresses of the identifiers and relations connecting the IP numbers and the DNS addresses of the identifiers.
  - 9. The method of claim 7, wherein the modifiers comprise different points in time and the identity graphs presents a sequence of the connections of the of communication network over the different points in time.

10. A device arrangement for analyzing relations between taps of a communication device in a packet connected communication network and the communication network, comprising:
- a communication device connected to the communication network, the communications device comprising at least one tap, the tap arranged for gathering up traffic information in the communication network, the tap examining header information of connections of the communication network; and
  
  a data storage unit storing the information gathered by the tap, the tap connected to the data storage unit, the tap and the data storage unit together defining a network probe, the network probe being one of i) a physical device and ii) a computer unit,the network probe arranged for observing connections of the communication network with the network probe, each connection travels in the communication network and has header information describing the connection, the header information including an identity of the connection and relations to other identities, wherein the observing the connections comprises the tap i) passively analyzing IP packets and association logs received to the tap, the association logs being a description of an observed connection of the communication network, the description being searchable for identities, from the IP packets and association logs, locating the header information of the observed connections, ii) using the located header information to determine the identities of the observed connections and the relations between the observed connections, and iii) saving at least a part of the located header information, the identities, and the relations to the data storage unit,the network probe modelling the determined identities and relations as identity flows, the identity flows describing i) the identities, ii) the relations of the identities to the other identities, and iii) identity changes, the identity flows being relative to time and place of the connections, anda graph-creating unit arranged for using at least some of the identity flows for creating an identity graph for analyzing functioning of the communication network, the identity graph being a graphical presentation of the relations of the identities, with the identities of different places and devices of the communication network being marked in the identity graph, and the relations of the identities to the other identities being marked in the identity graph, the identity graphs describing the communication network depending on from where and when the communication network is observed, wherein the identities and the relations of the identities to the other identities to be included in an identity graph are chosen according to predetermined modifiers, the modifiers defining objects in the communication network which are the object of interest for the analyzing of the communication network.
- View Dependent Claims (11, 12, 13)
- - 11. The device arrangement according to claim 10, wherein when identities and the relations between the connections according to the modifiers are not found from the data structure, the graph-creating unit has been arranged to send a request for missing information to the storing unit storing connections of the communication network.
  - 12. The device arrangement according to claim 11, wherein the graph-creating unit is arranged to send a checking request to the storing unit storing the connections of the communication network, which checking request checks whether the storing unit storing the connections of the communication network has stored such identities and their relations fulfilling the modifiers which are not included in the data structure.
  - 13. The device arrangement according to claim 10, characterized in that the network probe is arranged to receive and store in the data structure information sent by the storing unit storing the connections of the communication network.

14. A non-transitory computer-readable data storage medium having recorded thereon a computer program product, the computer product when executed by a computer, controlling the computer to execute a method of:
- gathering up traffic information in the communication network with taps of a communication device connected to the communication network, the taps examining header information of connections of the communication network;
  
  observing connections of the communication network with the taps, each connection travels in the communication network and has header information describing the connection, the header information including an identity of the connection and relations to other identities, wherein the observing the connections comprises the tap i) passively analyzing IP packets and association logs received to the tap, the association logs being a description of an observed connection of the communication network, the description being searchable for identities, from the IP packets and association logs, locating the header information of the observed connections, and ii) using the located header information to determine the identities of the observed connections and the relations between the observed connections;
  
  modelling the determined identities and relations as identity flows, the identity flows describing i) the identities, ii) the relations of the identities to the other identities, and iii) identity changes, the identity flows being relative to time and place of the connections; and
  
  using at least some of the identity flows for creating an identity graph for analyzing functioning of the communication network, the identity graph being a graphical presentation of the relations of the identities, with the identities of different places and devices of the communication network being marked in the identity graph, and the relations of the identities to the other identities being marked in the identity graph, the identity graphs describing the communication network depending on from where and when the communication network is observed, wherein the identities and the relations of the identities to the other identities to be included in an identity graph are chosen according to predetermined modifiers, the modifiers defining objects in the communication network which are the object of interest for the analyzing of the communication network.
- View Dependent Claims (15, 16, 17)
- - 15. The non-transitory computer-readable data storage medium according to claim 14, wherein the computer is controlled to analyze information collected from the identities and their relations.
  - 16. The non-transitory computer-readable data storage medium according to claim 14, wherein the computer is controlled to store at least a part of the identities and their relations they have found to data storage.
  - 17. The non-transitory computer-readable data storage medium according to claim 14, wherein the computer is controlled to send collected data either according to predetermined rules or on grounds of a received request.

18. A non-transitory computer-readable data storage medium having recorded thereon a computer program product, the computer product when executed by a computer, controlling the computer to execute a method examining a communication network of:
- gathering up traffic information in the communication network with a tap of a communication device connected to the communication network, the tap examining header information of connections of the communication network;
  
  storing the information gathered by the tap in a data storage, the tap connected to the data storage, the tap and the data storage together defining a network probe, the network probe being one of i) a physical device and ii) a computer unit;
  
  observing connections of the communication network with the network probe, each connection travels in the communication network and has header information describing the connection, the header information including an identity of the connection and relations to other identities, wherein the observing the connections comprises the tap i) passively analyzing IP packets and association logs received to the tap, the association logs being a description of an observed connection of the communication network, the description being searchable for identities, from the IP packets and association logs, locating the header information of the observed connections, ii) using the located header information to determine the identities of the observed connections and the relations between the observed connections, and iii) saving at least a part of the located header information, the identities, and the relations to the data storage;
  
  with the network probe, modelling the determined identities and relations as identity flows, the identity flows describing i) the identities, ii) the relations of the identities to the other identities, and iii) identity changes, the identity flows being relative to time and place of the connections; and
  
  using at least some of the identity flows for creating an identity graph for analyzing functioning of the communication network, the identity graph being a graphical presentation of the relations of the identities, with the identities of different places and devices of the communication network being marked in the identity graph, and the relations of the identities to the other identities being marked in the identity graph, the identity graphs describing the communication network depending on from where and when the communication network is observed, wherein the identities and the relations of the identities to the other identities to be included in an identity graph are chosen according to predetermined modifiers, the modifiers defining objects in the communication network which are the object of interest for the analyzing of the communication network.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The non-transitory computer-readable data storage medium according to claim 18, wherein the computer is controlled to receive data about identities and their relations sent by the storage unit for storing connections of the communication network.
  - 20. The non-transitory computer-readable data storage medium to claim 18, wherein the computer is controlled for creating a data structure from the identities and their relations of the examined communication network.
  - 21. The non-transitory computer-readable data storage medium according to claim 18, wherein the computer is controlled to receive modifiers which define the identities and their relations that are to be included in an identity graph analysing the communication network.
  - 22. The non-transitory computer-readable data storage medium according to claim 18, wherein the computer is controlled to send a request to the storage unit for storing the connections of communication network if the data structure does not contain identities and their relations according to the modifiers.
  - 23. The non-transitory computer-readable data storage medium according to claim 18, wherein the computer is controlled to send a checking request to the storage unit for storing the connections of the communication network in which checking request to the storage unit for storing the connections of the communication network a request to check if their data storages contain such identities and their relations that fulfill the modifiers that the data structure does not have is presented.
  - 24. The non-transitory computer-readable data storage medium according to claim 18, wherein the computer is controlled to passively search for flow identities and relations between the flow identities from the identity flow of the communication network from the header information of packets relayed in the communication network or the description of packets being analyzed.
  - 25. The non-transitory computer-readable data storage medium according to claim 18, wherein the computer is controlled to create an identity graph for analysing the communication network in which identity graph the identities and their relations to be included in the identity graph are chosen according to the given modifiers.
  - 26. The non-transitory computer-readable data storage medium according to claim 18, wherein the computer is controlled to create identity graphs for analysing the communication network which identity graphs present the temporal or local changes of identities and relations between them in one tap or between two or more taps.
  - 27. The non-transitory computer-readable data storage medium according to claim 18, wherein the computer executing said method is located outside the examined communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Software Integrity Group Incorporated
Original Assignee
Clarified Networks Oy (Synopsys Incorporated)
Inventors
Kenttl, Jani, Laakso, Marko, Huhta, Jyrki
Primary Examiner(s)
WANG, JIN CHENG

Application Number

US12/414,960
Publication Number

US 20090244069A1
Time in Patent Office

1,785 Days
Field of Search

370/241, 370254-255, 345440-442
US Class Current

345/440
CPC Class Codes

G06T 11/203   Drawing of straight lines o...

G06T 11/206   Drawing of charts or graphs

H04L 41/12   Discovery or management of ...

H04L 43/026   using flow identification

Method, device arrangement and computer program product for producing identity graphs for analyzing communication network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method, device arrangement and computer program product for producing identity graphs for analyzing communication network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links