Transparent network traffic inspection

US 8,705,356 B2
Filed: 04/25/2013
Issued: 04/22/2014
Est. Priority Date: 12/23/2008
Status: Active Grant

First Claim

Patent Images

1. A network monitoring method, comprising:

filtering network traffic as a function of a set of filter criteria stored in a filter criteria data store;

receiving, with a computer and from an inspection data requester and over a communication network, an inspection data request for requested inspection data stored in an inspection data store associated with at least one subscriber, the inspection data store being accessible via the communication network;

determining with the computer, whether the inspection data requester is authorized to access the requested inspection data; and

when the inspection data requester is authorized to access the requested inspection data, providing, by the computer, the inspection data requester with access to the requested inspection data over the communication network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for providing parties with levels of transparency into filtering functionality of network traffic inspection implementations. Embodiments include receiving a filter change request from a subscriber over a network that defines a modification to a set of filter criteria for filtering network traffic, the filter criteria being stored in association with the subscriber in a filter criteria data store; updating the set of filter criteria in the filter criteria data store as a function of the filter change request; receiving a content dataset relating to the network traffic; identifying the content dataset as being associated with the subscriber; retrieving the set of filter criteria associated with the subscriber from the data store; and filtering the network traffic as a function of the set of filter criteria. Embodiments further provide layers of access for different entities to the filtered traffic.

Citations

20 Claims

1. A network monitoring method, comprising:
- filtering network traffic as a function of a set of filter criteria stored in a filter criteria data store;
  
  receiving, with a computer and from an inspection data requester and over a communication network, an inspection data request for requested inspection data stored in an inspection data store associated with at least one subscriber, the inspection data store being accessible via the communication network;
  
  determining with the computer, whether the inspection data requester is authorized to access the requested inspection data; and
  
  when the inspection data requester is authorized to access the requested inspection data, providing, by the computer, the inspection data requester with access to the requested inspection data over the communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving authentication data over the communication network,wherein determining whether the inspection data requester is authorized to access the requested inspection data comprises determining, as a function of the authentication data, whether the inspection data requester is authorized to access the requested inspection data.
  - 3. The method of claim 1, further comprising:
    - when the inspection data requester is not authorized to access the inspection data, generating and sending a notification to one or more of a service provider that manages a network traffic processing system that controls access to the inspection data, a logging module that logs unsuccessful attempts at access to inspection data, or the inspection data requester.
  - 4. The method of claim 1, further comprising:
    - storing, in the inspection data store, the inspection data in association with one of a plurality of authentication levels, each authentication level defining a set of privileges required for access to associated inspection data.
  - 5. The method of claim 4, further comprising:
    - receiving authentication data over the communication network from the inspection data requester;
      
      determining the authentication level associated with the requested inspection data,wherein determining whether the inspection data requester is authorized to access the requested inspection data comprises determining, as a function of the authentication data and the determined authentication level, whether the inspection data requester is authorized to access the requested inspection data.
  - 6. The method of claim 1, further comprising:
    - generating a network usage profile using the requested inspection data.
  - 7. The method of claim 6, wherein the network usage profile includes at least one of a devices-by-user profile, a traffic-by-device profile, a traffic-by-user profile, a traffic-by-customer profile, a traffic-by-device-by-customer profile, or a devices-by-node profile.
  - 8. The method of claim 6, further comprising:
    - determining, based on the generated network usage profile, at least one of types of advertisements, best times to present advertisements to the at least one subscriber, or which one or more devices associated with the at least one subscriber to send advertisements for presentation to the at least one subscriber; and
      
      presenting advertisements to the at least one subscriber, based on said determination.

9. A network monitoring system, comprising:
- a filter module, in operative communication with a traffic inspection module and a filter criteria data store, that filters network traffic as a function of a set of filter criteria stored in the filter criteria data store;
  
  an extraction layer module, in operative communication with an inspection data store, that receives, from an inspection data requester and over a communication network, an inspection data request for requested inspection data stored in the inspection data store associated with at least one subscriber, the inspection data store being accessible via the communication network; and
  
  an access control module, in operative communication with the filter module and the extraction layer module, that determines whether the inspection data requester is authorized to access the requested inspection data,wherein, when the inspection data requester is authorized to access the requested inspection data, the extraction layer module provides the inspection data requester with access to the requested inspection data over the communication network.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the extraction layer module receiving the inspection data request includes the extraction layer module receiving a query from the access control module, wherein the query is generated by the access control module as a function of query data received over the communication network from the inspection data requester.
  - 11. The system of claim 10, wherein the extraction layer module providing the inspection data requester with access to the requested inspection data over the communication network includes the extraction layer module executing the query against inspection data stored in the inspection data store to generate inspection query results, and the extraction layer module providing the inspection data requester with access to the query results over the communication network.
  - 12. The system of claim 9, wherein:
    - the access control module receives, from the inspection data requester, authentication data over the communication network;
      
      the access control module determining whether the inspection data requester is authorized to access the requested inspection data includes the access control module determining, as a function of the authentication data, whether the inspection data requester is authorized to access the requested inspection data; and
      
      the extraction layer module providing the inspection data requester with access to the requested inspection data over the communication network includes the extraction layer module receiving authorization from the access control module to execute the inspection data request, the authorization being sent from the access control module based on a determination by the access control module that, as a function of the authentication data, the inspection data requester is authorized to access the requested inspection data.
  - 13. The system of claim 9, wherein:
    - the inspection data store stores the inspection data in association with one of a plurality of authentication levels, each authentication level defining a set of privileges required for access to associated inspection data;
      
      the access control module receives authentication data over the communication network from the inspection data requester;
      
      the access control module determines the authentication level associated with the requested inspection data;
      
      the access control module determining whether the inspection data requester is authorized to access the requested inspection data includes the access control module determining, as a function of the authentication data and the determined authentication level, whether the inspection data requester is authorized to access the requested inspection data; and
      
      the extraction layer module providing the inspection data requester with access to the requested inspection data over the communication network includes the extraction layer module receiving authorization from the access control module to execute the inspection data request, the authorization being sent from the access control module based on a determination by the access control module that, as a function of the authentication data and the determined authentication level, the inspection data requester is authorized to access the requested inspection data.

14. An apparatus, comprising a non-transitory computer-readable storage medium having a computer-readable program embodied therein for monitoring a network, the computer-readable program including a set of instructions that, when executed by a computer system, causes the computer system to perform one or more functions, the set of instructions comprising:
- instructions to filter network traffic as a function of a set of filter criteria stored in a filter criteria data store;
  
  instructions to receive, from an inspection data requester and over a communication network, an inspection data request for requested inspection data stored in an inspection data store associated with at least one subscriber, the inspection data store being accessible via the communication network;
  
  instructions to determine whether the inspection data requester is authorized to access the requested inspection data; and
  
  instructions, when the inspection data requester is authorized to access the requested inspection data, to provide the inspection data requester with access to the requested inspection data over the communication network.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The apparatus of claim 14, wherein the set of instructions further comprises:
    - instructions to receive, from the inspection data requester, authentication data over the communication network,wherein the instructions to determine whether the inspection data requester is authorized to access the requested inspection data includes instructions to determine, as a function of the authentication data, whether the inspection data requester is authorized to access the requested inspection data.
  - 16. The apparatus of claim 14, wherein the set of instructions further comprises:
    - instructions to store, in the inspection data store, the inspection data in association with one of a plurality of authentication levels, each authentication level defining a set of privileges required for access to associated inspection data.
  - 17. The apparatus of claim 16, wherein the set of instructions further comprises:
    - instructions to receive authentication data over the communication network from the inspection data requester;
      
      instructions to determine the authentication level associated with the requested inspection data,wherein the instructions to determine whether the inspection data requester is authorized to access the requested inspection data includes instructions to determine, as a function of the authentication data and the determined authentication level, whether the inspection data requester is authorized to access the requested inspection data.
  - 18. The apparatus of claim 16, wherein the set of instructions further comprises:
    - instructions to generate a network usage profile using the requested inspection data.
  - 19. The apparatus of claim 18, wherein the network usage profile includes at least one of a devices-by-user profile, a traffic-by-device profile, a traffic-by-user profile, a traffic-by-customer profile, a traffic-by-device-by-customer profile, or a devices-by-node profile.
  - 20. The apparatus of claim 18, wherein the set of instructions further comprises:
    - instructions to determine, based on the generated network usage profile, at least one of types of advertisements, best times to present advertisements to the at least one subscriber, or which one or more devices associated with the at least one subscriber to send advertisements for presentation to the at least one subscriber; and
      
      instructions to present advertisements to the at least one subscriber based on said determination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CenturyLink Intellectual Property LLC (Lumen Technologies, Inc.)
Original Assignee
CenturyLink Intellectual Property LLC (Lumen Technologies, Inc.)
Inventors
Casey, Steven M., Elcan, Amie, Butala, John, Castro, Felipe, Phillips, Bruce A.
Primary Examiner(s)
Phan, Tri H

Application Number

US13/870,197
Publication Number

US 20130238430A1
Time in Patent Office

362 Days
Field of Search

370229-240, 370328-333, 370400-402, 370241-252, 370389-392, 709217-229, 709230-244, 726 1- 21
US Class Current

370/230
CPC Class Codes

H04L 43/062   related to network traffic

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

Transparent network traffic inspection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent network traffic inspection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links