System and method for efficient classification and processing of network traffic
Abstract
Methods and systems for analyzing flows of communication packets. A front-end processor associates input packets with flows and forwards each flow to the appropriate unit, typically by querying a flow table that holds a respective classification for each active flow. In general, flows that are not yet classified are forwarded to the classification unit, and the resulting classification is entered in the flow table. Flows that are classified as requested for further analysis are forwarded to an appropriate flow analysis unit. Flows that are classified as not requested for analysis are not subjected to further processing, e.g., discarded or allowed to pass.
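The dispatch logic the abstract describes, as an added Python sketch that is not taken from the patent. The `FrontEnd` class, the `trigger` rule, the lower-port-is-server heuristic and classifying on a flow's first packet are all assumptions made for illustration; the packets are constructed sample data.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")
ANALYZE, PASS = "analyze", "pass"

class FrontEnd:
    def __init__(self, unit_patterns, trigger=rb"^(GET|POST) "):
        self.flow_table = {}      # flow key -> classification
        self.endpoints = set()    # (client, server) pairs learned from earlier flows
        self.units = [re.compile(p) for p in unit_patterns]  # regex analysis units
        self.trigger = re.compile(trigger)  # hypothetical classifier rule
        self.alerts, self.classifier_calls = [], 0

    @staticmethod
    def flow_key(p):
        # Same key for both directions of a connection.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def classify(self, p):
        self.classifier_calls += 1
        # Assumption: the side with the lower port number is the server.
        client, server = (p.src, p.dst) if p.dport < p.sport else (p.dst, p.src)
        if (client, server) in self.endpoints:
            return ANALYZE        # decided from an earlier flow's addresses
        if self.trigger.search(p.payload):
            self.endpoints.add((client, server))
            return ANALYZE
        return PASS               # no further processing for this flow

    def handle(self, p):
        key = self.flow_key(p)
        if key not in self.flow_table:        # unclassified: classify once
            self.flow_table[key] = self.classify(p)
        if self.flow_table[key] == ANALYZE:   # forward to each analysis unit
            for i, rx in enumerate(self.units):
                if rx.search(p.payload):
                    self.alerts.append((i, key))
        return self.flow_table[key]

def demo():
    fe = FrontEnd([rb"passwd", rb"(?i)cmd\.exe"])
    pkts = [  # constructed sample traffic
        Packet("10.0.0.5", 40000, "192.0.2.9", 80, b"GET /a HTTP/1.1\r\n"),
        Packet("10.0.0.5", 40001, "192.0.2.9", 8443, b"\x16\x03 passwd"),
        Packet("10.0.0.7", 40002, "192.0.2.9", 8443, b"\x16\x03 passwd"),
        Packet("192.0.2.9", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n"),
    ]
    return [fe.handle(p) for p in pkts], fe
```

The second packet opens a flow whose payload does not match the trigger, yet it is sent for analysis because its client and server addresses were recorded from the first flow; the same payload from an unknown client is passed without inspection.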
12 Claims
1. A system, comprising:
- multiple flow analysis units, which are configured to analyze flows of communication packets, wherein each of the multiple flow analysis units function in parallel, separately and independently of each other, and wherein at least one of the multiple flow analysis units analyzes flows by searching for occurrences of regular expressions in flows;
- at least one classification unit, which is configured to accept one or more of the communication packets in the flow from a front-end processor and configured to assign a classification to the flow that indicates whether the flow is to be analyzed by the flow analysis units, wherein the classification is assigned based on less than 5% of the input packets of the given input flow, wherein the classification unit is configured to assign a first classification to a first input flow that indicates whether the flow is to be analyzed by the flow analysis units based on information produced in assigning a second classification to a second input flow, and wherein the classification unit is configured to identify a server-side address and a client-side address in the second input flow, and to use the identified server-side and client-side addresses in assigning the first classification to the first input flow; and
- a front-end processor, which is configured to receive input packets from a communication network, to associate each input packet with a respective input flow, to forward at least one input flow to the classification unit for assigning the classification, and to forward one or more input flows, which were classified by the classification unit as requiring analysis by the multiple flow analysis units, to the multiple flow analysis units.
7. A method, comprising:
- receiving input packets from a communication network at a front-end processor;
- associating, by the front-end processor, each input packet with a respective input flow;
- forwarding at least one input flow to a classification unit for classification;
- assigning a classification to the flow, by the classification unit, wherein the classification assigned determines whether the flow is to be analyzed by multiple flow analysis units, wherein the classification is assigned based on less than 5% of the input packets of the given input flow; wherein assigning a classification to the flow comprises assigning a first classification to a first input flow by the classification unit that indicates whether the flow is to be analyzed by the flow analysis units based on information produced in assigning a classification to a second input flow, wherein assigning the second classification to the second input flow comprises identifying a server-side address and a client-side address in the second input flow, and wherein assigning the first classification to the first input flow is performed using the identified server-side and client-side addresses; and
- forwarding one or more input flows, which were classified by the classification unit as requiring analysis by the multiple flow analysis units, to the multiple flow analysis units so as to cause the multiple flow analysis units to analyze the requested flows, wherein each of the multiple flow analysis units function in parallel, separately and independently of each other, and wherein at least one of the multiple flow analysis units analyzes flows by searching for occurrences of regular expressions in the flows.
Specification