System and method for efficient classification and processing of network traffic

US 9,264,446 B2
Filed: 01/25/2012
Issued: 02/16/2016
Est. Priority Date: 01/27/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

multiple flow analysis units, which are configured to analyze flows of communication packets, wherein each of the multiple flow analysis units function in parallel, separately and independently of each other, and wherein at least one of the multiple flow analysis units analyzes flows by searching for occurrences of regular expressions in flows;

at least one classification unit, which is configured to accept one or more of the communication packets in the flow from a front-end processor and configured to assign a classification to the flow that indicates whether the flow is to be analyzed by the flow analysis units, wherein the classification is assigned based on less than 5% of the input packets of the given input flow, wherein the classification unit is configured to assign a first classification to a first input flow that indicates whether the flow is to be analyzed by the flow analysis units based on information produced in assigning a second classification to a second input flow, and wherein the classification unit is configured to identify a server-side address and a client-side address in the second input flow, and to use the identified serve-side and client-side addresses in assigning the first classification to the first input flow; and

a front-end processor, which is configured to receive input packets from a communication network, to associate each input packet with a respective input flow, to forward at least one input flow to the classification unit for assigning the classification, and to forward one or more input flows, which were classified by the classification unit as requiring analysis by the multiple flow analysis units, to the multiple flow analysis units.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for analyzing flows of communication packets. A front-end processor associates input packets with flows and forwards each flow to the appropriate unit, typically by querying a flow table that holds a respective classification for each active flow. In general, flows that are not yet classified are forwarded to the classification unit, and the resulting classification is entered in the flow table. Flows that are classified as requested for further analysis are forwarded to an appropriate flow analysis unit. Flows that are classified as not requested for analysis are not subjected to further processing, e.g., discarded or allowed to pass.

36 Citations

View as Search Results

12 Claims

1. A system, comprising:
- multiple flow analysis units, which are configured to analyze flows of communication packets, wherein each of the multiple flow analysis units function in parallel, separately and independently of each other, and wherein at least one of the multiple flow analysis units analyzes flows by searching for occurrences of regular expressions in flows;
  
  at least one classification unit, which is configured to accept one or more of the communication packets in the flow from a front-end processor and configured to assign a classification to the flow that indicates whether the flow is to be analyzed by the flow analysis units, wherein the classification is assigned based on less than 5% of the input packets of the given input flow, wherein the classification unit is configured to assign a first classification to a first input flow that indicates whether the flow is to be analyzed by the flow analysis units based on information produced in assigning a second classification to a second input flow, and wherein the classification unit is configured to identify a server-side address and a client-side address in the second input flow, and to use the identified serve-side and client-side addresses in assigning the first classification to the first input flow; and
  
  a front-end processor, which is configured to receive input packets from a communication network, to associate each input packet with a respective input flow, to forward at least one input flow to the classification unit for assigning the classification, and to forward one or more input flows, which were classified by the classification unit as requiring analysis by the multiple flow analysis units, to the multiple flow analysis units.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, wherein the front-end processor is configured to forward the given input flow to the flow analysis units if the given input flow has been classified as requiring analysis from the multiple flow analysis units, to forward the given input flow to the classification unit if the given input flow has not yet been assigned a classification by the classification unit, and to refrain from forwarding the given input flow to the multiple flow analysis units if the flow has been classified by the classification unit as not requiring further analysis from the multiple flow analysis units.
  - 3. The system according to claim 1, wherein the front-end processor is configured to maintain a list of active input flows and respective assigned classifications of the active input flows, and to forward the input flows to the flow analysis units based on the assigned classifications of the input flows on the list.
  - 4. The system according to claim 3, wherein the front-end processor is configured to forward a given input flow to the classification unit responsively to identifying in the list that the given input flow has not yet been assigned a classification, and to update the list with a respective assigned classification of the given input flow that was produced and assigned by the classification unit.
  - 5. The system according to claim 1, wherein the classification unit is configured to identify an application that is served by a given input flow, and to assign a classification to the given input flow based on the identified application.
  - 6. The system according to claim 1, wherein the at least one classification unit comprises multiple classification units, and wherein the front-end processor is configured to distribute multiple input flows for classification among the classification units.

7. A method, comprising:
- receiving input packets from a communication network at a front-end processor;
  
  associating, by the front-end processor, each input packet with a respective input flow;
  
  forwarding at least one input flow to a classification unit for classification;
  
  assigning a classification to the flow, by the classification unit, wherein the classification assigned determines whether the flow is to be analyzed by multiple flow analysis units, wherein the classification is assigned based on less than 5% of the input packets of the given input flow;
  
  wherein assigning a classification to the flow comprises assigning a first, classification to a first input flow by the classification unit that indicates whether the flow is to be analyzed by the flow analysis units based on information produced in assigning, a classification to a second input flow, wherein assigning the second classification to the second input flow comprises identifying a server-side address and a client-side address in the second input flow, and wherein assigning the first classification to the first input flow is performed using the identified server-side and client-side addresses; and
  
  forwarding one or more input flows, which were classified by the classification unit as requiring analysis by the multiple flow analysis units, to the multiple flow analysis units so as to cause the multiple flow analysis units to analyze the requested flows, wherein each of the multiple flow analysis units function in parallel, separately and independently of each other, and wherein at least one of the multiple flow analysis units analyzes flows by searching for occurrences of regular expressions in the flows.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method according to claim 7, wherein forwarding the one or more input flows comprises:
    - forwarding the given input flow to the multiple flow analysis units if the given input flow has been classified by the classification unit as requiring analysis from the multiple flow analysis units, andrefraining from forwarding the given input flow to the multiple flow analysis units if the given input flow has been classified by the classification unit as not requiring further analysis by the multiple flow analysis units.
  - 9. The method according to claim 7, wherein forwarding the input flows comprises maintaining a list of active input flows and respective assigned classifications of the active input flows, and forwarding the input flows to the flow analysis units based on the assigned classifications of the input flows on the list.
  - 10. The method according to claim 9, wherein forwarding the input flows comprises forwarding a given input flow to the classification unit responsively to identifying in the list that the given input flow has not yet been assigned a classification and updating the list with a respective assigned classification of the given input flow that was produced and assigned by the classification unit.
  - 11. The method according to claim 7, further comprising, identifying, by the classification unit, an application that is served by a given input flow and assigning the classification of the given input flow based on the identified application.
  - 12. The method according to claim 7, and comprising operating multiple classification units, wherein forwarding the at least one input flow comprises distributing multiple input flows for classification among the classification units.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Goldfarb, Eithan, Altman, Yuval, Frid, Naomi, Yaari, Gur
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
Nguyen, Van Kim T

Application Number

US13/358,477
Publication Number

US 20120215909A1
Time in Patent Office

1,483 Days
Field of Search

709/224, 709/230, 709/232, 709/234, 709/238
US Class Current

1/1
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/30   for supporting lawful inter...

H04L 63/306   intercepting packet switche...

System and method for efficient classification and processing of network traffic

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

System and method for efficient classification and processing of network traffic

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others