Intelligent feedback loop to iteratively reduce incoming network data for analysis

US 9,350,762 B2
Filed: 09/25/2012
Issued: 05/24/2016
Est. Priority Date: 09/25/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory medium, readable through a network traffic monitoring system used by a data interception system and comprising instructions embodied therein that are executable through the network traffic monitoring system, comprising:

instructions to process flow data from a computer network received through an aggregation switch of the network traffic monitoring system in a first stage module of the network traffic monitoring system;

instructions to identify target network activities of interest to the data interception system;

instructions to filter the flow data to target data based on packet classification in the first stage module, the target data being associated with the identified target network activities of interest to the data interception system;

instructions to determine that a portion of the target data is extraneous data in a data processing system of the network traffic monitoring system based on classifying the target data according to an analysis of protocols associated therewith through a hardware component of the data processing system, the extraneous data being the portion of the target data that is determined to be;

irrelevant in the network traffic monitoring system used by the data interception system and innocuous with respect to a threat level thereof based on the classification of the target data, and the data processing system being commodity hardware in a second stage of the network traffic monitoring system communicatively coupled to the first stage module;

instructions to extract metadata associated with the target data in the data processing system;

instructions to produce, through the data processing system, a set of regular expressions describing a search pattern in the target data;

instructions to analyze the target data to discover an action of interest in the set of regular expressions associated with a target individual in the data processing system, the action of interest corresponding to an identified target network activity of interest; and

instructions to utilize, through the data processing system, instructions to monitor the computer network for specific network activities of interest to the data interception system, the instructions to monitor the computer network for the specific network activities of interest comprising instructions to iteratively remove from the target data the extraneous data based on creating a feedback loop between the data processing system and the first stage module of the network traffic monitoring system, the feedback loop being a control system configured to adjust operation thereof between an actual output and a desired output of the data processing system, and the feedback loop involving a modification in data processing through the first stage module to effect the desired output of the data processing system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and system related to an intelligent feedback loop to iteratively reduce target packet analysis is disclosed. According to one embodiment, a method of a network traffic monitoring system includes processing a flow data received through an aggregation switch of a network traffic monitoring system in a first stage module of the network traffic monitoring system, filtering the flow data to a target data based on a packet classification in the first stage module, determining that a portion of a target data is an extraneous data based on a content filtering algorithm applied in a data processing system of the network traffic monitoring system, and iteratively removing from the target data the extraneous data based on a feedback loop created between the data processing system and the first stage module of the network traffic monitoring system.

344 Citations

18 Claims

1. A non-transitory medium, readable through a network traffic monitoring system used by a data interception system and comprising instructions embodied therein that are executable through the network traffic monitoring system, comprising:
- instructions to process flow data from a computer network received through an aggregation switch of the network traffic monitoring system in a first stage module of the network traffic monitoring system;
  
  instructions to identify target network activities of interest to the data interception system;
  
  instructions to filter the flow data to target data based on packet classification in the first stage module, the target data being associated with the identified target network activities of interest to the data interception system;
  
  instructions to determine that a portion of the target data is extraneous data in a data processing system of the network traffic monitoring system based on classifying the target data according to an analysis of protocols associated therewith through a hardware component of the data processing system, the extraneous data being the portion of the target data that is determined to be;
  
  irrelevant in the network traffic monitoring system used by the data interception system and innocuous with respect to a threat level thereof based on the classification of the target data, and the data processing system being commodity hardware in a second stage of the network traffic monitoring system communicatively coupled to the first stage module;
  
  instructions to extract metadata associated with the target data in the data processing system;
  
  instructions to produce, through the data processing system, a set of regular expressions describing a search pattern in the target data;
  
  instructions to analyze the target data to discover an action of interest in the set of regular expressions associated with a target individual in the data processing system, the action of interest corresponding to an identified target network activity of interest; and
  
  instructions to utilize, through the data processing system, instructions to monitor the computer network for specific network activities of interest to the data interception system, the instructions to monitor the computer network for the specific network activities of interest comprising instructions to iteratively remove from the target data the extraneous data based on creating a feedback loop between the data processing system and the first stage module of the network traffic monitoring system, the feedback loop being a control system configured to adjust operation thereof between an actual output and a desired output of the data processing system, and the feedback loop involving a modification in data processing through the first stage module to effect the desired output of the data processing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The non-transitory medium of claim 1, further comprising:
    - instructions to apply a zero-copy driver and a use buffer in at least one of the first stage module and the data processing system; and
      
      instructions to reduce processing power and memory usage through the application of the zero-copy driver and the use buffer in the data processing system.
  - 3. The non-transitory medium of claim 1, further comprising:
    - instructions to communicate the extraneous portion of the target data from the data processing system to the first stage module following the content filtering.
  - 4. The non-transitory medium of claim 1, wherein the instructions to determine that the portion of the target data is the extraneous data further comprises at least one of:
    - instructions to perform static filtering of the flow data based on an internet protocol analysis and a port analysis in the first stage module;
      
      instructions to map the flow data having a variable length into an ordered list of elements having a fixed length of the flow data in the first stage module; and
      
      instructions to dynamically filter the flow data in the first stage module based on the removal of the extraneous data communicated from the data processing system.
  - 5. The non-transitory medium of claim 4, further comprising at least one of:
    - instructions to buffer the target data in a random access memory in the data processing system; and
      
      instructions to determine a communication mode between the data processing system and the dynamic filtering of the first stage module so that a request to remove the extraneous data is executable.
  - 6. The non-transitory medium of claim 1, further comprising:
    - instructions to communicate the extracted metadata to a data retention server; and
      
      instructions to communicate the set of regular expressions to a master controller.
  - 7. The non-transitory medium of claim 6,wherein the action of interest is subject to a governmental permission as to how the action of interest is usable in the data interception system.

8. A network traffic monitoring system used by a data interception system comprising:
- an aggregation switch to consolidate flow data from a computer network;
  
  a processing module to identify target network activities of interest to the data interception system;
  
  a first stage module to filter the flow data to target data based on packet classification therein, the target data being associated with the identified target network activities of interest to the data interception system; and
  
  a data processing system comprising a processor and a memory to determine that a portion of the target data is extraneous data based on classifying the target data according to an analysis of protocols associated therewith through a hardware component of the data processing system, to utilize instructions to monitor the computer network for specific network activities of interest to the data interception system, to extract metadata associated with the target data, to produce a set of regular expressions describing a search pattern in the target data, to analyze the target data to discover an action of interest corresponding to an identified target network activity of interest in the set of regular expressions associated with a target individual in the data processing system, and to iteratively remove from the target data the extraneous data based on forming a feedback loop between the data processing system and the first stage module, the extraneous data being the portion of the target data that is determined to be;
  
  irrelevant in the network traffic monitoring system used by the data interception system and innocuous with respect to a threat level thereof based on the classification of the target data, and the data processing system being commodity hardware in a second stage of the network traffic monitoring system communicatively coupled to the first stage module,wherein the feedback loop is a control system configured to adjust operation thereof between an actual output and a desired output of the data processing system, the feedback loop involving a modification in data processing through the first stage module to effect the desired output of the data processing system.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The network traffic monitoring system of claim 8, wherein the first stage module is further configured to at least one of:
    - perform static filtering of the flow data based on an internet protocol analysis and a port analysis,map the flow data having a variable length into an ordered list of elements having a fixed length of the flow data, anddynamically filter the flow data based on the removal of the extraneous data communicated from the data processing system.
  - 10. The network traffic monitoring system of claim 9, wherein the data processing system is further configured to at least one of:
    - apply a zero-copy driver and a use buffer,reduce processing power and memory usage through the application of the zero-copy driver and the use buffer,buffer the target data in a random access memory, anddetermine a communication mode between the data processing system and the dynamic filtering of the first stage module so that a request to remove the extraneous data is executable.
  - 11. The network traffic monitoring system of claim 8, wherein the data processing system is further configured to at least one of:
    - communicate the extracted metadata to a data retention server, andcommunicate the set of regular expressions to a master controller.
  - 12. The network traffic monitoring system of claim 11, whereinthe action of interest is subject to a governmental permission as to how the action of interest is usable in the data interception system.

13. A method of a network traffic monitoring system used by a data interception system comprising:
- processing flow data from a computer network received through an aggregation switch of the network traffic monitoring system in a first stage module of the network traffic monitoring system;
  
  identifying target network activities of interest to the data interception system;
  
  filtering the flow data to target data based on packet classification in the first stage module, the target data being associated with the identified target network activities of interest to the data interception system;
  
  determining that a portion of the target data is extraneous data in a data processing system of the network traffic monitoring system based on classifying the target data according to an analysis of protocols associated therewith through a hardware component of the data processing system, the extraneous data being the portion of the target data that is determined to be;
  
  irrelevant in the network traffic monitoring system used by the data interception system and innocuous with respect to a threat level thereof based on the classification of the target data, and the data processing system being commodity hardware in a second stage of the network traffic monitoring system communicatively coupled to the first stage module;
  
  extracting metadata associated with the target data in the data processing system;
  
  producing, through the data processing system, a set of regular expressions describing a search pattern in the target data;
  
  analyzing the target data to discover an action of interest in the set of regular expressions associated with a target individual in the data processing system, the action of interest corresponding to an identified target network activity of interest; and
  
  utilizing, through the data processing system, instructions to monitor the computer network for specific network activities of interest to the data interception system, the monitoring of the computer network for the specific network activities of interest comprising iteratively removing from the target data the extraneous data based on creating a feedback loop between the data processing system and the first stage module of the network traffic monitoring system, the feedback loop being a control system configured to adjust operation thereof between an actual output and a desired output of the data processing system, and the feedback loop involving a modification in data processing through the first stage module to effect the desired output of the data processing system.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, further comprising:
    - communicating the extraneous portion of the target data from the data processing system to the first stage module following the content filtering.
  - 15. The method of claim 13, further comprising:
    - performing static filtering of the flow data based on an internet protocol analysis and a port analysis in the first stage module;
      
      mapping the flow data having a variable length into an ordered list of elements having a fixed length of the flow data in the first stage module; and
      
      dynamically filtering the flow data in the first stage module based on the removal of the extraneous data communicated from the data processing system.
  - 16. The method of claim 15, further comprising at least one of:
    - applying a zero-copy driver and a use buffer in the data processing system;
      
      reducing processing power and memory usage through the application of the zero-copy driver and the use buffer in the data processing system;
      
      buffering the target data in a random access memory in the data processing system; and
      
      determining a communication mode between the data processing system and the dynamic filtering of the first stage module so that a request to remove the extraneous data is executable.
  - 17. The method of claim 13, further comprising at least one of:
    - communicating the extracted metadata to a data retention server; and
      
      communicating the set of regular expressions to a master controller.
  - 18. The method of claim 17,wherein the action of interest is subject to a governmental permission as to how the action of interest is usable in the data interception system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SS8, Inc.
Original Assignee
SS8 Networks Incorporated
Inventors
Doddapaneni, Ashok Babu
Primary Examiner(s)
Elallam, Ahmed

Application Number

US13/626,367
Publication Number

US 20140086102A1
Time in Patent Office

1,337 Days
Field of Search

709/224
US Class Current

1/1
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/30 for supporting lawful inter...

Intelligent feedback loop to iteratively reduce incoming network data for analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

344 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Intelligent feedback loop to iteratively reduce incoming network data for analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

344 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links