System and method for conditional analysis of network traffic

US 9,628,580 B2
Filed: 10/30/2014
Issued: 04/18/2017
Est. Priority Date: 10/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving network traffic that carries content items for processing by an analytics system;

extracting a content item from the network traffic;

finding whether the content item is a duplicate of previous content that was already processed by the analytics system and cached;

when the content item is found to duplicate the previous content, retrieving and outputting a cached analytics outcome of the content item;

when the content item is found not to duplicate any previous content, causing the analytics system to produce the analytics outcome for the content item, and caching the analytics outcome, wherein extracting the content item comprises deriving a respective unique identifier for the content item, and wherein finding that the content item does not duplicate comprises validating that the unique identifier does not match any identifier in a cache memory that caches identifiers of previous content items that were processed by the analytics system; and

for a given content item, counting a number of matching, occurrences of the given content item, and caching the number of matching occurrences in the cache memory in association with the unique identifier of the given content item, for use by the analytics system, wherein caching the number of matching occurrences comprises deleting from the cache memory the given content identifier if the number of matching occurrences during a predefined duration is lower than a predefined threshold, wherein the number of matching occurrences is multiplied by a weight factor that is based on a processing time of the content item.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments that are described herein provide improved methods and systems for analyzing network traffic. The disclosed embodiments enable an analytics system to perform complex processing to only new, first occurrences of received content, while refraining from processing duplicate instances of that content. In a typical embodiment, the analytics results regarding the first occurring content are reported and cached in association with the content. For any duplicate instance of the content, the analytics results are retrieved from the cache without re-processing of the duplicate content. When using the disclosed techniques, the system still processes all first occurring content but not duplicate instances of content that was previously received and processed. In the embodiments described herein, input data comprises communication packets exchanged in a communication network.

Citations

16 Claims

1. A method, comprising:
- receiving network traffic that carries content items for processing by an analytics system;
  
  extracting a content item from the network traffic;
  
  finding whether the content item is a duplicate of previous content that was already processed by the analytics system and cached;
  
  when the content item is found to duplicate the previous content, retrieving and outputting a cached analytics outcome of the content item;
  
  when the content item is found not to duplicate any previous content, causing the analytics system to produce the analytics outcome for the content item, and caching the analytics outcome, wherein extracting the content item comprises deriving a respective unique identifier for the content item, and wherein finding that the content item does not duplicate comprises validating that the unique identifier does not match any identifier in a cache memory that caches identifiers of previous content items that were processed by the analytics system; and
  
  for a given content item, counting a number of matching, occurrences of the given content item, and caching the number of matching occurrences in the cache memory in association with the unique identifier of the given content item, for use by the analytics system, wherein caching the number of matching occurrences comprises deleting from the cache memory the given content identifier if the number of matching occurrences during a predefined duration is lower than a predefined threshold, wherein the number of matching occurrences is multiplied by a weight factor that is based on a processing time of the content item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, and comprising, in response to finding that the content item does not duplicate, caching the unique identifier of the content item, and the analytics outcome produced for the content item by the analytics system, in the cache memory in association with the unique identifier.
  - 3. The method according to claim 1, wherein deriving the unique identifier comprises composing the unique identifier from at least part of a Uniform Resource Locator (URL) in which the content item resides.
  - 4. The method according to claim 3, wherein the at least part of the URL is chosen to exclude a variable section of the URL.
  - 5. The method according to claim 1, wherein extracting the content item comprises extracting a traffic transaction created by servers that are infected by malware, and wherein deriving the unique identifier comprises deriving a pattern of the traffic transaction.
  - 6. The method according to claim 1, wherein deriving the unique identifier comprises calculating a digital signature over at least part of the content item.
  - 7. The method according to claim 6, wherein calculating the digital signature comprises calculating the digital signature over only a predefined portion of the content item.
  - 8. The method according to claim 7, wherein the predefined portion is chosen to exclude a section of the content item that varies among duplicates of the content item.
  - 9. The method according to claim 1, wherein the unique identifier comprises a first signature and a second signature, which is stronger than the first signature, and wherein validating that the unique identifier does not match any identifier in the cache memory comprises checking the second signature only if checking the first signature is not sufficient for deciding that the identifier does not match.
  - 10. The method according to claim 1, wherein extracting the content item comprises recognizing HTTP transactions in the network traffic and extracting the content item from the HTTP transactions.
  - 11. The method according to claim 10, wherein the content item comprises a multimedia content.
  - 12. The method according to claim 1, wherein the analytics system produces analytics outcomes based on an analytics rule, and comprising, upon changing the analytics rule, updating cached analytics outcomes for the content items for which the analytics rule was applied.
  - 13. The method according to claim 12, wherein changing the analytics rule comprises removing the analytics rule, and wherein updating the analytics outcomes comprises deleting the cached content items for which the analytics rule was applied.
  - 14. The method according to claim 12, wherein changing the analytics rule comprises changing the analytics rule with respect to a given content type, and wherein updating the analytics outcomes comprises removing the cached content items of the given content type.
  - 15. The method according to claim 12, wherein changing the analytics rule comprises replacing the analytics rule with a new analytics rule, which is different from the analytics rule, and wherein updating the analytics outcomes comprises producing new analytics outcomes by applying the new analytics rule to the content items and replacing the cached analytics outcomes with the new analytics outcomes.

16. An apparatus, comprising:
- an input circuit, which is configured to receive network traffic that carries content items for processing by an analytics system; and
  
  a processor coupled to a memory, which is configured to extract a content item from the network traffic, to find whether the content item is a duplicate of a previous content that was already processed by the analytics system and cached, to retrieve and output a cached analytics outcome of the content item when the content item is found to duplicate the previous content, and, when the content item is found not to duplicate any previous content, to cause the analytics system to produce the analytics outcome for the content item and to cache the analytics outcome, wherein extracting the content item comprises the processor deriving a respective unique identifier for the content item, and wherein finding that the content item does not duplicate comprises the processor validating that the unique identifier does not match any identifier in a cache memory that caches identifies of previous content items that were processed by the analytics system;
  
  wherein for a given content item the processor is further configured to count a number of matching occurrences of the given content item, and cache the number of matching occurrences in the cache memory in association with the unique identifier of the given content item, for use by the analytics system, wherein caching the number of matching occurrences comprises the processor deleting from the cache memory the given content identifier if the number of matching occurrences during a predefined duration is lower than a predefined threshold, wherein the number of matching occurrences is multiplied by a weight factor that is based on a processing time of the content item.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Yishay, Yitshak, Goldfarb, Eithan
Primary Examiner(s)
Hussain, Tauqir
Assistant Examiner(s)
MOREAU, AUSTIN J

Application Number

US14/527,894
Publication Number

US 20150134768A1
Time in Patent Office

901 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0813   with a network or matrix co...

G06F 2212/154   Networked environment

G06F 2212/60   Details of cache memory

G06F 2212/62   Details of cache specific t...

H04L 43/062   related to network traffic

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/02   based on web technology, e....

H04L 67/535   Tracking the activity of th...

H04L 67/568   Storing data temporarily at...

System and method for conditional analysis of network traffic

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for conditional analysis of network traffic

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links