System and method for efficient classification and processing of network traffic

US 10,454,790 B2
Filed: 03/26/2018
Issued: 10/22/2019
Est. Priority Date: 01/27/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

multiple flow analysis processors which are configured to analyze data content of flows of communication packets, wherein each of the multiple flow analysis processors is configured to carry out a different analytics function;

at least one classification processor, which is configured to classify each the flows of communication packets to one of a plurality of classifications, wherein the plurality of classifications include one or more classifications selected from a group of classifications consisting of;

unclassified;

requested for further analysis;

not requested for further analysis;

requested for forwarding to a monitoring center;

requested for long-term storage; and

requested for further analysis by a given flow analysis processor of the multiple flow analysis processors; and

a front-end processor, which is configured to receive input packets from a communication network, to associate each of the input packets with a respective one of the input flows of communication packets, and determine to which of the multiple flow analysis processors to forward each of the flows based on the respective classification of each of the flows of communication packets.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for analyzing flows of communication packets. A front-end processor associates input packets with flows and forwards each flow to the appropriate unit, typically by querying a flow table that holds a respective classification for each active flow. In general, flows that are not yet classified are forwarded to the classification unit, and the resulting classification is entered in the flow table. Flows that are classified as requested for further analysis are forwarded to an appropriate flow analysis unit. Flows that are classified as not requested for analysis are not subjected to further processing, e.g., discarded or allowed to pass.

24 Citations

View as Search Results

18 Claims

1. A system, comprising:
- multiple flow analysis processors which are configured to analyze data content of flows of communication packets, wherein each of the multiple flow analysis processors is configured to carry out a different analytics function;
  
  at least one classification processor, which is configured to classify each the flows of communication packets to one of a plurality of classifications, wherein the plurality of classifications include one or more classifications selected from a group of classifications consisting of;
  
  unclassified;
  
  requested for further analysis;
  
  not requested for further analysis;
  
  requested for forwarding to a monitoring center;
  
  requested for long-term storage; and
  
  requested for further analysis by a given flow analysis processor of the multiple flow analysis processors; and
  
  a front-end processor, which is configured to receive input packets from a communication network, to associate each of the input packets with a respective one of the input flows of communication packets, and determine to which of the multiple flow analysis processors to forward each of the flows based on the respective classification of each of the flows of communication packets.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the different analytics function performed by one of the multiple flow analysis processors is selected from the group of analytics functions consisting of:
    - an analytics function to search for occurrences of key words or key phrases;
      
      an analytics function to search for occurrences of regular expressions;
      
      an analytics function to decrypt encrypted data; and
      
      an analytics function to scan for viruses or other malicious software or content.
  - 3. The system of claim 1, wherein the at least one classification processor is further configured to identify an application that is served by a given flow of the flows of communication packets, wherein the front-end processor is further configured to determine to which of the multiple flow analysis processors to forward the given flow based on the identified application.
  - 4. The system according to claim 1, wherein the at least one classification processor comprises multiple classification processors, and wherein the front-end processor is configured to distribute the flows of communication packets for classification among the multiple classification processors.
  - 6. The system according to claim 1, wherein the front-end processor is further configured to discard or allow a given flow to pass without further processing by the system when the given flow is classified as not requested for subsequent analysis.
  - 7. The system according to claim 1, wherein the front-end processor is further configured to forward a given flow to the at least one classification processor when the given flow is unclassified.
  - 8. The system according to claim 1, wherein the front-end processor is further configured to associate each of the input packets with a respective one of the flows of communication packets based on a key or tuple of packet attributes of the input packets.
  - 9. The system according to claim 1, further comprising:
    - a flow table, wherein each entry of the flow table comprises a key or tuple of packet attributes of a given flow and a classification of the given flow.

5. A system, comprising:
- multiple flow analysis processors which are configured to analyze data content of flows of communication packets, wherein each of the multiple flow analysis processors is configured to carry out a different analytics function;
  
  at least one classification processor, which is configured to classify each the flows of communication packets to one of a plurality of classifications;
  
  a front-end processor, which is configured to receive input packets from a communication network, to associate each of the input packets with a respective one of the flows of communication packets, and determine to which of the multiple flow analysis processors to forward each of the flows based on the respective classification of each of the flows of communication packets; and
  
  an additional flow analysis processor of a given one of the multiple flow analysis processors, the additional flow analysis processor configured to carry out the same analytics function as the given one of the multiple flow analysis processors,wherein the front-end processor is further configured to balance a flow analysis load among the additional flow analysis processor and the given one of the multiple flow analysis processors.

10. A method, comprising:
- receiving an input packet from a communication network at a front-end processor;
  
  associating, by the front-end processor, the input packet with a flow of communication packets;
  
  determining, by the front-end processor, to which one of multiple flow analysis processors to forward the input packet based on a classification of the flow to one of a plurality of classifications, wherein each of the multiple flow analysis processors is configured to carry out a different analytics function to analyze data content of flows of communications packets, wherein the plurality of classifications include one or more classifications selected from a group of classifications consisting of;
  
  unclassified;
  
  requested for further analysis;
  
  not requested for further analysis;
  
  requested for forwarding to a monitoring center;
  
  requested for long-term storage; and
  
  requested for further analysis by a given flow analysis processor of the multiple flow analysis processors; and
  
  sending, by the front-end processor, the input packet to the determined flow analysis processor.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, further comprising:
    - analyzing the flow, by the determined flow analysis processor, according to a respective analytics function of the determined flow analysis processor.
  - 12. The method of claim 10, further comprising:
    - sending, by the front-end processor, the flow to a classification processor; and
      
      classifying the flow, by the classification processor, to the classification from among the plurality of classifications.
  - 13. The method of claim 10, further comprising:
    - discarding or allowing a given flow to pass, by the front-end processor, without further processing when the given flow is classified as not requested for subsequent analysis.
  - 14. The method of claim 10, wherein the different analytics function performed by the determined flow analysis processor is selected from the group of analytics functions consisting of:
    - an analytics function to search for occurrences of key words or key phrases;
      
      an analytics function to search for occurrences of regular expressions;
      
      an analytics function to decrypt encrypted data; and
      
      an analytics function to scan for viruses or other malicious software or content.
  - 15. The method of claim 12, further comprising:
    - identifying, by the classification processor, an application that is served by the flow, wherein determining, by the front-end processor, to which one of the multiple flow analysis processors to forward the input packet is further based on the identified application.
  - 16. The method of claim 12, wherein the classification processor is one of a plurality of classification processors for classifying flows of communication packets, wherein sending the flow to the classification processor further comprises distributing the flow to the classification processor from among the multiple classification processors.
  - 17. The method of claim 10, wherein associating the input packet with a flow of communication packets is based on a key or tuple of packet attributes of the input packet.

18. A method, comprising:
- receiving an input packet from a communication network at a front-end processor;
  
  associating, by the front-end processor, the input packet with a flow of communication packets;
  
  determining, by the front-end processor, to which one of multiple flow analysis processors to forward the input packet based on a classification of the flow to one of a plurality of classifications, wherein each of the multiple flow analysis processors is configured to carry out a different analytics function to analyze data content of flows of communications packets;
  
  sending, by the front-end processor, the input packet to the determined flow analysis processor; and
  
  balancing, by the front-end processor, a flow analysis load among the determined flow analysis processor and an additional flow analysis processor configured to carry out the same analytics function as the determined flow analysis processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Goldfarb, Eithan, Altman, Yuval, Frid, Naomi, Yaari, Gur
Primary Examiner(s)
Salad, Abdullahi E

Application Number

US15/935,407
Publication Number

US 20180295035A1
Time in Patent Office

575 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/30   for supporting lawful inter...

H04L 63/306   intercepting packet switche...

System and method for efficient classification and processing of network traffic

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for efficient classification and processing of network traffic

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links