Correlating packets in communications networks

DC CAFC

US 10,659,573 B2
Filed: 08/28/2019
Issued: 05/19/2020
Est. Priority Date: 02/10/2015
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method comprising:

identifying, by a computing system, a plurality of packets received by a network device from a host located in a first network;

generating, by the computing system, a first plurality of log entries corresponding to the plurality of packets received by the network device;

identifying, by the computing system, a plurality of encrypted packets transmitted by the network device to a host located in a second network;

generating, by the computing system, a second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device;

correlating, by the computing system and based on the first plurality of log entries corresponding to the plurality of packets received by the network device and the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device, the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device; and

responsive to the correlating of the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device;

generating, by the computing system and based on the correlating, one or more rules configured to identify packets received from the host located in the first network; and

provisioning a packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A computing system may identify packets received by a network device from a host located in a first network and may generate log entries corresponding to the packets received by the network device. The computing system may identify packets transmitted by the network device to a host located in a second network and may generate log entries corresponding to the packets transmitted by the network device. Utilizing the log entries corresponding to the packets received by the network device and the log entries corresponding to the packets transmitted by the network device, the computing system may correlate the packets transmitted by the network device with the packets received by the network device.

269 Citations

24 Claims

1. A method comprising:
- identifying, by a computing system, a plurality of packets received by a network device from a host located in a first network;
  
  generating, by the computing system, a first plurality of log entries corresponding to the plurality of packets received by the network device;
  
  identifying, by the computing system, a plurality of encrypted packets transmitted by the network device to a host located in a second network;
  
  generating, by the computing system, a second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device;
  
  correlating, by the computing system and based on the first plurality of log entries corresponding to the plurality of packets received by the network device and the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device, the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to the correlating of the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device;
  
  generating, by the computing system and based on the correlating, one or more rules configured to identify packets received from the host located in the first network; and
  
  provisioning a packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein a communication path that interfaces the network device and the first network comprises a first tap, wherein a communication path that interfaces the network device and the second network comprises a second tap, the method comprising:
    - provisioning, by the computing system, the first tap with one or more rules configured to identify the plurality of packets received by the network device; and
      
      provisioning, by the computing system, the second tap with one or more rules configured to identify the plurality of encrypted packets transmitted by the network device.
  - 3. The method of claim 1, wherein correlating the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device comprises:
    - comparing one or more ports indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.
  - 4. The method of claim 1, wherein correlating the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device comprises:
    - comparing one or more network-interface identifiers of the network device indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.
  - 5. The method of claim 1, wherein correlating the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device comprises:
    - comparing one or more times indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.
  - 6. The method of claim 1, wherein:
    - the first plurality of log entries corresponding to the plurality of packets received by the network device comprises a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
      
      the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device comprises a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of encrypted packets transmitted by the network device; and
      
      correlating the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device comprises comparing one or more times indicated by the plurality of timestamps indicating times corresponding to receipt with one or more times indicated by the plurality of timestamps indicating times corresponding to transmission.
  - 7. The method of claim 1, comprising:
    - determining, by the computing system, that the host located in the second network is associated with a malicious entity; and
      
      generating, by the computing system, one or more rules configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 8. The method of claim 1, comprising:
    - generating, by the computing system, a message identifying the host located in the first network; and
      
      communicating, by the computing system and to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

9. A computing device comprising:
- at least one processor; and
  
  memory comprising instructions that, when executed by the at least one processor, cause the computing device to;
  
  identify a plurality of packets received by a network device from a host located in a first network;
  
  generate a first plurality of log entries corresponding to the plurality of packets received by the network device;
  
  identify a plurality of encrypted packets transmitted by the network device to a host located in a second network;
  
  generate a second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device;
  
  correlate, based on the first plurality of log entries corresponding to the plurality of packets received by the network device and the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device, the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to the correlating of the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate, based on the correlating, one or more rules configured to identify packets received from the host located in the first network; and
  
  provision a packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computing device of claim 9, wherein a communication path that interfaces the network device and the first network comprises a first tap, wherein a communication path that interfaces the network device and the second network comprises a second tap, and wherein the memory comprises instructions that, when executed by the at least one processor, further cause the computing device to:
    - provision the first tap with the one or more rules configured to identify the plurality of packets received by the network device; and
      
      provision the second tap with one or more rules configured to identify the plurality of encrypted packets transmitted by the network device.
  - 11. The computing device of claim 9, wherein the instructions, when executed by the at least one processor, cause the computing device to correlate the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device by causing the computing device to:
    - compare one or more ports indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.
  - 12. The computing device of claim 9, wherein the instructions, when executed by the at least one processor, cause the computing device to correlate the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device by causing the computing device to:
    - compare one or more network-interface identifiers of the network device indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.
  - 13. The computing device of claim 9, wherein the instructions, when executed by the at least one processor, cause the computing device to correlate the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device by causing the computing device to:
    - compare one or more times indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.
  - 14. The computing device of claim 9, wherein:
    - the first plurality of log entries corresponding to the plurality of packets received by the network device comprise a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
      
      the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device comprises a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of encrypted packets transmitted by the network device; and
      
      the instructions, when executed by the at least one processor, cause the computing device to correlate the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device by causing the computing device to compare one or more times indicated by the plurality of timestamps indicating times corresponding to receipt with one or more times indicated by the plurality of timestamps indicating times corresponding to transmission.
  - 15. The computing device of claim 9, wherein the instructions that, when executed by the at least one processor, further cause the computing device to:
    - determine that the host located in the second network is associated with a malicious entity; and
      
      generate one or more rules configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 16. The computing device of claim 9, wherein the instructions that, when executed by the at least one processor, further cause the computing device to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a second computing device associated with an administrator of the first network, the message identifying the host located in the first network.

17. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors of a computing system, cause the computing system to:
- identify a plurality of packets received by a network device from a host located in a first network;
  
  generate a first plurality of log entries corresponding to the plurality of packets received by the network device;
  
  identify a plurality of encrypted packets transmitted by the network device to a host located in a second network;
  
  generate a second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device;
  
  correlate, based on the first plurality of log entries corresponding to the plurality of packets received by the network device and the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device, the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device; and
  
  responsive to the correlating of the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device;
  
  generate, based on the correlating, one or more rules configured to identify packets received from the host located in the first network; and
  
  provision a packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The one or more non-transitory computer-readable media of claim 17, wherein a communication path that interfaces the network device and the first network comprises a first tap, wherein a communication path that interfaces the network device and the second network comprises a second tap, and wherein the instructions, when executed by the one or more processors of the computing system, further cause the computing system to:
    - provision the first tap with the one or more rules configured to identify the plurality of packets received by the network device; and
      
      provision the second tap with one or more rules configured to identify the plurality of encrypted packets transmitted by the network device.
  - 19. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the one or more processors of the computing system, cause the computing system to correlate the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device by causing the computing system to:
    - compare one or more ports indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more ports indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.
  - 20. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the one or more processors of the computing system, cause the computing system to correlate the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device by causing the computing system to:
    - compare one or more network-interface identifiers of the network device indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more network-interface identifiers of the network device indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.
  - 21. The one or more non-transitory computer-readable media of claim 17, wherein the instructions, when executed by the one or more processors of the computing system, cause the computing system to correlate the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device by causing the computing system to:
    - compare one or more times indicated by the first plurality of log entries corresponding to the plurality of packets received by the network device with one or more times indicated by the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device.
  - 22. The one or more non-transitory computer-readable media of claim 21, wherein:
    - the first plurality of log entries corresponding to the plurality of packets received by the network device comprises a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
      
      the second plurality of log entries corresponding to the plurality of encrypted packets transmitted by the network device comprises a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of encrypted packets transmitted by the network device; and
      
      the instructions, when executed by the one or more processors of the computing system, cause the computing system to correlate the plurality of encrypted packets transmitted by the network device with the plurality of packets received by the network device by causing the computing system to compare one or more times indicated by the plurality of timestamps indicating times corresponding to receipt with one or more times indicated by the plurality of timestamps indicating times corresponding to transmission.
  - 23. The one or more non-transitory computer-readable media of claim 17, further comprising instructions that, when executed by the one or more processors of the computing system, cause the computing system to:
    - determine that the host located in the second network is associated with a malicious entity; and
      
      generate one or more rules configured to cause the first network to drop packets transmitted by the host located in the first network.
  - 24. The one or more non-transitory computer-readable media of claim 17, further comprising instructions that, when executed by the one or more processors of the computing system, cause the computing system to:
    - generate a message identifying the host located in the first network; and
      
      communicate, to at least one of the host located in the first network or a computing device associated with an administrator of the first network, the message identifying the host located in the first network.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Ahn, David K., Geremia, Peter P., Mallett, III, Pierre, Moore, Sean, Perry, Robert T.
Primary Examiner(s)
Huq, Obaidul

Application Number

US16/554,293
Publication Number

US 20190394310A1
Time in Patent Office

265 Days
Field of Search

370241
US Class Current
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/087   Jitter

H04L 43/106   using time related informat...

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 45/745   Address table lookup; Addre...

H04L 47/2483   involving identification of...

H04L 47/32   by discarding or delaying d...

H04L 61/2567   for reachability, e.g. inqu...

H04L 63/0263   Rule management

H04L 69/22   Parsing or analysis of headers

Correlating packets in communications networks

First Claim

2 Assignments

Litigations

1 Petition

Accused Products

Abstract

269 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Correlating packets in communications networks

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

269 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others