Correlating Packets in Communications Networks/US

US 20170359449A1
Filed: 01/24/2017
Published: 12/14/2017
Est. Priority Date: 02/10/2015
Status: Active Grant

First Claim

Patent Images

1. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing system may identify packets received by a network device from a host located in a first network and may generate log entries corresponding to the packets received by the network device. The computing system may identify packets transmitted by the network device to a host located in a second network and may generate log entries corresponding to the packets transmitted by the network device. Utilizing the log entries corresponding to the packets received by the network device and the log entries corresponding to the packets transmitted by the network device, the computing system may correlate the packets transmitted by the network device with the packets received by the network device.

10 Citations

View as Search Results

21 Claims

1. (canceled)

2. A method comprising:
- generating, by a computing system, a plurality of log entries corresponding to a plurality of packets received by a network device from a first host located in a first network, each of the plurality of log entries comprising a receipt timestamp indicating a packet receipt time;
  
  generating, by the computing system, a plurality of log entries corresponding to a plurality of packets transmitted by the network device to a second host located in a second network, each of the plurality of log entries comprising a transmission timestamp indicating a packet transmission time;
  
  determining, by the computing system and for each transmission timestamp indicating a packet transmission time, differences between at least one packet transmission time indicated by transmission timestamps and at least one packet receipt time indicated by receipt timestamps;
  
  correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the network device and based on the plurality of log entries corresponding to the plurality of packets transmitted by the network device, at least a portion of the plurality of packets transmitted by the network device with at least a portion of the plurality of packets received by the network device based on the determined differences; and
  
  responsive to correlating the at least the portion of the plurality of packets transmitted by the network device with the at least the portion of the plurality of packets received by the network device;
  
  generating, by the computing system, data identifying the first host located in the first network; and
  
  communicating, by the computing system, the data identifying the first host located in the first network.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 3. The method of claim 2, wherein correlating the at least a portion of the plurality of packets transmitted by the network device with the at least a portion of the plurality of packets received by the network device comprises comparing one or more ports indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 4. The method of claim 2, wherein correlating the at least a portion of the plurality of packets transmitted by the network device with the at least a portion of the plurality of packets received by the network device comprises correlating one or more protocol types indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 5. The method of claim 2, wherein correlating the at least a portion of the plurality of packets transmitted by the network device with the at least a portion of the plurality of packets received by the network device comprises comparing application-layer data indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 6. The method of claim 2, wherein correlating the at least a portion of the plurality of packets transmitted by the network device with the at least a portion of the plurality of packets received by the network device comprises comparing network-interface identifiers indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with network-interface identifiers indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 7. The method of claim 2, wherein correlating the at least a portion of the plurality of packets transmitted by the network device with the at least a portion of the plurality of packets received by the network device comprises comparing one or more times indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 8. The method of claim 2, wherein the network device comprises a proxy configured to:
    - receive requests, for data from the second host located in the second network, transmitted by the first host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the first host located in the first network and configured to cause the second host located in the second network to transmit, to the network device, the data from the second host located in the second network; and
      
      wherein the method further compromises;
      
      correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device by comparing data from the requests transmitted by the first host located in the first network with data from the requests corresponding to the requests transmitted by the second host located in the second network.
  - 9. The method of claim 2, wherein the network device comprises a gateway configured to:
    - receive, from the first host located in the first network, data destined for the second host located in the second network; and
      
      generate one or more packets, destined for the second host located in the second network, encapsulating the data destined for the second host located in the second network; and
      
      wherein the method further compromises;
      
      correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device by comparing at least a portion of the data destined for the second host located in the second network with data from the one or more packets encapsulating the data destined for the second host located in the second network.
  - 10. The method of claim 2, wherein the second host located in the second network is associated with a malicious entity, the method further comprising:
    - generating, by the computing system, data configured to cause the first network to drop packets transmitted by the first host located in the first network.
  - 11. The method of claim 2, wherein a communication path interfaces the network device and the first network comprises a packet-filtering device, the method comprising:
    - generating, by the computing system, one or more rules configured to identify packets received from the first host located in the first network;
      
      provisioning, by the computing system, the packet-filtering device with the one or more rules configured to identify packets received from the first host located in the first network;
      
      identifying, by the packet-filtering device and based on the one or more rules configured to identify packets received from the first host located in the first network, at least one packet received from the first host located in the first network; and
      
      responsive to identifying the at least one packet received from the first host located in the first network, dropping, by the packet-filtering device, the at least one packet received from the first host located in the first network.

12. An apparatus comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the apparatus to;
  
  generate, by the apparatus, a plurality of log entries corresponding to a plurality of packets received by a network device from a first host located in a first network, each of the plurality of log entries comprising a receipt timestamp indicating a packet receipt time;
  
  generate, by the apparatus, a plurality of log entries corresponding to the plurality of packets transmitted by the network device to a second host located in a second network, each of the plurality of log entries comprising a transmission timestamp indicating a packet transmission time;
  
  determine, by the apparatus and for each transmission timestamp indicating a packet transmission time, differences between at least one packet transmission time indicated by transmission timestamps and at least one packet receipt time indicated by receipt timestamps;
  
  correlate, by the apparatus and based on the plurality of log entries corresponding to the plurality of packets received by the network device and based on the plurality of log entries corresponding to the plurality of packets transmitted by the network device, at least a portion of the plurality of packets transmitted by the network device with at least a portion of the plurality of packets received by the network device based on the determined differences; and
  
  responsive to correlating the at least the portion of the plurality of packets transmitted by the network device with the at least the portion of the plurality of packets received by the network device;
  
  generate, by the apparatus, data identifying the first host located in the first network; and
  
  communicate, by the apparatus, the data identifying the first host located in the first network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The apparatus of claim 12, wherein the instructions, when executed by the at least one processor, cause the apparatus to correlate the at least a portion of the plurality of packets transmitted by the network device with the at least a portion of the plurality of packets received by the network device based on a comparison of one or more ports indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with one or more ports indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 14. The apparatus of claim 12, wherein the instructions, when executed by the at least one processor, cause the apparatus to correlate one or more protocol types indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with one or more protocol types indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 15. The apparatus of claim 12, wherein the instructions, when executed by the at least one processor, cause the apparatus to correlate the at least a portion of the plurality of packets transmitted by the network device with the at least a portion of the plurality of packets received by the network device based on a comparison of application-layer data indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with application-layer data indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 16. The apparatus of claim 12, wherein the instructions, when executed by the at least one processor, cause the apparatus to correlate the at least a portion of the plurality of packets transmitted by the network device with the at least a portion of the plurality of packets received by the network device based on a comparison of network-interface identifiers indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with network-interface identifiers indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 17. The apparatus of claim 12, wherein the instructions, when executed by the at least one processor, cause the apparatus to correlate the at least a portion of the plurality of packets transmitted by the network device with the at least a portion of the plurality of packets received by the network device based on a comparison of one or more times indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets received by the network device with one or more times indicated by the plurality of log entries corresponding to the at least a portion of the plurality of packets transmitted by the network device.
  - 18. The apparatus of claim 12, wherein the network device comprises a proxy configured to:
    - receive requests, for data from the second host located in the second network, transmitted by the first host located in the first network; and
      
      generate requests corresponding to the requests transmitted by the first host located in the first network and configured to cause the second host located in the second network to transmit, to the network device, the data from the second host located in the second network; and
      
      wherein the instructions, when executed by the at least one processor, cause the apparatus to;
      
      correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device by comparing data from the requests transmitted by the first host located in the first network with data from the requests corresponding to the requests transmitted by the second host located in the second network.
  - 19. The apparatus of claim 12, wherein the network device comprises a gateway configured to:
    - receive, from the first host located in the first network, data destined for the second host located in the second network; and
      
      generate one or more packets, destined for the second host located in the second network, encapsulating the data destined for the second host located in the second network; and
      
      wherein the instructions, when executed by the at least one processor, cause the apparatus to;
      
      correlate the plurality of packets transmitted by the network device with the plurality of packets received by the network device by comparing at least a portion of the data destined for the second host located in the second network with data from the one or more packets encapsulating the data destined for the second host located in the second network.
  - 20. The apparatus of claim 12, wherein the second host located in the second network is associated with a malicious entity, and wherein the instructions, when executed by the at least one processor, cause the apparatus to generate data configured to cause the first network to drop packets transmitted by the first host located in the first network.
  - 21. The apparatus of claim 12, wherein the instructions, when executed by the at least one processor, cause the apparatus to:
    - generate one or more rules configured to identify packets received from the first host located in the first network;
      
      provision a packet-filtering device with the one or more rules configured to identify packets received from the first host located in the first network; and
      
      configure the packet-filtering device to;
      
      identify, based on the one or more rules configured to identify packets received from the first host located in the first network, at least one packet received from the first host located in the first network; and
      
      responsive to identifying the at least one packet received from the first host located in the first network, drop the at least one packet received from the first host located in the first network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Ahn, David K., Geremia, Peter P., Mallett, III, Pierre, Moore, Sean, Perry, Robert T.

Granted Patent

US 10,530,903 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 43/087   Jitter

H04L 43/106   using time related informat...

H04L 43/12   Network monitoring probes

H04L 43/16   Threshold monitoring

H04L 45/745   Address table lookup; Addre...

H04L 47/2483   involving identification of...

H04L 47/32   by discarding or delaying d...

H04L 61/2567   for reachability, e.g. inqu...

H04L 63/0263   Rule management

H04L 69/22   Parsing or analysis of headers

Correlating Packets in Communications Networks/US

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Correlating Packets in Communications Networks/US

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others