Filtering network data transfers
US-9160713-B2 · Oct 13, 2015 · US
| Field | Value |
|---|---|
| Publication number | US-10931797-B2 |
| Application number | US-202016854094-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 21, 2020 |
| Priority date | Feb 10, 2015 |
| Publication date | Feb 23, 2021 |
| Grant date | Feb 23, 2021 |
Abstract:
A computing system may identify packets received by a network device from a host located in a first network and may generate log entries corresponding to the packets received by the network device. The computing system may identify packets transmitted by the network device to a host located in a second network and may generate log entries corresponding to the packets transmitted by the network device. Utilizing the log entries corresponding to the packets received by the network device and the log entries corresponding to the packets transmitted by the network device, the computing system may correlate the packets transmitted by the network device with the packets received by the network device.
Claims (preview):
What is claimed is:

1. A method comprising: determining, by a computing system, a first plurality of log entries corresponding to a first plurality of packets received by a network device from a first host located in a first network; determining a second plurality of log entries corresponding to a second plurality of packets transmitted by the network device to a second host located in a second network; correlating, by the computing system, the second plurality of packets transmitted by the network device with the first plurality of packets received by the network device by comparing at least a first portion of the first plurality of log entries with at least a second portion of the second plurality of log entries; determining a correlation based on correlating the first plurality of packets and the second plurality of packets; generating, by the computing system and based on the determined correlation, one or more rules configured to identify packets received from the first host; and provisioning a packet-filtering device with the one or more rules.
2. The method of claim 1, further comprising: provisioning, by the computing system and based on the determined correlation, a first tap associated with the first network with one or more first rules configured to identify the first plurality of packets received by the network device; and provisioning, by the computing system and based on the determined correlation, a second tap associated with the second network with one or more second rules configured to identify the second plurality of packets transmitted by the network device.
3. The method of claim 1, wherein comparing the at least the first portion of the first plurality of log entries with the at least the second portion of the second plurality of log entries comprises: comparing one or more first ports indicated by the first plurality of log entries with one or more second ports indicated by the second plurality of log entries.
4. The method of claim 1, wherein comparing the at least the first portion of the first plurality of log entries with the at least the second portion of the second plurality of log entries comprises: comparing one or more first network-interface identifiers indicated by the first plurality of log entries with one or more second network-interface identifiers indicated by the second plurality of log entries.
5. The method of claim 1, wherein comparing the at least the first portion of the first plurality of log entries with the at least the second portion of the second plurality of log entries comprises: comparing one or more first times indicated by the first plurality of log entries with one or more second times indicated by the second plurality of log entries.
6. The method of claim 1, wherein: the first plurality of log entries comprises a first plurality of timestamps indicating times corresponding to receipt, by the network device, of the first plurality of packets received by the network device; the second plurality of log entries comprises a second plurality of timestamps indicating times corresponding to transmission, by the network device, of the second plurality of packets transmitted by the network device; and comparing the at least the first portion of the first plurality of log entries with the at least the second portion of the second plurality of log entries comprises comparing the first plurality of timestamps with the second plurality of timestamps.
7. The method of claim 1, further comprising: determining, by the computing system, that the first host is associated with a malicious entity; and causing one or more computing devices associated with the first network to drop packets transmitted by the first host.
8. The method of claim 1, further comprising: generating, by the computing system, a message identifying the first host; and sending the message.
9. The method of claim 1, wherein the second plurality of packets transmitted by the network device are encrypted.
10. The method of claim 1, wherein the second plurality of packets transmitted by the network device are encapsulated.
11. The method of claim 1, wherein generating the one or more rules comprises: receiving user input defining the one or more rules.
12. A computing device comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the computing device to: determine a first plurality of log entries corresponding to a first plurality of packets received by a network device from a first host located in a first network; determine a second plurality of log entries corresponding to a second plurality of packets transmitted by the network device to a second host located in a second network; correlate the second plurality of packets transmitted by the network device with the first plurality of packets received by the network device by comparing at least a first portion of the first plurality of log entries with at least a second portion of the second plurality of log entries; determine a correlation based on correlating the first plurality of packets and the second plurality of packets; generate, based on the determined correlation, one or more rules configured to identify packets received from the first host; and provision a packet-filtering device with the one or more rules.
13. The computing device of claim 12, wherein the instructions, when executed by the one or more processors, further cause the computing device to: provision, based on the determined correlation, a first tap associated with the first network with one or more first rules configured to identify the first plurality of packets received by the network device; and provision, based on the determined correlation, a second tap associated with the second network with one or more second rules configured to identify the second plurality of packets transmitted by the network device.
14. The computing device of claim 12, wherein the instructions, when executed by the one or more processors, further cause the computing device to compare the at least the first portion of the first plurality of log entries with the at least the second portion of the second plurality of log entries by: comparing one or more first ports indicated by the first plurality of log entries with one or more second ports indicated by the second plurality of log entries.
15. The computing device of claim 12, wherein the instructions, when executed by the one or more processors, further cause the computing device to compare the at least the first portion of the first plurality of log entries with the at least the second portion of the second plurality of log entries by: comparing one or more first network-interface identifiers indicated by the first plurality of log entries with one or more second network-interface identifiers indicated by the second plurality of log entries.
16. The computing device of claim 12, wherein the instructions, when executed by the one or more processors, further cause the computing device to compare the at least the first portion of the first plurality of log entries with the at least the second portion of the second plurality of log entries by: comparing one or more first times indicated by the first plurality of log entries with one or more second times indicated by the second plurality of log entries.
17. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors of a computing device, cause the computing device to: determine a first
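The correlation and rule-provisioning steps of claims 1, 6 and 7, as an added illustration that is not part of the patent document: the gateway's egress packets are encapsulated (claim 10), so the original source address is invisible on the second tap and each transmitted packet is matched to ingress packets by timestamp within a short window; the hosts correlated with a chosen peer are then turned into drop rules loaded into a minimal filter. The log tuples, the window size and the rule format are constructed assumptions.

```python
from bisect import bisect_left, bisect_right
from collections import Counter

# Constructed sample logs, one tuple per packet:
# (timestamp_s, interface, src_ip, dst_ip, dst_port).
# First tap: packets the gateway receives from hosts in the first network.
RECEIVED = [
    (100.000, "eth0", "10.0.0.5", "10.0.0.1", 443),
    (100.010, "eth0", "10.0.0.7", "10.0.0.1", 443),
    (100.020, "eth0", "10.0.0.5", "10.0.0.1", 443),
    (100.500, "eth0", "10.0.0.9", "10.0.0.1", 80),
]
# Second tap: the same packets after the gateway encapsulated them, so only
# the gateway's outer address and the remote peer are visible.
TRANSMITTED = [
    (100.001, "eth1", "203.0.113.1", "198.51.100.20", 4500),
    (100.011, "eth1", "203.0.113.1", "198.51.100.30", 4500),
    (100.021, "eth1", "203.0.113.1", "198.51.100.20", 4500),
    (100.501, "eth1", "203.0.113.1", "198.51.100.40", 4500),
]

def correlate(received, transmitted, window=0.005):
    """Pair each transmitted packet with every received packet logged within
    `window` seconds before it (timestamp comparison as in claim 6).
    Returns a Counter keyed by (first_host, second_host)."""
    rx_sorted = sorted(received)
    rx_ts = [entry[0] for entry in rx_sorted]  # sorted timestamps for bisect
    pairs = Counter()
    for ts, _iface, _src, second_host, _dport in transmitted:
        lo = bisect_left(rx_ts, ts - window)
        hi = bisect_right(rx_ts, ts)
        for entry in rx_sorted[lo:hi]:
            pairs[(entry[2], second_host)] += 1
    return pairs

def rules_for_peer(pairs, second_host, min_hits=1):
    """Generate drop rules for each first host correlated with `second_host`
    at least `min_hits` times (the rules of claim 1, action as in claim 7)."""
    hosts = {fh for (fh, sh), n in pairs.items() if sh == second_host and n >= min_hits}
    return [{"action": "drop", "src": fh} for fh in sorted(hosts)]

class PacketFilter:
    """Minimal packet-filtering device: provisioned with rules, decides per source."""
    def __init__(self):
        self.rules = []
    def provision(self, rules):
        self.rules.extend(rules)
    def decide(self, src_ip):
        # First matching rule wins; unmatched sources are allowed.
        return next((r["action"] for r in self.rules if r["src"] == src_ip), "allow")
```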
CPC classifications:
- Parsing or analysis of headers
- Processing captured monitoring data, e.g. for logfile generation
- Network monitoring probes
- using time related information in packets, e.g. by adding timestamps
- using flow identification