Intelligent feedback loop to iteratively reduce incoming network data for analysis

Information

  • Patent Grant
  • 9350762
  • Patent Number
    9,350,762
  • Date Filed
    Tuesday, September 25, 2012
  • Date Issued
    Tuesday, May 24, 2016
Abstract
A method, apparatus and system related to an intelligent feedback loop to iteratively reduce target packet analysis is disclosed. According to one embodiment, a method of a network traffic monitoring system includes processing a flow data received through an aggregation switch of a network traffic monitoring system in a first stage module of the network traffic monitoring system, filtering the flow data to a target data based on a packet classification in the first stage module, determining that a portion of a target data is an extraneous data based on a content filtering algorithm applied in a data processing system of the network traffic monitoring system, and iteratively removing from the target data the extraneous data based on a feedback loop created between the data processing system and the first stage module of the network traffic monitoring system.
Description
FIELD OF TECHNOLOGY

This disclosure relates generally to the technical field of network communication, and in one example embodiment, this disclosure relates to a method, apparatus, and system of a feedback loop to iteratively remove extraneous portions of data in packets to be analyzed.


BACKGROUND

An application specific integrated circuit may be designed to process a large volume of data to highlight actions of interest according to a network traffic monitoring system. When changes are made to a network device (e.g., a router, a switch), the application specific integrated circuit may no longer be able to process the large volume of data to highlight the actions of interest. As such, investments in engineering time, labor cost, inventory, and/or distribution may be wasted.


The application specific integrated circuit may be expensive to redesign. For example, the application specific integrated circuit may not adapt to changes in a network topology (e.g., routing paths, network nodes, security protocols, communication protocols). When the application specific integrated circuit is inoperable, cybercrime and other illegal activities may be unnoticed and/or increase. As such, law enforcement resources may not be able to prevent illegal activities and threats to public security.


SUMMARY

A method, apparatus and system related to an intelligent feedback loop to iteratively reduce target packet analysis is disclosed. In one aspect, a method of a network traffic monitoring system includes processing a flow data received through an aggregation switch of a network traffic monitoring system in a first stage module of the network traffic monitoring system, filtering the flow data to a target data based on a packet classification in the first stage module, determining that a portion of a target data is an extraneous data based on a content filtering algorithm applied in a data processing system of the network traffic monitoring system, and iteratively removing from the target data the extraneous data based on a feedback loop created between the data processing system and the first stage module of the network traffic monitoring system.


The method may involve processing a flow data received through an aggregation switch of a network traffic monitoring system in the first stage and converting the flow data to a target data based on a packet classification in the first stage. The method may also involve applying a content filtering algorithm to the target data in the second stage and communicating which portion of the target data is extraneous from the second stage to the first stage based on the content filtering algorithm. The method may further involve applying a static filtering algorithm of the flow data based on an internet protocol analysis and a port analysis in the first stage, applying a tuple hash algorithm to map the flow data having a variable length into an ordered list of elements having a fixed length of the flow data in the first stage, and dynamically filtering the flow data in the first stage based on the static filtering algorithm and the tuple hash algorithm, and based on a removal of the extraneous data communicated from a filtering intelligence algorithm of the second stage.


The method may further include applying a zero-copy driver and a use buffer in at least one of the first stage and the second stage, reducing processing power and memory usage through the application of the zero-copy driver and the use buffer in the second stage, buffering the target data in a random access memory in the second stage, classifying a set of protocols associated with the target data in the second stage, applying the filtering intelligence algorithm to extract the extraneous data from the target data in the second stage, and determining a communication mode between the second stage and the dynamic filtering operation of the first stage so that a request to remove the extraneous data based on the filtering intelligence algorithm of the second stage is executable.


The method may also involve extracting a meta data associated with the target data in the second stage, communicating the extracted meta data to a data retention server, applying a regex based targeting algorithm to the target data in the second stage to produce a set of regular expressions describing a search pattern and communicating the set of regular expressions to a master controller. The method may further involve analyzing the target data to discover an action of interest in the set of regular expressions associated with a target individual in the second stage. The action of interest may be subject to a governmental permission as to how the action of interest is usable in a lawful data interception system.


In another aspect, a system includes an aggregation switch to consolidate a flow data, a first stage module to create a target data from the flow data through an iterative exclusion of an extraneous data, and a data processing system comprising a processor and a memory to iteratively remove from the target data the extraneous data, and to form a feedback loop between the data processing system and the first stage module of the network traffic monitoring system. The first stage module may process the flow data received through an aggregation switch of the network traffic monitoring system and convert the flow data to a target data based on a packet classification in the first stage. The data processing system may apply a content filtering algorithm to the target data in the data processing system and communicate which portion of the target data is extraneous from the data processing system to the first stage module based on the content filtering algorithm. The first stage module may apply a static filtering algorithm of the flow data based on an internet protocol analysis and a port analysis using the first stage module, a tuple hash algorithm to map the flow data having a variable length into an ordered list of elements having a fixed length of the flow data in the first stage, and dynamically filter the flow data in the first stage based on the static filtering algorithm and the tuple hash algorithm, and based on a removal of the extraneous data communicated from a filtering intelligence algorithm of the data processing system.


The data processing system may further include applying a zero-copy driver and a use buffer in the data processing system, reducing processing power and memory usage through the application of the zero-copy driver and the use buffer in the data processing system, buffering the target data in a random access memory in the data processing system, classifying a set of protocols associated with the target data in the data processing system, applying the filtering intelligence algorithm to extract the extraneous data from the target data in the data processing system, and determining a communication mode between the data processing system and the dynamic filtering operation of the first stage so that a request to remove the extraneous data based on the filtering intelligence algorithm of the data processing system is executable.


The data processing system may further involve extracting a meta data associated with the target data in the data processing system, communicating the extracted meta data to a data retention server, applying a regex based targeting algorithm to the target data in the data processing system to produce a set of regular expressions describing a search pattern, and communicating the set of regular expressions to a master controller. The data processing system may also analyze the target data to discover an action of interest in the set of regular expressions associated with a target individual in the data processing system.


In yet another aspect, a method of a network traffic monitoring system includes processing a flow data received through an aggregation switch of a network traffic monitoring system in a first stage module of the network traffic monitoring system, filtering the flow data to a target data based on a packet classification in the first stage module, determining that a portion of a target data is an extraneous data based on a content filtering algorithm applied in a data processing system of the network traffic monitoring system, and iteratively removing from the target data the extraneous data based on a feedback loop created between the data processing system and the first stage module of the network traffic monitoring system.


The method of a network traffic monitoring system may also involve applying a content filtering algorithm to the target data in the data processing system and communicating which portion of the target data is extraneous from the data processing system to the first stage module based on the content filtering algorithm. The method of a network traffic monitoring system may further involve applying a static filtering algorithm of the flow data based on an internet protocol analysis and a port analysis in the first stage, applying a tuple hash algorithm to map the flow data having a variable length into an ordered list of elements having a fixed length of the flow data in the first stage, and dynamically filtering the flow data in the first stage module based on the static filtering algorithm and the tuple hash algorithm, and based on a removal of the extraneous data communicated from a filtering intelligence algorithm of the data processing system.


The method of a network traffic monitoring system may also include applying a zero-copy driver and a use buffer in the data processing system, reducing processing power and memory usage through the application of the zero-copy driver and the use buffer in the data processing system, buffering the target data in a random access memory in the data processing system, classifying a set of protocols associated with the target data in the data processing system, applying the filtering intelligence algorithm to extract the extraneous data from the target data in the data processing system, and determining a communication mode between the data processing system and the dynamic filtering operation of the first stage module so that a request to remove the extraneous data based on the filtering intelligence algorithm of the data processing system is executable.


The method of a network traffic monitoring system may also include extracting a meta data associated with the target data in the data processing system, communicating the extracted meta data to a data retention server, applying a regex based targeting algorithm to the target data in the data processing system to produce a set of regular expressions describing a search pattern, and communicating the set of regular expressions to a master controller. The method of a network traffic monitoring system may further include analyzing the target data to discover an action of interest in the set of regular expressions associated with a target individual in the data processing system. The action of interest may be subject to a governmental permission as to how the action of interest is usable in a lawful data interception system.





BRIEF DESCRIPTION OF DRAWINGS

Example embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:



FIG. 1 is an event map illustrating temporal discrepancies in responses to changes in network security by different network monitoring solutions, according to one embodiment.



FIG. 2 is a functional block diagram of a network traffic monitoring system 200 comprising a first stage 202 communicating with a second stage 204, which provides feedback to the first stage 202 through a feedback loop 206, according to one embodiment.



FIG. 3 is a functional block diagram that illustrates the components of the feedback loop 206 of the network traffic monitoring system 200 of FIG. 2, according to one embodiment.



FIG. 4 is a functional block diagram that illustrates the first stage module of FIG. 3 mapping the flow data 302 into an ordered list of elements 404, according to one embodiment.



FIG. 5 is a functional block diagram of the data processing system 308 of FIG. 3 which buffers the target data 312 in a random access memory 334, classifies a set of protocols 504 associated with the target data 312, and communicates a request to remove extraneous data 320 to the first stage 202, according to one embodiment.



FIG. 6 is a schematic view of the data processing system 308 of FIG. 3 reporting a search pattern 604 to a master controller 606 and an extracted meta data 608 of the target data 612 to a data retention server 610, according to one embodiment.



FIG. 7 is a table view illustrating a governmental permission 708 accessed through a lawful data interception system 710 to capture the target data 612 of FIG. 6 associated with an action of interest 706, according to one embodiment.



FIG. 8 is a process flow chart of a method of the first stage module 202 of FIG. 2 for converting the flow data 302 to the target data 312, according to one embodiment.



FIG. 9 is a process flow chart, continued from FIG. 8, of a method of the data processing system 308 of FIG. 3 for determining a portion of extraneous data 318 and communicating the extraneous data 318 to the first stage 202, according to one embodiment.



FIG. 10 is a process flow chart, continued from FIG. 9, of a method of a feedback loop 206 of FIG. 2 to iteratively remove a portion of extraneous data from the target data 312, according to one embodiment.



FIG. 11 is a process flow chart, continued from FIG. 10, of reporting the action of interest 706 associated with the target individual 704 of FIG. 7 derived from the target data 612 to a master controller 606 and communicating the extracted meta data 610 to a data retention server 614, according to one embodiment.





Other features of the present embodiments will be apparent from the accompanying drawings and from the detailed description that follows.


DETAILED DESCRIPTION

Example embodiments, as described below, may be used to provide a method, a system, and/or an apparatus of implementing an intelligent feedback loop to iteratively reduce target packet analysis, according to one or more embodiments. Although the present embodiments have been described with reference to specific example embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the various embodiments.


In one embodiment, a method of a network traffic monitoring system 200 includes processing a flow data 302 received through an aggregation switch 304 of a network traffic monitoring system 200 in a first stage module 306 of the network traffic monitoring system 200, filtering the flow data 302 to a target data 312 based on a packet classification in the first stage module 306, determining that a portion of a target data 312 is an extraneous data 318 based on a content filtering algorithm applied in a data processing system 308 of the network traffic monitoring system 200, and iteratively removing from the target data 312 the extraneous data 318 based on a feedback loop 206 created between the data processing system 308 and the first stage module 306 of the network traffic monitoring system 200.


In another embodiment, a system includes an aggregation switch 304 to consolidate a flow data 302, a first stage module 306 to create a target data 312 from the flow data 302 through an iterative exclusion of an extraneous data 318, and a data processing system 308 comprising a processor 328 and a random access memory 330 to iteratively remove from the target data 312 the extraneous data 318, and to form a feedback loop 206 between the data processing system 308 and the first stage module 306 of the network traffic monitoring system 200. The first stage module 306 may process the flow data 302 received through an aggregation switch 304 of the network traffic monitoring system 200 and convert the flow data 302 to a target data 312 based on a packet classification in the first stage. The data processing system 308 may apply a content filtering algorithm to the target data 312 in the data processing system 308 and communicate which portion of the target data 312 is extraneous from the data processing system 308 to the first stage module 306 based on the content filtering algorithm. The first stage module 306 may apply a static filtering algorithm of the flow data 302 based on an internet protocol analysis and a port analysis using the first stage module 306, a tuple hash algorithm to map the flow data 302 having a variable length into an ordered list of elements having a fixed length of the flow data 302 in the first stage, and dynamically filter the flow data 302 in the first stage based on the static filtering algorithm and the tuple hash algorithm, and based on a removal of the extraneous data 318 communicated from a filtering intelligence algorithm of the data processing system.


In yet another embodiment, a method of a network traffic monitoring system 200 includes processing a flow data 302 received through an aggregation switch 304 of a network traffic monitoring system 200 in a first stage module 306 of the network traffic monitoring system 200, filtering the flow data 302 to a target data 312 based on a packet classification in the first stage module 306, determining that a portion of a target data 312 is an extraneous data 318 based on a content filtering algorithm applied in a data processing system 308 of the network traffic monitoring system 200, and iteratively removing from the target data 312 the extraneous data 318 based on a feedback loop 206 created between the data processing system 308 and the first stage module 306 of the network traffic monitoring system 200.



FIG. 1 is an event map illustrating temporal discrepancies in responses to changes in network security by different network monitoring solutions, according to one embodiment. Particularly, FIG. 1 illustrates that implementing security changes in software may reduce an amount of time in which there is a blackout in a network monitored for lawful data interception. In FIG. 1, a network 100A may transmit a data 102A and may implement a custom hardware 104 to facilitate a network data analysis approach 108A with respect to time 110. Additionally, a network 100B may transmit a data 102B. In addition, the network 100B may implement a software 106 to facilitate a network data analysis approach 108B with respect to time 110. Responses to network events may be preceded by a vulnerable period 112 and may be followed by a secured period 114. Network data analysis approach 108A may yield a longer vulnerable period (e.g. the vulnerable period 112) and a shorter secured period (e.g. the secured period 114) than network data analysis approach 108B.



FIG. 2 is a functional block diagram of a network traffic monitoring system 200 comprising a first stage 202 communicating with a second stage 204, which provides feedback to the first stage 202 through a feedback loop 206, according to one embodiment. The first stage 202 may comprise classifying and filtering packets in software. The second stage 204 may involve data processing in commodity hardware. For example, commodity hardware may include a general purpose computing system running on a general purpose processor (e.g., an Intel® brand integrated circuit). Additionally, the second stage 204 may also involve a meta data extraction and target data analysis. The second stage 204 may further involve a feedback loop 206 with the first stage 202 to extract extraneous data.


A stage (e.g. a first stage 202, a second stage 204) is a singular phase in a series of phases that take place in consecutive fashion with respect to time. A stage may be implemented in software or hardware and may involve the manipulation of data before and/or after additional stages. A series of stages may be orchestrated to perform a particular function. The stages in the series may also be able to establish a communication medium for the purpose of providing feedback to an earlier or a later stage.


The feedback loop 206 may be a control system that allows for feedback and self-correction. The feedback loop 206 may adjust its operation according to differences between an actual output and a desired output in the second stage 204 of FIG. 2. To effect the output of the second stage 204, the feedback loop 206 may involve a modification in the data processing of the first stage 202 of FIG. 2.



FIG. 3 is a functional block diagram that illustrates the components of the feedback loop 206 of the network traffic monitoring system 200 of FIG. 2, according to one embodiment. The network traffic monitoring system 200 may comprise a network 300 transmitting a flow data 302 processed by an aggregation switch 304 to a first stage module 306. The first stage module 306 may also include a packet classification module 310 which may convert the flow data 302 to a target data 312. The target data 312 may be communicated to a data processing system 308 which may include a content filtering circuit 314 and a filtering intelligence circuit 316 associated with a processor 328 and a random access memory of the data processing system 308. An extraneous data 318 may be extracted based on the content filtering circuit 314 and the filtering intelligence circuit 316. A request to remove the extraneous data 320 may be communicated to the first stage module 306. The first stage module may further include a static filtering module 322, a tuple hash module 324 and a dynamic filtering module 326.


The extraneous data 318 may be a portion of the target data 312 of FIG. 3 that is not applicable or relevant in a network traffic monitoring system 200 used by a lawful data interception system 710.


The filtering intelligence circuit 316 may be a hardware component that comprises a set of instructions used to classify the target data 312 in FIG. 3 according to an analysis of protocols associated with the target data 312. The filtering intelligence circuit 316 may also facilitate a communication mode with the dynamic filtering module 326 in order to establish a feedback loop 206 to iteratively remove the extraneous data 318.


According to one embodiment, a method of a network traffic monitoring system 200 includes processing a flow data 302 received through an aggregation switch 304 in a first stage module 306 of the network traffic monitoring system 200. The method may also involve filtering the flow data 302 to a target data 312 based on a packet classification performed by a packet classification module 310 in the first stage module 306. The method may also involve determining that a portion of a target data 312 is an extraneous data 318 based on a content filtering algorithm implemented by a content filtering circuit 314 in a data processing system 308 of the network traffic monitoring system 200. Furthermore, the method may also involve iteratively removing from the target data 312 the extraneous data 318 based on a feedback loop 206 created between the data processing system 308 and the first stage module 306 of the network traffic monitoring system 200.


The method of a network traffic monitoring system 200 may involve processing a flow data 302 received through an aggregation switch 304 of a network traffic monitoring system 200 in the first stage 202 and converting the flow data 302 to a target data 312 based on a packet classification performed by a packet classification module 310 in the first stage 202. The method may also involve applying a content filtering algorithm of the content filtering circuit 314 to the target data 312 in the second stage 204 and communicating which portion of the target data 312 is extraneous from the second stage 204 to the first stage 202 based on the content filtering algorithm of the content filtering circuit 314.


In another embodiment, a network traffic monitoring system 200 includes an aggregation switch 304 to consolidate a flow data 302, a first stage module 306 to create a target data 312 from the flow data 302 through an iterative exclusion of an extraneous data 318, and a data processing system 308 comprising a processor 328 and a memory to iteratively remove from the target data 312 the extraneous data 318, and to form a feedback loop 206 between the data processing system 308 and the first stage module 306 of the network traffic monitoring system 200. The first stage module 306 may process the flow data 302 received through an aggregation switch 304 of the network traffic monitoring system 200 and convert the flow data 302 to a target data 312 based on a packet classification performed by a packet classification module 310 in the first stage 202. The data processing system 308 may apply a content filtering algorithm of the content filtering circuit 314 to the target data 312 in the data processing system 308 and communicate which portion of the target data 312 is extraneous from the data processing system 308 to the first stage module 306 based on the content filtering algorithm implemented by the content filtering circuit 314.


In yet another embodiment, a method of a network traffic monitoring system 200 includes processing a flow data 302 received through an aggregation switch 304 in a first stage module 306 of the network traffic monitoring system 200. The method may also involve filtering the flow data 302 to a target data 312 based on a packet classification performed by a packet classification module 310 in the first stage module 306. The method may also involve determining that a portion of a target data 312 is an extraneous data 318 based on a content filtering algorithm implemented by a content filtering circuit 314 in a data processing system 308 of the network traffic monitoring system 200. Furthermore, the method may also involve iteratively removing from the target data 312 the extraneous data 318 based on a feedback loop 206 created between the data processing system 308 and the first stage module 306 of the network traffic monitoring system 200.


The method of a network traffic monitoring system 200 may also involve applying a content filtering algorithm of the content filtering circuit 314 to the target data 312 in the data processing system 308 and communicating which portion of the target data 312 is extraneous from the data processing system 308 to the first stage 202 module based on the content filtering algorithm of the content filtering circuit 314.



FIG. 4 is a functional block diagram that illustrates the first stage module 306 of FIG. 3 mapping the flow data 302 into an ordered list of elements 404, according to one embodiment. In FIG. 4, the static filtering module 322 of the first stage module 306 may include a port analysis module 400 and an IP analysis module 402. The tuple hash module 324 may produce an ordered list of elements 404 based on the flow data 302.


In one embodiment, the method of a network traffic monitoring system 200 involves applying a static filtering algorithm implemented by a static filtering module 322 to the flow data 302 based on a port analysis executed by a port analysis module 400 and a protocol analysis executed by an IP analysis module 402 in the first stage 202. The method may also involve applying a tuple hash algorithm implemented by a tuple hash module 324 to map the flow data 302 having a variable length into an ordered list of elements 404 having a fixed length of the flow data 302 in the first stage 202. The method may further involve dynamically filtering the flow data 302 in the first stage 202 based on the static filtering algorithm implemented by a static filtering module 322 and the tuple hash algorithm implemented by a tuple hash module 324, and based on a removal of the extraneous data 318 communicated from a filtering intelligence algorithm implemented by a filtering intelligence circuit 316 of the second stage 204.


In another embodiment, the first stage module 306 of the network traffic monitoring system 200 may apply a static filtering algorithm, implemented by a static filtering module 322, to the flow data 302 based on a port analysis executed by a port analysis module 400 and an internet protocol analysis executed by an IP analysis module 402 using the first stage module 306. The system may also include a tuple hash algorithm implemented by a tuple hash module 324 to map the flow data 302 having a variable length into an ordered list of elements 404 having a fixed length of the flow data 302 in the first stage 202. The system may further involve dynamically filtering the flow data 302 in the first stage 202 based on the static filtering algorithm implemented by a static filtering module 322 and the tuple hash algorithm implemented by a tuple hash module 324, and based on a removal of the extraneous data 318 communicated from a filtering intelligence algorithm implemented by a filtering intelligence circuit 316 of the data processing system 308.


In yet another embodiment, the method of a network traffic monitoring system 200 involves applying a static filtering algorithm implemented by a static filtering module 322 to the flow data 302 based on an internet protocol analysis executed by an IP analysis module 402 and a port analysis executed by a port analysis module 400 in the first stage 202. The method may also involve applying a tuple hash algorithm implemented by a tuple hash module 324 to map the flow data 302 having a variable length into an ordered list of elements 404 having a fixed length of the flow data 302 in the first stage 202. The method may further involve dynamically filtering the flow data 302 in the first stage module 306 based on the static filtering algorithm implemented by a static filtering module 322 and the tuple hash algorithm implemented by a tuple hash module 324, and based on a removal of the extraneous data 318 communicated from a filtering intelligence algorithm implemented by a filtering intelligence circuit 316 of the data processing system 308.



FIG. 5 is a functional block diagram of the data processing system 308 of FIG. 3 which buffers the target data 312 in a random access memory 330, classifies a set of protocols 504 associated with the target data 312, and communicates a request to remove extraneous data 320 to the first stage 202, according to one embodiment. In FIG. 5, a zero-copy driver 500 and a use buffer 502 may be associated with a processor 328 and a random access memory 330. The target data 312 may be buffered in the random access memory 330 and a set of protocols 504 may be produced based on the filtering intelligence circuit 316. A portion of the target data 312 may be an extraneous data 318 based on the set of protocols 504 produced by the filtering intelligence circuit 316.


In one embodiment, the method of a network traffic monitoring system 200 includes applying a zero-copy driver 500 and a use buffer 502 in the first stage 202 and/or the second stage 204 and reducing processing power and memory usage through the application of the zero-copy driver 500 and the use buffer 502 in the second stage 204. The method may involve buffering the target data 312 in a random access memory 330 in the second stage 204. The method may further involve classifying a set of protocols 504 associated with the target data 312 in the second stage 204 and applying the filtering intelligence algorithm implemented by a filtering intelligence circuit 316 to extract the extraneous data 318 from the target data 312 in the second stage 204. Furthermore, the method may involve determining a communication mode between the second stage 204 and the dynamic filtering operation of the first stage 202 so that a request to remove the extraneous data 320 based on the filtering intelligence algorithm implemented by a filtering intelligence circuit 316 of the second stage 204 is executable.


In another embodiment, the data processing system 308 includes applying a zero-copy driver 500 and a use buffer 502 in the data processing system 308 and reducing processing power and memory usage in the data processing system 308. The data processing system 308 may include buffering the target data 312 in a random access memory 330. The data processing system 308 may also include classifying a set of protocols 504 associated with the target data 312 and applying the filtering intelligence algorithm implemented by a filtering intelligence circuit 316 to extract the extraneous data 318 from the target data 312. Furthermore, the data processing system 308 may also involve determining a communication mode between the data processing system 308 and the dynamic filtering operation of the first stage 202 so that a request to remove the extraneous data 320 based on the filtering intelligence algorithm implemented by a filtering intelligence circuit 316 of the data processing system 308 is executable.


In yet another embodiment, the method of a network traffic monitoring system 200 includes applying a zero-copy driver 500 and a use buffer 502 in the data processing system 308 and reducing processing power and memory usage through the application of the zero-copy driver 500 and the use buffer 502 in the data processing system 308. The method may also include buffering the target data 312 in a random access memory 330 in the data processing system 308. The method may further include classifying a set of protocols 504 associated with the target data 312 in the data processing system 308 and applying the filtering intelligence algorithm implemented by a filtering intelligence circuit 316 to extract the extraneous data 318 from the target data 312 in the data processing system 308. Furthermore, the method may also include determining a communication mode between the data processing system 308 and the dynamic filtering operation of the first stage module 306 so that a request to remove the extraneous data 320 based on the filtering intelligence algorithm implemented by a filtering intelligence circuit 316 of the data processing system 308 is executable.



FIG. 6 is a schematic view of the data processing system 308 of FIG. 3 reporting a search pattern 604 to a master controller 606 and an extracted meta data 610 of the target data 612 to a data retention server 614, according to one embodiment. In FIG. 6, a regex based targeting circuit 600 may be applied to a target data 612 of the data processing system 308 to produce a set of regular expressions 602 describing a search pattern 604. The set of regular expressions 602 may be communicated to a master controller 606. Furthermore, a meta data 608 associated with the target data 612 may be extracted. The extracted meta data 610 may be communicated to a data retention server 614.


In one embodiment, the method of a network traffic monitoring system 200 may include applying a regex based targeting algorithm, implemented through a regex based targeting circuit 600, to a target data 612 in the second stage 204 to produce a set of regular expressions 602 describing a search pattern 604. The method may also involve communicating the set of regular expressions 602 to a master controller 606. The method may further involve extracting a meta data 608 associated with the target data 612 in the second stage 204 and communicating the extracted meta data 610 to a data retention server 614.


In another embodiment, the method may involve applying a regex based targeting algorithm, implemented by a regex based targeting circuit 600, to the target data 612 in the data processing system 308 to produce a set of regular expressions 602 describing a search pattern 604. The method may also involve communicating the set of regular expressions 602 to a master controller 606. The method may further involve extracting a meta data 608 associated with the target data 612 in the data processing system 308 and communicating the extracted meta data 610 to a data retention server 614.


In yet another embodiment, the method of a network traffic monitoring system 200 may also include extracting a meta data 608 associated with the target data 612 in the data processing system 308, communicating the extracted meta data 610 to a data retention server 614, applying a regex based targeting algorithm implemented by a regex based targeting circuit 600 to the target data 612 in the data processing system 308 to produce a set of regular expressions 602 describing a search pattern 604, and communicating the set of regular expressions 602 to a master controller 606.



FIG. 7 is a table view illustrating a governmental permission 708 accessed through a lawful data interception system 710 to capture the target data 312 of FIG. 3 associated with an action of interest 706, according to one embodiment. In FIG. 7, a case table 700 and a web browser 702 may share an action of interest 706 associated with the set of regular expressions 602 of FIG. 6 and a target individual 704. The web browser 702 may also include a web object 712, an ad 714, a streaming video 716 and/or a web article 718.


In one embodiment, the method of a network traffic monitoring system 200 includes analyzing the target data 612 to discover an action of interest 706 in the set of regular expressions 602 associated with a target individual 704 in the second stage 204. The action of interest 706 may be subject to a governmental permission 708 as to how the action of interest 706 is usable in a lawful data interception system 710.


In another embodiment, the data processing system 308 includes analyzing the target data 612 to discover an action of interest 706 in the set of regular expressions 602 associated with a target individual 704 in the data processing system 308.


In yet another embodiment, the method of a network traffic monitoring system 200 includes analyzing the target data 612 to discover an action of interest 706 in the set of regular expressions 602 associated with a target individual 704 in the data processing system 308. The action of interest 706 may be subject to a governmental permission 708 as to how the action of interest 706 is usable in a lawful data interception system 710.



FIG. 8 is a process flow chart of a method of the first stage module 306 of FIG. 2 for converting the flow data 302 to the target data 312, according to one embodiment. In operation 800, a flow data 302 is processed by an aggregation switch 304. In operation 802, a static filtering algorithm implemented by a static filtering module 322 is applied to the flow data 302 based on an internet protocol analysis performed by an IP analysis module 402 and a port analysis performed by a port analysis module 400. In operation 804, a tuple hash algorithm implemented by a tuple hash module 324 is applied to the flow data 302 to map the flow data 302 to an ordered list of elements 404. In operation 806, the flow data 302 is dynamically filtered by a dynamic filtering module 326. In operation 808, the flow data 302 is converted to a target data 312 based on a packet classification performed by a packet classification module 310.



FIG. 9 is a process flow chart, continued from FIG. 8, of a method of the data processing system 308 of FIG. 3 to determine a portion of extraneous data 318 and communicate the extraneous data 318 to the first stage 202, according to one embodiment. In operation 900, a zero-copy driver 500 and a use buffer 502 are applied to the target data 312. In operation 902, the target data 312 is buffered in a random access memory 330. In operation 904, a set of protocols 504 associated with the target data 312 is classified. In operation 906, a filtering intelligence algorithm is applied to the target data 312 through a filtering intelligence circuit 316. In operation 908, a portion of an extraneous data 318 of the target data 312 is communicated to the dynamic filtering module 326.



FIG. 10 is a process flow chart, continued from FIG. 9, of a method of a feedback loop 206 of FIG. 2 to iteratively remove a portion of extraneous data 318 from the target data 312, according to one embodiment. In operation 1000, a portion of an extraneous data 318 of the target data 312 is determined. In operation 1002, the extraneous data 318 is iteratively removed from the target data 312 through a feedback loop 206 between the data processing system 308 and the dynamic filtering module 326 of the first stage module 306.
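The sketch below is an added illustration of the operations of FIGS. 8-10 and is not part of the patent: a first stage applies static IP/port rules, hashes each flow tuple to a fixed-length key and consults a dynamic drop set, while a second stage classifies what it receives and feeds removal requests back. The 8-byte BLAKE2b key, the direction-independent tuple ordering, the payload-prefix classifier, the two-hit threshold and all addresses and payloads are assumptions constructed for the example.

```python
import hashlib
import ipaddress

# All rules, addresses and payload markers are constructed for this example.
DENY_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # static IP rule
DENY_PORTS = {123}                                   # static port rule
EXTRANEOUS = {"ad", "streaming-video"}               # labels treated as extraneous


def pkt(src, sport, dst, dport, proto, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "payload": payload}


def tuple_hash(p):
    """Fixed-length (8-byte) flow key; both directions map to the same key."""
    lo, hi = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return hashlib.blake2b(f"{lo}|{hi}|{p['proto']}".encode(), digest_size=8).digest()


class FirstStage:
    def __init__(self):
        self.dynamic_drop = set()  # flow keys installed through the feedback loop

    def static_pass(self, p):
        addrs = (ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"]))
        if any(a in net for a in addrs for net in DENY_NETS):
            return False
        return p["sport"] not in DENY_PORTS and p["dport"] not in DENY_PORTS

    def remove(self, key):
        """Feedback entry point: stop forwarding this flow to the second stage."""
        self.dynamic_drop.add(key)

    def filter(self, packets):
        target = []
        for p in packets:
            if not self.static_pass(p):
                continue
            key = tuple_hash(p)
            if key not in self.dynamic_drop:
                target.append((key, p))
        return target


class SecondStage:
    def __init__(self, first_stage, threshold=2):
        self.first_stage = first_stage
        self.threshold = threshold  # extraneous packets seen before a flow is dropped
        self.hits = {}

    @staticmethod
    def classify(payload):
        if payload.startswith(b"GET /ads/"):
            return "ad"
        if payload.startswith(b"VIDEO-SEGMENT"):
            return "streaming-video"
        return "other"

    def analyze(self, target):
        kept = []
        for key, p in target:
            if self.classify(p["payload"]) in EXTRANEOUS:
                self.hits[key] = self.hits.get(key, 0) + 1
                if self.hits[key] >= self.threshold:
                    self.first_stage.remove(key)  # request removal upstream
            else:
                kept.append(p)
        return kept


def sample_batch():
    """One constructed batch of traffic; the same mix arrives every round."""
    video = pkt("198.51.100.10", 40001, "203.0.113.9", 443, "tcp", b"VIDEO-SEGMENT 0001")
    return [
        pkt("198.51.100.10", 40000, "203.0.113.5", 80, "tcp", b"GET /ads/banner.js"),
        video, dict(video), dict(video),
        pkt("203.0.113.9", 443, "198.51.100.10", 40001, "tcp", b"ACK"),  # reverse direction
        pkt("198.51.100.11", 40002, "203.0.113.7", 25, "tcp", b"EHLO client.example"),
        pkt("198.51.100.12", 123, "203.0.113.1", 123, "udp", b"\x1b"),   # static port drop
        pkt("192.0.2.7", 40003, "203.0.113.7", 80, "tcp", b"GET /"),     # static IP drop
    ]


def run_loop(rounds):
    """Return how many packets reach the second stage in each round."""
    first = FirstStage()
    second = SecondStage(first)
    forwarded = []
    for _ in range(rounds):
        target = first.filter(sample_batch())
        forwarded.append(len(target))
        second.analyze(target)
    return forwarded


if __name__ == "__main__":
    print(run_loop(4))
```

The video flow crosses the threshold within the first batch, so both of its directions are dropped from the second round on; the ad flow sends one packet per batch and is dropped one round later.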



FIG. 11 is a process flow chart, continued from FIG. 10, of reporting the action of interest 706 associated with the target individual 704 of FIG. 7 derived from the target data 612 to a master controller 606 and communicating the extracted meta data 610 to a data retention server 614, according to one embodiment. In operation 1100, a regex based targeting algorithm, implemented by a regex based targeting circuit 600, is applied to the target data 612 to produce a set of regular expressions 602. In operation 1102, the set of regular expressions 602 is communicated to a master controller 606. In operation 1104, the set of regular expressions 602 is analyzed to discover an action of interest 706 associated with a target individual 704. In operation 1106, a meta data 608 associated with the target data 612 is extracted. In operation 1108, an extracted meta data 610 associated with the target data 612 is communicated to a data retention server 614.


An example will now be described in which the various embodiments will be explained in a hypothetical scenario. A government security team named ‘XYZ, Inc.’ may wish to utilize a software program on standard commodity hardware to monitor a network named ‘XYZ Net’ for cybercrime activities. XYZ, Inc. may prefer to use software instead of hardware since software is cheaper to maintain, easier to upgrade, and can be flexible in the way it manipulates data. However, processing data in software may be slower than in hardware. As such, XYZ, Inc. may wish to reduce the inflow of network data to 1) enable the use of software instead of expensive custom hardware, and 2) maximize efficiency and minimize redundancies in monitoring data. More specifically, XYZ, Inc. may wish to filter the network data to focus on specific web activities associated with individuals engaging in illegal activity.


Any data entering the XYZ Net network may be classified according to the threat level of the web activities involved with the incoming data. To reduce the amount of data to monitor, XYZ, Inc. may wish to develop a way for the software and the hardware to communicate for the purpose of ignoring certain sources of data, e.g., a web object 712, ads 714, streaming video 716, or a web article 718, all of which can be found in a web browser 702. XYZ, Inc. may wish to ignore this innocuous data in order to focus on actions of interest 706 associating a target individual 704 with an illegal activity.


Although the present embodiments have been described with reference to specific example embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the various embodiments. For example, the various devices and modules described herein may be enabled and operated using hardware circuitry (e.g., CMOS based logic circuitry), firmware, software or any combination of hardware, firmware, and software (e.g., embodied in a machine readable medium). For example, the various electrical structure and methods may be embodied using transistors, logic gates, and electrical circuits (e.g., application specific integrated (ASIC) circuitry and/or Digital Signal Processor (DSP) circuitry).


In addition, it will be appreciated that the various operations, processes, and methods disclosed herein may be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer device). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.

Claims
  • 1. A non-transitory medium, readable through a network traffic monitoring system used by a data interception system and comprising instructions embodied therein that are executable through the network traffic monitoring system, comprising: instructions to process flow data from a computer network received through an aggregation switch of the network traffic monitoring system in a first stage module of the network traffic monitoring system; instructions to identify target network activities of interest to the data interception system; instructions to filter the flow data to target data based on packet classification in the first stage module, the target data being associated with the identified target network activities of interest to the data interception system; instructions to determine that a portion of the target data is extraneous data in a data processing system of the network traffic monitoring system based on classifying the target data according to an analysis of protocols associated therewith through a hardware component of the data processing system, the extraneous data being the portion of the target data that is determined to be: irrelevant in the network traffic monitoring system used by the data interception system and innocuous with respect to a threat level thereof based on the classification of the target data, and the data processing system being commodity hardware in a second stage of the network traffic monitoring system communicatively coupled to the first stage module; instructions to extract metadata associated with the target data in the data processing system; instructions to produce, through the data processing system, a set of regular expressions describing a search pattern in the target data; instructions to analyze the target data to discover an action of interest in the set of regular expressions associated with a target individual in the data processing system, the action of interest corresponding to an identified target network activity of interest; and instructions to utilize, through the data processing system, instructions to monitor the computer network for specific network activities of interest to the data interception system, the instructions to monitor the computer network for the specific network activities of interest comprising instructions to iteratively remove from the target data the extraneous data based on creating a feedback loop between the data processing system and the first stage module of the network traffic monitoring system, the feedback loop being a control system configured to adjust operation thereof between an actual output and a desired output of the data processing system, and the feedback loop involving a modification in data processing through the first stage module to effect the desired output of the data processing system.
  • 2. The non-transitory medium of claim 1, further comprising: instructions to apply a zero-copy driver and a use buffer in at least one of the first stage module and the data processing system; and instructions to reduce processing power and memory usage through the application of the zero-copy driver and the use buffer in the data processing system.
  • 3. The non-transitory medium of claim 1, further comprising: instructions to communicate the extraneous portion of the target data from the data processing system to the first stage module following the content filtering.
  • 4. The non-transitory medium of claim 1, wherein the instructions to determine that the portion of the target data is the extraneous data further comprises at least one of: instructions to perform static filtering of the flow data based on an internet protocol analysis and a port analysis in the first stage module; instructions to map the flow data having a variable length into an ordered list of elements having a fixed length of the flow data in the first stage module; and instructions to dynamically filter the flow data in the first stage module based on the removal of the extraneous data communicated from the data processing system.
  • 5. The non-transitory medium of claim 4, further comprising at least one of: instructions to buffer the target data in a random access memory in the data processing system; and instructions to determine a communication mode between the data processing system and the dynamic filtering of the first stage module so that a request to remove the extraneous data is executable.
  • 6. The non-transitory medium of claim 1, further comprising: instructions to communicate the extracted metadata to a data retention server; and instructions to communicate the set of regular expressions to a master controller.
  • 7. The non-transitory medium of claim 6, wherein the action of interest is subject to a governmental permission as to how the action of interest is usable in the data interception system.
  • 8. A network traffic monitoring system used by a data interception system comprising: an aggregation switch to consolidate flow data from a computer network; a processing module to identify target network activities of interest to the data interception system; a first stage module to filter the flow data to target data based on packet classification therein, the target data being associated with the identified target network activities of interest to the data interception system; and a data processing system comprising a processor and a memory to determine that a portion of the target data is extraneous data based on classifying the target data according to an analysis of protocols associated therewith through a hardware component of the data processing system, to utilize instructions to monitor the computer network for specific network activities of interest to the data interception system, to extract metadata associated with the target data, to produce a set of regular expressions describing a search pattern in the target data, to analyze the target data to discover an action of interest corresponding to an identified target network activity of interest in the set of regular expressions associated with a target individual in the data processing system, and to iteratively remove from the target data the extraneous data based on forming a feedback loop between the data processing system and the first stage module, the extraneous data being the portion of the target data that is determined to be: irrelevant in the network traffic monitoring system used by the data interception system and innocuous with respect to a threat level thereof based on the classification of the target data, and the data processing system being commodity hardware in a second stage of the network traffic monitoring system communicatively coupled to the first stage module, wherein the feedback loop is a control system configured to adjust operation thereof between an actual output and a desired output of the data processing system, the feedback loop involving a modification in data processing through the first stage module to effect the desired output of the data processing system.
  • 9. The network traffic monitoring system of claim 8, wherein the first stage module is further configured to at least one of: perform static filtering of the flow data based on an internet protocol analysis and a port analysis, map the flow data having a variable length into an ordered list of elements having a fixed length of the flow data, and dynamically filter the flow data based on the removal of the extraneous data communicated from the data processing system.
  • 10. The network traffic monitoring system of claim 9, wherein the data processing system is further configured to at least one of: apply a zero-copy driver and a use buffer, reduce processing power and memory usage through the application of the zero-copy driver and the use buffer, buffer the target data in a random access memory, and determine a communication mode between the data processing system and the dynamic filtering of the first stage module so that a request to remove the extraneous data is executable.
  • 11. The network traffic monitoring system of claim 8, wherein the data processing system is further configured to at least one of: communicate the extracted metadata to a data retention server, and communicate the set of regular expressions to a master controller.
  • 12. The network traffic monitoring system of claim 11, wherein the action of interest is subject to a governmental permission as to how the action of interest is usable in the data interception system.
  • 13. A method of a network traffic monitoring system used by a data interception system comprising: processing flow data from a computer network received through an aggregation switch of the network traffic monitoring system in a first stage module of the network traffic monitoring system; identifying target network activities of interest to the data interception system; filtering the flow data to target data based on packet classification in the first stage module, the target data being associated with the identified target network activities of interest to the data interception system; determining that a portion of the target data is extraneous data in a data processing system of the network traffic monitoring system based on classifying the target data according to an analysis of protocols associated therewith through a hardware component of the data processing system, the extraneous data being the portion of the target data that is determined to be: irrelevant in the network traffic monitoring system used by the data interception system and innocuous with respect to a threat level thereof based on the classification of the target data, and the data processing system being commodity hardware in a second stage of the network traffic monitoring system communicatively coupled to the first stage module; extracting metadata associated with the target data in the data processing system; producing, through the data processing system, a set of regular expressions describing a search pattern in the target data; analyzing the target data to discover an action of interest in the set of regular expressions associated with a target individual in the data processing system, the action of interest corresponding to an identified target network activity of interest; and utilizing, through the data processing system, instructions to monitor the computer network for specific network activities of interest to the data interception system, the monitoring of the computer network for the specific network activities of interest comprising iteratively removing from the target data the extraneous data based on creating a feedback loop between the data processing system and the first stage module of the network traffic monitoring system, the feedback loop being a control system configured to adjust operation thereof between an actual output and a desired output of the data processing system, and the feedback loop involving a modification in data processing through the first stage module to effect the desired output of the data processing system.
  • 14. The method of claim 13, further comprising: communicating the extraneous portion of the target data from the data processing system to the first stage module following the content filtering.
  • 15. The method of claim 13, further comprising: performing static filtering of the flow data based on an internet protocol analysis and a port analysis in the first stage module; mapping the flow data having a variable length into an ordered list of elements having a fixed length of the flow data in the first stage module; and dynamically filtering the flow data in the first stage module based on the removal of the extraneous data communicated from the data processing system.
  • 16. The method of claim 15, further comprising at least one of: applying a zero-copy driver and a use buffer in the data processing system; reducing processing power and memory usage through the application of the zero-copy driver and the use buffer in the data processing system; buffering the target data in a random access memory in the data processing system; and determining a communication mode between the data processing system and the dynamic filtering of the first stage module so that a request to remove the extraneous data is executable.
  • 17. The method of claim 13, further comprising at least one of: communicating the extracted metadata to a data retention server; and communicating the set of regular expressions to a master controller.
  • 18. The method of claim 17, wherein the action of interest is subject to a governmental permission as to how the action of interest is usable in the data interception system.
20060041660 Bishop et al. Feb 2006 A1
20060064391 Petrov et al. Mar 2006 A1
20060109847 Satou May 2006 A1
20060168332 Pfitzmann Jul 2006 A1
20070055766 Petropoulakis et al. Mar 2007 A1
20070083924 Lu Apr 2007 A1
20070156889 Bhrara et al. Jul 2007 A1
20070203991 Fisher et al. Aug 2007 A1
20070266145 Nesbitt et al. Nov 2007 A1
20080028031 Bailey et al. Jan 2008 A1
20080036767 Janzen Feb 2008 A1
20080052392 Webster et al. Feb 2008 A1
20080147623 Swaminathan et al. Jun 2008 A1
20080162397 Zaltzman Jul 2008 A1
20080183867 Singh et al. Jul 2008 A1
20090052443 Kolenchery et al. Feb 2009 A1
20090077623 Baum et al. Mar 2009 A1
20090132450 Schlottmann May 2009 A1
20090150472 Devarakonda et al. Jun 2009 A1
20090165142 Adelstein et al. Jun 2009 A1
20090171960 Katzir Jul 2009 A1
20090193037 Yu et al. Jul 2009 A1
20090254653 Kowa et al. Oct 2009 A1
20100042545 Ogg et al. Feb 2010 A1
20100057858 Shen et al. Mar 2010 A1
20100071053 Ansari et al. Mar 2010 A1
20100079464 Matsumura Apr 2010 A1
20100094910 Bayliss Apr 2010 A1
20100095017 Ghetie et al. Apr 2010 A1
20100115018 Yoon et al. May 2010 A1
20100150138 Bjorsell et al. Jun 2010 A1
20100182320 Cartan Jul 2010 A1
20100199189 Ben-Aroya et al. Aug 2010 A1
20100211672 Brown et al. Aug 2010 A1
20100217837 Ansari et al. Aug 2010 A1
20100228854 Morrison et al. Sep 2010 A1
20100250497 Redlich et al. Sep 2010 A1
20100281161 Cohn et al. Nov 2010 A1
20100287286 Bustamente Nov 2010 A1
20100309786 Moisand et al. Dec 2010 A1
20100312884 Nandy et al. Dec 2010 A1
20100312903 Miyata Dec 2010 A1
20100318647 Savoor et al. Dec 2010 A1
20100321183 Donovan et al. Dec 2010 A1
20110010449 Andrews et al. Jan 2011 A1
20110029667 Imbimbo et al. Feb 2011 A1
20110030067 Wilson Feb 2011 A1
20110047273 Young, Jr. et al. Feb 2011 A1
20110161507 O'Sullivan et al. Jun 2011 A1
20110173330 Gong et al. Jul 2011 A1
20110182205 Gerdes et al. Jul 2011 A1
20110206198 Freedman et al. Aug 2011 A1
20110208859 Fernández Gutierrez Aug 2011 A1
20110252032 Fitzgerald et al. Oct 2011 A1
20110270977 Ansiaux et al. Nov 2011 A1
20110283343 Jaeger et al. Nov 2011 A1
20110289134 De Los Reyes et al. Nov 2011 A1
20110296014 Cancel et al. Dec 2011 A1
20120005331 Beattie, Jr. et al. Jan 2012 A1
20120084081 Melamed et al. Apr 2012 A1
20120096145 Le et al. Apr 2012 A1
20120110062 Savage et al. May 2012 A1
20120117236 Fukuda et al. May 2012 A1
20120143972 Malik et al. Jun 2012 A1
20120150955 Tseng Jun 2012 A1
20120158955 Kim et al. Jun 2012 A1
20120191854 Bharatia et al. Jul 2012 A1
20120197976 Welingkar et al. Aug 2012 A1
20120203847 Kendall et al. Aug 2012 A1
20120224021 Begeja et al. Sep 2012 A1
20120239805 Savoor et al. Sep 2012 A1
20120254403 Imbimbo et al. Oct 2012 A1
20120259975 Le et al. Oct 2012 A1
20120265824 Lawbaugh Oct 2012 A1
20120317196 Schigel et al. Dec 2012 A1
20120324470 Jamjoom et al. Dec 2012 A1
20120331126 Abdul-Razzak et al. Dec 2012 A1
20130007129 German et al. Jan 2013 A1
20130024506 Setton Jan 2013 A1
20130091241 Goetz et al. Apr 2013 A1
20130097308 Le et al. Apr 2013 A1
20130155068 Bier et al. Jun 2013 A1
20130159234 Xing et al. Jun 2013 A1
20130191493 Le et al. Jul 2013 A1
20130207980 Ankisettipalli et al. Aug 2013 A1
20130262622 Li et al. Oct 2013 A1
20130268443 Petrov et al. Oct 2013 A1
20130275306 Ignatchenko et al. Oct 2013 A1
20130293551 Erez et al. Nov 2013 A1
20130304761 Redlich et al. Nov 2013 A1
20130311557 Aston Motes et al. Nov 2013 A1
20140059024 Le et al. Feb 2014 A1
20140082087 Bustamente Mar 2014 A1
20140086102 Doddapaneni Mar 2014 A1
20140149487 Dikmen et al. May 2014 A1
20140150077 Roy et al. May 2014 A1
20140222522 Chait Aug 2014 A1
20150200967 Redlich Jul 2015 A1
20150215186 Alonso Franco et al. Jul 2015 A1
Foreign Referenced Citations (1)
Number Date Country
2001077357 Mar 2001 JP
Non-Patent Literature Citations (6)
Entry
“Visualizing criminal relationships: comparison of a hyperbolic tree and a hierarchical list”, by Yang Xiang et al., Jul. 14, 2005 (pp. 15) http://ai.arizona.edu/intranet/papers/VisualizingCriminalRelationships.pdf.
“Securing Public Instant Messaging (IM) at Work”, by Nigel Williams, Joanne Ly, Jul. 2004 (pp. 43) http://caia.swin.edu.au/reports/040726A/CAIA-TR-040726A.pdf.
“Network Element Service Specification Template”, by S. Shenker et al., Sep. 1997 (pp. 22) http://tools.ietf.org/pdf/rfc2216.pdf.
“RSVP+: An Extension to RSVP”, by Silvano Gai et al., Jun. 1999 (pp. 18) http://tools.ietf.org/pdf/draft-sgai-rsvp-plus-00.pdf.
“Cellular access control and charging for mobile operator wireless local area networks”, by H. Haverinen et al., Jan. 14, 2003 (p. 1) http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=1160081&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs—all.jsp%3Farnumber%3D1160081.
“An Analysis of Anonymity in the Bitcoin System”, by Reid Fergal et al., May 7, 2012 (pp. 30) http://arxiv.org/pdf/1107.4524.pdf?origin=publication—detail.
Related Publications (1)
Number Date Country
20140086102 A1 Mar 2014 US