Embodiments of the present invention relate to modifying an Internet Protocol (IP) communication over a network and more specifically to modifying a communication flow from a source port to a destination port.
A network subscriber can use peer-to-peer (P2P) software for the unauthorized sharing of copyright-protected content (e.g., music) over a P2P network. Typically, Internet Service Providers (ISPs) prevent the unauthorized sharing of copyright-protected material by cutting off the subscriber from the network, essentially assigning the subscriber a bandwidth of zero. Therefore, the network subscriber is not only prevented from transferring copyright-protected material over the P2P network, but the network subscriber is prevented from transferring any material over the network.
In addition, ISPs are beginning to operate as Media Providers (MP) (e.g., a Music Service Provider (MSP)) to permit network subscribers to legally share unlimited music files among one another within an enclosed network, or “walled garden.” There are no digital rights management (DRM) restrictions attached to the music files being traded within the MP (e.g., MSP). Therefore, various business rules need to be applied to the content streams (flows) over the network to manage and maintain data transfers within a MP network. For example, MP subscribers are authorized to upload music (i.e., share music) within the MP network. Therefore, content streams of copyright-protected music from a MP subscriber to an ISP subscriber outside of the MP network need to be blocked without disabling the permissible content streams from the same MP subscriber to other MP subscribers within the MP network. The network traffic should be monitored to determine the source of the content, the destination of the content, and the content that is being transferred on a particular network stream. In addition, an appropriate action should be taken on a subscriber's particular network stream to modify that stream (e.g., block it) based on the source address, destination address, and content being transferred, independent of the subscriber's other network streams.
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
Embodiments of the invention provide a method and system for modifying a communication flow over a network from a specific port at a source IP address to a specific port at a destination IP address where the modifying is independent from communication flows at other ports at the source IP address and communication flows at other ports at the destination IP address. A flow management system monitors a communication flow of content being transferred from a source port at a source IP address to a destination port at a destination IP address and determines whether a source IP address and destination IP address are participating in a service of a media provider (MP). Examples of a MP include a Music Service Provider (MSP) and a Video Service Provider (VSP). The flow management system analyzes the content of the communication flow and modifies the communication flow transferring the content from the source port to the destination port based on the analyzed content and the determination of whether the source IP address and the destination IP address are participating in a media provider service. This method and system allows modification of a communication flow from a specific port at a source IP address to a specific port at a destination IP address independent of communication flows at other ports at the source IP address and communication flows at other ports at the destination IP address.
Some portions of the detailed description which follows are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as “monitoring,” “analyzing,” “modifying,” “determining,” “identifying,” “storing,” “receiving,” “initiating,” “sending,” “closing,” or the like, refer to the actions and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (e.g., electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
The present invention also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions.
The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear from the description below. In addition, the present invention is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.
A machine-readable medium includes any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer). For example, a machine-readable medium includes a machine readable storage medium (e.g., read only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices, etc.), a machine readable transmission medium (electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.)), etc.
In the following description, numerous details are set forth. It will be apparent, however, to one skilled in the art, that the present invention may be practiced without these specific details. In some instances, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring the present invention.
System 100 includes one or more network devices 105A,B for load balancing network traffic and filtering network traffic. A network device can perform load balancing by mirroring network traffic and can be any network device capable of mirroring network traffic. A network device can filter network traffic by controlling traffic on a flow by flow basis and can be any network device capable of controlling traffic on a flow by flow basis. The functionality of load balancing and filtering can be performed by a single network device or separately by separate network devices. For example, a single network device, such as a Cisco® Service Control Engine (SCE) or an Allot® Service Gateway (SG) device, can perform both functions, or separate devices can be used, such as a TopLayer® device performing the load balancing functionality and an SCE or SG network device performing the filtering functionality.
The functionality of load balancing and filtering can also be performed by a single network device. For example, network device 105A can be a single network device such as a deep packet inspection (DPI) system capable of monitoring traffic being sent from User_1, User_2 and User_3 over network 131, mirroring traffic from User_1, User_2 and User_3 to one or more flow management systems 103, and filtering the network traffic of User_1, User_2 and User_3. Deep packet inspection is a form of computer network packet filtering that examines the data and/or header part of a packet as it passes an inspection point, searching for predefined criteria to decide if the packet can pass or if it needs to be routed to a different destination. System 100 illustrates that the network device 105A (e.g., a DPI device) can be in-line for relevant communication flows, in that the communication flows from one client machine (e.g., client 101A, client 101B, or client 101C) pass through the network device 105A to another client machine (e.g., client 101D or client 101E) in such a manner that the network device 105A is capable of restricting or modifying a plurality of communication flows. In another example, a network device 105B can monitor traffic being sent from User_5 (client 101E). The network device 105A,B can be hosted by any type of computing device including network computing appliances, desktop computers, laptop computers, handheld computers or similar computing device. System 100 illustrates a network device 105A,B as a network appliance (e.g., a network router, hub, or managed switch) connected directly to network 131 in accordance with one embodiment of the invention. The network device 105A,B can be maintained by a media provider (e.g., MSP), a network operator, or a third party service provider.
System 100 includes one or more flow management systems 103 to monitor, analyze and modify traffic travelling over network 131. A flow management system 103 can be hosted by any type of computing device including network computing appliances, desktop computers, laptop computers, handheld computers or similar computing device. A flow management system 103 can connect directly or indirectly to network 131. System 100 illustrates a flow management system 103 as a network appliance connected indirectly to network 131 via network device 105A in accordance with one embodiment of the invention. In one embodiment, network device 105A is a single network device capable of performing both load balancing and filtering (e.g., a DPI system) and a flow management system 103 obtains a copy of the network traffic 111 from the single network device. In another embodiment, network device 105A comprises separate network devices, one capable of load balancing (mirroring) and another capable of filtering. In this embodiment, the flow management system 103 can obtain a copy of the network traffic 111 from the network device capable of mirroring traffic. In another embodiment, a flow management system 103 and a network device 105A can be hosted by a single machine. The flow management system 103 can be maintained by a media provider (e.g., MSP), a network operator, or a third party service provider.
System 150 includes a service management server 107 to maintain service transaction data 127. The service management server 107 can be hosted by any type of computing device including desktop computers, laptop computers, handheld computers or similar computing device. The service management server 107 can be maintained by a media provider (e.g., MSP), a network operator, or a third party service provider. The service management server 107 communicates with various devices (not shown) that assign or maintain IP addresses to subscribers in different parts of the network 131 to maintain a consolidated, up-to-date mapping of certain subscriber groups to current IP addresses on an ISP network. Examples of the various devices include DHCP servers, RADIUS servers, cable modem management servers, etc. For example, the service management server 107 maps IP-1 to User_1, IP-2 to User_2, IP-3 to User_3, IP-4 to User_4 and IP-5 to User_5. In addition, the service management server 107 identifies User_1 as both an ISP subscriber and a MP subscriber, User_3 as both an ISP subscriber and a MP subscriber, and User_2, User_4 and User_5 as only ISP subscribers. The service management server 107 can further identify User_1 and User_3 as MP Executive Service Level subscribers. The service management server 107 can report on all of the maintained data to interested parties or can report on a portion of the data maintained to interested parties. For instance, the service management server 107 may record all of the data transfers performed over network 131, but may report to a content owner only the details of data transfers involving the content owned by the content owner.
Service transaction data 127 includes a list of IP addresses, the services assigned (e.g., ISP service, MP service) to the IP addresses, and the service levels (e.g., MP Executive Service Level) associated with the IP addresses. Subscribers can be grouped according to the service a subscriber has subscribed to.
In one embodiment, the network device 105 can monitor the network traffic being sent from User_1 (client 101A), User_2 (client 101B), and User_3 (client 101C) over network 131 and provide a copy 111A-C of the communication flows for client machines 101A, 101B, 101C to one or more flow management systems 103. A network device 105 can communicate with one or more flow management systems 103 and can handle concurrent incoming connections from the one or more flow management systems 103. The network device 105 can have more than one traffic output. For example, the network device 105 may be monitoring 10 Gbps of network traffic 137 and may filter out the peer-to-peer (P2P) traffic of P2P users (e.g., User_1, User_2, User_3). The P2P traffic may be only 3 Gbps. The network device 105 can mirror the filtered traffic 111 to one or more flow management systems 103, for example as three outputs of 1 Gbps each (111A, 111B, 111C). In one embodiment, the network device 105 can be a single device including a load balancer 151 to mirror traffic 137 and a traffic controller 153 to filter traffic 137. For example, network device 105 can be a single device such as a DPI system coupled to several flow management systems 103. In an alternative embodiment, the load balancer 151 and traffic controller 153 can be hosted by separate network devices. For example, load balancer 151 can be a load balancing device, as is known in the art, placed in system 100 to intercept traffic 137 and direct a copy of traffic 111 to one or more flow management systems 103, and traffic controller 153 can be hosted by a separate network device.
In one embodiment, the network device 105 mirrors all network traffic 137 from clients 101A,B,C and sends the copy 111A-C of all of the traffic 137 to one or more flow management systems 103. In an alternative embodiment, the network device 105 filters the network traffic 137 and sends a copy of only the traffic of interest 111A-C to the one or more flow management systems 103. The traffic of interest 111A-C can be one or more of P2P traffic, HTTP traffic, FTP traffic, etc.
In particular, a flow management system 103 modifies a communication flow from a specific port at a source IP address to a specific port at a destination IP address where the modifying is independent from communication flows at other ports at the source IP address and communication flows at other ports at the destination IP address. For example, a flow management system 103 can block the unauthorized sharing of a copyright-protected music file in a communication flow between User_1 and User_2, while allowing other legitimate communication flows between User_1 and User_2 (e.g., the sharing of music files that are not copyright-protected). In networking, a transport layer protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), specifies a source and destination port in its packet headers. A specific port is identified by its number, commonly known as the port number. A process “binds” to a particular port to send and receive data, meaning that the port will listen for incoming packets whose destination port matches that port number, and/or send outgoing packets whose source port is set to that port number. Two IP addresses (e.g., IP-1 at client 101A and IP-2 at client 101B) communicating with each other over network 131 can have many communication flows between them at the same time. IP addresses can have several TCP connections and several UDP streams, each running on different ports and serving different purposes. A communication flow (“flow”) can refer to a communication between two IP addresses on specific ports. In one embodiment, a flow is specified by the vector (IP1, Port1, IP2, Port2), where IP1 is the source IP address, Port1 is the port number of the source port, IP2 is the destination IP address and Port2 is the port number of the destination port.
The flow management system 103 includes a flow monitor 119, a content analyzer 133, a service correlator 121, a content rule implementer 123 and a command issuer 135. This division of functionality is presented by way of example for the sake of clarity. One skilled in the art would understand that the functionality described could be combined into a monolithic component or sub-divided into any combination of components.
The flow monitor 119 manages the connection with the network device 105. The flow monitor 119 initiates the connection and closes the connection with the network device 105. When a connection is established, the flow monitor 119 obtains the copy 111 of traffic (one or more communication flows) from the network device 105. For example, the flow monitor 119 obtains a copy 111 of the communication flow of User_1 trading a music file with User_2.
A content analyzer 133 analyzes the communication flow to determine whether a communication flow includes content that can trigger the communication flow to be modified (e.g., block a communication flow, increase the bandwidth of a communication flow). The content analyzer 133 can use business rules stored as service transaction data 129 to analyze the content. Business rules can define the type of content that triggers the modification of a communication flow.
For example, User_1 transfers a copyright-protected music file to User_2. Business rules define that copyright-protected music files can be transferred within a group of MP subscribers, otherwise a particular communication flow transferring the copyright-protected music file is to be blocked. The content analyzer 133 uses the business rules to analyze the copy 111 of the communication flow between User_1 and User_2 and determines that this particular communication flow includes content (e.g., copyright-protected music) that requires the communication flow to be modified (e.g., blocked) if User_1 or User_2 is not an MP subscriber.
In another example, a particular communication flow between two client machines 101A,101C can be modified to increase the bandwidth of the particular communication flow. For example, the business rules can define to increase the bandwidth for any communication flow transferring copyright-protected ™ & © Disney/Pixar files amongst MP service subscribers. User_1 transfers a movie file, Finding Nemo©, a copyright-protected ™ & © Disney/Pixar movie file, to User_3. The content analyzer 133 identifies the content as copyright-protected material and specifically, that the content is ™ & © Disney/Pixar content. The content analyzer 133, using the business rules, determines this particular communication flow includes content (e.g., ™ & © Disney/Pixar movie file) to trigger the modification of the communication flow (e.g., increase the bandwidth of the communication flow).
A service correlator 121 identifies a source IP address (e.g., User_1's address IP-1) and a destination IP address (e.g., User_2's address IP-2) to determine how the content is being transferred (e.g., whether the content is being transferred within the MP network (amongst MP service subscribers)). The service correlator 121 compares the source IP address and destination IP address to service transaction data 129 to determine the services associated with each IP address. The service correlator 121 can determine a subscriber group associated with the source IP address and a subscriber group associated with the destination IP address. For example, the service correlator 121 may determine that User_1's IP address is mapped as a subscriber to the MP service and that User_2's IP address is not mapped as a subscriber to the MP service. The service correlator 121 interfaces with a persistent storage unit 125 that stores service transaction data 129 (e.g., an access control list of IP addresses). The persistent storage unit 125 can be a local storage unit or a remote storage unit. The persistent storage unit 125 can be a magnetic storage unit, optical storage unit, solid state storage unit or similar storage unit. The persistent storage unit 125 can be a monolithic device or a distributed set of devices. A ‘set,’ as used herein, refers to any positive whole number of items including one.
The service correlator 121 updates service data 129 with the IP addresses obtained from the service management server 107. The service correlator 121 can request service transaction data 127 from a service management server 107 and store it on the persistent storage unit 125. System 150 illustrates a plurality of flow management systems 103, each including a service correlator 121. Service management server 107 can provide service transaction data 127 to each flow management system as illustrated by connections 155A-C. Although connections 155A-C are illustrated as direct connections, service management server 107 can communicate with each flow management system 103 via network 131. The service correlator 121 can include an ACL (access control list) so that it obtains data only from a service management server 107 that is listed in the ACL. The service management server 107 gathers IP and user group (subscriber group) data mappings from various network devices (e.g., DHCP servers, RADIUS servers, cable modem management servers, etc.) and updates service transaction data 127 (e.g., a master list) of IP addresses mapped to services (e.g., ISP service, MP service) and IP addresses mapped to service levels (e.g., MP Executive Service Level). For example, the service management server 107 can obtain a list of users who are MP subscribers from a provisioning server (not shown) maintained by an ISP. The provisioning server is a system that keeps track of the services each user is entitled to. The service management server 107 can also obtain a list of which IP addresses have been assigned to each user. If an MP subscriber has an IP address, the service management server 107 can keep track of the MP subscriber's IP address. Each update, also referred to as a transaction, will either add or delete an IP address according to the services subscribed to.
For example, when an ISP subscriber becomes a MP subscriber, an IP address is assigned to the MP subscriber and an ‘add’ transaction is added to update the master list.
As the service management server 107 applies transactions to the service data 127, it assigns a sequence number to each transaction (e.g., a monotonically increasing sequence number). In one embodiment, the sequence number (transaction number) is implemented as an unsigned 4 byte integer. In one embodiment, the service management server 107 sends transactions to each flow management system 103 in batches and sequence numbers are used between the service management server 107 and a flow management system 103 to assure that no transactions are lost. For example, User_1 and User_3 are MP subscribers. User_2 and User_4 are not MP subscribers. Table 1 illustrates transactions and sequence numbers relating to User_1, User_2, User_3 and User_4 in accordance with one embodiment of the invention.
When an ISP subscriber becomes a MP subscriber, an IP address is assigned to the MP subscriber and an ‘add’ transaction is logged with a sequence number. For example, as seen in Table 1, User_1 is a MP subscriber assigned IP address 1.2.3.4 and the ‘add’ transaction for IP address 1.2.3.4 is stored with a corresponding sequence number 105. User_2 is an ISP subscriber assigned IP address 1.2.3.6, but is not a MP subscriber, and the IP address assignment to User_2 is not stored as a transaction and is not assigned a sequence number. If a MP subscriber discontinues the MP service (e.g., a MP subscriber logs out of the MP network), the IP address assigned to the MP subscriber is released. For example, User_1 logs out and the IP address 1.2.3.4 is released. The service management server 107 does not store the release of IP address 1.2.3.4 as a transaction and does not assign the release a sequence number until the released IP address is re-assigned to an ISP subscriber who is not an MP subscriber (e.g., User_4). If the released IP address is assigned to an ISP subscriber who is not an MP subscriber (e.g., User_4), the service management server deletes the IP address of the MP subscriber discontinuing the service. For example, User_4 is assigned IP address 1.2.3.4 and is not a MP subscriber. The ‘delete’ 1.2.3.4 transaction is stored having a sequence number of 107. However, if the released IP address is re-assigned to an ISP subscriber that is a MP subscriber, the service management server continues to maintain the released IP address as an IP address assigned to a MP subscriber. For example, User_4 signs up as a MP subscriber, and an ‘add’ 1.2.3.4 transaction is stored having a sequence number of 109.
The service management server 107 has connections with one or more flow management systems 103 and maintains a list of active flow management systems 103. The list can be included as service management data 127. For each active flow management system 103 the service management server 107 stores the sequence number of the last transaction that was sent to the flow management system 103. The service management server 107 interfaces with a persistent storage unit 109 to store the service transaction data 127.
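The following is an added worked example, not code from the specification, of the master list and transaction log described above: a service management server that records an ‘add’ or ‘delete’ transaction, numbered with an unsigned 4-byte sequence number, only when an IP address starts or stops being assigned to an MP subscriber (a release on its own is not logged), sends transactions to each flow management system in batches while remembering the last sequence number sent, and a flow management client that applies batches and refuses to continue past a lost transaction. Class and method names, the batch and resend interface, and the sample users and addresses are assumptions for illustration; sequence numbers are whatever the count yields and do not reproduce the intervening entries of Table 1.

```python
"""Constructed example (not from the specification): master list of MP IP addresses,
sequence-numbered add/delete transactions, batched delivery and gap detection."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEQ_MODULO = 2 ** 32     # unsigned 4-byte sequence numbers wrap at this value


@dataclass(frozen=True)
class Transaction:
    seq: int
    op: str              # "add" or "delete"
    ip: str


class GapError(Exception):
    """A batch does not continue from the last applied sequence number."""


class ServiceManagementServer:
    """Master list of IP addresses currently assigned to MP subscribers."""

    def __init__(self, mp_subscribers: Set[str], first_seq: int = 0) -> None:
        self.mp_subscribers = set(mp_subscribers)
        self.assigned: Dict[str, str] = {}             # user -> current IP address
        self.mp_ips: Set[str] = set()                  # the master list itself
        self.log: List[Transaction] = []
        self.next_seq = first_seq % SEQ_MODULO
        self.last_sent: Dict[str, Optional[int]] = {}  # per flow management system

    def _record(self, op: str, ip: str) -> Transaction:
        tx = Transaction(self.next_seq, op, ip)
        self.next_seq = (self.next_seq + 1) % SEQ_MODULO
        self.log.append(tx)
        return tx

    def _reconcile(self, user: str, ip: str) -> Optional[Transaction]:
        # A transaction exists only when the master list changes; an address moving
        # from one MP subscriber to another, or between non-subscribers, is silent.
        is_mp = user in self.mp_subscribers
        if is_mp and ip not in self.mp_ips:
            self.mp_ips.add(ip)
            return self._record("add", ip)
        if not is_mp and ip in self.mp_ips:
            self.mp_ips.discard(ip)
            return self._record("delete", ip)
        return None

    def assign_ip(self, user: str, ip: str) -> Optional[Transaction]:
        self.assigned[user] = ip
        return self._reconcile(user, ip)

    def release_ip(self, user: str) -> None:
        # A release is not logged: the list changes only when the address is re-assigned.
        self.assigned.pop(user, None)

    def subscribe(self, user: str) -> Optional[Transaction]:
        self.mp_subscribers.add(user)
        ip = self.assigned.get(user)
        return self._reconcile(user, ip) if ip else None

    def _pending(self, after: Optional[int]) -> List[Transaction]:
        if after is None:
            return list(self.log)
        for i, tx in enumerate(self.log):
            if tx.seq == after:
                return self.log[i + 1:]
        raise KeyError(f"sequence number {after} is not in the log")

    def next_batch(self, fms_id: str, max_size: int = 100) -> List[Transaction]:
        batch = self._pending(self.last_sent.get(fms_id))[:max_size]
        if batch:
            self.last_sent[fms_id] = batch[-1].seq     # remember the last one sent
        return batch

    def resend_from(self, fms_id: str, last_applied: Optional[int]) -> List[Transaction]:
        # The client reported a gap: rewind to what it actually applied and resend.
        self.last_sent[fms_id] = last_applied
        return self.next_batch(fms_id, max_size=len(self.log))


class FlowManagementClient:
    """Local copy of the master list, kept in step by sequence number."""

    def __init__(self) -> None:
        self.mp_ips: Set[str] = set()
        self.last_seq: Optional[int] = None

    def apply_batch(self, batch: List[Transaction]) -> int:
        applied = 0
        for tx in batch:
            if self.last_seq is not None:
                expected = (self.last_seq + 1) % SEQ_MODULO
                if tx.seq != expected:
                    raise GapError(f"expected {expected}, got {tx.seq}; ask for a resend")
            if tx.op == "add":
                self.mp_ips.add(tx.ip)
            elif tx.op == "delete":
                self.mp_ips.discard(tx.ip)
            else:
                raise ValueError(f"unknown transaction type {tx.op!r}")
            self.last_seq = tx.seq
            applied += 1
        return applied

    def is_mp_address(self, ip: str) -> bool:
        return ip in self.mp_ips
```

The client checks continuity before applying each transaction rather than after the batch, so a lost transaction can never leave a stale ‘add’ in the local list while later deletes are applied; the wrap of the 4-byte counter is handled by comparing modulo 2^32 instead of by a plain greater-than test.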
The content rule implementer 123 is responsible for issuing a flow management command 113 to modify a communication flow. The content rule implementer 123 identifies a source port at the source IP address and a destination port at the destination IP address of the communication flow. The content rule implementer 123 can identify a port by a port number. The content rule implementer 123 uses the analyzed content and the services correlated to the source IP address and the destination IP address to determine which flow management command 113 to issue. The content rule implementer 123 can access business rules which can be stored in persistent storage unit 125 to determine which flow management command 113 to implement. In one embodiment, the network device 105 obtains the command 113 and implements the modification. In another embodiment, the content rule implementer 123 sends the command 113 to a queue 117. A command issuer 135 can obtain the command 113 from the queue 117 and send the command 113 to the network device 105. In one embodiment, the network device 105 is a single device hosting a load balancer 151 and a traffic controller 153. In another embodiment, the network device 105 is hosting the load balancer 151 and traffic controller 153 on separate devices and the command issuer 135 can send the command to the network device hosting the traffic controller 153 to modify the specific flow. Examples of flow management commands 113 include a Block Stream command, a Stop Mirroring Stream command, and a Continue Mirroring command.
Modifying (e.g., blocking, increasing bandwidth) a specific communication flow from a source port at a source IP address to a destination port at a destination IP address is independent of the other communication flows at other ports at the source IP address and communication flows at other ports at the destination IP address. For example, blocking a communication flow of User_1 sharing a copyright-protected music file with User_2 does not prevent User_1 from transferring music files that are not copyright-protected material to User_2, nor does it prevent User_1 from transferring copyright-protected music files to other MP service subscribers. Therefore, only a particular communication flow between a specific port on one client machine 101A and a specific port on another client machine 101B is modified (e.g., blocked).
In one embodiment, this method can be initiated by processing logic monitoring traffic of communication flows (block 201). At block 203, processing logic determines whether a source IP address and a destination IP address are part of a service of a media provider (e.g., whether an IP address is assigned to a subscriber of a MP service). Processing logic identifies a source IP address and a destination IP address of the communication flow and can access service management data to determine which services (e.g., ISP service, MP service) and service levels (e.g., MP Executive Service Level) are associated with the source IP address and the destination IP address. At block 205, processing logic analyzes the content of a communication flow to determine whether the communication flow includes content which may trigger the communication flow to be modified. Processing logic can access service management data (e.g., business rules) to determine which content requires the communication flow to be modified. For example, business rules can define that copyright-protected material in a communication flow may require the communication flow to be blocked. In another example, business rules can define that the bandwidth of communication flows including music files recorded under the Sony BMG™ recording label be increased.
At block 207, processing logic modifies a communication flow based on the analyzed content and the services associated with the IP addresses. Processing logic identifies the source port and destination port of the communication flow to modify. Processing logic can identify a port by port number. Processing logic can send a flow management command to modify a communication flow. For example, if processing logic determines the content of a communication flow is copyright-protected content being transferred to a destination IP address outside the MP network (a destination address not assigned to a MP service subscriber), processing logic sends a Block Stream command to a network device capable of controlling traffic on a flow by flow basis (e.g., a DPI system) to block the communication flow transferring the copyright-protected content from the specific source port at the source IP address to the specific destination port at the destination IP address. The network device then ends the identified communication flow from the specific port at the source IP address to the specific port at the destination IP address.
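The following is an added worked example, not code from the specification, of the per-flow decision of blocks 203 to 207: the subscriber groups of the source and destination IP addresses are looked up in a local copy of the service transaction data, the content analyzer's label for the flow is matched against ordered business rules, and the resulting flow management command is applied to one (IP1, Port1, IP2, Port2) flow only, leaving every other flow between the same two addresses untouched. The rule format, the ‘Increase Bandwidth’ command, the Disney/Pixar rights-holder attribute, the fail-closed treatment of an unmapped address, and all addresses and ports are assumptions for illustration.

```python
"""Constructed example (not from the specification): per-flow policy decision from
content label, subscriber groups and ordered business rules, applied to one flow."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Set


class FlowKey(NamedTuple):
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "FlowKey":
        return FlowKey(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Content:
    label: str                  # content analyzer output, e.g. "copyright-protected"
    rights_holder: str = ""     # assumed extra attribute; "" when not identified


@dataclass(frozen=True)
class Command:
    action: str                 # "Block Stream", "Continue Mirroring", "Increase Bandwidth"
    flow: FlowKey
    bandwidth_kbps: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    content_label: str
    rights_holder: Optional[str]     # None matches any rights holder
    src_groups: FrozenSet[str]       # groups the source address must belong to
    dst_groups: FrozenSet[str]       # groups the destination address must belong to
    action: str
    bandwidth_kbps: Optional[int] = None

    def matches(self, content: Content, src: FrozenSet[str], dst: FrozenSet[str]) -> bool:
        if content.label != self.content_label:
            return False
        if self.rights_holder is not None and self.rights_holder != content.rights_holder:
            return False
        return self.src_groups <= src and self.dst_groups <= dst


class SubscriberDirectory:
    """Local copy of service transaction data: IP address -> services and service levels."""

    def __init__(self, services: Dict[str, Set[str]]) -> None:
        self.services = {ip: frozenset(g) for ip, g in services.items()}

    def groups(self, ip: str) -> FrozenSet[str]:
        # An address with no mapping belongs to no service, so it can never satisfy
        # an MP-only rule (fail closed rather than assume membership).
        return self.services.get(ip, frozenset())


# Ordered: the first matching rule wins, so the permissive MP-to-MP rules come
# before the catch-all block of copyright-protected content.
RULES: List[Rule] = [
    Rule("copyright-protected", "Disney/Pixar", frozenset({"MP"}), frozenset({"MP"}),
         "Increase Bandwidth", bandwidth_kbps=4000),
    Rule("copyright-protected", None, frozenset({"MP"}), frozenset({"MP"}), "Continue Mirroring"),
    Rule("copyright-protected", None, frozenset(), frozenset(), "Block Stream"),
]


def decide(flow: FlowKey, content: Content, directory: SubscriberDirectory,
           rules: List[Rule] = RULES) -> Command:
    src, dst = directory.groups(flow.src_ip), directory.groups(flow.dst_ip)
    for rule in rules:
        if rule.matches(content, src, dst):
            return Command(rule.action, flow, rule.bandwidth_kbps)
    return Command("Continue Mirroring", flow)   # content that no rule restricts


class TrafficController:
    """Stand-in for the filtering network device: enforces commands flow by flow."""

    def __init__(self) -> None:
        self.blocked: Set[FlowKey] = set()
        self.bandwidth: Dict[FlowKey, int] = {}

    def apply(self, cmd: Command) -> None:
        if cmd.action == "Block Stream":
            # Both directions of one connection carry the same transfer, so the
            # reverse tuple is blocked too; other flows between the addresses are not.
            self.blocked.update({cmd.flow, cmd.flow.reverse()})
        elif cmd.action == "Increase Bandwidth" and cmd.bandwidth_kbps is not None:
            self.bandwidth[cmd.flow] = cmd.bandwidth_kbps

    def allows(self, flow: FlowKey) -> bool:
        return flow not in self.blocked
```

Two points a practitioner would check: the rules are evaluated in order, so the rule that permits MP-to-MP transfers must precede the catch-all block or every copyright-protected flow is blocked; and the block is keyed on the full port-level tuple (plus its reverse direction, since the same TCP connection carries both halves of the transfer), so a second flow between the same two hosts on other ports is not affected.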
In one embodiment, this method can be initiated by processing logic initiating a connection with a network device (block 301). In one embodiment, processing logic opens a Secure Sockets Layer (SSL) TCP connection to a specific port on the network device to initiate communication with the network device.
At block 303, processing logic determines whether a connection with a network device has been established. If a connection with the network device has not been established (block 303), processing logic returns to block 301 to attempt a connection. If a connection with the network device (e.g., a DPI system) has been established (block 303), the TCP connection remains open for the remainder of the communication between the flow management system and the network device. At block 305, processing logic obtains a copy of the traffic from the network device. In one embodiment, the network device mirrors all network traffic to the flow management system. In an alternative embodiment, the network device filters the network traffic and sends only traffic of interest to the flow management system. The traffic of interest can include one or more of P2P traffic, HTTP traffic, FTP traffic, etc.
At block 307, processing logic reassembles the traffic. For each flow, processing logic extracts and assembles the payload data (e.g., the data and information that identifies the source and destination) from the network traffic. At block 309, processing logic identifies the source IP address and the destination IP address of the communication flow. At block 311, processing logic determines the subscriber group that the source IP address belongs to, if any, and the subscriber group that the destination IP address belongs to, if any. For example, processing logic can compare the source IP address and the destination IP address to a list that maps IP addresses to services (e.g., ISP service, MP service) and maps IP addresses to service levels (e.g., MP Executive Service Level).
At block 313, processing logic identifies the content of the communication flow. For example, processing logic may identify that the content of a communication flow is copyright-protected material that may only be shared within a MP network. At block 315, processing logic uses the identity of the content, the subscriber group information for the source IP address, and the subscriber group information for the destination IP address to determine whether the communication flow between a specific port at the source IP address and a specific port at the destination IP address is permitted. For example, processing logic may determine that the copyright-protected material is being transferred from a source IP address assigned to a MP subscriber to a destination IP address that is not assigned to a MP subscriber. In such a case, the communication flow between the specific port at the source IP address and the specific port at the destination IP address is not permitted.
If the communication flow is permitted (block 315), processing logic determines whether the analysis of a particular communication flow is complete at block 323. If the communication flow is not permitted (block 315), processing logic sends a flow management command to block the communication flow at block 317. Processing logic identifies the source port (e.g., by port number) and destination port of the communication flow to modify (e.g., block). Processing logic can send the flow management command to block the communication flow to a network device to implement. In one embodiment, processing logic sends the block command to a queue before it is sent to the network device. In one embodiment, the network device will end the identified communication flow between the identified ports. In another embodiment, the network device will severely restrict the bandwidth of the identified communication flow between the identified ports.
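The decision of blocks 309 through 317, as an added example (not code from the patent): both endpoints of a flow are classified by service membership, the first matching business rule is applied, and the resulting flow management command carries the full source/destination IP and port tuple so that only that one flow is blocked or throttled, never the subscriber's other flows. The address ranges, the rule table, the content labels and the command format are assumptions made for illustration; in practice the IP list comes from the service management server.

```python
# Added example, not code from the patent: a minimal per-flow policy
# engine for blocks 309-317.  It classifies both endpoints of a flow by
# service membership, applies the first matching business rule, and emits a
# flow management command keyed on the full (src ip, src port, dst ip,
# dst port) tuple so that only that flow is touched.  The address ranges,
# rule table and command format below are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed service map (assumption): in production this is the IP list
# loaded from the service management server.
SERVICE_MAP = {
    ip_network("10.1.0.0/16"): {"ISP", "MP"},   # media provider subscribers
    ip_network("10.2.0.0/16"): {"ISP"},         # ISP-only subscribers
}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    content: str   # label from content identification, e.g. "copyright-protected"

@dataclass(frozen=True)
class Rule:
    content: str                # content label the rule applies to
    src_service: Optional[str]  # service the source must hold, or None for any
    dst_service: Optional[str]  # service the destination must hold, or None for any
    action: str                 # "Allow", "BlockStream" or "SetBandwidth"
    bandwidth_kbps: int = 0     # only used by SetBandwidth

# First match wins; flows matching no rule are left alone (assumed default).
RULES = [
    Rule("copyright-protected", "MP", "MP", "Allow"),          # inside the walled garden
    Rule("copyright-protected", None, None, "BlockStream"),    # leaving it, or outside it
    Rule("sony-bmg-music", "MP", "MP", "SetBandwidth", 4000),  # assumed priority rule
]

def services_for(ip: str) -> set:
    """Services assigned to an address; empty set if it is not a known subscriber."""
    addr = ip_address(ip)
    for net, svcs in SERVICE_MAP.items():
        if addr in net:
            return svcs
    return set()

def _matches(rule: Rule, flow: Flow) -> bool:
    if rule.content != flow.content:
        return False
    if rule.src_service and rule.src_service not in services_for(flow.src_ip):
        return False
    if rule.dst_service and rule.dst_service not in services_for(flow.dst_ip):
        return False
    return True

def decide(flow: Flow) -> Optional[dict]:
    """Return the flow management command for this flow, or None if nothing
    is to be sent.  The command always carries both ports: the action is
    applied per flow, never per subscriber."""
    for rule in RULES:
        if _matches(rule, flow):
            if rule.action == "Allow":
                return None
            cmd = {"command": rule.action,
                   "src_ip": flow.src_ip, "src_port": flow.src_port,
                   "dst_ip": flow.dst_ip, "dst_port": flow.dst_port}
            if rule.action == "SetBandwidth":
                cmd["kbps"] = rule.bandwidth_kbps
            return cmd
    return None
```

Because the "Allow" rule for MP-to-MP traffic precedes the general block rule, the same subscriber can have a copyright-protected transfer to another MP subscriber permitted while a concurrent transfer from a different source port to an ISP-only address is blocked, which is the per-flow granularity the description relies on.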
Returning to
At block 323, for example, processing logic can determine whether the remaining data in the data stream (communication flow) is necessary for further analysis. If the remaining data in the stream is necessary for further analysis (block 323), the analysis of the particular communication flow is not complete and processing logic returns to block 305 to continue receiving the mirrored traffic from the network device. If the remaining data in the stream is not necessary for further analysis (block 323), the analysis of the particular communication flow is complete and processing logic sends a command to the network device to stop mirroring the particular communication flow at block 325.
In one embodiment, processing logic sends the stop mirroring command to a queue before it is sent to the network device.
Returning to
In one embodiment, this method can be initiated by processing logic initiating a connection with a service management server (block 501). In one embodiment, processing logic opens an SSL TCP connection to a well-known port on the service management server. A flow management system has only a single TCP connection open to the service management server at a time.
At block 503, processing logic determines whether a connection with a service management server has been established. If a connection with the service management server has not been established (block 503), processing logic returns to block 501 to initiate a connection. If a connection with the service management server has been established (block 503), the TCP connection remains open for the remainder of the communication between the flow management system and the service management server.
At block 505, processing logic sends a request for service transaction data. The request can be a full load request or a delta load request. A full load request is a request for a complete list of all service (e.g., MP service) subscriber IP addresses. Processing logic can send a full load request to completely initialize its own MP IP list. In one embodiment, processing logic deletes its own service transaction data in its entirety (e.g., processing logic deletes its entire IP list) prior to sending a full load request.
A delta load request is a request for the transactions with a sequence number greater than the last transaction successfully applied to the flow management system's locally stored service transaction data (e.g., IP address list mapped to services). For example, a flow management system may have lost communication with the service management server and may have established a reconnection. Processing logic sends a delta load request to the service management server including a sequence number that indicates the last transaction that was successfully applied to the flow management system's locally stored service transaction data.
Returning to
Alternatively, processing logic can receive a Delta Data XML package in response to a delta load request.
Returning to
At block 509, processing logic determines whether a status request was received. The service management server can have communications open with one or more flow management systems and maintains a list of active flow management systems it is connected to. The service management server sends a status request to each flow management system in its list of active systems at an interval (e.g., every two minutes). In one embodiment, the status request is an XML request.
Returning to
Returning to
If a status request was not received (block 509), processing logic determines whether a predefined time period (e.g., five minutes) for receiving a status request has expired at block 515. If the predefined time period has expired (block 515), processing logic closes the TCP connection with the service management server at block 517. Processing logic returns to block 501 to attempt to reconnect to the service management server and to determine at block 503 whether a connection has been established. If a connection has not been established (block 503), processing logic returns to block 501 and continues at an interval (e.g., every five minutes) until a connection is established. If a connection is established (block 503), processing logic requests a Delta Data Load at block 505.
If the predefined time period has not expired (block 515), processing logic determines whether there is a gap in the series of sequence numbers at block 519. If processing logic detects a gap in the sequence number series (block 519), processing logic returns to block 505 to send a delta load request to request service transaction data. If processing logic does not detect a gap in the sequence number series (block 519), processing logic determines whether there is an overlap in the sequence number series at block 521.
If the sequence number series have an overlap in numbers (block 521), processing logic discards transactions which have a sequence number less than the sequence number of the last transaction that was successfully added to the flow management system's service transaction data (e.g., IP address list) at block 523. If the series of sequence numbers does not have an overlap in numbers (block 521), processing logic merges transactions into its data store in order of increasing sequence numbers at block 525. At block 527 processing logic stores the transaction data. The data can be stored in a persistent storage unit (e.g., persistent storage unit 125 in
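The synchronization logic of blocks 505 and 515 through 527, as an added example (not code from the patent): a local store of service transaction data that issues full and delta load requests, discards overlapping transactions, stops at a sequence gap and reports where the delta load must resume, merges the rest in increasing order, and detects a missed status request. The transaction fields, the request messages and the timeout value are assumptions; the ordering of the checks follows the description.

```python
# Added example, not code from the patent: the flow management system's
# local copy of the service transaction data and the sequence-number rules
# of blocks 519-527 (gap, overlap, ordered merge), plus the full and delta
# load requests of block 505 and the status-request timeout of block 515.
# The transaction fields, request dicts and timings are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Transaction:
    seq: int        # server-assigned, strictly increasing
    op: str         # "add" or "remove"
    ip: str
    service: str    # e.g. "MP"

@dataclass
class ServiceStore:
    last_applied: int = 0                               # highest seq merged so far
    table: Dict[str, Set[str]] = field(default_factory=dict)
    last_status_at: float = 0.0                         # when the last status request arrived

    def full_load_request(self) -> dict:
        # Block 505: local data is deleted in its entirety before a full load.
        self.table.clear()
        self.last_applied = 0
        return {"type": "FullLoad"}

    def delta_request(self) -> dict:
        # Block 505: ask for every transaction after the last one applied.
        return {"type": "DeltaLoad", "since": self.last_applied}

    def merge(self, txns: List[Transaction]) -> Optional[int]:
        """Merge a batch in increasing sequence order.

        Returns None when the whole batch was applied, or the sequence number
        a delta load must resume from when a gap is detected (block 519).
        Overlapping transactions (seq not above last_applied) are discarded
        (block 523) rather than re-applied."""
        batch = sorted(txns, key=lambda t: t.seq)
        batch = [t for t in batch if t.seq > self.last_applied]
        for t in batch:
            if t.seq != self.last_applied + 1:   # gap: transactions are missing
                return self.last_applied
            self._apply(t)
            self.last_applied = t.seq             # advance only after a successful apply
        return None

    def _apply(self, t: Transaction) -> None:
        svcs = self.table.setdefault(t.ip, set())
        if t.op == "add":
            svcs.add(t.service)
        elif t.op == "remove":
            svcs.discard(t.service)
        else:
            raise ValueError(f"unknown op {t.op!r} in seq {t.seq}")

    def status_timed_out(self, now: float, timeout_s: float = 300.0) -> bool:
        # Block 515: no status request within the window means the connection
        # is treated as dead and must be closed and re-established.
        return now - self.last_status_at > timeout_s
```

The gap check returns before anything from the batch is applied, so the store never records a transaction whose predecessors it has not seen; the caller then sends the delta request built from the returned sequence number, which is exactly the reconnection case described above.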
The exemplary computer system 900 includes a processing device (processor) 901, a main memory 903 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.), a static memory 905 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 915, which communicate with each other via a bus 907.
Processor 901 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processor 901 may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or a processor implementing other instruction sets or processors implementing a combination of instruction sets. The processor 901 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processor 901 is configured to execute the processing logic 925 for performing the operations and steps discussed herein.
The computer system 900 may further include a network interface device 921. The computer system 900 also may include a video display unit 909 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 911 (e.g., a keyboard), a cursor control device 913 (e.g., a mouse), and a signal generation device 919 (e.g., a speaker).
The data storage device 915 may include a machine-accessible storage medium 923 on which is stored one or more sets of instructions (e.g., software 925) embodying any one or more of the methodologies or functions described herein. The software 925 may also reside, completely or at least partially, within the main memory 903 and/or within the processor 901 during execution thereof by the computer system 900, the main memory 903 and the processor 901 also constituting machine-accessible storage media. The software 925 may further be transmitted or received over a network 917 via the network interface device 921.
The machine-accessible storage medium 923 may also be used to store data structure sets that define user identifying states and user preferences that define user profiles. Data structure sets and user profiles may also be stored in other sections of computer system 900, such as static memory 905.
While the machine-accessible storage medium 923 is shown in an exemplary embodiment to be a single medium, the term “machine-accessible storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term “machine-accessible storage medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present invention. The term “machine-accessible storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical and magnetic media, and carrier wave signals.
It is to be understood that the above description is intended to be illustrative, and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reading and understanding the above description.