`
`UNITED STATES DEPARTMENT OF COMMERCE
`
`United States Patent and Trademark Office
`
`October 17, 2018
`
`THIS IS TO CERTIFY THAT ANNEXED IS A TRUE COPY FROM THE
`
`RECORDS OF THIS OFFICE OF THE FILE WRAPPER AND CONTENTS
`OF:
`
`APPLICATION NUMBER: 09/608,237
`
`FILING DATE: June 30, 2000
`
`PATENT NUMBER: 6,651,099
`
`ISSUE DATE: November 18, 2003
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`By Authority of the
`
`Under Secretary of Commerce for Intellectual Property
`and Director of the United States Patent and Trademark Office
`
`P. R. GRANT
`
`Certifying Officer
`
`PART ({ ) OF (39 PART(S)
`
`
`
`
`
`
`
`
`
`
`
`
`
`NOAC Ex. 1015 Page 1
`
`
`
`
`
`APPLICATION NO. 09/608237
`
`Method and apparatus for monitoring traffic in a network
`
`TERMINAL
`DISCLAIMER
`
`[ ] The term of this patent subsequent to ____ has been disclaimed.
`
`[ ] The term of this patent shall not extend beyond the expiration date of U.S. Patent No. ____.
`
`MOUSTAFA M. MEKY
`
`(Primary Examiner)
`
`[ ] The terminal ____ months of this patent have been disclaimed.
`
`(Legal Instruments Examiner)
`
`WARNING:
`The information disclosed herein may be restricted. Unauthorized disclosure may be prohibited by the United States Code Title 35, Sections 122, 181 and 368.
`Possession outside the U.S. Patent & Trademark Office is restricted to authorized employees and contractors only.
`
`FILED WITH: [ ] DISK (OFF) [ ] FICHE [ ] CD-ROM
`(Attached in packet on right inside flap)
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`COMMISSIONER FOR PATENTS
`UNITED STATES PATENT AND TRADEMARK OFFICE
`WASHINGTON, D.C. 20231
`www.uspto.gov
`
`CONFIRMATION NO. 9993
`
`Bib Data Sheet
`
`SERIAL NUMBER: 09/608,237
`FILING DATE: 06/30/2000
`RULE:
`GROUP ART UNIT: 2755
`ATTORNEY DOCKET NO.: APPT-001-1
`
`APPLICANTS
`Russell S. Dietz, San Jose, CA;
`Joseph R. Maixner, Aptos, CA;
`Andrew A. Koppenhaver, Littleton, CO;
`William H. Bares, Germantown, TN;
`Haig A. Sarkissian, San Antonio, TX;
`James F. Torgerson, Andover, MN;
`
`
`** CONTINUING DATA *************************
`THIS APPLN CLAIMS BENEFIT OF 60/141,903 06/30/1999
`
`** FOREIGN APPLICATIONS ********************
`
`Foreign Priority claimed: yes / no
`35 USC 119 (a-d) conditions met: yes / no / Met after Allowance
`Examiner's Signature / Initials
`STATE OR COUNTRY
`SHEETS DRAWING
`
`FILING FEE RECEIVED
`FEES: Authority has been given in Paper No. ____ to charge/credit DEPOSIT ACCOUNT for following:
`All Fees
`1.16 Fees (Filing)
`1.17 Fees (Processing Ext. of time)
`1.18 Fees (Issue)
`Other
`Credit
`
`
`
`Box Patent Application
`ASSISTANT COMMISSIONER FOR PATENTS
`Washington, D.C. 20231
`
`IN THE U.S. PATENT AND TRADEMARK OFFICE
`Application Transmittal Sheet
`
`Our Ref/Docket No.: APPT-001-1
`
`Dear Assistant Commissioner:
`
`Transmitted herewith is the patent application of
`
`INVENTOR(s)/APPLICANT(s)
`
`Last Name | First Name, MI | Residence (City and State or Country)
`Dietz | Russell S. | San Jose, CA
`Maixner | Joseph R. | Aptos, CA
`Koppenhaver | Andrew A. | Fairfax, VA
`
`Additional inventors are being named on separately numbered sheets attached hereto.
`
`TITLE OF THE INVENTION
`
`METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A NETWORK
`
`CORRESPONDENCE ADDRESS AND AGENT FOR APPLICANT(S)
`
`Dov Rosenfeld, Reg. No. 38,687
`5507 College Avenue, Suite 2
`Oakland, California, 94618
`
`Telephone: (510) 547-3378; Fax: (510) 653-7992
`
`ENCLOSED APPLICATION PARTS (check all that apply)
`
`Included are:
`X 66 sheet(s) of specification, claims, and abstract
`X 18 sheet(s) of formal Drawing(s) with a submission letter to the Official Draftsperson
`Information Disclosure Statement.
`Form PTO-1449: INFORMATION DISCLOSURE CITATION IN AN APPLICATION, together with a copy of each references included in PTO-1449.
`Declaration and Power of Attorney
`An assignment of the invention to Apptitude, Inc.
`A letter requesting recordation of the assignment.
`An assignment Cover Sheet.
`Additional inventors are being named on separately numbered sheets attached hereto.
`Return postcard.
`This application has:
`a small entity status. A verified statement: is enclosed / was already filed.
`
`The fee has been calculated as shown in the following page.
`
`
`Certificate of Mailing under 37 CFR 1.10
`
`I hereby certify that this application and all attachments are being deposited with the United States Postal Service as Express Mail (Express Mail Label: EI417961944US) in an envelope addressed to Box Patent Application, Assistant Commissioner for Patents, Washington, D.C. 20231 on
`
`Date: W 30
`Signed:
`Name: Dov Rosenfeld, Reg. No. 38687
`
`SUBMISSION DOCUMENT
`ATTORNEY DOCKET NO. APPT-001-1
`
`Page 2
`
`TOTAL CLAIMS | NO. OF EXTRA CLAIMS | RATE | EXTRA CLAIM FEE
`
`BASIC APPLICATION FEE: $ 690.00
`
`TOTAL FEES PAYABLE: $1,470.00
`
`METHOD OF PAYMENT
`
`A check in the amount of ____ is attached for application fee and presentation of claims.
`A check in the amount of $ 40.00 is attached for recordation of the Assignment.
`The Commissioner is hereby authorized to charge payment of any missing filing or other fees required for this filing or credit any overpayment to Deposit Account No. 50-0292
`(A DUPLICATE OF THIS TRANSMITTAL IS ATTACHED):
`
`Respectfully Submitted,
`
`
`
`
`Date
`
`Dov Rosenfeld, Reg. No. 38687
`
`Correspondence Address:
`Dov Rosenfeld
`5507 College Avenue, Suite 2
`Oakland, California, 94618
`Telephone: (510) 547-3378; Fax: (510) 653-7992
`
`
`
`
`SUBMISSION DOCUMENT
`ATTORNEY DOCKET NO. APPT-001-1
`
`Page 3
`
`Application Cover Sheet (cont)
`
`INVENTOR(s)/APPLICANT(S)
`
`Last Name | First Name, MI | Residence (City and Either State or Foreign Country)
`Bares | William H. | Germantown, TN
`Sarkissian | Haig A. | San Antonio, Texas
`Torgerson | James F. | Andover, MN
`
`
`
`
`Our Ref/Docket No: APPT-001-1
`
`Patent
`
`IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
`
`Applicant(s): Dietz, et al.
`
`Group Art Unit: unassigned
`
`Title: METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A NETWORK
`
`Examiner: unassigned
`
`
`
`LETTER TO OFFICIAL DRAFTSPERSON
`
`SUBMISSION OF FORMAL DRAWINGS
`
`The Assistant Commissioner for Patents
`
`Washington, DC 20231
`ATTN: Official Draftsperson
`
`Dear Sir or Madam:
`
`Attached please find 18 sheets of formal drawings to be made of record for the above
`identified patent application submitted herewith.
`
`Respectfully Submitted,
`
`Date
`
`Dov Rosenfeld, Reg. No. 38687
`
`Address for correspondence and attorney for applicant(s):
`Dov Rosenfeld, Reg. No. 38,687
`5507 College Avenue, Suite 2
`Oakland, CA 94618
`Telephone: (510) 547-3378; Fax: (510) 653-7992
`
`
`
`Certificate of Mailing under 37 CFR 1.10
`I hereby certify that this application and all attachments are being deposited with the United States Postal Service as Express Mail (Express Mail Label: ____) in an envelope addressed to Box Patent Application, Assistant Commissioner for Patents, Washington, DC 20231
`
`Signed:
`
`Name: Dov Rosenfeld, Reg. No. 38687
`
`Our Ref/Docket No.: APPT-001-1
`
`METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A NETWORK
`
`
`Inventor(s):
`
`DIETZ, Russell S.
`San Jose, CA
`
`MAIXNER, Joseph R.
`Aptos, CA
`
`KOPPENHAVER, Andrew A.
`Fairfax, VA
`
`BARES, William H.
`Germantown, TN
`
`SARKISSIAN, Haig A.
`San Antonio, Texas
`
`TORGERSON, James F.
`Andover, MN
`
`
`Certificate of Mailing under 37 CFR 1.10
`I hereby certify that this application and all attachments are being deposited with the United States Postal Service as Express Mail (Express Mail Label: EI417961944US) in an envelope addressed to Box Patent Application, Assistant Commissioner for Patents, Washington, D.C. 20231 on
`
`Signed:
`
`Name: Dov Rosenfeld, Reg. No. 38687
`
`
`METHOD AND APPARATUS FOR MONITORING
`
`TRAFFIC IN A NETWORK
`
`CROSS-REFERENCE TO RELATED APPLICATION
`
`This application claims the benefit of U.S. Provisional Patent Application Serial No.:
`
`60/141,903 for METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A
`
`NETWORK to inventors Dietz, et al., filed June 30, 1999, the contents of which are
`
`incorporated herein by reference.
`
`This application is related to the following U.S. patent applications, each filed
`
`concurrently with the present application, and each assigned to Apptitude, Inc., the
`
`assignee of the present invention:
`
`U.S. Patent Application Serial No. ____ for PROCESSING PROTOCOL SPECIFIC INFORMATION IN PACKETS SPECIFIED BY A PROTOCOL DESCRIPTION LANGUAGE, to inventors Koppenhaver, et al., filed June 30, 2000, and incorporated herein by reference.
`
`U.S. Patent Application Serial No. ____ for RE-USING INFORMATION FROM DATA TRANSACTIONS FOR MAINTAINING STATISTICS IN NETWORK MONITORING, to inventors Dietz, et al., filed June 30, 2000, Attorney-Agent ____, and incorporated herein by reference.
`
`U.S. Patent Application Serial No. ____ for ASSOCIATIVE CACHE STRUCTURE FOR LOOKUPS AND UPDATES OF FLOW RECORDS IN A NETWORK MONITOR, to inventors Sarkissian, et al., filed June 30, 2000, and incorporated herein by reference.
`
`U.S. Patent Application Serial No. ____ for STATE PROCESSOR FOR PATTERN MATCHING IN A NETWORK MONITOR DEVICE, to inventors Sarkissian, et al., filed June 30, 2000, and incorporated herein by reference.
`
`FIELD OF INVENTION
`
`
`
`The present invention relates to computer networks, specifically to the real-time
`
`elucidation of packets communicated within a data network, including classification
`
`according to protocol and application program.
`
`BACKGROUND TO THE PRESENT INVENTION
`
`There has long been a need for network activity monitors. This need has become
`
`especially acute, however, given the recent popularity of the Internet and other internets—
`
`an “internet” being any plurality of interconnected networks which forms a larger, single
`
`network. With the growth of networks used as a collection of clients obtaining services
`
`from one or more servers on the network, it is increasingly important to be able to
`
`monitor the use of those services and to rate them accordingly. Such objective
`
`information, for example, as which services (i.e., application programs) are being used,
`
`who is using them, how often they have been accessed, and for how long, is very useful in
`
`the maintenance and continued operation of these networks. It is especially important that
`
`selected users be able to access a network remotely in order to generate reports on
`
`network use in real time. Similarly, a need exists for a real-time network monitor that can
`
`provide alarms notifying selected users of problems that may occur with the network or
`
`site.
`
`
`
`
`One prior art monitoring method uses log files. In this method, selected network
`
`activities may be analyzed retrospectively by reviewing log files, which are maintained by
`
`network servers and gateways. Log file monitors must access this data and analyze
`
`(“mine”) its contents to determine statistics about the server or gateway. Several problems
`
`exist with this method, however. First, log file information does not provide a map of
`
`real-time usage; and secondly, log file mining does not supply complete information. This
`
`method relies on logs maintained by numerous network devices and servers, which
`
`requires that the information be subjected to refining and correlation. Also, sometimes
`
`information is simply not available to any gateway or server in order to make a log file
`
`entry.
`
`One such case, for example, would be information concerning NetMeeting®
`
`(Microsoft Corporation, Redmond, Washington) sessions in which two computers
`
`connect directly on the network and the data is never seen by a server or a gateway.
`
`Another disadvantage of creating log files is that the process requires data logging
`
`features of network elements to be enabled, placing a substantial load on the device,
`
`which results in a subsequent decline in network performance. Additionally, log files can
`
`grow rapidly, there is no standard means of storage for them, and they require a
`
`significant amount of maintenance.
`
`Though Netflow® (Cisco Systems, Inc., San Jose, California), RMON2, and other
`
`network monitors are available for the real-time monitoring of networks, they lack
`
`visibility into application content and are typically limited to providing network layer
`
`level information.
`
`Pattern-matching parser techniques wherein a packet is parsed and pattern filters
`
`are applied are also known, but these too are limited in how deep into the protocol stack
`
`they can examine packets.
`
`Some prior art packet monitors classify packets into connection flows. The term
`
`“connection flow” is commonly used to describe all the packets involved with a single
`
`connection. A conversational flow, on the other hand, is the sequence of packets that are
`
`exchanged in any direction as a result of an activity—for instance, the running of an
`
`application on a server as requested by a client. It is desirable to be able to identify and
`
`classify conversational flows rather than only connection flows. The reason for this is that
`
`some conversational flows involve more than one connection, and some even involve
`
`more than one exchange of packets between a client and server. This is particularly true
`
`when using client/server protocols such as RPC, DCOMP, and SAP, which enable a
`
`service to be set up or defined prior to any use of that service.
`
`An example of such a case is the SAP (Service Advertising Protocol), a NetWare
`
`(Novell Systems, Provo, Utah) protocol used to identify the services and addresses of
`
`servers attached to a network. In the initial exchange, a client might send a SAP request to
`
`a server for print service. The server would then send a SAP reply that identifies a
`
`particular address—for example, SAP#5—as the print service on that server. Such
`
`responses might be used to update a table in a router, for instance, known as a Server
`
`Information Table. A client who has inadvertently seen this reply or who has access to the
`
`table (via the router that has the Service Information Table) would know that SAP#5 for
`
`this particular server is a print service. Therefore, in order to print data on the server, such
`
`a client would not need to make a request for a print service, but would simply send data
`
`to be printed specifying SAP#5. Like the previous exchange, the transmission of data to
`
`be printed also involves an exchange between a client and a server, but requires a second
`
`connection and is therefore independent of the initial exchange. In order to eliminate the
`
`possibility of disjointed conversational exchanges, it is desirable for a network packet
`
`monitor to be able to “virtually concatenate”—that is, to link—the first exchange with the
`
`second. If the clients were the same, the two packet exchanges would then be correctly
`
`identified as being part of the same conversational flow.
`
`Other protocols that may lead to disjointed flows include RPC (Remote Procedure
`
`Call); DCOM (Distributed Component Object Model), formerly called Network OLE
`
`(Microsoft Corporation, Redmond, Washington); and CORBA (Common Object Request
`
`Broker Architecture). RPC is a programming interface from Sun Microsystems (Palo
`
`Alto, California) that allows one program to use the services of another program in a
`
`remote machine. DCOM, Microsoft’s counterpart to CORBA, defines the remote
`
`procedure call that allows those objects—objects are self-contained software modules—to
`
`be run remotely over the network. And CORBA, a standard from the Object Management
`
`Group (OMG) for communicating between distributed objects, provides a way to execute
`
`programs (objects) written in different programming languages running on different
`
`platforms regardless of where they reside in a network.
`
`What is needed, therefore, is a network monitor that makes it possible to
`
`continuously analyze all user sessions on a heavily trafficked network. Such a monitor
`
`should enable non-intrusive, remote detection, characterization, analysis, and capture of
`
`all information passing through any point on the network (i.e., of all packets and packet
`
`streams passing through any location in the network). Not only should all the packets be
`
`detected and analyzed, but for each of these packets the network monitor should
`
`determine the protocol (e.g., http, ftp, H.323, VPN, etc.), the application/use within the
`
`protocol (e.g., voice, video, data, real-time data, etc.), and an end user’s pattern of use
`
`within each application or the application context (e.g., options selected, service
`
`delivered, duration, time of day, data requested, etc.). Also, the network monitor should
`
`not be reliant upon server resident information such as log files. Rather, it should allow a
`
`user such as a network administrator or an Internet service provider (ISP) the means to
`
`measure and analyze network activity objectively; to customize the type of data that is
`
`collected and analyzed; to undertake real time analysis; and to receive timely notification
`
`of network problems.
`
`Considering the previous SAP example again, because one feature of the
`
`invention is to correctly identify the second exchange as being associated with a print
`
`service on that server, such exchange would even be recognized if the clients were not the
`
`same. What distinguishes this invention from prior art network monitors is that it has the
`
`ability to recognize disjointed flows as belonging to the same conversational flow.
`
`The data value in monitoring network communications has been recognized by
`
`many inventors. Chiu, et al., describe a method for collecting information at the session
`
`level in a computer network in United States Patent 5,101,402, titled “APPARATUS
`
`AND METHOD FOR REAL-TIME MONITORING OF NETWORK SESSIONS AND
`
`A LOCAL AREA NETWORK” (the “402 patent”). The 402 patent specifies fixed
`
`locations for particular types of packets to extract information to identify the session of a
`
`packet. For example, if a DECnet packet appears, the 402 patent looks at six specific
`
`fields (at 6 locations) in the packet in order to identify the session of the packet. If, on the
`
`other hand, an IP packet appears, a different set of six different locations is specified for
`
`an IP packet. With the proliferation of protocols, clearly the specifying of all the possible
`
`places to look to determine the session becomes more and more difficult. Likewise,
`
`adding a new protocol or application is difficult. In the present invention, the locations
`
`examined and the information extracted from any packet are adaptively determined from
`
`information in the packet for the particular type of packet. There is no fixed definition of
`
`what to look for and where to look in order to form an identifying signature. A monitor
`
`implementation of the present invention, for example, adapts to handle an IEEE
`
`802.3 packet differently from the older Ethernet Type 2 (or Version 2) DIX (Digital-Intel-Xerox)
`
`packet.
`
`The 402 patent system is able to recognize up to the session layer. In the present
`
`invention, the number of levels examined varies for any particular protocol. Furthermore,
`
`the present invention is capable of examining up to whatever level is sufficient to
`
`uniquely identify to a required level, even all the way to the application level (in the OSI
`
`model).
`
`Other prior art systems also are known. Phael describes a network activity monitor
`
`that processes only randomly selected packets in United States Patent 5,315,580, titled
`
`“NETWORK MONITORING DEVICE AND SYSTEM.” Nakamura teaches a network
`
`monitoring system in United States Patent 4,891,639, titled “MONITORING SYSTEM
`
`OF NETWORK.” Ross, et al., teach a method and apparatus for analyzing and
`
`monitoring network activity in United States Patent 5,247,517, titled “METHOD AND
`
`APPARATUS FOR ANALYSIS NETWORKS.” McCreery, et al., describe an Internet
`
`activity monitor that decodes packet data at the Internet protocol level layer in United
`
`States Patent 5,787,253, titled “APPARATUS AND METHOD OF ANALYZING
`
`INTERNET ACTIVITY.” The McCreery method decodes IP packets. It goes through the
`
`decoding operations for each packet, and therefore uses the processing overhead for both
`
`recognized and unrecognized flows. In a monitor implementation of the present invention,
`
`a signature is built for every flow such that future packets of the flow are easily
`
`recognized. When a new packet in the flow arrives, the recognition process can
`
`commence from where it last left off, and a new signature built to recognize new packets
`
`of the flow.
`
`SUMMARY
`
`In its various embodiments the present invention provides a network monitor that
`
`can accomplish one or more of the following objects and advantages:
`
`• Recognize and classify all packets that are exchanged between a client and
`
`server into respective client/server applications.
`
`• Recognize and classify at all protocol layer levels conversational flows that
`
`pass in either direction at a point in a network.
`
`• Determine the connection and flow progress between clients and servers
`
`according to the individual packets exchanged over a network.
`
`• Be used to help tune the performance of a network according to the current
`
`mix of client/server applications requiring network resources.
`
`• Maintain statistics relevant to the mix of client/server applications using
`
`network resources.
`
`• Report on the occurrences of specific sequences of packets used by particular
`
`applications for client/server network conversational flows.
`
`Other aspects of embodiments of the invention are:
`
`• Properly analyzing each of the packets exchanged between a client and a
`
`server and maintaining information relevant to the current state of each of
`
`these conversational flows.
`
`• Providing a flexible processing system that can be tailored or adapted as new
`
`applications enter the client/server market.
`
`• Maintaining statistics relevant to the conversational flows in a client/server
`
`network as classified by an individual application.
`
`• Reporting a specific identifier, which may be used by other network-oriented
`
`devices to identify the series of packets with a specific application for a
`
`specific client/server network conversational flow.
`
`In general, the embodiments of the present invention overcome the problems and
`
`disadvantages of the art.
`
`As described herein, one embodiment analyzes each of the packets passing
`
`through any point in the network in either direction, in order to derive the actual
`
`application used to communicate between a client and a server. Note that there could be
`
`several simultaneous and overlapping applications executing over the network that are
`
`independent and asynchronous.
`
`A monitor embodiment of the invention successfully classifies each of the
`
`individual packets as they are seen on the network. The contents of the packets are parsed
`
`and selected parts are assembled into a signature (also called a key) that may then be used
`
`to identify further packets of the same conversational flow, for example to further analyze
`
`the flow and ultimately to recognize the application program. Thus the key is a function
`
`of the selected parts, and in the preferred embodiment, the function is a concatenation of
`
`the selected parts. The preferred embodiment forms and remembers the state of any
`
`conversational flow, which is determined by the relationship between individual packets
`
`and the entire conversational flow over the network. By remembering the state of a flow
`
`in this way, the embodiment determines the context of the conversational flow, including
`
`the application program it relates to and parameters such as the time, length of the
`
`conversational flow, data rate, etc.
`
`The monitor is flexible to adapt to future applications developed for client/server
`
`networks. New protocols and protocol combinations may be incorporated by compiling
`
`files written in a high-level protocol description language.
`
`
`
`The monitor embodiment of the present invention is preferably implemented in
`
`application-specific integrated circuits (ASIC) or field programmable gate arrays (FPGA).
`
`In one embodiment, the monitor comprises a parser subsystem that forms a signature from
`
`a packet. The monitor further comprises an analyzer subsystem that receives the signature
`
`from the parser subsystem.
`
`A packet acquisition device such as a media access controller (MAC) or a
`
`segmentation and reassembly module is used to provide packets to the parser subsystem
`
`of the monitor.
`
`In a hardware implementation, the parsing subsystem comprises two sub-parts, the
`
`pattern analysis and recognition engine (PRE), and an extraction engine (slicer). The PRE
`
`interprets each packet, and in particular, interprets individual fields in each packet
`
`according to a pattern database.
`
`The different protocols that can exist in different layers may be thought of as
`
`nodes of one or more trees of linked nodes. The packet type is the root of a tree. Each
`
`protocol is either a parent node or a terminal node. A parent node links a protocol to other
`
`protocols (child protocols) that can be at higher layer levels. For example, an Ethernet
`
`packet (the root node) may be an Ethertype packet—also called an Ethernet Type/Version
`2 and a DIX (DIGITAL-Intel-Xerox packet)—or an IEEE 802.3 packet. Continuing with
`
`the IEEE 802.3-type packet, one of the children nodes may be the IP protocol, and one of
`
`the children of the IP protocol may be the TCP protocol.
`
`The pattern database includes a description of the different headers of packets and
`
`their contents, and how these relate to the different nodes in a tree. The PRE traverses the
`
`tree as far as it can. If a node does not include a link to a deeper level, pattern matching is
`
`declared complete. Note that protocols can be the children of several parents. If a unique
`
`node was generated for each of the possible parent/child trees, the pattern database might
`
`become excessively large. Instead, child nodes are shared among multiple parents, thus
`
`compacting the pattern database.
`
`Finally, the PRE can be used on its own when only protocol recognition is
`
`required.
`
`For each protocol recognized, the slicer extracts important packet elements from
`
`the packet. These form a signature (i.e., key) for the packet. The slicer also preferably
`
`generates a hash for rapidly identifying a flow that may have this signature from a
`
`database of known flows.
`
`The flow signature of the packet, the hash and at least some of the payload are
`
`passed to an analyzer subsystem. In a hardware embodiment, the analyzer subsystem
`
`includes a unified flow key buffer (UFKB) for receiving parts of packets from the parser
`
`subsystem and for storing signatures in process, a lookup/update engine (LUE) to lookup
`
`a database of flow records for previously encountered conversational flows to determine
`
`whether a signature is from an existing flow, a state processor (SP) for performing state
`
`processing, a flow insertion and deletion engine (FIDE) for inserting new flows into the
`
`database of flows, a memory for storing the database of flows, and a cache for speeding
`
`up access to the memory containing the flow database. The LUE, SP, and FIDE are all
`
`coupled to the UFKB, and to the cache.
`
`The unified flow key buffer thus contains the flow signature of the packet, the
`
`hash and at least some of the payload for analysis in the analyzer subsystem. Many
`
`operations can be performed to further elucidate the identity of the application program
`
`content of the packet involved in the client/server conversational flow while a packet
`
`signature exists in the unified flow signature buffer. In the particular hardware
`
`embodiment of the analyzer subsystem several flows may be processed in parallel, and
`
`multiple flow signatures from all the packets being analyzed in parallel may be held in the
`
`one UFKB.
`
`The first step in the packet analysis process of a packet from the parser subsystem
`
`is to lookup the instance in the current database of known packet flow signatures. A
`
`lookup/update engine (LUE) accomplishes this task using first the hash, and then the flow
`
`signature. The search is carried out in the cache and if there is no flow with a matching
`
`signature in the cache, the lookup engine attempts to retrieve the flow from the flow
`
`database in the memory. The flow-entry for previously encountered flows preferably
`
`includes state information, which is used in the state processor to execute any operations
`
`defined for the state, and to determine the next state. A typical state operation may be to
`
`search for one or more known reference strings in the payload of the packet stored in the
`
`UFKB.
`
`Once the lookup processing by the LUE has been completed, a flag stating whether
`
`it is found or is new is set within the unified flow signature buffer structure for this packet
`
`flow signature. For an existing flow, the flow-entry is updated by a calculator component
`
`of the LUE that adds values to counters in the flow-entry database used to store one or
`
`more statistical measures of the flow. The counters are used for determining network
`
`usage metrics on the flow.
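
An added software sketch, not code from the patent or its file wrapper, of the pipeline the Summary describes: protocol-tree traversal with a shared child node, slicing selected fields into a concatenated signature, hashing, and lookup/update of a flow-entry followed by a state step. The node names, the CRC-32 hash and bucket count, the endpoint ordering, the reference strings and the sample frames are assumptions constructed for illustration.

```python
import struct
import zlib

N_BUCKETS = 1024  # assumed hash-table size

# Each node returns (selected fields, child protocol name or None, next offset).
def eth_node(pkt, off):
    """Root node: Ethertype (DIX) framing or IEEE 802.3 with LLC/SNAP."""
    etype = struct.unpack_from("!H", pkt, off + 12)[0]
    if etype > 1500:                                   # Ethertype / Version 2
        return {}, ETH_CHILDREN.get(etype), off + 14
    if pkt[off + 14:off + 17] == b"\xaa\xaa\x03":      # 802.3 length + SNAP
        snap = struct.unpack_from("!H", pkt, off + 20)[0]
        return {}, ETH_CHILDREN.get(snap), off + 22
    return {}, None, off + 14

def ip_node(pkt, off):
    ihl = (pkt[off] & 0x0F) * 4 if len(pkt) > off else 0
    if ihl < 20 or len(pkt) < off + 20:
        raise IndexError("truncated or malformed IP header")
    proto = pkt[off + 9]
    fields = {"proto": bytes([proto]),
              "src": pkt[off + 12:off + 16], "dst": pkt[off + 16:off + 20]}
    return fields, IP_CHILDREN.get(proto), off + ihl

def tcp_node(pkt, off):
    if len(pkt) < off + 20:
        raise IndexError("truncated TCP header")
    fields = {"sport": pkt[off:off + 2], "dport": pkt[off + 2:off + 4]}
    return fields, None, off + (pkt[off + 12] >> 4) * 4

# Pattern database (constructed). The "ip" child is one shared node reached
# from both Ethernet framings rather than a copy per parent.
ETH_CHILDREN = {0x0800: "ip"}
IP_CHILDREN = {6: "tcp"}
PATTERN_DB = {"ethernet": eth_node, "ip": ip_node, "tcp": tcp_node}

def parse(pkt):
    """Parser subsystem: walk the tree, slice fields, build signature and hash."""
    node, off, path, fields = "ethernet", 0, [], {}
    while node is not None:            # a node with no child link ends matching
        try:
            extracted, child, nxt = PATTERN_DB[node](pkt, off)
        except (struct.error, IndexError):
            break                      # truncated header: keep what was recognized
        path.append(node)
        fields.update(extracted)
        node, off = child, nxt
    # Assumption: endpoints are ordered so both directions yield one key.
    ends = sorted((fields.get("src", b"") + fields.get("sport", b""),
                   fields.get("dst", b"") + fields.get("dport", b"")))
    signature = ("/".join(path).encode() + b"|" + fields.get("proto", b"")
                 + ends[0] + ends[1])  # key = concatenation of selected parts
    return path, signature, zlib.crc32(signature) % N_BUCKETS, pkt[off:]

# Constructed reference strings for the state operation.
REFERENCE_STRINGS = {b"GET ": "http-request", b"HTTP/": "http-response"}

class Analyzer:
    """Lookup by hash, then by signature; update counters; run a state step."""
    def __init__(self):
        self.buckets = {}                      # hash -> {signature: flow-entry}

    def process(self, pkt):
        path, signature, h, payload = parse(pkt)
        bucket = self.buckets.setdefault(h, {})
        entry = bucket.get(signature)          # full compare settles collisions
        is_new = entry is None                 # the found/new flag
        if is_new:                             # flow insertion
            entry = bucket[signature] = {"path": path, "state": "initial",
                                         "packets": 0, "bytes": 0}
        entry["packets"] += 1                  # statistical counters
        entry["bytes"] += len(pkt)
        for ref, state in REFERENCE_STRINGS.items():
            if payload.startswith(ref):        # search payload for a reference string
                entry["state"] = state
        return is_new, entry

def build_frame(src, dst, sport, dport, payload, dot3=False):
    """Constructed sample input: Ethernet + IPv4 + TCP with zeroed checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload),
                     0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
    macs = bytes.fromhex("020000000001020000000002")
    body = ip + tcp + payload
    if dot3:                                   # IEEE 802.3 length + LLC/SNAP
        llc_snap = bytes.fromhex("aaaa030000000800")
        return macs + struct.pack("!H", len(llc_snap) + len(body)) + llc_snap + body
    return macs + struct.pack("!H", 0x0800) + body
```
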
`
`After the packet flow signature has been looked up and contents of the current
`
`flow signature are in the database, a state processor can begin analyzing the packet
`
`payload to further elucidate the identity of the application program component of this
`
`packet. The exact operation of the state processor and functions performed by it will vary
`
`depending on the current pack