UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office

October 17, 2018

THIS IS TO CERTIFY THAT ANNEXED IS A TRUE COPY FROM THE RECORDS OF THIS OFFICE OF THE FILE WRAPPER AND CONTENTS OF:

APPLICATION NUMBER: 09/608,237
FILING DATE: June 30, 2000
PATENT NUMBER: 6,651,099
ISSUE DATE: November 18, 2003

By Authority of the
Under Secretary of Commerce for Intellectual Property
and Director of the United States Patent and Trademark Office

P.R. GRANT
Certifying Officer

PART ( ) OF ( ) PART(S)

NOAC Ex. 1015 Page 1

APPLICATION NO. 09/608237

APPLICANTS
[illegible]
William Bares

TITLE
Method and apparatus for monitoring traffic in a

TERMINAL DISCLAIMER
The term of this patent subsequent to ______ (date) has been disclaimed.
The term of this patent shall not extend beyond the expiration date of U.S. Patent No. ______
The terminal ______ months of this patent have been disclaimed.

(Assistant Examiner)
(Legal Instruments Examiner) (Date)
MOUSTAFA M. MEKY, PRIMARY EXAMINER
(Primary Examiner)

The information disclosed herein may be restricted. Unauthorized disclosure may be prohibited by the United States Code Title 35, Sections 122, 181 and 368. Possession outside the U.S. Patent & Trademark Office is restricted to authorized employees and contractors only.

FILED WITH: DISK (CRF), FICHE, CD-ROM (Attached in pocket on a flap)
ISSUE FEE IN FILE
Amount Due
ISSUE BATCH NUMBER
(FACE)

UNITED STATES PATENT AND TRADEMARK OFFICE

COMMISSIONER FOR PATENTS
UNITED STATES PATENT AND TRADEMARK OFFICE
WASHINGTON, D.C. 20231
www.uspto.gov

Bib Data Sheet
CONFIRMATION NO. 9993

SERIAL NUMBER: 09/608,237
FILING DATE: 06/30/2000
RULE:
GROUP ART UNIT: 2755
ATTORNEY DOCKET NO.: APPT-001-1

APPLICANTS
Russell S. Dietz, San Jose, CA;
Joseph R. Maixner, Aptos, CA;
Andrew A. Koppenhaver, Littleton, CO;
William H. Bares, Germantown, TN;
Haig A. Sarkissian, San Antonio, TX;
James F. Torgerson, Andover, MN;

** CONTINUING DATA **
THIS APPLN CLAIMS BENEFIT OF 60/141,903 06/30/1999

** FOREIGN APPLICATIONS **

IF REQUIRED, FOREIGN FILING LICENSE GRANTED ** 08/21/2000

Foreign Priority claimed; 35 USC 119 (a-d) conditions met: yes / no / Met after Allowance
STATE OR COUNTRY:
SHEETS DRAWING:
Examiner's Signature, Initials

ADDRESS
Dov Rosenfeld
Suite 2
5507 College Avenue
Oakland, CA 94618

TITLE
Method and apparatus for monitoring traffic in a network

FILING FEE RECEIVED
FEES: Authority has been given in Paper No. ______ to charge/credit DEPOSIT ACCOUNT for following:
1.18 Fees (Issue)
Other
Credit

IN THE U.S. PATENT AND TRADEMARK OFFICE
Application Transmittal Sheet

Our Ref./Docket No.: APPT-001-1

Box Patent Application
ASSISTANT COMMISSIONER FOR PATENTS
Washington, D.C. 20231

Dear Assistant Commissioner:

Transmitted herewith is the patent application of

INVENTOR(s)/APPLICANT(s)
Last Name; First Name, MI; Residence (City and State or Country)
Dietz; Russell S.; San Jose, CA
Maixner; Joseph R.; Aptos, CA
Koppenhaver; Andrew A.; Fairfax, VA
Additional inventors are being named on separately numbered sheets attached hereto.

TITLE OF THE INVENTION
METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A NETWORK

CORRESPONDENCE ADDRESS AND AGENT FOR APPLICANT(S)
Dov Rosenfeld, Reg. No. 38,387
5507 College Avenue, Suite 2
Oakland, California, 94618
Telephone: (510) 547-3378; Fax: (510) 653-7992

ENCLOSED APPLICATION PARTS (check all that apply)
Included are:
X 66 sheet(s) of specification, claims, and abstract
X 18 sheet(s) of formal Drawing(s) with a submission letter to the Official Draftsperson
Information Disclosure Statement.
Form PTO-1449: INFORMATION DISCLOSURE CITATION IN AN APPLICATION, together with a copy of each references included in PTO-1449.
Declaration and Power of Attorney
An assignment of the invention to Apptitude, Inc.
A letter requesting recordation of the assignment.
An assignment Cover Sheet.
Additional inventors are being named on separately numbered sheets attached hereto.
Return postcard.

This application has:
a small entity status. A verified statement:
is enclosed
was already filed.

The fee has been calculated as shown in the following page.

Certificate of Mailing under 37 CFR 1.10
I hereby certify that this application and all attachments are being deposited with the United States Postal Service as Express Mail (Express Mail Label: EI417961944US) in an envelope addressed to Box Patent Application, Assistant Commissioner for Patents, Washington, D.C. 20231 on
Date: [illegible]
Signed
Name: Dov Rosenfeld, Reg. No. 38687

SUBMISSION DOCUMENT
Page 2
ATTORNEY DOCKET NO. APPT-001-1

BASIC APPLICATION FEE: $ 690.00
TOTAL FEES PAYABLE: $1,470.00

METHOD OF PAYMENT

A check in the amount of ______ is attached for application fee and presentation of claims.
A check in the amount of $ 40.00 is attached for recordation of the Assignment.
The Commissioner is hereby authorized to charge payment of any missing filing or other fees required for this filing or credit any overpayment to Deposit Account No. 50-0292 (A DUPLICATE OF THIS TRANSMITTAL IS ATTACHED):

Date: [illegible]

Respectfully Submitted,

Dov Rosenfeld, Reg. No. 38687

Correspondence Address:
Dov Rosenfeld
5507 College Avenue, Suite 2
Oakland, California, 94618
Telephone: (510) 547-3378; Fax: (510) 653-7992

SUBMISSION DOCUMENT
Page 3
ATTORNEY DOCKET NO. APPT-001-1

Application Cover Sheet (cont.)

INVENTOR(s)/APPLICANT(s)
Last Name; First Name, MI; Residence (City and Either State or Foreign Country)
Bares; William H.; Germantown, TN
Sarkissian; Haig A.; San Antonio, Texas
Torgerson; James F.; Andover, MN

Our Ref./Docket No: APPT-001-1

Patent

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

Applicant(s): Dietz, et al.
Title: METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A NETWORK
Group Art Unit: unassigned
Examiner: unassigned

LETTER TO OFFICIAL DRAFTSPERSON
SUBMISSION OF FORMAL DRAWINGS

The Assistant Commissioner for Patents
Washington, DC 20231
ATTN: Official Draftsperson

Dear Sir or Madam:

Attached please find 18 sheets of formal drawings to be made of record for the above identified patent application submitted herewith.

Respectfully Submitted,

Date
Dov Rosenfeld, Reg. No. 38687

Address for correspondence and attorney for applicant(s):
Dov Rosenfeld, Reg. No. 38,687
5507 College Avenue, Suite 2
Oakland, CA 94618
Telephone: (510) 547-3378; Fax: (510) 653-7992

Certificate of Mailing under 37 CFR 1.10
I hereby certify that this application and all attachments are being deposited with the United States Postal Service as Express Mail (Express Mail Label: EI417961944US) in an envelope addressed to Box Patent Application, Assistant Commissioner for Patents, Washington, D.C. 20231
Signed
Name: Dov Rosenfeld, Reg. No. 38687

Our Ref./Docket No.: APPT-001-1

METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A NETWORK

Inventor(s):

DIETZ, Russell S.
San Jose, CA

MAIXNER, Joseph R.
Aptos, CA

KOPPENHAVER, Andrew A.
Fairfax, VA

BARES, William H.
Germantown, TN

SARKISSIAN, Haig A.
San Antonio, Texas

TORGERSON, James F.
Andover, MN

Certificate of Mailing under 37 CFR 1.10
I hereby certify that this application and all attachments are being deposited with the United States Postal Service as Express Mail (Express Mail Label: EI417961944US) in an envelope addressed to Box Patent Application, Assistant Commissioner for Patents, Washington, D.C. 20231 on
Signed:
Name: Dov Rosenfeld, Reg. No. 38687

METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A NETWORK

CROSS-REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. Provisional Patent Application Serial No.: 60/141,903 for METHOD AND APPARATUS FOR MONITORING TRAFFIC IN A NETWORK to inventors Dietz, et al., filed June 30, 1999, the contents of which are incorporated herein by reference.

This application is related to the following U.S. patent applications, each filed concurrently with the present application, and each assigned to Apptitude, Inc., the assignee of the present invention:

U.S. Patent Application Serial No. [illegible] for PROCESSING PROTOCOL SPECIFIC INFORMATION IN PACKETS SPECIFIED BY A PROTOCOL DESCRIPTION LANGUAGE, to inventors Koppenhaver, et al., filed June 30, 2000, [illegible], and incorporated herein by reference.

U.S. Patent Application Serial No. [illegible] for RE-USING INFORMATION FROM DATA TRANSACTIONS FOR MAINTAINING STATISTICS IN NETWORK MONITORING, to inventors Dietz, et al., filed June 30, 2000, [illegible], and incorporated herein by reference.

U.S. Patent Application Serial No. [illegible] for ASSOCIATIVE CACHE STRUCTURE FOR LOOKUPS AND UPDATES OF FLOW RECORDS IN A NETWORK MONITOR, to inventors Sarkissian, et al., filed June 30, 2000, [illegible], and incorporated herein by reference.

U.S. Patent Application Serial No. [illegible] for STATE PROCESSOR FOR PATTERN MATCHING IN A NETWORK MONITOR DEVICE, to inventors Sarkissian, et al., filed June 30, 2000, [illegible], and incorporated herein by reference.

FIELD OF INVENTION

The present invention relates to computer networks, specifically to the real-time elucidation of packets communicated within a data network, including classification according to protocol and application program.

BACKGROUND TO THE PRESENT INVENTION

There has long been a need for network activity monitors. This need has become especially acute, however, given the recent popularity of the Internet and other internets—an “internet” being any plurality of interconnected networks which forms a larger, single network. With the growth of networks used as a collection of clients obtaining services from one or more servers on the network, it is increasingly important to be able to monitor the use of those services and to rate them accordingly. Such objective information, for example, as which services (i.e., application programs) are being used, who is using them, how often they have been accessed, and for how long, is very useful in the maintenance and continued operation of these networks. It is especially important that selected users be able to access a network remotely in order to generate reports on network use in real time. Similarly, a need exists for a real-time network monitor that can provide alarms notifying selected users of problems that may occur with the network or site.

One prior art monitoring method uses log files. In this method, selected network activities may be analyzed retrospectively by reviewing log files, which are maintained by network servers and gateways. Log file monitors must access this data and analyze (“mine”) its contents to determine statistics about the server or gateway. Several problems exist with this method, however. First, log file information does not provide a map of real-time usage; and secondly, log file mining does not supply complete information. This method relies on logs maintained by numerous network devices and servers, which requires that the information be subjected to refining and correlation. Also, sometimes information is simply not available to any gateway or server in order to make a log file entry.

One such case, for example, would be information concerning NetMeeting® (Microsoft Corporation, Redmond, Washington) sessions in which two computers connect directly on the network and the data is never seen by a server or a gateway.

Another disadvantage of creating log files is that the process requires data logging features of network elements to be enabled, placing a substantial load on the device, which results in a subsequent decline in network performance. Additionally, log files can grow rapidly, there is no standard means of storage for them, and they require a significant amount of maintenance.

Though Netflow® (Cisco Systems, Inc., San Jose, California), RMON2, and other network monitors are available for the real-time monitoring of networks, they lack visibility into application content and are typically limited to providing network layer level information.

Pattern-matching parser techniques wherein a packet is parsed and pattern filters are applied are also known, but these too are limited in how deep into the protocol stack they can examine packets.

Some prior art packet monitors classify packets into connection flows. The term “connection flow” is commonly used to describe all the packets involved with a single connection. A conversational flow, on the other hand, is the sequence of packets that are exchanged in any direction as a result of an activity—for instance, the running of an application on a server as requested by a client. It is desirable to be able to identify and classify conversational flows rather than only connection flows. The reason for this is that some conversational flows involve more than one connection, and some even involve more than one exchange of packets between a client and server. This is particularly true when using client/server protocols such as RPC, DCOMP, and SAP, which enable a service to be set up or defined prior to any use of that service.

An example of such a case is the SAP (Service Advertising Protocol), a NetWare (Novell Systems, Provo, Utah) protocol used to identify the services and addresses of servers attached to a network. In the initial exchange, a client might send a SAP request to a server for print service. The server would then send a SAP reply that identifies a particular address—for example, SAP#5—as the print service on that server. Such responses might be used to update a table in a router, for instance, known as a Server Information Table. A client who has inadvertently seen this reply or who has access to the table (via the router that has the Service Information Table) would know that SAP#5 for this particular server is a print service. Therefore, in order to print data on the server, such a client would not need to make a request for a print service, but would simply send data to be printed specifying SAP#5. Like the previous exchange, the transmission of data to be printed also involves an exchange between a client and a server, but requires a second connection and is therefore independent of the initial exchange. In order to eliminate the possibility of disjointed conversational exchanges, it is desirable for a network packet monitor to be able to “virtually concatenate”—that is, to link—the first exchange with the second. If the clients were the same, the two packet exchanges would then be correctly identified as being part of the same conversational flow.

Other protocols that may lead to disjointed flows include RPC (Remote Procedure Call); DCOM (Distributed Component Object Model), formerly called Network OLE (Microsoft Corporation, Redmond, Washington); and CORBA (Common Object Request Broker Architecture). RPC is a programming interface from Sun Microsystems (Palo Alto, California) that allows one program to use the services of another program in a remote machine. DCOM, Microsoft’s counterpart to CORBA, defines the remote procedure call that allows those objects—objects are self-contained software modules—to be run remotely over the network. And CORBA, a standard from the Object Management Group (OMG) for communicating between distributed objects, provides a way to execute programs (objects) written in different programming languages running on different platforms regardless of where they reside in a network.

What is needed, therefore, is a network monitor that makes it possible to continuously analyze all user sessions on a heavily trafficked network. Such a monitor should enable non-intrusive, remote detection, characterization, analysis, and capture of all information passing through any point on the network (i.e., of all packets and packet streams passing through any location in the network). Not only should all the packets be detected and analyzed, but for each of these packets the network monitor should determine the protocol (e.g., http, ftp, H.323, VPN, etc.), the application/use within the protocol (e.g., voice, video, data, real-time data, etc.), and an end user’s pattern of use within each application or the application context (e.g., options selected, service delivered, duration, time of day, data requested, etc.). Also, the network monitor should not be reliant upon server resident information such as log files. Rather, it should allow a user such as a network administrator or an Internet service provider (ISP) the means to measure and analyze network activity objectively; to customize the type of data that is collected and analyzed; to undertake real time analysis; and to receive timely notification of network problems.

Considering the previous SAP example again, because one feature of the invention is to correctly identify the second exchange as being associated with a print service on that server, such exchange would even be recognized if the clients were not the same. What distinguishes this invention from prior art network monitors is that it has the ability to recognize disjointed flows as belonging to the same conversational flow.

The data value in monitoring network communications has been recognized by many inventors. Chiu, et al., describe a method for collecting information at the session level in a computer network in United States Patent 5,101,402, titled “APPARATUS AND METHOD FOR REAL-TIME MONITORING OF NETWORK SESSIONS AND A LOCAL AREA NETWORK” (the “402 patent”). The 402 patent specifies fixed locations for particular types of packets to extract information to identify session of a packet. For example, if a DECnet packet appears, the 402 patent looks at six specific fields (at 6 locations) in the packet in order to identify the session of the packet. If, on the other hand, an IP packet appears, a different set of six different locations is specified for an IP packet. With the proliferation of protocols, clearly the specifying of all the possible places to look to determine the session becomes more and more difficult. Likewise, adding a new protocol or application is difficult. In the present invention, the locations examined and the information extracted from any packet are adaptively determined from information in the packet for the particular type of packet. There is no fixed definition of what to look for and where to look in order to form an identifying signature. A monitor implementation of the present invention, for example, adapts to handle differently IEEE 802.3 packet from the older Ethernet Type 2 (or Version 2) DIX (Digital-Intel-Xerox) packet.

The 402 patent system is able to recognize up to the session layer. In the present invention, the number of levels examined varies for any particular protocol. Furthermore, the present invention is capable of examining up to whatever level is sufficient to uniquely identify to a required level, even all the way to the application level (in the OSI model).

Other prior art systems also are known. Phael describes a network activity monitor that processes only randomly selected packets in United States Patent 5,315,580, titled “NETWORK MONITORING DEVICE AND SYSTEM.” Nakamura teaches a network monitoring system in United States Patent 4,891,639, titled “MONITORING SYSTEM OF NETWORK.” Ross, et al., teach a method and apparatus for analyzing and monitoring network activity in United States Patent 5,247,517, titled “METHOD AND APPARATUS FOR ANALYSIS NETWORKS.” McCreery, et al., describe an Internet activity monitor that decodes packet data at the Internet protocol level layer in United States Patent 5,787,253, titled “APPARATUS AND METHOD OF ANALYZING INTERNET ACTIVITY.” The McCreery method decodes IP-packets. It goes through the decoding operations for each packet, and therefore uses the processing overhead for both recognized and unrecognized flows. In a monitor implementation of the present invention, a signature is built for every flow such that future packets of the flow are easily recognized. When a new packet in the flow arrives, the recognition process can commence from where it last left off, and a new signature built to recognize new packets of the flow.

SUMMARY

In its various embodiments the present invention provides a network monitor that can accomplish one or more of the following objects and advantages:

• Recognize and classify all packets that are exchanges between a client and server into respective client/server applications.

• Recognize and classify at all protocol layer levels conversational flows that pass in either direction at a point in a network.

• Determine the connection and flow progress between clients and servers according to the individual packets exchanged over a network.

• Be used to help tune the performance of a network according to the current mix of client/server applications requiring network resources.

• Maintain statistics relevant to the mix of client/server applications using network resources.

• Report on the occurrences of specific sequences of packets used by particular applications for client/server network conversational flows.

Other aspects of embodiments of the invention are:

• Properly analyzing each of the packets exchanged between a client and a server and maintaining information relevant to the current state of each of these conversational flows.

• Providing a flexible processing system that can be tailored or adapted as new applications enter the client/server market.

• Maintaining statistics relevant to the conversational flows in a client/server network as classified by an individual application.

• Reporting a specific identifier, which may be used by other network-oriented devices to identify the series of packets with a specific application for a specific client/server network conversational flow.

In general, the embodiments of the present invention overcome the problems and disadvantages of the art.

As described herein, one embodiment analyzes each of the packets passing through any point in the network in either direction, in order to derive the actual application used to communicate between a client and a server. Note that there could be several simultaneous and overlapping applications executing over the network that are independent and asynchronous.

A monitor embodiment of the invention successfully classifies each of the individual packets as they are seen on the network. The contents of the packets are parsed and selected parts are assembled into a signature (also called a key) that may then be used to identify further packets of the same conversational flow, for example to further analyze the flow and ultimately to recognize the application program. Thus the key is a function of the selected parts, and in the preferred embodiment, the function is a concatenation of the selected parts. The preferred embodiment forms and remembers the state of any conversational flow, which is determined by the relationship between individual packets and the entire conversational flow over the network. By remembering the state of a flow in this way, the embodiment determines the context of the conversational flow, including the application program it relates to and parameters such as the time, length of the conversational flow, data rate, etc.

The monitor is flexible to adapt to future applications developed for client/server networks. New protocols and protocol combinations may be incorporated by compiling files written in a high-level protocol description language.

`

`
`
`8
`
`The monitor embodimentof the presentinvention is preferably implemented in
`application-specific integrated circuits (ASIC)orfield programmable gate arrays (FPGA).
`
`In one embodiment, the monitor comprises a parser subsystem that forms a signature from
`
`a packet. The monitor further comprises an analyzer subsystem that receives the signature
`from the parser subsystem.
`
`A packet acquisition device such as a media access controller (MAC)ora
`
`segmentation and reassemble module is used to provide packets to the parser subsystem
`
`of the monitor.
`
`In a hardware implementation, the parsing subsystem comprises two sub-parts, the
`pattern analysis and recognition engine (PRE), and an extraction engine(slicer). The PRE
`
`10
`
`interprets each packet, and in particular, interprets individual fields in each packet
`
`according to a pattern database.
`
`The different protocols that can exist in different layers may be thoughtof as
`
`nodes of one or moretrees of linked nodes. The packet type is the rootof a tree. Each
`
`15
`
`protocolis either a parent node or a terminal node. A parent nodelinks a protocol to other
`
`protocols (child protocols) that can be at higher layer levels. For example, An Ethernet
`
`packet (the root node) may be an Ethertype packet—also called an Ethernet Type/Version
`2 and a DIX (DIGITAL-Intel-Xerox packet)—or an IEEE 802.3 packet. Continuing with
`the IEEE 802.3-type packet, one of the children nodes may bethe IP protocol, and one of
`
`20
`
`the children of the IP protocol may be the TCP protocol.
`
`The pattern database includes a description of the different headers of packets and
`
`their contents, and howtheserelate to the different nodes in a tree. The PRE traverses the
`
`tree as far as it can. If a node does not include a link to a deeperlevel, pattern matchingis
`
`25
`
`declared complete. Note that protocols can be the children of several parents. If a unique
`node wasgenerated for eachofthe possible parent/child trees, the pattern database might
`become excessively large. Instead, child nodes are shared among multiple parents, thus
`
`compacting the pattern database.
`
`Finally the PRE can be used on its own whenonly protocol recognition is
`
`required.
`
`30
`
`For each protocol recognized,the slicer extracts important packet elements from
`the packet. These form a signature(i.e., key) for the packet. Theslicer also preferably
`
`NOACEx. 1015 Page 16
`
`aEEURRRker2
`
`Ps
`ea=
`
`i jt
`we
`
`
`a
`
`;F&iIf a
`
`t
`
`filet=on
`
`NOAC Ex. 1015 Page 16
`
`

`

`erSARLAPAIRESORRTSaMce
`
`eaPRRS
`
`SN
`ttLara!
`
`i i
`
`ra
`
`weWareAAS
`
`ALGER,
`
`beShRie,
`
`SeraESRede.
`
`
`
`2
`
`9
`
`generates a hashfor rapidly identifying a flow that may have this signature from a
`
`database of knownflows.
`
`The flow signature of the packet, the hash andat least some ofthe payload are
`
`passed to an analyzer subsystem. In a hardware embodiment, the analyzer subsystem
`
`includes a unified flow key buffer (UFKB)for receiving parts of packets from the parser
`
`subsystem andfor storing signatures in process, a lookup/update engine (LUE) to lookup
`
`a database of flow records for previously encountered conversational flows to determine
`
`whethera signature is from an existing flow, a state processor (SP) for performingstate
`
`processing, a flow insertion and deletion engine (FIDE)for inserting new flowsinto the
`
`10
`
`database of flows, a memory forstoring the database of flows, and a cache for speeding
`
`up access to the memory containing the flow database. The LUE,SP, and FIDEare all
`
`coupled to the UFKB, andto the cache.
`
`The unified flow key buffer thus contains the flow signature of the packet, the
`
`hash andat least some of the payload for analysis in the analyzer subsystem. Many
`
`15
`
`operations can be performedto further elucidate the identity of the application program
`
`content of the packet involved in the client/server conversational flow while a packet
`
`signature exists in the unified flow signature buffer. In the particular hardware
`
`embodimentof the analyzer subsystem several flows may be processedin parallel, and
`
`multiple flow signatures from all the packets being analyzed in parallel may beheld in the
`
`20
`
`one UFKB.
`
`Thefirst step in the packet analysis process of a packet from the parser subsystem
`
`is to lookup the instance in the current database of known packet flow signatures. A
`
`lookup/update engine (LUE) accomplishes this task using first the hash, and then the flow
`
`signature. The searchis carried out in the cache and if there is no flow with a matching
`
`25
`
`signature in the cache, the lookup engine attempts to retrieve the flow from the flow
`
`database in the memory. The flow-entry for previously encountered flows preferably
`
`includesstate information, which is used in the state processor to execute any operations
`
`defined forthe state, and to determine the next state. A typical state operation may beto
`
`search for one or more knownreference strings in the payload of the packet stored in the
`
`30
`
`UFKB.
`
`Once the lookup processing by the LUE has been completeda flag stating whether
`
`NOAC Ex. 1015 Page 17
`
`it is found or is new is set within the unified flow signature buffer structure for this packet
`flow signature. For an existing flow, the flow-entry is updated by a calculator component
`of the LUE that adds values to counters in the flow-entry database used to store one or
`more statistical measures of the flow. The counters are used for determining network
`usage metrics on the flow.
`
`After the packet flow signature has been looked up and contents of the current
`flow signature are in the database, a state processor can begin analyzing the packet
`payload to further elucidate the identity of the application program component of this
`packet. The exact operation of the state processor and functions performed by it will vary
`depending on the current packet sequence in the stream of a conversational flow. The
`state processor moves to the next logical operation stored from the previous packet seen
`with this same flow signature. If any processing is required on this packet, the state
`processor will execute instructions from a database of state instruction for this state until
`there are either no more left or the instruction signifies processing.
`
`In the preferred embodiment, the state processor functions are programmable to
`provide for analyzing new application programs, and new sequences of packets and states
`that can arise from using such application.
`
`If during the lookup process for this particular packet flow signature, the flow is
`required to be inserted into the active database, a flow insertion and deletion engine
`(FIDE) is initiated. The state processor also may create new flow signatures and thus may
`instruct the flow insertion and deletion engine to add a new flow to the database as a new
`item.
`
`In the preferred hardware embodiment, each of the LUE, state processor, and
`FIDE operate independently from the other two engines.
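The following software model is an added illustration of the lookup, update, insertion and state-processing sequence described above; it is not code from the patent, which describes hardware engines. The class and method names, the CRC-32 hash, the LRU cache policy, the two state names and the `HTTP/1.` reference string are all assumptions made for the example.

```python
# Added illustration; names are hypothetical, not taken from the patent.
import zlib
from collections import OrderedDict

class FlowEntry:
    def __init__(self, signature):
        self.signature, self.state = signature, "INIT"
        self.packets = self.octets = 0          # usage counters

class Analyzer:
    def __init__(self, cache_buckets=2, hash_bits=8):
        self.memory = {}                        # flow database: hash -> [FlowEntry]
        self.cache = OrderedDict()              # LRU subset of the memory buckets
        self.cache_buckets = cache_buckets
        self.mask = (1 << hash_bits) - 1

    def _cache_bucket(self, h):
        self.cache[h] = self.memory[h]          # same list object as in memory
        self.cache.move_to_end(h)
        while len(self.cache) > self.cache_buckets:
            self.cache.popitem(last=False)      # evict least recently used

    def lookup(self, signature):
        """LUE: pick a bucket by hash, then compare full signatures."""
        h = zlib.crc32(repr(signature).encode()) & self.mask
        for source in ("cache", "memory"):      # cache first, then flow database
            for entry in getattr(self, source).get(h, []):
                if entry.signature == signature:
                    return h, entry, source
        return h, None, None

    def process(self, signature, payload, reference=b"HTTP/1."):
        h, entry, source = self.lookup(signature)
        is_new = entry is None                  # the found/new flag
        if is_new:                              # FIDE: insert as a new item
            entry = FlowEntry(signature)
            self.memory.setdefault(h, []).append(entry)
        self._cache_bucket(h)
        entry.packets += 1                      # calculator: update counters
        entry.octets += len(payload)            # (this model counts new flows too)
        if entry.state == "INIT" and reference in payload:
            entry.state = "IDENTIFIED"          # state processor: next state
        return is_new, source, entry

if __name__ == "__main__":
    a = Analyzer(hash_bits=0)                   # constructed input: force collisions
    flow = ("10.0.0.1", "10.0.0.2", 6, 40000, 80)
    print(a.process(flow, b"GET / HTTP/1.1\r\n")[:2])
    print(a.process(flow, b"more data")[:2])
```

Setting `hash_bits=0` puts every flow in one bucket, which shows why the full signature comparison is needed after the hash match.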
`
`BRIEF DESCRIPTION OF THE DRAWI
