Approved for use through 6/30/2013. OMB 0651-0021
U.S. Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
TRANSMITTAL LETTER TO THE UNITED STATES DESIGNATED/ELECTED OFFICE (DO/EO/US) CONCERNING A SUBMISSION UNDER 35 U.S.C. 371
Attorney Docket No.: ORCKIT-001-US
U.S. Application No. (if known, see 37 CFR 1.5):
International Application No.: PCT/US2015/026869
Title of Invention: A METHOD AND SYSTEM FOR DEEP PACKET INSPECTION IN SOFTWARE DEFINED NETWORKS
First Named Inventor: BARSHESHET, Yossi
International Filing Date: 21 April 2015
Priority Date Claimed: 22 April 2014
`
Applicant herewith submits to the United States Designated/Elected Office (DO/EO/US) the following items and other information.
1. [X] This is an express request to begin national examination procedures (35 U.S.C. 371(f)). NOTE: The express request under 35 U.S.C. 371(f) will not be effective unless the requirements under 35 U.S.C. 371(c)(1), (2), and (4) for payment of the basic national fee, copy of the International Application and English translation thereof (if required), and the oath or declaration of the inventor(s) have been received.
2. [ ] A copy of the International Application (35 U.S.C. 371(c)(2)) is attached hereto (not required if the International Application was previously communicated by the International Bureau or was filed in the United States Receiving Office (RO/US)).
3. An English language translation of the International Application (35 U.S.C. 371(c)(2))
   a. [ ] is attached hereto.
   b. [ ] has been previously submitted under 35 U.S.C. 154(d)(4).
4. An oath or declaration of the inventor(s) (35 U.S.C. 371(c)(4))
   a. [X] is attached.
   b. [ ] was previously filed in the international phase under PCT Rule 4.17(iv).

Items 5 to 8 below concern amendments made in the international phase.

PCT Article 19 and 34 amendments
5. [ ] Amendments to the claims under PCT Article 19 are attached (not required if communicated by the International Bureau) (35 U.S.C. 371(c)(3)).
6. [ ] English translation of the PCT Article 19 amendment is attached (35 U.S.C. 371(c)(3)).
7. [ ] English translation of annexes (Article 19 and/or 34 amendments only) of the International Preliminary Examination Report is attached (35 U.S.C. 371(c)(5)).

Cancellation of amendments made in the international phase
8a. [ ] Do not enter the amendment made in the international phase under PCT Article 19.
8b. [ ] Do not enter the amendment made in the international phase under PCT Article 34.

NOTE: A proper amendment made in English under Article 19 or 34 will be entered in the U.S. national phase application absent a clear instruction from applicant not to enter the amendment(s).

The following items 9 to 17 concern a document(s) or information included.
9. [X] An Information Disclosure Statement under 37 CFR 1.97 and 1.98.
10. [X] A preliminary amendment.
11. [X] An Application Data Sheet under 37 CFR 1.76.
12. [ ] A substitute specification. NOTE: A substitute specification cannot include claims. See 37 CFR 1.125(b).
13. [X] A power of attorney and/or change of address letter.
14. [ ] A computer-readable form of the sequence listing in accordance with PCT Rule 13ter.3 and 37 CFR 1.821-1.825.
15. [X] Assignment papers (cover sheet and document(s)). Name of Assignee: ORCKIT IP, LLC
16. [ ] 37 CFR 3.73(c) Statement (when there is an Assignee).
`
`
`Exhibit 1002
`Cisco v. Orckit – IPR2023-00554
`Page 1 of 557
`
`
`
`PTO-1390 (06-13)
`
17. [X] Other items or information: Declaration, PCT-Request, Four (4) PCT/IB/306 forms

The following fees have been submitted. (Form columns: CALCULATIONS; PTO USE ONLY)
18. [X] Basic national fee (37 CFR 1.492(a)): $280
19. [X] Examination fee (37 CFR 1.492(c)): $720
    - If the written opinion prepared by ISA/US or the international preliminary examination report prepared by IPEA/US indicates all claims satisfy provisions of PCT Article 33(1)-(4): $0
    - All other situations: $720
20. [X] Search fee (37 CFR 1.492(b)): $600
    - If the written opinion prepared by ISA/US or the international preliminary examination report prepared by IPEA/US indicates all claims satisfy provisions of PCT Article 33(1)-(4): $0
    - Search fee (37 CFR 1.445(a)(2)) has been paid on the international application to the USPTO as an International Searching Authority: $120
    - International Search Report prepared by an ISA other than the US and provided to the Office or previously communicated to the US by the IB: $480
    - All other situations: $600
TOTAL OF 18, 19, and 20 = $1600

[ ] Additional fee for specification and drawings filed in paper over 100 sheets (excluding sequence listing in compliance with 37 CFR 1.821(c) or (e) in an electronic medium or computer program listing in an electronic medium) (37 CFR 1.492(j)). Fee for each additional 50 sheets of paper or fraction thereof: $400
    Total Sheets: 26 - 100 = Extra Sheets: (blank); / 50 = Number of each additional 50 or fraction thereof (round up to a whole number): (blank); RATE: x $400; amount: $ (blank)
Surcharge of $140.00 for furnishing any of the search fee, examination fee, or the oath or declaration after the date of commencement of the national stage (37 CFR 1.492(h)): $ (blank)

CLAIMS (NUMBER FILED; NUMBER EXTRA; RATE; amount)
Total claims: 54 - 20 = 34; x $80; $2720
Independent claims: 2 - 3 = (blank); x $420; $ (blank)
MULTIPLE DEPENDENT CLAIM(S) (if applicable): + $780; $ (blank)
Processing fee of $140.00 for furnishing the English translation later than 30 months from the earliest claimed priority date (37 CFR 1.492(i)): + $ (blank)
TOTAL OF ABOVE CALCULATIONS = $4320
[X] Applicant asserts small entity status. See 37 CFR 1.27. Fees above are reduced by ½.
[ ] Applicant certifies micro entity status. See 37 CFR 1.29. Fees above are reduced by ¾. Applicant must attach form PTO/SB/15A or B or equivalent.
TOTAL NATIONAL FEE = $2160
Fee for recording the enclosed assignment (37 CFR 1.21(h)). The assignment must be accompanied by an appropriate cover sheet (37 CFR 3.28, 3.31). $40.00 per property: + $40
TOTAL FEES ENCLOSED = $2200
Amount to be refunded: $ (blank)
Amount to be charged: $ (blank)

[Page 2 of 3]
`
`
`
PTO-1390 (06-13)

a. [ ] A check in the amount of $ (blank) to cover the above fees is enclosed.
b. [X] Please charge my Deposit Account No. 600117 in the amount of $2200 to cover the above fees.
c. [ ] The Director is hereby authorized to charge additional fees which may be required, or credit any overpayment, to Deposit Account No. (blank) as follows:
   i. [ ] any required fee.
   ii. [ ] any required fee except for excess claims fees required under 37 CFR 1.492(d) and (e) and multiple dependent claim fee required under 37 CFR 1.492(f).
d. [ ] Fees are to be charged to a credit card. WARNING: Information on this form may become public. Credit card information should not be included on this form. Provide credit card information and authorization on PTO-2038. The PTO-2038 should only be mailed or faxed to the USPTO. However, when paying the basic national fee, the PTO-2038 may NOT be faxed to the USPTO.

ADVISORY: If filing by EFS-Web, do NOT attach the PTO-2038 form as a PDF along with your EFS-Web submission. Please be advised that this is not recommended and by doing so your credit card information may be displayed via PAIR. To protect your information, it is recommended to pay fees online by using the electronic payment method.

NOTE: Where an appropriate time limit under 37 CFR 1.495 has not been met, a petition to revive (37 CFR 1.137(a) or (b)) must be filed and granted to restore the International Application to pending status.
`
Statement under 37 CFR 1.55 or 1.78 for AIA (First Inventor to File) Transition Applications
[ ] This application (1) claims priority to or the benefit of an application filed before March 16, 2013, and (2) also contains, or contained at any time, a claim to a claimed invention that has an effective filing date on or after March 16, 2013.
NOTE 1: By providing this statement under 37 CFR 1.55 or 1.78, this application, with a filing date on or after March 16, 2013, will be examined under the first inventor to file provisions of the AIA.
NOTE 2: A U.S. national stage application may not claim priority to the international application of which it is the national phase. The filing date of a U.S. national stage application is the international filing date. See 35 U.S.C. 363.
`
Correspondence Address
[X] The address associated with Customer Number: 131926 OR [ ] Correspondence address below
Name:
Address:
City: State: Zip Code:
Country: Telephone:
Signature: /Yehuda Binder/
Name (Print/Type): Yehuda BINDER
Date: Sep. 15, 2016
Registration No. (Attorney/Agent): 73612

[Page 3 of 3]
`
`
`
`
(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)
(19) World Intellectual Property Organization, International Bureau
(10) International Publication Number: WO 2015/164370 A1
(43) International Publication Date: 29 October 2015 (29.10.2015)
(51) International Patent Classification: H04L 12/26 (2006.01), H04L 12/741 (2013.01)
(21) International Application Number: PCT/US2015/026869
(22) International Filing Date: 21 April 2015 (21.04.2015)
(25) Filing Language: English
(26) Publication Language: English
(30) Priority Data: 61/982,358, 22 April 2014 (22.04.2014), US
(71) Applicant: ORCKIT-CORRIGENT LTD. [IL/IL]; 126 Yigal Allon Street, 67443 Tel Aviv (IL).
(71) Applicant (for BZ only): M&B IP ANALYSTS, LLC [US/US]; 45 S. Park Place # 262, Morristown, NJ 07960 (US).
(72) Inventors: BARSHESHET, Yossi; Orckit-Corrigent Ltd., 126 Yigal Allon Street, 67443 Tel Aviv (IL). DOCTORI, Simhon; Orckit-Corrigent Ltd., 126 Yigal Allon Street, 67443 Tel Aviv (IL). SOLOMON, Ronen; Orckit-Corrigent Ltd., 126 Yigal Allon Street, 67443 Tel Aviv (IL).
(74) Agents: BEN-SHIMON, Michael et al.; M&B IP Analysts, LLC, 45 S. Park Place #262, Morristown, NJ 07960 (US).
(81) Designated States (unless otherwise indicated, for every kind of national protection available): AE, AG, AL, AM, AO, AT, AU, AZ, BA, BB, BG, BH, BN, BR, BW, BY, BZ, CA, CH, CL, CN, CO, CR, CU, CZ, DE, DK, DM, DO, DZ, EC, EE, EG, ES, FI, GB, GD, GE, GH, GM, GT, HN, HR, HU, ID, IL, IN, IR, IS, JP, KE, KG, KN, KP, KR, KZ, LA, LC, LK, LR, LS, LU, LY, MA, MD, ME, MG, MK, MN, MW, MX, MY, MZ, NA, NG, NI, NO, NZ, OM, PA, PE, PG, PH, PL, PT, QA, RO, RS, RU, RW, SA, SC, SD, SE, SG, SK, SL, SM, ST, SV, SY, TH, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, ZA, ZM, ZW.
(84) Designated States (unless otherwise indicated, for every kind of regional protection available): ARIPO (BW, GH, GM, KE, LR, LS, MW, MZ, NA, RW, SD, SL, ST, SZ, TZ, UG, ZM, ZW), Eurasian (AM, AZ, BY, KG, KZ, RU, TJ, TM), European (AL, AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HR, HU, IE, IS, IT, LT, LU, LV, MC, MK, MT, NL, NO, PL, PT, RO, RS, SE, SI, SK, SM, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, KM, ML, MR, NE, SN, TD, TG).
Published: with international search report (Art. 21(3))
(54) Title: A METHOD AND SYSTEM FOR DEEP PACKET INSPECTION IN SOFTWARE DEFINED NETWORKS
`
(57) Abstract: A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.
`
[FIG. 3: front-page drawing; surviving labels: Probe Flow Module 321, reference numeral 112]
`
`
`
WO 2015/164370
PCT/US2015/026869

A METHOD AND SYSTEM FOR DEEP PACKET INSPECTION IN SOFTWARE DEFINED NETWORKS

CROSS REFERENCE TO RELATED APPLICATIONS
[001] This application claims the benefit of US provisional application No. 61/982,358 filed on April 22, 2014, the contents of which are herein incorporated by reference.

TECHNICAL FIELD
[002] This disclosure generally relates to techniques for deep packet inspection (DPI), and particularly for DPI of traffic in cloud-based networks utilizing software defined networks.
`
BACKGROUND
[003] Deep packet inspection (DPI) technology is a form of network packet scanning technique that allows specific data patterns to be extracted from a data communication channel. Extracted data patterns can then be used by various applications, such as security and data analytics applications. DPI currently performs across various networks, such as internal networks, Internet service providers (ISPs), and public networks provided to customers. Typically, the DPI is performed by dedicated engines installed in such networks.

[004] A software defined networking is a relatively new type of networking architecture that provides centralized management of network nodes rather than a distributed architecture utilized by conventional networks. The SDN is prompted by an ONF (open network foundation). The leading communication standard that currently defines communication between the central controller (e.g., a SDN controller) and the network nodes (e.g., vSwitches) is the OpenFlow™ standard.

[005] Specifically, in SDN-based architectures the data forwarding (e.g. data plane) is typically decoupled from control decisions (e.g. control plane), such as routing, resources, and other management functionalities. The decoupling may also allow the data plane and the control plane to operate on different hardware, in different runtime environments, and/or operate using different models. As such, in an SDN network, the network intelligence is logically centralized in the central controller which configures, using OpenFlow protocol, network nodes and to control application data traffic flows.

[006] Although, the OpenFlow protocol allows addition of programmability to network nodes for the purpose of packets-processing operations under the control of the central controller, the OpenFlow does not support any mechanism to allow DPI of packets through the various networking layers as defined by the OSI model. Specifically, the current OpenFlow specification defines a mechanism to parse and extract only packet headers, in layer-2 through layer-4, from packets flowing via the network nodes. The OpenFlow specification does not define or suggest any mechanism to extract non-generic, uncommon, and/or arbitrary data patterns contained in layer-4 to layer 7 fields. In addition, the OpenFlow specification does not define or suggest any mechanism to inspect or to extract content from packets belonging to a specific flow or session. This is a major limitation as it would not require inspection of the packet for the purpose of identification of, for example, security threats detection.

[007] The straightforward approach of routing all traffic from network nodes to the central controller introduces some significant drawbacks, such as increased end-to-end traffic delays between the client and the server; overflowing the controller capability to perform other networking functions; and a single point of failure for the re-routed traffic.

[008] Therefore, it would be advantageous to provide a solution that overcomes the deficiencies noted above and allow efficient DPI in SDNs.
`
SUMMARY
[009] A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical nodes of all aspects nor delineate the scope of any or all embodiments. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term some embodiments may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

[0010] Certain embodiments disclosed herein include a method for deep packet inspection (DPI) in a software defined network (SDN), wherein the method is performed by a central controller of the SDN. The method comprises: configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, wherein the first packet matches the at least one probe instruction, wherein the first packet includes a first sequence number; receiving from a network node a second packet of the flow, wherein the second packet matches the at least one probe instruction, wherein the second packet includes a second sequence number, wherein the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers, wherein the mask value indicates which bytes to be mirrored from subsequent packets belonging to the same flow, wherein the mirrored bytes are inspected; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

[0011] Certain embodiments disclosed herein include a system for deep packet inspection (DPI) in a software defined network (SDN), wherein the method is performed by a central controller of the SDN. The system comprises: a processor; a memory connected to the processor and configured to contain a plurality of instructions that when executed by the processor configure the system to: set a plurality of network nodes operable in the SDN with at least one probe instruction; receive from a network node a first packet of a flow, wherein the first packet matches the at least one probe instruction, wherein the first packet includes a first sequence number; receive from a network node a second packet of the flow, wherein the second packet matches the at least one probe instruction, wherein the second packet includes a second sequence number, wherein the second packet is a response of the first packet; compute a mask value respective of at least the first and second sequence numbers, wherein the mask value indicates which bytes to be mirrored from subsequent packets belonging to the same flow, wherein the mirrored bytes are inspected; generate at least one mirror instruction based on at least the mask value; and configure the plurality of network nodes with at least one mirror instruction.
`
BRIEF DESCRIPTION OF THE DRAWINGS
[0012] The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the invention will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

[0013] Figure 1 is a schematic diagram of a network system utilized to describe the various disclosed embodiments.

[0014] Figure 2 is a schematic diagram of a flow table stored in a central controller.

[0015] Figure 3 is a schematic diagram of a system utilized for describing the process of flow detection as performed by a central controller and a network node according to one embodiment.

[0016] Figure 4 is a schematic diagram of a system utilized for describing the process of flow termination as performed by a central controller and a network node according to one embodiment.

[0017] Figure 5 is a data structure depicting the organization of flows according to one embodiment.

[0018] Figure 6 is a flowchart illustrating the operation of the central controller according to one embodiment.
`
DETAILED DESCRIPTION
[0019] It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular nodes may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

[0020] Fig. 1 is an exemplary and non-limiting diagram of a network system 100 utilized to describe the various disclosed embodiments. The network system 100 includes a software defined network (SDN) 110 (not shown) containing a central controller 111 and a plurality of network nodes 112. The network nodes 112 communicate with the central controller 111 using, for example, an OpenFlow protocol. The central controller 111 can configure the network nodes 112 to perform certain data path operations. The SDN 110 can be implemented in wide area networks (WANs), local area networks (LANs), the Internet, metropolitan area networks (MANs), ISP backbones, datacenters, inter-datacenter networks, and the like. Each network node 112 in the SDN may be a router, a switch, a bridge, and so on.

[0021] The central controller 111 provides inspected data (such as application metadata) to a plurality of application servers (collectively referred to as application servers 120, merely for simplicity purposes). An application server 120 executes, for example, security applications (e.g., Firewall, intrusion detection, etc.), data analytic applications, and so on.

[0022] In the exemplary network system 100, a plurality of client devices (collectively referred to as client devices 130, merely for simplicity purposes) communicate with a plurality of destination servers (collectively referred to as destination servers 140, merely for simplicity purposes) connected over the network 110. A client device 130 may be, for example, a smart phone, a tablet computer, a personal computer, a laptop computer, a wearable computing device, and the like. The destination servers 140 are accessed by the devices 130 and may be, for example, web servers.

[0023] According to some embodiments, the central controller 111 is configured to perform deep packet inspection on designated packets from designated flows or TCP sessions. To this end, the central controller 111 is further configured to instruct each of the network nodes 112 which of the packets and/or sessions should be directed to the controller 111 for packet inspections.

[0024] According to some embodiments, each network node 112 is configured to determine if an incoming packet requires inspection or not. The determination is performed based on a set of instructions provided by the controller 111. A packet that requires inspection is either redirected to the controller 111 or mirrored and a copy thereof is sent to the controller 111. It should be noted that traffic flows that are inspected are not affected by the operation of the network node 112. In an embodiment, each network node 112 is configured to extract and send only a portion of a packet data that contains meaningful information.
`
[0025] The set of instructions that the controller 111 configures each of the network nodes 112 with include "probe instructions", "mirroring instructions", and "termination instructions." According to some exemplary and non-limiting embodiments, the probe instructions include:

If (TCP FLAG SYN=1) then (re-direct packet to central controller);
If (TCP FLAG SYN=1 and ACK=1) then (re-direct packet to central controller); and
If (TCP FLAG ACK=1) then (forward packet directly to a destination server).

The termination instructions include:

If (TCP FLAG FIN=1) then (re-direct packet to controller);
If (TCP FLAG FIN=1 and ACK=1) then (re-direct packet to controller); and
If (TCP FLAG RST=1) then (re-direct packet to controller).

[0026] The TCP FLAG SYN, TCP FLAG ACK, TCP FLAG FIN, TCP FLAG RST are fields in a TCP packet's header that can be analyzed by the network nodes 112. That is, each node 112 is configured to receive an incoming packet (either a request from a client device 130 or response for a server 140), analyze the packet's header, and perform the action (redirect the packet to controller 111 or send to destination server 140) respective of the value of the TCP flag.
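
The probe and termination instructions of [0025] and the header analysis of [0026], worked through as an added Python example that is not part of the patent text. The rule priority (most specific first), the `ProbeTracker` helper, the "table-miss" result and the sample addresses, ports and sequence numbers are assumptions constructed for illustration; checking that the SYN+ACK acknowledges the stored SYN is standard TCP behaviour, not something the page specifies.

```python
import struct

# Bit positions in the TCP flags byte (byte 13 of the TCP header).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

REDIRECT = "redirect-to-controller"
FORWARD = "forward-to-destination"

# Rules from [0025] as (name, flags that must be set, action).
# Assumption: checked most-specific first, so a SYN+ACK or FIN+ACK packet
# is never caught by the plain "ACK=1 -> forward" rule.
RULES = [
    ("probe: SYN+ACK", SYN | ACK, REDIRECT),
    ("probe: SYN", SYN, REDIRECT),
    ("termination: FIN+ACK", FIN | ACK, REDIRECT),
    ("termination: FIN", FIN, REDIRECT),
    ("termination: RST", RST, REDIRECT),
    ("probe: ACK", ACK, FORWARD),
]


def parse_tcp_header(segment):
    """Extract ports, sequence/ack numbers and flags from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset_byte, flags = struct.unpack("!HHIIBB", segment[:14])
    header_len = (offset_byte >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid TCP data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def node_action(segment):
    """Network-node side: return (matched rule, action) for one packet."""
    flags = parse_tcp_header(segment)["flags"]
    for name, required, action in RULES:
        if flags & required == required:
            return name, action
    return "table-miss", None  # no flag rule applies; the page defines no action here


class ProbeTracker:
    """Controller side (hypothetical helper): record the sequence numbers of the
    first packet (SYN) and of its response (SYN+ACK) for each flow."""

    def __init__(self):
        self.flows = {}  # (client_ip, client_port, server_ip, server_port) -> state

    def on_redirect(self, src_ip, dst_ip, segment):
        h = parse_tcp_header(segment)
        fwd = (src_ip, h["sport"], dst_ip, h["dport"])
        rev = (dst_ip, h["dport"], src_ip, h["sport"])
        flags = h["flags"]
        if flags & (FIN | RST):  # termination instruction fired: drop flow state
            ended = self.flows.pop(fwd, None) or self.flows.pop(rev, None)
            return "flow-terminated" if ended else "unknown-flow"
        if flags & SYN and not flags & ACK:
            self.flows[fwd] = {"first_seq": h["seq"], "second_seq": None}
            return "first-packet"
        if flags & SYN and flags & ACK:
            flow = self.flows.get(rev)
            # The response must acknowledge the stored SYN (seq + 1, modulo 2^32).
            if flow is None or h["ack"] != (flow["first_seq"] + 1) % 2**32:
                return "unmatched-response"
            flow["second_seq"] = h["seq"]
            return "second-packet"
        return "ignored"


def make_segment(sport, dport, seq, ack, flags):
    """Build a constructed 20-byte TCP header (no options, checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    # Constructed handshake between a client (10.0.0.1:40000) and a server (10.0.0.2:443).
    tracker = ProbeTracker()
    packets = [
        ("10.0.0.1", "10.0.0.2", make_segment(40000, 443, 1000, 0, SYN)),
        ("10.0.0.2", "10.0.0.1", make_segment(443, 40000, 5000, 1001, SYN | ACK)),
        ("10.0.0.1", "10.0.0.2", make_segment(40000, 443, 1001, 5001, ACK)),
        ("10.0.0.2", "10.0.0.1", make_segment(443, 40000, 5001, 1001, FIN | ACK)),
    ]
    for src, dst, seg in packets:
        rule, action = node_action(seg)
        result = tracker.on_redirect(src, dst, seg) if action == REDIRECT else "-"
        print(f"{src} -> {dst}: {rule:22} {action:24} controller: {result}")
```

Read literally, the plain ACK rule also matches SYN+ACK and FIN+ACK packets, so the order in which a node evaluates the instructions decides whether the second probe packet and the termination packets ever reach the controller.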
[0027] The controller 111 also configures each of the network nodes 112 with mirroring instructions with a mirror action of X number of bytes within a packet. The mirrored bytes are sent to the controller 111 to perfor