PTO-1390 (06-13)
Approved for use through 6/30/2013. OMB 0651-0021
U.S. Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.

TRANSMITTAL LETTER TO THE UNITED STATES DESIGNATED/ELECTED OFFICE (DO/EO/US) CONCERNING A SUBMISSION UNDER 35 U.S.C. 371

Attorney Docket No.: ORCKIT-001-US
U.S. Application No. (if known, see 37 CFR 1.5):
International Application No.: PCT/US2015/026869
International Filing Date: 21 April 2015
Priority Date Claimed: 22 April 2014
Title of Invention: A METHOD AND SYSTEM FOR DEEP PACKET INSPECTION IN SOFTWARE DEFINED NETWORKS
First Named Inventor: BARSHESHET, Yossi

Applicant herewith submits to the United States Designated/Elected Office (DO/EO/US) the following items and other information.

1. [x] This is an express request to begin national examination procedures (35 U.S.C. 371(f)). NOTE: The express request under 35 U.S.C. 371(f) will not be effective unless the requirements under 35 U.S.C. 371(c)(1), (2), and (4) for payment of the basic national fee, copy of the International Application and English translation thereof (if required), and the oath or declaration of the inventor(s) have been received.

2. [ ] A copy of the International Application (35 U.S.C. 371(c)(2)) is attached hereto (not required if the International Application was previously communicated by the International Bureau or was filed in the United States Receiving Office (RO/US)).

3. An English language translation of the International Application (35 U.S.C. 371(c)(2))
   a. [ ] is attached hereto.
   b. [ ] has been previously submitted under 35 U.S.C. 154(d)(4).

4. An oath or declaration of the inventor(s) (35 U.S.C. 371(c)(4))
   a. [x] is attached.
   b. [ ] was previously filed in the international phase under PCT Rule 4.17(iv).

Items 5 to 8 below concern amendments made in the international phase.

PCT Article 19 and 34 amendments

5. [ ] Amendments to the claims under PCT Article 19 are attached (not required if communicated by the International Bureau) (35 U.S.C. 371(c)(3)).

6. [ ] English translation of the PCT Article 19 amendment is attached (35 U.S.C. 371(c)(3)).

7. [ ] English translation of annexes (Article 19 and/or 34 amendments only) of the International Preliminary Examination Report is attached (35 U.S.C. 371(c)(5)).

Cancellation of amendments made in the international phase

8a. [ ] Do not enter the amendment made in the international phase under PCT Article 19.

8b. [ ] Do not enter the amendment made in the international phase under PCT Article 34.

NOTE: A proper amendment made in English under Article 19 or 34 will be entered in the U.S. national phase application absent a clear instruction from applicant not to enter the amendment(s).

The following items 9 to 17 concern a document(s) or information included.

9. [x] An Information Disclosure Statement under 37 CFR 1.97 and 1.98.

10. [x] A preliminary amendment.

11. [x] An Application Data Sheet under 37 CFR 1.76.

12. [ ] A substitute specification. NOTE: A substitute specification cannot include claims. See 37 CFR 1.125(b).

13. [x] A power of attorney and/or change of address letter.

14. [ ] A computer-readable form of the sequence listing in accordance with PCT Rule 13ter.3 and 37 CFR 1.821-1.825.

15. [x] Assignment papers (cover sheet and document(s)). Name of Assignee: ORCKIT IP, LLC

16. [ ] 37 CFR 3.73(c) Statement (when there is an Assignee).

This collection of information is required by 37 CFR 1.414 and 1.491-1.492. The information is required to obtain or retain a benefit by the public, which is to file (and by the USPTO to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.11 and 1.14. This collection is estimated to take 15 minutes to complete, including gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on the amount of time you require to complete this form and/or suggestions for reducing this burden should be sent to the Chief Information Officer, U.S. Patent and Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. SEND TO: Mail Stop PCT, Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.

EX 1002 Page 1

U.S. APPLN. No. (if known - see 37 CFR 1.5):
INTERNATIONAL APPLICATION No.: PCT/US2015/026869
ATTORNEY DOCKET No.: ORCKIT-001-US

17. Other items or information:
Declaration, PCT-Request, Four (4) PCT/IB/306 forms

The following fees have been submitted. (Columns: CALCULATIONS; PTO USE ONLY)

18. [x] Basic national fee (37 CFR 1.492(a)) ... $280
    Amount: $280

19. [x] Examination fee (37 CFR 1.492(c))
    If the written opinion prepared by ISA/US or the international preliminary examination report prepared by IPEA/US indicates all claims satisfy provisions of PCT Article 33(1)-(4) ... $0
    All other situations ... $720
    Amount: $720

20. Search fee (37 CFR 1.492(b))
    If the written opinion prepared by ISA/US or the international preliminary examination report prepared by IPEA/US indicates all claims satisfy provisions of PCT Article 33(1)-(4) ... $0
    Search fee (37 CFR 1.445(a)(2)) has been paid on the international application to the USPTO as an International Searching Authority ... $120
    International Search Report prepared by an ISA other than the US and provided to the Office or previously communicated to the US by the IB ... $480
    All other situations ... $600
    Amount: $600

TOTAL OF 18, 19, and 20 = $1600

[ ] Additional fee for specification and drawings filed in paper over 100 sheets (excluding sequence listing in compliance with 37 CFR 1.821(c) or (e) in an electronic medium or computer program listing in an electronic medium) (37 CFR 1.492(j)).
    Fee for each additional 50 sheets of paper or fraction thereof ... $400
    Total Sheets: 26 - 100 = (Extra Sheets) / 50 = (Number of each additional 50 or fraction thereof, round up to a whole number) x $400 (RATE) = $

Surcharge of $140.00 for furnishing any of the search fee, examination fee, or the oath or declaration after the date of commencement of the national stage (37 CFR 1.492(h)). $

CLAIMS (NUMBER FILED - allowance = NUMBER EXTRA x RATE)
    Total claims: 54 - 20 = 34 x $80 = $2720
    Independent claims: 2 - 3 = x $420 = $
    MULTIPLE DEPENDENT CLAIM(S) (if applicable) + $780 = $

Processing fee of $140.00 for furnishing the English translation later than 30 months from the earliest claimed priority date (37 CFR 1.492(i)). + $

TOTAL OF ABOVE CALCULATIONS = $4320

Applicant asserts small entity status. See 37 CFR 1.27. Fees above are reduced by ½.

[ ] Applicant certifies micro entity status. See 37 CFR 1.29. Fees above are reduced by ¾. Applicant must attach form PTO/SB/15A or B or equivalent.

TOTAL NATIONAL FEE = $2160

Fee for recording the enclosed assignment (37 CFR 1.21(h)). The assignment must be accompanied by an appropriate cover sheet (37 CFR 3.28, 3.31). $40.00 per property. + $40

TOTAL FEES ENCLOSED = $2200

Amount to be refunded:
Amount to be charged:

[Page 2 of 3]

a. [ ] A check in the amount of $ to cover the above fees is enclosed.

b. Please charge my Deposit Account No. 600117 in the amount of $ 2200 to cover the above fees.

c. The Director is hereby authorized to charge additional fees which may be required, or credit any overpayment, to Deposit Account No. as follows:
   i. [ ] any required fee.
   ii. [ ] any required fee except for excess claims fees required under 37 CFR 1.492(d) and (e) and multiple dependent claim fee required under 37 CFR 1.492(f).

[ ] Fees are to be charged to a credit card. WARNING: Information on this form may become public. Credit card information should not be included on this form. Provide credit card information and authorization on PTO-2038. The PTO-2038 should only be mailed or faxed to the USPTO. However, when paying the basic national fee, the PTO-2038 may NOT be faxed to the USPTO.

ADVISORY: If filing by EFS-Web, do NOT attach the PTO-2038 form as a PDF along with your EFS-Web submission. Please be advised that this is not recommended and by doing so your credit card information may be displayed via PAIR. To protect your information, it is recommended to pay fees online by using the electronic payment method.

NOTE: Where an appropriate time limit under 37 CFR 1.495 has not been met, a petition to revive (37 CFR 1.137(a) or (b)) must be filed and granted to restore the International Application to pending status.

Statement under 37 CFR 1.55 or 1.78 for AIA (First Inventor to File) Transition Applications

[ ] This application (1) claims priority to or the benefit of an application filed before March 16, 2013, and (2) also contains, or contained at any time, a claim to a claimed invention that has an effective filing date on or after March 16, 2013.

NOTE 1: By providing this statement under 37 CFR 1.55 or 1.78, this application, with a filing date on or after March 16, 2013, will be examined under the first inventor to file provisions of the AIA.

NOTE 2: A U.S. national stage application may not claim priority to the international application of which it is the national phase. The filing date of a U.S. national stage application is the international filing date. See 35 U.S.C. 363.

Correspondence Address

The address associated with Customer Number: 131926
OR [ ] Correspondence address below

Name:
Address:
City:
State:
Zip Code:
Country:
Telephone:
Email:

Signature: /Yehuda Binder/
Name (Print/Type): Yehuda BINDER
Date: Sep. 15, 2016
Registration No. (attorney/agent): 73012

[Page 3 of 3]

Privacy Act Statement

The Privacy Act of 1974 (P.L. 93-579) requires that you be given certain information in connection with your submission of the attached form related to a patent application or patent. Accordingly, pursuant to the requirements of the Act, please be advised that: (1) the general authority for the collection of this information is 35 U.S.C. 2(b)(2); (2) furnishing of the information solicited is voluntary; and (3) the principal purpose for which the information is used by the U.S. Patent and Trademark Office is to process and/or examine your submission related to a patent application or patent. If you do not furnish the requested information, the U.S. Patent and Trademark Office may not be able to process and/or examine your submission, which may result in termination of proceedings or abandonment of the application or expiration of the patent.

The information provided by you in this form will be subject to the following routine uses:

1. The information on this form will be treated confidentially to the extent allowed under the Freedom of Information Act (5 U.S.C. 552) and the Privacy Act (5 U.S.C. 552a). Records from this system of records may be disclosed to the Department of Justice to determine whether disclosure of these records is required by the Freedom of Information Act.

2. A record from this system of records may be disclosed, as a routine use, in the course of presenting evidence to a court, magistrate, or administrative tribunal, including disclosures to opposing counsel in the course of settlement negotiations.

3. A record in this system of records may be disclosed, as a routine use, to a Member of Congress submitting a request involving an individual, to whom the record pertains, when the individual has requested assistance from the Member with respect to the subject matter of the record.

4. A record in this system of records may be disclosed, as a routine use, to a contractor of the Agency having need for the information in order to perform a contract. Recipients of information shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m).

5. A record related to an International Application filed under the Patent Cooperation Treaty in this system of records may be disclosed, as a routine use, to the International Bureau of the World Intellectual Property Organization, pursuant to the Patent Cooperation Treaty.

6. A record in this system of records may be disclosed, as a routine use, to another federal agency for purposes of National Security review (35 U.S.C. 181) and for review pursuant to the Atomic Energy Act (42 U.S.C. 218(c)).

7. A record from this system of records may be disclosed, as a routine use, to the Administrator, General Services, or his/her designee, during an inspection of records conducted by GSA as part of that agency's responsibility to recommend improvements in records management practices and programs, under authority of 44 U.S.C. 2904 and 2906. Such disclosure shall be made in accordance with the GSA regulations governing inspection of records for this purpose, and any other relevant (i.e., GSA or Commerce) directive. Such disclosure shall not be used to make determinations about individuals.

8. A record from this system of records may be disclosed, as a routine use, to the public after either publication of the application pursuant to 35 U.S.C. 122(b) or issuance of a patent pursuant to 35 U.S.C. 151. Further, a record may be disclosed, subject to the limitations of 37 CFR 1.14, as a routine use, to the public if the record was filed in an application which became abandoned or in which the proceedings were terminated and which application is referenced by either a published application, an application open to public inspection or an issued patent.

9. A record from this system of records may be disclosed, as a routine use, to a Federal, State, or local law enforcement agency, if the USPTO becomes aware of a violation or potential violation of law or regulation.

(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(19) World Intellectual Property Organization, International Bureau

(43) International Publication Date: 29 October 2015 (29.10.2015)

(10) International Publication Number: WO 2015/164370 A1

(51) International Patent Classification: H04L 12/26 (2006.01) FIO4E 123/742 (2013013

(21) International Application Number: PCT/US2015/026869

(22) International Filing Date: 21 April 2015 (21.04.2015)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data: 61/982,358, 22 April 2014 (22.04.2014), US

(71) Applicant: ORCKIT-CORRIGENT LTD. [IL/IL]; 126 Yigal Allon Street, 67443 Tel Aviv (IL).

(71) Applicant (for BZ only): M&B IP ANALYSTS, LLC [US/US]; 485 S. Park Place # 262, Morristown, NJ 07960 (US).

(72) Inventors: BARSHESHET, Yossi; Orckit-Corrigent Ltd., 126 Yigal Allon Street, 67443 Tel Aviv (IL). DOCTORI, Simhon; Orckit-Corrigent Ltd., 126 Yigal Allon Street, 67443 Tel Aviv (IL). SOLOMON, Ronen; Orckit-Corrigent Ltd., 126 Yigal Allon Street, 67443 Tel Aviv (IL).

(74) Agents: BEN-SHIMON, Michael et al.; M&B IP Analysts, LLC, 45 S. Park Place #262, Morristown, NJ 07960 (US).

(81) Designated States (unless otherwise indicated, for every kind of national protection available): AE, AG, AL, AM, AO, AT, AU, AZ, BA, BB, BG, BH, BN, BR, BW, BY, BZ, CA, CH, CL, CN, CO, CR, CU, CZ, DE, DK, DM, DO, DZ, EC, EE, EG, ES, FI, GB, GD, GE, GH, GM, GT, HN, HR, HU, ID, IL, IN, IR, IS, JP, KE, KG, KN, KP, KR, KZ, LA, LC, LK, LR, LS, LU, LY, MA, MD, ME, MG, MK, MN, MW, MX, MY, MZ, NA, NG, NI, NO, NZ, OM, PA, PE, PG, PH, PL, PT, QA, RO, RS, RU, RW, SA, SC, SD, SE, SG, SK, SL, SM, ST, SV, SY, TH, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, ZA, ZM, ZW.

(84) Designated States (unless otherwise indicated, for every kind of regional protection available): ARIPO (BW, GH, GM, KE, LR, LS, MW, MZ, NA, RW, SD, SL, ST, SZ, TZ, UG, ZM, ZW), Eurasian (AM, AZ, BY, KG, KZ, RU, TJ, TM), European (AL, AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HR, HU, IE, IS, IT, LT, LU, LV, MC, MK, MT, NL, NO, PL, PT, RO, RS, SE, SI, SK, SM, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, KM, ML, MR, NE, SN, TD, TG).

Published: with international search report (Art. 21(3))

(54) Title: A METHOD AND SYSTEM FOR DEEP PACKET INSPECTION IN SOFTWARE DEFINED NETWORKS

[FIG. 3: DPI Flow Detection unit; Probe Flow Module; Probe sequence counter; TCP Flag; Mirror Packets]

(57) Abstract: A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

WO 2015/164370    PCT/US2015/026869

A METHOD AND SYSTEM FOR DEEP PACKET INSPECTION IN SOFTWARE DEFINED NETWORKS

CROSS REFERENCE TO RELATED APPLICATIONS

[001] This application claims the benefit of US provisional application No. 61/982,358 filed on April 22, 2014, the contents of which are herein incorporated by reference.

TECHNICAL FIELD

[002] This disclosure generally relates to techniques for deep packet inspection (DPI), and particularly for DPI of traffic in cloud-based networks utilizing software defined networks.

BACKGROUND

[003] Deep packet inspection (DPI) technology is a form of network packet scanning technique that allows specific data patterns to be extracted from a data communication channel. Extracted data patterns can then be used by various applications, such as security and data analytics applications. DPI currently performs across various networks, such as internal networks, Internet service providers (ISPs), and public networks provided to customers. Typically, the DPI is performed by dedicated engines installed in such networks.

[004] A software defined networking is a relatively new type of networking architecture that provides centralized management of network nodes rather than a distributed architecture utilized by conventional networks. The SDN is prompted by an ONF (open network foundation). The leading communication standard that currently defines communication between the central controller (e.g., a SDN controller) and the network nodes (e.g., vSwitches) is the OpenFlow™ standard.

[005] Specifically, in SDN-based architectures the data forwarding (e.g. data plane) is typically decoupled from control decisions (e.g. control plane), such as routing, resources, and other management functionalities. The decoupling may also allow the data plane and the control plane to operate on different hardware, in different runtime environments, and/or operate using different models. As such, in an SDN network, the network intelligence is logically centralized in the central controller which configures, using OpenFlow protocol, network nodes and to control application data traffic flows.

[006] Although, the OpenFlow protocol allows addition of programmability to network nodes for the purpose of packets-processing operations under the control of the central controller, the OpenFlow does not support any mechanism to allow DPI of packets through the various networking layers as defined by the OSI model. Specifically, the current OpenFlow specification defines a mechanism to parse and extract only packet headers, in layer-2 through layer-4, from packets flowing via the network nodes. The OpenFlow specification does not define or suggest any mechanism to extract non-generic, uncommon, and/or arbitrary data patterns contained in layer-4 to layer 7 fields. In addition, the OpenFlow specification does not define or suggest any mechanism to inspect or to extract content from packets belonging to a specific flow or session. This is a major limitation as it would not require inspection of the packet for the purpose of identification of, for example, security threats detection.

[007] The straightforward approach of routing all traffic from network nodes to the central controller introduces some significant drawbacks, such as increased end-to-end traffic delays between the client and the server; overflowing the controller capability to perform other networking functions; and a single point of failure for the re-routed traffic.

[008] Therefore, it would be advantageous to provide a solution that overcomes the deficiencies noted above and allow efficient DPI in SDNs.

SUMMARY

[009] A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical nodes of all aspects nor delineate the scope of any or all embodiments. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term some embodiments may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.

[0010] Certain embodiments disclosed herein include a method for deep packet inspection (DPI) in a software defined network (SDN), wherein the method is performed by a central controller of the SDN. The method comprises: configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, wherein the first packet matches the at least one probe instruction, wherein the first packet includes a first sequence number; receiving from a network node a second packet of the flow, wherein the second packet matches the at least one probe instruction, wherein the second packet includes a second sequence number, wherein the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers, wherein the mask value indicates which bytes to be mirrored from subsequent packets belonging to the same flow, wherein the mirrored bytes are inspected; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

[0011] Certain embodiments disclosed herein include a system for deep packet inspection (DPI) in a software defined network (SDN), wherein the method is performed by a central controller of the SDN. The system comprises: a processor; a memory connected to the processor and configured to contain a plurality of instructions that when executed by the processor configure the system to: set a plurality of network nodes operable in the SDN with at least one probe instruction; receive from a network node a first packet of a flow, wherein the first packet matches the at least one probe instruction, wherein the first packet includes a first sequence number; receive from a network node a second packet of the flow, wherein the second packet matches the at least one probe instruction, wherein the second packet includes a second sequence number, wherein the second packet is a response of the first packet; compute a mask value respective of at least the first and second sequence numbers, wherein the mask value indicates which bytes to be mirrored from subsequent packets belonging to the same flow, wherein the mirrored bytes are inspected; generate at least one mirror instruction based on at least the mask value; and configure the plurality of network nodes with at least one mirror instruction.

BRIEF DESCRIPTION OF THE DRAWINGS

[0012] The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the invention will be apparent from the following detailed description taken in conjunction with the accompanying drawings.

[0013] Figure 1 is a schematic diagram of a network system utilized to describe the various disclosed embodiments.

[0014] Figure 2 is a schematic diagram of a flow table stored in a central controller.

[0015] Figure 3 is a schematic diagram of a system utilized for describing the process of flow detection as performed by a central controller and a network node according to one embodiment.

[0016] Figure 4 is a schematic diagram of a system utilized for describing the process of flow termination as performed by a central controller and a network node according to one embodiment.

[0017] Figure 5 is a data structure depicting the organization of flows according to one embodiment.

[0018] Figure 6 is a flowchart illustrating the operation of the central controller according to one embodiment.

DETAILED DESCRIPTION

[0019] It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular nodes may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.

[0020] Fig. 1 is an exemplary and non-limiting diagram of a network system 100 utilized to describe the various disclosed embodiments. The network system 100 includes a software defined network (SDN) 110 (not shown) containing a central controller 111 and a plurality of network nodes 112. The network nodes 112 communicate with the central controller 111 using, for example, an OpenFlow protocol. The central controller 111 can configure the network nodes 112 to perform certain data path operations. The SDN 110 can be implemented in wide area networks (WANs), local area networks (LANs), the Internet, metropolitan area networks (MANs), ISP backbones, datacenters, inter-datacenter networks, and the like. Each network node 112 in the SDN may be a router, a switch, a bridge, and so on.

[0021] The central controller 111 provides inspected data (such as application metadata) to a plurality of application servers (collectively referred to as application servers 120, merely for simplicity purposes). An application server 120 executes, for example, security applications (e.g., Firewall, intrusion detection, etc.), data analytic applications, and so on.

[0022] In the exemplary network system 100, a plurality of client devices (collectively referred to as client devices 130, merely for simplicity purposes) communicate with a plurality of destination servers (collectively referred to as destination servers 140, merely for simplicity purposes) connected over the network 110. A client device 130 may be, for example, a smart phone, a tablet computer, a personal computer, a laptop computer, a wearable computing device, and the like. The destination servers 140 are accessed by the devices 130 and may be, for example, web servers.

[0023] According to some embodiments, the central controller 111 is configured to perform deep packet inspection on designated packets from designated flows or TCP sessions. To this end, the central controller 111 is further configured to instruct each of the network nodes 112 which of the packets and/or sessions should be directed to the controller 111 for packet inspections.

[0024] According to some embodiments, each network node 112 is configured to determine if an incoming packet requires inspection or not. The determination is performed based on a set of instructions provided by the controller 111. A packet that requires inspection is either redirected to the controller 111 or mirrored and a copy thereof is sent to the controller 111. It should be noted that traffic flows that are inspected are not affected by the operation of the network node 112. In an embodiment, each network node 112 is configured to extract and send only a portion of a packet data that contains meaningful information.
`WO 2015/164370 PCT/US2015/026869
`
`0025] The set of instructions that the controller 111 configures each of the network
`
`nodes 1i2 with include “probe instructions”, “mirroring instructions”, and “termination
`
`instructions.” According to some exemplary and non-limiting embodiments, the probe
`
`instructions include:
`
`iH(TCP FLAG SYN=1) then (re-direct packet to central controller);
`
`if (TCP FLAG SYN=T and ACK=1) then (re-direct packet to central controller); and
`
`HITCP FLAG ACK=1)} then (forward packet directly to a destination server).
`
`The termination instructions include:
`
`if (TCP FLAG FiN=1) then (re-direct packet to controller);
`
`Hi (TCP FLAG FIN=1? and ACK=1) then (re-direct packet to controller); and
`
`if (TCP FLAG RST=1) then (re-direct packet to controller).
`
`0026] The TCP FLAG SYN, TCP FLAG ACK, TCP FLAG FIN, TCP FLAG RST are
`
`fields in a TCP packet’s header that can be analyzed by the network nodes 112. That is,
`
`each node 112 is configured to receive an incoming packet (either a request from a client
`
`device 130 or response for a server 140), analyze the packet’s header, and perform the
`
`action (redirect the packet to controller 111 or send to destination server 140) respective
`
`of the value of the TCP flag.
`
`[0027] The controller 111 also configures each of the network nodes 112 with mirroring
`
`instructions with a mirror action of X number of bytes within a packet. The mirrored bytes
`
`are sent to the controller 111 to perform the DPI analysis. According to some exemplary
`
`embodiments, the set of mirroring instructions have the following format:
`
`If (source IP Address = V1 and destination IP Address = V2 and source TCP port = V3
`
`and destination IP address = V4 and TCP sequence = V5 and TCP sequence mask = V6)
`
`then (mirror V7 bytes)
`
`
`[0028] The values V1 through V7 are determined by the controller 111 per network
`
`node or for all nodes 112. The values of the TCP sequence, and TCP sequence mask
`
`are computed, by the controller 111, as discussed in detail below.
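An added example (not part of the patent text) of how a network node could evaluate the probe, termination and mirroring instructions of paragraphs [0025] to [0028]. The rule ordering, the masked sequence comparison, the reading of V4 as the destination TCP port, mirroring from the start of the TCP payload, and all function and class names are assumptions.

```python
import struct
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits (RFC 9293)

def parse_tcp(segment: bytes):
    """Return (src_port, dst_port, seq, flags, payload) of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    hdr_len = (off_flags >> 12) * 4
    if not 20 <= hdr_len <= len(segment):
        raise ValueError("invalid data offset")
    return sport, dport, seq, off_flags & 0x3F, segment[hdr_len:]

def flag_action(flags: int) -> str:
    """Probe/termination instructions; the bare-ACK rule is checked last
    (assumption) because SYN+ACK and FIN+ACK also carry ACK=1."""
    if flags & (FIN | RST):      # termination: FIN, FIN+ACK, RST
        return "redirect"
    if flags & SYN:              # probe: SYN, SYN+ACK
        return "redirect"
    if flags & ACK:              # probe: traffic of an established session
        return "forward"
    return "no-match"            # the page defines no rule for this case

@dataclass(frozen=True)
class MirrorRule:
    src_ip: str      # V1
    dst_ip: str      # V2
    src_port: int    # V3
    dst_port: int    # V4, read here as the destination TCP port (assumption)
    seq: int         # V5
    seq_mask: int    # V6
    nbytes: int      # V7

    def mirrored(self, src_ip, dst_ip, segment):
        """Return the bytes copied to the controller, or None if no match."""
        sport, dport, seq, _flags, payload = parse_tcp(segment)
        if (src_ip, dst_ip, sport, dport) != (self.src_ip, self.dst_ip,
                                              self.src_port, self.dst_port):
            return None
        # Assumed masked compare: only bits set in V6 take part in the match.
        if (seq & self.seq_mask) != (self.seq & self.seq_mask):
            return None
        return payload[:self.nbytes]

def build_segment(sport, dport, seq, flags, payload=b""):
    """Constructed sample input: a 20-byte TCP header plus payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (5 << 12) | flags, 65535, 0, 0) + payload
```

With a sequence mask of 0xFFFFF000, one rule covers every segment whose sequence number falls in the same 4096-byte window, so the node mirrors only the first V7 payload bytes of each matching segment instead of the whole flow.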
`
`[0029] In another embodiment, in order to allow analysis of TCP packets’ headers by
`
`a network node 112 and track flows, new type-length-value (TLV) structures are
`
`provided. The TLV structures may be applied to be utilized by an OpenFlow protocol
`
`standard as defined, for example, in the OpenFlow 1.3.3 specification published by the
`
`Open Flow Foundation on September 27, 2013 or OpenFlow 1.4.0 specification published
`
`on October 14, 2013, for parsing and identifying any arbitrary fields within a packet.
`
`According to non-limiting and exemplary embodiments, the TLV structures disclosed
`
`herein include:
`
`1.T
