1. AU2017385032 - System for preparing network traffic for fast analysis

Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters

WHAT IS CLAIMED IS:
1. A system for analyzing a computer network flow, comprising a network flow exporter for preparing a network flow; a network flow analyzer for decomposing said network flow into a plurality of network flow standard elements; and a flow tagger for tagging the plurality of network flow standard elements to form tagged elements, wherein said tagged elements are derived from said plurality of network flow standard elements.
2. The system of claim 1, wherein said tagged elements comprise simple tagged elements that are derived from at least one of said network flow standard elements according to a source of information external to said network flow or according to a calculation, or a combination thereof.
3. The system of claim 2, wherein said tagged elements comprise compound tagged elements that are derived from a combination of a plurality of simple tagged elements.
4. The system of claim 3, wherein said compound tagged elements are derived from a simple tagged element plus information external to the network flow, by performing some type of calculation on the simple tagged element, or by combining a network flow standard element with a simple tagged element.
5. The system of claim 4, wherein said compound tagged elements further include a calculation on a simple or compound tagged element (or both), information external to the network flow, a plurality of compound tagged elements or a combination thereof.
6. The system of claim 5, wherein said tagged elements comprise at least one simple tagged element and at least one compound tagged element, and wherein said flow tagger tags the plurality of network flow standard elements iteratively, such that said at least one compound tagged element is determined after said at least one simple tagged element.
7. The system of claim 2, wherein said simple tagged element is selected from the group consisting of a traffic ratio, derived from the amount of data sent to, and received from, a particular IP address or a particular port of particular IP address; and a port/IP address element, derived from the source IP address and the destination port of the network flow.
8. The system of claim 1, wherein said network flow standard element is determined according to one or both of the IPFIX or Netflow standards.
9. The system of claim 1, wherein said source of information external to the network flow comprises a look-up table for matching a value of a tagged element to an external information value.
10. The system of claim 9, wherein said look-up table comprises geolocation information and said tagged element comprises an IP address.
11. A method for analyzing a network flow, the network flow comprising a plurality of packets having a common set of properties, the method being performed by a computational device, the method comprising:
a. receiving a network flow, wherein said network flow comprises a plurality of packet properties organized into columns, each property in a column;
b. analyzing the network flow to decompose the network flow into a plurality of elements;
c. tagging the plurality of elements in an iterative order determined according to a tagging dependency between the plurality of elements; and
d. writing the tagged elements by column.
12. The method of claim 11, wherein said analyzing the network flow comprises determining simpler tagged elements first, before then determining compound tagged elements.
13. The method of claim 12, wherein said analyzing the network flow further comprises mapping each type of tagged element to a column of a record of tagged elements for the network flow; and determining an order of said columns according to tagging dependencies.
14. The method of claim 11, wherein said plurality of packet properties is selected from the group consisting of a packet header field element, a measured property of the plurality of packets, interpreted information based on packet contents, and meta information.
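The following Python sketch is an added illustration of the pipeline the system claims (1-10) and the method claims (11-14) describe; it is not code from the patent or its applicant. It takes Netflow/IPFIX-style standard elements, derives the simple tagged elements named in claims 7 and 10 (a traffic ratio, a source IP/destination port element, a geolocation look-up), derives compound tagged elements from those, orders the tagging by dependency so simple tags are computed before compound ones (claims 6, 11c and 12), and writes the result by column (claims 11d and 13). The field names, the tag definitions, the `GEO_TABLE` look-up and the sample flows are all constructed for the example.

```python
"""Flow tagger: decompose flow records into standard elements, derive simple and
compound tagged elements in dependency order, and emit them by column.

Added illustration of the claims above, not code from the patent. Field names,
tag functions, the geolocation table and the sample flows are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Callable

# Standard elements as a Netflow/IPFIX-style exporter might report them (constructed names).
STANDARD_ELEMENTS = ("src_ip", "dst_ip", "src_port", "dst_port", "bytes_out", "bytes_in")

# Constructed look-up table (claim 10): IP prefix -> region label. Not real geolocation data.
GEO_TABLE = {"10.0.0.": "internal", "198.51.100.": "ZZ", "203.0.113.": "YY"}


def geo_lookup(ip: str) -> str:
    """Match a tagged element (an IP address) to an external information value."""
    for prefix, region in GEO_TABLE.items():
        if ip.startswith(prefix):
            return region
    return "unknown"


@dataclass(frozen=True)
class Tag:
    name: str
    deps: tuple[str, ...]          # elements this tag is derived from
    fn: Callable[[dict], object]   # calculation over already-available elements


# Tag definitions are deliberately listed compound-first so the dependency
# ordering below visibly does the work of putting simple tags first.
TAGS = [
    # Compound tagged elements: derived from simple tags (claims 3-5).
    Tag("flagged_port_ip", ("port_ip", "external_upload"),
        lambda r: r["port_ip"] if r["external_upload"] else ""),
    Tag("external_upload", ("traffic_ratio", "dst_region"),
        lambda r: r["dst_region"] != "internal" and r["traffic_ratio"] > 10),
    # Simple tagged elements: from standard elements, external info or a calculation (claims 2, 7, 10).
    Tag("traffic_ratio", ("bytes_out", "bytes_in"),
        lambda r: round(r["bytes_out"] / max(r["bytes_in"], 1), 3)),
    Tag("port_ip", ("src_ip", "dst_port"), lambda r: f'{r["src_ip"]}:{r["dst_port"]}'),
    Tag("dst_region", ("dst_ip",), lambda r: geo_lookup(r["dst_ip"])),
]


def tagging_order(tags: list[Tag]) -> list[Tag]:
    """Order tags so each follows everything it depends on (a simple topological sort).

    Raises ValueError on a dependency that can never be satisfied (cycle or unknown element).
    """
    available = set(STANDARD_ELEMENTS)
    ordered: list[Tag] = []
    pending = list(tags)
    while pending:
        ready = [t for t in pending if all(d in available for d in t.deps)]
        if not ready:
            raise ValueError("unsatisfiable tag dependency: " + ", ".join(t.name for t in pending))
        for t in ready:
            ordered.append(t)
            available.add(t.name)
            pending.remove(t)
    return ordered


def tag_flow(record: dict, order: list[Tag]) -> dict:
    """Iteratively tag one flow record; simple tags land before the compound tags that use them."""
    out = dict(record)
    for t in order:
        out[t.name] = t.fn(out)
    return out


def write_by_column(records: list[dict], order: list[Tag]) -> str:
    """Emit records as CSV; one column per element, columns ordered by tagging dependency."""
    columns = list(STANDARD_ELEMENTS) + [t.name for t in order]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "src_port": 51515, "dst_port": 443,
     "bytes_out": 52_000_000, "bytes_in": 120_000},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "src_port": 51516, "dst_port": 445,
     "bytes_out": 4_000, "bytes_in": 9_000},
]


def process(flows: list[dict]) -> list[dict]:
    """Decompose, tag in dependency order, and return the tagged records."""
    order = tagging_order(TAGS)
    return [tag_flow(f, order) for f in flows]


if __name__ == "__main__":
    print(write_by_column(process(SAMPLE_FLOWS), tagging_order(TAGS)))
```

Running the block prints a CSV whose first six columns are the standard elements and whose remaining columns follow the computed tagging order, so a downstream analyst reads the simple tags before the compound tags built from them. The `Tag.deps` tuple is what the claims call the tagging dependency; making it explicit lets `tagging_order` reject a definition that would need a tag before it exists instead of silently emitting a wrong column.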