Automated passive discovery of applications
    11.
    Granted invention patent
    Legal status: in force

    Publication number: US09054952B2

    Publication date: 2015-06-09

    Application number: US14107580

    Application date: 2013-12-16

    CPC classification number: H04L43/04 H04L43/18 H04L67/16 H04L67/303 H04L67/36

    Abstract: Embodiments are directed to monitoring communication over a network using a network monitoring device (NMD) to discover devices, roles, applications, and application dependencies present on the monitored networks. An NMD may monitor network packets that may be flowing on monitored networks. Using OSI L2-to-L3 data, the NMD may determine the devices that may be on the monitored networks. Also, the NMD may determine the network protocols that may be in use on the monitored networks. Further, the NMD may reassemble monitored network packets into transactions based on knowledge regarding the network protocols that are in use on the monitored networks. The NMD may perform various tests to determine the applications that may be running on the discovered devices. Some of the tests used by the NMD may examine OSI L4-L7 data that may be included in the transactions.


    De-duplicating of packets in flows at layer 3
    12.
    Granted invention patent
    Legal status: in force

    Publication number: US09003065B2

    Publication date: 2015-04-07

    Application number: US14107631

    Application date: 2013-12-16

    Abstract: Embodiments are directed towards receiving packets communicated over at least one network, determining layer 3 header information for the received packets, normalizing the determined layer 3 header information for each received packet, employing a determined value based on the normalized layer 3 header information to detect each received packet that is a duplicate, disregarding duplicate packets, and enabling monitoring and analysis of at least selected flows that include packets that are determined to be non-duplicated. Also, if the determined layer 3 header information indicates that the received packet is fragmented, that packet is de-fragmented at least in accordance with a fragment offset. Additionally, normalization may include at least one of masking at least one value in the layer 3 header information, or rolling back changes in the layer 3 header information.


    DE-DUPLICATING OF PACKETS IN FLOWS AT LAYER 3
    13.
    Invention application
    Legal status: in force

    Publication number: US20140280908A1

    Publication date: 2014-09-18

    Application number: US14107631

    Application date: 2013-12-16

    Abstract: Embodiments are directed towards receiving packets communicated over at least one network, determining layer 3 header information for the received packets, normalizing the determined layer 3 header information for each received packet, employing a determined value based on the normalized layer 3 header information to detect each received packet that is a duplicate, disregarding duplicate packets, and enabling monitoring and analysis of at least selected flows that include packets that are determined to be non-duplicated. Also, if the determined layer 3 header information indicates that the received packet is fragmented, that packet is de-fragmented at least in accordance with a fragment offset. Additionally, normalization may include at least one of masking at least one value in the layer 3 header information, or rolling back changes in the layer 3 header information.


    AUTOMATED PASSIVE DISCOVERY OF APPLICATIONS
    14.
    Invention application
    Legal status: in force

    Publication number: US20140280907A1

    Publication date: 2014-09-18

    Application number: US14107580

    Application date: 2013-12-16

    CPC classification number: H04L43/04 H04L43/18 H04L67/16 H04L67/303 H04L67/36

    Abstract: Embodiments are directed to monitoring communication over a network using a network monitoring device (NMD) to discover devices, roles, applications, and application dependencies present on the monitored networks. An NMD may monitor network packets that may be flowing on monitored networks. Using OSI L2-to-L3 data, the NMD may determine the devices that may be on the monitored networks. Also, the NMD may determine the network protocols that may be in use on the monitored networks. Further, the NMD may reassemble monitored network packets into transactions based on knowledge regarding the network protocols that are in use on the monitored networks. The NMD may perform various tests to determine the applications that may be running on the discovered devices. Some of the tests used by the NMD may examine OSI L4-L7 data that may be included in the transactions.


    Automated passive discovery of applications
    15.
    Granted invention patent
    Legal status: in force

    Publication number: US08626912B1

    Publication date: 2014-01-07

    Application number: US13831626

    Application date: 2013-03-15

    CPC classification number: H04L43/04 H04L43/18 H04L67/16 H04L67/303 H04L67/36

    Abstract: Embodiments are directed to monitoring communication over a network using a network monitoring device (NMD) to discover devices, roles, applications, and application dependencies present on the monitored networks. An NMD may monitor network packets that may be flowing on monitored networks. Using OSI L2-to-L3 data, the NMD may determine the devices that may be on the monitored networks. Also, the NMD may determine the network protocols that may be in use on the monitored networks. Further, the NMD may reassemble monitored network packets into transactions based on knowledge regarding the network protocols that are in use on the monitored networks. The NMD may perform various tests to determine the applications that may be running on the discovered devices. Some of the tests used by the NMD may examine OSI L4-L7 data that may be included in the transactions.


    DETECTING ABNORMAL DATA ACCESS BASED ON DATA SIMILARITY

    Publication number: US20240356926A1

    Publication date: 2024-10-24

    Application number: US18530616

    Application date: 2023-12-06

    Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers. Activity associated with a document in a network may be determined based on the network traffic. A profile may be generated based on a summarization of the activity associated with the document such that the profile may be stored in a data store that stores other profiles. Similar profiles may be determined based on a classification of each profile in the data store based on similarities between the profile and the other profiles in the data store. In response to determining similar profiles, locations in the network associated with documents that correspond to the similar profiles may be determined. Locations may be classified based on the activity, the similar profiles and access policies. Portions of the locations that are classified as inconsistent with the access policies may be reported.

    Correlating network traffic that crosses opaque endpoints

    Publication number: US11652714B2

    Publication date: 2023-05-16

    Application number: US17861373

    Application date: 2022-07-11

    CPC classification number: H04L43/08 H04L47/41

    Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.

    Correlating causes and effects associated with network activity

    Publication number: US11496378B2

    Publication date: 2022-11-08

    Application number: US17318423

    Application date: 2021-05-12

    Abstract: Embodiments are directed to monitoring network traffic using a monitoring engine that monitors network traffic in networks to provide metrics. An inference engine may provide activity profiles based on portions of the network traffic where each activity profile includes features associated with the portions of network traffic. The inference engine may determine other activity profiles correlated with the activity profiles based on correlation models such that the determination of the other activity profiles occurs prior to monitoring an occurrence of other portions of the network traffic. The inference engine may modify monitoring actions of the monitoring engine based on the other activity profiles. The inference engine may provide reports based on the portions of the network traffic, the activity profiles, the other portions of the network traffic, or the other activity profiles.

    INLINE SECRET SHARING
    19.
    Invention application

    Publication number: US20220060518A1

    Publication date: 2022-02-24

    Application number: US17515963

    Application date: 2021-11-01

    Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.
