EP2476237A1 - Supervision of a communication session comprising several flows over a data network - Google Patents

Supervision of a communication session comprising several flows over a data network

Info

Publication number
EP2476237A1
EP2476237A1 EP10763796A EP10763796A EP2476237A1 EP 2476237 A1 EP2476237 A1 EP 2476237A1 EP 10763796 A EP10763796 A EP 10763796A EP 10763796 A EP10763796 A EP 10763796A EP 2476237 A1 EP2476237 A1 EP 2476237A1
Authority
EP
European Patent Office
Prior art keywords
stream
data
signature
parent
session
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP10763796A
Other languages
German (de)
French (fr)
Inventor
Jérôme TOLLET
Jérôme ABELA
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qosmos Tech
Original Assignee
Qosmos
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qosmos

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1083 In-session procedures
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/80 Responding to QoS
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the present invention relates to a method and a system for monitoring a communication session on a data network, said session comprising a first data stream, called the parent stream, using a first protocol, said parent stream comprising data enabling the establishment of a second data stream, called the child stream, using a second protocol for said session. It also relates to a computer program product for implementing the monitoring method.
  • a real-time protocol (RTP) session will be initiated by a Session Initiation Protocol (SIP) session, and the parameters of the RTP session will depend on information exchanged by the SIP session.
  • SIP Session Initiation Protocol
  • Network monitoring devices such as, for example, firewalls, link the sessions of different protocols via state machines.
  • a method of monitoring a communication session on a data network, the session comprising a first data stream, called the parent stream, using a first protocol, the parent stream comprising data enabling the establishment of a second data stream, called the child stream, using a second protocol for this session, comprises:
  • this method advantageously makes it possible to easily group the related streams, and in particular without defining a state machine.
  • the session comprising a determined plurality of child flows, the data flows are audited until the set of child flows is determined.
  • the child stream including data for establishing a third data stream using a third protocol for the session, a signature is generated from these data, and data streams using the third protocol are audited until the data stream corresponding to the session is determined.
  • the method monitoring a plurality of sessions each comprising a parent stream for which a parent key is generated and stored, for each of the streams using the second protocol, the signature is compared to each of the parent keys to determine whether or not the stream is the child stream of one of the sessions. It should be noted in particular that this method advantageously applies to a multitude of parent streams, child streams and any type of tree defining an inheritance between one or more parent streams and one or more child streams, with any level of inheritance.
  • a computer program product includes program code instructions recorded on a computer readable medium, for implementing the steps of the preceding method when said program is running on a computer.
  • a system for monitoring a communication session on a data network, the session comprising a first data stream, called the parent stream, using a first protocol, the parent stream comprising data enabling the establishment of a second data stream, called the child stream, using a second protocol for the session, comprises:
  • a first stream analyzer for searching the parent stream for the data enabling the child stream to be established
  • a second stream analyzer for auditing data streams using the second protocol on the data network
  • a second signature generator for each of these streams
  • the system comprises at least two devices connected by a data network, a first device comprising at least the storage memory, the signature comparator and the tagger, and the second device comprising at least the first stream analyzer, the first signature generator and an interface for transmitting the generated signature to the first device. It may also include at least a third device connected to the first device by the data network and comprising at least the second stream analyzer, the second signature generator and an interface for transmitting the generated signature to the first device.
  • FIG. 1 is a schematic view of a data network
  • FIG. 2 is a flow chart of a method according to one embodiment of the invention.
  • FIG. 3 is a schematic view of a surveillance system according to one embodiment of the invention.
  • FIG. 4 is a schematic view of a monitoring system according to a second embodiment of the invention.
  • a digital data network 1 connects a multitude of devices 3 to each other.
  • a monitoring system 5 is connected to this network to capture the data flows exchanged between the equipment 3.
  • the system 5 thus monitors the communication sessions running on the network 1.
  • the term "session", or application session, denotes the set of data exchanges generated by a given network application.
  • when a first device wishes to transfer a file to a second device using the FTP protocol, the first device and the second device will start by establishing a first exchange using the TCP protocol on port 21, then they will agree to transfer the file itself using FTP-DATA, which uses the TCP protocol on a variable port number greater than 1024. All of these exchanges constitute a session.
  • sub-session or simply data stream
  • the first sub-session will be called the parent sub-session, or parent stream, in that it allows the two devices to exchange the data enabling the establishment of the second sub-session, which will thus be called the child sub-session, or child stream.
  • to monitor a session, the system 5 implements the following method, FIG. 2.
  • the system detects, step 11, the establishment of an application session in the form of a parent stream.
  • the system 5 then analyzes, step 13, the parent stream, looking for establishment data of a child stream. For example, in the context of an FTP session, the system 5 will analyze the transmitted packets to determine the number of the port on which the file transfer will take place.
  • the system 5 generates, step 15, a signature, called the parent key, from these data.
  • for example, for an FTP session, the system 5 generates a signature from the IP addresses of the source equipment and the receiving equipment and the port number. This signature is, for example, a hash value of this data.
  • This parent key is stored, step 17, by the system 5.
  • the system 5 then monitors, step 19, the streams that may correspond to the child stream because, for example, they implement a protocol compatible with it.
  • for each of these streams, it calculates, step 21, a signature.
  • the calculation of this signature is similar to the calculation of the parent key. For example, for the FTP session, it calculates the hash key of the IP addresses of the two devices and the port number.
  • This signature is compared, step 23, to the parent key.
  • if the comparison is positive, the corresponding stream is then, step 25, the desired child stream.
  • the description above is limited to a parent stream and a child stream.
  • the method is generalized without difficulty to a plurality of parent flows and child flows.
  • a session consists of a parent stream and a plurality of child streams
  • the system calculates as many parent keys as necessary and monitors all flows until all child flows are found.
  • the comparison of the flow signatures is then made on all the parent keys until a parent key matches, thus defining the attachment session. If no key matches, it means that the stream does not belong to any monitored session.
  • the method also applies smoothly to sessions with multiple cascading inheritances, i.e., a child stream has establishment data of another stream and behaves like a parent stream for that other stream, which is then its child stream. Based on the establishment data carried by the child stream, the system defines a parent key against which the signatures of the prospective child streams are compared.
  • the set of parent keys may correspond to an ordered index vector, one of whose attributes is the session name.
  • the search and comparison with the parent key(s) and the allocation of the stream to a session then correspond to an operation on indexes, a computer operation that is extremely efficient in terms of resources used and speed. It also makes it possible to pool the monitoring operations of a multitude of sessions.
  • the monitoring system 5 thus comprises, FIG.
  • a first signature generator 33 for generating a signature, called the parent key, from these data
  • a second stream analyzer 37 for auditing data streams using the second protocol on the data network;
  • a second signature generator 39 for each of these streams;
  • This monitoring system can be implemented as a dedicated electronic circuit or by specifically programming a computer with a computer program comprising program code instructions recorded on a computer-readable medium, to implement the steps of the monitoring method when the program is running on a computer.
  • This computer comprises in particular a network interface enabling it to listen to the transmissions carried out on the network, volatile random access memories connected to a computing unit to generate the keys and signatures, and storage memories, which can be, for example, a magnetic hard disk, to store in particular the signature formation rules.
  • a particularly interesting embodiment of this system consists of breaking it up into several decentralized devices, FIG. 4.
  • a first series of devices 50 installed closest to the streams comprises the flow analyzers 31, 37 and the signature generators 33, 39. Each then comprises a communication interface 52 with a centralization device 54 comprising, in addition to a communication interface 56 in connection with the interfaces 52, the storage memory 35 of the signatures as well as the comparator 41 of the signature and the tagger 43.
  • the latter element can also be found in the first devices 50 in order to label the flows as close to their production.
  • the monitoring system may actually include only one stream analyzer and one signature generator capable of auditing streams and generating signatures for parent streams as well as for child streams. Or, for reasons of speed, these can be as numerous as there are types of protocols.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a method for supervising a communication session over a data network, said session including a first data flow, referred to as the parent flow, using a first protocol, said parent flow including data suitable for setting up a second data flow, referred to as the child flow, using a second protocol for said session, which includes: searching (13) the parent flow for the data that enable the child flow to be set up; generating (15) and storing (17) a signature, referred to as a parent key, using said data; auditing (19) data flows using the second protocol on the data network; creating (21) a signature for each one of the flows; comparing (23) said signature of each one of the flows with the parent key; and, if the comparison is positive, determining (25) that the data flow in question is the child flow of the session.

Description

MONITORING A COMMUNICATION SESSION COMPRISING MULTIPLE STREAMS ON A DATA NETWORK.
The present invention relates to a method and a system for monitoring a communication session on a data network, said session comprising a first data stream, called the parent stream, using a first protocol, said parent stream comprising data enabling the establishment of a second data stream, called the child stream, using a second protocol for said session. It also relates to a computer program product for implementing the monitoring method.
Current network applications generally use more than one session and more than one protocol to perform their task.
For example, during a video call generated by setting up a videoconference, an RTP (real-time protocol) session is initiated by a SIP (Session Initiation Protocol) session, and the parameters of the RTP session depend on information exchanged by the SIP session.
Network monitoring devices, such as firewalls, link the sessions of the different protocols by means of state machines.
The drawback of this solution is that it makes these devices complex, because, in particular, the behavior of a state machine must be written for each new network application. In addition, processing the different streams can be very resource-intensive, which limits the bandwidth available through these devices, or else requires the development of expensive machines or a limit on the amount of data monitored.
It would therefore be advantageous to obtain a monitoring method and system that can monitor network applications using many protocols with better efficiency in terms of hardware resources and implementation.
To overcome one or more of the aforementioned drawbacks, a method of monitoring a communication session on a data network, the session comprising a first data stream, called the parent stream, using a first protocol, the parent stream comprising data enabling the establishment of a second data stream, called the child stream, using a second protocol for this session, comprises:
• searching the parent stream for the data enabling the establishment of the child stream;
• generating and storing a signature, called the parent key, from these data;
• auditing data streams using the second protocol on the data network;
• creating a signature for each of the streams;
• comparing the signature of each of the streams to the parent key; and
• if the comparison is positive, determining that the corresponding data stream is the child stream of the session.
By defining each stream by a suitable signature, and by performing a simple comparison of signatures, a computationally simple and fast operation, this method advantageously makes it possible to group related streams easily and, in particular, without defining a state machine.
Particular features or embodiments, usable alone or in combination, are:
• the session comprising a determined plurality of child streams, the data streams are audited until the whole set of child streams is determined.
• the child stream comprising data enabling the establishment of a third data stream using a third protocol for the session, a signature is generated from these data, and data streams using the third protocol are audited until the data stream corresponding to the session is determined.
• the method monitoring a plurality of sessions each comprising a parent stream for which a parent key is generated and stored, for each of the streams using the second protocol, the signature is compared to each of the parent keys to determine whether or not the stream is the child stream of one of the sessions.
It should be noted in particular that this method advantageously applies to a multitude of parent streams, child streams and any type of tree defining an inheritance between one or more parent streams and one or more child streams, with any level of inheritance.
In a second aspect of the invention, a computer program product comprises program code instructions recorded on a computer-readable medium, for implementing the steps of the preceding method when said program is running on a computer.
In a third aspect of the invention, a system for monitoring a communication session on a data network, the session comprising a first data stream, called the parent stream, using a first protocol, the parent stream comprising data enabling the establishment of a second data stream, called the child stream, using a second protocol for the session, comprises:
• a first stream analyzer for searching the parent stream for the data enabling the establishment of the child stream;
• a first generator of a signature, called the parent key, from these data;
• a storage memory for the signature;
• a second stream analyzer for auditing data streams using the second protocol on the data network;
• a second signature generator for each of these streams;
• a comparator of the signature of each of the streams to the parent key; and
• a tagger for attaching the stream corresponding to the signature, if the result of the comparator is positive, as a child stream of the session.
In particular embodiments, the system comprises at least two devices connected by a data network, a first device comprising at least the storage memory, the signature comparator and the tagger, and the second device comprising at least the first stream analyzer, the first signature generator and an interface for transmitting the generated signature to the first device. It may also comprise at least a third device connected to the first device by the data network and comprising at least the second stream analyzer, the second signature generator and an interface for transmitting the generated signature to the first device.
The invention will be better understood on reading the description which follows, given solely by way of example, and with reference to the appended figures in which:
- FIG. 1 is a schematic view of a data network;
- FIG. 2 is a flow chart of a method according to one embodiment of the invention;
- FIG. 3 is a schematic view of a monitoring system according to one embodiment of the invention; and
- FIG. 4 is a schematic view of a monitoring system according to a second embodiment of the invention.
With reference to FIG. 1, a digital data network 1 connects a multitude of devices 3 to each other. A monitoring system 5 is connected to this network to capture the data streams exchanged between the devices 3.
The system 5 thus monitors the communication sessions running on the network 1. The term "session", or application session, denotes the set of data exchanges generated by a given network application.
For example, as is well known, when a first device wishes to transfer a file to a second device using the FTP protocol, the first device and the second device begin by establishing a first exchange using the TCP protocol on port 21, then they agree to transfer the file itself using FTP-DATA, which uses the TCP protocol on a variable port number greater than 1024. All of these exchanges constitute a session.
The first TCP exchange on port 21 on the one hand, and the FTP-DATA transfer on the other, will then each be called a sub-session, or simply a data stream. The first sub-session will be called the parent sub-session, or parent stream, in that it allows the two devices to exchange the data enabling the establishment of the second sub-session, which will therefore be called the child sub-session, or child stream.
Pour surveiller une session, le système 5 met en œuvre le procédé suivant, figure 2.  To monitor a session, the system 5 implements the following method, FIG.
En analysant les données transférées, le système détecte, étape 1 1 , établissement d'une session applicative sous la forme d'un flux parent.  By analyzing the data transferred, the system detects, step 1 1, establishment of an application session in the form of a parent stream.
Le système 5 analyse, étape 1 3, alors le flux parent à la recherche de données d'établissement d'un flux enfant. Par exemple, dans le cadre d'une session FTP, le système 5 va analyser les paquets émis pour déterminer le numéro du port sur lequel va s'effectuer le transfert de fichier.  The system 5 analyzes, step 1 3, then the parent stream looking for establishment data of a child stream. For example, in the context of an FTP session, the system 5 will analyze the transmitted packets to determine the number of the port on which the file transfer will take place.
Une fois ces données recueillies, le système 5 génère, étape 1 5, une signature, dite clé parent, à partir de ces données. Par exemple, pour une session FTP, le système 5 génère une signature à partir des adresses I P de l'équipement source et de l'équipement récepteur et du numéro de port. Cette signature est, par exemple, une valeur de hachage de ces données.  Once these data are collected, the system 5 generates, step 1 5, a signature, called parent key, from these data. For example, for an FTP session, the system 5 generates a signature from the I P addresses of the source equipment and the receiving equipment and the port number. This signature is, for example, a hash value of this data.
This parent key is stored, step 17, by the system 5.
The system 5 then monitors, step 19, the streams that may correspond to the child stream because they use, for example, a protocol compatible with it.
For each of these streams, it calculates, step 21, a signature. The calculation of this signature is similar to that of the parent key. For example, for the FTP session, it calculates the hash key of the IP addresses of the two devices and of the port number.
This signature is compared, step 23, with the parent key.
If the comparison is positive, the corresponding stream is then, step 25, the child stream being sought.
For the sake of explanation, the description above is limited to one parent stream and one child stream. However, the method generalizes without difficulty to a plurality of parent streams and child streams.
Thus, if a session consists of a parent stream and a plurality of child streams, the system calculates as many parent keys as necessary and monitors all the streams until all of the child streams have been found.
Conversely, several sessions, and therefore several parent streams, can be monitored in parallel.
The stream signatures are then compared against the whole set of parent keys until a parent key matches, which identifies the session the stream belongs to. If no key matches, the stream does not belong to any monitored session.
The method also applies without difficulty to sessions with multiple cascading inheritances, that is, sessions in which a child stream carries establishment data for another stream and behaves as a parent stream for that other stream, which is then its child stream. Based on the establishment data carried by the child stream, the system defines a parent key against which the signatures of the potential child streams are compared.
The detailed implementation of the method can take different forms depending on the technical characteristics sought and the processing capabilities of the system.
For example, the set of parent keys may correspond to an ordered index vector, one of whose attributes is the session name. Once the signature of a stream has been calculated, the search, the comparison with the parent key or keys, and the assignment of the stream to a session then amount to an operation on indexes, a computing operation that is extremely efficient in terms of resources used and speed. This also makes it possible to pool the monitoring operations of a multitude of sessions.
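Steps 13 to 25 applied to FTP, with two sessions monitored in parallel, as an added example that is not code from the patent or from the applicant. Assumptions: SHA-256 as the hash, a dictionary standing in for the ordered index vector, the announced address treated as the listening side of the child stream, each parent key consumed by its first match; all function and class names are hypothetical and the traffic is constructed.

```python
import hashlib
import ipaddress
import re

# Both FTP announcements carry h1,h2,h3,h4,p1,p2 (RFC 959).
_ADDR = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_REPLY = re.compile(r"^227 [^(]*\(" + _ADDR + r"\)")
_PORT_CMD = re.compile(r"^PORT " + _ADDR + r"\s*$", re.IGNORECASE)


def parse_establishment(line):
    """Step 13: extract (kind, listener_ip, listener_port) from one control
    line, or None when the line carries no establishment data."""
    for kind, pattern in (("PASV", _PASV_REPLY), ("PORT", _PORT_CMD)):
        m = pattern.match(line)
        if m:
            fields = [int(g) for g in m.groups()]
            if any(f > 255 for f in fields):
                return None  # malformed announcement: generate no key
            ip = ".".join(str(f) for f in fields[:4])
            return kind, ip, fields[4] * 256 + fields[5]
    return None


def signature(listener_ip, peer_ip, listener_port):
    """Steps 15 and 21: hash of the two IP addresses and the port number."""
    material = (ipaddress.ip_address(listener_ip).packed
                + ipaddress.ip_address(peer_ip).packed
                + listener_port.to_bytes(2, "big"))
    return hashlib.sha256(material).hexdigest()


class SessionMonitor:
    def __init__(self):
        self.parent_keys = {}  # parent key -> session name (step 17)
        self.children = {}     # session name -> child flows found so far

    def on_control_line(self, session, client_ip, server_ip, line, from_server):
        """Feed one line of a parent stream; returns the new parent key or None."""
        est = parse_establishment(line)
        if est is None:
            return None
        kind, listener_ip, port = est
        # A 227 reply only counts from the server, a PORT command from the client.
        if (kind == "PASV") != from_server:
            return None
        peer_ip = client_ip if kind == "PASV" else server_ip
        key = signature(listener_ip, peer_ip, port)
        self.parent_keys[key] = session
        return key

    def on_new_flow(self, src_ip, src_port, dst_ip, dst_port):
        """Steps 19 to 25: sign a new TCP flow (src is the initiator) and look
        it up among the parent keys; returns the session name or None."""
        sig = signature(dst_ip, src_ip, dst_port)
        session = self.parent_keys.pop(sig, None)  # assumption: one flow per key
        if session is not None:
            flow = (src_ip, src_port, dst_ip, dst_port)
            self.children.setdefault(session, []).append(flow)
        return session


def demo():
    """Two constructed FTP sessions against one server (documentation addresses)."""
    mon = SessionMonitor()
    mon.on_control_line("ftp-A", "192.0.2.10", "198.51.100.5",
                        "227 Entering Passive Mode (198,51,100,5,195,80)\r\n", True)
    mon.on_control_line("ftp-B", "192.0.2.20", "198.51.100.5",
                        "PORT 192,0,2,20,19,137\r\n", False)
    return [
        mon.on_new_flow("192.0.2.30", 41001, "198.51.100.5", 50000),  # other host
        mon.on_new_flow("192.0.2.10", 41000, "198.51.100.5", 50000),  # passive data
        mon.on_new_flow("198.51.100.5", 20, "192.0.2.20", 5001),      # active data
        mon.on_new_flow("192.0.2.10", 41002, "198.51.100.5", 50000),  # key consumed
    ]


if __name__ == "__main__":
    print(demo())
```

Because the attribution is a single dictionary lookup per new flow, the cost of matching does not grow with the number of monitored sessions, which is the property the index-based implementation above is after.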
The monitoring system 5 therefore comprises, FIG. 3:
• a first stream analyzer 31 for searching the parent stream for the data enabling the child stream to be established;
• a first generator 33 of a signature, called the parent key, from these data;
• a storage memory 35 for the signature;
• a second stream analyzer 37 for auditing data streams using the second protocol on the data network;
• a second signature generator 39 for each of these streams;
• a comparator 41 of the signature of each of these streams with the parent key; and
• a tagger 43 for attaching the stream corresponding to the signature, if the result of the comparator is positive, as a child stream of the session.
This monitoring system can be implemented as a dedicated electronic circuit or by specifically programming a computer with a computer program comprising program code instructions recorded on a computer-readable medium, to implement the steps of the monitoring method when the program runs on a computer. This computer comprises in particular a network interface allowing it to listen to the transmissions made on the network, volatile random-access memories connected to a computing unit to generate the keys and signatures, and storage memories, which may be, for example, a magnetic hard disk, to store in particular the rules for forming the signatures.
A particularly advantageous embodiment of this system consists of breaking it down into several decentralized devices, FIG. 4. A first series of devices 50, installed as close as possible to the streams, comprise the stream analyzers 31, 37 and the signature generators 33, 39. Each then comprises a communication interface 52 with a centralization device 54 comprising, in addition to a communication interface 56 linked to the interfaces 52, the storage memory 35 for the signatures as well as the signature comparator 41 and the tagger 43. This last element may also be located in the first devices 50 in order to tag the streams as close as possible to where they are produced.
The invention has been illustrated and described in detail in the drawings and the foregoing description. The latter must be considered illustrative and given by way of example, and not as limiting the invention to this description alone. Many variant embodiments are possible.
In particular, the monitoring system may in fact comprise only a single stream analyzer and a single signature generator capable of auditing the streams and generating the signatures for parent streams as well as for child streams. Alternatively, for reasons of speed, there may be as many of them as there are types of protocols.
In the claims, the word "comprising" does not exclude other elements and the indefinite article "a/an" does not exclude a plurality.

Claims

1. A method of monitoring a communication session on a data network, said session comprising a first data stream, called the parent stream, using a first protocol, said parent stream comprising data enabling the establishment of a second data stream, called the child stream, using a second protocol for said session, said method comprising:
• searching (13) the parent stream for the data enabling the establishment of the child stream;
• generating (15) and storing (17) a signature, called the parent key, from said data;
• auditing (19) data streams using the second protocol on said data network;
• creating (21) a signature for each of said streams;
• comparing (23) said signature of each of said streams with the parent key; and
• if the comparison is positive, determining (25) that the corresponding data stream is the child stream of said session.
2. The method according to claim 1, characterized in that, the session comprising a determined plurality of child streams, the data streams are audited until all of the child streams have been determined.
3. The method according to claim 1 or 2, characterized in that, said child stream comprising data enabling the establishment of a third data stream using a third protocol for said session, a signature is generated from said data, and data streams using the third protocol are audited until the data stream corresponding to the session is determined.
4. The method according to any one of the preceding claims, characterized in that, said method monitoring a plurality of sessions each comprising a parent stream for which a parent key is generated and stored, for each of said streams using the second protocol, the signature is compared with each of the parent keys to determine whether or not said stream is the child stream of one of said sessions.
5. A computer program product comprising program code instructions recorded on a computer-readable medium, for implementing the steps of the method according to any one of claims 1 to 4 when said program runs on a computer.
6. A system for monitoring a communication session on a data network, said session comprising a first data stream, called the parent stream, using a first protocol, said parent stream comprising data enabling the establishment of a second data stream, called the child stream, using a second protocol for said session, said system comprising:
• a first stream analyzer (31) for searching the parent stream for the data enabling the establishment of the child stream;
• a first generator (33) of a signature, called the parent key, from said data;
• a storage memory (35) for said signature;
• a second stream analyzer (37) for auditing data streams using the second protocol on said data network;
• a second signature generator (39) for each of said streams;
• a comparator (41) of said signature of each of said streams with the parent key; and
• a tagger (43) for attaching the stream corresponding to the signature, if the result of the comparator is positive, as a child stream of said session.
7. The system according to claim 6, characterized in that it comprises at least two devices connected by a data network, a first device comprising at least the storage memory, the signature comparator and the tagger, and the second device comprising at least the first stream analyzer and the first signature generator and an interface for transmitting the generated signature to the first device.
8. The system according to claim 7, characterized in that it comprises at least a third device connected to the first device by the data network and comprising at least the second stream analyzer and the second signature generator and an interface for transmitting the generated signature to the first device.
EP10763796A 2009-09-09 2010-09-01 Supervision of a communication session comprising several flows over a data network Withdrawn EP2476237A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0956161A FR2949934B1 (en) 2009-09-09 2009-09-09 MONITORING A COMMUNICATION SESSION COMPRISING SEVERAL FLOWS ON A DATA NETWORK
PCT/FR2010/051823 WO2011030045A1 (en) 2009-09-09 2010-09-01 Supervision of a communication session comprising several flows over a data network

Publications (1)

Publication Number Publication Date
EP2476237A1 (en) 2012-07-18

Family

ID=42079062

Family Applications (1)

Application Number Title Priority Date Filing Date
EP10763796A Withdrawn EP2476237A1 (en) 2009-09-09 2010-09-01 Supervision of a communication session comprising several flows over a data network

Country Status (9)

Country Link
US (1) US20120166666A1 (en)
EP (1) EP2476237A1 (en)
JP (1) JP5696147B2 (en)
KR (1) KR101703805B1 (en)
CN (1) CN102714652B (en)
CA (1) CA2773247A1 (en)
FR (1) FR2949934B1 (en)
SG (1) SG179043A1 (en)
WO (1) WO2011030045A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9246687B2 (en) * 2007-02-28 2016-01-26 Broadcom Corporation Method for authorizing and authenticating data
US10320749B2 (en) * 2016-11-07 2019-06-11 Nicira, Inc. Firewall rule creation in a virtualized computing environment
WO2018141392A1 (en) * 2017-02-02 2018-08-09 NEC Laboratories Europe GmbH Firewall support for multipath connections
US10834011B2 (en) * 2017-06-29 2020-11-10 Itron Global Sarl Packet servicing priority based on communication initialization
FR3089373B1 (en) * 2018-12-03 2020-11-27 Thales Sa Method and device for measuring a parameter representative of a transmission time in an encrypted communication tunnel
CN111198807B (en) * 2019-12-18 2023-10-27 中移(杭州)信息技术有限公司 Data stream analysis method, device, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040054927A1 (en) * 2002-05-08 2004-03-18 Stonesoft Corporation Handling related connections in a firewall
US20040177106A1 (en) * 2003-03-06 2004-09-09 Rose Kenneth M. Apparatus and method for filtering IP packets
US20050238010A1 (en) * 2004-04-26 2005-10-27 Rina Panigrahy Programmable packet parsing processor
US7212522B1 (en) * 1998-09-30 2007-05-01 Cisco Technology, Inc. Communicating voice over a packet-switching network

Family Cites Families (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6680933B1 (en) * 1999-09-23 2004-01-20 Nortel Networks Limited Telecommunications switches and methods for their operation
US6816455B2 (en) * 2001-05-09 2004-11-09 Telecom Italia S.P.A. Dynamic packet filter utilizing session tracking
US8004971B1 (en) * 2001-05-24 2011-08-23 F5 Networks, Inc. Method and system for scaling network traffic managers using connection keys
US7387849B2 (en) * 2002-03-14 2008-06-17 Questair Technologies Inc. Hydrogen recycle for solid oxide fuel cell
US6856991B1 (en) * 2002-03-19 2005-02-15 Cisco Technology, Inc. Method and apparatus for routing data to a load balanced server using MPLS packet labels
TWI222144B (en) * 2002-07-23 2004-10-11 Nanya Technology Corp Test device for detecting the overlay shift between active area and deep trench capacitor in DRAM and the detection method thereof
US7953841B2 (en) * 2002-08-22 2011-05-31 Jds Uniphase Corporation Monitoring an RTP data stream based on a phone call
US7020130B2 (en) * 2003-03-13 2006-03-28 Mci, Inc. Method and apparatus for providing integrated voice and data services over a common interface device
US20070050777A1 (en) * 2003-06-09 2007-03-01 Hutchinson Thomas W Duration of alerts and scanning of large data stores
US20050023801A1 (en) * 2003-07-31 2005-02-03 Adley Finley Fin-ray tote-a-load
GB0321426D0 (en) * 2003-09-12 2003-10-15 Ericsson Telefon Ab L M Data sharing in a multimedia communication system
US20050182836A1 (en) * 2004-02-17 2005-08-18 Johnson Teddy C. Method for transparently auditing employee and contractor FTP usage
US7535905B2 (en) * 2004-03-31 2009-05-19 Microsoft Corporation Signing and validating session initiation protocol routing headers
US7995611B2 (en) * 2004-06-29 2011-08-09 Apsect Software, Inc. Method and apparatus for dynamic VoIP phone protocol selection
US8194640B2 (en) * 2004-12-31 2012-06-05 Genband Us Llc Voice over IP (VoIP) network infrastructure components and method
US7624446B1 (en) * 2005-01-25 2009-11-24 Symantec Corporation Efficient signature packing for an intrusion detection system
US7580356B1 (en) * 2005-06-24 2009-08-25 Packeteer, Inc. Method and system for dynamically capturing flow traffic data
JP4073931B2 (en) * 2005-08-08 2008-04-09 株式会社ソニー・コンピュータエンタテインメント Terminal, communication apparatus, communication establishment method and authentication method
JP2007068093A (en) * 2005-09-02 2007-03-15 Nippon Telegraph & Telephone East Corp Ip telephone failure zone carving system and method
WO2007076883A1 (en) * 2005-12-30 2007-07-12 Telecom Italia S.P.A. Method and system for secure communication between a public network and a local network
EP1989822B1 (en) * 2006-01-25 2017-11-29 Orange Reliability system for multicast data transmission
US8010689B2 (en) * 2006-05-22 2011-08-30 Mcafee, Inc. Locational tagging in a capture system
EP1871038B1 (en) * 2006-06-23 2010-06-02 Nippon Office Automation Co., Ltd. Network protocol and session analyser
US7940657B2 (en) * 2006-12-01 2011-05-10 Sonus Networks, Inc. Identifying attackers on a network
EP2090061A2 (en) * 2006-12-01 2009-08-19 Sonus Networks, Inc. Filtering and policing for defending against denial of service attacks a network
US9917844B2 (en) * 2006-12-17 2018-03-13 Fortinet, Inc. Detection of undesired computer files using digital certificates
US7706291B2 (en) * 2007-08-01 2010-04-27 Zeugma Systems Inc. Monitoring quality of experience on a per subscriber, per session basis
US8413111B2 (en) * 2008-10-02 2013-04-02 Actiance, Inc. Techniques for dynamic updating and loading of custom application detectors
US8578491B2 (en) * 2008-12-11 2013-11-05 Alcatel Lucent Network based malware detection and reporting
WO2010129961A2 (en) * 2009-05-08 2010-11-11 Sable Networks, Inc Method and apparatus for controlling data communication sessions
US8068504B2 (en) * 2009-05-18 2011-11-29 Tresys Technology, Llc One-way router


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of WO2011030045A1 *

Also Published As

Publication number Publication date
JP2013504915A (en) 2013-02-07
KR101703805B1 (en) 2017-02-07
CA2773247A1 (en) 2011-03-17
KR20120082415A (en) 2012-07-23
CN102714652B (en) 2016-01-20
WO2011030045A1 (en) 2011-03-17
CN102714652A (en) 2012-10-03
FR2949934A1 (en) 2011-03-11
JP5696147B2 (en) 2015-04-08
US20120166666A1 (en) 2012-06-28
FR2949934B1 (en) 2011-10-28
SG179043A1 (en) 2012-04-27


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20120305

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: QOSMOS TECH

17Q First examination report despatched

Effective date: 20180123

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20190731