Abstract: Security of a plurality of registered digital documents in a system are monitored and the monitoring includes determining whether signatures associated with the registered digital documents are included in data propagating in network traffic of the system. A particular signature of a particular document in the plurality of registered digital documents is detected from the data propagating in the network. It is determined, based at least in part on the detecting, that detection of the particular signature exceeds a threshold detection rate for registered digital documents in the system. The particular signature is removed from a signature database including the signatures of the plurality of registered digital documents.

Abstract: A system and method for capturing objects and balancing systems resources in a capture system are described. An object is captured, metadata associated with the objected generated, and the object and metadata stored.

Abstract: A system and method for capturing objects and balancing systems resources in a capture system are described. An object is captured, metadata associated with the objected generated, and the object and metadata stored.

Abstract: Content leaving a local network can be captured and indexed so that queries can be performed on the captured data. In one embodiment, the present invention comprises an apparatus that connects to a network. In one embodiment, this apparatus includes a network interface module to connect the apparatus to a network, a packet capture module to intercept packets being transmitted on the network, an object assembly module to reconstruct objects being transmitted on the network from the intercepted packets, an object classification module to determine the content in the reconstructed objects, and an object store module to store the objects. This apparatus can also have a user interface to enable a user to search objects stored in the object store module.

Abstract: Packets can be read from a network interface into an application using a single kernel copy. In one embodiment, the invention includes a receiver packet memory to store captured packets, and a network interface driver operating in a kernel of a device to read packets captured by network interface hardware into the kernel by storing captured packets in the receiver packet memory. Then, an application interface can expose the receiver packet memory to an application executing on the device by representing the receiver packet memory as a virtual file.

Abstract: A file system can be provided in a capture system to efficiently read and write captured objects. In one embodiment, such a file system includes a plurality of queues to queue captured objects to be written to a disk, each queue being associated with one of a plurality of object types, and each queue containing captured objects of the type associated with each queue. A scheduler can be provided to select one of the plurality of queues, and a block manager to select a partition of a disk, the partition being associated with the object type of the captured objects in the selected queue. A disk controller configured to write contiguous blocks of data from the selected queue to the selected partition is connected to the block manager to enable writing to a disk.

Abstract: A system and method for capturing objects and balancing systems resources in a capture system are described. An object is captured, metadata associated with the objected generated, and the object and metadata stored.

Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures in a signature database, each signature being associated with one of a plurality of registered documents. In one embodiment, the invention further includes maintaining the signature database by de-registering documents by removing the signatures associated with de-registered documents. In one embodiment, the invention further includes maintaining the database by removing redundant and high detection rate signatures. In one embodiment, the invention also includes maintaining the signature database by removing signatures based on the source text used to generate the signature.

Abstract: A tag database storing tags indexing captured object can be searched efficiently. In one embodiment, such a search begins by receiving a query for one or more objects captured by a capture system, and determining whether a query time range exceeds a time range of a set of fast tables. In one embodiment, the invention further includes searching the set of fast tables if the query time range does not exceed the time range of the fast tables, the set of fast tables containing tags having meta-data related to captured objects. In one embodiment, the invention further includes searching a set of hourly tables if the query time range does exceed the time range of the fast tables. In one embodiment, the present invention further includes searching a set of daily tables if the query time range also exceeds the time range of the hourly tables.

Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, a plurality of stored signatures are maintained in a signature database, each signature being associated with one of a plurality of registered documents. In one embodiment, the signature database is maintained by de-registering documents by removing the signatures associated with de-registered documents. In one embodiment, the database is maintained by removing redundant and high detection rate signatures. In one embodiment, the signature database is maintained by removing signatures based on the source text used to generate the signature.

Abstract: Objects captured over a network by a capture system can be indexed to provide enhanced search and content analysis capabilities. In one embodiment the objects can be indexed using a data structure having a source address field to indicate an origination address of the object, a destination address field to indicate a destination address of the object, a source port field to indicate an origination port of the object, a destination port field to indicate a destination port of the object, a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, and a time field to indicate when the object was captured. The data structure may also store a cryptographic signature of the object to ensure the object is not altered after capture.

Abstract: Objects can be extracted from data flows captured by a capture device. Each captured object can then be classified according to content. Meta-data about captured objects can be stored in a tag. In one embodiment, the present invention includes receiving a request to present a previously captured object to a user, accessing a tag associated with the requested object, the tag containing metadata related to the object, the metadata including an object signature, and verifying that the object has not been altered since capture using the object signature before presenting the object to the user.

Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures, each signature being associated with one of a plurality of registered documents, intercepting an object being transmitted over a network, calculating a set of signatures associated with the intercepted object, and comparing the set of signatures with the plurality of stored signatures. In one embodiment, the invention can further include detecting registered content from the registered document being contained in the intercepted object, if the comparison results in a match of at least one of the signatures in the set of signatures with one or more of the plurality of stored signatures.

Abstract: Content leaving a local network can be captured and indexed so that queries can be performed on the captured data. In one embodiment, the present invention comprises an apparatus that connects to a network. In one embodiment, this apparatus includes a network interface module to connect the apparatus to a network, a packet capture module to intercept packets being transmitted on the network, an object assembly module to reconstruct objects being transmitted on the network from the intercepted packets, an object classification module to determine the content in the reconstructed objects, and an object store module to store the objects. This apparatus can also have a user interface to enable a user to search objects stored in the object store module.

Abstract: A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, the invention includes maintaining a plurality of stored signatures, each signature being associated with one of a plurality of registered documents, intercepting an object being transmitted over a network, calculating a set of signatures associated with the intercepted object, and comparing the set of signatures with the plurality of stored signatures. In one embodiment, the invention can further include detecting registered content from the registered document being contained in the intercepted object, if the comparison results in a match of at least one of the signatures in the set of signatures with one or more of the plurality of stored signatures.

Abstract: Objects captured over a network by a capture system can be indexed to provide enhanced search and content analysis capabilities. In one embodiment the objects can be indexed using a data structure having a source address field to indicate an origination address of the object, a destination address field to indicate a destination address of the object, a source port field to indicate an origination port of the object, a destination port field to indicate a destination port of the object, a content field to indicate a content type from a plurality of content types identifying a type of content contained in the object, and a time field to indicate when the object was captured. The data structure may also store a cryptographic signature of the object to ensure the object is not altered after capture.

Abstract: A system and method for capturing objects and balancing systems resources in a capture system are described. An object is captured, metadata associated with the objected generated, and the object and metadata stored.

Abstract: Content leaving a local network can be captured and indexed so that queries can be performed on the captured data. In one embodiment, the present invention comprises an apparatus that connects to a network. In one embodiment, this apparatus includes a network interface module to connect the apparatus to a network, a packet capture module to intercept packets being transmitted on the network, an object assembly module to reconstruct objects being transmitted on the network from the intercepted packets, an object classification module to determine the content in the reconstructed objects, and an object store module to store the objects. This apparatus can also have a user interface to enable a user to search objects stored in the object store module.

Abstract: A file system can be provided in a capture system to efficiently read and write captured objects. In one embodiment, such a file system includes a plurality of queues to queue captured objects to be written to a disk, each queue being associated with one of a plurality of object types, and each queue containing captured objects of the type associated with each queue. A scheduler can be provided to select one of the plurality of queues, and a block manager to select a partition of a disk, the partition being associated with the object type of the captured objects in the selected queue. A disk controller configured to write contiguous blocks of data from the selected queue to the selected partition is connected to the block manager to enable writing to a disk.

Abstract: Packets can be read from a network interface into an application using a single kernel copy. In one embodiment, the invention includes a receiver packet memory to store captured packets, and a network interface driver operating in a kernel of a device to read packets captured by network interface hardware into the kernel by storing captured packets in the receiver packet memory. Then, an application interface can expose the receiver packet memory to an application executing on the device by representing the receiver packet memory as a virtual file.