NETWORK SECURITY AND SURVEILLANCE SYSTEM

US 20010039579A1
Filed: 05/07/1997
Published: 11/08/2001
Est. Priority Date: 11/06/1996
Status: Active Grant

First Claim

Patent Images

1. A computer system for facilitating a post-event reconstruction and analysis of a security breach or other catastrophic event on a computer network, the system comprising:

network interface circuitry configured to passively and continuously monitor the network at a network connection point to generate a packet stream, the packet stream comprising raw data packets that are transmitted on the network by other computer systems of the network;

at least one computer processor configured to process the packet stream to generate an archival data stream; and

a data recording unit operatively coupled to the processor, the recording unit configured to record the archival data stream onto a non-volatile storage medium to generate a low-level archival recording of network traffic.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security and surveillance system passively monitors and records the traffic present on a local area network, wide area network, or other type of computer network, without interrupting or otherwise interfering with the flow of the traffic. Raw data packets present on the network are continuously routed (with optional packet encryption) to a high-capacity data recorder to generate low-level recordings for archival purposes. The raw data packets are also optionally routed to one or more cyclic data recorders to generate temporary records that are used to automatically monitor the traffic in near-real-time. A set of analysis applications and other software routines allows authorized users to interactively analyze the low-level traffic recordings to evaluate network attacks, internal and external security breaches, network problems, and other types of network events.

355 Citations

34 Claims

1. A computer system for facilitating a post-event reconstruction and analysis of a security breach or other catastrophic event on a computer network, the system comprising:
- network interface circuitry configured to passively and continuously monitor the network at a network connection point to generate a packet stream, the packet stream comprising raw data packets that are transmitted on the network by other computer systems of the network;
  
  at least one computer processor configured to process the packet stream to generate an archival data stream; and
  
  a data recording unit operatively coupled to the processor, the recording unit configured to record the archival data stream onto a non-volatile storage medium to generate a low-level archival recording of network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer system according to claim 1, wherein the network circuitry and the processor are configured such that the archival data stream contains sufficient information to reconstruct substantially all valid data packets that are receivable at the network connection point.
  - 3. The computer system according to claim 1, wherein the packet stream comprises substantially all valid data-link-level traffic that is presented at the network connection point.
  - 4. The computer system according to claim 1, wherein the processor is configured to insert packet timestamps into the packet stream, the packet timestamps forming a part of the archival recording and reflecting network transmission times of packets contained within the recording.
  - 5. The computer system according to claim 1, wherein the processor is configured to apply an encryption method to the packet stream, so that the raw data packets of the packet stream are stored on the non-volatile storage medium in an encrypted form.
  - 6. The computer system according to claim 1, wherein the processor is configured to implement a bad-packet filter to filter out packets of at least one predetermined type from the packet stream, the bad packet filter reducing a storage burden for the storage of network traffic onto the storage medium.
  - 7. The computer system according to claim 6, further including filter configuration software which allows a user of the computer system to selectively enable and disable the bad-packet filter, and wherein the archival data stream contains all valid packet data receivable at the connection point when the bad-packet filter is set to a disabled state.
  - 8. The computer system according to claim 1, wherein the storage medium comprises magnetic tape.
  - 9. The computer system according to claim 8, wherein the data recording unit comprises an automated tape library.
  - 10. The computer system according to claim 1, wherein the data recording unit is configured to operate as a write-once storage device.
  - 11. The computer system according to claim 1, further comprising interactive traffic analysis software for enabling a user to interactively view and analyze traffic data stored in the archival recording in an off-line analysis mode, the interactive traffic analysis software including a search engine for enabling the user to conduct interactive searches of the traffic data.
  - 12. The computer system according to claim 1, further comprising:
    - at least one cyclic data recorder that cyclically records at least a portion of the packet stream onto a second recording medium to generate a temporary record of at least some of the network traffic; and
      
      an automated monitoring software module which runs on the computer system, the automated monitoring module configured to automatically read traffic data from the cyclic data recorder and to monitor read-in traffic data for anomalies.
  - 13. The computer system according to claim 12, wherein the automated monitoring software module is configured to trigger an alarm upon detecting a pre-specified network anomaly.

14. A method of generating an archival record of network traffic on a computer network, comprising the computer-implemented steps of:
- passively and continuously capturing data packets that are receivable at a connection point to the network to generate a packet stream;
  
  processing the packet stream to generate an archival data stream; and
  
  storing the archival data stream on a non-volatile storage medium.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method according to claim 14, wherein the step of capturing comprises monitoring the network traffic with a network interface card that resides within a host computer, the network interface card configured to operate in a receive-only mode in which all data-link-level traffic present at the connection point is forwarded to the host computer.
  - 16. The method according to claim 15, wherein the step of storing comprises sending the archival data stream from the host computer to a peripheral storage device that is configured to operate in a write-once recording mode.
  - 17. The method according to claim 14, wherein the step of processing the packet stream comprises inserting timestamps into the packet stream to facilitate a subsequent reconstruction of events on the network.
  - 18. The method according to claim 14, wherein the step of processing the packet stream comprises encrypting at least a portion of the packet stream.
  - 19. The method according to claim 14, wherein the step of storing comprises writing the archival data stream to magnetic tape.
  - 20. The method according to claim 19, wherein the step of writing is performed at least in-part by an automated tape library.
  - 21. The method according to claim 14, further comprising the computer-implemented steps of:
    - storing at least a portion of the packet stream to a second recording medium with a cyclic data recorder to generate a temporary record of the network traffic; and
      
      reading-in and analyzing network traffic stored by the cyclic data recorder to provide automated near-real-time analysis of the network traffic.

22. A method of monitoring traffic on a computer network without adding latency to the traffic, comprising the computer-implemented steps of:
- (a) passively and continuously capturing data packets at a network connection point to generate a packet stream;
  
  (b) writing at least a portion of the packet stream to a recording medium to generate a temporary record of the traffic; and
  
  (c) automatically reading-in and analyzing traffic data stored on the recording medium in step (b) to search for at least one predefined traffic anomaly, to thereby provide near-real-time analysis of the traffic.
- View Dependent Claims (23, 24)
- - 23. The method according to claim 22, wherein the step of writing is performed using a cyclic recording device.
  - 24. The method according to claim 22, wherein the step of automatically reading-in and analyzing traffic data comprises performing at least one virus check on the traffic data.

25. A method of automatically evaluating the operation of a network firewall computer system (“
- firewall”
  
  ), the firewall connected between an internal computer network and an external computer network, the method comprising the computer-implemented steps of;
  
  (a) passively recording traffic on an external network side of the firewall to generate a log of external network traffic;
  
  (b) passively recording traffic on an internal side of the firewall to generate a log of internal network traffic; and
  
  (c) comparing the log of external traffic to the log of internal traffic to identify at least traffic sequences that have been blocked by the firewall.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The method according to claim 25, wherein at least one of steps (a) and (b) is performed using a computer system that is separate from the network firewall computer system.
  - 27. The method according to claim 25, wherein steps (a) and (b) are performed by a single computer system that is configured as a passive entity of both the internal network and the external network.
  - 28. The method according to claim 25, wherein step (a) comprises recording data link level traffic of the external network.
  - 29. The method according to claim 25, further comprising the step of comparing a result of step (c) with information contained in an access log file of the firewall to check for discrepancies between the access log file and an actual operation of the firewall.

30. A system for enabling the remote monitoring of non-network events that occur on a client computer, the client computer connected to a computer network, the system comprising:
- a non-network-event replication program which runs on the client computer, the replication program configured to monitor activity on the client computer to detect a non-network event of a pre-defined type, and configured to replicate the non-network event on the network by transmitting, on the network, a message that contains a representation of the non-network event, the replication program thereby enabling the non-network event to be monitored remotely over the network; and
  
  a monitoring computer which is configured to record the message from the network to generate a record of the non-network event.
- View Dependent Claims (31, 32, 33, 34)
- - 31. The system according to claim 30, wherein the replication program is configured to run in a background mode on the client computer, such that the remote monitoring of non-network events is substantially invisible to a user of the client computer.
  - 32. The system according to claim 30, wherein the replication program is configured to replicate an access by a user of the computer to a network other than the computer network.
  - 33. The system according to claim 30, wherein the monitoring computer is configured to record the message from the network passively.
  - 34. The system according to claim 30, wherein the monitoring computer is configured to operate as a passive entity of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DataDirect Networks Incorporated
Original Assignee
DataDirect Networks Incorporated
Inventors
TRCKA, MILAN V., JONES, MARK R., FALLON, KENNETH T., WALKER, RONALD W.

Granted Patent

US 6,453,345 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2151   Time stamp

H04L 63/0272   Virtual private networks

H04L 63/1425   Traffic logging, e.g. anoma...

NETWORK SECURITY AND SURVEILLANCE SYSTEM

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

355 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK SECURITY AND SURVEILLANCE SYSTEM

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

355 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links