NETWORK SECURITY AND SURVEILLANCE SYSTEM
9 Assignments, 0 Petitions
Abstract
A network security and surveillance system passively monitors and records the traffic present on a local area network, wide area network, or other type of computer network, without interrupting or otherwise interfering with the flow of the traffic. Raw data packets present on the network are continuously routed (with optional packet encryption) to a high-capacity data recorder to generate low-level recordings for archival purposes. The raw data packets are also optionally routed to one or more cyclic data recorders to generate temporary records that are used to automatically monitor the traffic in near-real-time. A set of analysis applications and other software routines allows authorized users to interactively analyze the low-level traffic recordings to evaluate network attacks, internal and external security breaches, network problems, and other types of network events.
Claims (34 claims; 355 citations)
1. A computer system for facilitating a post-event reconstruction and analysis of a security breach or other catastrophic event on a computer network, the system comprising:
- network interface circuitry configured to passively and continuously monitor the network at a network connection point to generate a packet stream, the packet stream comprising raw data packets that are transmitted on the network by other computer systems of the network;
- at least one computer processor configured to process the packet stream to generate an archival data stream; and
- a data recording unit operatively coupled to the processor, the recording unit configured to record the archival data stream onto a non-volatile storage medium to generate a low-level archival recording of network traffic.
Dependent claims: 2-13.

14. A method of generating an archival record of network traffic on a computer network, comprising the computer-implemented steps of:
- passively and continuously capturing data packets that are receivable at a connection point to the network to generate a packet stream;
- processing the packet stream to generate an archival data stream; and
- storing the archival data stream on a non-volatile storage medium.
Dependent claims: 15-21.

22. A method of monitoring traffic on a computer network without adding latency to the traffic, comprising the computer-implemented steps of:
- (a) passively and continuously capturing data packets at a network connection point to generate a packet stream;
- (b) writing at least a portion of the packet stream to a recording medium to generate a temporary record of the traffic; and
- (c) automatically reading in and analyzing the traffic data stored on the recording medium in step (b) to search for at least one predefined traffic anomaly, thereby providing near-real-time analysis of the traffic.
Dependent claims: 23-24.

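Steps (b) and (c) of claim 22 as an added example, not code from the patent: a fixed-capacity ring stands in for the cyclic data recorder, and a port-sweep search (one source reaching many ports on one host) stands in for the "predefined traffic anomaly". The Packet layout, the threshold and the 10.0.0.x traffic are all constructed for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Set, Tuple

class Packet(NamedTuple):
    ts: float      # capture timestamp, seconds (constructed layout)
    src: str
    dst: str
    dport: int

class CyclicRecorder:
    """Temporary record of the packet stream (claim 22, step (b)): a ring of
    fixed capacity that overwrites its oldest packets, so reading it back
    always yields the most recent slice of traffic, never the full history."""
    def __init__(self, capacity: int) -> None:
        self.ring: Deque[Packet] = deque(maxlen=capacity)

    def write(self, pkt: Packet) -> None:
        self.ring.append(pkt)

    def read_in(self) -> List[Packet]:
        # Step (c) reads the temporary record, not the live wire, so the
        # analysis adds no latency to the monitored traffic.
        return list(self.ring)

def find_port_sweeps(packets: List[Packet], max_ports: int) -> Set[Tuple[str, str]]:
    """Predefined anomaly chosen for this example: a (src, dst) pair for which
    the source touched more than max_ports distinct destination ports within
    the recorded slice. The ring's capacity is the analysis window."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for p in packets:
        ports[(p.src, p.dst)].add(p.dport)
    return {pair for pair, seen in ports.items() if len(seen) > max_ports}

def demo() -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Constructed traffic: a sweep is visible while it sits in the ring and
    disappears once enough ordinary packets have overwritten it."""
    rec = CyclicRecorder(capacity=8)
    for i in range(6):
        rec.write(Packet(ts=1.0 + i, src="10.0.0.9", dst="10.0.0.20", dport=20 + i))
    early = find_port_sweeps(rec.read_in(), max_ports=4)
    for i in range(8):  # ordinary HTTPS traffic pushes the sweep out of the ring
        rec.write(Packet(ts=10.0 + i, src="10.0.0.5", dst="10.0.0.20", dport=443))
    late = find_port_sweeps(rec.read_in(), max_ports=4)
    return early, late

if __name__ == "__main__":
    print(demo())  # ({('10.0.0.9', '10.0.0.20')}, set())
```

The second result is the operational caveat of a cyclic recorder: an anomaly the analyser does not read in before it is overwritten is lost, which is why the patent pairs it with the archival recording.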
25. A method of automatically evaluating the operation of a network firewall computer system (“firewall”), the firewall connected between an internal computer network and an external computer network, the method comprising the computer-implemented steps of:
- (a) passively recording traffic on an external network side of the firewall to generate a log of external network traffic;
- (b) passively recording traffic on an internal side of the firewall to generate a log of internal network traffic; and
- (c) comparing the log of external traffic to the log of internal traffic to identify at least the traffic sequences that have been blocked by the firewall.
Dependent claims: 26-29.

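Claim 25 as an added example, not the patent's own code: two constructed tap logs are reduced to flow 5-tuples and set-differenced to find the sequences the firewall dropped in each direction. It assumes no NAT between the two taps, that 192.0.2.0/24 is the internal network, and a log line format invented for the example.

```python
import ipaddress
import re
from typing import Dict, Set, Tuple

Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)

# Constructed line format for this example: "<ts> <src>:<sport> > <dst>:<dport> <proto>"
LINE = re.compile(r"^(\d+(?:\.\d+)?) (\S+):(\d+) > (\S+):(\d+) (\w+)$")

def parse_log(text: str) -> Set[Flow]:
    """Reduce a passively recorded log to the set of 5-tuples it contains; the
    timestamp is dropped because step (c) only asks what appears on one side."""
    flows: Set[Flow] = set()
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable log line: {raw!r}")
        _ts, src, sport, dst, dport, proto = m.groups()
        flows.add((src, int(sport), dst, int(dport), proto.lower()))
    return flows

def evaluate_firewall(external_log: str, internal_log: str, internal_net: str) -> Dict[str, Set[Flow]]:
    """Step (c). Assumes no NAT, so a flow keeps its 5-tuple on both sides.
    Traffic that stays inside the LAN is never expected on the external tap."""
    net = ipaddress.ip_network(internal_net)
    ext, inn = parse_log(external_log), parse_log(internal_log)

    def crosses(f: Flow, inbound: bool) -> bool:
        src_in = ipaddress.ip_address(f[0]) in net
        dst_in = ipaddress.ip_address(f[2]) in net
        return (dst_in and not src_in) if inbound else (src_in and not dst_in)

    return {
        "blocked_inbound": {f for f in ext - inn if crosses(f, inbound=True)},
        "blocked_outbound": {f for f in inn - ext if crosses(f, inbound=False)},
        "passed": ext & inn,
    }

# Constructed sample logs from the two taps (documentation-range addresses).
EXTERNAL_LOG = """
100.0 203.0.113.7:51000 > 192.0.2.10:443 tcp
100.1 203.0.113.7:51001 > 192.0.2.10:23 tcp
100.3 192.0.2.10:52000 > 198.51.100.9:80 tcp
"""
INTERNAL_LOG = """
100.0 203.0.113.7:51000 > 192.0.2.10:443 tcp
100.3 192.0.2.10:52000 > 198.51.100.9:80 tcp
100.4 192.0.2.10:52001 > 198.51.100.9:6667 tcp
100.5 192.0.2.10:3000 > 192.0.2.11:3000 tcp
"""
```

Under NAT the two taps would not share a 5-tuple and the comparison would have to be keyed on the firewall's translation table instead.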
30. A system for enabling the remote monitoring of non-network events that occur on a client computer, the client computer connected to a computer network, the system comprising:
- a non-network-event replication program which runs on the client computer, the replication program configured to monitor activity on the client computer to detect a non-network event of a pre-defined type, and configured to replicate the non-network event on the network by transmitting, on the network, a message that contains a representation of the non-network event, the replication program thereby enabling the non-network event to be monitored remotely over the network; and
- a monitoring computer which is configured to record the message from the network to generate a record of the non-network event.
Dependent claims: 31-34.
