System and method for storing events to enhance intrusion detection
2 Assignments
0 Petitions
Abstract
Storing events to enhance intrusion detection in networks is described. In one exemplary implementation, an event is received. The event includes a data section containing a set of strings each having an event field. A definition table is referenced to determine locations of event fields in the data section of the event. The event fields are stored in a database record corresponding to event field locations referenced from the definition table.
79 Citations
33 Claims
1. A method comprising:
   receiving an event, the event comprising a data section containing a set of strings each containing an event field;
   referencing a definition table to determine locations of event fields in the data section of the event; and
   storing the event fields in a database record corresponding to event field locations referenced from the definition table.
   (Dependent claims: 2, 3, 4, 5, 6, 7)

8. A method comprising:
   receiving an event that contains, respectively, an event identification indicating a select one of a plurality of different types of events and one or more sets of strings with each string containing an event field;
   identifying the event identification in the event;
   locating an entry in a definition table corresponding to the event identification of the received event;
   from the located entry of the event in the definition table, the located entry containing locations of types of event fields for the event, using the definition table as a reference to locate event fields in the received event; and
   for the received event, storing the located event fields in records of an event database corresponding to the types of event fields.
   (Dependent claims: 9, 10, 11, 12, 13)

14. A system for maintaining records of events comprising:
   an event receiver module, configured to receive an event that contains, respectively, an event identification indicator and strings containing event fields, each specifying a different component aspect of the event; and
   an event-processing module, configured to reference an event definition table to determine locations of event fields in the event, and store the event fields in a record of a database according to the different component aspect specified by the event field.
   (Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)

25. One or more computer-readable media having stored thereon a computer program that, when executed by one or more processors, causes the one or more processors to:
   receive an event that contains, respectively, an event identification indicating a select one of a plurality of different types of events and one or more sets of strings with each string containing an event field;
   identify the event identification in the event;
   locate an entry in a definition table corresponding to the event identification of the received event;
   from the located entry of the event in the definition table, the located entry containing locations of types of event fields for the event, use the definition table as a reference to locate event fields in the received event; and
   for the received event, store the located event fields in records of an event database corresponding to the types of event fields.
   (Dependent claims: 26)

27. A system for storing events, comprising:
   client computers, configured to generate events that contain, respectively, an event identification indicator and one or more strings, the strings containing event fields;
   an event definition table specifying locations of the event fields; and
   means for storing the one or more event fields from generated events in records of a database appurtenant to the locations specified by the event definition table.
   (Dependent claims: 28, 29, 30)

31. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computer to:
   generate events that contain, respectively, an event identification and one or more event descriptions, the event descriptions containing one or more values in the event fields, and store the event strings in a log when a security-sensitive event is performed; and
   store the events in a database in a manner to enable values in the event fields to be independently searched through the use of an event definition table containing mappings of the event descriptions for each event identification, the mappings including the locations of one or more values in the event fields contained within the event descriptions.
   (Dependent claims: 32, 33)
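The abstract and claims 1, 8 and 31 all describe the same procedure: an event arrives as an event identification plus a list of insertion strings, a definition table keyed by event identification says which string position holds which type of field, and the fields are written into typed database columns so each can be searched on its own. The following is an added worked example of that procedure in Python with the standard-library sqlite3 module; it is not code from the patent. The event IDs (1001, 1002, 1003), the field positions in the definition table and the sample events are all constructed for illustration and do not reproduce any real logging subsystem's layout. It also shows the two edge cases the claims leave implicit: an event ID with no definition, and an event carrying fewer strings than its definition expects, both of which are kept raw rather than mis-assigned to columns.

```python
"""Definition-table driven event storage (added example, not the patent's code)."""
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical definition table: event_id -> {field_type: position in the
# insertion-string list}. Positions are illustrative, not any real event layout.
DEFINITION_TABLE: Dict[int, Dict[str, int]] = {
    1001: {"subject_user": 0, "target_user": 1, "logon_type": 2, "source_ip": 3},
    1002: {"subject_user": 0, "target_user": 1, "logon_type": 2, "source_ip": 3,
           "failure_reason": 4},
    1003: {"subject_user": 0, "process_name": 1},
}

# One nullable column per field type found anywhere in the definition table,
# so every field type is independently searchable across all event types.
FIELD_TYPES: List[str] = sorted({f for fields in DEFINITION_TABLE.values() for f in fields})


@dataclass
class Event:
    event_id: int
    strings: List[str]  # the event's data section: one insertion string per field


def locate_fields(event: Event) -> Optional[Dict[str, str]]:
    """Map insertion strings to typed fields via the definition table.

    Returns None when the event ID has no definition, or when the definition
    references a position the event does not carry (malformed event). The
    caller then stores the raw strings instead of guessing at columns.
    """
    definition = DEFINITION_TABLE.get(event.event_id)
    if definition is None:
        return None
    if max(definition.values()) >= len(event.strings):
        return None
    return {ftype: event.strings[pos] for ftype, pos in definition.items()}


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Column names come from the constant definition table, never from event
    # data, so building the DDL with string formatting is safe here.
    cols = ", ".join(f"{c} TEXT" for c in FIELD_TYPES)
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, event_id INTEGER NOT NULL, "
        f"raw TEXT NOT NULL, {cols})"
    )
    return conn


def store_event(conn: sqlite3.Connection, event: Event) -> bool:
    """Store one event; returns True if its fields were placed in typed columns."""
    fields = locate_fields(event)
    raw = "\t".join(event.strings)  # always keep the raw data section
    if fields is None:
        conn.execute("INSERT INTO events (event_id, raw) VALUES (?, ?)",
                     (event.event_id, raw))
        return False
    names = ["event_id", "raw"] + list(fields)  # column names from the table only
    placeholders = ", ".join("?" for _ in names)
    conn.execute(f"INSERT INTO events ({', '.join(names)}) VALUES ({placeholders})",
                 [event.event_id, raw, *fields.values()])  # values are bound, not formatted
    return True


def failed_logons_by_source(conn: sqlite3.Connection, threshold: int) -> List[Tuple[str, int]]:
    """Example of a per-field search enabled by typed storage: sources with
    at least `threshold` failed-logon events (hypothetical event ID 1002)."""
    return conn.execute(
        "SELECT source_ip, COUNT(*) FROM events WHERE event_id = 1002 "
        "GROUP BY source_ip HAVING COUNT(*) >= ? ORDER BY 2 DESC",
        (threshold,),
    ).fetchall()


# Constructed sample events for the example (not captured from a real system).
SAMPLE_EVENTS: List[Event] = [
    Event(1001, ["SYSTEM", "alice", "2", "10.0.0.5"]),
    Event(1002, ["SYSTEM", "alice", "3", "198.51.100.7", "bad password"]),
    Event(1002, ["SYSTEM", "bob", "3", "198.51.100.7", "bad password"]),
    Event(1002, ["SYSTEM", "carol", "3", "198.51.100.7", "bad password"]),
    Event(1003, ["alice", "cmd.exe"]),
    Event(9999, ["unknown", "format"]),   # no entry in the definition table
    Event(1002, ["SYSTEM", "dave"]),      # too few strings for its definition
]


def load_samples() -> sqlite3.Connection:
    conn = open_store()
    for ev in SAMPLE_EVENTS:
        store_event(conn, ev)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = load_samples()
    print(failed_logons_by_source(db, 3))
```

The raw data section is stored alongside the typed columns so that an event whose definition is missing or wrong is never lost, and the definition table can be corrected and the raw strings re-parsed later; the typed columns are what make queries such as the failed-logon grouping above possible without string matching across the whole record.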
Specification