Attack database structure
First Claim

1. A method of inspecting a log of security records in a computer network, comprising the steps of:
- retrieving a log record;
- processing the log record including deriving a key to a table;
- determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique; and
- evaluating one or more entries of the table based on predetermined criteria to detect attempted security breaches.
Abstract
Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.
44 Claims
7. A method of inspecting a log of security records in a computer network, comprising the steps of:
- retrieving a log record;
- hashing one or more fields of the log record to generate a hash key;
- evaluating a hash table using the hash key;
- if there is no matching hash table entry, adding a new entry to the hash table;
- if there is a matching hash table entry, retrieving a data list associated with the hash table entry;
- using one or more fields of the log record to compute a data value;
- comparing the data value with entries in the data list to determine if there are any matching entries;
- inserting the data value into the data list if there are no matching entries; and
- evaluating the data list based on predetermined criteria to detect attempted security breaches.

Dependent claims: 8 to 20.

21. A method of inspecting a log of security records in a computer network, comprising the steps of:
- retrieving a log record;
- hashing one or more fields of the log record to generate a hash key;
- evaluating a hash table using the hash key;
- if there is no matching hash table entry, adding a new entry to the hash table;
- if there is a matching hash table entry, retrieving a data list associated with the hash table entry;
- using one or more fields of the log record to compute a data value to be inserted into the data list;
- evaluating the data list to determine the uniqueness of the data value; and
- inserting the data value in the data list if the data value is unique.

22. A method of detecting a port scan comprising:
- retrieving a log record including a source address and a destination address;
- hashing the source address and the destination address to generate a hash key;
- evaluating a hash table using the hash key;
- if there is a matching hash table entry, retrieving a data list associated with the hash table entry;
- comparing the destination port with the entries in the data list to determine if there are any matching entries;
- inserting the destination port into the data list if there are no matching entries; and
- determining a port scan if the number of items in the data list exceeds a predetermined number.

23. A computer program product, tangibly embodied in an information carrier, the computer program product comprising instructions operable to cause data processing apparatus to:
- retrieve a log record;
- process a log record including deriving a key to a table;
- determine a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique; and
- evaluate one or more entries of the table based on predetermined criteria to detect attempted security breaches.

Dependent claims: 24 to 28.

29. A computer program product, tangibly embodied in an information carrier, the computer program product comprising instructions operable to cause data processing apparatus to:
- retrieve a log record;
- hash one or more fields of the log record to generate a hash key;
- evaluate a hash table using the hash key;
- if there is no matching hash table entry, add a new entry to the hash table;
- if there is a matching hash table entry, retrieve a data list associated with the hash table entry;
- use one or more fields of the log record to compute a data value;
- compare the data value with entries in the data list to determine if there are any matching entries;
- insert the data value into the data list if there are no matching entries; and
- evaluate the data list based on predetermined criteria to detect attempted security breaches.

Dependent claims: 30 to 42.

43. A computer program product, tangibly embodied in an information carrier, for inspecting a log of security records in a computer network, the computer program product comprising instructions operable to cause data processing apparatus to:
- retrieve a log record;
- hash one or more fields of the log record to generate a hash key;
- evaluate a hash table using the hash key;
- if there is no matching hash table entry, add a new entry to the hash table;
- if there is a matching hash table entry, retrieve a data list associated with the hash table entry;
- use one or more fields of the log record to compute a data value to be inserted into the data list;
- evaluate the data list to determine the uniqueness of the data value; and
- insert the data value in the data list if the data value is unique.

44. A computer program product, tangibly embodied in an information carrier, for detecting a port scan, the computer program product comprising instructions operable to cause data processing apparatus to:
- retrieve a log record including a source address and a destination address;
- hash the source address and the destination address to generate a hash key;
- evaluate a hash table using the hash key;
- if there is a matching hash table entry, retrieve a data list associated with the hash table entry;
- compare the destination port with the entries in the data list to determine if there are any matching entries;
- insert the destination port into the data list if there are no matching entries; and
- determine a port scan if the number of items in the data list exceeds a predetermined number.
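Claims 7, 21 and 22 (and their program-product counterparts 29, 43 and 44) all describe one structure: a hash table keyed on fields of the log record, each entry holding a list of unique data values that is checked against a criterion. The Python below is an added illustration of that structure as a port scan detector; it is not code from the patent or its assignee, and the log line format, the SHA-256 key derivation and the threshold of four distinct ports are assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample log records (not from the patent): "<src_ip> <dst_ip> <dst_port>".
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10 22
10.0.0.5 192.168.1.10 80
10.0.0.5 192.168.1.10 22
10.0.0.5 192.168.1.10 443
10.0.0.5 192.168.1.10 8080
10.0.0.5 192.168.1.10 3306
10.0.0.9 192.168.1.10 443
10.0.0.9 192.168.1.10 443
"""

def hash_key(src: str, dst: str) -> str:
    """Hash the source and destination addresses into the table key (claim 22); SHA-256 is an assumption."""
    return hashlib.sha256(f"{src}|{dst}".encode()).hexdigest()

class AttackTable:
    """Hash table keyed by (src, dst); each entry holds a list of unique destination ports."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold  # the 'predetermined number' of distinct ports (assumed value)
        self.table: Dict[str, List[int]] = {}

    def process(self, record: str) -> bool:
        """Process one record; return True if the (src, dst) pair now qualifies as a port scan."""
        src, dst, port_text = record.split()
        port = int(port_text)  # the data value computed from the record's fields
        ports = self.table.setdefault(hash_key(src, dst), [])  # add a new entry if there is no match
        if port not in ports:  # compare with the data list; insert only if unique
            ports.append(port)
        return len(ports) > self.threshold  # evaluate the list against the criterion

def scan_log(log_text: str, threshold: int = 4) -> Tuple[Dict[str, List[int]], List[Tuple[str, str]]]:
    """Run every record through the table; return the table and the flagged (src, dst) pairs."""
    table = AttackTable(threshold)
    flagged: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, _ = line.split()
        if table.process(line) and (src, dst) not in flagged:
            flagged.append((src, dst))
    return table.table, flagged
```

Because the list holds only unique ports, a source that retries the same port many times never inflates its count; only breadth across ports trips the threshold.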