Attack database structure

US 20040199535A1
Filed: 04/04/2003
Published: 10/07/2004
Est. Priority Date: 04/04/2003
Status: Active Grant

First Claim

Patent Images

1. A method of inspecting a log of security records in a computer network, comprising the steps of:

retrieving a log record;

processing the log record including deriving a key to a table;

determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique; and

evaluating one or more entries of the table based on predetermined criteria to detect attempted security breaches.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.

Citations

44 Claims

1. A method of inspecting a log of security records in a computer network, comprising the steps of:
- retrieving a log record;
  
  processing the log record including deriving a key to a table;
  
  determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique; and
  
  evaluating one or more entries of the table based on predetermined criteria to detect attempted security breaches.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the table is a hash table.
  - 3. The method of claim 1, wherein the list of data values is implemented as a linked list.
  - 4. The method of claim 1, wherein the list of data values is implemented as a hash table.
  - 5. The method of claim 1, wherein the list of data values is implemented as a tree.
  - 6. The method of claim 1, wherein evaluating one or more entries of the table includes evaluating all the entries of the table.

7. A method of inspecting a log of security records in a computer network, comprising the steps of:
- retrieving a log record;
  
  hashing one or more fields of the log record to generate a hash key;
  
  evaluating a hash table using the hash key;
  
  if there is no matching hash table entry, adding a new entry to the hash table;
  
  if there is a matching hash table entry, retrieving a data list associated with the hash table entry;
  
  using one or more fields of the log record to compute a data value;
  
  comparing the data value with entries in the data list to determine if there are any matching entries;
  
  inserting the data value into the data list if there are no matching entries; and
  
  evaluating the data list based on predetermined criteria to detect attempted security breaches.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 8. The method of claim 7, wherein adding a new entry to the hash table includes generating an empty data list associated with the new entry to the hash table.
  - 9. The method of claim 7, wherein inserting a new entry in the data list includes triggering an evaluation of the data list.
  - 10. The method of claim 7, including receiving a check table operation to trigger the evaluation of the data list.
  - 11. The method of claim 7, wherein evaluating the data list based on predetermined criteria includes blocking a packet associated with the log record.
  - 12. The method of claim 7, wherein evaluating the data list based on predetermined criteria includes blocking all future packets from a same source as a packet associated with a given log record.
  - 13. The method of claim 7, wherein evaluating the data list based on predetermined criteria includes reporting an attempted security breach.
  - 14. The method of claim 7, wherein the data list is a linked list.
  - 15. The method of claim 7, wherein the data list is a hash table.
  - 16. The method of claim 7, wherein the data list is a tree.
  - 17. The method of claim 7, including evaluating the data list after a plurality of log records have been added to the data list.
  - 18. The method of claim 7, including evaluating the data list after each log record is added to the data list.
  - 19. The method of claim 7, wherein evaluating the hash table using the hash key includes processing a second hash table.
  - 20. The method of claim 19, wherein processing a second hash table includes:
    - using the matching hash table entry to retrieve a second hash table;
      
      using the hash key to evaluate the second hash table;
      
      if there is no matching second hash table entry, adding a new entry to the second hash table;
      
      if there is a matching second hash table entry, retrieving a second data list associated with the second hash table entry;
      
      comparing the data value with entries in the second data list to determine if there are any matching entries;
      
      inserting the data value in the second data list if there are no matching entries; and
      
      evaluating the second data list based on predetermined criteria to detect attempted security breaches.

21. A method of inspecting a log of security records in a computer network, comprising the steps of:
- retrieving a log record;
  
  hashing one or more fields of the log record to generate a hash key;
  
  evaluating a hash table using the hash key;
  
  if there is no matching hash table entry, adding a new entry to the hash table;
  
  if there is a matching hash table entry, retrieving a data list associated with the hash table entry;
  
  using one or more fields of the log record to compute a data value to be inserted into the data list;
  
  evaluating the data list to determine the uniqueness of the data value; and
  
  inserting the data value in the data list if the data value is unique.

22. A method of detecting a port scan comprising:
- retrieving a log record including a source address and a destination address;
  
  hashing the source address and the destination address to generate a hash key;
  
  evaluating a hash table using the hash key;
  
  if there is a matching hash table entry, retrieving a data list associated with the hash table entry;
  
  comparing the destination port with the entries in the data list to determine if there are any matching entries;
  
  inserting the destination port into the data list if there are no matching entries; and
  
  determining a port scan if the number of items in the data list exceeds a predetermined number.

23. A computer program product, tangibly embodied in an information carrier, the computer program product comprising instructions operable to cause data processing apparatus to:
- retrieve a log record;
  
  process a log record including deriving a key to a table;
  
  determine a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique; and
  
  evaluate one or more entries of the table based on predetermined criteria to detect attempted security breaches.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The computer program product of claim 23, wherein the table is a hash table.
  - 25. The computer program product of claim 23, wherein the list of data values is implemented as a linked list.
  - 26. The computer program product of claim 23, wherein the list of data values is implemented as a hash table.
  - 27. The computer program product of claim 23, wherein the list of data values is implemented as a tree.
  - 28. The computer program product of claim 23, wherein instructions to evaluate one or more entries of the table include instructions to evaluate all the entries of the table.

29. A computer program product, tangibly embodied in an information carrier, the computer program product comprising instructions operable to cause data processing apparatus to:
- retrieve a log record;
  
  hash one or more fields of the log record to generate a hash key;
  
  evaluate a hash table using the hash key;
  
  if there is no matching hash table entry, add a new entry to the hash table;
  
  if there is a matching hash table entry, retrieve a data list associated with the hash table entry;
  
  use one or more fields of the log record to compute a data value;
  
  compare the data value with entries in the data list to determine if there are any matching entries;
  
  insert the data value into the data list if there are no matching entries; and
  
  evaluate the data list based on predetermined criteria to detect attempted security breaches.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 30. The computer program product of claim 29, wherein instructions for adding a new entry to the hash table cause the data processing apparatus to generate an empty data list associated with the new entry to the hash table.
  - 31. The computer program product of claim 29, wherein instructions for inserting a new entry in the data list cause the data processing apparatus to trigger the evaluation of the data list.
  - 32. The computer program product of claim 29, wherein instructions for issuing a check table operation cause the data processing apparatus to trigger the evaluation of the data list.
  - 33. The computer program product of claim 29, wherein instructions for evaluating the data list based on predetermined criteria cause the data processing apparatus to block a packet associated with the log record.
  - 34. The computer program product of claim 29, wherein instructions for evaluating the data list based on predetermined criteria cause the data processing apparatus to block all future packets from a same source as a packet associated with a given log record.
  - 35. The computer program product of claim 29, wherein instructions for evaluating the data list based on predetermined criteria cause the data processing apparatus to report an attempted security breach.
  - 36. The computer program product of claim 29, wherein the data list is a linked list.
  - 37. The computer program product of claim 29, wherein the data list is a hash table.
  - 38. The computer program product of claim 29, wherein the data list is a tree
  - 39. The computer program product of claim 29, wherein instructions for evaluating the data list cause the data processing apparatus to evaluate the data list after a plurality of log records have been added to the data list.
  - 40. The computer program product of claim 29, wherein instructions for evaluating the data list cause the data processing apparatus to evaluate the data list after each log record is added to the data list.
  - 41. The computer program product of claim 29, wherein instructions for evaluating the hash table using the hash key cause the data processing apparatus to process a second hash table.
  - 42. The computer program product of claim 41, wherein instructions for processing a second hash table cause the data processing apparatus to:
    - use the matching hash table entry to retrieve a second hash table;
      
      use the hash key to evaluate the second hash table;
      
      if there is no matching second hash table entry, add a new entry to the second hash table;
      
      if there is a matching second hash table entry, retrieve a second data list associated with the second hash table entry;
      
      compare the data value with entries in the second data list to determine if there are any matching entries;
      
      insert the data value in the second data list if there are no matching entries; and
      
      evaluate the second data list based on predetermined criteria to detect attempted security breaches.

43. A computer program product, tangibly embodied in an information carrier, for inspecting a log of security records in a computer network, the computer program product comprising instructions operable to cause data processing apparatus to:
- retrieve a log record;
  
  hash one or more fields of the log record to generate a hash key;
  
  evaluate a hash table using the hash key;
  
  if there is no matching hash table entry, add a new entry to the hash table;
  
  if there is a matching hash table entry, retrieve a data list associated with the hash table entry;
  
  use one or more fields of the log record to compute a data value to be inserted into the data list;
  
  evaluate the data list to determine the uniqueness of the data value; and
  
  insert the data value in the data list if the data value is unique.

44. A computer program product, tangibly embodied in an information carrier, for detecting a port scan, the computer program product comprising instructions operable to cause data processing apparatus to:
- retrieve a log record including a source address and a destination address;
  
  hash the source address and the destination address to generate a hash key;
  
  evaluate a hash table using the hash key;
  
  if there is a matching hash table entry, retrieve a data list associated with the hash table entry;
  
  compare the destination port with the entries in the data list to determine if there are any matching entries;
  
  insert the destination port into the data list if there are no matching entries; and
  
  determine a port scan if the number of items in the data list exceeds a predetermined number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zuk, Nir

Granted Patent

US 7,325,002 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Y10S 707/99943 Generating database or data...

Attack database structure

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Attack database structure

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links