System and Method for Storing Events to Enhance Intrusion Detection

US 20060101101A1
Filed: 01/03/2006
Published: 05/11/2006
Est. Priority Date: 02/13/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an event, the event comprising a data section containing a set of strings each containing an event field;

referencing a definition table to determine locations of event fields in the data section of the event; and

storing the event fields in a database record corresponding to event field locations referenced from the definition table.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Storing events to enhance intrusion detection in networks is described. In one exemplary implementation, an event is received. The event includes a data section containing a set of strings each having an event field. A definition table is referenced to determine locations of event fields in the data section of the event. The event fields are stored in a database record corresponding to event field locations referenced from the definition table.

Citations

15 Claims

1. A method comprising:
- receiving an event, the event comprising a data section containing a set of strings each containing an event field;
  
  referencing a definition table to determine locations of event fields in the data section of the event; and
  
  storing the event fields in a database record corresponding to event field locations referenced from the definition table.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, wherein the event fields are in the form of a data value.
  - 3. The method as recited in claim 1, further comprising generating the definition table by:
    - selecting one or more specific types of event fields from an event schema;
      
      ascertaining locations of the specific types of event fields in the event schema; and
      
      storing the locations of the specific types of event fields in the definition table.
  - 4. The method as recited in claim 1, wherein a portion of the set of strings pertains to a security sensitive transaction.
  - 5. The method as recited in claim 1, wherein the event is received from an event log.
  - 6. The method as recited in claim 1, wherein the event further comprises an event header section that includes an event identification indicating a select one of a plurality of different types of events.
  - 7. One or more computer-readable media comprising computer-executable instructions that, when executed, perform the method as recited in claim 1.

8. A method comprising:
- receiving an event that contains, respectively, an event identification indicating a select one of a plurality of different types of events and one or more sets of strings with each string containing an event field;
  
  identifying the event indication in the event;
  
  locating an entry in a definition table corresponding to the event identification of the received event;
  
  from the located entry of the event in the definition table, the located entry containing locations of types of event fields for the event, using the definition table as a reference to locate event fields in the received event; and
  
  for the received event, storing the located event fields in records of an event database corresponding to the types of event fields.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method as recited in claim 8, wherein the values in the event fields are in the form of a data value.
  - 10. The method as recited in claim 8, further comprising:
    - generating the definition table by;
      
      selecting one or more specific types of event fields from an event schema;
      
      ascertaining locations of the specific types of event fields in the event schema; and
      
      storing the locations of the specific types of event fields in the definition table.
  - 11. The method as recited in claim 8, wherein a portion of the set of strings pertains to a security sensitive transaction.
  - 12. The method as recited in claim 8, wherein the event is received from a security log.
  - 13. One or more computer-readable media comprising computer-executable instructions that, when executed, perform the method as recited in claim 8.

14. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computer to:
- generate events that contain, respectively, an event identification and one or more event descriptions, the event descriptions containing one or more values in event fields, store the events in a log when a security sensitive event is performed; and
  
  store the events in a database in a manner to enable values in the event fields to be independently searched through the use of an event definition table containing mappings of the event descriptions for each event identification, the mappings including the locations of one or more values in the event fields contained within the event descriptions.
- View Dependent Claims (15)
- - 15. One or more computer-readable media as recited in claim 14, further comprising computer executable instructions that, when executed, direct the computer to generate the event definition table by:
    - selecting one or more value types from the event;
      
      ascertaining locations of the values in the event fields in the event that correspond to the one or more selected value types; and
      
      storing the location of the values in the event fields in fields of the definition table that corresponding to the one or more selected value types.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Pandit, Bhalchandra S., Aigner, Maximilian

Granted Patent

US 7,257,719 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 41/069   using logs of notifications...

H04L 63/1425   Traffic logging, e.g. anoma...

System and Method for Storing Events to Enhance Intrusion Detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Storing Events to Enhance Intrusion Detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links