System and Method for Storing Events to Enhance Intrusion Detection
Abstract
Storing events to enhance intrusion detection in networks is described. In one exemplary implementation, an event is received. The event includes a data section containing a set of strings each having an event field. A definition table is referenced to determine locations of event fields in the data section of the event. The event fields are stored in a database record corresponding to event field locations referenced from the definition table.
15 Claims
1. A method comprising:
   receiving an event, the event comprising a data section containing a set of strings each containing an event field;
   referencing a definition table to determine locations of event fields in the data section of the event; and
   storing the event fields in a database record corresponding to event field locations referenced from the definition table.
   (Dependent claims 2, 3, 4, 5, 6 and 7 not reproduced.)
8. A method comprising:
   receiving an event that contains, respectively, an event identification indicating a select one of a plurality of different types of events and one or more sets of strings with each string containing an event field;
   identifying the event indication in the event;
   locating an entry in a definition table corresponding to the event identification of the received event;
   from the located entry of the event in the definition table, the located entry containing locations of types of event fields for the event, using the definition table as a reference to locate event fields in the received event; and
   for the received event, storing the located event fields in records of an event database corresponding to the types of event fields.
   (Dependent claims 9, 10, 11, 12 and 13 not reproduced.)
14. One or more computer-readable media comprising computer executable instructions that, when executed, direct a computer to:
   generate events that contain, respectively, an event identification and one or more event descriptions, the event descriptions containing one or more values in event fields, store the events in a log when a security sensitive event is performed; and
   store the events in a database in a manner to enable values in the event fields to be independently searched through the use of an event definition table containing mappings of the event descriptions for each event identification, the mappings including the locations of one or more values in the event fields contained within the event descriptions.
   (Dependent claim 15 not reproduced.)
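The definition-table lookup described in the abstract and in claims 1, 8 and 14, as an added illustration that is not part of the patent text: the definition table, event identifications, field names and sample events below are constructed for this example, and SQLite stands in for the event database so that a single field can be searched independently across event types.

```python
import sqlite3

# Constructed definition table (hypothetical): event identification -> the
# position of each named event field within the event's set of strings.
DEFINITION_TABLE = {
    "LOGON_FAILURE": {"username": 0, "src_ip": 1, "reason": 2},
    "FILE_ACCESS":   {"username": 0, "action": 1, "path": 2},
}

# Constructed sample events: (event identification, data section as strings).
SAMPLE_EVENTS = [
    ("LOGON_FAILURE", ["alice", "10.0.0.5", "bad password"]),
    ("FILE_ACCESS",   ["bob", "read", "/etc/shadow"]),
    ("LOGON_FAILURE", ["alice", "10.0.0.9", "account locked"]),
]


def locate_fields(event_id, strings):
    """Use the definition table entry for this event to pull named fields
    out of the data section; reject unknown or truncated events."""
    if event_id not in DEFINITION_TABLE:
        raise ValueError(f"no definition-table entry for event {event_id!r}")
    layout = DEFINITION_TABLE[event_id]
    if max(layout.values()) >= len(strings):
        raise ValueError(f"event {event_id!r} is shorter than its definition")
    return {name: strings[pos] for name, pos in layout.items()}


def open_event_db():
    """Create an in-memory event database with one column per known field."""
    columns = sorted({f for layout in DEFINITION_TABLE.values() for f in layout})
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (event_id TEXT, "
               + ", ".join(c + " TEXT" for c in columns) + ")")
    return db, columns


def store_events(db, columns, events):
    """Store each event's located fields in a record keyed by field name."""
    sql = ("INSERT INTO events (event_id, " + ", ".join(columns) + ") VALUES ("
           + ", ".join("?" for _ in range(len(columns) + 1)) + ")")
    for event_id, strings in events:
        fields = locate_fields(event_id, strings)
        db.execute(sql, [event_id] + [fields.get(c) for c in columns])
    db.commit()


def events_for_user(db, username):
    """Search one field independently of event type, in insertion order."""
    rows = db.execute("SELECT event_id FROM events WHERE username = ? "
                      "ORDER BY rowid", (username,))
    return [r[0] for r in rows]
```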