Tracking Changing State Data to Assist in Computer Network Security

US 20080104046A1
Filed: 10/24/2007
Published: 05/01/2008
Est. Priority Date: 10/25/2006
Status: Active Grant

First Claim

Patent Images

1. A method for maintaining state information using a session table, the session table comprising one or more session records, a session record comprising one or more key fields and one or more timestamp fields and one or more value fields, the method comprising:

identifying a security event, wherein the security event comprises a timestamp and information about operation of a networked device;

determining a query key based on one or more fields of the security event;

querying the session table using the timestamp and the query key; and

returning a query result.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A session table includes one or more records, where each record represents a session. Session record information is stored in various fields, such as key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations. A session table is associated with a filter, which describes a set of keys that can be used for records in that table. A session table is populated using data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use the session information to modify a session table. A session table is partitioned so that the number of records in each session table partition is decreased. A session table is processed periodically so that active sessions are moved to the current partition.

Citations

22 Claims

1. A method for maintaining state information using a session table, the session table comprising one or more session records, a session record comprising one or more key fields and one or more timestamp fields and one or more value fields, the method comprising:
- identifying a security event, wherein the security event comprises a timestamp and information about operation of a networked device;
  
  determining a query key based on one or more fields of the security event;
  
  querying the session table using the timestamp and the query key; and
  
  returning a query result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the session record includes information extracted from an event.
  - 3. The method of claim 1, wherein the one or more key fields comprise an Internet Protocol (IP) address.
  - 4. The method of claim 1, wherein the one or more value fields comprise one of a hostname and a Media Access Control (MAC) address.
  - 5. The method of claim 1, wherein the networked device comprises one of a firewall, an intrusion detection system, and a server.
  - 6. The method of claim 1, wherein the query key comprises a hashcode.
  - 7. The method of claim 1, wherein the session record comprises a first timestamp field indicating a start time and a second timestamp field indicating an end time.
  - 8. The method of claim 7, wherein the end time is implicitly determined based on a session start event.
  - 9. The method of claim 7, wherein the start time is implicitly determined based on a session termination event.
  - 10. The method of claim 7, wherein querying the session table using the timestamp and the query key comprises determining a session record whose start time is earlier than the timestamp and whose end time is later than the timestamp.
  - 11. The method of claim 1, wherein querying the session table using the timestamp and the query key comprises testing the query key against a filter associated with the session table.
  - 12. The method of claim 1, wherein querying the session table using the timestamp and the query key comprises waiting a minimum amount of time.
  - 13. The method of claim 1, wherein querying the session table using the timestamp and the query key comprises waiting a maximum amount of time.
  - 14. The method of claim 1, wherein the session record comprises a timestamp field indicating a creation time of the session record.
  - 15. The method of claim 1, wherein the session table is partitioned.
  - 16. The method of claim 15, wherein querying the session table using the timestamp and the query key comprises querying a partition of the session table using the timestamp and the query key.
  - 17. The method of claim 15, wherein a session record that describes a session that extends across a partition boundary is divided into multiple session records.
  - 18. The method of claim 17, wherein each record of the multiple session records includes an annotation to indicate that the record is part of a larger session.
  - 19. The method of claim 18, wherein the annotation comprises one of a flag and a timestamp indicating an overall-session start time.
  - 20. The method of claim 1, wherein the session table is partitioned by session start time, and wherein querying the session table using the timestamp and the query key comprises:
    - determining a partition of the session table based on the timestamp; and
      
      querying the determined partition using the timestamp and the query key.

21. A computer program product for maintaining state information using a session table, the session table comprising one or more session records, a session record comprising one or more key fields and one or more timestamp fields and one or more value fields, the computer program product comprising a computer-readable medium containing computer program code for performing a method, the method comprising:
- identifying a security event, wherein the security event comprises a timestamp and information about operation of a networked device;
  
  determining a query key based on one or more fields of the security event;
  
  querying the session table using the timestamp and the query key; and
  
  returning a query result.

22. An apparatus for maintaining state information using a session table, the session table comprising one or more session records, a session record comprising one or more key fields and one or more timestamp fields and one or more value fields, the apparatus comprising:
- a security event module configured to identify a security event, wherein the security event comprises a timestamp and information about operation of a networked device;
  
  a query key module configured to determine a query key based on one or more fields of the security event;
  
  a querying module configured to query the session table using the timestamp and the query key; and
  
  a result module configured to return q query result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Singla, Anurag, Tidwell, Kenny, Saurabh, Kumar

Granted Patent

US 9,824,107 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/4
CPC Class Codes

G06F 16/2264   Multidimensional index stru...

G06F 16/24557   Efficient disk access durin...

G06F 16/2477   Temporal data queries

H04L 61/35   involving non-standard use ...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

H04L 67/142   Managing session states for...

Tracking Changing State Data to Assist in Computer Network Security

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Tracking Changing State Data to Assist in Computer Network Security

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links