Tracking Changing State Data to Assist in Computer Network Security
Abstract
A session table includes one or more records, where each record represents a session. Session record information is stored in various fields, such as key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations. A session table is associated with a filter, which describes a set of keys that can be used for records in that table. A session table is populated using data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use the session information to modify a session table. A session table is partitioned so that the number of records in each session table partition is decreased. A session table is processed periodically so that active sessions are moved to the current partition.
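The following is an added worked example, not code from the patent or its assignee: a small Python session table built along the lines the abstract describes (key fields, value fields, start/end timestamp fields, time partitions, rules that populate the table from events, and lookups keyed by the event's own timestamp). It assumes DHCP lease events as the session source, one rule per event type, the IP address as the single key field, and one-hour partitions; the DHCP events and alerts are constructed sample data.

```python
"""Added example: a time-aware session table populated from security events."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SessionRecord:
    key: tuple            # key fields, e.g. (ip_address,)
    start: int            # timestamp field: session start (epoch seconds)
    end: Optional[int]    # timestamp field: None while the session is still active
    value: dict           # value fields, e.g. {"host": "laptop-7"}


class SessionTable:
    """Records keyed by a fixed tuple of key fields (the table's filter) and
    bounded by start/end timestamps. Records are stored in time partitions so
    a lookup only scans a slice of the table."""

    def __init__(self, key_fields, partition_seconds=3600):
        self.key_fields = tuple(key_fields)
        self.partition_seconds = partition_seconds
        self.partitions = {}   # partition id -> list[SessionRecord]
        self.active = {}       # key -> record currently open for that key

    def _pid(self, ts):
        return ts // self.partition_seconds

    def open_session(self, key, ts, value):
        if len(key) != len(self.key_fields):
            raise ValueError("key does not match the table filter")
        # A new session for a key implicitly ends the previous one (IP re-leased).
        self.close_session(key, ts)
        rec = SessionRecord(tuple(key), ts, None, dict(value))
        self.active[rec.key] = rec
        self.partitions.setdefault(self._pid(ts), []).append(rec)
        return rec

    def close_session(self, key, ts):
        rec = self.active.pop(tuple(key), None)
        if rec is not None:
            rec.end = ts
        return rec

    def rollover(self, now):
        """Periodic processing: copy every still-active record into the current
        partition so queries near 'now' find it without walking older partitions."""
        current = self.partitions.setdefault(self._pid(now), [])
        for rec in self.active.values():
            if not any(r is rec for r in current):
                current.append(rec)

    def query(self, key, ts):
        """Value fields of the session that held 'key' at time 'ts', or None.
        Scans the partition containing ts, then older ones; after rollover the
        first partition scanned normally suffices for recent timestamps."""
        key = tuple(key)
        for pid in sorted((p for p in self.partitions if p <= self._pid(ts)), reverse=True):
            for rec in self.partitions[pid]:
                if rec.key == key and rec.start <= ts and (rec.end is None or ts < rec.end):
                    return rec.value
        return None


def apply_event(table, event):
    """Constructed rule set: lease events open a session keyed by IP, release
    events close it. Returns True when the event modified the table."""
    if event["type"] == "dhcp_lease":
        table.open_session((event["ip"],), event["ts"], {"host": event["host"]})
        return True
    if event["type"] == "dhcp_release":
        table.close_session((event["ip"],), event["ts"])
        return True
    return False


def enrich_alert(table, alert):
    """Query key comes from the alert's src_ip; the lookup uses the alert's own
    timestamp, not wall-clock time, so an old alert maps to the host that held
    the IP back then."""
    found = table.query((alert["src_ip"],), alert["ts"])
    return {**alert, "src_host": found["host"] if found else None}


# Constructed sample: DHCP server events, already normalised into dicts.
EVENTS = [
    {"type": "dhcp_lease",   "ts": 1000, "ip": "10.0.0.5", "host": "laptop-7"},
    {"type": "dhcp_release", "ts": 5000, "ip": "10.0.0.5"},
    {"type": "dhcp_lease",   "ts": 5200, "ip": "10.0.0.5", "host": "printer-2"},
]


def build_table(events, partition_seconds=3600):
    table = SessionTable(key_fields=("ip",), partition_seconds=partition_seconds)
    for ev in sorted(events, key=lambda e: e["ts"]):
        apply_event(table, ev)
    return table


def demo():
    table = build_table(EVENTS)
    table.rollover(now=9000)   # active lease is copied into partition 2
    alerts = [  # constructed IDS alerts, all naming the same source IP
        {"type": "ids_alert", "ts": 3000, "src_ip": "10.0.0.5", "sig": "port-scan"},
        {"type": "ids_alert", "ts": 5100, "src_ip": "10.0.0.5", "sig": "port-scan"},
        {"type": "ids_alert", "ts": 9000, "src_ip": "10.0.0.5", "sig": "port-scan"},
        {"type": "ids_alert", "ts": 9000, "src_ip": "10.0.0.9", "sig": "port-scan"},
    ]
    return [enrich_alert(table, a)["src_host"] for a in alerts]


if __name__ == "__main__":
    print(demo())   # ['laptop-7', None, 'printer-2', None]
```

The second alert falls in the gap between the release and the next lease, so the lookup deliberately returns no host rather than the nearest one; an analyst attributing that alert needs to know the IP was unassigned at that moment. The rollover step is what keeps the partition walk short in a long-running deployment: without it, a lease granted days ago would only be found by scanning back through every partition since.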
22 Claims
1. A method for maintaining state information using a session table, the session table comprising one or more session records, a session record comprising one or more key fields and one or more timestamp fields and one or more value fields, the method comprising:
identifying a security event, wherein the security event comprises a timestamp and information about operation of a networked device;
determining a query key based on one or more fields of the security event;
querying the session table using the timestamp and the query key; and
returning a query result.
(Dependent claims 2 through 20 are not reproduced here.)
21. A computer program product for maintaining state information using a session table, the session table comprising one or more session records, a session record comprising one or more key fields and one or more timestamp fields and one or more value fields, the computer program product comprising a computer-readable medium containing computer program code for performing a method, the method comprising:
identifying a security event, wherein the security event comprises a timestamp and information about operation of a networked device;
determining a query key based on one or more fields of the security event;
querying the session table using the timestamp and the query key; and
returning a query result.
22. An apparatus for maintaining state information using a session table, the session table comprising one or more session records, a session record comprising one or more key fields and one or more timestamp fields and one or more value fields, the apparatus comprising:
a security event module configured to identify a security event, wherein the security event comprises a timestamp and information about operation of a networked device;
a query key module configured to determine a query key based on one or more fields of the security event;
a querying module configured to query the session table using the timestamp and the query key; and
a result module configured to return a query result.