DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS
Abstract
Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record and processing it: deriving a key to a table, determining a data value from information in the log record, and adding the data value to the list of data values associated with the key if it is not already in that list. One or more entries of the table are then evaluated against predetermined criteria to detect attempted security breaches.
65 Claims
1-44. (canceled)
45. A network device including an interface to receive a log of security records from a plurality of network security devices in a computer network, the network device comprising:

a processing engine to:
  process a log record, including deriving a key to a table and tagging the key with a time stamp, and
  determine a data value from information in the log record and add the data value, including a tag field, to a list of data values associated with the key if the data value is not already in the list of data values, wherein the time stamp and the tag field differ, and the tag field indicates that the key has been modified by the addition of the data value since a prior evaluation;

a database to store the table; and

an evaluation engine to:
  retrieve ones of the entries of the table not having the tag field,
  retrieve ones of the entries of the table having the tag field,
  evaluate ones of the entries of the table having the tag field based on predetermined criteria, and
  reset the tag field of the evaluated ones of the entries to indicate that the key has been evaluated since a prior modification and to indicate the time stamp.

(Dependent claims 46 to 50 are not reproduced on this page.)
51. A network device including an interface to receive a log of security records from a plurality of network security devices in a computer network, the network device comprising:

a processing engine to generate a hash key based on one or more fields of a log record;

a database to store a plurality of hash tables; and

an evaluation engine to:
  evaluate one of the stored hash tables using the hash key, and
  add a new entry to the evaluated hash table if no hash table entry matches the hash key, or retrieve a data list associated with the hash table entry if the hash table entry matches the hash key;

the processing engine being further configured to:
  compute a data value based on the one or more fields of the log record,
  compare the data value with entries in the data list to identify matching entries, and
  insert the data value into the data list when no matching entries are identified, wherein the data value includes a tag field and a time stamp that differ, the tag field indicating that the hash key has been modified by the insertion of the data value since a prior evaluation; and

the evaluation engine being further configured to:
  retrieve ones of the entries of the hash table that do not have the tag field,
  retrieve ones of the entries of the hash table that have the tag field,
  evaluate the data list based on predetermined criteria to detect attempted security breaches,
  reset the tag field to indicate that the hash key has been evaluated since a prior modification, and
  update the time stamp.

(Dependent claims 52 to 64 are not reproduced on this page.)
65. A system comprising:

means for receiving a log of security records from a plurality of network security devices in a computer network;

means for processing, including:
  means for processing a log record to derive a key to a table and tag the key with a time stamp, and
  means for determining a data value from information in the log record and adding the data value, including a tag field, to a list of data values associated with the key if the data value is not already in the list of data values, wherein the time stamp and the tag field differ, and the tag field indicates that the key has been modified by the addition of the data value since a prior evaluation;

means for storing the table; and

means for evaluating, including:
  means for retrieving ones of the entries of the table not having the tag field,
  means for retrieving ones of the entries of the table having the tag field,
  means for evaluating ones of the entries of the table having the tag field based on predetermined criteria, and
  means for resetting the tag field of the evaluated ones of the entries to indicate that the key has been evaluated since a prior modification and to indicate the time stamp.
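The abstract and claims 45, 51 and 65 above describe one data structure and two engines: a processing engine that hashes selected fields of each log record into a table key, keeps a list of unique data values per key, and marks the key with a tag field (modified since last evaluation) plus a time stamp; and an evaluation engine that separates tagged from untagged entries, applies predetermined criteria only to the tagged ones, then clears the tag and updates the time stamp. The following Python is an added worked example of that scheme, not code from the patent or its assignee. The firewall-style log lines are constructed sample input, the key field (source address), the data value (destination port) and the detection criterion (a source denied on PORT_SCAN_THRESHOLD or more distinct ports is reported as a possible port scan) are assumptions chosen for illustration; the patent leaves the "predetermined criteria" unspecified.

```python
"""Incremental log-table inspection in the style of the claims (illustrative example)."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample firewall log (not from the patent). Two devices, one noisy source.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw1 DENY src=10.0.0.5 dst=192.168.1.10 dport=22 proto=tcp
2024-05-01T10:00:01Z fw1 DENY src=10.0.0.5 dst=192.168.1.10 dport=23 proto=tcp
2024-05-01T10:00:02Z fw1 DENY src=10.0.0.5 dst=192.168.1.10 dport=25 proto=tcp
2024-05-01T10:00:02Z fw1 DENY src=10.0.0.5 dst=192.168.1.10 dport=80 proto=tcp
2024-05-01T10:00:03Z fw2 DENY src=10.0.0.5 dst=192.168.1.10 dport=443 proto=tcp
2024-05-01T10:00:03Z fw2 DENY src=10.0.0.5 dst=192.168.1.10 dport=22 proto=tcp
2024-05-01T10:00:04Z fw1 ALLOW src=10.0.0.7 dst=192.168.1.20 dport=443 proto=tcp
2024-05-01T10:00:05Z fw1 ALLOW src=10.0.0.7 dst=192.168.1.20 dport=443 proto=tcp
"""

PORT_SCAN_THRESHOLD = 4  # assumed criterion: distinct denied dports per source


def parse_record(line):
    """Split one 'timestamp device action k=v k=v ...' line into a dict."""
    ts, device, action, *pairs = line.split()
    rec = {"ts": ts, "device": device, "action": action}
    for item in pairs:
        k, _, v = item.partition("=")
        rec[k] = v
    return rec


@dataclass
class Entry:
    key_fields: tuple                          # raw fields the hash key was derived from
    values: list = field(default_factory=list)  # unique data values for this key
    modified: bool = False                     # tag field: changed since last evaluation
    time_stamp: str = ""                       # last modification or evaluation time


class LogTable:
    """One hash table: key derived from key_fields, data values from value_fields."""

    def __init__(self, key_fields, value_fields):
        self.key_fields = key_fields
        self.value_fields = value_fields
        self.entries = {}

    @staticmethod
    def hash_key(parts):
        return hashlib.sha256("|".join(parts).encode()).hexdigest()

    def process(self, rec):
        """Processing engine: derive the key, add the value only if new, set the tag."""
        key_parts = tuple(rec[f] for f in self.key_fields)
        key = self.hash_key(key_parts)
        entry = self.entries.get(key)
        if entry is None:                       # no entry matches the hash key
            entry = self.entries[key] = Entry(key_parts)
        value = tuple(rec[f] for f in self.value_fields)
        if value not in entry.values:           # duplicates do not modify the key
            entry.values.append(value)
            entry.modified = True               # tag: modified since prior evaluation
            entry.time_stamp = rec["ts"]        # time stamp is separate from the tag
        return key

    def evaluate(self, criterion, now):
        """Evaluation engine: re-check only tagged entries, then clear tag, stamp time."""
        unchanged = [e for e in self.entries.values() if not e.modified]
        changed = [e for e in self.entries.values() if e.modified]
        alerts = []
        for entry in changed:
            verdict = criterion(entry)
            if verdict:
                alerts.append(verdict)
            entry.modified = False              # evaluated since prior modification
            entry.time_stamp = now
        return alerts, len(unchanged), len(changed)


def port_scan_criterion(entry):
    """Assumed predetermined criterion: many distinct denied ports from one source."""
    if len(entry.values) >= PORT_SCAN_THRESHOLD:
        (src,) = entry.key_fields
        ports = sorted(int(p) for (p,) in entry.values)
        return f"possible port scan from {src}: {len(ports)} distinct ports {ports}"
    return None


def run(log_text, now="2024-05-01T10:01:00Z"):
    """Feed DENY records into a src -> dport table and run one evaluation pass."""
    src_ports = LogTable(key_fields=("src",), value_fields=("dport",))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["action"] == "DENY":
            src_ports.process(rec)
    alerts, n_unchanged, n_changed = src_ports.evaluate(port_scan_criterion, now)
    return {"alerts": alerts, "unchanged": n_unchanged,
            "changed": n_changed, "table": src_ports}


if __name__ == "__main__":
    result = run(SAMPLE_LOG)
    for a in result["alerts"]:
        print(a)
    # A second pass with no new records finds nothing tagged, so nothing is re-evaluated.
    print(result["table"].evaluate(port_scan_criterion, "2024-05-01T10:02:00Z"))
```

The point of the tag field is the second pass: once an entry has been evaluated, it is skipped until a genuinely new data value arrives, so repeated identical records (the duplicate port 22 above) cost a list lookup but never trigger re-evaluation. In a production system the list per key would be bounded or aged by the time stamp, otherwise an attacker who can generate unlimited unique values inflates the table.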