DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS

US 20110185426A1
Filed: 01/26/2011
Published: 07/28/2011
Est. Priority Date: 04/04/2003
Status: Active Grant

First Claim

Patent Images

1-44. -44. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.

Citations

64 Claims

1-44. -44. (canceled)

45. A system comprising:
- a network device to;
  
  retrieve each of a plurality of entries of a table structure,identify, based on a tag of each of the plurality of entries, a modified entry, of the plurality of entries, where the modified entry includes a data value that has been associated with the modified entry subsequent to a prior evaluation of the table structure,evaluate data values associated with the modified entry to detect an attempted security breach, andmodify, upon completion of the evaluation, the tag of the modified entry to cause the modified entry to no longer be identified as a modified entry.
- View Dependent Claims (46, 47, 48, 49, 50, 51)
- - 46. The system of claim 45, where the network device is further to:
    - generate, based on one or more fields of a log record, a value,identify, based on the value, a first entry, of the plurality of entries, of the table structure,associate, when the value does not match another value of a list of values associated with the first entry the value with the list of values, andinsert the tag into the first entry to form the modified entry.
  - 47. The system of claim 46, where the network device is further to:
    - receive, from at least a first security device, a plurality of log records, where the plurality of log records includes the log record,process each of the plurality of log records, upon being received, to generate a data value corresponding to each of the plurality of log records.
  - 48. The system of claim 46, where the network device is further to:
    - receive, from at least a first security device, a record of logs, where the record of logs identifies a plurality of individual log records, including the log record,retrieve, in response to receiving the record of logs, each of the plurality of individual log records, andprocess each of the plurality of individual log records to generate a data value corresponding to each of the individual log records.
  - 49. The system of claim 45, where, when modifying the tag field, the network device is to:
    - remove the tag from the first entry.
  - 50. The system of claim 45, where the tag identifies the modified entry as having been modified during a predetermined period.
  - 51. The system of claim 50, where the predetermined period comprises a period defined by consecutive evaluations of the data structure.

52. A method comprising:
- generating, by a network device and based on at least one field of a log record, a key;
  
  evaluating, by the network device, a data structure to identify an entry corresponding to the generated key;
  
  retrieving, by the network device, a data list associated with the identified entry;
  
  comparing, by the network device, the data list to a value, where the value is generated using one or more fields of the log record;
  
  determining, by the network device, whether the data list includes a list entry that matches the value;
  
  inserting, by the network device and when the data list does not include the list entry that matches the value, the value into the data list;
  
  tagging, by the network device and when the data list does not include the list entry that matches the value, the entry in the data structure with a time stamp corresponding to the tagging;
  
  determining, by the network device and based on the tagging, whether each entry of the data structure is expired;
  
  deleting, by the network device, each expired entry of the data structure;
  
  evaluating, by the network device, each data list associated with each unexpired entry of the data structure to detect an attempted security breach; and
  
  generating, by the network device, a response to the identified attempted security intrusion.
- View Dependent Claims (53, 54, 55)
- - 53. The method of claim 52, where inserting the value further comprises:
    - inserting a tag into the entry in the data structure where the tag indicates that the data list associated with the entry in the data structure has been modified during a predetermined period, andwhere evaluating each data list associated with each unexpired entry further comprises;
      
      determining whether each unexpired entry includes the tag; and
      
      evaluating each data list associated with each unexpired entry of the data structure that includes the tag to detect an attempted security breach.
  - 54. The method of claim 53, where inserting the value further comprises:
    - inserting a time stamp into the entry in the data structure, where the time stamp is different than the tag.
  - 55. The method of claim 53, where evaluating each data list associated with each unexpired entry further comprises:
    - removing, upon evaluating the data list, the tag from the associated entry in the data structure.

56. A method comprising:
- generating, by the network device and based on at least a first field of a log record associated with a network event, a data value;
  
  identifying, by the network device and based on the generated data value, a first entry in a table structure;
  
  comparing, by the network device, the data value to other data values, associated with the first entry in the table structure, to identify a matching data value corresponding to the data value;
  
  associating, by the network device and only when the generated data value does not match a data value in the other data values, the generated data value and a tag with the first entry in the table structure, the tag indicating that the first entry has been modified in the table structure;
  
  identifying, by the network device and based on the tag being associated with the first entry in the table structure, the first entry in the table structure as having been modified;
  
  evaluating, by the network device and based on identifying the first entry in the table structure as having been modified, the first entry in the table structure to detect an attempted security breach; and
  
  disassociating, by the network device and upon completion of the evaluation, the first entry in the table structure from the tag.
- View Dependent Claims (57, 58, 59, 60, 61, 62, 63, 64)
- - 57. The method of claim 56, where the identifying the first entry further comprises:
    - determining, based on the tag, the first entry in the table structure as having been modified during a predetermined period.
  - 58. The method of claim 57, where the predetermined period comprises a period defined by consecutive evaluations of the table structure.
  - 59. The method of claim 56, where associating the data value and the tag further comprises:
    - inserting a time stamp into the data value, where the time stamp is different than the tag.
  - 60. The method of claim 56, where the table structure comprises a plurality of entries, including the first entry, andwhere the identifying the first entry in the table structure as having been modified further comprises:
    - retrieving each of the plurality of entries;
      
      determining whether each of the plurality of entries is associated with a tag;
      
      evaluating, based on predetermined criteria, each of the plurality of entries determined to be associated with the tag to detect the attempted security breach; and
      
      disassociating, upon completion of the evaluation, the tag from each of the plurality of entries determined to be associated with the tag.
  - 61. The method of claim 56, where associating the tag with the first entry in the table structure comprises:
    - inserting a tag into the first entry in the table structure.
  - 62. The method of claim 61, where disassociating the first entry in the table structure comprises:
    - removing the tag from the first entry in the table structure.
  - 63. The method of claim 56, further comprising:
    - receiving a plurality of individual log records, including the log record, upon each of the plurality of individual log records being generated; and
      
      processing each of the plurality of individual log records, upon being received, to generate the data value.
  - 64. The method of claim 56, further comprising:
    - receiving a record of logs, where the record of logs identifies a plurality of individual log records, including the log record; and
      
      retrieving, based on the record of logs, the log record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
ZUK, Nir

Granted Patent

US 8,326,881 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Y10S 707/99943 Generating database or data...

DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

64 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

64 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links