DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS
Abstract
Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.
64 Claims
1-44. (canceled)
45. A system comprising:
    a network device to:
        retrieve each of a plurality of entries of a table structure,
        identify, based on a tag of each of the plurality of entries, a modified entry, of the plurality of entries, where the modified entry includes a data value that has been associated with the modified entry subsequent to a prior evaluation of the table structure,
        evaluate data values associated with the modified entry to detect an attempted security breach, and
        modify, upon completion of the evaluation, the tag of the modified entry to cause the modified entry to no longer be identified as a modified entry.
Dependent claims: 46, 47, 48, 49, 50, 51.
52. A method comprising:
    generating, by a network device and based on at least one field of a log record, a key;
    evaluating, by the network device, a data structure to identify an entry corresponding to the generated key;
    retrieving, by the network device, a data list associated with the identified entry;
    comparing, by the network device, the data list to a value, where the value is generated using one or more fields of the log record;
    determining, by the network device, whether the data list includes a list entry that matches the value;
    inserting, by the network device and when the data list does not include the list entry that matches the value, the value into the data list;
    tagging, by the network device and when the data list does not include the list entry that matches the value, the entry in the data structure with a time stamp corresponding to the tagging;
    determining, by the network device and based on the tagging, whether each entry of the data structure is expired;
    deleting, by the network device, each expired entry of the data structure;
    evaluating, by the network device, each data list associated with each unexpired entry of the data structure to detect an attempted security breach; and
    generating, by the network device, a response to the detected attempted security breach.
Dependent claims: 53, 54, 55.
56. A method comprising:
    generating, by a network device and based on at least a first field of a log record associated with a network event, a data value;
    identifying, by the network device and based on the generated data value, a first entry in a table structure;
    comparing, by the network device, the data value to other data values, associated with the first entry in the table structure, to identify a matching data value corresponding to the data value;
    associating, by the network device and only when the generated data value does not match a data value in the other data values, the generated data value and a tag with the first entry in the table structure, the tag indicating that the first entry has been modified in the table structure;
    identifying, by the network device and based on the tag being associated with the first entry in the table structure, the first entry in the table structure as having been modified;
    evaluating, by the network device and based on identifying the first entry in the table structure as having been modified, the first entry in the table structure to detect an attempted security breach; and
    disassociating, by the network device and upon completion of the evaluation, the first entry in the table structure from the tag.
Dependent claims: 57, 58, 59, 60, 61, 62, 63, 64.
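The abstract and independent claims 45, 52 and 56 describe one data structure: a table keyed on a value derived from the log record, each entry holding the list of unique data values seen for that key, a "modified" tag set when a new value is inserted and cleared after evaluation, and a time stamp used to expire stale entries. The following is an added illustration written for this page, not code from the patent or its assignee. The choice of key (source address, destination address), data value (destination port), the 60-second expiry window, the "five or more distinct ports" criterion and the sample log lines are all assumptions made for the example; the patent only says entries are evaluated "based on predetermined criteria".

```python
"""Added example (not from the patent): a small model of the keyed log table,
modified tag, time-stamp expiry and tag-gated evaluation the claims describe.
Key, data value, window, threshold and the log lines are illustrative assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample firewall log lines (not from the patent).
# Fields: time stamp, source, destination, destination port, action.
SAMPLE_LOG = [
    "1000 src=10.0.0.5 dst=192.0.2.10 dport=22 action=deny",
    "1001 src=10.0.0.5 dst=192.0.2.10 dport=23 action=deny",
    "1002 src=10.0.0.5 dst=192.0.2.10 dport=80 action=deny",
    "1002 src=10.0.0.5 dst=192.0.2.10 dport=80 action=deny",   # exact duplicate
    "1003 src=10.0.0.5 dst=192.0.2.10 dport=443 action=deny",
    "1004 src=10.0.0.5 dst=192.0.2.10 dport=445 action=deny",
    "1005 src=10.0.0.7 dst=192.0.2.10 dport=443 action=allow",
    "1200 src=10.0.0.9 dst=192.0.2.11 dport=22 action=allow",   # much later
]

LINE_RE = re.compile(
    r"^(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_record(line: str) -> dict | None:
    """Parse one log line into a record; None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


@dataclass
class Entry:
    values: list[str] = field(default_factory=list)  # unique data values for this key
    modified: bool = False  # the tag: a value was added since the last evaluation
    stamp: int = 0          # time stamp of the last insertion, used for expiry


class LogTable:
    def __init__(self, window: int, threshold: int) -> None:
        self.window = window        # assumption: seconds an entry may idle before expiry
        self.threshold = threshold  # assumption: distinct ports that count as suspicious
        self.table: dict[tuple[str, str], Entry] = {}
        self.now = 0                # latest time stamp seen (stands in for the clock)

    def add_record(self, rec: dict) -> bool:
        """Key = (src, dst); data value = dport. Returns True if the value was new."""
        self.now = max(self.now, rec["ts"])
        key = (rec["src"], rec["dst"])
        value = rec["dport"]
        entry = self.table.setdefault(key, Entry())
        if value in entry.values:
            return False            # duplicate: no insert, no tag, no new time stamp
        entry.values.append(value)
        entry.modified = True
        entry.stamp = rec["ts"]
        return True

    def expire(self) -> list[tuple[str, str]]:
        """Delete entries whose last insertion is older than the window."""
        expired = [k for k, e in self.table.items() if self.now - e.stamp > self.window]
        for k in expired:
            del self.table[k]
        return expired

    def evaluate(self) -> list[dict]:
        """Evaluate only tagged entries, then clear their tags."""
        alerts = []
        for (src, dst), entry in self.table.items():
            if not entry.modified:
                continue            # unchanged since last pass: skip, as claims 45/56 do
            if len(entry.values) >= self.threshold:
                alerts.append({"src": src, "dst": dst,
                               "distinct_ports": len(entry.values),
                               "ports": list(entry.values)})
            entry.modified = False
        return alerts

    def process_batch(self, lines: list[str]) -> list[dict]:
        """One pass of claim 52: ingest records, expire stale entries, evaluate."""
        for line in lines:
            rec = parse_record(line)
            if rec is not None:
                self.add_record(rec)
        self.expire()
        return self.evaluate()


if __name__ == "__main__":
    t = LogTable(window=60, threshold=5)
    print(t.process_batch(SAMPLE_LOG[:7]))   # 10.0.0.5 hit 5 distinct ports
    print(t.process_batch(SAMPLE_LOG[7:]))   # earlier entries expired, nothing new
```

Two details are worth noticing. The duplicate line at time stamp 1002 neither extends the value list nor re-tags the entry, so a noisy source repeating the same event does not look like a new breach. And a second call to `evaluate()` with no new records returns nothing, because the tag was cleared on the first pass; the entry still exists, but only entries modified since the prior evaluation are re-examined, which is exactly the saving claim 45 describes.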
Specification