Network Security Monitoring and Correlation System and Method of Using Same

US 20180234310A1
Filed: 08/03/2016
Published: 08/16/2018
Est. Priority Date: 08/03/2015
Status: Active Grant

First Claim

Patent Images

1. A network visualization system, comprising:

an application server comprising a non-transitory computer readable medium having stored thereon software instructions for programming the application server to perform server operations including;

retrieving network traffic metadata and discrete data pertaining to a monitored network;

processing the network traffic metadata by normalizing the network traffic metadata and constructing a graph data structure, the graph data structure comprising;

one or more vertices representing computer hosts; and

one or more edges representing connections between two computer hosts;

processing the discrete data by adding the discrete data to the one or more edges in the graph data structure; and

a client application comprising a non-transitory computer readable medium having stored thereon software instructions for programming the application server to perform client operations including generating a three-dimensional visualization of the monitored network by parsing the graph data structure received from the server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security monitoring and correlation system for providing a three-dimensional visualization of network traffic overlaid with security alerts and other relevant discrete data. The system may comprise an application server communicably linked to a client. The server functions to retrieve network traffic metadata and relevant discrete data associated with individual computer hosts and connections in the monitored network, process the network traffic data by building a graph data structure, and then embedding within the graph data structure one or more layers of additional information about the individual computer hosts and connections derived from the discrete data. The client functions to produce a three-dimensional visualization of the network environment by parsing the graph data structure received from the server and then spawning computer hosts and connections in the 3-D environment. The client will then add the overlay information to the appropriate hosts or connections, with the overlay information preferably being represented within the 3-D environment as a particular color, shape, size, position, or a changing dynamic value.

Citations

19 Claims

1. A network visualization system, comprising:
- an application server comprising a non-transitory computer readable medium having stored thereon software instructions for programming the application server to perform server operations including;
  
  retrieving network traffic metadata and discrete data pertaining to a monitored network;
  
  processing the network traffic metadata by normalizing the network traffic metadata and constructing a graph data structure, the graph data structure comprising;
  
  one or more vertices representing computer hosts; and
  
  one or more edges representing connections between two computer hosts;
  
  processing the discrete data by adding the discrete data to the one or more edges in the graph data structure; and
  
  a client application comprising a non-transitory computer readable medium having stored thereon software instructions for programming the application server to perform client operations including generating a three-dimensional visualization of the monitored network by parsing the graph data structure received from the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The network visualization system of claim 1, wherein the process of retrieving network traffic metadata and discrete data pertaining to the monitored network includes querying a system database for network traffic metadata and discrete data collected by one or more data collectors during a snapshot timeframe.
  - 3. The network visualization system of claim 2, wherein the process of normalizing the network traffic metadata includes extracting normalized fields metadata elements from the network traffic metadata and populating an intermediary array, wherein the normalized fields metadata elements comprise a destination host identifier, a destination host port, a source host identifier, and a source host port.
  - 4. The network visualization system of claim 3, wherein the processing of the network traffic metadata further includes extracting non-normalized fields metadata elements from the network traffic metadata and populating a nested array, wherein the non-normalized fields metadata elements define network traffic additional information pertaining to the one or more vertices or the one or more edges of the graph data structure.
  - 5. The network visualization system of claim 4, wherein the processing of the network traffic metadata further includes adding the additional network traffic information to the one or more vertices or the one or more edges of the graph data structure.
  - 6. The network visualization system of claim 5, wherein the processing of the discrete data further includes extracting discrete data elements from the discrete data and populating the nested array, wherein the discrete data elements define discrete data additional information pertaining to the one or more vertices or the one or more edges of the graph data structure.
  - 7. The network visualization system of claim 6, wherein the processing of the discrete data further includes adding the discrete data additional information to the one or more vertices or the one or more edges of the graph data structure.
  - 8. The network visualization system of claim 7, wherein the process of generating the three-dimensional visualization of the monitored network includes spawning the computer hosts as a first three-dimensional object in a 3-D environment.
  - 9. The network visualization system of claim 8, wherein the process of generating the three-dimensional visualization of the monitored network further includes spawning the connections as a second three-dimensional object in the 3-D environment.
  - 10. The network visualization system of claim 9, wherein the process of generating the three-dimensional visualization of the monitored network further includes representing the discrete data additional information as a particular color, a particular shape, a particular size, a particular position, or a particular changing dynamic value in the 3-D environment.

11. A method of visualizing a monitored computer network, the method comprising:
- retrieving network traffic metadata and discrete data pertaining to a monitored network;
  
  processing the network traffic metadata by embedding the network traffic metadata into a graph data structure, the graph data structure comprising;
  
  one or more vertices representing computer hosts; and
  
  one or more edges representing connections between two computer hosts;
  
  processing the discrete data by adding the discrete data to the one or more edges in the graph data structure;
  
  generating a three-dimensional visualization of the monitored network; and
  
  displaying the three-dimensional visualization of the monitored network overlaid with the discrete data.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein retrieving network traffic metadata and discrete data pertaining to the monitored network includes querying a system database for network traffic metadata and discrete data collected by one or more data collectors during a snapshot timeframe.
  - 13. The method of claim 12, wherein processing the network traffic metadata further includes normalizing the network traffic metadata by extracting normalized fields metadata elements from the network traffic metadata and populating an intermediary array, wherein the normalized fields metadata elements comprise a destination host identifier, a destination host port, a source host identifier, and a source host port.
  - 14. The method of claim 13, wherein the processing of the network traffic metadata further includes extracting non-normalized fields metadata elements from the network traffic metadata and populating a nested array, wherein the non-normalized fields metadata elements define network traffic additional information pertaining to the one or more vertices or the one or more edges of the graph data structure.
  - 15. The method of claim 14, wherein the processing of the network traffic metadata further includes adding the additional network traffic information to the one or more vertices or the one or more edges of the graph data structure.
  - 16. The method of claim 15, wherein the processing of the discrete data further includes extracting discrete data elements from the discrete data and populating the nested array, wherein the discrete data elements define discrete data additional information pertaining to the one or more vertices or the one or more edges of the graph data structure.
  - 17. The method of claim 16, wherein the processing of the discrete data further includes adding the discrete data additional information to the one or more vertices or the one or more edges of the graph data structure.
  - 18. The method of claim 17, wherein the process of generating the three-dimensional visualization of the monitored network includes:
    - spawning the computer hosts as a first three-dimensional object in a 3-D environment;
      
      spawning the connections as a second three-dimensional object in the 3-D environment; and
      
      representing the discrete data additional information as a particular color, a particular shape, a particular size, a particular position, or a particular changing dynamic value in the 3-D environment.

19. A network visualization system, comprising:
- an application server comprising;
  
  a retrieval engine module for retrieving network traffic metadata and discrete data pertaining to a monitored network;
  
  a graph generator module for processing the network metadata and building a graph data structure, wherein the graph data structure includes one or more vertices representing computer hosts and one or more edges representing connections between two computer hosts; and
  
  an overlay generator module for processing the discrete data by adding the discrete data to the one or more edges in the graph data structure; and
  
  a client application comprising;
  
  a network worker module communicably linked to the application server;
  
  a 3-D object generator module for creating a simulated 3-D environment;
  
  a communicator module for spawning one or more primary three-dimensional objects in the 3-D environment representing computer hosts in the monitored network, and for spawning one or more secondary three-dimensional objects in the 3-D environment representing the connections between two computer hosts in the monitored network; and
  
  a graphical user interface for displaying the simulated 3-D environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Viewpoint Software LLC
Original Assignee
Ingalls Information Security IP, LLC
Inventors
Ingalls, Jason, Richards, Adam, Perinelli, Eugenio, Piccinelli, Nicola, Arena, Riccardo

Granted Patent

US 10,965,561 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 43/045   for graphical visualisation...

H04L 43/06   Generation of reports

H04L 43/12   Network monitoring probes

H04L 63/1425   Traffic logging, e.g. anoma...

Network Security Monitoring and Correlation System and Method of Using Same

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Network Security Monitoring and Correlation System and Method of Using Same

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links