Method and apparatus for automated network-wide surveillance and security breach intervention
First Claim
1. A network surveillance system for conducting surveillance on a network independent of a network server comprises:
a network driver for capturing data on a network, said data not necessarily addressed to said surveillance system;
a handler process for receiving data from said network driver and storing said data in real time;
a plurality of record files for receiving network data and storing said data before further examination;
a scanner process for designating one of said plurality of record files as a receive file while reading data from another of said plurality of record files and for using said data to construct a plurality of session data streams, said session data streams providing a sequential reconstruction of network data traffic organized by session;
a session window scanner for reading a window of data in one of said plurality of session data streams;
a set of surveillance rules defining data patterns which, when met, will trigger a surveillance alert; and
an alerts handler for responding to fired rules and taking defined actions.
Abstract
A network surveillance system includes a handler process (10) for capturing network packets and filtering invalid packets, a first and second continuously sorted record file (15a, 15b), and a scanner process (30) for scanning all sessions occurring on the network and checking for the presence of certain rules (38). When a rule is met, indicating a security incident, a variety of appropriate actions may be taken, including notifying a network security officer via electronic or other mail or recording or terminating a network session. The surveillance system operates completely independently of any other network traffic and the network file server and therefore has no impact on network performance. According to a further embodiment, the invention may include remote surveillance agents (100a-c) for gathering network packets at a remote location and transferring them to a server (110) for analysis by a network surveillance system.
20 Claims
1. A network surveillance system for conducting surveillance on a network independent of a network server (independent claim; full text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method for conducting surveillance on a network comprises:
capturing data on a network;
storing said data in real time in one of a plurality of record files;
using said data to construct a plurality of session data streams, said session data streams providing a sequential reconstruction of network data traffic organized by session;
reading a window of data in one of said plurality of session data streams;
testing said window of data against a set of surveillance rules; and
responding to fired rules by taking defined interventions.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
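The pipeline recited in claims 1 and 11 and in the abstract (a handler storing captured packets into alternating record files, a scanner reassembling per-session streams in sequence order, a window scanner testing each window against rules, and an alert handler that notifies, records or terminates), as an added Python illustration that is not the patent's implementation. The packet structure, the validity filter, the window size and step, the three rules and the sample packets are all constructed assumptions chosen to exercise the out-of-order, invalid-packet and termination cases.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Added example, not the patent's code. Models: handler -> two record files
# (one is the receive file while the other is scanned) -> session reassembly
# -> session window scanner -> rules -> alert handler (notify/record/terminate).


@dataclass(frozen=True)
class Packet:                      # assumed minimal capture record
    src: str
    sport: int
    dst: str
    dport: int
    seq: int                       # byte offset of payload within its direction
    payload: bytes


def is_valid(pkt: Packet) -> bool:
    """Handler-side filter for invalid packets (assumed checks: sane ports, non-negative seq)."""
    return 0 < pkt.sport < 65536 and 0 < pkt.dport < 65536 and pkt.seq >= 0


class RecordFiles:
    """Two record files (15a, 15b): the handler appends to the receive file while
    the scanner drains the other; rotate() swaps the roles."""
    def __init__(self):
        self.files = [[], []]
        self.receive = 0

    def store(self, pkt):
        self.files[self.receive].append(pkt)

    def rotate(self):
        full = self.receive
        self.receive ^= 1                      # the other file becomes the receive file
        data, self.files[full] = self.files[full], []
        return data


def session_key(p):
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)        # same key for both directions


class Sessions:
    """Per-session, per-direction segments keyed by seq; streams() joins them in order,
    so out-of-order capture still yields a sequential reconstruction."""
    def __init__(self):
        self.segments = defaultdict(lambda: defaultdict(dict))

    def add(self, p):
        self.segments[session_key(p)][(p.src, p.sport)][p.seq] = p.payload

    def streams(self):
        for key, dirs in self.segments.items():
            for direction, segs in dirs.items():
                yield key, direction, b"".join(segs[s] for s in sorted(segs))


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes                 # regex tested against each window
    action: str                    # "notify", "record" or "terminate"


def windows(data, size=24, step=8):
    """Session window scanner. Overlapping windows (step < size) so a pattern that
    crosses a step boundary still falls entirely inside one window."""
    if len(data) <= size:
        yield data
        return
    for off in range(0, len(data) - size + step, step):
        yield data[off:off + size]


class AlertHandler:
    def __init__(self):
        self.notifications, self.recorded, self.terminated = [], {}, set()

    def handle(self, rule, key, direction, stream):
        if rule.action == "notify":            # e.g. mail the security officer
            self.notifications.append(f"{rule.name} from {direction[0]} port {direction[1]}")
        elif rule.action == "record":          # keep the reconstructed stream
            self.recorded[(key, direction)] = stream
        elif rule.action == "terminate":       # a real system would reset both ends
            self.terminated.add(key)


def surveil(packets, rules, batch=3):
    files, sessions, handler, fired, stored, dropped = RecordFiles(), Sessions(), AlertHandler(), set(), 0, 0

    def scan():                                # scanner process, run per rotated file
        for pkt in files.rotate():
            sessions.add(pkt)
        for key, direction, stream in sessions.streams():
            if key in handler.terminated:
                continue
            for rule in rules:
                if (rule.name, key, direction) in fired:
                    continue               # each rule fires once per stream
                if any(re.search(rule.pattern, w) for w in windows(stream)):
                    fired.add((rule.name, key, direction))
                    handler.handle(rule, key, direction, stream)

    for pkt in packets:                        # handler process
        if not is_valid(pkt) or session_key(pkt) in handler.terminated:
            dropped += 1                       # invalid, or intervention already applied
            continue
        files.store(pkt)
        stored += 1
        if stored % batch == 0:
            scan()
    scan()                                     # drain whatever is left
    return handler, sessions, dropped


RULES = [                                      # constructed rules
    Rule("cleartext-ftp-login", rb"USER\s+\w+", "notify"),
    Rule("ftp-password", rb"PASS\s+\S+", "record"),
    Rule("shell-invocation", rb"/bin/sh", "terminate"),
]

SAMPLE_PACKETS = [                             # constructed capture, deliberately out of order
    Packet("10.0.0.5", 40000, "10.0.0.9", 21, 11, b"PASS hunter2\r\n"),
    Packet("10.0.0.5", 40000, "10.0.0.9", 0, 0, b"garbage"),          # invalid port
    Packet("10.0.0.9", 21, "10.0.0.5", 40000, 0, b"220 ftp ready\r\n"),
    Packet("10.0.0.5", 40000, "10.0.0.9", 21, 0, b"USER root\r\n"),
    Packet("10.0.0.7", 51000, "10.0.0.9", 80, 0, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"),
    Packet("10.0.0.7", 51000, "10.0.0.9", 80, 37, b"Host: victim\r\n"),
    Packet("10.0.0.9", 80, "10.0.0.7", 51000, 0, b"HTTP/1.0 200 OK\r\n"),
    Packet("10.0.0.7", 51000, "10.0.0.9", 80, 51, b"\r\n"),           # arrives after termination
]


def run_sample():
    return surveil(SAMPLE_PACKETS, RULES)


if __name__ == "__main__":
    handler, sessions, dropped = run_sample()
    print(handler.notifications, sorted(handler.terminated), dropped)
```

The window size must exceed the longest pattern a rule can match, and the overlap (size minus step) must be at least one byte shorter than that match, or a pattern straddling two windows is never seen; the constants above satisfy that for the three sample rules. The "terminate" action here only drops later packets of the session from surveillance; actually tearing the session down on the wire is a separate intervention the claims describe but this example does not perform.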
Specification