Method and apparatus for automated network-wide surveillance and security breach intervention

US 5,796,942 A
Filed: 11/21/1996
Issued: 08/18/1998
Est. Priority Date: 11/21/1996
Status: Expired due to Term

First Claim

Patent Images

1. A network surveillance system for conducting surveillance on a network independent of a network server comprises:

a network driver for capturing data on a network, said data not necessarily addressed to said surveillance system;

a handler process for receiving data from said network driver and storing said data in real time;

a plurality of record files for receiving network data and storing said data before further examination;

a scanner process for designating one of said plurality of record files as a receive file while reading data from another of said plurality of record files and for using said data to construct a plurality of session data streams, said session data streams providing a sequential reconstruction of network data traffic organized by session;

a session window scanner for reading a window of data in one of said plurality of session data streams;

a set of surveillance rules defining data patterns which, when met, will trigger a surveillance alert; and

an alerts handler for responding to fired rules and taking defined actions.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network surveillance system includes a handler process (10) for capturing network packets and filtering invalid packets, a first and second continuously sorted record file (15a, 15b), and a scanner process (30) for scanning all sessions occurring on the network and checking for the presence of certain rules (38). When a rule is met, indicating a security incident, a variety of appropriate actions may be taken, including notifying a network security officer via electronic or other mail or recording or terminating a network session. The surveillance system operates completely independently of any other network traffic and the network file server and therefore has no impact on network performance. According to a further embodiment, the invention may include remote surveillance agents (100a-c) for gathering network packets at a remote location and transferring them to a server (110) for analysis by a network surveillance system.

582 Citations

20 Claims

1. A network surveillance system for conducting surveillance on a network independent of a network server comprises:
- a network driver for capturing data on a network, said data not necessarily addressed to said surveillance system;
  
  a handler process for receiving data from said network driver and storing said data in real time;
  
  a plurality of record files for receiving network data and storing said data before further examination;
  
  a scanner process for designating one of said plurality of record files as a receive file while reading data from another of said plurality of record files and for using said data to construct a plurality of session data streams, said session data streams providing a sequential reconstruction of network data traffic organized by session;
  
  a session window scanner for reading a window of data in one of said plurality of session data streams;
  
  a set of surveillance rules defining data patterns which, when met, will trigger a surveillance alert; and
  
  an alerts handler for responding to fired rules and taking defined actions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The device according to claim 1 further comprising:
    - a user interface allowing a user to view sessions in real time and to access a plurality of data bases containing session events maintained by said scanner process.
  - 3. The device according to claim 1 wherein said handler process filters certain network data and adds an indication of the time when certain network data is received from the network.
  - 4. The device according to claim 1 wherein said plurality of record files are continuously sorted according to a record index.
  - 5. The device according to claim 1 wherein said session window includes an overlap portion of previously examined data from said session data base in order to test for rules that would apply to data contained in more than one record.
  - 6. The device according to claim 5 wherein said session window overlap is determined by the longest text string that could trigger a rule.
  - 7. The device according to claim 1 wherein said alerts handler may respond to an alert by transmitting a message to a specified plurality of destinations.
  - 8. The device according to claim 1 wherein said alerts handler may respond to an alert by forcing a user session to terminate.
  - 9. The device according to claim 1 wherein said alerts handler may respond to an alert by recording a session.
  - 10. A fixed computer readeable medium containing computer executable program code, which, when loaded into an appropriately configured computer system will cause the computer to embodiment the device of claim 1.

11. A method for for conducting surveillance on a network comprises:
- capturing data on a network;
  
  storing said data in real time in one of a plurality of record files;
  
  using said data to construct a plurality of session data streams, said session data streams providing a sequential reconstruction of network data traffic organized by session;
  
  reading a window of data in one of said plurality of session data streams;
  
  testing said window of data against a set of surveillance rules; and
  
  responding to fired rules by taking defined interventions.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method according to claim 11 further comprising presenting a view of reconstructed sessions to a user in real time.
  - 13. The method according to claim 11 further comprising filtering certain network data packets before storing.
  - 14. The method according to claim 11 further comprising continuously sorting record files.
  - 15. The method according to claim 11 further comprising examining an overlap portion of previously examined data in order to test rules that would apply to data contained in more than one record.
  - 16. The method according to claim 15 wherein said session window overlap is determined by the longest text string that could trigger a rule.
  - 17. The method according to claim 11 further comprising responding to an alert by transmitting a message to a specified plurality of destinations.
  - 18. The method according to claim 11 further comprising responding to an alert by forcing a user session to terminate.
  - 19. The method according to claim 11 further comprising responding to an alert by recording a session.
  - 20. A fixed computer readeable medium containing computer executable program code, which, when loaded into an appropriately configured computer system will cause the computer to embodiment the method of claim 11.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Esbensen, Daniel
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Baderman, Scott T.

Application Number

US08/749,352
Time in Patent Office

635 Days
Field of Search

395/187.01, 395/186, 395/200.57, 395/200.58, 395/200.59, 364/286.4
US Class Current

726/13
CPC Class Codes

H04L 43/00 Arrangements for monitoring...

H04L 63/1408 by monitoring network traff...

Method and apparatus for automated network-wide surveillance and security breach intervention

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

582 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for automated network-wide surveillance and security breach intervention

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

582 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links