Network security and surveillance system

US 6,453,345 B2
Filed: 05/07/1997
Issued: 09/17/2002
Est. Priority Date: 11/06/1996
Status: Expired due to Term

First Claim

Patent Images

1. A computer system for facilitating a post-event reconstruction and analysis of a security breach or other catastrophic event on a computer network, the system comprising:

network interface circuitry configured to passively and continuously capture all valid data-link-level network traffic at a network connection point to generate a packet stream, the packet stream comprising raw data packets that are transmitted on the network by other computer systems of the network;

at least one computer processor configured to process the packet stream to generate an archival data stream;

a data recording unit operatively coupled to the processor, the recording unit configured to record the archival data stream onto a non volatile storage medium to generate a low-level archival recording of network traffic, the processor incapable of modifying the recorded archival data stream;

a data playback unit operatively coupled to the processor, the playback unit configured to play back the previously recorded archival data stream as computer network traffic on the computer network at the network connection point to recreate computer network traffic events as they previously occurred when recorded, the previously recorded archival data stream is transmitted on the computer network at the network connection point and flows through the computer network as the archival data stream originally flowed through the computer network;

a first cyclic data recorder coupled to the processor that cyclically records a daily portion of the packet stream onto a second recording medium to generate a record of the network traffic; and

a second cyclic data recorder that cyclically records a daily filtered portion of the packet stream onto a third recording medium to generate a record of a portion of the network traffic.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security and surveillance system passively monitors and records the traffic present on a local area network, wide area network, or other type of computer network, without interrupting or otherwise interfering with the flow of the traffic. Raw data packets present on the network are continuously routed (with optional packet encryption) to a high-capacity data recorder to generate low-level recordings for archival purposes. The raw data packets are also optionally routed to one or more cyclic data recorders to generate temporary records that are used to automatically monitor the traffic in near-real-time. A set of analysis applications and other software routines allows authorized users to interactively analyze the low-level traffic recordings to evaluate network attacks, internal and external security breaches, network problems, and other types of network events.

Citations

24 Claims

1. A computer system for facilitating a post-event reconstruction and analysis of a security breach or other catastrophic event on a computer network, the system comprising:
- network interface circuitry configured to passively and continuously capture all valid data-link-level network traffic at a network connection point to generate a packet stream, the packet stream comprising raw data packets that are transmitted on the network by other computer systems of the network;
  
  at least one computer processor configured to process the packet stream to generate an archival data stream;
  
  a data recording unit operatively coupled to the processor, the recording unit configured to record the archival data stream onto a non volatile storage medium to generate a low-level archival recording of network traffic, the processor incapable of modifying the recorded archival data stream;
  
  a data playback unit operatively coupled to the processor, the playback unit configured to play back the previously recorded archival data stream as computer network traffic on the computer network at the network connection point to recreate computer network traffic events as they previously occurred when recorded, the previously recorded archival data stream is transmitted on the computer network at the network connection point and flows through the computer network as the archival data stream originally flowed through the computer network;
  
  a first cyclic data recorder coupled to the processor that cyclically records a daily portion of the packet stream onto a second recording medium to generate a record of the network traffic; and
  
  a second cyclic data recorder that cyclically records a daily filtered portion of the packet stream onto a third recording medium to generate a record of a portion of the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer system according to claim 1, wherein the network circuitry and the processor are configured such that the archival data stream contains sufficient information to reconstruct substantially all valid data packets that are receivable at the network connection point.
  - 3. The computer system according to claim 1, wherein the packet stream comprises substantially all valid data-link-level traffic that is presented at the network connection point.
  - 4. The computer system according to claim 1, wherein the processor is configured to insert packet timestamps into the packet stream, the packet timestamps forming a part of the archival recording and reflecting network transmission times of packets contained within the recording.
  - 5. The computer system according to claim 1, wherein the processor is configured to apply an encryption method to the packet stream, so that the raw data packets of the packet stream are stored on the non-volatile storage medium in an encrypted form.
  - 6. The computer system according to claim 1, wherein the processor is configured to implement a bad-packet filter to filter out packets of at least one predetermined type from the packet stream, the bad packet filter reducing a storage burden for the storage of network traffic onto the storage medium.
  - 7. The computer system according to claim 6, further including filter configuration software which allows a user of the computer system to selectively enable and disable the bad-packet filter, and wherein the archival data stream contains all valid packet data receivable at the connection point when the bad-packet filter is set to a disabled state.
  - 8. The computer system according to claim 1, wherein the storage medium comprises magnetic tape.
  - 9. The computer system according to claim 8, wherein the data recording unit comprises an automated tape library.
  - 10. The computer system according to claim 1, wherein the data recording unit is configured to operate as a write-once storage device.
  - 11. The computer system according to claim 1, further comprising interactive traffic analysis software for enabling a user to interactively view and analyze traffic data stored in the archival recording in an off-line analysis mode, the interactive traffic analysis software including a search engine for enabling the user to conduct interactive searches of the traffic data.
  - 12. The computer system according to claim 1, further comprising:
13. The computer system according to claim 12, wherein the automated monitoring software module is configured to trigger an alarm upon detecting a pre-specified network anomaly.

14. A method of generating an archival record of network traffic on a computer network, comprising the computer-implemented steps of;
- passively and continuously capturing all valid data packets that are receivable at a connection point to the network to generate a packet stream;
  
  processing the packet stream to generate an archival data stream;
  
  storing the archival data stream on a non-volatile storage medium;
  
  storing a daily portion of the packet stream onto a second recording medium to generate a record of the network traffic with a first cyclic data recorder;
  
  storing a daily filtered portion of the packet stream onto a third recording medium to generate a record of a portion of the network traffic with a second cyclic data recorder; and
  
  playing back the previously recorded archival data stream as computer network traffic on the computer network to recreate computer network traffic events as they previously occurred when recorded, the previously recorded archival data stream is transmitted on the computer network at the connection point and flows through the computer network as the archival data stream originally flowed through the computer network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method according to claim 14, wherein the step of capturing comprises monitoring the network traffic with a network interface card that resides within a host computer, the network interface card configured to operate in a receive-only mode in which all data-link-level traffic present at the connection point is forwarded to the host computer.
  - 16. The method according to claim 15, wherein the step of storing comprises sending the archival data stream from the host computer to a peripheral storage device that is configured to operate in a write-once recording mode.
  - 17. The method according to claim 14, wherein the step of processing the packet stream comprises inserting timestamps into the packet stream to facilitate a subsequent reconstruction of events on the network.
  - 18. The method according to claim 14, wherein the step of processing the packet stream comprises encrypting at least a portion of the packet stream.
  - 19. The method according to claim 14, wherein the step of storing comprises writing the archival data stream to magnetic tape.
  - 20. The method according to claim 19, wherein the step of writing is performed at least in-part by an automated tape library.
  - 21. The method according to claim 14, further comprising the computer implemented steps of:

22. A method of monitoring traffic on a computer network without adding latency to the traffic, comprising the computer-implemented steps of:
- (a) passively and continuously capturing all valid data packets at a network connection point to generate a packet stream;
  
  (b) writing a daily portion of the packet stream onto a recording medium to generate a record of the network traffic with a first cyclic data recorder;
  
  (c) writing a daily filtered portion of the packet stream onto a second recording medium to generate a record of a portion of the network traffic with a second cyclic data recorder;
  
  (d) automatically reading-in and analyzing traffic data stored on the recording medium in steps (b) and (c) to search for at least one predefined traffic anomaly, to thereby provide near-real-time analysis of the traffic, wherein the predefined anomaly relates to a particular packet stream; and
  
  (e) playing back the previously recorded packet stream as computer network traffic on the computer network to recreate computer network traffic events as they previously occurred when recorded, the previously recorded data stream is transmitted on the computer network at the network connection point and flows through the computer network as the data stream originally flowed through the computer network.
- View Dependent Claims (23, 24)
- - 23. The method according to claim 22, wherein the step of writing is performed using a cyclic recording device.
  - 24. The method according to claim 22, wherein the step of automatically reading-in and analyzing traffic data comprises performing at least one virus check on the traffic data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DataDirect Networks Incorporated
Original Assignee
DataDirect Networks Incorporated
Inventors
Trcka, Milan V., Jones, Mark R., Fallon, Kenneth T., Walker, Ronald W.
Primary Examiner(s)
Burgess, Glenton B.
Assistant Examiner(s)
SALAD, ABDULLAHI ELMI

Application Number

US08/852,759
Publication Number

US 20010039579A1
Time in Patent Office

1,959 Days
Field of Search

709/224, 709/225, 709/231, 709/229, 709/223, 713/200, 713/201, 714/4, 714/39, 714/47
US Class Current

709/224
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2151   Time stamp

H04L 63/0272   Virtual private networks

H04L 63/1425   Traffic logging, e.g. anoma...

Network security and surveillance system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Network security and surveillance system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links