Network security and surveillance system
Abstract
A network security and surveillance system passively monitors and records the traffic present on a local area network, wide area network, or other type of computer network, without interrupting or otherwise interfering with the flow of the traffic. Raw data packets present on the network are continuously routed (with optional packet encryption) to a high-capacity data recorder to generate low-level recordings for archival purposes. The raw data packets are also optionally routed to one or more cyclic data recorders to generate temporary records that are used to automatically monitor the traffic in near-real-time. A set of analysis applications and other software routines allows authorized users to interactively analyze the low-level traffic recordings to evaluate network attacks, internal and external security breaches, network problems, and other types of network events.
24 Claims
1. A computer system for facilitating a post-event reconstruction and analysis of a security breach or other catastrophic event on a computer network, the system comprising:
-
network interface circuitry configured to passively and continuously capture all valid data-link-level network traffic at a network connection point to generate a packet stream, the packet stream comprising raw data packets that are transmitted on the network by other computer systems of the network;
at least one computer processor configured to process the packet stream to generate an archival data stream;
a data recording unit operatively coupled to the processor, the recording unit configured to record the archival data stream onto a non-volatile storage medium to generate a low-level archival recording of network traffic, the processor incapable of modifying the recorded archival data stream;
a data playback unit operatively coupled to the processor, the playback unit configured to play back the previously recorded archival data stream as computer network traffic on the computer network at the network connection point to recreate computer network traffic events as they previously occurred when recorded, the previously recorded archival data stream is transmitted on the computer network at the network connection point and flows through the computer network as the archival data stream originally flowed through the computer network;
a first cyclic data recorder coupled to the processor that cyclically records a daily portion of the packet stream onto a second recording medium to generate a record of the network traffic; and
a second cyclic data recorder that cyclically records a daily filtered portion of the packet stream onto a third recording medium to generate a record of a portion of the network traffic.
an automated monitoring module configured to automatically read traffic data from the first cyclic data recorder and the second cyclic data recorder and to monitor read-in traffic data for anomalies.
13. The computer system according to claim 12, wherein the automated monitoring software module is configured to trigger an alarm upon detecting a pre-specified network anomaly.
14. A method of generating an archival record of network traffic on a computer network, comprising the computer-implemented steps of:
passively and continuously capturing all valid data packets that are receivable at a connection point to the network to generate a packet stream;
processing the packet stream to generate an archival data stream;
storing the archival data stream on a non-volatile storage medium;
storing a daily portion of the packet stream onto a second recording medium to generate a record of the network traffic with a first cyclic data recorder;
storing a daily filtered portion of the packet stream onto a third recording medium to generate a record of a portion of the network traffic with a second cyclic data recorder; and
playing back the previously recorded archival data stream as computer network traffic on the computer network to recreate computer network traffic events as they previously occurred when recorded, the previously recorded archival data stream is transmitted on the computer network at the connection point and flows through the computer network as the archival data stream originally flowed through the computer network.
reading-in and analyzing network traffic stored by the first cyclic data recorder and the second cyclic data recorder to provide automated near-real-time analysis of the network traffic.
22. A method of monitoring traffic on a computer network without adding latency to the traffic, comprising the computer-implemented steps of:
(a) passively and continuously capturing all valid data packets at a network connection point to generate a packet stream;
(b) writing a daily portion of the packet stream onto a recording medium to generate a record of the network traffic with a first cyclic data recorder;
(c) writing a daily filtered portion of the packet stream onto a second recording medium to generate a record of a portion of the network traffic with a second cyclic data recorder;
(d) automatically reading-in and analyzing traffic data stored on the recording medium in steps (b) and (c) to search for at least one predefined traffic anomaly, to thereby provide near-real-time analysis of the traffic, wherein the predefined anomaly relates to a particular packet stream; and
(e) playing back the previously recorded packet stream as computer network traffic on the computer network to recreate computer network traffic events as they previously occurred when recorded, the previously recorded data stream is transmitted on the computer network at the network connection point and flows through the computer network as the data stream originally flowed through the computer network.
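The pipeline that claims 1, 14 and 22 describe, as an added example that is not part of the patent or of any product built on it: a passive tap copies every packet to an append-only archive and to two daily ring-buffer recorders (one full, one filtered), an automated monitor reads both recorders and raises an alarm on a predefined anomaly, and a playback unit re-emits the archived packets with their original inter-arrival gaps. The "processor incapable of modifying the recorded archival data stream" property is modelled here as tamper evidence (a hash chain over the records); the packet fields, the port-22 filter, the host-sweep anomaly rule and the sample traffic are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

DAY = 86400.0  # one daily portion, in seconds


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp, seconds since epoch (assumed field set)
    src: str
    dst: str
    proto: str
    dport: int
    length: int


class Archive:
    """Append-only archival recording. Each record is hash-chained to the previous
    one, so any later edit of a stored record makes verify() fail: this stands in
    for the claim's 'processor incapable of modifying' property as tamper evidence."""

    def __init__(self):
        self._records = []            # list of (packet, chain digest)
        self._prev = b"\x00" * 32

    def append(self, pkt):
        digest = hashlib.sha256(self._prev + repr(pkt).encode()).digest()
        self._records.append((pkt, digest))
        self._prev = digest

    def verify(self):
        prev = b"\x00" * 32
        for pkt, digest in self._records:
            if hashlib.sha256(prev + repr(pkt).encode()).digest() != digest:
                return False
            prev = digest
        return True

    def packets(self):
        return [p for p, _ in self._records]


class CyclicRecorder:
    """Daily ring buffer: keeps the newest `days` daily portions and overwrites
    older ones. `keep` selects the subset for the 'daily filtered portion'."""

    def __init__(self, days, keep=lambda p: True):
        self.days, self.keep, self._buf = days, keep, {}

    def write(self, pkt):
        if not self.keep(pkt):
            return
        day = int(pkt.ts // DAY)
        self._buf.setdefault(day, []).append(pkt)
        for old in [d for d in self._buf if d <= day - self.days]:
            del self._buf[old]        # cyclic overwrite of expired days

    def read(self):
        return [p for d in sorted(self._buf) for p in self._buf[d]]


def capture(packet_stream, archive, recorders):
    """Passive tap: every packet is copied to the archive and to each recorder;
    the stream itself is returned untouched (nothing delayed, nothing dropped)."""
    for pkt in packet_stream:
        archive.append(pkt)
        for r in recorders:
            r.write(pkt)
    return packet_stream


def monitor(full_rec, filtered_rec, max_distinct_dsts=3):
    """Automated monitoring module: reads both recorders and alarms on the
    predefined anomaly, here one source touching more than `max_distinct_dsts`
    distinct (host, port) destinations, i.e. a sweep (constructed rule)."""
    seen = {}
    for pkt in full_rec.read() + filtered_rec.read():
        seen.setdefault(pkt.src, set()).add((pkt.dst, pkt.dport))
    return sorted(src for src, dsts in seen.items() if len(dsts) > max_distinct_dsts)


def playback(archive, send, sleep, speed=1.0):
    """Playback unit: re-emits archived packets in order, preserving the original
    inter-arrival gaps (divided by `speed`). send/sleep are injected so the
    transmit path (e.g. a raw socket) is the caller's choice."""
    pkts = archive.packets()
    for prev, cur in zip([None] + pkts, pkts):
        if prev is not None:
            sleep((cur.ts - prev.ts) / speed)
        send(cur)
    return len(pkts)


# Constructed sample traffic spanning three days; on day 3, 10.0.0.9 sweeps four hosts.
T0 = 1_700_000_000.0
SAMPLE = [
    Packet(T0,                 "10.0.0.5", "10.0.1.2", "tcp", 443, 1200),
    Packet(T0 + 1,             "10.0.0.5", "10.0.1.2", "tcp", 443, 80),
    Packet(T0 + DAY,           "10.0.0.7", "10.0.1.3", "udp", 53, 64),
    Packet(T0 + 2 * DAY,       "10.0.0.9", "10.0.1.1", "tcp", 22, 60),
    Packet(T0 + 2 * DAY + 0.1, "10.0.0.9", "10.0.1.2", "tcp", 22, 60),
    Packet(T0 + 2 * DAY + 0.2, "10.0.0.9", "10.0.1.3", "tcp", 22, 60),
    Packet(T0 + 2 * DAY + 0.3, "10.0.0.9", "10.0.1.4", "tcp", 22, 60),
]


def run_demo():
    """Runs capture, monitoring and (instant) playback over SAMPLE and reports results."""
    archive = Archive()
    full = CyclicRecorder(days=2)                                  # last two days, everything
    filtered = CyclicRecorder(days=2, keep=lambda p: p.dport == 22)  # last two days, SSH only
    capture(SAMPLE, archive, [full, filtered])
    replayed, delays = [], []
    n = playback(archive, replayed.append, delays.append)
    return {
        "archived": len(archive.packets()),
        "archive_ok": archive.verify(),
        "full_kept": len(full.read()),          # day 1 was overwritten by the ring buffer
        "filtered_kept": len(filtered.read()),
        "alarms": monitor(full, filtered),
        "replayed": n,
        "replay_in_order": replayed == SAMPLE,
        "max_gap": max(delays),
    }


def tamper_demo():
    """Alters one archived record after the fact; the hash chain no longer verifies."""
    a = Archive()
    for p in SAMPLE:
        a.append(p)
    pkt, digest = a._records[1]
    a._records[1] = (Packet(pkt.ts, "10.0.0.6", pkt.dst, pkt.proto, pkt.dport, pkt.length), digest)
    return a.verify()


if __name__ == "__main__":
    print(run_demo(), "tampered archive verifies:", tamper_demo())
```

With two-day ring buffers, the day-1 packets survive only in the archive, which is the point of separating the long-term recording from the cyclic recorders: the monitor works on the recent window, while post-event reconstruction and playback come from the archive. A real deployment would feed `capture` from a span/tap interface and back `send` with a raw socket; the injected callables keep the example runnable offline.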