System and method for network security
First Claim
1. A system for extracting information from network data, comprising:
an input interface connected to at least one source of network data; and
a network event sensor, communicating with the input interface, the network event sensor comprising an interpreter module, the interpreter module scanning the network data to generate logical groupings of the network data, and an assembler module, communicating with the interpreter module, the assembler module scanning the logical groupings to generate at least one session object, wherein the network event sensor applies a lexical engine to the at least one session object recursively to identify protocols within other protocols to extract nested or underlying objects encapsulated in one or more different protocols and to identify at least one network event as at least one of a predetermined set of event types.
Abstract
A system for network security transparently occupies an observation port on the data stream, passing the entire range of network information to a dedicated interpreter. The interpreter resolves the data stream into individual data packets, which are then assembled into reconstructed network sessions according to parameters such as protocol type, source and destination addresses, source and destination ports, sequence numbers and other variables. The different types of sessions may include the traffic of many different types of users, such as e-mail, streaming video, voice-over-Internet and others. The system detects the sessions and stores them in a database. A parser module may extract only the minimum information needed to reconstruct individual sessions. A backend interface permits a systems administrator to interrogate the forensic record of the network for maintenance, security and other purposes. The invention is not constrained to detecting a limited set of data types, but rather captures and records a comprehensive record of network behavior.
111 Citations
47 Claims
1. A system for extracting information from network data, comprising: (independent claim; full text given under First Claim above). Dependent claims: 2 through 23.

24. A method for extracting information from network data, comprising the steps of:
receiving network data from at least one source of network data;
scanning the network data to generate logical groupings of the network data;
scanning the logical groupings to generate at least one session object; and
recursively applying at least a lexical engine to the at least one session object to identify protocols within other protocols to extract nested or underlying objects encapsulated in one or more of the protocols and to identify more than one network event type contained in the at least one session object.
Dependent claims: 25 through 47.
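The abstract and claim 24 describe the same pipeline: packets grouped into sessions by flow parameters, then a lexical engine applied recursively so that a protocol carried inside another protocol is still recognised. The following is an added illustration, not code from the patent or its assignee; the packet tuple layout, the three toy protocol recognisers and the event-type names are assumptions chosen for the example.

```python
# Added example (not from the patent): reassemble packets into sessions, then
# recursively identify nested protocols and map each layer to an event type.
import base64
from collections import defaultdict

# Constructed traffic: one TCP flow carrying an HTTP POST whose body is a MIME
# e-mail message with a base64-encoded attachment that begins with "MZ".
EMAIL = (b"From: a@example.test\r\nTo: b@example.test\r\n"
         b"Content-Transfer-Encoding: base64\r\n\r\n"
         + base64.b64encode(b"MZ\x90\x00fake-pe-header"))
HTTP = b"POST /upload HTTP/1.1\r\nHost: mail.example.test\r\n\r\n" + EMAIL
# (proto, src, dst, sport, dport, seq, payload); deliberately out of order
PACKETS = [
    ("tcp", "10.0.0.5", "10.0.0.9", 40000, 80, 120, HTTP[20:]),
    ("tcp", "10.0.0.5", "10.0.0.9", 40000, 80, 100, HTTP[:20]),
]

def assemble_sessions(packets):
    """Assembler: group packets by flow key, join payloads in sequence order."""
    flows = defaultdict(list)
    for proto, src, dst, sport, dport, seq, payload in packets:
        flows[(proto, src, dst, sport, dport)].append((seq, payload))
    return {key: b"".join(p for _, p in sorted(segs)) for key, segs in flows.items()}

def lexical_engine(data):
    """Identify the outermost protocol of `data`, descend into its payload and
    return the (layer, event_type) pairs found, outermost first."""
    if data.startswith((b"GET ", b"POST ")):
        _head, _, body = data.partition(b"\r\n\r\n")
        return [("http", "http_request")] + lexical_engine(body)
    if data.startswith(b"From: "):
        head, _, body = data.partition(b"\r\n\r\n")
        layers = [("mime", "email_message")]
        if b"base64" in head:  # decode the attachment and recurse into it
            layers += lexical_engine(base64.b64decode(body))
        return layers
    if data.startswith(b"MZ"):
        return [("pe", "executable_transfer")]
    return [("raw", "unknown")] if data else []

def analyze(packets):
    """Run the full pipeline: sessions -> recursive protocol/event identification."""
    return {key: lexical_engine(sess) for key, sess in assemble_sessions(packets).items()}
```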
Specification