Method and system for maintaining network activity data for intrusion detection
Assignments: 1
Petitions: 0
Abstract
A method and system for maintaining network activity data for intrusion detection includes storing data representative of network activity in datasets. The datasets include root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset. Child datasets are identified through their root datasets.
Citations: 53

Claims (53)
1. A method for maintaining network activity data for an intrusion detection system, comprising:
- storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination being a subset of, and less granular than, a root keyset; and
- identifying a child dataset of a root dataset through the root dataset.
Dependent claims: 2-20.

21. An intrusion detection system, comprising:
- logic encoded in computer-readable media; and
- the logic operable to store data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination being a subset of, and less granular than, a root keyset, and further operable to identify a child dataset for a root dataset through the root dataset.
Dependent claims: 22-38.

39. A system for maintaining data on network activity for an intrusion detection system, comprising:
- means for storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination being a subset of, and less granular than, a root keyset; and
- means for identifying a child dataset of a root dataset through the root dataset.
Dependent claims: 40-46.

47. A method for maintaining data on Internet Protocol (IP) traffic for an intrusion detection system, comprising:
- storing data representative of network activity in datasets, the datasets including root datasets each having a quad keyset comprising a source address key, a source port key, a destination address key and a destination port key, and child datasets each having a dual keyset with a key combination derived from and less granular than a quad keyset of a root dataset;
- storing pointers for each root dataset, the pointers each identifying a child dataset having a dual keyset derived from the quad keyset of the root dataset and a sibling root dataset having a quad keyset that is the reverse of the quad keyset of the root dataset; and
- retrieving data for processing of a traffic signature by performing a single search for a root dataset having a quad keyset corresponding to the traffic signature and identifying relevant child and sibling root datasets through the pointers of the root dataset.
Dependent claim: 48.

49. A method for maintaining network activity data for an intrusion detection system, comprising:
- storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset;
- identifying a child dataset of a root dataset through the root dataset;
- receiving a traffic signature not having a root dataset;
- generating a root dataset having a root keyset representative of the traffic signature;
- identifying all existing child and sibling root datasets of the root dataset;
- generating all absent child and sibling root datasets of the root dataset; and
- associating the child and sibling root datasets with the root dataset.

50. A method for maintaining network activity data for an intrusion detection system, comprising:
- storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset;
- identifying a child dataset of a root dataset through the root dataset; and
- retrieving data for processing a traffic signature by searching a data storage system including the datasets for an existing root dataset having a root keyset corresponding to the traffic signature and identifying all child datasets, sibling root datasets, and child datasets of the sibling root datasets through the root dataset.

51. An intrusion detection system, comprising:
- logic encoded in computer-readable media;
- the logic operable to store data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset, and further operable to identify a child dataset for a root dataset through the root dataset; and
- the logic further operable to retrieve data for processing of a traffic signature by searching a data storage system including the datasets for an existing root dataset corresponding to the traffic signature and to identify all child datasets, sibling root datasets and child datasets of the root dataset and the sibling root dataset through the root dataset.

52. A system for maintaining data on network activity for an intrusion detection system, comprising:
- means for storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset;
- means for identifying a child dataset of a root dataset through the root dataset;
- means for receiving a traffic signature not having a root dataset;
- means for generating a root dataset having a root keyset representative of the traffic signature;
- means for identifying all existing child and sibling root datasets of the root dataset;
- means for generating absent child and sibling root datasets of the root dataset; and
- means for associating the child and sibling root datasets of the root dataset with the root dataset.

53. A system for maintaining data on network activity for an intrusion detection system, comprising:
- means for storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset;
- means for identifying a child dataset of a root dataset through the root dataset;
- means for retrieving data for processing of a traffic signature by searching a data storage system for an existing root dataset having a root keyset corresponding to the traffic signature; and
- means for identifying all child datasets, sibling root datasets, and child datasets of the root dataset through the root dataset.

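Claims 47, 49 and 50 together describe one data structure: a root dataset keyed by the full quad (source address, source port, destination address, destination port), child datasets keyed by a less granular subset of that quad, a sibling root keyed by the reversed quad, and pointers from the root so that one hash lookup on the quad reaches every related dataset. The Python below is an added example written for this page, not code from the patent or its assignee. Which dual keysets are kept, the packet and byte counters stored in each dataset, and the sample flows are all assumptions made here; the patent claims only that the child keysets are derived from and less granular than the quad.

```python
"""Toy root/child/sibling dataset store in the shape of claims 47, 49 and 50.
Added example; the dual keyset choices, counters and sample flows are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Quad keyset (claim 47): source address, source port, destination address, destination port.
Quad = Tuple[str, int, str, int]

# Dual keysets: 2-field subsets of the quad. Which subsets to keep is an assumption;
# each one is an aggregation point that many roots can share.
DUAL_FIELDS = {
    "src_addr+dst_addr": (0, 2),  # host pair, ports ignored
    "src_addr+dst_port": (0, 3),  # one source hitting one service anywhere
    "dst_addr+dst_port": (2, 3),  # one service on one host, any source
}


@dataclass
class Dataset:
    keyset: tuple
    packets: int = 0
    bytes: int = 0


@dataclass
class RootDataset(Dataset):
    children: Dict[str, Dataset] = field(default_factory=dict)  # pointers to child datasets
    sibling: Optional["RootDataset"] = None                     # pointer to reverse-quad root


def reverse(quad: Quad) -> Quad:
    """Sibling root keyset: the same quad with source and destination swapped."""
    return (quad[2], quad[3], quad[0], quad[1])


def dual_key(quad: Quad, name: str) -> tuple:
    return tuple(quad[i] for i in DUAL_FIELDS[name])


class ActivityStore:
    def __init__(self) -> None:
        self.roots: Dict[Quad, RootDataset] = {}
        self.children: Dict[tuple, Dataset] = {}  # keyed by (dual name, dual key)

    def _child(self, name: str, quad: Quad) -> Dataset:
        """Find an existing child dataset for this dual key, or generate it."""
        key = (name, dual_key(quad, name))
        if key not in self.children:
            self.children[key] = Dataset(keyset=key[1])
        return self.children[key]

    def _new_root(self, quad: Quad) -> RootDataset:
        root = RootDataset(keyset=quad)
        self.roots[quad] = root
        for name in DUAL_FIELDS:  # link every child through the root (claim 49)
            root.children[name] = self._child(name, quad)
        return root

    def get_or_create_root(self, quad: Quad) -> RootDataset:
        """Claim 49: for a signature with no root, generate the root, locate or
        generate its child and sibling datasets, and associate them with it."""
        root = self.roots.get(quad)
        if root is not None:
            return root
        root = self._new_root(quad)
        sibling = self.roots.get(reverse(quad)) or self._new_root(reverse(quad))
        root.sibling, sibling.sibling = sibling, root
        return root

    def record(self, quad: Quad, nbytes: int) -> None:
        """Account one packet to the root and to every child it points at."""
        root = self.get_or_create_root(quad)
        for ds in (root, *root.children.values()):
            ds.packets += 1
            ds.bytes += nbytes

    def lookup(self, quad: Quad) -> Optional[dict]:
        """Claim 50: a single search for the root, then children, the sibling root
        and the sibling's children are all reached through the root's pointers."""
        root = self.roots.get(quad)
        if root is None:
            return None
        sib = root.sibling
        return {"root": root, "children": root.children,
                "sibling": sib, "sibling_children": sib.children}


if __name__ == "__main__":
    # Constructed sample: three sources each open one connection to 192.0.2.5:80.
    store = ActivityStore()
    for i in (1, 2, 3):
        store.record((f"10.0.0.{i}", 40000 + i, "192.0.2.5", 80), 60)
    view = store.lookup(("10.0.0.1", 40001, "192.0.2.5", 80))
    print("root packets:", view["root"].packets)                       # 1
    print("service child:", view["children"]["dst_addr+dst_port"].packets)  # 3
```

The point the example makes concrete is that the `dst_addr+dst_port` child is shared by every root whose quad maps to the same dual key, so a per-service counter that a signature needs (many sources against one port) is already accumulated and reachable from any one flow's root without scanning the root table. Recording the reply direction finds the sibling root created on the forward flow rather than creating a new one.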
Specification