Comprehensive security structure platform for network managers

US 7,127,743 B1
Filed: 08/17/2000
Issued: 10/24/2006
Est. Priority Date: 06/23/2000
Status: Expired due to Term

First Claim

Patent Images

1. A computer system for detecting and monitoring network intrusion events from log data received from network service devices in a computer network, the computer system having discrete modules associated with a function performed on the log data received, the computer system comprising:

an event parser in communication with multiple network service devices, wherein the network service devices comprise a firewall, VPN (virtual private network) server or router, an e-mail server, or any combination of two or more thereof, the event parser being able to receive log data in real time from the device, the log data including information detailing a network intrusion event received from the network service device if an intrusion has occurred, the event parser being able to parse the information to create corresponding event objects concerning the intrusion events, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp;

an event manager in communication with the event parser, the event manager being able to receive the event objects, the event manager being configured to evaluate the event objects according to at least one predetermined threshold condition such that, when the event objects satisfy the predetermined threshold condition, the event manager designates the event objects to be broadcast in real time;

an event broadcaster in communication with the event manager for receiving event objects designated by the event manager for broadcast, the event broadcaster being able to transmit the event objects in real time, relative to the receipt of the log data, as an intrusion alarm; and

means for alerting a user that a network intrusion event has occurred.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment includes a computer system for detecting and monitoring network intrusion events from log data received from network service devices in a computer network. An embodiment may include an event parser in communication with multiple network service devices. The event parser may parse information to create corresponding event objects concerning intrusion events. The system may include an event manager in communication with the event parser. The event manager may be configured to evaluate the event objects according to at least one predetermined threshold condition. The system may include an event broadcaster in communication with the event manager for receiving event objects designated by the event manager for broadcast. The event broadcaster may be able to transmit the event objects in real time. The system may also include means for alerting the user that a network intrusion event has occurred.

Citations

43 Claims

1. A computer system for detecting and monitoring network intrusion events from log data received from network service devices in a computer network, the computer system having discrete modules associated with a function performed on the log data received, the computer system comprising:
- an event parser in communication with multiple network service devices, wherein the network service devices comprise a firewall, VPN (virtual private network) server or router, an e-mail server, or any combination of two or more thereof, the event parser being able to receive log data in real time from the device, the log data including information detailing a network intrusion event received from the network service device if an intrusion has occurred, the event parser being able to parse the information to create corresponding event objects concerning the intrusion events, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp;
  
  an event manager in communication with the event parser, the event manager being able to receive the event objects, the event manager being configured to evaluate the event objects according to at least one predetermined threshold condition such that, when the event objects satisfy the predetermined threshold condition, the event manager designates the event objects to be broadcast in real time;
  
  an event broadcaster in communication with the event manager for receiving event objects designated by the event manager for broadcast, the event broadcaster being able to transmit the event objects in real time, relative to the receipt of the log data, as an intrusion alarm; and
  
  means for alerting a user that a network intrusion event has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The computer system of claim 1 wherein the means for alerting the user that a network intrusion event has occurred is a graphical user interface in communication with the event broadcaster, the graphical user interface comprising a display screen for displaying an intrusion alarm and the information contained within the corresponding event object received from the event broadcaster.
  - 3. The computer system of claim 2 wherein the graphical user interface display screen comprises an alarm console, coupled to the event broadcaster, configured to display intrusion alarms, and a report console, coupled to the report servlet, configured to execute queries input by a user and display results, wherein the alarm console and event broadcaster are displayed simultaneously on the display screen.
  - 4. The computer system of claim 3 wherein the graphical user interface displays the status of network security devices in real time.
  - 5. The computer system of claim 4 wherein the graphical user interface displays the status of network security devices in summary lines, said summary lines comprising hypertext links providing access to further data.
  - 6. The computer system of claim 5 wherein the graphical user interface displays the status of network security devices in a color coded format where said color designates a particular status level for the particular device.
  - 7. The computer system of claim 3 further comprising a chat manager accessible to a user from the alarm console for executing electronic communications links between the user and others having an electronic communications link to the computer system.
  - 8. The computer system of claim 7 wherein the electronic communications link is an on-line link established through a web browser interface.
  - 9. The computer system of claim 1 wherein the information contained within the event object is read by the event manager and assigned a severity level corresponding to the event type information contained within the event object, and the predetermined threshold condition is the assigned severity level.
  - 10. The computer system of claim 9 wherein the severity level is one of seven categories for types of events contained within event objects.
  - 11. The computer system of claim 1 further comprising an event aggregator module and wherein the event parser is housed within the event aggregator module, and log data from a multiplicity of network device sources is received by the event parser.
  - 12. The computer system of claim 11 wherein the event parser reads log data posted in extensible markup language.
  - 13. The computer system of claim 3 wherein the report console is further configured to display query result data in summary lines, said summary lines comprising hypertext links providing access to further data.
  - 14. The computer system of claim 3 wherein the alarm console displays intrusion alarms in summary lines, said summary lines comprising hypertext links providing access to further data.
  - 15. The computer system of claim 1 further comprising a plurality of event parsers wherein each event parser is configured to receive log data from a predetermined network service device, the plurality of parsers each coupled to the event manager.
  - 16. The computer system of claim 2 wherein the graphic user interface is configured to allow a user to initiate queries, and the computer system further comprises:
    - means for storing event objects, said means coupled to the event parsers;
      
      a report servlet coupled to the graphic user interface, the report servlet for recalling stored event objects in response to user queries from the graphic user interface and displaying recalled event objects on the graphic user interface display screen;
      
      an application reporter coupled to the report servlet for receiving and processing user queries and for performing searches of stored event objects; and
      
      a database accessible by the application reporter, for holding stored event objects, the database configured to recall event objects in response to searches executed by the application reporter.
  - 17. The computer system of claim 16 wherein the computer system is one of a multiplicity of computer systems each having a graphic user interface and the computer system further comprises a central graphic user interface which accesses at least one of the graphic user interfaces of the multiplicity of computer systems.
  - 18. The computer system of claim 17 wherein the central graphic user interface accesses at least one of the report servlets of the multiplicity of computer systems and communicates with at least one of the databases of the multiplicity of computer systems.
  - 19. The computer system of claim 1 further comprising:
    - a network port to receive log data having a conforming message format from at least one network service device;
      
      means for transmitting the log data having a conforming message format to the event parsers, said means coupled to the network port; and
      
      a reporting agent coupled to the network port for collecting log data having a non-conforming message format from the at least one network service device and converting the log data to a conforming message format.
  - 20. The computer system of claim 19 further comprising means for filtering log data received at the network port according to one or more predetermined conditions so as to restrict receipt of corresponding log data by said transmitting means.
  - 21. The computer system of claim 20 wherein the predetermined conditions are application name, host name, internal device alarm identifications, source address, destination address, destination port, and protocol.
  - 22. The computer system of claim 19 wherein the conforming message format is syslog.
  - 23. The computer system of claim 1 further comprising means for filtering event objects received by the event manager according to one or more predetermined conditions so as to restrict the field of event objects designated for broadcast.
  - 24. The computer system of claim 23 wherein the predetermined conditions are application name, host name, event severity, internal device alarm identifications, source address, destination address, destination port, and protocol.
  - 25. The method of claim 1, wherein the event object comprises an application.
  - 26. The method of claim 1, wherein the event object comprises an event time stamp.
  - 27. The method of claim 1, wherein the event object comprises an application time stamp.
  - 28. The method of claim 1, wherein the event object comprises an address associated with the event.
  - 29. The method of claim 1, wherein the address comprises a source IP address of the event.
  - 30. The method of claim 1, wherein the event object comprises an event duration.
  - 31. The method of claim 1, wherein the event object comprises an identification number assigned by the reporting device.

32. A method for detecting and monitoring network intrusion events from log data received from network service devices in a computer network comprising the steps of:
- receiving log data in real time, the log data including information detailing at least one network intrusion event received from the network service devices, wherein the network service devices comprise a firewall, VPN (virtual private network) server or router, an e-mail server, or any combination of two or more thereof;
  
  parsing the log data information to create corresponding event objects, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp; and
  
  evaluating the event objects according to at least one predetermined threshold condition;
  
  where the information contained within the event objects satisfies the predetermined threshold condition, broadcasting the event object as an intrusion alarm in real time, relative to the receipt of the log data, to a display screen on a graphic user interface.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 33. The method of claim 32 wherein the graphic user interface is configured to allow a user to initiate queries, and the method further comprises the steps of:
    - storing event objects to a database accessible by an application reporter, the database for holding stored event objects, and the database configured to recall event objects in response to searches performed by the application reporter in response to user queries; and
      
      recalling stored event objects in response to user queries from the graphic user interface and displaying recalled event objects on the graphic user interface display screen.
  - 34. The method of claim 33 further comprising the steps of:
    - receiving log data in a conforming message format at a network port;
      
      transmitting the log data in a conforming message format to event parsers;
      
      collecting log data in a non-conforming message format by executing a reporting agent; and
      
      converting the log data to a conforming message format.
  - 35. The method of claim 34 wherein the conforming message format is syslog.
  - 36. The method of claim 33 wherein the stored event object is displayed as a hypertext link to further event object information and the method further comprises using a display screen interface device to open the hypertext link to reveal further event object information on at least one successive display screen frameset.
  - 37. The method of claim 32 further comprising the step of filtering log data received according to one or more predetermined conditions so as to restrict the receipt of corresponding log data.
  - 38. The method of claim 37 wherein the predetermined conditions are application name, host name, internal device alarm identifications, source address, destination address, destination port, and protocol.
  - 39. The method of claim 32 further comprising the step of opening an electronic communications link to other users on the computer system.
  - 40. The method of claim 39 further comprising the step of sending an electronic message over the communications link to other users regarding an intrusion alarm.
  - 41. The method of claim 32 wherein the event object intrusion alarm is displayed as a hypertext link to further event object information and the method further comprises using a display screen interface device to open the hypertext link to reveal further event object information on at least one successive display screen frameset.

42. A computer system for detecting and monitoring network intrusion events from log data received from network service devices in a computer network, the computer system having discrete modules associated with a function performed on the log data received, the computer system comprising:
- an event parser in communication with multiple network service devices, wherein the network service devices comprise a firewall, VPN (virtual private network) server or router, an e-mail server, or any combination of two or more thereof, the event parser being able to receive log data in real time from the devices, the log data including information detailing a network intrusion event received from the network service devices if an intrusion has occurred, the event parser being able to parse the information to create corresponding event objects concerning the intrusion events, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp;
  
  an event aggregator, the event aggregator being able to filter the event objects based on event type and severity;
  
  an event manager in communication with the event aggregator, the event manager being able to receive the event object, the event manager being configured to evaluate the event object according to at least one predetermined threshold condition such that, when the event object satisfies the predetermined threshold condition, the event manager designates the event object to be broadcast in real time;
  
  an event broadcaster in communication with the event manager for receiving event objects designated by the event manager for broadcast, the event broadcaster being able to transmit the event object in real time, relative to the receipt of the log data, as an intrusion alarm; and
  
  means for alerting a user that a network intrusion event has occurred.

43. A method for detecting and monitoring network intrusion events from log data received from network service devices in a computer network, wherein the network service devices comprise a firewall, VPN (virtual private network) server or router, an e-mail server, or any combination of two or more thereof, comprising the steps of:
- receiving log data in real time from multiple network security devices, the log data including information detailing at least network intrusion events received from the network service devices;
  
  parsing the log data information to create corresponding event objects, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp;
  
  filtering the event objects based on event type and severity; and
  
  evaluating the event objects according to at least one predetermined threshold condition;
  
  where the information contained within an event object satisfies the predetermined threshold condition, broadcasting the event object as an intrusion alarm in real time, relative to the receipt of the log data, to a display screen on a graphic user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BlackStratus, Inc., LOG Storm Security, Inc.
Original Assignee
Netforensics Incorporated
Inventors
Amaratunge, Dhani, Asthana, Rishi, Hanrahan, Kevin, Pogaku, Shirisha, Samavenkata, K. V. Rao, Ghildiyal, Amit, Khanolkar, Rajeev, Ved, Niten, Azim, Ozakil, Hamid, Aral-Rarsh
Primary Examiner(s)
Arani, Taghi T.

Application Number

US09/640,606
Time in Patent Office

2,259 Days
Field of Search

713/201, 726/23, 726/22, 726/1, 709/223, 709/224
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1408 by monitoring network traff...

Comprehensive security structure platform for network managers

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Comprehensive security structure platform for network managers

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links