Detection of network security breaches based on analysis of network record logs
Abstract
Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.
Claims (42)
1. A method, implemented in a first network device, of inspecting logs of security records in a computer network, the method comprising:
receiving security log records from a plurality of network security devices, at the first network device;
processing the log records, including deriving keys to a table, wherein individual keys of the table are tagged with a time stamp;
determining data values from information in the log records and adding a data value including a tag field to a list of data values associated with a key if the data value is not in the list of data values associated with the key, wherein the time stamp and the tag field differ and the tag field indicates that the key has been modified by the addition of the data value since a prior evaluation;
retrieving entries of the table not having the tag field;
retrieving entries of the table having the tag field;
evaluating only those entries of the table having the tag field based on predetermined criteria to detect attempted security breaches; and
resetting the tag field upon the evaluating to indicate that the key has been evaluated since a prior modification and updating the time stamp.
Dependent claims: 2, 3, 4, 5, 6.
7. A method of inspecting logs of security records in a computer network, comprising:
retrieving log records from a plurality of network security devices;
hashing, for each of the log records, one or more fields of the log record to generate a hash key;
evaluating a hash table using the hash key;
if there is no matching hash table entry, adding a new entry to the hash table;
if there is a matching hash table entry, retrieving a data list associated with the hash table entry;
using, for each of the log records, one or more fields of the log record to compute a data value;
comparing the data value with entries in the data list to determine if there are any matching entries;
inserting the data value into the data list if there are no matching entries, wherein the data value includes a tag field and a time stamp that differ, wherein the tag field indicates that the hash key has been modified by the insertion of the data value since a prior evaluation;
retrieving entries of the hash table which do not have the tag field;
retrieving entries of the hash table which do have the tag field;
evaluating the data value based on predetermined criteria to detect attempted security breaches;
resetting the tag field to indicate that the hash key has been evaluated since a prior modification; and
updating the time stamp.
Dependent claims: 8 to 20.
21. A method of inspecting a log of security records in a computer network, comprising:
retrieving log records from a plurality of network security devices;
hashing, for each of the log records, one or more fields of the log record to generate a hash key;
evaluating a hash table using the hash key;
if there is no matching hash table entry, adding a new entry to the hash table;
if there is a matching hash table entry, retrieving a data list associated with the table entry;
using, for each of the log records, one or more fields of the log record to compute a data value to be inserted into the data list;
evaluating the data list to determine whether the data value is included in the data list; and
inserting the data value in the data list when the data value is not included in the data list and tagging the inserted data value with a time stamp associated with a predetermined time of expiration and with a tag field indicating that the data list has been modified by the insertion of the data value since a prior evaluation.
22. A computer program product, tangibly embodied in a machine-readable storage medium, the computer program product comprising instructions operable to cause a data processing apparatus in a first network device to:
receive log records from a plurality of network security devices, at the first network device;
process the log records, including deriving keys to a table;
determine data values from information in the log records and add a data value including a time stamp and a tag field to a list of data values associated with a key if the data value is not in the list of data values associated with the key, wherein the time stamp and the tag field differ and the tag field indicates that the key has been modified by the addition of the data value since a prior evaluation;
retrieve entries of the table not having the tag field;
retrieve entries of the table having the tag field;
evaluate only those entries of the table having respective tag fields based on predetermined criteria to detect attempted security breaches;
reset the tag fields to indicate that the keys have been evaluated since a prior modification; and
update the time stamps of the evaluated entries.
Dependent claims: 23, 24, 25, 26, 27.
28. A computer program product, tangibly embodied in a machine-readable storage medium, the computer program product comprising instructions operable to cause a data processing apparatus to:
retrieve log records from a plurality of network devices;
hash, for each of the log records, one or more fields of the log record to generate a hash key;
evaluate a hash table using the hash key;
if there is no matching hash table entry, add a new entry to the hash table;
if there is a matching hash table entry, retrieve a data list associated with the hash table entry;
use, for each of the log records, one or more fields of the log record to compute a data value;
compare the data value with entries in the data list to determine if there are any matching entries;
insert the data value and an associated tag field and a time stamp into the data list if there are no matching entries, wherein the time stamp and the tag field differ and the tag field indicates that the hash key has been modified by the insertion of the data value since a prior evaluation;
retrieve entries of the table that do not have the tag field;
retrieve entries of the table that have the tag field;
evaluate only those data values of the data list having the associated tag field based on predetermined criteria to detect attempted security breaches;
reset the respective tag field to indicate that the hash key has been evaluated since a prior modification; and
update the time stamp of the evaluated data values.
Dependent claims: 29 to 41.
42. A computer program product, tangibly embodied in a machine-readable storage medium, for inspecting a log of security records in a computer network, the computer program product comprising instructions operable to cause a data processing apparatus to:
retrieve log records from a plurality of network security devices;
hash, for each of the log records, one or more fields of the log record to generate a hash key;
evaluate a hash table using the hash key;
if there is no matching hash table entry, add a new entry to the hash table;
if there is a matching hash table entry, retrieve a data list associated with the hash table entry;
use, for each of the log records, one or more fields of the log record to compute a data value to be inserted into the data list;
evaluate the data list to determine whether the data value is included in the data list; and
insert the data value in the data list when the data value is not included in the data list, wherein the data value is tagged with a time stamp associated with a predetermined time of expiration and with a tag field to indicate that the data list has been modified by the insertion of the data value since a prior evaluation.
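The independent claims above (1, 7, 21, 22, 28 and 42) all describe the same data structure: log fields are hashed into a key, each key owns a list of distinct data values, every insertion of a new value sets a tag on the key and stamps the value with an expiration time, and only tagged keys are evaluated before the tag is cleared. The following Python implementation is an added example written for this page; it is not code from the patent, and the claims do not name any concrete "predetermined criteria". The criterion used here (a source address that has touched at least five distinct destination/port pairs, a crude port-scan indicator), the field names, the SHA-256 key derivation, the 60-second expiration and the sample records are all assumptions made for the example.

```python
"""Tagged hash-table log inspector, an added example modelled on the claims above."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

# Constructed sample records (fields already parsed out of firewall deny lines).
# These are made up for the example; they are not from the patent.
SAMPLE_LOGS = [
    {"device": "fw1", "src": "10.0.0.5", "dst": "192.0.2.10", "dport": p, "ts": 1000.0 + i}
    for i, p in enumerate([22, 23, 25, 80, 443, 8080])
] + [
    {"device": "fw2", "src": "10.0.0.7", "dst": "192.0.2.10", "dport": 443, "ts": 1010.0},
    # same data value again: must not re-tag the key
    {"device": "fw2", "src": "10.0.0.7", "dst": "192.0.2.10", "dport": 443, "ts": 1011.0},
]


@dataclass
class DataValue:
    value: Tuple
    tag: bool            # set on insertion, cleared by evaluate()
    expires_at: float    # time stamp tied to a predetermined expiration (claim 21 style)


@dataclass
class Entry:
    key_fields: Tuple
    values: Dict[Tuple, DataValue] = field(default_factory=dict)  # the "data list"
    tag: bool = False          # key modified since the last evaluation
    last_evaluated: float = 0.0


class LogInspector:
    """key_fields are hashed into the table key; value_fields form the data value."""

    def __init__(self, key_fields: Sequence[str], value_fields: Sequence[str],
                 ttl: float, threshold: int):
        self.key_fields = tuple(key_fields)
        self.value_fields = tuple(value_fields)
        self.ttl = ttl                # assumed expiration window in seconds
        self.threshold = threshold    # assumed criterion: distinct values per key
        self.table: Dict[str, Entry] = {}

    def hash_key(self, rec: dict) -> str:
        material = "\x1f".join(str(rec[f]) for f in self.key_fields)
        return hashlib.sha256(material.encode()).hexdigest()

    def ingest(self, rec: dict) -> bool:
        """Insert the record's data value; return True only if it was new."""
        key = self.hash_key(rec)
        entry = self.table.get(key)
        if entry is None:
            entry = Entry(key_fields=tuple(rec[f] for f in self.key_fields))
            self.table[key] = entry
        value = tuple(rec[f] for f in self.value_fields)
        if value in entry.values:
            return False          # duplicate: list unchanged, tag untouched
        entry.values[value] = DataValue(value, True, rec["ts"] + self.ttl)
        entry.tag = True
        return True

    def evaluate(self, now: float) -> List[dict]:
        """Evaluate only tagged entries, then clear their tags and stamp them."""
        alerts = []
        for entry in self.table.values():
            if not entry.tag:
                continue
            distinct = len(entry.values)
            if distinct >= self.threshold:
                alerts.append({"key": entry.key_fields, "distinct": distinct,
                               "values": sorted(entry.values)})
            for dv in entry.values.values():
                dv.tag = False
            entry.tag = False
            entry.last_evaluated = now
        return alerts

    def expire(self, now: float) -> int:
        """Drop data values whose expiration time has passed; return the count."""
        removed = 0
        for key in list(self.table):
            entry = self.table[key]
            stale = [v for v, dv in entry.values.items() if dv.expires_at <= now]
            for v in stale:
                del entry.values[v]
            removed += len(stale)
            if not entry.values:
                del self.table[key]
        return removed


def run_demo() -> List[dict]:
    """Key on source address; flag a source reaching 5+ distinct (dst, dport) pairs."""
    insp = LogInspector(("src",), ("dst", "dport"), ttl=60.0, threshold=5)
    for rec in SAMPLE_LOGS:
        insp.ingest(rec)
    return insp.evaluate(now=1012.0)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two properties of the claimed design are worth checking in practice: a repeated data value must leave the key untagged, so a chatty but unchanging source costs nothing at evaluation time, and a key that was evaluated once must be re-evaluated only after a genuinely new value arrives. The expiration sweep is the natural use of the "entries not having the tag field" pass, since those are the keys that nothing else will visit.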