Automated change detection within a network environment
Abstract
A correlation database stores profiling data that describes packet flows within a network. A network device presents a user interface by which a user defines a database trigger to detect database operations that change the profiling data stored within the correlation database. The network device may maintain a log to record the detected database operations. The database trigger may specify a combination of low-level network elements associated with the packet flows and application-layer elements extracted from application-layer communications reassembled from the packet flows.
19 Claims
1. A method comprising:
- processing, with an intrusion detection device, packet flows to identify low-level network elements associated with the packet flows, wherein the low-level network elements describe one or more network devices of a network;
- assembling application-layer communications from the packet flows with protocol-specific decoders;
- processing the application-layer communications with the protocol-specific decoders to identify application-layer elements;
- analyzing the application-layer communications to determine whether any of the packet flows represent a network attack and, for each of the packet flows, forwarding the packet flow only when the packet flow does not represent a network attack;
- generating profiling data that associates the application-layer elements of the application-layer communications with the low-level network elements of the packet flows;
- maintaining, within the intrusion detection device, a correlation database that stores the profiling data describing the packet flows within the network;
- defining a database trigger for the correlation database to detect database operations that have changed the profiling data stored within the correlation database, wherein the database trigger is defined to detect database operations that have utilized a specified combination of the low-level network elements and the application-layer elements, such that the database trigger fires when changes are made to the network devices of the network that are determined to expose the network to security risks; and
- maintaining, within the intrusion detection device, a log to record the detected database operations by updating the log when the database trigger fires to record in the log the database operation that fired the database trigger.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 16, 17, 18, 19.
9. A system comprising:
- a flow analysis module to process packet flows and identify low-level network elements associated with the packet flows in a network, wherein the low-level network elements describe one or more network devices of the network;
- an analysis engine to form application-layer communications from the packet flows;
- a plurality of protocol-specific decoders to process the application-layer communications to generate application-layer elements and to assemble application-layer communications from the packet flows, and to analyze the application-layer communications to determine whether any of the packet flows represent a network attack;
- a forwarding component to, for each of the packet flows, forward the packet flow only when the packet flow does not represent a network attack, as determined by the plurality of protocol-specific decoders;
- a profiler to generate profiling data by correlating the application-layer elements of the application-layer communications with the low-level network elements of the packet flows;
- a correlation database that stores profiling data that describes the packet flows within the network;
- a network device that presents a user interface by which a user defines a database trigger to detect database operations that have changed the profiling data stored within the correlation database, wherein the user interface allows the user to define the database trigger by specifying a combination of the low-level network elements and the application-layer elements that the detected database operations have utilized, such that the database trigger fires when changes are made to the network devices of the network that are determined to expose the network to security risks; and
- a log file maintained by the network device, wherein the network device records the detected database operations in the log file, and wherein the network device updates the log when the database trigger fires to record in the log the database operation that fired the database trigger.

Dependent claims: 10, 11, 12, 13, 14.
15. A computer-readable storage medium comprising instructions that cause a programmable processor within a network device to:
- process packet flows to identify low-level network elements associated with the packet flows, wherein the low-level network elements describe one or more network devices of a network;
- assemble application-layer communications from the packet flows with protocol-specific decoders;
- process the application-layer communications with the protocol-specific decoders to identify application-layer elements;
- analyze the application-layer communications to determine whether any of the packet flows represent a network attack and, for each of the packet flows, forward the packet flow only when the packet flow does not represent a network attack;
- generate profiling data that associates the application-layer elements of the application-layer communications with the low-level network elements of the packet flows;
- present a user interface by which a user defines a database trigger to detect database operations that have changed the profiling data stored within a correlation database, wherein the profiling data describes packet flows within the network, wherein the database trigger is defined to detect database operations that have utilized a specified combination of the low-level network elements and the application-layer elements, such that the database trigger fires when changes are made to the network devices of the network that are determined to expose the network to security risks; and
- maintain a log to record the detected database operations by updating the log when the database trigger fires to record in the log the database operation that fired the database trigger.
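The claims above turn on one mechanism: profiling data that ties low-level network elements to application-layer elements is kept in a correlation database, a database trigger is defined over a specified combination of both kinds of element, and when a database operation changes the profiling data in a way that matches, the operation itself is recorded in a log. The following Python/SQLite example is added here to illustrate that mechanism; it is not code from the patent or its assignee. The table layout, the two trigger conditions used as the "specified combination" (a cleartext FTP or Telnet service appearing on a device over TCP, and the web server software on a device's TCP port 80 changing), the `record_profile` function and the `SAMPLE_FLOWS` decoder output are all constructed for the illustration.

```python
"""Added illustration (not the patent's code): a correlation database whose
database trigger logs the operation that fired it.

Constructed for this example: the 'profile' table (low-level elements host,
port, transport combined with application-layer elements app_proto and
app_element), the two trigger policies, and SAMPLE_FLOWS, which stands in
for the output of the protocol-specific decoders.
"""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE profile (
    host        TEXT    NOT NULL,  -- low-level element: device address
    port        INTEGER NOT NULL,  -- low-level element: server port
    transport   TEXT    NOT NULL,  -- low-level element: tcp/udp
    app_proto   TEXT    NOT NULL,  -- application-layer element: decoded protocol
    app_element TEXT,              -- application-layer element: e.g. HTTP Server header
    PRIMARY KEY (host, port, transport)
);

CREATE TABLE change_log (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    operation   TEXT NOT NULL,     -- the database operation that fired the trigger
    host        TEXT,
    port        INTEGER,
    app_proto   TEXT,
    app_element TEXT
);

-- Trigger 1 (constructed policy): a cleartext admin service appears on a device.
-- Combination of a low-level element (transport) and an application-layer element.
CREATE TRIGGER cleartext_service_added AFTER INSERT ON profile
WHEN NEW.transport = 'tcp' AND NEW.app_proto IN ('ftp', 'telnet')
BEGIN
    INSERT INTO change_log (operation, host, port, app_proto, app_element)
    VALUES ('INSERT', NEW.host, NEW.port, NEW.app_proto, NEW.app_element);
END;

-- Trigger 2 (constructed policy): web server software on a device's port 80 changes.
-- Combination of a low-level element (port) and application-layer elements.
CREATE TRIGGER web_server_changed AFTER UPDATE OF app_element ON profile
WHEN NEW.port = 80 AND NEW.app_proto = 'http' AND NEW.app_element IS NOT OLD.app_element
BEGIN
    INSERT INTO change_log (operation, host, port, app_proto, app_element)
    VALUES ('UPDATE', NEW.host, NEW.port, NEW.app_proto, NEW.app_element);
END;
"""


def open_correlation_db() -> sqlite3.Connection:
    """Create an in-memory correlation database with the schema and triggers above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_profile(conn: sqlite3.Connection, host: str, port: int, transport: str,
                   app_proto: str, app_element: Optional[str]) -> Optional[str]:
    """Store one decoded flow's profiling data.

    Returns the database operation performed ('INSERT', 'UPDATE', or None when
    the observation matches what is already stored). The triggers, not this
    function, decide whether the operation is written to change_log.
    """
    key = (host, port, transport)
    row = conn.execute(
        "SELECT app_proto, app_element FROM profile "
        "WHERE host = ? AND port = ? AND transport = ?", key).fetchone()
    if row is None:
        conn.execute("INSERT INTO profile VALUES (?, ?, ?, ?, ?)",
                     (host, port, transport, app_proto, app_element))
        return "INSERT"
    if row == (app_proto, app_element):
        return None  # nothing changed: no operation, so no trigger can fire
    conn.execute("UPDATE profile SET app_proto = ?, app_element = ? "
                 "WHERE host = ? AND port = ? AND transport = ?",
                 (app_proto, app_element) + key)
    return "UPDATE"


def read_log(conn: sqlite3.Connection) -> List[Tuple]:
    """Return the logged operations in the order the triggers fired."""
    return conn.execute("SELECT operation, host, port, app_proto, app_element "
                        "FROM change_log ORDER BY id").fetchall()


# Constructed decoder output: (host, port, transport, app_proto, app_element).
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, "tcp", "http", "nginx/1.18.0"),   # baseline web server: no match
    ("10.0.0.5", 21, "tcp", "ftp", "vsFTPd 3.0.3"),    # cleartext FTP appears: trigger 1
    ("10.0.0.5", 80, "tcp", "http", "nginx/1.18.0"),   # repeat observation: no change
    ("10.0.0.5", 80, "tcp", "http", "Apache/2.4.41"),  # server software changed: trigger 2
    ("10.0.0.7", 23, "tcp", "telnet", None),           # telnet on another device: trigger 1
]


def run_demo() -> List[Tuple]:
    """Feed the sample flows through the correlation database and return the log."""
    conn = open_correlation_db()
    for flow in SAMPLE_FLOWS:
        record_profile(conn, *flow)
    return read_log(conn)


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Running the script logs three of the five observations: the FTP insert, the port-80 update and the Telnet insert. The repeated nginx observation produces no database operation at all, so no trigger can fire, and the first nginx insert does not match either trigger's combination of elements. Keeping the risk policy in the trigger's `WHEN` clause rather than in application code is what lets the log record the exact operation that fired, which is the point of the claimed arrangement.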
Specification