Message parsing in a network security system

US 7,844,999 B1
Filed: 03/01/2005
Issued: 11/30/2010
Est. Priority Date: 03/01/2005
Status: Active Grant

First Claim

Patent Images

1. A method performed by a distributed agent of a network security system, the method comprising:

accessing a message in a message log, wherein the message log associates a host identifier with the message, the host identifier being an identifier of a host that sent the message to the message log;

accessing a host-specific list of multiple parsers associated with the host identifier associated with the message;

the agent attempting to parse the message using a first parser in the host-specific list;

responsive to unsuccessful parsing using the first parser, attempting to parse the message using a second parser in the host-specific list;

responsive to unsuccessful parsing using all the parsers in the host-specific list;

attempting to parse the message using a parser in a comprehensive list of multiple parsers; and

responsive to successful parsing using the parser in the comprehensive list, adding the parser to the host-specific list.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Device discovery can be made efficient using certain embodiments of the present invention. In one embodiment, the present invention includes accessing a message in a message log, wherein the message log associates a host identifier with the message, the host identifier being an identifier of a host that sent the message to the message log. Then a list of parsers associated with the host identifier associated with the message can be accessed and parsing the message using parsers from the list of parsers associated with the host identifier can be attempted. If the parsing is unsuccessful, a device type of an originator of the message can be discovered, and a parser associated with the discovered device type can be added to the list of parsers associated with the host identifier.

100 Citations

View as Search Results

30 Claims

1. A method performed by a distributed agent of a network security system, the method comprising:
- accessing a message in a message log, wherein the message log associates a host identifier with the message, the host identifier being an identifier of a host that sent the message to the message log;
  
  accessing a host-specific list of multiple parsers associated with the host identifier associated with the message;
  
  the agent attempting to parse the message using a first parser in the host-specific list;
  
  responsive to unsuccessful parsing using the first parser, attempting to parse the message using a second parser in the host-specific list;
  
  responsive to unsuccessful parsing using all the parsers in the host-specific list;
  
  attempting to parse the message using a parser in a comprehensive list of multiple parsers; and
  
  responsive to successful parsing using the parser in the comprehensive list, adding the parser to the host-specific list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the message log comprises a text-based message log.
  - 3. The method of claim 2, wherein the message log comprises a Syslog.
  - 4. The method of claim 1, wherein the host identifier comprises an Internet protocol (IP) address.
  - 5. The method of claim 1, further comprising:
    - detecting that a timer associated with the host has run; and
      
      in response to having detected the running of the timer, attempting to parse the message using a parser in the comprehensive list.
  - 6. The method of claim 5, further comprising responsive to successful parsing using the parser in the comprehensive list, adding the parser in the comprehensive list to the host-specific list if the parser associated with the successful parsing of the message was not already on the host-specific list of multiple parsers.
  - 7. The method of claim 1, further comprising building a normalized event using the parsed message.
  - 8. The method of claim 7, wherein building the normalized event further uses the host identifier.
  - 9. The method of claim 1, wherein attempting to parse the message using the parsers from the host-specific list of multiple parsers proceeds according to a hierarchy of more specific parsers to more general parsers.
  - 10. The method of claim 9, wherein adding the parser associated with the successful parsing of the message to the host-specific list of multiple parsers comprises adding the parser in a manner that respects the hierarchy of the host-specific list.
  - 11. The method of claim 1, wherein attempting to parse the message using the parsers from the comprehensive list of multiple parsers proceeds according to a hierarchy of more specific parsers to more general parsers.

12. A distributed agent for a network security system, the distributed agent comprising:
- a log interface coupled to a message log to read a message and a host identifier of the sender of the message from the message log into the distributed agent;
  
  a parser database stored on a non-transitory machine-readable medium containing a host-specific list of multiple parsers associated with the host identifier;
  
  an event builder module coupled to the log interface and the parser database to attempt to parse the message using a first parser from the host-specific list of multiple parsers, and responsive to unsuccessful parsing using the first parser, the event builder configured to parse the message using a second parser in the host-specific list; and
  
  a device detection module to attempt to parse the message using a parser in a comprehensive list of multiple parsers in case the attempted parsing using the parsers in the host-specific list is unsuccessful for all parsers, and responsive to successfully parsing the message with a parser in the comprehensive list, the device detection module configured to add the parser to the host-specific list.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The distributed agent of claim 12, wherein the event builder module is further configured to build a normalized event by using the parsed message.
  - 14. The distributed agent of claim 12, wherein the message log comprises a text-based message log.
  - 15. The distributed agent of claim 14, wherein the message log comprises a Syslog.
  - 16. The distributed agent of claim 12, wherein the host identifier comprises an Internet protocol (IP) address.
  - 17. The distributed agent of claim 12, wherein the event builder module directs the device detection module to attempt to parse the message using a parser in the comprehensive list in response to having detected the running of a timer associated with the host identifier.
  - 18. The distributed agent of claim 12, wherein the host-specific list of multiple parsers in the parser database is organized according to a hierarchy of more specific parsers to more general parsers.
  - 19. The distributed agent of claim 12, wherein the comprehensive list of multiple parsers in the parser database is organized according to a hierarchy of more specific parsers to more general parsers.

20. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- accessing a message in a message log, wherein the message log associates a host identifier with the message, the host identifier being an identifier of a host that sent the message to the message log;
  
  accessing a host-specific list of multiple parsers associated with the host identifier associated with the message;
  
  attempting to parse the message using a first parser in the host-specific list;
  
  responsive to unsuccessful parsing using the first parser, attempting to parse the message using a second parser in the host-specific list;
  
  responsive to unsuccessful parsing using all the parsers in the host-specific list;
  
  attempting to parse the message using a parser in a comprehensive list of multiple parsers; and
  
  responsive to successful parsing using the parser in the comprehensive list, adding the parser to the host-specific list.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 21. The non-transitory machine-readable medium of claim 20, wherein the message log comprises a text-based message log.
  - 22. The machine-readable medium of claim 21, wherein the message log comprises a Syslog.
  - 23. The non-transitory machine-readable medium of claim 20, wherein the host identifier comprises an Internet protocol (IP) address.
  - 24. The non-transitory machine-readable medium of claim 20, wherein the instructions further cause the processor to detect that a timer associated with the host has run, and in response to having detected the running of the timer, attempt to parse the message using a parser in the comprehensive list.
  - 25. The non-transitory machine-readable medium of claim 24, wherein the instructions further cause the processor to add the parser in the comprehensive list, where the parser results in successful parsing of the message, to the host-specific list of multiple parsers if the parser associated with the successful parsing of the message were not already on the host-specific list of multiple parsers.
  - 26. The non-transitory machine-readable medium of claim 20, wherein the instructions further cause the processor to build a normalized event using the parsed message.
  - 27. The non-transitory machine-readable medium of claim 26, wherein building the normalized event further uses the host identifier.
  - 28. The non-transitory machine-readable medium of claim 20, wherein attempting to parse the message using the parsers from the host-specific list of multiple parsers proceeds according to a hierarchy of more specific parsers to more general parsers.
  - 29. The non-transitory machine-readable medium of claim 28, wherein adding the parser associated with the successful parsing of the message to the host-specific list of multiple parsers comprises adding the parser in a manner that respects the hierarchy of the host-specific list.
  - 30. The non-transitory machine-readable medium of claim 20, wherein attempting to parse the message using the parsers from the comprehensive list of multiple parsers proceeds according to a hierarchy of more specific parsers to more general parsers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Subrahmanyam, Rajiv, Aguilar-Macias, Hector
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
Su; Sarah

Application Number

US11/070,024
Time in Patent Office

2,100 Days
Field of Search

726/3, 726/11, 726/23, 713/151, 719/317, 719/318, 709/224, 709/225
US Class Current

726/3
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2129   Authenticate client device ...

G06F 2221/2151   Time stamp

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

Message parsing in a network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Message parsing in a network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links