Comprehensive security structure platform for network managers

US 7,877,804 B2
Filed: 09/07/2006
Issued: 01/25/2011
Est. Priority Date: 06/23/2000
Status: Active Grant

First Claim

Patent Images

1. A computer system for detecting and monitoring network intrusion events from log data received from network service devices in a computer network, the computer system having discrete modules associated with a function performed on the log data received, the computer system comprising:

an event parser in communication with multiple network service devices, the event parser being able to receive log data in real time from the device, the log data including information detailing a network intrusion event received from the network service device if an intrusion has occurred, the event parser being able to parse the information to create corresponding event objects concerning the intrusion events, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp;

an event manager in communication with the event parser, the event manager being able to receive the event objects, the event manager being configured to evaluate the event objects according to at least one predetermined threshold condition such that, when the event objects satisfy the predetermined threshold condition, the event manager designates the event objects to be transmitted in real time;

an event transmitter in communication with the event manager for receiving event objects designated by the event manager for transmission, the event transmitter being able to transmit the event objects in real time, relative to the receipt of the log data, as an intrusion alarm; and

means for alerting a user that a network intrusion event has occurred.

View all claims

20 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system and method for detecting and monitoring network intrusion events from log data received from network service devices in a computer network, the computer system having discrete modules associated with a function performed on the log data received. An event parser in communication with at least one network service device is able to receive log data in real time from the device, and create an event object. An event manager in communication with the event parser is able to receive the event object and evaluate the event object according to at least one predetermined threshold condition such that, when the event object satisfies the predetermined threshold condition, the event manager designates the event object to be broadcast in real time. An event broadcaster in communication with the event manager receives event objects designated by the event manager for broadcast. The event broadcaster transmits the event object in real time as an intrusion alarm.

37 Citations

View as Search Results

43 Claims

1. A computer system for detecting and monitoring network intrusion events from log data received from network service devices in a computer network, the computer system having discrete modules associated with a function performed on the log data received, the computer system comprising:
- an event parser in communication with multiple network service devices, the event parser being able to receive log data in real time from the device, the log data including information detailing a network intrusion event received from the network service device if an intrusion has occurred, the event parser being able to parse the information to create corresponding event objects concerning the intrusion events, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp;
  
  an event manager in communication with the event parser, the event manager being able to receive the event objects, the event manager being configured to evaluate the event objects according to at least one predetermined threshold condition such that, when the event objects satisfy the predetermined threshold condition, the event manager designates the event objects to be transmitted in real time;
  
  an event transmitter in communication with the event manager for receiving event objects designated by the event manager for transmission, the event transmitter being able to transmit the event objects in real time, relative to the receipt of the log data, as an intrusion alarm; and
  
  means for alerting a user that a network intrusion event has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The computer system of claim 1, wherein the means for alerting the user that a network intrusion event has occurred is a user interface in communication with the event transmitter, the user interface comprising a display screen for displaying an intrusion alarm and the information contained within the corresponding event object received from the event transmitter.
  - 3. The computer system of claim 2, wherein the user interface display screen comprises an alarm console, coupled to the event transmitter, configured to display intrusion alarms, and a report console, coupled to the report servlet, configured to execute queries input by a user and display results.
  - 4. The computer system of claim 3, wherein the report console is further configured to display query result data in summary lines, said summary lines comprising hypertext links providing access to further data.
  - 5. The computer system of claim 3, wherein the alarm console displays intrusion alarms in summary lines, said summary lines comprising hypertext links providing access to further data.
  - 6. The computer system of claim 3, wherein the user interface displays the status of network security devices in real time.
  - 7. The computer system of claim 6, wherein the user interface displays the status of network security devices in summary lines, said summary lines comprising hypertext links providing access to further data.
  - 8. The computer system of claim 7, wherein the user interface displays the status of network security devices in a color coded format where said color designates a particular status level for the particular device.
  - 9. The computer system of claim 3, further comprising a chat manager accessible to a user from the alarm console for executing electronic communications links between the user and others having an electronic communications link to the computer system.
  - 10. The computer system of claim 9, wherein the electronic communications link is an on-line link established through a web browser interface.
  - 11. The computer system of claim 2, wherein the user interface is configured to allow a user to initiate queries, and the computer system further comprises:
    - means for storing event objects, said means coupled to the event parsers;
      
      a report servlet coupled to the user interface, the report servlet for recalling stored event objects in response to user queries from the user interface and displaying recalled event objects on the user interface display screen;
      
      an application reporter coupled to the report servlet for receiving and processing user queries and for performing searches of stored event objects; and
      
      a database accessible by the application reporter, for holding stored event objects, the database configured to recall event objects in response to searches executed by the application reporter.
  - 12. The computer system of claim 11, wherein the computer system is one of a multiplicity of computer systems each having a user interface and the computer system further comprises a central user interface which accesses at least one of the user interfaces of the multiplicity of computer systems.
  - 13. The computer system of claim 12, wherein the central user interface accesses at least one of the report servlets of the multiplicity of computer systems and communicates with at least one of the databases of the multiplicity of computer systems.
  - 14. The computer system of claim 1, further comprising:
    - a network port to receive log data having a conforming message format from at least one network service device;
      
      means for transmitting the log data having a conforming message format to the event parsers, and means coupled to the network port; and
      
      a reporting agent coupled to the network port for collecting log data having a non-conforming message format from the at least one network service device and converting the log data to a conforming message format.
  - 15. The computer system of claim 14, wherein the conforming message format is syslog.
  - 16. The computer system of claim 14, further comprising means for filtering log data received at the network port according to one or more predetermined conditions so as to restrict receipt of corresponding log data by said transmitting means.
  - 17. The computer system of claim 16, wherein the predetermined conditions are application name, host name, internal device alarm identifications, source, address, destination address, destination port, and protocol.
  - 18. The computer system of claim 1, further comprising a plurality of event parsers wherein each event parser is configured to receive log data from a predetermined network service device, the plurality of parsers each coupled to the event manager.
  - 19. The computer system of claim 1, wherein the information contained within the event object is read by the event manager and assigned a severity level corresponding to the event type information contained within the event object, and the predetermined threshold condition is the assigned severity level.
  - 20. The computer system of claim 19, wherein the severity level is one of seven categories for types of events contained within event objects.
  - 21. The computer system of claim 1, further comprising an event aggregator module and wherein the event parser is housed within the event aggregator module, and log data from a multiplicity of network device sources is received by the event parser.
  - 22. The computer system of claim 21, wherein the event parser reads log data posted in extensible markup language.
  - 23. The computer system of claim 1, further comprising means for filtering event objects received by the event manager according to one or more predetermined conditions so as to restrict the field of event objects designated for transmission.
  - 24. The computer system of claim 23, wherein the predetermined conditions are application name, host name, event severity, internal device alarm identifications, source address, destination address, destination port, and protocol.
  - 25. The method of claim 1, wherein the event object further comprises an application.
  - 26. The method of claim 1, wherein the event object further comprises an event time stamp.
  - 27. The method of claim 1, wherein the event object further comprises an application time stamp.
  - 28. The method of claim 1, wherein the event object further comprises an address associated with the event.
  - 29. The method of claim 1, wherein the address comprises a source IP address of the event.
  - 30. The method of claim 1, wherein the event object further comprises an event duration.
  - 31. The method of claim 1, wherein the event object further comprises an identification number assigned by the reporting device.

32. A method for detecting and monitoring network intrusion events from log data received from network service devices in a computer network comprising the steps of:
- receiving log data in real time, the log data including information detailing at least one network intrusion event received from the network service devices;
  
  parsing the log data information to create corresponding event objects, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp; and
  
  evaluating the event objects according to at least one predetermined threshold condition;
  
  where the information contained within the event objects satisfies the predetermined threshold condition, transmitting the event object as an intrusion alarm in real time, relative to the receipt of the log data, to a display screen on a user interface.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 33. The method of claim 32, wherein the user interface is configured to allow a user to initiate queries, and the method further comprises the steps of:
    - storing event objects to a database accessible by an application reporter, the database for holding stored event objects, and the database configured to recall event objects in response to searches performed by the application reporter in response to user queries; and
      
      recalling stored event objects in response to user queries from the user interface and displaying recalled event objects on the user interface display screen.
  - 34. The method of claim 33, further comprising the steps of:
    - receiving log data in a conforming message format at a network port;
      
      transmitting the log data in a conforming message format to event parsers;
      
      collecting log data in a non-conforming message format by executing a reporting agent; and
      
      converting the log data to a conforming message format.
  - 35. The method of claim 34, wherein the conforming message format is syslog.
  - 36. The method of claim 33, wherein the stored event object is displayed as a hypertext link to further event object information and the method further comprises using a display screen interface device to open the hypertext link to reveal further event object information on at least one successive display screen frameset.
  - 37. The method of claim 32, wherein the event object intrusion alarm is displayed as a hypertext link to further event object information and the method further comprises using a display screen interface device to open the hypertext link to reveal further event object information on at least one successive display screen frameset.
  - 38. The method of claim 32, further comprising the step of filtering log data received according to one or more predetermined conditions so as to restrict the receipt of corresponding log data.
  - 39. The method of claim 38, wherein the predetermined conditions are application name, host name, internal device alarm identifications, source address, destination address, destination port, and protocol.
  - 40. The method of claim 32, further comprising the step of opening an electronic communications link to other users on the computer system.
  - 41. The method of claim 40, further comprising the step of sending an electronic message over the communications link to other users regarding an intrusion alarm.

42. A computer system for detecting and monitoring network intrusion events from log data received from network service devices in a computer network, the computer system having discrete modules associated with a function performed on the log data received, the computer system comprising:
- an event parser in communication with multiple network service devices, the event parser being able to receive log data in real time from the devices, the log data including information detailing a network intrusion event received from the network service devices if an intrusion has occurred, the event parser being able to parse the information to create corresponding event objects concerning the intrusion events, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp;
  
  an event aggregator, the event aggregator being able to filter the event objects based on event type and severity;
  
  an event manager in communication with the event aggregator, the event manager being able to receive the event object, the event manager being configured to evaluate the event object according to at least one predetermined threshold condition such that, when the event object satisfies the predetermined threshold condition, the event manager designates the event object to be transmitted in real time;
  
  an event transmitter in communication with the event manager for receiving event objects designated by the event manager for transmission, the event transmitter being able to transmit the event object in real time, relative to the receipt of the log data, as an intrusion alarm; and
  
  means for alerting a user that a network intrusion event has occurred.

43. A method for detecting and monitoring network intrusion events from log data received from network service devices in a computer network, comprising the steps of:
- receiving log data in real time from multiple network security devices, the log data including information detailing at least network intrusion events received from the network service devices;
  
  parsing the log data information to create corresponding event objects, wherein an event object comprises information fields relevant to network security monitoring including at least information regarding a reporting device and a time stamp;
  
  filtering the event objects based on event type and severity; and
  
  evaluating the event objects according to at least one predetermined threshold condition;
  
  where the information contained within an event object satisfies the predetermined threshold condition, transmitting the event object as an intrusion alarm in real time, relative to the receipt of the log data, to a display screen on a user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BlackStratus, Inc., LOG Storm Security, Inc.
Original Assignee
Netforensics Incorporated
Inventors
Amaratunge, Dhani, Asthana, Rishi, Hanrahan, Kevin, Pogaku, Shirisha, Samavenkata, K. V. Rao, Hamid, Araf Karsh, Ghildiyal, Amit, Khanolkar, Rajeev, Ved, Niten, Azim, Ozakil
Primary Examiner(s)
NGUYEN, MINH DIEU T

Application Number

US11/470,736
Publication Number

US 20070234426A1
Time in Patent Office

1,601 Days
Field of Search

726/1, 726 22- 23, 713151-153, 709/223, 709/224
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1408 by monitoring network traff...

Comprehensive security structure platform for network managers

First Claim

20 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Comprehensive security structure platform for network managers

First Claim

20 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links