Detection of network security breaches based on analysis of network record logs

US 7,904,479 B2
Filed: 12/06/2007
Issued: 03/08/2011
Est. Priority Date: 04/04/2003
Status: Active Grant

First Claim

Patent Images

1. A network device including an interface to receive a log of security records from a plurality of network security devices in a computer network, the network device comprising:

a processor;

the processor to process a log record, including deriving a key to a table and tagging the key with a time stamp, anddetermine a data value from information in the log record and adding the data value including a tag field to a list of data values associated with the key if the data value is not already in the list of data values, wherein the time stamp and the tag field differ, and the tag field indicates that the key has been modified by the addition of the data value since a prior evaluation;

a database to store the table; and

an evaluation engine to;

retrieve entries of the table not having the tag field,retrieve entries of the table having the tag field,evaluate entries of the table having the tag field based on predetermined criteria to detect attempted security breaches, andreset the tag field of the evaluated entries to indicate that the key has been evaluated since a prior modification, andupdate the time stamp.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.

54 Citations

View as Search Results

21 Claims

1. A network device including an interface to receive a log of security records from a plurality of network security devices in a computer network, the network device comprising:
- a processor;
  
  the processor to process a log record, including deriving a key to a table and tagging the key with a time stamp, anddetermine a data value from information in the log record and adding the data value including a tag field to a list of data values associated with the key if the data value is not already in the list of data values, wherein the time stamp and the tag field differ, and the tag field indicates that the key has been modified by the addition of the data value since a prior evaluation;
  
  a database to store the table; and
  
  an evaluation engine to;
  
  retrieve entries of the table not having the tag field,retrieve entries of the table having the tag field,evaluate entries of the table having the tag field based on predetermined criteria to detect attempted security breaches, andreset the tag field of the evaluated entries to indicate that the key has been evaluated since a prior modification, andupdate the time stamp.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The network device of claim 1, wherein the table is a hash table.
  - 3. The network device of claim 1, wherein the list of data values is implemented as a linked list.
  - 4. The network device of claim 1, wherein the list of data values is implemented as a hash table.
  - 5. The network device of claim 1, wherein the list of data values is implemented as a tree.
  - 6. The network device of claim 1, wherein when evaluating entries of the table, the evaluation engine is configured to evaluate all the entries of the table.

7. A network device including an interface to receive a log of security records from a plurality of network security devices in a computer network, the network device comprising:
- a processor;
  
  the processor to generate a hash key based on one or more fields of a log record; and
  
  a database to store a plurality of hash tables;
  
  an evaluation engine to;
  
  evaluate one of the stored hash tables using the hash key, andadd a new entry to the evaluated hash table if a hash table entry does not match the hash key or retrieve a data list associated with the hash table entry if the hash table entry matches the hash key;
  
  the processor being further configured to;
  
  compute a data value based on the one or more fields of the log record,compare the data value with entries in the data list to identify matching entries, andinsert the data value into the data list when no matching entries are identified, wherein the data value includes a tag field and a time stamp that differ, the tag field indicating that the hash key has been modified by the insertion of the data value since a prior evaluation; and
  
  the evaluation engine being further configured to;
  
  retrieve entries of the hash table that do not have the tag field,retrieve entries of the hash table that have the tag field,evaluate the data list based on predetermined criteria to detect attempted security breaches,reset the tag field to indicate that the hash key has been evaluated since a prior modification, andupdate the time stamp.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 8. The network device of claim 7, wherein adding a new entry to the hash table includes generating an empty data list associated with the new entry to the hash table.
  - 9. The network device of claim 7, wherein inserting the data value into the data list includes triggering an evaluation of the data list.
  - 10. The network device of claim 7, wherein the evaluation engine is further configured to receive a check table operation to trigger the evaluation of the data list.
  - 11. The network device of claim 7, wherein when evaluating the data list based on predetermined criteria, the evaluation engine is further configured to block a packet associated with the log record.
  - 12. The network device of claim 7, wherein when evaluating the data list based on predetermined criteria, the evaluation engine is further configured to block future packets from a same source as a packet associated with the log record.
  - 13. The network device of claim 7, wherein when evaluating the data list based on predetermined criteria, the evaluation engine is further configured to block an attempted security attack.
  - 14. The network device of claim 7, wherein the data list is a linked list.
  - 15. The network device of claim 7, wherein the data list is a hash table.
  - 16. The network device of claim 7, wherein the data list is a tree.
  - 17. The network device of claim 7, wherein the evaluation engine is further configured to evaluate the data list after a plurality of data values have been added to the data list.
  - 18. The network device of claim 7, wherein the evaluation engine is further configured to evaluate the data list after each data value is added to the data list.
  - 19. The network device of claim 7, wherein when evaluating the hash table using the hash key, the evaluation engine is further configured to process a second hash table.
  - 20. The network device of claim 19, wherein processing a second hash table includes:
    - using a matching hash table entry to retrieve the second hash table;
      
      using the hash key to evaluate the second hash table;
      
      if there is no matching second hash table entry, adding a new entry to the second hash table;
      
      if there is a matching second hash table entry, retrieving a second data list associated with the second hash table entry;
      
      comparing the data value with entries in the second data list to determine if there are any matching entries;
      
      inserting the data value in the second data list if there are no matching entries; and
      
      evaluating the second data list based on the predetermined criteria or other predetermined criteria.

21. A system comprising:
- means for receiving a log of security records from a plurality of network security devices in a computer network,means for processing, including;
  
  means for processing a log record to derive a key to a table and tag the key with a time stamp, andmeans for determining a data value from information in the log record and adding the data value including a tag field to a list of data values associated with the key if the data value is not already in the list of data values, wherein the time stamp and the tag field differ, and the tag field indicates that the key has been modified by the addition of the data value since a prior evaluation;
  
  means for storing the table; and
  
  means for evaluating, including;
  
  means for retrieving entries of the table not having the tag field,means for retrieving entries of the table having the tag field,means for evaluating entries of the table having the tag field based on predetermined criteria to detect attempted security breaches, andmeans for resetting the tag field of the evaluated entries to indicate that the key has been evaluated since a prior modification, and update the time stamp.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zuk, Nir
Primary Examiner(s)
Saeed; Usmaan

Application Number

US11/951,518
Publication Number

US 20080155697A1
Time in Patent Office

1,188 Days
Field of Search

707687-704, 707736-747, 707790-811, 707999001-99901, 7079991-999102
US Class Current

707/791
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Y10S 707/99943 Generating database or data...

Detection of network security breaches based on analysis of network record logs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of network security breaches based on analysis of network record logs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links