Detection of network security breaches based on analysis of network record logs

US 8,326,881 B2
Filed: 01/26/2011
Issued: 12/04/2012
Est. Priority Date: 04/04/2003
Status: Expired due to Term

First Claim

Patent Images

1. A system comprising:

a network device, that includes a processor and a memory, to;

process, for detecting one or more attempted security breaches, each of a plurality of log records to generate a respective value corresponding to each of the plurality of log records,identify, based on the value corresponding to a log record of the plurality of log records, a first entry of a plurality of entries of a data structure,generate, based on one or more fields of the log record, a data value,associate the data value with a list of values associated with the first entry, when the data value does not match another value of the list of values,insert a tag into the first entry to form a modified entry after associating the data value with the list of values,analyze each of the plurality of entries of the data structure,identify, based on the tag of the first entry of the plurality of entries and the data value, the modified entry,perform, after identifying the modified entry, an evaluation of the data value associated with the modified entry to detect an attempted security breach, andmodify, upon completion of the evaluation of the data value, the tag of the modified entry to cause the modified entry to no longer be identified as a modified entry.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.

67 Citations

View as Search Results

25 Claims

1. A system comprising:
- a network device, that includes a processor and a memory, to;
  
  process, for detecting one or more attempted security breaches, each of a plurality of log records to generate a respective value corresponding to each of the plurality of log records,identify, based on the value corresponding to a log record of the plurality of log records, a first entry of a plurality of entries of a data structure,generate, based on one or more fields of the log record, a data value,associate the data value with a list of values associated with the first entry, when the data value does not match another value of the list of values,insert a tag into the first entry to form a modified entry after associating the data value with the list of values,analyze each of the plurality of entries of the data structure,identify, based on the tag of the first entry of the plurality of entries and the data value, the modified entry,perform, after identifying the modified entry, an evaluation of the data value associated with the modified entry to detect an attempted security breach, andmodify, upon completion of the evaluation of the data value, the tag of the modified entry to cause the modified entry to no longer be identified as a modified entry.
- View Dependent Claims (2, 3, 4, 22, 23)
- - 2. The system of claim 1, where, when modifying the tag, the network device is to:
    - remove the tag from the modified entry.
  - 3. The system of claim 1, where the tag identifies the modified entry as having been modified during a particular period.
  - 4. The system of claim 3, where the particular period comprises a period defined by consecutive evaluations of the data structure.
  - 22. The system of claim 1, where, when performing the evaluation of the data value associated with the modified entry to detect the attempted security breach, the network device is to:
    - compare the data value to particular criteria; and
      
      detect the attempted security breach based on comparing the data value to the particular criteria.
  - 23. The system of claim 22, where the network device is further to:
    - block, based on detecting the attempted security breach, packets from a source that is identified based on the log record.

5. A method comprising:
- generating, by a network device and based on at least one field of a log record, a key;
  
  evaluating, by the network device, a data structure to identify an entry corresponding to the generated key;
  
  retrieving, by the network device, a data list associated with the identified entry;
  
  comparing, by the network device, the data list to a value, the value being generated using one or more fields of the log record;
  
  determining, by the network device, whether the data list includes a list entry that matches the value;
  
  inserting, by the network device and when the data list does not include the list entry that matches the value, the value into the data list;
  
  tagging, by the network device and when the data list does not include the list entry that matches the value, the identified entry in the data structure with a time stamp corresponding to the tagging;
  
  determining, by the network device and based on a tag associated with each entry of the data structure, whether each entry of the data structure is expired;
  
  deleting, by the network device, each expired entry of the data structure;
  
  evaluating, by the network device, each data list, associated with each unexpired entry of the data structure, to detect an attempted security breach; and
  
  generating, by the network device, a response to detecting the attempted security breach.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, where inserting the value comprises:
    - inserting the tag into the identified entry in the data structure, the tag of the identified entry indicating that the data list, associated with the identified entry in the data structure, has been modified during a particular period, andwhere evaluating each data list associated with each unexpired entry comprises;
      
      determining whether each unexpired entry includes the tag; and
      
      evaluating each data list, associated with each unexpired entry of the data structure that includes the tag, to detect an attempted security breach.
  - 7. The method of claim 5, where inserting the value comprises:
    - inserting a time stamp into the identified entry in the data structure, the time stamp being different than the tag associated with the identified entry.
  - 8. The method of claim 5, where evaluating each data list associated with each unexpired entry comprises:
    - removing, upon evaluating the data list, the tag from the associated unexpired entry in the data structure.

9. A method comprising:
- generating, by the network device and based on at least one field of a log record associated with a network event, a data value;
  
  identifying, by the network device and based on a particular value that is generated based on fields of the log record, a first entry in a data structure;
  
  comparing, by the network device, the generated data value to other data values, associated with the first entry in the data structure, to identify a matching data value corresponding to the generated data value;
  
  associating, by the network device and only when the generated data value does not match a data value in the other data values, the generated data value and a tag with the first entry in the data structure, the tag indicating that the first entry has been modified in the data structure;
  
  identifying, by the network device and based on the tag being associated with the first entry in the data structure, the first entry in the data structure as having been modified;
  
  evaluating, by the network device and based on identifying the first entry in the data structure as having been modified, the first entry in the data structure to detect an attempted security breach; and
  
  disassociating, by the network device and upon completion of the evaluating, the first entry, in the data structure, from the tag.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, where identifying the first entry comprises:
    - determining, based on the tag, the first entry in the data structure as having been modified during a particular period.
  - 11. The method of claim 10, where the particular period comprises a period defined by consecutive evaluations of the data structure.
  - 12. The method of claim 9, where associating the generated data value and the tag comprises:
    - inserting a time stamp into the generated data value, the time stamp being different than the tag.
  - 13. The method of claim 9, where the data structure comprises a plurality of entries including the first entry, andwhere identifying the first entry in the data structure as having been modified comprises:
    - retrieving each of the plurality of entries;
      
      determining whether each of the plurality of entries is associated with a tag;
      
      evaluating, based on particular criteria, each of the plurality of entries determined to be associated with the tag to detect the attempted security breach; and
      
      disassociating, upon completion of evaluating each of the plurality of entries, the tag from each of the plurality of entries determined to be associated with the tag.
  - 14. The method of claim 9, where associating the tag with the first entry in the data structure comprises:
    - inserting a tag into the first entry in the data structure.
  - 15. The method of claim 14, where disassociating the first entry in the data structure comprises:
    - removing the tag from the first entry in the data structure.
  - 16. The method of claim 9, further comprising:
    - receiving a plurality of individual log records, including the log record, upon each of the plurality of individual log records being generated; and
      
      processing each of the plurality of individual log records, upon being received,where processing the log record includes processing the log record to generate the data value.
  - 17. The method of claim 9, further comprising:
    - receiving a record of logs, the record of logs identifying a plurality of individual log records including the log record; and
      
      retrieving, based on receiving the record of logs, the log record.

18. A non-transitory computer-readable medium comprising:
- a plurality of instructions which, when executed by a device, cause the device to;
  
  process, for detecting one or more attempted security breaches, each of a plurality of log records to generate a respective value corresponding to each of the plurality of log records,identify, based on the value corresponding to a log record of the plurality of log records, a first entry of a plurality of entries of a data structure,generate, based on one or more fields of the log record, a data value,associate the data value with a list of values associated with the first entry, when the data value does not match another value of the list of values,insert a tag into the first entry to form a modified entry after associating the data value with the list of values,analyze each of the plurality of entries of the data structure;
  
  identify, based on the tag of the first entry, the modified entry;
  
  perform, after identifying the modified entry, an evaluation of the data value associated with the modified entry to detect an attempted security breach; and
  
  modify, upon completion of the evaluation of the data values, the tag of the modified entry to cause the modified entry to no longer be identified as a modified entry.
- View Dependent Claims (19, 20, 21, 24, 25)
- - 19. The non-transitory computer-readable medium of claim 18, where one or more instructions, of the plurality of instructions, to modify the tag include:
    - one or more instructions to remove the tag from the modified entry.
  - 20. The non-transitory computer-readable medium of claim 18, where the tag identifies the modified entry as having been modified during a particular period.
  - 21. The non-transitory computer-readable medium of claim 20, where the particular period comprises a period defined by consecutive evaluations of the data structure.
  - 24. The non-transitory computer-readable medium of claim 18, where one or more instructions, of the plurality of instructions, to perform the evaluation of the data value associated with the modified entry to detect the attempted security breach, include:
    - one or more instructions to identify, using the log record, a plurality of tests; and
      
      one or more instructions to perform the plurality of tests on the log record to detect the attempted security breach.
  - 25. The non-transitory computer-readable medium of claim 18, the plurality of instructions further comprising:
    - one or more instructions to detect the attempted security breach based on the evaluation of the data value associated with the modified entry; and
      
      one or more instructions to block, based on detecting the attempted security breach, packets from a source that is identified based on the log record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zuk, Nir
Primary Examiner(s)
Saeed, Usmaan

Application Number

US13/014,339
Publication Number

US 20110185426A1
Time in Patent Office

678 Days
Field of Search

None
US Class Current

707/791
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Y10S 707/99943 Generating database or data...

Detection of network security breaches based on analysis of network record logs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of network security breaches based on analysis of network record logs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links