System and method for merging network events and security events via superimposing data
Abstract
An integrated network flow and security information management system and method is provided; more particularly, an integrated network flow and security information management system and method which leverages a process of superimposing and cross-referencing common events and attributes in order to increase the speed of searches, the completeness of searches and the size of the dataset (flow data). In particular, the process of superimposing may increase the amount of information that can be processed while accelerating the search, thereby providing the user with more responsive pivoting and scoping, leading to a more complete response to network errors and threats.
19 Claims
1. A method for gathering a plurality of data and representing the results in a computer environment, the method comprising:
- collecting the plurality of data, the plurality of data comprising network flow data, network alerts and system log data collectively comprising events, the events sharing a same derived key in an in-memory sliding window;
- superimposing, using a processor, the events sharing the same derived key in the in-memory sliding window into a single record to form superimposed events;
- superimposing, using the processor, associated attributes from the plurality of data into a cross relationship to form superimposed attributes, the cross relationship being a collection of unique attribute pairings;
- storing the superimposed events in a first computer readable data store; and
- storing the superimposed attributes in a second computer readable data store.
Dependent claims: 2, 3, 4, 5.
6. A method comprising:
- receiving network events at a first network node, the received network events containing a plurality of attributes and related values;
- superimposing, using a processor, the received network events to form superimposed events prior to their storage in a first computer readable data store, the superimposed events sharing a same derived key in an in-memory sliding window;
- examining each of the plurality of attributes to identify associated attributes;
- superimposing, using a processor, the associated attributes in a cross relationship prior to their storage in a second computer readable data store, the cross relationship being a collection of unique attribute pairings;
- storing the superimposed events in the first computer readable data store; and
- storing the superimposed attributes in the second computer readable data store.
Dependent claims: 7, 8, 9, 10, 11, 12.
13. A method comprising:
- receiving a first plurality of messages at a network node in a first timeframe and receiving a second plurality of messages at the network node in a second timeframe, each of the first and second plurality of received messages comprising a plurality of attribute-value pairs, each of the plurality of attribute-value pairs in each of the first and second plurality of received messages corresponding to at least one network event;
- deriving keys, using a processor, for each of the first and second plurality of received messages from at least one of the plurality of attribute-value pairs in the respective received message;
- superimposing the first plurality of received messages, using a processor, by merging the first plurality of received messages that have a same derived key value into a first superimposed record;
- superimposing the second plurality of received messages, using a processor, by merging the second plurality of received messages that have a same derived key value into a second superimposed record;
- superimposing the pluralities of attribute-value pairs, using a processor, by cross-relating each of the plurality of attribute-value pairs for each of the first and second plurality of received messages to each other attribute-value pair of the plurality of attribute-value pairs in the respective received message;
- storing the first and second superimposed records in a first computer readable data store; and
- storing the superimposed attribute-value pairs in a second computer readable data store.
Dependent claims: 14, 15, 16, 17, 18, 19.
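The following Python is an added illustration of the mechanism recited in claims 6 and 13, not code from the patent or its assignee: events sharing a derived key are merged inside an in-memory window before being written to an event store, and every unique pairing of attribute-value pairs is written to a separate attribute store. The key derivation (source/destination pair), the window length and the sample flow, alert and syslog events are all assumptions made for the example.

```python
from collections import deque
from itertools import combinations

# Constructed sample events (not from the patent): two flow records, an IDS
# alert and a syslog entry, each a set of attribute-value pairs plus a timestamp.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "flow", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "bytes": 1200},
    {"ts": 101, "type": "alert", "src": "10.0.0.5", "dst": "203.0.113.9", "sig": "ET-TEST-1"},
    {"ts": 103, "type": "flow", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "bytes": 800},
    {"ts": 104, "type": "syslog", "src": "10.0.0.7", "dst": "10.0.0.1", "msg": "login ok"},
    {"ts": 170, "type": "flow", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "bytes": 50},
]

def derive_key(event):
    # Assumed key: the source/destination pair. The claims only require that
    # the key be derived from at least one attribute-value pair of the message.
    return (event["src"], event["dst"])

class Superimposer:
    """Merges events sharing a derived key inside a time window, and records
    unique attribute pairings (the cross relationship) in a second store."""
    def __init__(self, window_secs):
        self.window = window_secs
        self.open = {}            # key -> in-progress superimposed record
        self.order = deque()      # keys in first-arrival order, for expiry
        self.event_store = []     # first data store: superimposed events
        self.attr_store = set()   # second data store: unique attribute pairings

    def _expire(self, now):
        # Records older than the window are closed and written to the store.
        while self.order and now - self.open[self.order[0]]["first_ts"] > self.window:
            self.event_store.append(self.open.pop(self.order.popleft()))

    def ingest(self, event):
        self._expire(event["ts"])
        key = derive_key(event)
        rec = self.open.get(key)
        if rec is None:   # first event for this key in the current window
            rec = {"key": key, "first_ts": event["ts"], "last_ts": event["ts"], "count": 0, "attrs": {}}
            self.open[key] = rec
            self.order.append(key)
        rec["count"] += 1
        rec["last_ts"] = event["ts"]
        for name, value in event.items():   # merge attributes into one record
            if name != "ts":
                rec["attrs"].setdefault(name, set()).add(value)
        pairs = [(n, v) for n, v in event.items() if n != "ts"]
        self.attr_store.update(frozenset(p) for p in combinations(pairs, 2))

    def flush(self):
        # Close every remaining record and return the event store.
        while self.order:
            self.event_store.append(self.open.pop(self.order.popleft()))
        return self.event_store
```

With a 60-second window the three 10.0.0.5 to 203.0.113.9 events at ts 100 to 103 collapse into one record carrying both the flow and alert attributes, while the ts 170 flow starts a fresh record.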