System and method for merging network events and security events via superimposing data

US 9,336,287 B2
Filed: 09/25/2014
Issued: 05/10/2016
Est. Priority Date: 09/26/2013
Status: Active Grant

First Claim

Patent Images

1. A method for gathering a plurality of data and representing the results in a computer environment, the method comprising:

collecting the plurality of data, the plurality of data comprising network flow data, network alerts and system log data collectively comprising events, the events sharing a same derived key in an in-memory sliding window;

superimposing, using a processor, the events sharing the same derived key in the in-memory sliding window into a single record to form superimposed events;

superimposing, using the processor, associated attributes from the plurality of data into a cross relationship to form superimposed attributes, the cross relationship being a collection of unique attribute pairings;

storing the superimposed events in a first computer readable data store; and

storing the superimposed attributes in a second computer readable data store.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An integrated network flow and security information management system and method is provided, more particularly, an integrated network flow and security information management system and method which leverages a process of superimposing and cross referencing common events and attributes in order to increase the speed of searches, completeness of searches and size of dataset (flow data). In particular, the process of superimposing may increase the amount of information that can be processed, while accelerating the search, thereby providing the user with more responsive acts of pivoting and scoping leading to a more complete response to network errors and threats.

Citations

19 Claims

1. A method for gathering a plurality of data and representing the results in a computer environment, the method comprising:
- collecting the plurality of data, the plurality of data comprising network flow data, network alerts and system log data collectively comprising events, the events sharing a same derived key in an in-memory sliding window;
  
  superimposing, using a processor, the events sharing the same derived key in the in-memory sliding window into a single record to form superimposed events;
  
  superimposing, using the processor, associated attributes from the plurality of data into a cross relationship to form superimposed attributes, the cross relationship being a collection of unique attribute pairings;
  
  storing the superimposed events in a first computer readable data store; and
  
  storing the superimposed attributes in a second computer readable data store.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the collecting further comprises collecting security event data, network event data, actionable intelligence, analysis results, or a combination thereof.
  - 3. The method of claim 1 wherein events are information that combine a flow tuple into a derived key.
  - 4. The method of claim 3 wherein the flow tuple comprises a source address, a destination address and a protocol.
  - 5. The method of claim 4 wherein the flow tuple further comprises a source port and a destination port.

6. A method comprising:
- receiving network events at a first network node, the received network events containing a plurality of attributes and related values;
  
  superimposing, using a processor, the received network events to form superimposed events prior to their storage in a first computer readable data store, the superimposed events sharing a same derived key in an in-memory sliding window;
  
  examining each of the plurality of attributes to identify associated attributes;
  
  superimposing, using a processor, the associated attributes in a cross relationship prior to their storage in a second computer readable data store, the cross relationship being a collection of unique attribute pairings;
  
  storing the superimposed events in the first computer readable data store; and
  
  storing the superimposed attributes in the second computer readable data store.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method of claim 6 wherein each of the plurality of attributes has a predefined relationship schema that specifies the superimpose action to be taken for all associated attributes.
  - 8. The method of claim 6 further comprising:
    - creating a new summary record in a current window when an examined attribute is new and does not exist in the current window.
  - 9. The method of claim 6 further comprising:
    - superimposing all associated attributes to a corresponding record following a pre-defined relationship schema when an examined attribute exists in a current window.
  - 10. The method of claim 6 wherein each of the superimposed attributes has a collection of cross relationships when stored in the second computer readable data store.
  - 11. The method of claim 10 further comprising:
    - converting the collection of cross relationships into a single tree structure.
  - 12. The method of claim 11 further comprising:
    - storing the single tree structure into the second computer readable data store with the value associated with the attribute as its key.

13. A method comprising:
- receiving a first plurality of messages at a network node in a first timeframe and receiving a second plurality of messages at the network node in a second timeframe, each of the first and second plurality of received messages comprising a plurality of attribute-value pairs, each of the plurality of attribute-value pairs in each of the first and second plurality of received messages corresponding to at least one network event;
  
  deriving keys, using a processor, for each of the first and second plurality of received messages from at least one of the plurality of attribute-value pairs in the respective received message;
  
  superimposing the first plurality of received messages, using a processor, by merging the first plurality of received messages that have a same derived key value into a first superimposed record;
  
  superimposing the second plurality of received messages, using a processor, by merging the second plurality of received messages that have a same derived key value into a second superimposed record;
  
  superimposing the pluralities of attribute-value pairs, using a processor, by cross-relating each of the plurality of attribute-value pairs for each of the first and second plurality of received messages to each other attribute-value pair of the plurality of attribute-value pairs in the respective received message;
  
  storing the first and second superimposed records in a first computer readable data store; and
  
  storing the superimposed attribute-value pairs in a second computer readable data store.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13 wherein the at least one network event is a communication over a network.
  - 15. The method of claim 13 wherein each of the derived keys comprises an address of a source network node of the respective network event, an address of a destination network node of the respective network event, and a protocol of the respective network event.
  - 16. The method of claim 15 wherein each of the derived keys further comprise a port of the source network node of the respective network event and a port of the destination network node of the respective network event.
  - 17. The method of claim 13, wherein each of the superimposed attribute-value pairs has a collection of cross relationships when stored in the second computer readable data store.
  - 18. The method of claim 17 further comprising:
    - converting the collection of cross relationships into a single tree structure.
  - 19. The method of claim 18 further comprising:
    - storing the single tree structure into the second computer readable data store with the value of the attribute-value pair as the key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Securitydo Corporation
Original Assignee
Securitydo Corporation
Inventors
Jordan, Christopher, Luo, Kun
Primary Examiner(s)
BAROT, BHARAT

Application Number

US14/497,060
Publication Number

US 20150088868A1
Time in Patent Office

593 Days
Field of Search

709202-203, 709223-224
US Class Current

1/1
CPC Class Codes

G06F 16/2228   Indexing structures

G06F 16/2246   Trees, e.g. B+trees

G06F 16/248   Presentation of query results

G06F 16/284   Relational databases

G06F 16/957   Browsing optimisation, e.g....

G06F 40/117   Tagging; Marking up details...

H04L 63/1408   by monitoring network traff...

System and method for merging network events and security events via superimposing data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for merging network events and security events via superimposing data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links