Events from network flows
First Claim
1. A system comprising a hardware processor;
- and a memory to store data used by the hardware processor, wherein the hardware processor is operative to;
receive a plurality of network flows from a network;
read, from the memory, a flow-specific criteria for each one event-type of a plurality of event-types, wherein for each one event-type of the plurality of event-types, the flow-specific criteria of the one event-type is defined to identify if each one network flow of the plurality of network flows potentially forms part of one or more events of the one event-type when each one network flow of the plurality of network flows is examined independently of all other ones of the plurality of network flows with respect to the flow-specific criteria of the one event-type;
for each one event-type of the plurality of event-types, compare each one network flow of the plurality of network flows to the flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria of the one event-type;
for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow satisfying the flow-specific criteria of the one event-type to a proto-event of the one-event type, the proto-event being assigned at least two network flows of the plurality of network flows, wherein the plurality of event-types includes a plurality of proto-events, each one event-type of the plurality of event-types including at least one proto-event;
read, from the memory, an aggregation criteria for one of the event-types, wherein the aggregation criteria is defined to identify an event in the proto-event of the one event-type from the at least two networks flows in the proto-event of the one event-type when the at least two network flows that form part of the proto-event of the one event-type are examined together as a group; and
test different combinations of the at least two network flows assigned to the proto-event of the one event-type against the aggregation criteria of the one event-type to determine if one combination of the different combinations of the at least two network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the at least two network flows of the proto-event.
5 Assignments
0 Petitions
Accused Products
Abstract
In one embodiment, a system includes a processor to receive network flows, for each of one of a plurality of event-types, compare each one of the network flows to a flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria, for each one of the event-types, for each one of the network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow to a proto-event of the one-event type, test different combinations of the network flows assigned to the proto-event of the one event-type against aggregation criteria of the one event-type to determine if one combination of the network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the network flows of the proto-event. Related apparatus and methods are also described.
12 Citations
20 Claims
-
1. A system comprising a hardware processor;
- and a memory to store data used by the hardware processor, wherein the hardware processor is operative to;
receive a plurality of network flows from a network; read, from the memory, a flow-specific criteria for each one event-type of a plurality of event-types, wherein for each one event-type of the plurality of event-types, the flow-specific criteria of the one event-type is defined to identify if each one network flow of the plurality of network flows potentially forms part of one or more events of the one event-type when each one network flow of the plurality of network flows is examined independently of all other ones of the plurality of network flows with respect to the flow-specific criteria of the one event-type; for each one event-type of the plurality of event-types, compare each one network flow of the plurality of network flows to the flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria of the one event-type; for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow satisfying the flow-specific criteria of the one event-type to a proto-event of the one-event type, the proto-event being assigned at least two network flows of the plurality of network flows, wherein the plurality of event-types includes a plurality of proto-events, each one event-type of the plurality of event-types including at least one proto-event; read, from the memory, an aggregation criteria for one of the event-types, wherein the aggregation criteria is defined to identify an event in the proto-event of the one event-type from the at least two networks flows in the proto-event of the one event-type when the at least two network flows that form part of the proto-event of the one event-type are examined together as a group; and test different combinations of the at least two network flows assigned to the proto-event of the one event-type against the aggregation criteria of the one event-type to determine if one combination of the different combinations of the at least two network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the at least two network flows of the proto-event. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- and a memory to store data used by the hardware processor, wherein the hardware processor is operative to;
-
16. A method comprising:
-
receiving a plurality of network flows from a network; reading, from a memory, a flow-specific criteria for each one event-type of a plurality of event-types, wherein for each one event-type of the plurality event-types, the flow-specific criteria of the one event-type is defined to identify if each one network flow of the plurality network flows potentially forms part of one or more events of the one event-type when each one network flow of the plurality of network flows is examined independently of all other ones of the plurality of network flows with respect to the flow-specific criteria of the one event-type; for each one event-type of the plurality of event-types, comparing each one network flow of the plurality of network flows to the flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria of the one event-type; for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, assigning the one network flow satisfying the flow-specific criteria of the one event-type to a proto-event of the one-event type, the proto-event being assigned at least two network flows of the plurality of network flows, wherein the plurality of event-types includes a plurality of proto-events, each one event-type of the plurality of event-types including at least one proto-event; reading, from the memory, an aggregation criteria for one of the event-types, wherein the aggregation criteria is defined to identify an event in the proto-event of the one event-type from the at least two networks flows in the proto-event of the one event-type when the at least two network flows that form part of the proto-event of the one event-type are examined together as a group; and testing different combinations of the at least two network flows assigned to the proto-event of the one event-type against the aggregation criteria of the one event-type to determine if one combination of the different combinations of the at least two network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the at least two network flows of the proto-event. - View Dependent Claims (17, 18)
-
-
19. A system comprising a hardware processor;
- and a memory to store data used by the hardware processor, wherein the hardware processor is operative to;
receive a plurality of network flows from a network; read, from the memory, a flow-specific criteria for each one event-type of a plurality of event-types, wherein for each one event-type of the plurality of event-types, the flow-specific criteria of the one event-type is defined to identify if each one network flow of the plurality of network flows potentially forms part of one or more events of the one event-type when each one network flow of the plurality of network flows is examined independently of all other ones of the plurality of network flows with respect to the flow-specific criteria of the one event-type; for each one event-type of the plurality of event-types, compare each one network flow of the plurality of network flows to the flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria of the one event-type; for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow satisfying the flow-specific criteria of the one event-type to a proto-event of the one-event type, the proto-event being assigned at least two network flows of the plurality of network flows, wherein the plurality of event-types includes a plurality of proto-events, each one event-type of the plurality of event-types including at least one proto-event; read, from the memory, an aggregation criteria for one of the event-types, wherein the aggregation criteria is defined to identify an event in the proto-event of the one event-type from the at least two networks flows in the proto-event of the one event-type when the at least two network flows that form part of the proto-event of the one event-type are examined together as a group; test different combinations of the at least two network flows assigned to the proto-event of the one event-type against the aggregation criteria of the one event-type to determine if one combination of the different combinations of the at least two network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the at least two network flows of the proto-event; and identify a suspicious event based on applying the flow-specific criteria and the aggregation criteria for at least one event-type of the plurality of event-types. - View Dependent Claims (20)
- and a memory to store data used by the hardware processor, wherein the hardware processor is operative to;
Specification