Detection of network security breaches based on analysis of network record logs

US 9,413,777 B2
Filed: 09/14/2012
Issued: 08/09/2016
Est. Priority Date: 04/04/2003
Status: Expired due to Term

First Claim

Patent Images

1. A system comprising:

a device, including a memory, to;

obtain information relating to one or more network events;

determine, using the information relating to the one or more network events, an evaluation strategy associated with detecting one or more attempted security breaches;

identify, using the evaluation strategy, a plurality of different tests;

generate using the evaluation strategy;

a first value for a first test of the plurality of different tests, anda second value for a second test of the plurality of different tests;

update, using the first value, a first table that is associated with the first test;

update, using the second value, a second table that is associated with the second test,the second table being different than the first table;

perform the first test, based on an evaluation of the updated first table, to determine whether a first security breach has been attempted,when performing the first test, the device is to compare one or more first values, associated with an entry in the updated first table, to first criteria to determine whether the first security breach has been attempted,the entry in the updated first table being associated with the first value,the one or more first values including information identifying one or more first ports associated with the device,each first value, of the one or more first values, being a unique port number and being tagged to expire after a first duration of time,the first criteria relating to a first quantity of ports, andthe first security breach being attempted when a quantity, of the one or more first ports identified by the one or more first values, exceeds the first quantity of ports; and

perform the second test, based on an evaluation of the updated second table, to determine whether a second security breach has been attempted,when performing the second test, the device is to compare one or more second values, associated with an entry in the updated second table, to second criteria to determine whether the second security breach has been attempted,the entry in the updated second table being associated with the second value,the one or more second values including information identifying one or more second ports associated with the device,each second value, of the one or more second values, being a unique port number and being tagged to expire after a second duration of time,the second criteria relating to a second quantity of ports, andthe second security breach being attempted when a quantity, of the one or more second ports identified by the one or more second values, exceeds the second quantity of ports.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.

Citations

20 Claims

1. A system comprising:
- a device, including a memory, to;
  
  obtain information relating to one or more network events;
  
  determine, using the information relating to the one or more network events, an evaluation strategy associated with detecting one or more attempted security breaches;
  
  identify, using the evaluation strategy, a plurality of different tests;
  
  generate using the evaluation strategy;
  
  a first value for a first test of the plurality of different tests, anda second value for a second test of the plurality of different tests;
  
  update, using the first value, a first table that is associated with the first test;
  
  update, using the second value, a second table that is associated with the second test,the second table being different than the first table;
  
  perform the first test, based on an evaluation of the updated first table, to determine whether a first security breach has been attempted,when performing the first test, the device is to compare one or more first values, associated with an entry in the updated first table, to first criteria to determine whether the first security breach has been attempted,the entry in the updated first table being associated with the first value,the one or more first values including information identifying one or more first ports associated with the device,each first value, of the one or more first values, being a unique port number and being tagged to expire after a first duration of time,the first criteria relating to a first quantity of ports, andthe first security breach being attempted when a quantity, of the one or more first ports identified by the one or more first values, exceeds the first quantity of ports; and
  
  perform the second test, based on an evaluation of the updated second table, to determine whether a second security breach has been attempted,when performing the second test, the device is to compare one or more second values, associated with an entry in the updated second table, to second criteria to determine whether the second security breach has been attempted,the entry in the updated second table being associated with the second value,the one or more second values including information identifying one or more second ports associated with the device,each second value, of the one or more second values, being a unique port number and being tagged to expire after a second duration of time,the second criteria relating to a second quantity of ports, andthe second security breach being attempted when a quantity, of the one or more second ports identified by the one or more second values, exceeds the second quantity of ports.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, where the device is further to:
    - generate a third value based on the information relating to the one or more network events,where, when determining the evaluation strategy, the device is to determine the evaluation strategy further based on the third value.
  - 3. The system of claim 1, where, when identifying the plurality of different tests, the device is to:
    - identify, using the evaluation strategy, a plurality of different types of tests and a quantity of tests.
  - 4. The system of claim 1, where the first value and the second value correspond to a same value, andwhere the device is further to:
    - evaluate, using the same value, the updated first table and the updated second table.
  - 5. The system of claim 1, where the device is further to:
    - determine that the first security breach has been attempted after performing the first test; and
      
      notify a security device that the first security breach has been attempted.
  - 6. The system of claim 1, where the entry, in the updated first table, includes a pointer to the one or more first values.
  - 7. The system of claim 1, where the entry, in the updated second table, includes a pointer to the one or more second values.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by a device, cause the device to obtain information relating to one or more network events;
  
  one or more instructions which, when executed by the device, cause the device to determine, using the information relating to the one or more network events, an evaluation strategy associated with detecting one or more attempted security breaches;
  
  one or more instructions which, when executed by the device, cause the device to identify, using the evaluation strategy, a plurality of different tests;
  
  one or more instructions which, when executed by the device, cause the device to generate using the evaluation strategy;
  
  a first value for a first test of the plurality of different tests, anda second value for a second test of the plurality of different tests;
  
  one or more instructions which, when executed by the device, cause the device to update, using the first value, a first table that is associated with the first test;
  
  one or more instructions which, when executed by the device, cause the device to update, using the second value, a second table that is associated with the second test,the second table being different than the first table;
  
  one or more instructions which, when executed by the device, cause the device to perform the first test, based on an evaluation of the updated first table, to determine whether a first security breach has been attempted,the one or more instructions to perform the first test including one or more instructions to compare one or more first values, associated with an entry in the updated first table, to a first quantity of values to determine whether the first security breach has been attempted,the entry in the updated first table being associated with the first value, the one or more first values including information identifying one or more first ports associated with the device,each first value, of the one or more first values, being a unique port number and being tagged to expire after a first duration of time, andthe first security breach being attempted when the one or more first values exceed the first quantity of values; and
  
  one or more instructions which, when executed by the device, cause the device to perform the second test, based on an evaluation of the updated second table, to determine whether a second security breach has been attempted,the one or more instructions to perform the second test including one or more instructions to compare one or more second values, associated with an entry in the updated second table, to a second quantity of values to determine whether the second security breach has been attempted,the entry in the updated second table being associated with the second value, the one or more second values including information identifying one or more second ports associated with the device, each second value, of the one or more second values, being a unique port number and being tagged to expire after a second duration of time, andthe second security breach being attempted when the one or more second values exceeds the second quantity of values.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory computer-readable medium of claim 8, where the device is associated with a network, andwhere the one or more instructions to obtain the information relating to the one or more network events include:
    - one or more instructions to obtain the information relating to the one or more network events from a security device associated with the network.
  - 10. The non-transitory computer-readable medium of claim 8, the instructions further comprising:
    - one or more instructions to determine that the first security breach has been attempted; and
      
      one or more instructions to notify a security device that the first security breach has been attempted.
  - 11. The non-transitory computer-readable medium of claim 8, the instructions further comprising:
    - one or more instructions to determine that the second security breach has been attempted; and
      
      one or more instructions to cause packets, from a source associated with the second security breach, to be blocked.
  - 12. The non-transitory computer-readable medium of claim 11, where the one or more instructions to cause the packets to be blocked include:
    - one or more instructions to communicate, to a security device, a rule to block the packets from the source associated with the second security breach.
  - 13. The non-transitory computer-readable medium of claim 11, where:
    - the entry, in the updated first table, includes a pointer to the one or more first values; and
      
      the entry, in the updated second table, includes a pointer to the one or more second values.

14. A computer-implemented method comprising:
- obtaining, by a computer device, information relating to one or more network events;
  
  determining, by the device and using the information relating to the one or more network events, an evaluation strategy associated with detecting one or more attempted security breaches;
  
  identifying, by the device and using the evaluation strategy, a plurality of different tests;
  
  generating by the device and using the evaluation strategy;
  
  a first value for a first test of the plurality of different tests, anda second value for a second test of the plurality of different tests;
  
  updating, by the device and using the first value, a first table that is associated with the first test;
  
  updating, by the device and using the second value, a second table that is associated with the second test,the second table being different than the first table;
  
  performing, by the device and based on an evaluation of the updated first table, the first test to determine whether a first security breach has been attempted,performing the first test including comparing one or more first values, associated with an entry in the updated first table, to a first quantity of values to determine whether the first security breach has been attempted,the entry in the updated first table being associated with the first value, the one or more first values including information identifying one or more first ports associated with the device;
  
  each first value, of the one or more first values, being a unique port number and being tagged to expire after a first duration of time, andthe first security breach being attempted when the one or more first values exceed the first quantity of values; and
  
  performing, by the device and based on an evaluation of the updated second table, the second test to determine whether a second security breach has been attempted,performing the second test including comparing one or more second values, associated with an entry in the updated second table, to a second quantity of values to determine whether the second security breach has been attempted,the entry in the updated second table being associated with the second value,the one or more second values including information identifying one or more second ports associated with the device, each second value, of the one or more second values, being a unique port number and being tagged to expire after a first duration of time andthe second security breach being attempted when the one or more second values exceed the second quantity of values.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising:
    - generating a third value based on the information relating to the one or more network events,where determining the evaluation strategy includes determining the evaluation strategy further based on the third value.
  - 16. The method of claim 14, where identifying the plurality of different tests includes:
    - identifying, using the evaluation strategy, a plurality of different types of tests and a quantity of tests.
  - 17. The method of claim 14, where the first value and the second value correspond to a same value, andwhere the method further comprises:
    - evaluating, using the same value, the updated first table and the updated second table.
  - 18. The method of claim 14, further comprising:
    - determining that the first security breach has been attempted after performing the first test; and
      
      notifying a security device that the first security breach has been attempted.
  - 19. The method of claim 14, where the entry, in the updated first table, is associated with the one or more first values.
  - 20. The method of claim 14, where the entry, in the updated second table, is associated with the one or more second values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zuk, Nir
Primary Examiner(s)
Truong, Cam-Y

Application Number

US13/615,903
Publication Number

US 20130067575A1
Time in Patent Office

1,425 Days
Field of Search

707/783, 707/791, 726/23
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Y10S 707/99943 Generating database or data...

Detection of network security breaches based on analysis of network record logs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of network security breaches based on analysis of network record logs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links