Network event capture and retention system
23 Assignments
0 Petitions
Abstract
Methods and apparatus are provided to monitor and analyze activity occurring on a networked computer system. In some embodiments, a method is provided for capturing, in a data structure, at least a portion of a notification describing a network event provided by a node on a computer network, identifying a data element (e.g., an IP address of the node) within the notification, and updating an index and/or summary based on the data element. The data structure may be stored in a file system maintained on a site, and sites may exchange information related to the notification data stored on each. In some embodiments, a query which is issued to a site may be processed using data transferred from other sites, and/or may be split into one or more additional queries which may be transmitted for processing to other sites.
38 Citations
20 Claims
1. A method, comprising:
collecting and storing a plurality of transmission events comprised within a packet payload reported by one or more nodes of a network, into one or more data structures by, ascertaining one or more characteristics of each of one or selected said plurality of transmission events, and creating said one or more data structures based on each of said one or more characteristics, wherein each of said one or more data structures comprises one or more observation records generated from one or more of said plurality of transmission events and stored based on said one or more characteristics;
extracting one or more data elements and at least one data feature comprising content of a message from each of said plurality of transmission events stored in said one or more data structures;
creating one or more indices based on said stored data element, for each or for selected said one or more data structures, wherein at least one of said one or more indices comprises at least one indicator of a location of said one or more data elements; and
creating one or more summaries for said each or of said selected data structures of said one or more data structures, wherein at least one of said one or more summaries comprises one or more data features of said one or more transmission events for determining the presences of at least one or more data features in any of said one or more transmission events or in selected said one or more transmission events.
Dependent claims: 2 to 12.

13. An apparatus, comprising:
a first controller processor, configured to collect and store a plurality of transmission events comprised within a packet payload reported by one or more nodes of a network, into one or more data structures, said first controller processor ascertaining one or more characteristics of each of one or selected said plurality of transmission events, and creating said one or more data structures based on each of said one or more characteristics, wherein each of said one or more data structures comprises one or more observation records generated from one or more of said plurality of transmission events and stored based on said one or more characteristics;
a second controller processor, configured to extract one or more data elements and at least one data feature comprising content of a message from each of said plurality of transmission events stored in said one or more data structures;
a third controller processor, configured to create one or more indices based on said stored data element, for each or for selected said one or more data structures, wherein at least one of said one or more indices comprises at least one indicator of a location of said one or more data elements, and further configured to create one or more summaries for said each of the one or selected of said one or more data structures, wherein at least one of said one or more summaries comprises one or more data features of said one or more transmission events for determining the presences of at least one or more data features in any of said one or selected of said one or more transmission events; and
a memory, configured to store said one or more indices and said one or more summaries.
Dependent claims: 14 to 19.

20. A non-transitory computer-usable medium, comprising computer readable instructions stored thereon for execution by a processor to perform a method comprising:
collecting and storing a plurality of transmission events comprised within a packet payload reported by one or more nodes of a network, into one or more data structures by, ascertaining one or more characteristics of each of one or selected said plurality of transmission events, and creating said one or more data structures based on each of said one or more characteristics, wherein each of said one or more data structures comprises one or more observation records generated from one or more of said plurality of transmission events and stored based on said one or more characteristics;
extracting one or more data elements and at least one data feature comprising content of a message from each of said plurality of transmission events stored in said one or more data structures;
creating one or more indices based on said stored data element, for said each of the one or selected of said one or more data structures, wherein at least one of said one or more indices comprises at least one indicator of a location of said one or more data elements; and
creating one or more summaries for said each of the one or selected data structures of said one or more data structures, wherein at least one of said one or more summaries comprises one or more data features of said one or more transmission events for determining the presences of at least one or more data features in any of said one or more transmission events or in selected said one or more transmission events.
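The following Python sketch is an added illustration of the capture, index and summary pipeline that the abstract and the independent claims describe; it is not code from the patent or its assignee. Constructed notification records (node names, timestamps and messages are made up) are partitioned into data structures by reporting node and day, extracted IP addresses are indexed to their record locations, and a per-structure summary of message tokens lets a query skip structures that cannot contain a term.

```python
import re
from collections import defaultdict

# Constructed sample notifications (not taken from the patent): (reporting node, timestamp, message).
SAMPLE_EVENTS = [
    ("sensor-a", "2024-01-01T10:00:00", "connection from 10.0.0.5 to 10.0.0.9 port 22"),
    ("sensor-b", "2024-01-01T10:00:03", "dns query for example.test from 10.0.0.5"),
    ("sensor-a", "2024-01-02T09:15:00", "failed login from 10.0.0.7"),
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

class EventStore:
    """Observation records partitioned by a characteristic (reporting node and day), a location
    index keyed by extracted IP addresses, and a per-structure summary of message features."""

    def __init__(self):
        self.structures = defaultdict(list)  # (node, day) -> list of observation records
        self.index = defaultdict(list)       # ip -> [(structure key, record position)]
        self.summary = defaultdict(set)      # structure key -> set of message tokens

    def ingest(self, node, ts, message):
        key = (node, ts[:10])                # characteristic that selects the data structure
        records = self.structures[key]
        pos = len(records)
        records.append({"node": node, "ts": ts, "message": message})
        for ip in IP_RE.findall(message):    # data element: IP address, recorded with its location
            self.index[ip].append((key, pos))
        self.summary[key] |= set(message.lower().split())  # data features: message content
        return key, pos

    def lookup_ip(self, ip):
        """Resolve an IP through the index without scanning any structure."""
        return [self.structures[key][pos] for key, pos in self.index.get(ip, [])]

    def candidate_structures(self, feature):
        """Structures whose summary says the feature may be present."""
        return [key for key, feats in self.summary.items() if feature.lower() in feats]

    def search(self, feature):
        """Scan only the candidate structures; all other structures are never read."""
        hits = []
        for key in self.candidate_structures(feature):
            hits.extend(r for r in self.structures[key] if feature.lower() in r["message"].lower())
        return hits

def build_store(events=SAMPLE_EVENTS):
    store = EventStore()
    for node, ts, message in events:
        store.ingest(node, ts, message)
    return store
```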