Method and system for displaying network security incidents
    1.
    Granted invention patent
    Method and system for displaying network security incidents (in force)

    Publication number: US07644365B2

    Publication date: 2010-01-05

    Application number: US10661224

    Filing date: 2003-09-12

    IPC classification: G06F3/00

    CPC classification: H04L63/1416

    Abstract: A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules, and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information about the network sessions and security incidents to a user of the system in an intuitive form. The user is able not only to learn the details of a possible network attack, but also to create new security event correlation rules intuitively, including drop rules for dropping a particular type of event.

Network security monitoring system
    2.
    Granted invention patent
    Network security monitoring system (in force)

    Publication number: US07483972B2

    Publication date: 2009-01-27

    Application number: US10443946

    Filing date: 2003-05-21

    IPC classification: G06F15/177 G06F11/00

    CPC classification: H04L63/1416

    Abstract: A security monitoring system processes event messages related to computer network security in real time, evaluating inter-event constraints so as to identify combinations of events that are partial solutions to a predefined event correlation rule, and furthermore evaluating combinations of the partial solutions to determine if they together satisfy the predefined event correlation rule. A decision tree is formed based on the rule. Event messages are categorized into groups at leaf nodes of the tree in accordance with a plurality of intra-event constraints, and then the messages are correlated in accordance with a plurality of inter-event constraints at non-leaf nodes of the tree. When the inter-event constraint at the root node of the tree has been satisfied, a network attack alert is issued and protective actions may be taken.

Method and apparatus for determining enforcement security devices in a network topology
    3.
    Granted invention patent
    Method and apparatus for determining enforcement security devices in a network topology (lapsed)

    Publication number: US07082531B1

    Publication date: 2006-07-25

    Application number: US10006291

    Filing date: 2001-11-30

    IPC classification: H04L9/00 H04L12/28 G06F15/173

    CPC classification: H04L41/12 H04L63/0263

    Abstract: Enforcement firewalls and other security devices are located on a network for a given source node and destination node. Nodes in the network topology are programmatically identified as being part of a non-looping communication path between the source node and the destination node. These nodes may be part of a path closure set. Security devices that are part of the path closure set are identified as the enforcement security devices for the given source and destination node.

Method and system for displaying network security incidents
    5.
    Granted invention patent
    Method and system for displaying network security incidents (in force)

    Publication number: US08423894B2

    Publication date: 2013-04-16

    Application number: US12619519

    Filing date: 2009-11-16

    IPC classification: G06F3/00

    CPC classification: H04L63/1416

    Abstract: A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules, and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information about the network sessions and security incidents to a user of the system in an intuitive form. The user is able not only to learn the details of a possible network attack, but also to create new security event correlation rules intuitively, including drop rules for dropping a particular type of event.

Method and system for inline top N query computation
    6.
    Granted invention patent
    Method and system for inline top N query computation (in force)

    Publication number: US07882262B2

    Publication date: 2011-02-01

    Application number: US11207329

    Filing date: 2005-08-18

    CPC classification: G06F17/30386

    Abstract: A system and method of generating an overall top N query result from multiple sets of sessionized network events that correspond to different time periods include identifying a subset within each set of network events whose event attributes satisfy a predefined query, generating an aggregation result table for each identified subset of network events in accordance with an aggregation attribute, identifying matching first and second entries in first and second aggregation result tables that have the same aggregation attribute value, generating a new entry in a query result table by merging the matching first and second entries together, and selecting the entries in the query result table that have the highest session counts as the overall top N query result.

Method of determining intra-session event correlation across network address translation devices
    7.
    Granted invention patent
    Method of determining intra-session event correlation across network address translation devices (in force)

    Publication number: US07797419B2

    Publication date: 2010-09-14

    Application number: US11264286

    Filing date: 2005-10-31

    IPC classification: G06F15/173

    Abstract: An intra-session network correlation system receives a stream of network events and groups the events into different network sessions according to event parameters and corresponding network address translation (NAT) information. An event in the stream is first matched against any existing session, and then categorized using the information about the NAT device that translates the message to which the event is related. Finally, at a predefined time, a categorized event is processed to identify other categorized events in accordance with a NAT message or an expiry timer associated with the categorized event; the categorized event and the identified other categorized events are grouped into the same network session.

Method and apparatus for comparing access control lists for configuring a security policy on a network
    8.
    Granted invention patent
    Method and apparatus for comparing access control lists for configuring a security policy on a network (in force)

    Publication number: US07636937B1

    Publication date: 2009-12-22

    Application number: US10044019

    Filing date: 2002-01-11

    CPC classification: H04L63/0263 G06F21/604

    Abstract: Two or more access control lists that are syntactically or structurally different may be compared for functional or semantic equivalence in order to configure a security policy on a network. A first access control list is programmatically determined to be functionally equivalent to a second access control list for the purpose of configuring or validating security policies on a network. In one embodiment, a box data representation facilitates comparing entries and sub-entries of the lists.

Method and system for inline top N query computation
    9.
    Invention patent application
    Method and system for inline top N query computation (in force)

    Publication number: US20070043703A1

    Publication date: 2007-02-22

    Application number: US11207329

    Filing date: 2005-08-18

    IPC classification: G06F17/30

    CPC classification: G06F17/30386

    Abstract: A system and method of generating an overall top N query result from multiple sets of sessionized network events that correspond to different time periods include identifying a subset within each set of network events whose event attributes satisfy a predefined query, generating an aggregation result table for each identified subset of network events in accordance with an aggregation attribute, identifying matching first and second entries in first and second aggregation result tables that have the same aggregation attribute value, generating a new entry in a query result table by merging the matching first and second entries together, and selecting the entries in the query result table that have the highest session counts as the overall top N query result.

Distributed methodology for approximate event counting
    10.
    Granted invention patent
    Distributed methodology for approximate event counting (in force)

    Publication number: US08510432B2

    Publication date: 2013-08-13

    Application number: US12822842

    Filing date: 2010-06-24

    IPC classification: G06F15/173

    CPC classification: H04L41/069

    Abstract: In a method and system for aggregating event information, events are received at a first plurality of nodes in a distributed system. For the events received at each node, aggregated attribute information is determined in accordance with two or more rules and stored in distinct first tables, each table storing aggregated attribute information for a respective rule of the two or more rules. At each node of the first plurality of nodes, the two or more distinct first tables are transmitted to a respective node of a second set of nodes in the distributed system. At each node of the second set of nodes, two or more distinct second tables are generated by merging the aggregated attribute information in the tables transmitted to that node. Each rule of the two or more rules is evaluated using the aggregated attribute information obtained from the corresponding table among the second tables.