TRACKING CHANGING STATE DATA TO ASSIST IN COMPUTER NETWORK SECURITY
    1.
    Invention patent application; status: under examination, published

    Publication No.: WO2008052133A2

    Publication date: 2008-05-02

    Application No.: PCT/US2007/082560

    Filing date: 2007-10-25

    Abstract: A session table includes one or more records, where each record represents a session. Session record information is stored in various fields, such as key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations. A session table is associated with a filter, which describes a set of keys that can be used for records in that table. A session table is populated using data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use the session information to modify a session table. A session table is partitioned so that the number of records in each session table partition is decreased. A session table is processed periodically so that active sessions are moved to the current partition.

    MERGING MULTI-LINE LOG ENTRIES
    2.
    Invention patent application; status: under examination, published

    Publication No.: WO2007118096A2

    Publication date: 2007-10-18

    Application No.: PCT/US2007/065886

    Filing date: 2007-04-03

    Abstract: A system and method for building merged events from log entries received from multiple devices. Multiple log events generally contribute to a single merged event. In the described embodiment, the mapping module receives log entries associated with specific merged events and maps them to fields in the merged event data structure in accordance with mapping properties. The described embodiments of the invention use regular expressions in the merge properties to describe values that are searched for in the received log entries. A described embodiment of the present invention gives the mapping module access to the event under construction. A new conditional operator, _oneOf, is introduced that selects the first token that is bound to a value out of a list of tokens.

    ENABLING FASTER FULL-TEXT SEARCHING USING A STRUCTURED DATA STORE
    3.
    Invention patent application; status: under examination, published

    Publication No.: WO2011057259A1

    Publication date: 2011-05-12

    Application No.: PCT/US2010/056015

    Filing date: 2010-11-09

    Abstract: A traditional structured data store is leveraged to provide the benefits of an unstructured full-text search system. A fixed number of "extended" columns is added to the traditional structured data store to form an "enhanced structured data store" (ESDS). The extended columns are independent of any regular columnar interpretation of the data and enable the data that they store to be searched using standard full-text query syntax/techniques that can be executed faster (as opposed to SQL syntax). In other words, the added columns act as a search index. A token is stored in an appropriate extended column based on that token's hash value. The hash value is determined using a hashing scheme, which operates based on the value of the token, rather than the meaning of the token. This enables subsequent searches to be expressed as full-text queries without degrading the ensuing search to a brute force scan.

    PATTERN DISCOVERY IN A NETWORK SECURITY SYSTEM
    4.
    Invention patent application; status: under examination, published

    Publication No.: WO2005107424A3

    Publication date: 2006-03-02

    Application No.: PCT/US2005015933

    Filing date: 2005-05-04

    CPC classification number: H04L63/1416 G06F21/552

    Abstract: Patterns can be discovered in security events collected by a network security system (10). In one embodiment, the present invention includes collecting and storing security events from a variety of monitor devices (12). In one embodiment, a subset of the stored security events is provided to a manager (14) as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.

    EXTRACTING INFORMATION FROM UNSTRUCTURED DATA AND MAPPING THE INFORMATION TO A STRUCTURED SCHEMA USING THE NAIVE BAYESIAN PROBABILITY MODEL
    5.
    Invention patent application; status: under examination, published

    Publication No.: WO2011032094A1

    Publication date: 2011-03-17

    Application No.: PCT/US2010/048641

    Filing date: 2010-09-13

    CPC classification number: G06N7/005

    Abstract: An "unstructured event parser" analyzes an event that is in unstructured form and generates an event that is in structured form. A mapping phase determines, for a given event token, possible fields of the structured event schema to which the token could be mapped and the probabilities that the token should be mapped to those fields. Particular tokens are then mapped to particular fields of the structured event schema. By using the Naive Bayesian probability model, a "probabilistic mapper" determines, for a particular token and a particular field, the probability that the token maps to that field. The probabilistic mapper can also be used in a "regular expression creator" that generates a regex that matches an unstructured event and a "parameter file creator" that helps a user create a parameter file for use with a parameterized normalized event generator to generate a normalized event based on an unstructured event.

    REAL-TIME IDENTIFICATION OF AN ASSET MODEL AND CATEGORIZATION OF AN ASSET TO ASSIST IN COMPUTER NETWORK SECURITY

    Publication No.: WO2008052135A3

    Publication date: 2008-05-02

    Application No.: PCT/US2007/082562

    Filing date: 2007-10-25

    Abstract: A unique identifier is assigned to a network node and is used to obtain an "asset model" corresponding to the node and to determine whether the node is a member of a particular category. An asset model is a set of information about a node (e.g., the node's role within the enterprise, software installed on the node, and known vulnerabilities/weaknesses of the node). An identifier lookup module determines a node's identifier based on characteristics of the node (such as IP address, host name, network zone, and/or MAC address), which are used as keys into lookup data structures. A category lookup module determines whether a particular node is a member of (i.e., within) a particular category using a transitive closure to model the categories (properties) that can be attached to an asset model. A transitive closure for a particular asset category is stored as a bitmap, similar to bitmap indexing.

    SPECIFYING A PARSER USING A PROPERTIES FILE
    7.
    Invention patent application; status: under examination, published

    Publication No.: WO2010138818A8

    Publication date: 2011-02-17

    Application No.: PCT/US2010036580

    Filing date: 2010-05-28

    CPC classification number: G06F17/271 G06F8/427

    Abstract: A system for generating a parser and using the parser to parse a target file includes a target file description, an output format description, a Parser generator, a Parser, a target file, and a result object. The target file description and the output format description are included in one or more "properties files", which are text files that include one or more name/value pairs ("properties"). The target file description and the output format description are input into the Parser generator, which outputs the Parser. The target file is input into the Parser, which outputs the result object. The target file description specifies one or more parsers and/or tokenizers that can be used to parse the target file. The parsers and/or tokenizers specified by the target file description are part of the generated Parser. These parsers and/or tokenizers make the Parser more flexible, which enables the Parser to parse semi-structured data.

    MERGING MULTI-LINE LOG ENTRIES
    8.
    Invention patent application; status: under examination, published

    Publication No.: WO2007118096A3

    Publication date: 2008-09-25

    Application No.: PCT/US2007065886

    Filing date: 2007-04-03

    Abstract: A system and method for building merged events from log entries received from multiple devices. Multiple log events generally contribute to a single merged event. In the described embodiment, the mapping module (120) receives log entries associated with specific merged events and maps them to fields in the merged event data structure in accordance with mapping properties (122). The described embodiments of the invention use regular expressions in the merge properties (112) to describe values that are searched for in the received log entries. A described embodiment of the present invention gives the mapping module access to the event under construction. A new conditional operator, _oneOf, is introduced that selects the first token that is bound to a value out of a list of tokens.

    TRACKING CHANGING STATE DATA TO ASSIST IN COMPUTER NETWORK SECURITY
    9.
    Invention patent application; status: under examination, published

    Publication No.: WO2008052133A3

    Publication date: 2008-09-04

    Application No.: PCT/US2007082560

    Filing date: 2007-10-25

    Abstract: A session table includes one or more records, where each record represents a session. Session record information is stored in various fields, such as key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations. A session table is associated with a filter, which describes a set of keys that can be used for records in that table. A session table is populated using data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use the session information to modify a session table. A session table is partitioned so that the number of records in each session table partition is decreased. A session table is processed periodically so that active sessions are moved to the current partition.

    STORING LOG DATA EFFICIENTLY WHILE SUPPORTING QUERYING TO ASSIST IN COMPUTER NETWORK SECURITY

    Publication No.: WO2008083267A3

    Publication date: 2008-07-10

    Application No.: PCT/US2007/089027

    Filing date: 2007-12-28

    Abstract: A logging system includes an event receiver and a storage manager. The receiver receives log data, processes it, and outputs a data "chunk." The manager receives data chunks and stores them so that they can be queried. The receiver includes buffers that store events and a metadata structure that stores metadata about the contents of the buffers. The metadata includes a unique identifier associated with the receiver, the number of events in the buffers, and, for each "field of interest," a minimum value and a maximum value that reflect the range of values of that field over all of the events in the buffers. A chunk includes the metadata structure and a compressed version of the contents of the buffers. The metadata structure acts as a search index when querying event data. The logging system can be used in conjunction with a security information/event management (SIEM) system.
