公开(公告)号：WO2008052133A2

公开(公告)日：2008-05-02

申请号：PCT/US2007/082560

申请日：2007-10-25

Applicant: ARCSIGHT, INC. ,  SINGLA, Anurag ,  SAURABH, Kumar ,  TIDWELL, Kenny, C.

Inventor： SINGLA, Anurag ,  SAURABH, Kumar ,  TIDWELL, Kenny, C.

IPC: G06F17/30

CPC classification number: G06F17/30333 ,  G06F17/30492 ,  G06F17/30551 ,  H04L29/12783 ,  H04L61/35 ,  H04L63/1408 ,  H04L63/20 ,  H04L67/142

Abstract: A session table includes one or more records, where each record represents a session. Session record information is stored in various fields, such as key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations. A session table is associated with a filter, which describes a set of keys that can be used for records in that table. A session table is populated using data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use the session information to modify a session table. A session table is partitioned so that the number of records in each session table partition is decreased. A session table is processed periodically so that active sessions are moved to the current partition.

Abstract translation: 会话表包括一个或多个记录，其中每个记录表示会话。 会话记录信息存储在各种字段中，例如键字段，值字段和时间戳字段。 会话信息被描述为键和值以支持查询/查找操作。 会话表与过滤器相关联，过滤器描述了可用于该表中的记录的一组密钥。 使用安全信息/事件中包含的数据填充会话表。 创建规则以识别与会话信息相关的事件，提取会话信息，并使用会话信息来修改会话表。 会话表被分区，使得每个会话表分区中的记录数量减少。 周期性地处理会话表，以便将活动会话移动到当前分区。

公开(公告)号：WO2008052133A3

公开(公告)日：2008-09-04

申请号：PCT/US2007082560

申请日：2007-10-25

Applicant: ARCSIGHT INC ,  SINGLA ANURAG ,  SAURABH KUMAR ,  TIDWELL KENNY C

Inventor： SINGLA ANURAG ,  SAURABH KUMAR ,  TIDWELL KENNY C

IPC: H04L9/00

CPC classification number: G06F17/30333 ,  G06F17/30492 ,  G06F17/30551 ,  H04L29/12783 ,  H04L61/35 ,  H04L63/1408 ,  H04L63/20 ,  H04L67/142

Abstract: A session table includes one or more records, where each record represents a session. Session record information is stored in various fields, such as key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations. A session table is associated with a filter, which describes a set of keys that can be used for records in that table. A session table is populated using data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use the session information to modify a session table. A session table is partitioned so that the number of records in each session table partition is decreased. A session table is processed periodically so that active sessions are moved to the current partition.

Abstract translation: 会话表包含一个或多个记录，其中每个记录代表一个会话。 会话记录信息存储在各个字段中，如关键字段，值字段和时间戳字段。 会话信息被描述为键和值以支持查询/查找操作。 会话表与过滤器相关联，该过滤器描述可用于该表中的记录的一组密钥。 会话表使用安全信息/事件中包含的数据填充。 创建规则以识别与会话信息相关的事件，提取会话信息并使用会话信息修改会话表。 会话表被分区，以便减少每个会话表分区中的记录数。 会话表会定期处理，以便将活动会话移动到当前分区。

公开(公告)号：WO2005107424A3

公开(公告)日：2006-03-02

申请号：PCT/US2005015933

申请日：2005-05-04

Applicant: ARCSIGHT INC ,  SAURABH KUMAR ,  TIDWELL KENNY

Inventor： SAURABH KUMAR ,  TIDWELL KENNY

IPC: H04L29/06 ,  G06F1/00 ,  G06F21/00 ,  H04L9/00

CPC classification number: H04L63/1416 ,  G06F21/552

Abstract: Patterns can be discovered in security events collected by a network security system (10). In one embodiment, the present invention includes collecting and storing security events from a variety of monitor devices (12).In one embodiment , a subset of the stored security events is provided to a manager (14) as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.

Abstract translation: 在网络安全系统（10）收集的安全事件中可以发现模式。 在一个实施例中，本发明包括收集和存储来自各种监视器设备（12）的安全事件。在一个实施例中，所存储的安全事件的子集作为事件流提供给管理器（14）。 在一个实施例中，本发明还包括管理器发现事件流中的一个或多个先前未知的事件模式。

公开(公告)号：WO2005107424A2

公开(公告)日：2005-11-17

申请号：PCT/US2005/015933

申请日：2005-05-04

Applicant: ARCSIGHT, INC. ,  SAURABH, Kumar ,  TIDWELL, Kenny

Inventor： SAURABH, Kumar ,  TIDWELL, Kenny

IPC: G06F21/00 ,  H04L9/00 ,  H04L29/06

CPC classification number: H04L63/1416 ,  G06F21/552

Abstract: Patterns can be discovered in security events collected by a network security system. In one embodiment, the present invention includes collecting and storing security events from a variety of monitor devices. In one embodiment, a subset of the stored security events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.

Abstract translation: 在网络安全系统收集的安全事件中可以发现模式。 在一个实施例中，本发明包括收集和存储来自各种监视器装置的安全事件。 在一个实施例中，存储的安全事件的子集作为事件流被提供给管理器。 在一个实施例中，本发明还包括管理器发现事件流中的一个或多个先前未知的事件模式。