A system for network security transparently occupies an observation port on the data stream, passing the entire range of network information to a dedicated interpreter. The interpreter resolves the data stream into individual data packets, which are then assembled into reconstructed network sessions according to parameters such as protocol type, source and destination addresses, source and destination ports, sequence numbers and other variables. The sessions may carry many different kinds of traffic, such as e-mail, streaming video, voice over Internet and others. The system detects the sessions and stores them in a database. A parser module may extract only the minimum information needed to reconstruct individual sessions. A backend interface permits a systems administrator to interrogate the forensic record of the network for maintenance, security and other purposes. The invention is not constrained to detecting a limited set of data types; it captures and records a comprehensive record of network behavior.
Representative claim
What is claimed is:
1. A system for extracting information from network data, comprising: an input interface connected to at least one source of network data; and a network event sensor, communicating with the input interface, the network event sensor comprising an interpreter module, the interpreter module scanning the network data to generate logical groupings of the network data, and an assembler module, communicating with the interpreter module, the assembler module scanning the logical groupings to generate at least one session object, wherein the network event sensor applies a lexical engine to the at least one session object recursively to identify protocols within other protocols to extract nested or underlying objects encapsulated in one or more different protocols and to identify at least one network event as at least one of a predetermined set of event types.
2. The system of claim 1, wherein the at least one source of network data comprises an observation port connected to a network and continuously capturing network data from the network.
3. The system of claim 2, wherein the observation port comprises a network interface card.
4. The system of claim 3, wherein the network comprises at least one of an Ethernet network, a token ring network, and a TCP/IP network.
5. The system of claim 3, wherein the network interface card is invisible to the network.
6. The system of claim 1, wherein the at least one source of network data comprises stored network data.
7. The system of claim 6, wherein the stored network data comprise at least one of captured network files, Website mirrors, archives of Usenet files, and archives of email files.
8. The system of claim 1, wherein the logical groupings comprise packets.
9. The system of claim 1, wherein the interpreter module removes low-level encoding information from the network data to generate the logical groupings.
10. The system of claim 9, wherein the low-level encoding information removed by the interpreter module comprises hardware addressing information.
11. The system of claim 1, wherein the at least one session object comprises at least one session file.
12. The system of claim 1, wherein the assembler module scans the logical groupings by examining at least one of source address, destination address, sequence numbers, source port, and destination port to generate the at least one session object.
13. The system of claim 1, wherein the lexical engine detects the presence of at least one predefined keyword to identify the at least one of a predetermined set of event types.
14. The system of claim 13, wherein the predetermined set of event types comprises at least one of TCP, IP, UDP, SMTP, HTTP, NNTP, FTP, TELNET, DNS, RIP, BGP, MAIL, NEWS, HTML, XML, PGP, S/MIME, POP, IMAP, V-CARD, ICMP, NetBUI, IPX and SPX.
15. The system of claim 13, wherein the lexical engine accumulates a total number of occurrences for the at least one predefined keyword to identify the event type.
16. The system of claim 15, wherein the lexical engine applies a threshold to the number of occurrences to identify the event type.
17. The system of claim 1, further comprising an extractor module, the extractor module extracting the at least one network event from the at least one session object according to the at least one of a predetermined set of event types.
18. The system of claim 17, wherein the extractor module comprises a library of extractor types, each of the extractor types corresponding to at least one of the at least one of a predetermined set of event types.
19. The system of claim 18, wherein the extractor module stores a minimum subset of the network data to reconstruct the at least one network event.
20. The system of claim 19, wherein the minimum subset of the network data is stored in a database.
21. The system of claim 20, further comprising a presentation module, communicating with the database, the presentation module querying the database for information related to the at least one network event.
22. The system of claim 1, wherein the network event sensor also applies a port detection engine to the network data to identify the at least one network event.
23. The system of claim 1, wherein the at least one source of network data comprises a plurality of sources of network data.
24. A method for extracting information from network data, comprising the steps of: receiving network data from at least one source of network data; scanning the network data to generate logical groupings of the network data; scanning the logical groupings to generate at least one session object; and recursively applying at least a lexical engine to the at least one session object to identify protocols within other protocols to extract nested or underlying objects encapsulated in one or more of the protocols and to identify more than one network event type contained in the at least one session object.
25. The method of claim 24, wherein the at least one source of network data comprises an observation port connected to a network and continuously capturing network data from the network.
26. The method of claim 25, wherein the observation port comprises a network interface card.
27. The method of claim 26, wherein the network comprises at least one of an Ethernet network, a token ring network, and a TCP/IP network.
28. The method of claim 26, wherein the network interface card is invisible to the network.
29. The method of claim 24, wherein the at least one source of network data comprises stored network data.
30. The method of claim 29, wherein the stored network data comprise at least one of captured network files, Website mirrors, archives of Usenet files, and archives of email files.
31. The method of claim 24, wherein the logical groupings comprise packets.
32. The method of claim 24, further comprising a step of removing low-level encoding information from the network data to generate the logical groupings.
33. The method of claim 32, wherein the low-level encoding information comprises hardware addressing information.
34. The method of claim 24, wherein the at least one session object comprises at least one session file.
35. The method of claim 24, wherein the step of scanning the logical groupings comprises a step of examining at least one of source address, destination address, sequence numbers, source port, and destination port to generate the at least one session object.
36. The method of claim 24, further comprising a step of identifying the at least one network event as at least one of a predetermined set of event types.
37. The method of claim 36, wherein the step of identifying comprises a step of detecting the presence of at least one predefined keyword to identify the at least one of a predetermined set of event types.
38. The method of claim 37, wherein the predetermined set of event types comprises at least one of TCP, IP, UDP, SMTP, HTTP, NNTP, FTP, TELNET, DNS, RIP, BGP, MAIL, NEWS, HTML, XML, PGP, S/MIME, POP, IMAP, V-CARD, ICMP, NetBUI, IPX and SPX.
39. The method of claim 37, wherein the step of detecting comprises a step of accumulating a total number of occurrences for the at least one predefined keyword to identify the event type.
40. The method of claim 39, wherein the step of detecting comprises a step of applying a threshold to the number of occurrences to identify the event type.
41. The method of claim 36, further comprising a step of extracting the at least one network event from the at least one session object according to the at least one of a predetermined set of event types.
42. The method of claim 41, wherein the step of extracting comprises a step of selecting at least one extractor module from a library of extractor types, each of the extractor types corresponding to at least one of the at least one of a predetermined set of event types.
43. The method of claim 42, further comprising a step of storing a minimum subset of the network data to reconstruct the at least one network event.
44. The method of claim 43, wherein the step of storing comprises a step of storing the minimum subset of the network data in a database.
45. The method of claim 44, further comprising a step of querying the database for information related to the at least one network event.
46. The method of claim 24, further comprising a step of applying a port detection engine to the network data to identify the at least one network event.
47. The method of claim 24, wherein the at least one source of network data comprises a plurality of sources of network data.
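The pipeline the abstract and claims describe (an assembler keyed on addresses, ports and sequence numbers; a lexical engine that counts keyword occurrences against a threshold; a port detection engine; a library of extractors that keep only the minimum subset needed to reconstruct an event; a queryable store), written out as an added Python example. This is not the patent's own code. The Packet record, the keyword table and its thresholds, the extractors, the lower-port-is-server heuristic and the sample capture are all assumptions constructed for the example; the interpreter stage (claims 9 and 10) is assumed to have already stripped link-layer addressing before packets reach the assembler.

```python
"""Session assembly, recursive lexical protocol identification and extraction,
modelled on claims 1 and 12-22 above. Added example, not the patent's code."""
import re
from collections import defaultdict, namedtuple

# Assumed interpreter output: link-layer addressing already stripped. seq orders
# segments only; overlapping or retransmitted segments are not merged here.
Packet = namedtuple("Packet", "src dst sport dport seq payload")


def assemble(packets):
    """Assembler: group by (client, server) endpoints, order each direction by seq.
    Heuristic: the lower port is the server. Returns {key: client bytes + server bytes}."""
    groups = defaultdict(list)
    for p in packets:
        client, server = sorted([(p.src, p.sport), (p.dst, p.dport)], key=lambda e: -e[1])
        groups[client + server].append(p)
    streams = {}
    for key, pkts in groups.items():
        pkts.sort(key=lambda p: ((p.src, p.sport) != key[:2], p.seq))
        streams[key] = b"".join(p.payload for p in pkts)
    return streams


# Lexical engine table (assumed): keyword patterns per event type and the hit count
# needed before the type is declared present (a lone "GET" in an e-mail is not HTTP).
# Order matters: carriers precede the content they encapsulate, so the first match
# at a level is taken as the outer protocol and its payload is scanned next.
KEYWORDS = {
    "HTTP": ([rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", rb"^HTTP/1\.[01] \d{3} ",
              rb"^Host: ", rb"^Content-Type: "], 2),
    "SMTP": ([rb"^220 ", rb"^EHLO ", rb"^MAIL FROM:", rb"^RCPT TO:", rb"^DATA\r\n", rb"^250 "], 3),
    "HTML": ([rb"<html", rb"<body", rb"<a href=", rb"</html>"], 2),
    "PGP": ([rb"-----BEGIN PGP MESSAGE-----", rb"-----END PGP MESSAGE-----"], 2),
}
PORT_HINTS = {80: "HTTP", 25: "SMTP"}   # port detection engine, keyed by server port


def lexical_scan(data):
    """Event types whose summed keyword occurrences reach their threshold."""
    return [t for t, (pats, thr) in KEYWORDS.items()
            if sum(len(re.findall(p, data, re.M)) for p in pats) >= thr]


# Extractor library: each returns the minimum subset of the stream that reconstructs
# the event; that subset is also the object the engine scans one level down.
def extract_http(data):                           # response body, headers dropped
    m = re.search(rb"^HTTP/1\.[01] \d{3} .*?\r\n\r\n", data, re.M | re.S)
    return data[m.end():] if m else b""


def extract_smtp(data):                           # the message, not the dialogue
    m = re.search(rb"^DATA\r\n(.*?)\r\n\.\r\n", data, re.M | re.S)
    return m.group(1) if m else b""


def extract_pgp(data):                            # the armored block, verbatim
    m = re.search(rb"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", data, re.S)
    return m.group(0) if m else b""


EXTRACTORS = {"HTTP": extract_http, "SMTP": extract_smtp, "PGP": extract_pgp,
              "HTML": lambda d: b"\n".join(re.findall(rb'<a href="([^"]*)"', d))}


def identify(data, depth=0, max_depth=4):
    """Recursive engine: name the outer event type, extract its payload, recurse.
    Stops when nothing matches, the extractor yields nothing new, or depth runs out
    (the guard against an extractor that hands back its own input)."""
    found = lexical_scan(data) if data and depth <= max_depth else []
    if not found:
        return []
    outer, inner = found[0], EXTRACTORS[found[0]](data)
    events = [(outer, depth, inner)]
    if inner and inner != data:
        events += identify(inner, depth + 1, max_depth)
    return events


def record(streams):
    """Database stage: per session, the port hint plus the extracted events."""
    return {k: {"port_hint": PORT_HINTS.get(k[3]), "events": identify(s)}
            for k, s in streams.items()}


def query(db, event_type):
    """Backend query: sessions holding an event of the given type."""
    return [k for k, rec in db.items() if any(e[0] == event_type for e in rec["events"])]


# Constructed sample capture: an HTTP page fetch and an SMTP delivery of a
# PGP-encrypted message, interleaved, with one HTTP response segment out of order.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", 40000, 80, 1,
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.5", "198.51.100.7", 40001, 25, 1,
           b"EHLO laptop\r\nMAIL FROM:<a@x.test>\r\nRCPT TO:<b@y.test>\r\nDATA\r\n"),
    Packet("203.0.113.10", "10.0.0.5", 80, 40000, 2, b'<a href="/login">Login</a></body></html>'),
    Packet("203.0.113.10", "10.0.0.5", 80, 40000, 1,
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>"),
    Packet("10.0.0.5", "198.51.100.7", 40001, 25, 2,
           b"-----BEGIN PGP MESSAGE-----\r\nhQEMA3xyz\r\n-----END PGP MESSAGE-----\r\n.\r\n"),
    Packet("198.51.100.7", "10.0.0.5", 25, 40001, 1,
           b"220 mail.y.test ESMTP\r\n250 OK\r\n250 OK\r\n250 OK\r\n354 Go ahead\r\n250 Queued\r\n"),
]

if __name__ == "__main__":
    db = record(assemble(SAMPLE))
    for key, rec in db.items():
        print(key, rec["port_hint"], [(t, d) for t, d, _ in rec["events"]])
    print("sessions carrying PGP:", query(db, "PGP"))
```

Running it yields HTTP at depth 0 and HTML at depth 1 for the page fetch, and SMTP at depth 0 and PGP at depth 1 for the mail session. Two design points carry over to any real sensor built this way: the keyword threshold is what keeps a single stray "GET" or "220" in a message body from being classified as a protocol, and the recursion must stop when an extractor returns its input unchanged or nothing at all, or a malformed stream can pin the sensor in a loop. The lexical result is kept separately from the port hint rather than replacing it; a disagreement between the two (SMTP keywords on port 80, say) is itself a useful signal for the backend query.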
Patents cited by this patent (38)
McCreery, Timothy David; Zabetian, Mahboud, Apparatus and method of analyzing internet activity.
Kuriacose, Joseph; Jessup, Ansley Wayne, Jr.; Dureau, Vincent; Delpuch, Alain, Apparatus for transmitting and receiving executable applications as for a multimedia system.
Johnson, Dennis F. (Winnipeg, Canada); Marcynuk, Don (Winnipeg, Canada); Holowick, Erwin (Winnipeg, Canada), Communications protocol for remote data generating stations.
Fehskens, Leonard G. (Westboro, MA); Strutt, Colin (Westford, MA); Wong, Steven K. (Chelmsford, MA); Callander, Jill F. (Hudson, MA); Burgess, Peter H. (Salisbury, MA); Nelson, Kathy J. (Nashua, NH); Guertin, Matthew J., Extensible entity management system including rule-based alarms.
Bladow, Chad R.; Devine, Carol Y.; Schwarz, Edward; Shamash, Arieh; Shoulberg, Richard W.; Wood, Jeffrey A., Graphical user interface for Web enabled applications.
Boucher, Laurence B.; Blightman, Stephen E. J.; Craft, Peter K.; Higgen, David A.; Philbrick, Clive M.; Starr, Daryl D., Intelligent network interface system method for protocol processing.
Radia, Sanjay R.; Lim, Swee Boon; Tsirigotis, Panagiotis; Wong, Thomas K.; Goedman, Robert J.; Patrick, Michael W., Method and apparatus for dynamic packet filter assignment.
Copriviza, Robert C. (Tarzana, CA); Dubin, Arnold M. (Calabasas, CA); Ackerman, Edward B. (Encino, CA); Wood, Jackson B. (Tarzana, CA); Eakins, Jeffrey S. (Claremont, CA); Harmon, David D. (Torrance, CA), Method and apparatus for video signal encoding, decoding and monitoring.
Pisello, Thomas (De Bary, FL); Crossmier, David (Casselberry, FL); Ashton, Paul (Oviedo, FL), Network management system having virtual catalog overview of files distributively stored across network domain.
Chen, Ty-Foune (France); Caudrelier, Christian (France); Espie, Eric (France); Reix, Tony (France), Process and system for real-time monitoring of a data processing system for its administration and maintenance support in the operating phase.
Schweitzer, Limor; Givoly, Tal; Black, Damian; Kushnir, Ori, Statistical gathering framework for extracting information from a network multi-layer stack.
Hershey, Paul C. (Manassas, VA); Waclawsky, John G. (Frederick, MD), System and method for a workstation monitoring and control of multiple networks having different protocols.
Ogawa, Stuart S.; Pierce, Kevin R., System and method for data transfer and processing having intelligent selection of processing routing and advanced rout.
LeBrun, Thomas Q. (Dallas); Cage, Kerry (Carrollton); Arnold, Dennis D. (Carrollton, TX), System and method for extraction of data from documents for subsequent processing.
Shwed, Gil (Israel); Kramer, Shlomo (Israel); Zuk, Nir (Israel); Dogon, Gil (Israel); Ben-Reuven, Ehud (Israel), System for securing the flow of and selectively modifying packets in a computer network.
Ginter, Karl L.; Shear, Victor H.; Sibert, W. Olin; Spahn, Francis J.; Van Wie, David M., Systems and methods for secure transaction management and electronic rights protection.
Kanaegami, Atsushi (Kamakura, Japan); Koike, Kazuhiro (Kamakura, Japan); Taki, Hirokazu (Kamakura, Japan); Ohgashi, Hitoshi (Kamakura, Japan), Text search system for locating on the basis of keyword matching and keyword relationship matching.
Watanabe, Yoshikazu; Yamaguchi, Nobuaki; Nomura, Yasuo; Usukura, Rie; Kimura, Atsushi; Shikata, Yasuhito; Mitsubori, Hiroyuki, Information processing apparatus, information processing method, and program.
Atkins, Jeffrey Blair; Dobson, Robert William Albert, Monitoring system for a mobile communication network for traffic analysis using a hierarchial approach.
Christopher, David A.; Hill, Nicholas P.; Weber, Jeffrey G.; Brown, William A.; Meuninck, Troy C., System for monetizing resources accessible to a mobile device server.
Christopher, David A.; Hill, Nicholas Peter; Weber, Jeffrey G.; Brown, William A.; Meuninck, Troy C., System for monetizing resources accessible to a mobile device server.
Christopher, David A.; Hill, Nicholas Peter; Weber, Jeffrey G.; Brown, William A.; Meuninck, Troy C., System for monetizing resources accessible to a mobile device server.
Roberts, Jeffrey S.; Evans, Stephen Scott; Zoran, Michael D.; Reus, Edward F., System for refining network utilization and data block sizes in the transfer of data over a network.
Shannon, Matthew Martin; Decker, Matthew James, Systems and methods for provisioning digital forensics services remotely over public and private networks.
Shannon, Matthew Martin; Decker, Matthew James, Systems and methods for remote access to computer data over public and private networks via a software switch.