
TW200837585A - Tracking changing state data to assist in computer network security - Google Patents

Tracking changing state data to assist in computer network security

Info

Publication number
TW200837585A
Authority
TW
Taiwan
Prior art keywords
session
query
time
information
index key
Prior art date
Application number
TW96140097A
Other languages
Chinese (zh)
Inventor
Anurag Singla
Kumar Saurabh
Kenny C Tidwell
Original Assignee
Arcsight Inc
Priority date
Filing date
Publication date
Application filed by Arcsight Inc
Publication of TW200837585A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A session table includes one or more records, where each record represents a session. Session record information is stored in various fields, such as key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations. A session table is associated with a filter, which describes a set of keys that can be used for records in that table. A session table is populated using data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use the session information to modify a session table. A session table is partitioned so that the number of records in each session table partition is decreased. A session table is processed periodically so that active sessions are moved to the current partition.

Description

IX. DESCRIPTION OF THE INVENTION

TECHNICAL FIELD

The present invention relates generally to security information/event management (SIM or SEM) and, in particular, to tracking the changing state data of a network or other real-world system so that the state data can be used in conjunction with security information/events.

BACKGROUND

The field is generally concerned with 1) collecting, from a network and its devices, data that reflects network activity and/or the operation of those devices, and 2) analyzing that data to enhance security. For example, the data can be analyzed to identify an attack on the network or on a network device and to determine which user or machine is responsible. If the attack is in progress, a countermeasure can be carried out to block the attack or mitigate the damage. The data generally originates in a message (for example an event, alert, or alarm) generated by a network device, or in an entry in a log file. Exemplary network devices include firewalls, intrusion detection systems, and servers. The message or entry usually includes a timestamp reflecting when the network activity occurred.

Although an attack can be identified and investigated using only the collected data, additional data, such as network state, is often useful. Network state includes, for example, the various devices in the network and how those devices are connected (for example, the network topology). Each device also has a state. This state includes various attributes, for example hardware attributes (such as the device's Media Access Control (MAC) address), logical attributes (such as the Internet Protocol (IP) address assigned to the device), ownership attributes (such as the person or entity that owns the device), geographic attributes, software attributes (such as the software installed on the device), login attributes (such as the users currently logged in to the device), process attributes (such as the processes currently running on the device), and network attributes (such as the device's active network connections).

Consider a message that has been identified as part of an attack. The message's data can indicate the source device of the attack (for example, by the device's IP address). That IP address can then be used to identify other messages that are part of the same attack. But knowing which device the IP address was assigned to (for example, as indicated by the device's MAC address or hostname) is also useful. If the device/IP address pair is known, any mention of the IP address can be traced back to the device. Furthermore, if the users logged in to the device are known, the device can be traced back to those users. If the users' job functions are known, the users can be traced back to their functions, and those functions can be considered together with the received messages and the actions they describe.

Unfortunately, determining the network's state at any given time is not easy. This is because the state is not constant; it changes over time. In particular, the state of each device changes over time. For example, the IP address assigned to a device can change over time because of different Dynamic Host Configuration Protocol (DHCP) leases, different virtual private networks (VPNs) in use, or network address translation (NAT). As another example, the users logged in to a device can change over time as various people log in and log out. It is therefore useful to know not only the network's current state but also its past state. Since a particular device's attributes can change, knowing the correct attributes at any given point in time is useful for correlating events that involve the same machine or user.

Consider a user on a first machine attempting to log in to a second machine. If the user attempts to log in ten times within five minutes and fails every time, the occurrence is flagged for review because it may indicate an attack. Assume that each failed login produces a message that includes the first machine's IP address. If the first machine has the same IP address for all ten failed logins, an attack is identified. On the other hand, if the first machine changes its IP address during the attack, some messages will indicate a first IP address and others a second IP address. Since neither IP address is used for all ten failed logins, nothing is flagged for review. This is called a false negative.

In this situation, knowing the network's state at the time of the possible attack would be useful. For example, at the time of each failed login message, it would be useful to know which device the IP address was assigned to (for example, according to MAC address or hostname). If that were known, then even though the failed logins came from different IP addresses, the IP addresses could be traced back to the same device and an attack would be identified. This is possible because MAC addresses and hostnames change less often than IP addresses. In other words, IP addresses are more transient than MAC addresses and hostnames.

Note that changing IP addresses can also cause false alarms. Continuing the example above, consider four failed logins from one source device and six failed logins from another source device, each occurring within a five-minute span and directed at the same machine. Although the source devices are different, and they never hold the same IP address at the same time, each device had the same IP address at the moment it caused a failed login. Since this same IP address appears in all ten failed login messages, the occurrence is flagged for review. This is called a false positive.

What is needed is a way to maintain and query changing state data efficiently so that the data can be used in real time in conjunction with security information/events.

SUMMARY

Network state changes over time. In particular, the state of each device changes over time. If a state attribute (for example an Internet Protocol (IP) address) changes over time, then a particular value of that attribute is valid for a particular time period (which we call a "session"). Generally, a session can be thought of as an association between two entities (for example, a device and an IP address, or a person and an asset) that is valid for a particular time period.

Session information can be used on its own or in combination with other information (for example, other data stores or security information/events collected from the network and/or network devices). Session information can be used for correlation, auditing, associating actions with users, associating users with business roles, identifying devices, enforcing company policy according to user and/or role, filtering events, reporting, and so on. For example, session information can be correlated with other information according to rules in order to identify and/or investigate attacks or anomalous behaviour. Security information/events include timestamps reflecting when network activity occurred. When such events are correlated with session information, the session information reflects the sessions that were valid at the times of those timestamps.

For each type of session, a session table is maintained. A session table includes one or more records, where each record represents a session. Session record information is stored in various fields. Collectively, these fields make up a schema for the session information. Each schema includes three kinds of fields: key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations.

A session table can be associated with a filter. The filter describes a set of conditions that defines the data managed by that session table (for example, the set of keys that can be used for records in the table).

Using a filter reduces the time needed to evaluate an event against the available session information, because unnecessary lookups of session information are eliminated.

One way to populate a session table is to use data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use it to modify a session table (for example, by creating, modifying, or terminating a session record). Relying on events to start and end sessions may produce an imprecise session table. Such problems can be resolved by having a rule implicitly modify session boundaries based on the events that have been received.

There may be a delay between the start or end of a session and the time that information is entered into a session table. Sometimes the delay is small. In that case, the session information is available before an attempt is made to correlate a security event with it. Sometimes the delay is large. In that case, the session information may be unavailable, because the attempt to correlate session information for that time interval with various security events has already been made. In one embodiment, the correlation is performed again in that situation so as to make use of the late-arriving session information.

A session table is partitioned so that the number of records in each session table partition is reduced. This reduces the amount of resources needed to execute each query. A session table is processed periodically so that active sessions are moved to the current partition. This feature is called "session roll-up"; it guarantees that a session that is still active will be located in the current partition. In other words, live sessions are rolled up into the current partition so that they are readily available there. Session roll-up reduces the resources needed to access an active session, because only the current partition needs to be queried.

DETAILED DESCRIPTION

The system is described below with reference to various illustrative examples, but those examples should not be taken to limit the broader spirit and scope of the invention. For example, the examples here describe security information/events, session tables, and records, which are one embodiment of the invention. The general concept and reach of the invention are broader and extend to any computer-based or network-based system, to the messages that can be passed to and from the components of that system, and to the data structures that the components of that system can use. The examples are offered in an attempt to further illustrate the invention; they are not intended as an exhaustive set of examples and should not be treated as such.

Some portions of the detailed description that follows are presented in terms of algorithms and symbolic representations of operations on data within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the computer science arts to convey the substance of their work most effectively to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to those quantities. Unless specifically stated otherwise, it will be appreciated that throughout the description, terms such as "processing" or "computing" or "calculating" or "determining" or "displaying" or the like refer to the actions and processes of a computer system or similar electronic computing device that manipulates data represented as physical (electronic) quantities within the computer system's registers and memories and transforms it into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission, or display devices.

One embodiment of the invention is exemplified in computer software, that is, computer-readable instructions that, when executed by one or more computer processors/systems, instruct those processors/systems to perform the specified actions. Such computer software may reside in one or more computer-readable media such as hard disk drives, CD-ROM, DVD-ROM, read-only memory, read-write memory, and so on. Such software may be distributed on one or more of these media, or may be made available for download over one or more computer networks (for example, the Internet). Regardless of format, the computer programming, rendering, and processing techniques described here are merely examples of the types of programming, rendering, and processing techniques that can be used to implement aspects of the invention. Those skilled in the art, referring to the claims accompanying this description, will clearly understand that these examples do not limit the invention in any way.

Introduction to sessions

As explained above, network state is not constant; it changes over time. In particular, the state of each device changes over time. If a state attribute (for example an Internet Protocol (IP) address) changes over time, then a particular value of that attribute is valid for a particular time period (which we call a "session"). The information associated with a session ("session information") includes, for example: a first timestamp indicating the start of the session; a second timestamp indicating the end of the session (if the session has ended); a third timestamp indicating the creation of a session record (described below); and one or more items of data that are valid during the session.

Consider a device that has received an IP address through a Dynamic Host Configuration Protocol (DHCP) lease. The one or more items of data may include a) an IP address (and, if that IP address is not globally unique, a network zone containing it) and b) an indication of the device that received the assigned IP address (for example, the device's hostname and/or Media Access Control (MAC) address). (A network zone is a network segment. A tag identifies a network zone and is used to distinguish private address spaces from one another.) Similarly, consider a device that has received an IP address through a virtual private network (VPN) login. In addition to a) and b) above, the one or more items of data may also include the username used to initiate the VPN login. As another example, consider a device that is characterized by an IP address through network address translation (NAT). Here the one or more items of data may include a) an IP address (and, if that IP address is not globally unique, a network zone containing it) and b) an indication of the device that received the translated IP address (for example, the device's hostname and/or actual IP address and source port).

Sessions can also be used to model other device state attributes. Consider a first device (the "destination device") that allows other users to log in to it from a second device (the "source device"). The one or more items of data may include: a) an IP address of the destination device (and possibly its network zone); b) an indication of the source device (for example, the source device's hostname and/or IP address and network zone); and c) other login information (for example, the username used on the source machine and/or the username used on the destination machine).
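The partitioning and session roll-up described above, as an added example written for this page rather than ArcSight's code. It assumes hour-wide partitions indexed by a session's start time, a plain dictionary per session record, and a constructed set of four device/IP sessions; the scenario shows why a lookup for a live session misses before roll-up and hits afterwards while scanning the current partition only:

```python
# Added example for this page, not ArcSight's code: a session table split into
# partitions by start time, with the periodic "session roll-up" that moves still-
# active sessions into the current partition. Partition width, record layout and
# the sample sessions are assumptions constructed here.
from collections import defaultdict

PARTITION_SECONDS = 3600  # assumption: one partition per hour

class PartitionedSessionTable:
    def __init__(self, width=PARTITION_SECONDS):
        self.width = width
        self.partitions = defaultdict(list)  # partition index -> list of records

    def partition_of(self, ts):
        return ts // self.width

    def insert(self, record):
        """A new record lands in the partition of its start time."""
        self.partitions[self.partition_of(record["start"])].append(record)

    def close(self, key, end):
        """Terminate the active session for `key`, wherever it currently lives."""
        for records in self.partitions.values():
            for rec in records:
                if rec["key"] == key and rec["end"] is None:
                    rec["end"] = end
                    return rec
        return None

    def roll_up(self, now):
        """Session roll-up: move every still-active session out of older
        partitions into the current one. Returns the number of records moved."""
        current = self.partition_of(now)
        moved = 0
        for idx in [i for i in self.partitions if i < current]:
            staying = []
            for rec in self.partitions[idx]:
                if rec["end"] is None:
                    self.partitions[current].append(rec)
                    moved += 1
                else:
                    staying.append(rec)
            self.partitions[idx] = staying
        return moved

    def lookup_active(self, key, now):
        """Fast path for a live session: after roll-up it is guaranteed to be in
        the current partition, so only that partition is scanned."""
        for rec in self.partitions[self.partition_of(now)]:
            if rec["key"] == key and rec["end"] is None:
                return rec
        return None

    def lookup_at(self, key, ts):
        """Historical lookup: a session enclosing `ts` may have been rolled up
        into any later partition, so every partition is scanned."""
        for records in self.partitions.values():
            for rec in records:
                if (rec["key"] == key and rec["start"] <= ts
                        and (rec["end"] is None or ts <= rec["end"])):
                    return rec
        return None

    def sizes(self):
        """Record count per non-empty partition, for inspection."""
        return {i: len(r) for i, r in sorted(self.partitions.items()) if r}

# Constructed device/IP sessions (seconds): two begin in hour 0, two in hour 1;
# beta and delta are still active.
SAMPLE_SESSIONS = [
    {"key": ("corp", "10.0.0.5"), "values": {"hostname": "alpha"}, "start": 100, "end": 1800},
    {"key": ("corp", "10.0.0.6"), "values": {"hostname": "beta"}, "start": 200, "end": None},
    {"key": ("corp", "10.0.0.7"), "values": {"hostname": "gamma"}, "start": 4000, "end": 5000},
    {"key": ("corp", "10.0.0.8"), "values": {"hostname": "delta"}, "start": 4100, "end": None},
]

def build_table():
    table = PartitionedSessionTable()
    for rec in SAMPLE_SESSIONS:
        table.insert(dict(rec))  # copy, so the sample list itself is never mutated
    return table

def demo(now=7300):
    """At `now` (hour 2): the live lookup misses before roll-up and hits after it."""
    table = build_table()
    before = table.lookup_active(("corp", "10.0.0.6"), now)  # None: beta is in partition 0
    moved = table.roll_up(now)                                # beta and delta move to partition 2
    after = table.lookup_active(("corp", "10.0.0.6"), now)   # found in partition 2 alone
    return table, before, moved, after
```

Roll-up is what keeps the fast path honest: `lookup_active` never scans older partitions, so it is only correct if roll-up has run since the current partition began. Historical lookups (`lookup_at`) still scan every partition, because a rolled-up session lives in a later partition than its start time would suggest, and a session that ends after roll-up simply stays where it was moved.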

Although the session information above concerns networks, many different types of information are valid for a particular time period and can therefore be modeled using sessions. For example, information about the physical world can be modeled using sessions. An asset (for example a computer) can be owned by or assigned to a person or entity. A person can be present at a physical location. A telephone number can be assigned to a person. Each of these states is temporary and can therefore be modeled using a session.

Generally, a session can be thought of as an association between two entities (for example, a device and an IP address, or a person and an asset) that is valid for a particular time period. Session information can be used on its own or in combination with other information (for example, other data stores or security information/events collected from the network and/or network devices). Session information can be used for correlation, auditing, associating actions with users, associating users with business roles, identifying devices, enforcing company policy according to user and/or role, filtering events, reporting, and so on. For example, if employees must swipe their identification cards when entering and leaving the office, the following reports could be generated: the average number of hours employees spend at work, and the patterns of times at which employees enter and leave the office.

As another example, session information can be correlated with other information according to rules in order to identify and/or investigate attacks or anomalous behaviour. Recall that security information/events include timestamps reflecting when network activity occurred. When such events are correlated with session information, the session information reflects the sessions that were valid at the times of those timestamps. Exemplary correlations include:

a) Identifying events associated with a particular person. A device/person session table determines which devices are owned by or assigned to that person. A login session table determines which devices those devices have logged in to, which devices have been logged in to from them, and so on. Events originating from those devices are identified.

b) Identifying a login initiated from a location other than the user's location. A login session table determines which usernames and source devices have logged in to a target device. A data store determines which real people correspond to those usernames and where those source devices are located. A location/person session table determines where those real people are located (for example, according to a recent badge or identification card swipe for entering a room or building). The locations of the real people are compared with the locations of the source devices.

c) Determining a moving average of attacks originating from machines that access the network via VPN (by comparing the attack-related IP address contained in the message with the IP addresses in a VPN session table).

d) Determining a moving average of attacks originating from users that access the network via VPN (by comparing the attack-related IP address contained in the message with the IP addresses in a VPN session table). The usernames in the matching records are determined.

e) Identifying the users logged in to a machine when that machine initiated an attack. A message related to the attack includes an indication of the device that initiated the attack and a timestamp indicating when the attack was initiated. A login session table determines which usernames were logged in to that device at that time.

In one embodiment, a rule includes one or more sets of conditions, combined as needed with other constructs (aggregation, grouping, and triggers). A rule can be used in many ways, for example: to evaluate incoming events; to correlate information from different events by using rules and other constructs (such as active lists, session lists, and threat-level computations); to infer meaning about the importance of events; and to initiate real-time actions in response to events.

Correlation and rules are further described in patent application No. 10/308,415, the entire contents of which are incorporated herein by reference.

Architecture for storing session data

For each type of session, a session table is maintained. For example, one session table maintains session information relating devices and IP addresses, while another session table contains session information relating people and assets. A session table includes one or more records, where each record represents a session. For example, a device/IP address session describes a time period during which a particular IP address was assigned to a particular device. This record would be stored in a device/IP address session table. In one embodiment, a session table is similar to a session list, which is a feature of ArcSight™ Enterprise Security Management (ESM) 4.0 (available from ArcSight, Inc. of Cupertino, California).

Recall that session information includes, for example: a first timestamp indicating the start of the session; a second timestamp indicating the end of the session (if the session has ended); a third timestamp indicating the creation of a session record (described below); and one or more items of data that are valid during the session. This information is stored in a session record. The third timestamp indicates when the session record was created. Note that network latency can cause a time gap between the start of a session and the creation of the record corresponding to that session.

Session record information is stored in various fields. Collectively, these fields make up a schema for the session information. Different types of session information may have different schemas. Figure 1 shows exemplary schemas for different types of session information. The schemas shown are DHCP, VPN, NAT, login, and asset ownership. In Figure 1, each rectangle represents a field.

Each schema includes three kinds of fields: key fields, value fields, and timestamp fields. In one embodiment, session information is described as keys and values in order to support query/lookup operations. (Query operations are used to access the information in a session table and are described further below.) In this embodiment, each session table specifies that one or more fields of a record are used as keys ("key fields"). One or more other fields of a record are used as values ("value fields"). For example, in a device/IP address session table, the IP address (and possibly the network zone) can be used as a key, while other information (for example, hostname and MAC address) can be used as the values.

The timestamp fields (including a start time field, an end time field, and a creation time field) each contain a timestamp as described above (unless a session has not yet ended, in which case the end time field is empty). The start time field value and end time field value are used to identify the valid session for a given key at any given instant. For example, given a key and a particular timestamp, if the key maps to multiple records, the appropriate set of value fields is the one whose start time and end time enclose that timestamp.

Figure 1 shows the key fields, timestamp fields, and value fields for each schema. One or more key fields are part of each session information schema.

In this way, the session table maps or binds keys to values: a key-to-value mapping. For example, a session query contains one or more keys ("query keys"), and the query result contains one or more values bound to those keys. Since a session can be thought of as an association between two entities, the key represents one entity and the value represents the other.

Between different sessions (and therefore between different records), the information contained in some fields may be the same. For example, if a first IP address is assigned to a device one day and a second IP address another day, each session record will contain the same information about the device (for example, the device's MAC address or hostname). Likewise, if an IP address is assigned to a first device one day and to a second device another day, each session record will contain the same information about that IP address. If two records contain the same field information and that field information determines the key, then one key needs to map to two different sets of information (one set per session). For example, this functionality can be implemented by placing the sets of session information in a list and letting the key's value be that list. As described above, the start time field value and end time field value are used to identify which session information is valid at any given instant. In one embodiment, according to the start of each session

In one embodiment, a session table is implemented as a hash map. The index key of a lookup is a hash code computed from all of the index key fields. In this embodiment, the hash map's index key can be viewed as a tuple of the index key field values. The hash map's value is a data structure that represents one or more session information sets (a "session interval" data structure; this is similar to chaining in a chained hash table). In one embodiment, an interval tree is used as this data structure, where each item is a session information set. An interval tree is an ordered tree data structure that makes it possible to efficiently find all intervals that overlap a given interval or point.

Here, a session is an interval whose endpoints are the session's start time and end time. To associate a security event with the information in a session table, the relevant session must first be identified. In one embodiment, the event's end time is used to select the appropriate item (session interval) for the security event. If the item is open-ended (that is, the session has not yet terminated), a maximum time is used as the interval's end time. The data structure used to represent the interval tree may vary. In one embodiment, if the expected number of items per table and per index key is limited, an array-based implementation is used.

The memory required to store a session table is proportional to the number of records in the table; the memory requirement grows as O(n), where n is the number of records loaded into the session table. As for lookup time, if m is the number of unique index keys in the session table (according to the index key field tuple) and p is the average number of items per unique index key, then the time required to perform a lookup is O(log p). Here, m*p = O(n).

The common operations performed on a session table, and their time complexity, are as follows: querying a session's value field (for example, for correlation with a given event) is O(log p); updating a record's end time is O(log p); inserting a new record is O(log p). These low time complexities make it possible to query the session table and keep it current in real time, so that session information is available immediately for correlation and so on.

To retrieve the session information applicable to a particular security event, a correlation variable is defined. In one embodiment, this definition includes: a name for the correlation variable; the session table from which the session information is to be retrieved; and a mapping from event fields to the index key fields of that session table. Based on this definition, the corresponding item is identified in the session table and made available for correlation.

Correlation variables can be chained in sequence to access session information from different sources. A user can not only specify multiple data sources from which to look up information but also the order in which those data sources are to be used. For example, the user can specify that if both DHCP information and VPN information are available, the MAC address can be retrieved from either and then combined with information from other sources for correlation.

In one embodiment, a session table can be associated with a filter. The filter describes a set of conditions that define the data managed by the session table (for example, the set of index keys that may be used for records in that table). For example, if the table stores DHCP information and the index keys are IP addresses, the filter may describe a range of IP addresses (for example, the IP addresses that the DHCP server can assign). Using a filter reduces the time required to correlate events against the available session information, because unnecessary lookups of session information are eliminated: the filter avoids consulting a session table for an event for which no session information can be available. In this way, the filter acts as a gatekeeper for queries directed at a table.

In one embodiment, a filter is used as follows. An event requiring a session table lookup is identified. Based on the data in the event, the query index key is determined. Before the lookup, the query index key is tested against the table's filter. If the index key passes the test, the required data may be stored in the table, and the lookup is performed. If the index key fails the test (for example, because the index key is not within the filter's IP address range), the required data is not stored in the table and the lookup is not performed.

A session table can be populated with data in various ways. One way is to import data from a file (for example, an archive). The file can be located on any network device and can contain any type of data in any format (for example, comma-separated value (CSV) format). The file can be exported, for example, by a data store that contains information which needs to be correlated with security information/events. Consider a database containing human resources (HR) information, such as employees and their business roles within an organization. This HR data is exported from the database to a file, and the file is then imported into a session table, so that the data is immediately available for correlation and so on. This data can be used, for example, to enforce a network access policy according to a user's business role rather than according to a device or an IP address.
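The lookup, filter and correlation-variable mechanics described above, as an added Python example (it is not code from the patent or from ArcSight ESM): a session table as a hash map from the index-key tuple to a start-time-sorted list of session information sets, a query by index key and timestamp, a filter that acts as gatekeeper, and a correlation variable that maps event fields onto the table's key fields. The field names, table contents, IP range and the event are constructed for the example; Python's bisect module stands in for the interval tree, and a terminated session is treated as the half-open interval [start, end), so a query at exactly the end time selects the successor session.

```python
from bisect import bisect_right
from datetime import datetime
from ipaddress import ip_address, ip_network

# Stand-in for the "maximum time" used as the end of an open-ended (active)
# session, so that interval tests work uniformly.
MAX_TIME = datetime.max


class SessionTable:
    """Hash map from an index-key tuple to the session information sets
    recorded under that key, each list kept sorted by start time.

    A session information set is a dict holding 'start', 'end' (None while
    the session is active) and the schema's value fields.  bisect over the
    sorted start times gives the O(log p) lookup the description obtains
    from an interval tree; a terminated session is the half-open interval
    [start, end).
    """

    def __init__(self, key_fields, value_fields, key_filter=None):
        self.key_fields = tuple(key_fields)
        self.value_fields = tuple(value_fields)
        # Gatekeeper: predicate over the key tuple.  Keys it rejects are
        # neither stored nor looked up (e.g. the DHCP server's address range).
        self.key_filter = key_filter
        self._map = {}  # key tuple -> (sorted start times, session info sets)

    def _key(self, fields):
        return tuple(fields[f] for f in self.key_fields)

    def accepts(self, fields):
        key = self._key(fields)
        return self.key_filter is None or self.key_filter(key)

    def start_session(self, fields, start, end=None):
        """Insert a new record.  Returns False when the filter rejects the key."""
        if not self.accepts(fields):
            return False
        info = {"start": start, "end": end}
        info.update({f: fields[f] for f in self.value_fields})
        starts, sessions = self._map.setdefault(self._key(fields), ([], []))
        pos = bisect_right(starts, start)  # keep both lists sorted by start
        starts.insert(pos, start)
        sessions.insert(pos, info)
        return True

    def end_session(self, fields, end):
        """Close the most recent active session under this key."""
        _, sessions = self._map.get(self._key(fields), ([], []))
        for info in reversed(sessions):
            if info["end"] is None:
                info["end"] = end
                return True
        return False

    def lookup(self, fields, at):
        """Return the session information sets valid at time `at`.

        A non-overlapping table (DHCP, VPN) yields at most one set; an
        overlapping table (logins) may yield several.
        """
        if not self.accepts(fields):
            return []  # filter as gatekeeper: no lookup for unmanaged keys
        starts, sessions = self._map.get(self._key(fields), ([], []))
        n = bisect_right(starts, at)  # only sessions started at or before `at`
        return [s for s in sessions[:n] if at < (s["end"] or MAX_TIME)]


def correlation_variable(table, field_map):
    """Build a resolver that maps event fields onto the table's key fields and
    looks the session up at the event's end time (the description's choice)."""
    def resolve(event):
        fields = {key_field: event[event_field]
                  for key_field, event_field in field_map.items()}
        return table.lookup(fields, event["end_time"])
    return resolve


def demo():
    """Constructed DHCP and login tables and one constructed security event."""
    t = lambda h: datetime(2007, 10, 12, h)
    dhcp = SessionTable(("ip", "zone"), ("hostname", "mac"),
                        key_filter=lambda k: ip_address(k[0]) in ip_network("192.168.0.0/24"))
    dhcp.start_session({"ip": "192.168.0.1", "zone": "zone1",
                        "hostname": "host1", "mac": "11:11:11:11:11:11"}, t(10))
    dhcp.end_session({"ip": "192.168.0.1", "zone": "zone1"}, t(23))
    dhcp.start_session({"ip": "192.168.0.1", "zone": "zone1",
                        "hostname": "host2", "mac": "22:22:22:22:22:22"}, t(23))
    logins = SessionTable(("ip", "zone"), ("user",))  # overlapping information
    logins.start_session({"ip": "192.168.0.1", "zone": "zone1", "user": "alice"}, t(9))
    logins.start_session({"ip": "192.168.0.1", "zone": "zone1", "user": "bob"}, t(11))
    event = {"src_ip": "192.168.0.1", "src_zone": "zone1", "end_time": t(12)}
    host_of = correlation_variable(dhcp, {"ip": "src_ip", "zone": "src_zone"})
    users_of = correlation_variable(logins, {"ip": "src_ip", "zone": "src_zone"})
    return {
        "host_at_noon": [s["hostname"] for s in host_of(event)],
        "users_at_noon": [s["user"] for s in users_of(event)],
        "host_at_23": [s["hostname"] for s in
                       dhcp.lookup({"ip": "192.168.0.1", "zone": "zone1"}, t(23))],
        # An address outside the filter's range is rejected without a lookup.
        "rejected": dhcp.lookup({"ip": "10.0.0.5", "zone": "zone1"}, t(12)),
    }


if __name__ == "__main__":
    print(demo())
```

The DHCP lookup at noon returns exactly one device, the login lookup returns both users logged in at that instant, and the query for an address the filter does not cover returns nothing without ever touching the map.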

Another way to populate a session table is to use a directory service to retrieve data from a data store. Such directory services can be accessed through various protocols, such as the Lightweight Directory Access Protocol (LDAP) or X.500.

Another way is to use one or more software agents (for example, SmartConnectors from ArcSight, Inc.) to deliver the required data in the form of events. In this case, one or more rules can be used to process those events. Specifically, the rules can extract session data from the events and use it to populate the session table.

Another way is to enter the session data directly into the data structure underlying the session list. For example, if the session list is stored in a database (see below), the session data can be entered directly into the database.

Another way to populate a session table is to use data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use it to modify a session table (for example, to create, modify or terminate a session record). These rules can be executed as events occur ("real-time mode") or against stored past events ("batch mode").

One example of populating a session table from events is DHCP, where DHCP information (for example, lease assignment events) is used to build a DHCP session table. For example, a DHCP acknowledgement message triggers a rule that starts a session (that is, adds a record to the DHCP session table). A DHCP release message triggers a rule that terminates a session (that is, adds an end time to an existing record in the DHCP session table).

Relying on events to start and end sessions can produce an inaccurate session table. For example, network latency can cause events to arrive late and/or out of order. Moreover, some events may never arrive, such as the optional DHCP release message. These problems can be addressed by using rules to implicitly determine session boundaries from the events that have been received. In one embodiment, session boundaries are implicitly determined for non-overlapping session information.

Depending on the type of session information involved, session information can be overlapping or non-overlapping. If session information is non-overlapping, this means that at any instant, for a given index key, there is only one valid session (and therefore only one valid session record). DHCP information is one example of non-overlapping session information, because for a given network zone, an IP address (index key) can be assigned by the DHCP server to only one device (value) at any given instant. The assignment can later change to another device, but by that time the earlier device has released the same IP address. VPN information is another example of non-overlapping session information: on a given network zone, VPN software, depending on its configuration, assigns an IP address to only one user/machine at any given instant.

If session information is overlapping, this means that at any given instant, for a given index key, there can be multiple valid sessions (and therefore multiple valid session records). Login information is one example of overlapping session information, because for a given network zone, multiple users (values) can be logged into one IP address (index key) at any given instant.

The overlapping/non-overlapping nature of session information affects the type of value returned when a session table is queried. For example, if a session table contains non-overlapping information, a successful lookup by index key/timestamp pair returns only one session information set. On the other hand, if a session table contains overlapping information, a successful lookup by index key/timestamp pair returns multiple session information sets (for example, a list whose items are session information sets, as described above).

Implicit determination of session boundaries takes two forms: implicit session termination and implicit session split. Implicit session termination comprises deciding that an existing session has ended even though no session termination event has actually been received. When a session start event arrives that contains the index key of an existing active session, the previous session for that index key is terminated, and a new session is created and started using the information contained in the session start event. (An active session, also called a "live" or "ongoing" session, is a session whose record does not contain an end time timestamp.) This kind of event arrival commonly occurs with DHCP session information, because DHCP servers generally do not log lease expiration events.

In one embodiment, implicit session termination proceeds as follows. When a session start event arrives, its index key fields are determined, and a hash code is generated from the index key values. The relevant session table is checked for a pre-existing active session corresponding to that hash code. If a pre-existing active session is found, that session must have terminated, because the session information cannot overlap. The pre-existing session is terminated by placing a timestamp in the end time field of its session record. A new session (corresponding to the same hash code) is created and started using the information in the session start event.

Example of implicit session termination: according to a record in a session table, an IP address in a given network zone (index key) is assigned to a particular host name and MAC address: (192.168.0.1, international zone 1) => (host name 1, 11:11:11:11:11:11), starting in the afternoon of October 12, 2007. At 11:00 PM on October 12, 2007, a session start event arrives that maps the same IP address in the same zone (index key) to a different device: (192.168.0.1, international zone 1) => (host name 2, 22:22:22:22:22:22). This session start event causes the first session to be terminated (with an end time of 11:00 PM on October 12, 2007) and a second session to be created and started (with a start time of 11:00 PM on October 12, 2007).

Implicit session split takes two forms. In the first form, a session termination event arrives for a session that has already been terminated. If the session termination time in the newly arrived event is earlier than the end time currently stored in the corresponding session record, the new termination time is stored in the session record. This can happen, for example, when the previous termination time was derived by implicit session termination.

Example of implicit session split (first form): according to a record in a session table, a session ended at 11:00 PM on October 12, 2007. A session termination event arrives that corresponds to this session record and indicates a termination time of 10:30 PM on October 12, 2007. The end time in the session record is changed from 11:00 PM on October 12, 2007 to 10:30 PM on October 12, 2007.

In the second form of implicit session split, a session start event or session end event arrives whose timestamp corresponds to an existing session. The existing session can be an ongoing session or a terminated session. If the values stored in the existing session differ from the values stored in the event, the existing session is split, and a new session is created and started in the middle.

Example of implicit session split (second form): according to a session table, a session S1 starts at 1:00 PM on January 1, 2008 and ends at 10:00 PM on January 1, 2008, and a session S2 starts at 11:00 PM on January 1, 2008 and is active. An event arrives indicating that a session S3 exists that started at 6:00 PM on January 1, 2008. Session S1 is split so that it starts at 1:00 PM on January 1, 2008 and ends at 6:00 PM on January 1, 2008. Session S3 is created so that it starts at 6:00 PM on January 1, 2008 and ends at 11:00 PM on January 1, 2008. Session S2 remains an active session starting at 11:00 PM on January 1, 2008.

There may be a delay between the start or end of a session and the time that information is entered into a session table. Sometimes the delay is small. For example, if a session start event is generated by a device in Japan, collecting and processing that event in the United States may take a second or more. In this case, it may be useful to wait before attempting to correlate a security event with the session data. If correlation is attempted too soon, the session data may be out of date or may not yet exist. Waiting to correlate a security event is called "parking" the security event. In one embodiment, if session data exists, the security event is parked for a minimum waiting time, in the expectation that the session data will be updated (if necessary) during that time and will then be available for correlation. In one embodiment, if no session data exists, the security event is parked for a maximum waiting time, in the expectation that the session data will be loaded (if necessary) during that time and will then be available for correlation.
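Implicit session termination and the two forms of implicit session split, as an added Python example that replays the worked examples above (this is example code, not the patent's or ArcSight's implementation). The Session class, the NonOverlappingSessions class and its method names are assumptions made for the example; the start hour of the first DHCP session, which the description does not give, is a constructed 8:00 PM.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Session:
    key: tuple                       # index key, e.g. (ip, zone)
    values: tuple                    # e.g. (hostname, mac)
    start: datetime
    end: Optional[datetime] = None   # None marks an active ("live") session


class NonOverlappingSessions:
    """Session records for one kind of non-overlapping information (e.g. DHCP),
    bucketed by the hash of the index key; at most one live session per key."""

    def __init__(self):
        self._buckets = {}  # hash(key) -> list of Session

    def records(self, key):
        return sorted(self._buckets.setdefault(hash(key), []), key=lambda s: s.start)

    def _containing(self, key, at):
        """The session whose interval [start, end), or [start, live), holds `at`."""
        for s in self.records(key):
            if s.start <= at and (s.end is None or at < s.end):
                return s
        return None

    def on_start_event(self, key, values, at):
        """Start event.  A live session under the same key is implicitly
        terminated at `at` (implicit termination).  A start event that falls
        inside an existing session with different values splits that session
        and opens a new one in the middle (implicit split, second form)."""
        hit = self._containing(key, at)
        if hit is None:
            self._buckets[hash(key)].append(Session(key, values, at))
            return "started"
        if hit.values == values:
            return "unchanged"  # the same session is already recorded
        later = [s for s in self.records(key) if s.start > at]
        # The new session runs until the next recorded session starts; with no
        # later session it inherits the old end (None, i.e. live, when the hit
        # was the active session, which is plain implicit termination).
        new_end = later[0].start if later else hit.end
        hit.end = at
        self._buckets[hash(key)].append(Session(key, values, at, new_end))
        return "terminated" if new_end is None else "split"

    def on_end_event(self, key, at):
        """End event.  Closes the live session, or moves an already stored end
        time earlier when the event says the session ended sooner (implicit
        split, first form, e.g. after an implicitly derived end time)."""
        candidates = [s for s in self.records(key) if s.start <= at]
        if not candidates:
            return "ignored"
        s = candidates[-1]
        if s.end is None or at < s.end:
            s.end = at
            return "ended"
        return "ignored"


def demo():
    """Replays the description's examples with constructed keys and values."""
    oct12 = lambda h, m=0: datetime(2007, 10, 12, h, m)
    key = ("192.168.0.1", "international zone 1")
    dhcp = NonOverlappingSessions()
    dhcp.on_start_event(key, ("host1", "11:11:11:11:11:11"), oct12(20))  # constructed hour
    # Implicit termination: host2 claims the same address at 11 PM.
    r1 = dhcp.on_start_event(key, ("host2", "22:22:22:22:22:22"), oct12(23))
    # Implicit split, first form: a late end event says host1 left at 10:30 PM.
    r2 = dhcp.on_end_event(key, oct12(22, 30))

    jan1 = lambda h: datetime(2008, 1, 1, h)
    k2 = ("192.168.0.2", "international zone 1")
    table = NonOverlappingSessions()
    table.on_start_event(k2, ("hostA",), jan1(13))   # S1 ...
    table.on_end_event(k2, jan1(22))                 # ... 1 PM to 10 PM
    table.on_start_event(k2, ("hostB",), jan1(23))   # S2, live from 11 PM
    # Implicit split, second form: S3 reported inside S1 with other values.
    r3 = table.on_start_event(k2, ("hostC",), jan1(18))
    return dhcp.records(key), r1, r2, table.records(k2), r3


if __name__ == "__main__":
    for item in demo():
        print(item)
```

After the replay, the DHCP bucket holds host1 from 8:00 PM to 10:30 PM and host2 live from 11:00 PM, and the second table holds S1 (1 PM to 6 PM), S3 (6 PM to 11 PM) and S2 (live from 11 PM), as in the description's examples.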
Sometimes the delay is large. For example, session information from an employee badge reader may be imported overnight (for example, in a batch process) rather than loaded in real time (for example, when a badge is swiped). In this case, the session information may arrive late, after correlation between that session information and various security events has already been attempted. In one embodiment, correlation is performed again in this case to take advantage of the late-arriving session information. For example, a correlation rule can be re-executed over a window of past security events (for example, events received during a preceding period). Which correlation rules should be re-executed, and the events against which they are re-executed, are configurable.

Implementation Details

As described above, session data is stored in session tables. Each kind of session data is stored in a separate session table (for example, one session table for DHCP session data and one session table for login session data). For later reference to the session data, session tables are stored in persistent, non-volatile storage (for example, a hard disk drive). In one embodiment, the session tables are stored in a database (for example, a relational database).

The number of records in a session table can grow significantly over time, producing a very large session table. Executing a query against a larger table is much more expensive (in terms of computer resources such as processor time) than executing a query against a smaller table. In one embodiment, a session table is partitioned so that the number of records in each session table partition is reduced, which reduces the resources required to execute each query.

In one embodiment, the session table is partitioned by session start time. Recall that every record in a session table includes a start time timestamp; the value of this timestamp determines the partition in which the record is stored. In one embodiment, each partition represents a 24-hour period. For example, a first partition represents January 1, 2007, 12:00 AM to January 1, 2007, 11:59 PM, and a second partition represents January 2, 2007, 12:00 AM to January 2, 2007, 11:59 PM. In this embodiment, a year's worth of session data is stored in 365 partitions rather than in one huge session table.

Correlation can be performed in batch mode or in real-time mode. In batch mode, security information/events are stored as they are received. The stored security information/events are later correlated with the session information (specifically, the session information that was valid at the timestamps of those events).

In real-time mode, security information/events are correlated with the session information as they are received, in real time or near real time. For this correlation to happen in real time, the session data must be maintained in real time and must support real-time queries. This is difficult to achieve, because thousands of events are generated per minute, and each event may include one or more references to session information (for example, one or more IP addresses to be used to determine the MAC addresses of the devices that were assigned those IP addresses, or one or more host names to be used to determine the users logged into those hosts). For example, an event rate of 5,000 events per second with 2 session references per event produces 10,000 session references per second.

In one embodiment, a portion of a session table is also kept in volatile memory (for example, a cache or random access memory (RAM)) to support faster access for updates and/or queries. For example, if the session table is partitioned in long-term storage, the current partition (or a portion of it) is also stored in volatile memory. In general, the portion of the session table in volatile memory includes the active sessions and may also include sessions that terminated recently (for example, within the last ten minutes). Since most real-time updates and queries concern active sessions and recently terminated sessions, storing these sessions in volatile memory reduces the resources required to perform each update and query. In one embodiment, the portion of the session table kept in volatile memory is initially loaded from long-term storage. The number of records to be stored in volatile memory is configurable.

To keep the session table in long-term storage consistent, updates are collected and periodically applied to the session table. For example, updates are collected over a period of one minute and then applied to the session table in long-term storage.

Even when a session table has been partitioned, locating a particular session can still be expensive. For example, if the start time of a session is not known, every partition must be searched until the session is found. In one embodiment, a session table is processed so that active sessions are moved to the current partition. This feature is called "session roll-up", since the record of an active session is rolled up from a previous partition into the current partition. As a result, the information about active sessions is stored in the current partition (which, as described above, is kept in volatile memory) and is therefore readily available. Session roll-up reduces the resources required to access an active session, because only the current partition needs to be queried. After a roll-up, past partitions contain only terminated sessions and no live session data, so they are easier to delete or archive.

In one embodiment, session roll-up is performed by a scheduled task. The task can be scheduled to run periodically (for example, at every partition boundary if partitioning is by date). The specific period is configurable. If a session extends from one partition into another (for example, because partitions are by date and the session spans two different days), the session is divided at the partition boundary into multiple sessions, and each is stored in a different partition.

For example, consider a first partition representing January 1, 2007, 12:00 AM to January 1, 2007, 11:59 PM, and a second partition representing January 2, 2007, 12:00 AM to January 2, 2007, 11:59 PM. A session starts at 11:00 PM on January 1, 2007 and ends at 1:00 AM on January 2, 2007. Session roll-up divides this session into two sessions: (a) January 1, 2007, 11:00 PM to January 1, 2007, 11:59 PM; and (b) January 2, 2007, 12:00 AM to January 2, 2007, 1:00 AM. Session (a) is stored in the first partition as a terminated session, and session (b) is stored in the second partition (also as a terminated session). If the session concerns DHCP information, then for all events with timestamps between 11:00 PM on January 1, 2007 and 1:00 AM on January 2, 2007, a given IP address and network zone will match the same host name and MAC address regardless of the session split.

As another example, consider a session that started at 2:00 PM on October 1, 2007 and is still in progress on October 5, 2007. Performing session roll-up on October 5, 2007 divides it into five sessions (one for October 1, one for October 2, one for October 3, one for October 4 and one for October 5). The first four sessions are stored as terminated sessions in their respective partitions, while the fifth session (October 5) is stored as an in-progress session in the active partition.

In one embodiment, session roll-up comprises: determining which sessions are active among the sessions that started since the most recent roll-up (or during the previous partition, whichever is earlier); for each such active session, dividing it into multiple sessions at the partition boundary; for the terminated part of a session, adding that part to a past partition so that it ends at the partition boundary time; and for the active part, adding it to the current partition so that it starts at the partition boundary time.

To determine the length of an entire session, the divided sessions can be combined. Specifically, if a session ends at a partition boundary time and the next partition includes a session that starts at that boundary time with the same index key and values, those sessions correspond to one another, and their durations can be combined to determine the duration of the entire (undivided) session.

200837585 包括-開始於該分割區邊 會期,則此等會期互相對庫 ”有同-索引鍵與值的 間以決定整個(未分割)會期之持續㈣。^之“時 以;一;㈣施例中’當-會期係分成多個會期部分時, 某-方式註解每-會期部分以指示其係—更大 分。此有助於在決定一整個r去八 曰/ ⑷ =會期部分。例如,針對每—會期部分向該記錄添加一二 作為另H將整個(未分割)會期的開始時間添加 =針對每一會期部分的記錄。在此範例中,對應的會期部 分除具有相同的索引鍵與值外還將針對整個會期具有相同 的開始時間。 本文所作之以上說明係用於解說該等具體實施例之操作 而無意於限制本發明之範疇。因此,本發明只受隨附申請 專利範圍之限制。從以上說明,熟習此項技術者會明白本 發明之精神及範疇所涵蓋的許多變化。 【圖式簡單說明】 圖1顯示用於不同類型會期資訊之範例性結構描述。 該等圖式僅基於解說目的繪示一具體實施例。熟習此項 技術者從以下說明將容易明白,可使用本文所說明的結構 及方法之替代具體實施例而不背離本文所說明的原理。 126190.doc -32-200837585 Including - starting at the edge of the segment, then these sessions have a mutual-index key and value to determine the duration of the entire (unsegmented) session (four). (4) In the case of the case, when the part-session period is divided into multiple session parts, a certain method is used to annotate each part of the session to indicate its system-larger part. This helps in deciding an entire r to go to 八 / (4) = session part. For example, add one or two to the record for each session period as another H to add the start time of the entire (unsegmented) session to the record for each session portion. In this example, the corresponding session part will have the same start time for the entire session, except for the same index key and value. The above description is provided to illustrate the operation of the specific embodiments and is not intended to limit the scope of the invention. Accordingly, the invention is limited only by the scope of the accompanying claims. From the above description, many variations of the spirit and scope of the invention will be apparent to those skilled in the art. [Simple description of the diagram] Figure 1 shows an exemplary structural description for different types of session information. The drawings depict a specific embodiment for purposes of illustration only. It will be readily apparent to those skilled in the art that the description of the structure and methods described herein may be substituted without departing from the principles described herein. 
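The roll-up, annotation and recombination steps described above, together with the timestamp-plus-key lookup restricted to one partition that the claims below recite, can be implemented in a few dozen lines. The following Python is an added example written for this page; it is not the patent's or ArcSight's code. It assumes one partition per calendar day with midnight as the boundary time, an index key of (IP address, network zone) and a value of (host name, MAC address), and it replays the patent's two worked examples on constructed data. The annotation used is the second variant from the text: each split piece carries the start time of the whole session.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, ...]    # assumed index-key fields, e.g. (IP address, network zone)
Value = Tuple[str, ...]  # assumed value fields, e.g. (host name, MAC address)


@dataclass
class SessionRecord:
    key: Key
    value: Value
    start: datetime
    end: Optional[datetime]  # None while the session is still active
    whole_start: datetime    # annotation: start time of the unsplit session


def partition_of(ts: datetime) -> date:
    """One partition per calendar day, as in the patent's examples (assumption)."""
    return ts.date()


def boundary_after(day: date) -> datetime:
    """Partition boundary that closes `day`: midnight starting the next day."""
    return datetime.combine(day + timedelta(days=1), datetime.min.time())


class SessionTable:
    def __init__(self) -> None:
        self.partitions: Dict[date, List[SessionRecord]] = {}

    def _put(self, rec: SessionRecord) -> None:
        self.partitions.setdefault(partition_of(rec.start), []).append(rec)

    def open_session(self, key: Key, value: Value, start: datetime) -> None:
        self._put(SessionRecord(key, value, start, None, start))

    def find(self, key: Key, ts: datetime) -> Optional[SessionRecord]:
        """Query only the partition selected by the event timestamp (cf. claim 20)."""
        for rec in self.partitions.get(partition_of(ts), []):
            if rec.key == key and rec.start <= ts and (rec.end is None or ts < rec.end):
                return rec
        return None

    def rollup(self, now: datetime) -> None:
        """Split each active session in a past partition at every boundary: terminated
        pieces stay in their past partitions, the open piece moves to the current one."""
        current = partition_of(now)
        for day in sorted(self.partitions):      # sorted() snapshots the keys; _put may add more
            if day >= current:
                break
            keep: List[SessionRecord] = []
            for rec in self.partitions[day]:
                if rec.end is not None:          # already terminated: leave it in place
                    keep.append(rec)
                    continue
                piece_start = rec.start
                while partition_of(piece_start) < current:
                    b = boundary_after(partition_of(piece_start))
                    piece = SessionRecord(rec.key, rec.value, piece_start, b, rec.whole_start)
                    if partition_of(piece_start) == day:
                        keep.append(piece)
                    else:
                        self._put(piece)
                    piece_start = b
                self._put(SessionRecord(rec.key, rec.value, piece_start, None, rec.whole_start))
            self.partitions[day] = keep

    def whole_session(self, key: Key, whole_start: datetime) -> Tuple[datetime, Optional[datetime], int]:
        """Recombine the pieces of a split session using the annotation."""
        pieces = sorted((r for recs in self.partitions.values() for r in recs
                         if r.key == key and r.whole_start == whole_start), key=lambda r: r.start)
        for a, b in zip(pieces, pieces[1:]):     # pieces abut exactly at a boundary, same value
            assert a.end == b.start and a.value == b.value
        return pieces[0].start, pieces[-1].end, len(pieces)


def run_examples() -> Dict[str, object]:
    """Replays the patent's two worked examples on constructed key/value data."""
    key, val = ("10.0.0.5", "corp"), ("host-a", "00:11:22:33:44:55")
    # Example 1: Jan 1 11:00 PM - Jan 2 1:00 AM, rolled up at the Jan 2 boundary.
    t = SessionTable()
    t.open_session(key, val, datetime(2007, 1, 1, 23, 0))
    missed = t.find(key, datetime(2007, 1, 2, 0, 30)) is None   # Jan 2 partition still empty
    t.rollup(datetime(2007, 1, 2, 0, 0))
    hit = t.find(key, datetime(2007, 1, 2, 0, 30))              # now served from the current partition
    hit.end = datetime(2007, 1, 2, 1, 0)                        # session-end event arrives
    s1, e1, n1 = t.whole_session(key, datetime(2007, 1, 1, 23, 0))
    # Example 2: open since Oct 1 2:00 PM, rolled up on Oct 5 while still in progress.
    t2 = SessionTable()
    t2.open_session(key, val, datetime(2007, 10, 1, 14, 0))
    t2.rollup(datetime(2007, 10, 5, 9, 0))
    _, e2, n2 = t2.whole_session(key, datetime(2007, 10, 1, 14, 0))
    closed = sum(r.end is not None for recs in t2.partitions.values() for r in recs)
    return {"missed_before_rollup": missed, "hit_after_rollup": hit.value == val,
            "jan_pieces": n1, "jan_hours": (e1 - s1).total_seconds() / 3600,
            "oct_pieces": n2, "oct_closed": closed, "oct_active": e2 is None,
            "oct_lookup": t2.find(key, datetime(2007, 10, 3, 12, 0)).value == val}


if __name__ == "__main__":
    print(run_examples())
```

The `find` miss before roll-up is the cost the text describes: with the active record still sitting in the January 1 partition, a query that only inspects the partition chosen by the event timestamp finds nothing, and a correct answer would require scanning every partition. After roll-up the same query is answered from the current partition alone, and `whole_session` recovers the full two-hour duration from the two pieces via the shared `whole_start` annotation. In the October case the roll-up leaves four terminated pieces in the past partitions and one open piece in the active one, so those past partitions can be archived without touching live data.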

Claims (1)

1. A method for maintaining state information by using a session table, the session table comprising one or more session records, a session record comprising one or more key fields, one or more timestamp fields and one or more value fields, the method comprising: identifying a security event, wherein the security event comprises a timestamp and information about an operation of a network device; determining a query key based on one or more fields of the security event; querying the session table by using the timestamp and the query key; and returning a query result.

2. The method of claim 1, wherein the session record comprises information extracted from an event.

3. The method of claim 1, wherein the one or more key fields comprise an Internet Protocol (IP) address.

4. The method of claim 1, wherein the one or more value fields comprise one of a host name and a media access control (MAC) address.

5. The method of claim 1, wherein the network device comprises one of a firewall, an intrusion detection system and a server.

6. The method of claim 1, wherein the query key comprises a hash code.

7. The method of claim 1, wherein the session record comprises a first timestamp field indicating a start time and a second timestamp field indicating an end time.

8. The method of claim 7, wherein the end time is determined implicitly based on a session-end event.

9. The method of claim 7, wherein the start time is determined implicitly based on a session-start event.

10. The method of claim 7, wherein querying the session table by using the timestamp and the query key comprises: determining a session record whose start time is earlier than the timestamp and whose end time is later than the timestamp.

11. The method of claim 1, wherein querying the session table by using the timestamp and the query key comprises: testing the query key against a filter associated with the session table.

12. The method of claim 1, wherein querying the session table by using the timestamp and the query key comprises: waiting a minimum amount of time.

13. The method of claim 1, wherein querying the session table by using the timestamp and the query key comprises: waiting a maximum amount of time.

14. The method of claim 1, wherein the session record comprises a timestamp field indicating a creation time of the session record.

15. The method of claim 1, wherein the session table is partitioned.

16. The method of claim 15, wherein querying the session table by using the timestamp and the query key comprises: querying one partition of the session table by using the timestamp and the query key.

17. The method of claim 15, wherein a session record describing a session that extends across a partition boundary is split into multiple session records.

18. The method of claim 17, wherein each of the multiple session records includes an annotation indicating that the record is part of a larger session.

19.

20. The method of claim 1, wherein the session table is partitioned by session start time, and wherein querying the session table by using the timestamp and the query key comprises: determining one partition of the session table based on the timestamp; and querying the determined partition by using the timestamp and the query key.

21. A computer program product for maintaining state information by using a session table, the session table comprising one or more session records, a session record comprising one or more key fields, one or more timestamp fields and one or more value fields, the computer program product comprising a computer-readable medium, the computer-readable medium containing computer program code for performing a method, the method comprising: identifying a security event, wherein the security event comprises a timestamp and information about an operation of a network device; determining a query key based on one or more fields of the security event; querying the session table by using the timestamp and the query key; and returning a query result.

22. An apparatus for maintaining state information by using a session table, the session table comprising one or more session records, a session record comprising one or more key fields, one or more timestamp fields and one or more value fields, the apparatus comprising: a security event module configured to identify a security event, wherein the security event comprises a timestamp and information about an operation of a network device; a query key module configured to determine a query key based on one or more fields of the security event; a query module configured to query the session table by using the timestamp and the query key; and a result module configured to return a query result.
TW96140097A 2006-10-25 2007-10-25 Tracking changing state data to assist in computer network security TW200837585A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US86293206P 2006-10-25 2006-10-25

Publications (1)

Publication Number Publication Date
TW200837585A true TW200837585A (en) 2008-09-16

Family

ID=44820258

Family Applications (1)

Application Number Title Priority Date Filing Date
TW96140097A TW200837585A (en) 2006-10-25 2007-10-25 Tracking changing state data to assist in computer network security

Country Status (1)

Country Link
TW (1) TW200837585A (en)

Similar Documents

Publication Publication Date Title
JP5191492B2 (en) Technology for tracking changing state data to help computer network security
US10867034B2 (en) Method for detecting a cyber attack
CN110650128B (en) System and method for detecting digital currency stealing attack of Etheng
JP2006244499A5 (en)
CN106534164B (en) Effective virtual identity depicting method based on cyberspace user identifier
US20080104021A1 (en) Systems and methods for controlling access to online personal information
CN110096551A (en) Credit data storage method, device, equipment and medium based on block chain
CN103679048B (en) For the data confidentiality in multi-system landscape and the system and method destroyed
US11681719B2 (en) Efficient access of chainable records
CN108268485A (en) A kind of daily record real-time analysis method and system
CN106251114B (en) Method and device for realizing approval in application
CN110147684A (en) For realizing the method and apparatus of block chain data-privacy protection
CN110929229A (en) Block chain-based office document credibility verification method and system
CN115348171A (en) Method, apparatus, device and medium for managing access control list of network device
US8839449B1 (en) Assessing risk of information leakage
CN104881749A (en) Data management method and data storage system for multiple tenants
CN109344173A (en) Data managing method and device, data structure
EP2896006A2 (en) Bidirectional synchronization of communications and crm applications
CN105827619B (en) Crawler in the case of height access closes method
TW200837585A (en) Tracking changing state data to assist in computer network security
JP6454200B2 (en) Communication management method and communication management system
CN101119235B (en) Method and system for positioning client terminal in application service system
CN107342888A (en) The storage method and device of daily record message
CN106682177A (en) Dynamic display method of service record information
CN108540471B (en) Mobile application network traffic clustering method, computer readable storage medium and terminal