A system for and method of extracting information from multiple sessions of disparate protocols into a common language is disclosed. A method of creating a record conforming to an event-based language is also disclosed. A system configured to create a record conforming to an event-based language is also disclosed.
Citations

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5191525 | Jan 16, 1990 | Mar 2, 1993 | Digital Image Systems, Corporation | System and method for extraction of data from documents for subsequent processing |
| US5297039 | Jan 27, 1992 | Mar 22, 1994 | Mitsubishi Denki Kabushiki Kaisha | Text search system for locating on the basis of keyword matching and keyword relationship matching |
| US5319453 | Jun 22, 1989 | Jun 7, 1994 | Airtrax | Method and apparatus for video signal encoding, decoding and monitoring |
| US5327544 | Aug 29, 1991 | Jul 5, 1994 | AT&T Bell Laboratories | Method and apparatus for designing gateways for computer networks |
| US5475838 | Nov 30, 1993 | Dec 12, 1995 | Digital Equipment Corporation | Extensible entity management system including rule-based alarms |
| US5495607 | Nov 15, 1993 | Feb 27, 1996 | Conner Peripherals, Inc. | Network management system having virtual catalog overview of files distributively stored across network domain |
| US5568471 | Sep 6, 1995 | Oct 22, 1996 | International Business Machines Corporation | System and method for a workstation monitoring and control of multiple networks having different protocols |
| US5673252 | May 26, 1995 | Sep 30, 1997 | Itron, Inc. | Communications protocol for remote data generating stations |
| US5696899 | Nov 18, 1992 | Dec 9, 1997 | Canon Kabushiki Kaisha | Method and apparatus for adaptively determining the format of data packets carried on a local area network |
| US5715397 | Dec 2, 1994 | Feb 3, 1998 | Autoentry Online, Inc. | System and method for data transfer and processing having intelligent selection of processing routing and advanced routing features |
| US5787253 | May 28, 1996 | Jul 28, 1998 | The AG Group | Apparatus and method of analyzing internet activity |
| US5790799 | Jun 9, 1997 | Aug 4, 1998 | Digital Equipment Corporation | System for sampling network packets by only storing the network packet that its error check code matches with the reference error check code |
| US5796942 | Nov 21, 1996 | Aug 18, 1998 | Computer Associates International, Inc. | Method and apparatus for automated network-wide surveillance and security breach intervention |
| US5802303 | Aug 1, 1995 | Sep 1, 1998 | Hitachi, Ltd. | Monitor data collecting method for parallel computer system |
| US5819034 | Apr 28, 1994 | Oct 6, 1998 | Thomson Consumer Electronics, Inc. | Apparatus for transmitting and receiving executable applications as for a multimedia system |
| US5825775 | Mar 27, 1997 | Oct 20, 1998 | Bay Networks, Inc. | Method and apparatus for managing an integrated router/hub |
| US5835726 | Jun 17, 1996 | Nov 10, 1998 | Check Point Software Technologies Ltd. | System for securing the flow of and selectively modifying packets in a computer network |
| US5848233 | Dec 9, 1996 | Dec 8, 1998 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
| US5850523 | Jun 21, 1996 | Dec 15, 1998 | National Instruments Corporation | Method and system for monitoring fieldbus network with multiple packet filters |
| US5892900 | Aug 30, 1996 | Apr 6, 1999 | InterTrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
| US5982994 | Jul 8, 1996 | Nov 9, 1999 | Fujitsu Limited | Network printer apparatus and LAN network system |
| US6021437 | Jul 14, 1997 | Feb 1, 2000 | Bull S.A. | Process and system for real-time monitoring of a data processing system for its administration and maintenance support in the operating phase |
| US6269447 | Jul 19, 1999 | Jul 31, 2001 | Raytheon Company | Information security analysis system |
| US6370587 | Jan 22, 1999 | Apr 9, 2002 | Kabushiki Kaisha Toshiba | Network interconnection device |
| US6529954 | Jun 29, 1999 | Mar 4, 2003 | Wandell & Goltermann Technologies, Inc. | Knowledge based expert analysis system |
Claims

1. A method of extracting information from a network session comprising a plurality of packets to create a record conforming to an event-based language comprising the steps of:
- receiving a session comprising a plurality of packets that have previously been exchanged in a session between a first entity and a second entity;
- extracting information from the session;
- translating the information into an event statement describing an event between a first entity and a second entity;
- creating a record containing the event statement, wherein the event statement describes an application used for the event, and an action describing the event;
- further translating the information into a session statement describing the session of which the event is a part, wherein the record also contains the session statement;
- translating the information into a property statement describing properties of the event, wherein the record also contains the property statement;
- translating the information into a route statement describing a route through a network traveled by the event, the session or a part of the session, wherein the record also contains the route statement;
- translating the information into an alias statement describing additional information related to an identity of the first entity or the second entity, wherein the record also contains the alias statement;
- wherein the record is a condensed and simple representation of the session from which the information was extracted,
- wherein at least the translating steps are performed in an analyzer that is in communication with a parser.
2. The method of claim 1, wherein the first entity and the second entity comprise one of the following entities: IP, IP-port, IP-user, IP-resource, host, host-port, host-user, or host-resource.
3. The method of claim 1, wherein the event statement describes the first entity and the second entity.
4. The method of claim 3, wherein the record conforms to the following structure:
- “ was seen to with .”
5. The method of claim 3, wherein the application is one of the following application types: FTP, Telnet, SMTP, Domain Name Service, DHCP, AOL™ Instant Messenger, Yahoo™ Instant Messenger, HTTP, POP-2, POP-3, NNTP, Microsoft RPC, Netbios, MS File Access, SNMP, RIP, MS Instant Messenger, Lotus Notes™, Sybase™ Database, MSSQL™ Database, Oracle™ Database, Lotus Sametime™, Unix™ File Access, or IRC.
6. The method of claim 3, wherein the event statement further contains one of the following content types: Mail, HTML, DCARD, SMIME, or PGP.
7. The method of claim 3, wherein the action includes at least one of the following action types: User Login, User Logoff, Get Resource, Put Resource, Delete Resource, Send Message, Receive Message, Read Message, Delete Message, Database Query, User Login Response, User Logoff Response, Get Resource Response, Delete Resource Response, Send Message Response, Read Message Response, or Database Query Response.
8. The method of claim 1, wherein the properties of the event include at least one of the following property types: an application used, a subject of the event, or a database queried.
9. The method of claim 1, wherein the alias statement contains at least one of the following alias types: IP-Alias or User-Alias.
10. The method of claim 1, wherein the record includes metadata about the session.
11. The method of claim 10, wherein the record includes metadata about properties of the session.
12. The method of claim 11, wherein the metadata about properties of the session comprises a global property name.
13. The method of claim 1, wherein the session statement comprises times that the session of which the event is a part began and ended, a size of the session and a service type of the session.
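The following is an added worked example, not code from the patent or its assignee, showing the parser/analyzer split of claim 1 and the five statement types (event, session, property, route, alias) applied to one FTP session. The entity types (claim 2), application and action names (claims 5 and 7), alias types (claim 9) and session fields (claim 13) are taken from the claims; everything else is an assumption: the packet fields, the constructed FTP exchange and alias directories, the mapping from FTP verbs and reply codes to action types, the TTL-based hop estimate in the route statement, and the placeholder order "<first entity> was seen to <action> with <second entity>" for the claim 4 template, whose placeholders are elided on the page.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, Iterator, List, Tuple

@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds (assumed field)
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int       # IP TTL seen at the sensor; used only for the route statement (assumption)
    payload: bytes

CLIENT, SERVER, FTP_PORT = "10.0.0.5", "192.0.2.10", 21

# Constructed FTP control-channel session (sample input, not a real capture).
SESSION: List[Packet] = [
    Packet(100.00, SERVER, FTP_PORT, CLIENT, 40001, 62, b"220 ftp ready\r\n"),
    Packet(100.05, CLIENT, 40001, SERVER, FTP_PORT, 61, b"USER alice\r\n"),
    Packet(100.10, SERVER, FTP_PORT, CLIENT, 40001, 62, b"331 password required\r\n"),
    Packet(100.15, CLIENT, 40001, SERVER, FTP_PORT, 61, b"PASS hunter2\r\n"),
    Packet(100.20, SERVER, FTP_PORT, CLIENT, 40001, 62, b"230 login ok\r\n"),
    Packet(100.30, CLIENT, 40001, SERVER, FTP_PORT, 61, b"RETR report.pdf\r\n"),
    Packet(100.35, SERVER, FTP_PORT, CLIENT, 40001, 62, b"150 opening data connection\r\n"),
    Packet(101.00, SERVER, FTP_PORT, CLIENT, 40001, 62, b"226 transfer complete\r\n"),
]

# Constructed directories backing the alias statement (claim 9: IP-Alias, User-Alias).
IP_ALIAS = {CLIENT: "alice-laptop.example.test"}
USER_ALIAS = {"alice": "alice@example.test"}

# Action types are those listed in claim 7; which FTP verb/reply maps to which is an assumption.
ACTION_OF = {"PASS": "User Login", "RETR": "Get Resource", "QUIT": "User Logoff"}
RESPONSE_OF = {"230": "User Login Response", "226": "Get Resource Response",
               "221": "User Logoff Response"}

def parse_ftp(session: List[Packet]) -> Iterator[Tuple[str, str, str]]:
    """Parser step: one (direction, verb-or-reply-code, argument) tuple per control-channel line."""
    for p in session:
        line = p.payload.decode("ascii", errors="replace").strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        yield ("c2s" if p.dport == FTP_PORT else "s2c"), verb.upper(), arg

def event_statement(first: str, action: str, second: str) -> Dict[str, str]:
    """Event statement per claims 1, 3 and 4: both entities, the application and the action."""
    return {"first": first, "application": "FTP", "action": action, "second": second,
            "text": f"{first} was seen to {action} with {second}"}

def analyze(session: List[Packet]) -> Dict[str, Any]:
    """Analyzer step: translate the parsed session into a record holding all five statement types."""
    user, resource, events = "?", None, []
    server_entity = f"IP-port:{SERVER}:{FTP_PORT}"     # entity types from claim 2
    for direction, verb, arg in parse_ftp(session):
        client_entity = f"IP-user:{CLIENT}/{user}"
        if verb == "USER":
            user = arg
        elif direction == "c2s" and verb in ACTION_OF:
            if verb == "RETR":
                resource = arg
            # The PASS argument is deliberately not copied: the record keeps the action, not the secret.
            events.append(event_statement(client_entity, ACTION_OF[verb], server_entity))
        elif direction == "s2c" and verb in RESPONSE_OF:
            events.append(event_statement(server_entity, RESPONSE_OF[verb], client_entity))
    # Route statement: hops from each endpoint to the sensor, assuming both start with TTL 64.
    hops = {p.src: 64 - p.ttl for p in session}
    return {
        "events": events,
        # Session statement fields are those of claim 13; size is summed payload bytes (assumption).
        "session": {"began": min(p.ts for p in session), "ended": max(p.ts for p in session),
                    "size": sum(len(p.payload) for p in session), "service": "FTP"},
        # Property statement: application used (claim 8); the fetched resource name is an added property.
        "properties": {"application": "FTP", "resource": resource},
        "route": {"sensor": "sensor-1", "hops_to_sensor": hops},
        "aliases": {"IP-Alias": {CLIENT: IP_ALIAS.get(CLIENT)},
                    "User-Alias": {user: USER_ALIAS.get(user)}},
    }

def render(record: Dict[str, Any]) -> str:
    """The condensed representation of claim 1, serialized for storage or review."""
    return json.dumps(record, indent=2, sort_keys=True)

if __name__ == "__main__":
    print(render(analyze(SESSION)))
```

The parser knows FTP syntax and nothing about the record; the analyzer knows the record vocabulary and nothing about wire syntax, which is the separation claim 1 draws between parser and analyzer. Adding a second protocol means adding a second `parse_*` generator that yields the same tuple shape and a second verb-to-action table, while the record layout stays fixed. The one defender-side detail worth keeping is that the credential argument never reaches the record: the action "User Login" is what the event language needs, not the password that produced it.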