Abstract: In a method and system for collecting event information, XML documents specifying event parsing logic for respective groups of related events are loaded. Representations for the parsing logic contained in the plurality of XML documents are stored in one or more parsing trees. Events are received, including events in a plurality of groups of events. The received events are processed in accordance with the event parsing logic in the one or more parsing trees. The received events are also processed in accordance with stored program instructions that are independent of the parsing logic for the plurality of groups of events. Event information for the received events is stored. The stored event information includes information determined in accordance with the event parsing logic in at least one or more parsing trees.

Abstract: A method is disclosed for creating a network topograph that includes all select objects that are in a network. A set of one or more non-select objects in the network is determined. A network topograph is created. Each select object in the network is included in the network topograph. Elements of the set are collectively represented as a single non-select object.

Abstract: A method and system is disclosed for creating and tracking network sessions. A request to access a network is received from an entity. The entity is authenticated after the request is received. Authenticated identity information associated with the entity, network address information associated with the entity, and network location information associated with the entity is collected. An information set is created. The information set comprises and binds together the authenticated identity information, the network address information, and the network location information. The information set indicates a present association among the authenticated identity information, the network address information, and the network location information. The information set is stored in a session record in a centralized database. The session record represents a session in which the entity accesses the network. The session record is one of a plurality of session records that are stored in the centralized database.

Abstract: A system and method of generating an overall top N query result from multiple sets of sessionized network events that correspond to different time periods include identifying a subset within each set of network events whose event attributes satisfy a predefined query, generating an aggregation result table for each identified subset of network events in accordance with an aggregation attribute, identifying matching first and second entries in first and second aggregation result tables that have a same aggregation attribute value, generating a new entry in a query result table by merging the matching first and second entries together, and selecting entries in the query result table that have highest session counts as the overall top N query result.

Abstract: In a method and system for aggregating event information, events are received at a first plurality of nodes in a distributed system. For the events received at each node aggregated attribute information is determined in accordance with two or more rules and stored in distinct first tables, each table storing aggregated attribute information for a respective rule of the two or more rules. At each node of the first plurality of nodes, the two or more distinct first tables are transmitted to a respective node of a second set of nodes in the distributed system. At each node of the second set of nodes, two or more distinct second tables are generated by merging the aggregated attribute information in the tables transmitted to the node. Each rule of the two or more rules is evaluating using the aggregated attribute information obtained from a corresponding table of the second tables.

Abstract: In a method and system for collecting event information, XML documents specifying event parsing logic for respective groups of related events are loaded. Representations for the parsing logic contained in the plurality of XML documents are stored in one or more parsing trees. Events are received, including events in a plurality of groups of events. The received events are processed in accordance with the event parsing logic in the one or more parsing trees. The received events are also processed in accordance with stored program instructions that are independent of the parsing logic for the plurality of groups of events. Event information for the received events is stored. The stored event information includes information determined in accordance with the event parsing logic in at least one or more parsing trees.

Abstract: An intra-session network correlation system receives a stream of network events and groups the events into different network sessions according to event parameters and corresponding network address translation (NAT) information. An event in the stream is first matched against any existing session, and then categorized using the information about a NAT device that translates a message to which the event is related. Finally, at a predefined time, a categorized event is processed to identify other categorized events in accordance with a NAT message or an expiry timer associated with the categorized event; the categorized event and identified other categorized events are grouped into the same network session.

Abstract: A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information of the network sessions and security incidents to a user of the system in an intuitive form. The user is able to not only learn the details of a possible network attack, but also creates new security event correlation rules intuitively, including drop rules for dropping a particular type of events.

Abstract: A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information of the network sessions and security incidents to a user of the system in an intuitive form. The user is able to not only learn the details of a possible network attack, but also creates new security event correlation rules intuitively, including drop rules for dropping a particular type of events.

Abstract: Two or more access control lists that are syntactically or structurally different may be compared for functional or semantic equivalence in order to configure a security policy on a network. A first access control list is programmatically determined to be functionally equivalent to a second access control list for purpose of configuring or validating security policies on a network. In one embodiment, a box data representation facilitates comparing entries and sub-entries of the lists.

Abstract: A security monitoring system processes event messages related to computer network security in real time, evaluating inter-event constraints so as to identify combinations of events that are partial solutions to a predefined event correlation rule, and furthermore evaluating combinations of the partial solutions do determine if they together satisfy the predefined event correlation rule. A decision tree is formed based on the rule. Event messages are categorized into groups at leaf nodes of the tree in accordance with a plurality of intra-event constraints, and then the messages are correlated in accordance with a plurality of inter-event constraints at non-leaf nodes of the tree. When the inter-event constraint at a root node of the tree has been satisfied, a network attack alert is issued and protective actions may be taken.

Abstract: A method and system is disclosed for creating and tracking network sessions. A request to access a network is received from an entity. The entity is authenticated after the request is received. Authenticated identity information associated with the entity, network address information associated with the entity, and network location information associated with the entity is collected. An information set is created. The information set comprises and binds together the authenticated identity information, the network address information, and the network location information. The information set indicates a present association among the authenticated identity information, the network address information, and the network location information. The information set is stored in a session record in a centralized database. The session record represents a session in which the entity accesses the network. The session record is one of a plurality of session records that are stored in the centralized database.

Abstract: A system and method of generating an overall top N query result from multiple sets of sessionized network events that correspond to different time periods include identifying a subset within each set of network events whose event attributes satisfy a predefined query, generating an aggregation result table for each identified subset of network events in accordance with an aggregation attribute, identifying matching first and second entries in first and second aggregation result tables that have a same aggregation attribute value, generating a new entry in a query result table by merging the matching first and second entries together, and selecting entries in the query result table that have highest session counts as the overall top N query result.

Abstract: According to one embodiment, the number of tunnels on a network may be reduced. A set of tunnels are selected which exchange data packets between a first security device and a second security device. Each tunnel in the set of tunnels specify a dimensional range for data packets that are subject to that tunnel. A super tunnel is determined to replace the set of tunnels, so that a dimensional range of the data packets that are made subject to the super tunnel encompass a dimensional range of the data packets that were made subject to the set of tunnels. A determination is made as to whether the super tunnel excludes data packets that are permitted by the first security device and the second security device, but not subject to any one of the tunnels other than tunnels in the set of tunnels.

Abstract: A method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network are disclosed. An address translation alteration performed on packets communicated between a management source and a plurality of security devices, resulting from implementation of a proposed new network security policy, is detected. One or more sets of security devices are identified that would each have one or more configuration dependencies as a result of the address translation alteration. Configuration instructions are sent from the management source to each of the one or more sets of security devices using an order determined by the identified configuration dependencies. The configuration instructions are used to implement the security policy on the network. As a result, firewalls and similar devices are properly configured for a new policy without inadvertently causing traffic blockages arising from configuration dependencies.

Abstract: Enforcement firewalls and other security devices are located on a network for a given source node and destination node. Nodes in the network topology are programmatically identified as being part of a non-looping communication path between the source node and the destination node. These nodes may be part of a path closure set. Security devices that are part of the path closure set are identified as the enforcement security devices for the given source and destination node.

Abstract: A method is disclosed for creating a network topograph that includes all select objects that are in a network. A set of one or more non-select objects in the network is determined. A network topograph is created. Each select object in the network is included in the network topograph. Elements of the set are collectively represented as a single non-select object.

Abstract: An intra-session network correlation system receives a stream of network events and groups the events into different network sessions according to event parameters and corresponding network address translation (NAT) information. An event in the stream is first matched against any existing session, and then categorized using the information about a NAT device that translates a message to which the event is related. Finally, at a predefined time, a categorized event is processed to identify other categorized events in accordance with a NAT message or an expiry timer associated with the categorized event; the categorized event and identified other categorized events are grouped into the same network session.

Abstract: A method is disclosed for creating a network topograph that includes all select objects that are in a network. A set of one or more non-select objects in the network is determined. A network topograph is created. Each select object in the network is included in the network topograph. Elements of the set are collectively represented as a single non-select object.

Abstract: A method is disclosed for removing redundancies from a list of data structures. A list of data structures is sorted by first attribute into sub-lists having a common first attribute. Each of these sub-lists is sorted by second attribute into sub-lists having a common first attribute and a common second attribute. Each of these sub-lists is combined into a single combined data structure that includes a third attribute set. Each third attribute set includes third attributes of the data structures in the sub-list from which the combined data structure including that set was formed.