US20100085888A1 - Method and apparatus for analyzing source internet protocol activity in a network - Google Patents
- Publication number: US20100085888A1 (application Ser. No. 12/633,761)
- Authority: United States (US)
- Prior art keywords: network, facilities, sip, activity, statistics
- Legal status: Abandoned (status as listed by Google Patents; not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
Abstract
Method and apparatus for analyzing source Internet protocol (SIP) activity in a network is described. In one example, a SIP address is obtained. Log data collected over a predefined time period by a plurality of network facilities is automatically queried using the SIP address as parametric input to generate a report. The report includes sample activity for the SIP and statistics for targeted network facilities, firewall activity, targeted network spaces, and targeted IP addresses.
Description
- This application is a continuation of U.S. patent application Ser. No. 11/323,011, filed Dec. 30, 2005, which is currently allowed, and is herein incorporated by reference in its entirety.
- 1. Field of the Invention
- Embodiments of the present invention generally relate to network monitoring and, more particularly, to a method and apparatus for analyzing source internet protocol (IP) activity in a network.
- 2. Description of the Related Art
- Networks typically monitor for abnormal activities that may suggest some type of malicious attack is underway. When an event takes place, an alarm is generated and a review of the activity leading to the event begins. One type of activity that is reviewed is internet protocol (IP) activity emanating from a host computer. Each computer is identified by its source IP address (SIP). A review of SIP activity also includes actions taken by various network elements in the network in response to requests from the host identified with the SIP. Conventionally, SIP activity is reviewed manually by a network security analyst. The network security analyst typically chooses to manually execute queries to explain the abnormal SIP activity, such as port sweeping and scanning. However, such manual processing of log data is time consuming. By the time a network security analyst detects abnormal activity, the security of the network may be compromised, resulting in the loss or exposure of sensitive information and of the ability of the network to function. Accordingly, there exists a need in the art for an improved method and apparatus for analyzing SIP activity in a network.
- Method and apparatus for analyzing source internet protocol (SIP) activity in a network is described. In one embodiment, a SIP address is obtained. Log data collected over a predefined time period by a plurality of network facilities is automatically queried using the SIP address as parametric input to generate a report. The report includes sample activity for the SIP and statistics for targeted network facilities, firewall activity, targeted network spaces, and targeted IP addresses. By generating the report automatically, the time it takes to run queries as part of SIP analysis is reduced, allowing a network analyst to quickly identify actions to be taken (e.g., further analysis, mitigation, escalation).
- So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.
- FIG. 1 is a block diagram depicting a network architecture in accordance with one or more aspects of the invention;
- FIG. 2 is a flow diagram depicting an exemplary embodiment of a method for analyzing SIP activity in a network in accordance with one or more aspects of the invention; and
- FIG. 3 is a block diagram depicting an exemplary embodiment of a computer suitable for implementing the processes and methods described herein.
- FIG. 1 is a block diagram depicting a network architecture 100 in accordance with one or more aspects of the invention. The network architecture 100 illustratively includes a network 102, network facilities 104-1 through 104-N (collectively referred to as network facilities 104), a database server 106, and a computer 108 (where N is an integer greater than zero). The network 102 comprises a packet network configured to propagate packets in accordance with a particular network protocol, such as internet protocol (IP), and transport protocol, such as transmission control protocol (TCP), user datagram protocol (UDP), and the like.
- The network facilities 104 include routers, firewalls, proxy servers, web servers, and like type network devices known in the art. The network facilities 104 are configured to generate log data, which are exported to the database server 106. The log data for a network element includes entries that list actions that have occurred with respect to the network facility. The entries include information associated with actions, such as source IP address, target IP address, source port/protocol, target port/protocol, user identifier (ID), a message indicating the result of the action, and like type log parameters known in the art.
- The database server 112 is configured to collect log data 114 from the network facilities 104 in the network 102. The log data 114 includes events associated with log entries produced by the network facilities 104. The log data 114 may be collected periodically. Older data may be expunged from the database server 112 after a predefined time period. Each of the network facilities 104 may produce log data having a different format. The log data from the network facilities 104 may be normalized before being stored by the database server 106. That is, each event maintained by the database server 112 may have predefined fields. For example, each event may include fields for date/time, facility, source IP address, facility IP address, target IP address, protocol, source port, target port, type of action, message, and interface. The database server 106 may implement any database platform known in the art.
- The computer 108 is configured to implement a source IP (SIP) activity analyzer 112. The SIP activity analyzer 112 is executed using an input SIP address. For example, the SIP address may be input by a network security analyst. Alternatively, the SIP activity analyzer 112 may automatically process a SIP address from a file having a list of SIP addresses to be processed. In either case, the SIP activity analyzer 112 automatically queries the log data 114 in the database server 106 within a predefined time window using the SIP address as parametric input. The SIP activity analyzer 112 automatically generates a report having sample activity for the SIP address within the network, as well as various statistics for targeted network elements, firewall activity, targeted network spaces, and targeted IP addresses. In one embodiment, the SIP activity analyzer 112 is triggered in response to an alarm generated within the network. In such an embodiment, the SIP activity analyzer 112 receives the alarm identifier and time period of the alarm in addition to the SIP address.
- The report produced by the SIP activity analyzer 112 may be displayed to a network operator on a display 109 using, for example, a graphical user interface (GUI). In another embodiment, a link to the results of the SIP activity analyzer 112 (e.g., a hyperlink) is stored within an alarm entry, which is then displayed on the GUI. When viewing the alarm entry, a network operator may access the results of the SIP activity analyzer 112 via the link. Operation of the SIP activity analyzer 112 is described below. Those skilled in the art will appreciate that the network architecture 100 is merely illustrative and that the SIP activity analyzer 112 may be employed in a myriad of network architectures. In general, the SIP activity analyzer 112 is configured to process log data produced by various network facilities using input SIP addresses and produce reports including statistics for the SIP addresses.
- FIG. 2 is a flow diagram depicting an exemplary embodiment of a method 200 for analyzing SIP activity in a network in accordance with one or more aspects of the invention. The method 200 may be performed by the SIP activity analyzer 112 of FIG. 1. The method 200 begins at step 201. At step 202, a SIP address is obtained as input. The SIP address may be obtained from a network operator, or from a file of SIP addresses to be processed. At step 204, a report for the SIP address is initialized for a particular time period. As discussed below, multiple queries are made on log data collected from various network facilities to obtain various statistics associated with the SIP address. The report is generated for the SIP address and contains statistics associated with a particular time window within the log data. This time period is referred to as the analysis period.
- At step 206, a determination is made whether the SIP address is associated with any session identifiers. Exemplary session identifiers include virtual private network (VPN) session identifiers or dynamic host control protocol (DHCP) session identifiers. Notably, a particular SIP address may be assigned to multiple users within the analysis period (i.e., a SIP address may be used for multiple sessions). Each of the sessions is assigned a particular identifier by the network. Session identifier data 207 may be analyzed to derive session identifiers for the SIP address. If the SIP address is associated with any session identifiers, the method 200 proceeds from step 206 to step 208, where user statistics are added to the report. Each session identifier is associated with a particular user. The user statistics added to the report may include, for each user, logon date/time, logoff date/time, or internet service provider (ISP) address where the user logged in from, or any combination of such data. The method 200 proceeds from step 208 to step 210. If the SIP address is not associated with any session identifiers, the method 200 proceeds from step 206 to step 210.
- At step 210, the log data is queried within the analysis period using the SIP to obtain statistics for targeted network facilities. In one embodiment, the statistics include the number of events associated with the SIP address across the network elements (e.g., the report may indicate that there were X number of events reported on Y number of network facilities for the SIP address). The statistics may also include a list of identifiers for the network facilities along with counts and percentages of events associated with each of the network facilities for the SIP (e.g., network facility A—600 events, 60%; network facility B—400 events, 40%). The statistics may also include the number of times the SIP address targeted various network facilities using a number of port/protocol combinations (e.g., the report may indicate that the SIP address targeted various network facilities Z number of times with W number of port/protocol combinations). The statistics captured at step 210 may include any combination of the aforementioned data.
- At step 212, the log data is queried within the analysis period using the SIP to obtain statistics for firewall activity. For example, the statistics may include firewall activity based on port/protocol activity (e.g., the report may indicate that the SIP address targeted various firewalls X number of times with Y number of port/protocol combinations). The firewall port/protocol activity may be separated into counts and percentages (e.g., firewall A—3 port/protocol combinations, 30%; firewall B—7 port/protocol combinations, 70%). The statistics may include firewall activity based on type of event, such as allows, drops, etc. The report may indicate that there were Z number of types of activity. The firewall type activity may be separated into counts and percentages (e.g., firewall A—100 allows, 200 drops, 30%; firewall B—400 allows, 300 drops, 70%). The percentages may be based on the total number of event types or computed per event type. The statistics may include firewall activity based on interface (e.g., the report may indicate that activity for the SIP address was logged on W number of firewall interfaces). The firewall interface activity may be separated into counts and percentages (e.g., interface A—100 events, 33%; interface B—200 events, 66%). The statistics captured at step 212 may include any combination of the aforementioned data.
- At step 214, the log data is queried within the analysis period using the SIP to obtain statistics for targeted network space. For example, the statistics may include the number of C-class networks that were targeted by the SIP address, as well as counts and percentages for individual C-class networks. As is well known in the art, C-class networks have an IP address range of 192.0.0.0 through 223.255.255.255. The report may indicate that the SIP address targeted X number of C-class networks. The report may also list the C-class networks and include corresponding counts and percentages for activity for the SIP address (e.g., network A—8 events, 80%; network B—2 events, 20%). Statistics may be gathered for other classes of networks in addition to, or as an alternative to, the C-class networks. Statistics may also be reported based on the networks in general, regardless of class (e.g., the SIP address targeted Y number of networks). The statistics may also include whether a corporate Intranet was targeted or whether a particular local subnet was targeted by the SIP address. If any such network spaces were targeted, the report may include the percent of SIP address activity (e.g., the report may indicate that the percent of activity targeting the corporate Intranet is Z %). The statistics captured at step 214 may include any combination of the aforementioned data.
- At step 216, the log data is queried within the analysis period using the SIP to obtain the number of unique target IP addresses for the SIP address. At step 218, the log data is queried within the analysis period using the SIP to obtain a snapshot of activity for the SIP. For example, the report may include descriptions for a predefined number of events recorded in the log data for the SIP address. At step 220, all of the captured statistics are added to the report. The method 200 ends at step 299.
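The normalized event schema of FIG. 1 and steps 206 through 220 of method 200, worked through as an added example in Python; this is not code from the patent or its assignee. Everything in it is constructed: the event and session records, the facility names, the field names, the `kind` tag that marks which facilities are firewalls, and the 10.0.0.0/8 range standing in for the corporate intranet. Where the description says "C-class network", the example groups target addresses by /24 prefix, the CIDR equivalent of a class C network, since classful ranges are not used on modern networks; per-firewall event-type percentages are computed against all firewall events for the SIP, one of the two bases the description allows.

```python
"""Added example (not the patent's own code): build the SIP activity report
of method 200 from normalized log events.  Every record, name and range
below is constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network


def _ev(ts, facility, kind, sip, dip, proto, sport, dport, action, msg, iface):
    # One normalized event with the fields the description lists; "kind" is an
    # assumed extra tag so firewall events can be picked out for step 212.
    return dict(ts=datetime.fromisoformat(ts), facility=facility, kind=kind, sip=sip,
                dip=dip, proto=proto, sport=sport, dport=dport, action=action,
                msg=msg, iface=iface)


def _sess(sip, session, user, logon, logoff, isp):
    # Constructed VPN session record (the session identifier data 207).
    return dict(sip=sip, session=session, user=user, isp=isp,
                logon=datetime.fromisoformat(logon), logoff=datetime.fromisoformat(logoff))


EVENTS = [  # constructed; 203.0.113.9 is the SIP under review
    _ev("2005-12-01T10:00:01", "fw-a", "firewall", "203.0.113.9", "192.0.2.10", "tcp", 51000, 22, "drop", "deny tcp/22", "outside"),
    _ev("2005-12-01T10:00:02", "fw-a", "firewall", "203.0.113.9", "192.0.2.10", "tcp", 51001, 23, "drop", "deny tcp/23", "outside"),
    _ev("2005-12-01T10:00:03", "fw-a", "firewall", "203.0.113.9", "192.0.2.11", "tcp", 51002, 80, "allow", "permit tcp/80", "outside"),
    _ev("2005-12-01T10:00:04", "fw-b", "firewall", "203.0.113.9", "10.1.1.5", "tcp", 51003, 445, "drop", "deny tcp/445", "dmz"),
    _ev("2005-12-01T10:00:05", "fw-b", "firewall", "203.0.113.9", "10.1.1.6", "udp", 51004, 53, "allow", "permit udp/53", "dmz"),
    _ev("2005-12-01T10:00:06", "proxy-1", "proxy", "203.0.113.9", "192.0.2.11", "tcp", 51005, 80, "allow", "GET /", "inside"),
    _ev("2005-12-01T10:00:07", "web-1", "web", "203.0.113.9", "192.0.2.11", "tcp", 51006, 80, "allow", "200 /index.html", "eth0"),
    _ev("2005-12-01T10:00:08", "fw-a", "firewall", "203.0.113.9", "192.0.2.12", "tcp", 51007, 3389, "drop", "deny tcp/3389", "outside"),
    _ev("2005-12-01T10:00:09", "fw-a", "firewall", "198.51.100.7", "192.0.2.10", "tcp", 40000, 22, "allow", "permit tcp/22", "outside"),
    _ev("2005-12-02T09:00:00", "fw-a", "firewall", "203.0.113.9", "192.0.2.10", "tcp", 51008, 22, "drop", "deny tcp/22", "outside"),
]
SESSIONS = [  # constructed; the same SIP is leased to two users inside the window
    _sess("203.0.113.9", "vpn-0001", "alice", "2005-12-01T08:00:00", "2005-12-01T10:00:05", "198.51.100.20"),
    _sess("203.0.113.9", "vpn-0002", "bob", "2005-12-01T10:00:06", "2005-12-01T12:00:00", "198.51.100.21"),
]
INTRANET = ip_network("10.0.0.0/8")  # assumed corporate intranet range


def _pct(n, total):
    return round(100.0 * n / total, 1) if total else 0.0


def sip_report(sip, start, end, events=EVENTS, sessions=SESSIONS, intranet=INTRANET, snapshot=3):
    """Steps 202-220 of method 200 for one SIP address and one analysis period."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    evs = sorted((e for e in events if e["sip"] == sip and start <= e["ts"] < end), key=lambda e: e["ts"])
    report = {"sip": sip, "period": (start.isoformat(), end.isoformat()), "events": len(evs)}

    # Steps 206/208: user statistics for every session that overlaps the period
    report["users"] = [dict(session=s["session"], user=s["user"], isp_address=s["isp"],
                            logon=s["logon"].isoformat(), logoff=s["logoff"].isoformat())
                       for s in sessions if s["sip"] == sip and s["logon"] < end and s["logoff"] > start]

    # Step 210: targeted network facilities (events per facility, port/protocol combinations)
    by_fac = Counter(e["facility"] for e in evs)
    report["facilities"] = {
        "count": len(by_fac),
        "per_facility": {f: (n, _pct(n, len(evs))) for f, n in by_fac.items()},
        "port_protocol_combinations": len({(e["proto"], e["dport"]) for e in evs}),
    }

    # Step 212: firewall activity by port/protocol, by event type and by interface
    fw = [e for e in evs if e["kind"] == "firewall"]
    combos, actions = defaultdict(set), defaultdict(Counter)
    for e in fw:
        combos[e["facility"]].add((e["proto"], e["dport"]))
        actions[e["facility"]][e["action"]] += 1
    n_combos = sum(len(c) for c in combos.values())
    by_iface = Counter(e["iface"] for e in fw)
    report["firewalls"] = {
        "port_protocol": {f: (len(c), _pct(len(c), n_combos)) for f, c in combos.items()},
        "event_types": sorted({e["action"] for e in fw}),
        "by_type": {f: (dict(c), _pct(sum(c.values()), len(fw))) for f, c in actions.items()},
        "interfaces": {i: (n, _pct(n, len(fw))) for i, n in by_iface.items()},
    }

    # Step 214: targeted network space.  Target IPs are grouped by /24 prefix
    # (the CIDR equivalent of a "C-class network"); the intranet share is reported too.
    by_net = Counter(str(ip_network(f"{e['dip']}/24", strict=False)) for e in evs)
    intranet_hits = sum(1 for e in evs if ip_address(e["dip"]) in intranet)
    report["network_space"] = {
        "count": len(by_net),
        "per_network": {n: (c, _pct(c, len(evs))) for n, c in by_net.items()},
        "intranet_pct": _pct(intranet_hits, len(evs)),
    }

    # Step 216: unique target IP addresses; step 218: snapshot of sample activity
    report["unique_targets"] = len({e["dip"] for e in evs})
    report["snapshot"] = [f'{e["ts"].isoformat()} {e["facility"]} {e["action"]} '
                          f'{e["dip"]} {e["proto"]}/{e["dport"]} {e["msg"]}' for e in evs[:snapshot]]
    return report  # step 220: every captured statistic is now in the report


if __name__ == "__main__":
    import json
    print(json.dumps(sip_report("203.0.113.9", "2005-12-01T00:00:00", "2005-12-02T00:00:00"), indent=2))
```

Running the module prints the report as JSON. The constructed session records deliberately show two users holding the same SIP address inside the analysis period, which is why step 208 lists both; an analyst reading the per-facility and per-firewall counts should line the event timestamps up against the session boundaries before attributing the activity to either user, which is exactly the join the session identifier data 207 exists to support.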
- FIG. 3 is a block diagram depicting an exemplary embodiment of a computer 300 suitable for implementing the processes and methods described herein. Notably, the computer 300 may be used to implement the SIP activity analyzer 112 and the method 200. The computer 300 includes a central processing unit (CPU) 301, a memory 303, various support circuits 304, and an I/O interface 302. The CPU 301 may be any type of microprocessor known in the art. The support circuits 304 for the CPU 301 include conventional cache, power supplies, clock circuits, data registers, I/O interfaces, and the like. The I/O interface 302 may be directly coupled to the memory 303 or coupled through the CPU 301. The I/O interface 302 may be coupled to various input devices 312 and output devices 311, such as a conventional keyboard, mouse, printer, and the like.
- The memory 303 may store all or portions of one or more programs and/or data to implement the processes and methods described herein. Notably, the memory 303 may store program code to be executed by the CPU 301 for performing the method 200 of FIG. 2 and implementing the SIP activity analyzer 112 of FIG. 1. Although one or more aspects of the invention are disclosed as being implemented as a computer executing a software program, those skilled in the art will appreciate that the invention may be implemented in hardware, software, or a combination of hardware and software. Such implementations may include a number of processors independently executing various programs and dedicated hardware, such as ASICs.
- The computer 300 may be programmed with an operating system, which may be OS/2, Java Virtual Machine, Linux, Solaris, Unix, Windows, Windows95, Windows98, Windows NT, Windows2000, WindowsME, and WindowsXP, among other known platforms. At least a portion of an operating system may be disposed in the memory 303. The memory 303 may include one or more of the following: random access memory, read only memory, magneto-resistive read/write memory, optical read/write memory, cache memory, magnetic read/write memory, and the like, as well as signal-bearing media as described below.
- An aspect of the invention is implemented as a program product for use with a computer system. The program(s) of the program product define functions of embodiments and can be contained on a variety of signal-bearing media, which include, but are not limited to: (i) information permanently stored on non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM or DVD-ROM disks readable by a CD-ROM drive or a DVD drive); (ii) alterable information stored on writable storage media (e.g., floppy disks within a diskette drive or hard-disk drive or read/writable CD or read/writable DVD); or (iii) information conveyed to a computer by a communications medium, such as through a computer or telephone network, including wireless communications. The latter embodiment specifically includes information downloaded from the Internet and other networks. Such signal-bearing media, when carrying computer-readable instructions that direct functions of the invention, represent embodiments of the invention.
- While the foregoing is directed to embodiments of the present invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow.
Claims (15)
1. A method of analyzing source internet protocol (SIP) activity in a network, comprising:
obtaining a SIP address; and
automatically querying log data collected over a predefined time period by a plurality of network facilities using the SIP address as parametric input to generate a report having sample activity for the SIP address and statistics for targeted network facilities, firewall activity, targeted network spaces, and targeted IP addresses.
2. The method of claim 1, wherein the automatically querying comprises:
adding user statistics to the report if the SIP address is associated with one or more session identifiers.
3. The method of claim 2, wherein the one or more session identifiers comprise one or more virtual private network (VPN) session identifiers or one or more dynamic host control protocol (DHCP) session identifiers respectively associated with one or more users, and wherein the user statistics comprise, for each of the one or more users, at least one of: logon time, logoff time, or internet service provider (ISP) address.
4. The method of claim 1, wherein the statistics for targeted network facilities include at least one of: a number of events recorded in the log data across the plurality of facilities, a number of the plurality of facilities reporting events in the log data, a list of the plurality of facilities, or a percentage of events across the plurality of facilities.
5. The method of claim 1, further comprising:
displaying the report on a graphical user interface (GUI).
6. Apparatus for analyzing source internet protocol (SIP) activity in a network, comprising:
means for obtaining a SIP address; and
means for automatically querying log data collected over a predefined time period by a plurality of network facilities using the SIP address as parametric input to generate a report having sample activity for the SIP address and statistics for targeted network facilities, firewall activity, targeted network spaces, and targeted IP addresses.
7. The apparatus of claim 6, wherein the means for automatically querying comprises:
means for adding user statistics to the report if the SIP address is associated with one or more session identifiers.
8. The apparatus of claim 7, wherein the one or more session identifiers comprise one or more virtual private network (VPN) session identifiers or one or more dynamic host control protocol (DHCP) session identifiers respectively associated with one or more users, and wherein the user statistics comprise, for each of the one or more users, at least one of: logon time, logoff time, or internet service provider (ISP) address.
9. The apparatus of claim 6, wherein the statistics for targeted network facilities include at least one of: a number of events recorded in the log data across the plurality of facilities, a number of the plurality of facilities reporting events in the log data, a list of the plurality of facilities, or a percentage of events across the plurality of facilities.
10. The apparatus of claim 6, further comprising:
means for displaying the report on a graphical user interface (GUI).
11. A computer readable medium having stored thereon instructions that, when executed by a processor, cause the processor to perform a method of analyzing source internet protocol (SIP) activity in a network, comprising:
obtaining a SIP address; and
automatically querying log data collected over a predefined time period by a plurality of network facilities using the SIP address as parametric input to generate a report having sample activity for the SIP address and statistics for targeted network facilities, firewall activity, targeted network spaces, and targeted IP addresses.
12. The computer readable medium of claim 11, wherein the automatically querying comprises:
adding user statistics to the report if the SIP address is associated with one or more session identifiers.
13. The computer readable medium of claim 13, wherein the one or more session identifiers comprise one or more virtual private network (VPN) session identifiers or one or more dynamic host control protocol (DHCP) session identifiers respectively associated with one or more users, and wherein the user statistics comprise, for each of the one or more users, at least one of: logon time, logoff time, or internet service provider (ISP) address.
14. The computer readable medium of claim 11, wherein the statistics for targeted network facilities include at least one of: a number of events recorded in the log data across the plurality of facilities, a number of the plurality of facilities reporting events in the log data, a list of the plurality of facilities, or a percentage of events across the plurality of facilities.
15. The computer readable medium of claim 1, further comprising:
displaying the report on a graphical user interface (GUI).
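The report the claims describe, as an added worked example in Python that is not code from the patent: a single SIP is the parametric input, the log data of several facilities is queried over a predefined window, and the function builds the targeted-facility statistics of claim 4, the firewall, network-space and targeted-IP statistics of claim 1, and the user statistics of claims 2 and 3 only when a VPN/DHCP session maps to the SIP. The log records, the session table, the field names and the reading of a "network space" as the /16 containing the targeted address are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample log records from four network facilities (not real data):
# timestamp, reporting facility, source IP, destination IP, firewall action.
LOGS = [
    {"ts": "2006-05-16T08:15", "facility": "fw-edge-1", "sip": "203.0.113.7", "dip": "10.1.0.5", "action": "deny"},
    {"ts": "2006-05-16T08:16", "facility": "fw-edge-1", "sip": "203.0.113.7", "dip": "10.1.0.6", "action": "deny"},
    {"ts": "2006-05-16T09:02", "facility": "ids-core", "sip": "203.0.113.7", "dip": "10.2.0.9", "action": "alert"},
    {"ts": "2006-05-16T09:40", "facility": "proxy-dmz", "sip": "203.0.113.7", "dip": "10.3.0.1", "action": "permit"},
    {"ts": "2006-05-16T10:05", "facility": "fw-edge-2", "sip": "198.51.100.3", "dip": "10.1.0.5", "action": "permit"},
    {"ts": "2006-05-20T23:59", "facility": "fw-edge-2", "sip": "203.0.113.7", "dip": "10.1.0.5", "action": "deny"},
]
FACILITIES = ["fw-edge-1", "fw-edge-2", "ids-core", "proxy-dmz"]
# Constructed VPN/DHCP session table keyed by the address assigned to the user.
SESSIONS = {
    "203.0.113.7": [{"user": "jdoe", "logon": "2006-05-16T08:00",
                     "logoff": "2006-05-16T17:30", "isp_addr": "192.0.2.44"}],
}


def sip_report(sip, logs, facilities, sessions, start, end, sample_size=3):
    """Query every facility's logs for one SIP inside [start, end) and build the report."""
    # The SIP is the only parametric input; [start, end) is the predefined time period.
    hits = [r for r in logs if r["sip"] == sip and start <= r["ts"] < end]
    total = len(hits)
    per_facility = Counter(r["facility"] for r in hits)
    report = {
        "sip": sip,
        "sample_activity": hits[:sample_size],
        "facility_stats": {
            "events": total,
            "facilities_reporting": len(per_facility),
            "facility_list": sorted(per_facility),
            # Share of the SIP's events seen at each known facility (0.0 if it saw none).
            "percent_by_facility": {
                f: round(100.0 * per_facility[f] / total, 1) if total else 0.0
                for f in facilities
            },
        },
        "firewall_activity": dict(Counter(r["action"] for r in hits)),
        # Assumption: a "network space" is the /16 that contains the targeted address.
        "targeted_network_spaces": sorted(
            {str(ipaddress.ip_network(r["dip"] + "/16", strict=False)) for r in hits}),
        "targeted_ips": dict(Counter(r["dip"] for r in hits)),
    }
    # Claims 2 and 3: user statistics are added only when a session identifier maps to the SIP.
    if sip in sessions:
        report["user_stats"] = sessions[sip]
    return report
```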
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/633,761 US20100085888A1 (en) | 2005-12-30 | 2009-12-08 | Method and apparatus for analyzing source internet protocol activity in a network |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/323,011 Continuation US7639621B1 (en) | 2005-12-30 | 2005-12-30 | Method and apparatus for analyzing source internet protocol activity in a network |
Publications (1)
Publication Number | Publication Date |
---|---|
US20100085888A1 true US20100085888A1 (en) | 2010-04-08 |
Family
ID=41433042
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/323,011 Active 2027-12-23 US7639621B1 (en) | 2005-12-30 | 2005-12-30 | Method and apparatus for analyzing source internet protocol activity in a network |
US12/633,761 Abandoned US20100085888A1 (en) | 2005-12-30 | 2009-12-08 | Method and apparatus for analyzing source internet protocol activity in a network |
Country Status (1)
Country | Link |
---|---|
US (2) | US7639621B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103178982A (en) * | 2011-12-23 | 2013-06-26 | 阿里巴巴集团控股有限公司 | Method and device for analyzing log |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7639621B1 (en) * | 2005-12-30 | 2009-12-29 | At&T Corp. | Method and apparatus for analyzing source internet protocol activity in a network |
WO2018100432A1 (en) * | 2016-12-02 | 2018-06-07 | Secude Ag | Data stream surveillance, intelligence and reporting |
WO2018170120A1 (en) * | 2017-03-15 | 2018-09-20 | Thomson Reuters Global Resources Unlimited Company | Systems and methods for detecting and locating unsecured sensors in a network |
CN113206768B (en) * | 2021-03-31 | 2022-07-12 | 新华三信息安全技术有限公司 | Network performance testing method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5787253A (en) * | 1996-05-28 | 1998-07-28 | The Ag Group | Apparatus and method of analyzing internet activity |
US7376969B1 (en) * | 2002-12-02 | 2008-05-20 | Arcsight, Inc. | Real time monitoring and analysis of events from multiple network security devices |
US7484097B2 (en) * | 2002-04-04 | 2009-01-27 | Symantec Corporation | Method and system for communicating data to and from network security devices |
US7639621B1 (en) * | 2005-12-30 | 2009-12-29 | At&T Corp. | Method and apparatus for analyzing source internet protocol activity in a network |
Also Published As
Publication number | Publication date |
---|---|
US7639621B1 (en) | 2009-12-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: AT&T CORP., NEW YORK. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LAROSA, JEANETTE;SPIELMAN, CHAIM;SIGNING DATES FROM 20060516 TO 20060612;REEL/FRAME:025750/0598 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |