Log message archiving and processing using a remote internet infrastructure
    1.
    Granted invention patent (in force)

    Publication number: US08407335B1

    Publication date: 2013-03-26

    Application number: US12141202

    Filing date: 2008-06-18

    Abstract: An appliance is co-located on a network with computing devices. Log messages generated by the computing devices are collected by the appliance, filtered based on the content and stored in transmission priority queues based on the content. The appliance packetizes the log messages based on the transmission priority queue and the available bandwidth and compresses the packet. The appliance encrypts the packet, digitally signs the encrypted packet and sends the packet to a first data center over a public network. The first data center stores the packet in reliable storage and performs processing on the data. A copy of the packet is sent to a second data center that stores the copy and performs processing on the copied data. The appliance deletes the packet from its buffer after it has received acknowledgement that the second data center has received the packet.

    Systems and methods for correlating log messages into actionable security incidents and managing human responses
    2.
    Granted invention patent (in force)

    Publication number: US08156553B1

    Publication date: 2012-04-10

    Application number: US12171713

    Filing date: 2008-07-11

    IPC classification: G06F11/00

    CPC classification: G06Q10/06

    Abstract: Systems and methods for correlating log messages into actionable incidents. Some embodiments implement a method which includes comparing a plurality of disparate log messages to a plurality of incident descriptions. The disparate log messages can be parsed. When the messages correlate with an incident description an incident case can be created. Workflow steps can be associated with the incident case and output along with the incident case. Additional disparate log messages can be compared to the incident expressions and, when additional messages correlate with the correlated incident description, the incident case can be adjusted. In some embodiments, the adjustment can include adding workflow steps to the incident case. Results of various workflow steps can be monitored and adjustments can be made accordingly. In some embodiments, the results can include out-of-bounds activities.

    Systems and methods for automated log event normalization using three-staged regular expressions
    4.
    Granted invention patent (in force)

    Publication number: US08079081B1

    Publication date: 2011-12-13

    Application number: US12163733

    Filing date: 2008-06-27

    IPC classification: H04L29/06

    Abstract: Methods and systems for normalizing log messages. Some methods include obtaining a freeform log message from one of many disparate programs. The methods can include determining which program originated the message and, based on that, determining a signature which matches the message. Using the signature, a parsing expression may be determined with which to extract information from a portion of the message. The time from obtaining the message to extracting the information can be about the same for all messages and can be about 1/40,000th of a second. In some embodiments, a generic signature of the message may be output. A version of the message may be reconstructed based on the generic signature and information. When more than one message signature matches the reconstructed message, one of the matching signatures can be adjusted. The parsing expression can be the first of an ordered list of expressions which successfully evaluates the log message.

    Systems and methods for log and snort synchronized threat detection

    Publication number: US10462170B1

    Publication date: 2019-10-29

    Application number: US15819376

    Filing date: 2017-11-21

    Applicant: Alert Logic, Inc.

    Inventors: Dagen Wang, Ian Rickey

    Abstract: This disclosure provides a new automated threat detection using synchronized log and Snort streams. Time segments from a log stream are correlated by time to time segments from a Snort stream that have been identified as indicating “true” incidents. To determine whether a correlated time segment is “good” or “bad,” features are extracted from the correlated time segment and used to determine tuples associated therewith, each tuple containing a message type, a location, and an out of vocabulary word in the correlated time segment. A multidimensional feature vector containing a select number of the tuples is generated and provided as input to a machine learning module which determines, based on machine intelligence, whether the correlated time segment indicates a true incident.

    Log message collection employing on-demand loading of message translation libraries
    6.
    Granted invention patent (in force)

    Publication number: US08578393B1

    Publication date: 2013-11-05

    Application number: US12141209

    Filing date: 2008-06-18

    IPC classification: G06F9/44

    CPC classification: G06F11/3476 G06F9/44521

    Abstract: A log message collection system selects a configured host and fetches a log message. The log message collection system examines the fetched message to identify one or more DLLs necessary to translating the log message and determines whether the necessary DLL(s) have been loaded into a cache. If so, the log message is translated. If the DLLs are not in the cache, the log message collection system fetches from the log message host only the DLLs necessary to translate that fetched message. After the message is translated, the log message collection system fetches the next log message, identifies the necessary DLLs for that log message, and fetches the DLLs necessary to translate that message.

    Dynamic Computer Threat Alert System and Method

    Publication number: US20220247763A1

    Publication date: 2022-08-04

    Application number: US17590219

    Filing date: 2022-02-01

    Applicant: Alert Logic, Inc.

    Abstract: A configurable system and method for automatically taking in streams of log data from various sources, dynamically parsing, normalizing the data and routing it to subsystems of an analytics engine. The routed data may undergo aggregating and other enrichment based on content, rules and data, so as to generate useful event observations, which may recursively be fed back into the system's data ingestion stream to further enhance the usefulness of the system's outputs, in real-time, in the context of computer system and data security.

    Systems and methods for threat visualization with signature composure, spatial scale and temporal expansion

    Publication number: US10805326B1

    Publication date: 2020-10-13

    Application number: US15819357

    Filing date: 2017-11-21

    Applicant: Alert Logic, Inc.

    Inventors: Dagen Wang, Ian Rickey

    IPC classification: G06F21/55 H04L29/06

    Abstract: A network security system collects event data over a long duration and mines the event data to identify unique conversations between each unique pair of a source network address and a destination network address. Events in each unique conversation are associated with signature identifiers that identify different types of attacks. Each signature thus identified is assigned with a unique visual clue. The unique visual clue has a particular visual character that reflects a number of occurrences of a particular event. For payload sizes associated with the event, a spatial scale representation is determined. The network security system generates a visualization relative to a conversation timeline for presentation on a user interface. The visualization contains unique visual clues for the different types of attacks associated with the signature identifiers and the spatial scale representation of the payload sizes associated with the events associated with the signature identifiers.

    Security countermeasure management platform

    Publication number: US10462178B2

    Publication date: 2019-10-29

    Application number: US14450509

    Filing date: 2014-08-04

    Applicant: Alert Logic, Inc.

    IPC classification: H04L29/06 G06F21/57

    Abstract: A management platform that allows security and compliance users to view risks and vulnerabilities in their environment with the added context of what other mitigating security countermeasures are associated with that vulnerability and that are applicable and/or available within the overall security architecture. Additionally, the platform allows users to take one or more actions, from controlling the operation of a security countermeasure for mitigation purposes to documenting the awareness of a security countermeasure that is in place.

    Continuous malicious software identification through responsive machine learning

    Publication number: US10460104B2

    Publication date: 2019-10-29

    Application number: US16131894

    Filing date: 2018-09-14

    Applicant: Alert Logic, Inc.

    Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A data collector intercepts a selection of first tier calls between the CPU and Kernel/OS and/or second tier calls between the Kernel/Operating System and the applications, and stores information pertaining thereto. An Analytic Engine maps the stored first and second tier call information to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the collector, the Kernel module, and the Analytic Engine.