TW200837571A - Real-time identification of an asset model and categorization of an asset to assist in computer network security - Google Patents


Info

Publication number: TW200837571A
Application number: TW96140086A
Authority: TW (Taiwan)
Other versions: TWI417737B
Language: Chinese (zh)
Inventors: Ankur Lahoti, Hui Huang, Christian F. Beedgen
Original assignee: ArcSight Inc
Prior art keywords: network node, node, address, category, unique identifier
Events: application filed by ArcSight Inc; publication of TW200837571A; application granted; publication of TWI417737B
Classification landscape: Data Exchanges In Wide-Area Networks

Abstract

A unique identifier is assigned to a network node and is used to obtain an "asset model" corresponding to the node and to determine whether the node is a member of a particular category. An asset model is a set of information about a node (e.g., the node's role within the enterprise, software installed on the node, and known vulnerabilities/weaknesses of the node). An identifier lookup module determines a node's identifier based on characteristics of the node (such as IP address, host name, network zone, and/or MAC address), which are used as keys into lookup data structures. A category lookup module determines whether a particular node is a member of (i.e., within) a particular category using a transitive closure to model the categories (properties) that can be attached to an asset model. A transitive closure for a particular asset category is stored as a bitmap, similar to bitmap indexing.

Description

IX. DESCRIPTION OF THE INVENTION

TECHNICAL FIELD

The present invention relates generally to security information/event management (SIM or SIEM), and more particularly to accessing a model of a network node (for example, the target node of an event) so that the model data can be used in conjunction with security information/events.

PRIOR ART

The field of security information/event management (SIM or SIEM) is generally concerned with 1) collecting data from networks and network devices that reflects network activity and/or the operation of the devices, and 2) analyzing the data to enhance security. For example, the data can be analyzed to identify an attack on the network or on a network device and to determine which user or machine is responsible. If the attack is in progress, a countermeasure can be performed to thwart the attack or mitigate the damage it causes. The collected data generally originates in a message (such as an event, alert, or alarm) generated by a network device, or in an entry in a log file.

The message or entry generally indicates one or more computer network devices ("network nodes") involved in the network activity. For example, the message or entry may indicate the node at which the activity was directed (the "target node") and/or the node from which the activity originated (the "source node"). Although an attack can be identified and investigated using only the collected data, having additional information, such as information about the indicated network nodes, is often useful.

Information about a network node (called an "asset model") can include, for example, the node's Internet Protocol (IP) address, the node's host name, the network to which the node belongs, the node's role within the enterprise, the open ports on the node, the software installed on the node (for example, the operating system and applications), and the node's known vulnerabilities or weaknesses (called "exposed vulnerabilities").

The asset model is accessed during security analysis. Security analysis can be performed in batch mode or in real-time mode. In batch mode, security information/events are stored as they are received, and the stored information is analyzed later. In real-time mode, security information/events are analyzed as (or shortly after) they are received.

For security analysis to take place in real time (or near real time), the asset models must be accessed in real time (or near real time). This is hard to achieve because thousands of events are generated every minute, and each event indicates one or more nodes. For example, an event rate of 5,000 events/second with 4 nodes/event yields 20,000 nodes/second. For each node, its asset model must be identified and accessed. What is needed is a way to access asset models efficiently enough that they can be used in real time in conjunction with security information/events.

SUMMARY OF THE INVENTION

A manager receives one or more events and analyzes them to detect attacks. An event describes an action involving a computer network device (called a "network node"). An event includes a reference to one or more nodes (for example, the node at which the action was directed (the "target node") and/or the node from which the action originated (the "source node")); such a reference is called a "node reference". A node reference includes several fields, such as an Internet Protocol (IP) address, a network zone, a host name, a media access control (MAC) address, and an asset identifier (asset ID).

The asset ID field is used to store a unique identifier (ID) assigned to a network node. When the manager first receives an event, the asset ID field of a node reference is empty. Later, an identifier of the "asset model" corresponding to the node is stored in the asset ID field. The ID is used to obtain the asset model corresponding to the network node with which the ID is associated, and to determine whether the network node is a member of a particular category. The manager accesses the asset model of a network node in order to perform security analysis.
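The resolution step described above, as an added example that is not part of the patent and not ArcSight's code: a node reference arrives with an empty asset ID, the manager tries the MAC table, then the per-zone IP table, then the per-zone host name table, then the zone's asset ranges, and writes the first ID found back into the reference. The class and function names (AssetResolver, register, exploited_and_exposed), the inventory and the vulnerability labels are all constructed for the example; the one security check added at the end, intersecting the vulnerabilities an event claims to exploit with those the target's asset model exposes, is the comparison the description mentions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class NodeReference:
    """The node reference fields named in the summary; asset_id starts empty."""
    zone: str
    ip: Optional[str] = None
    host_name: Optional[str] = None
    mac: Optional[str] = None
    asset_id: Optional[int] = None


@dataclass
class AssetModel:
    asset_id: int
    host_name: str
    role: str
    exposed_vulns: frozenset = frozenset()   # known weaknesses of the node


class AssetResolver:
    """Hands out integer IDs (the management module's job) and resolves node
    references to them (the lookup module's job). MAC addresses are global;
    IP addresses and host names are unique only within a zone, so those tables
    are keyed by (zone, value). Names here are assumptions, not the patent's."""

    def __init__(self, order=("mac", "ip", "host", "range")):
        self.order = order              # lookup order, configurable
        self.by_mac = {}                # mac -> asset id
        self.by_ip = {}                 # (zone, ip as int) -> asset id
        self.by_host = {}               # (zone, host name) -> asset id
        self.ranges = {}                # zone -> [(lo, hi, asset id)]
        self.models = {}                # asset id -> AssetModel
        self._next_id = 1               # next unassigned ID

    def register(self, zone, host_name, role, ip=None, mac=None, exposed_vulns=()):
        aid = self._next_id
        self._next_id += 1
        self.models[aid] = AssetModel(aid, host_name, role, frozenset(exposed_vulns))
        self.by_host[(zone, host_name.lower())] = aid
        if ip is not None:
            self.by_ip[(zone, int(IPv4Address(ip)))] = aid
        if mac is not None:
            self.by_mac[mac.lower()] = aid
        return aid

    def add_range(self, zone, lo, hi, asset_id):
        """Asset range: every address of the zone between lo and hi maps to one asset."""
        self.ranges.setdefault(zone, []).append(
            (int(IPv4Address(lo)), int(IPv4Address(hi)), asset_id))

    def _lookup(self, kind, ref):
        if kind == "mac" and ref.mac:
            return self.by_mac.get(ref.mac.lower())
        if kind == "ip" and ref.ip:
            return self.by_ip.get((ref.zone, int(IPv4Address(ref.ip))))
        if kind == "host" and ref.host_name:
            return self.by_host.get((ref.zone, ref.host_name.lower()))
        if kind == "range" and ref.ip:
            n = int(IPv4Address(ref.ip))
            for lo, hi, aid in self.ranges.get(ref.zone, []):
                if lo <= n <= hi:
                    return aid
        return None

    def resolve(self, ref):
        """Fill the reference's empty asset_id field; return the ID, or None if unknown."""
        if ref.asset_id is not None:
            return ref.asset_id
        for kind in self.order:
            aid = self._lookup(kind, ref)
            if aid is not None:
                ref.asset_id = aid
                return aid
        return None


def exploited_and_exposed(resolver, target, exploited):
    """Vulnerabilities the event claims to exploit that the target really exposes.
    Returns None when the target cannot be resolved to an asset model at all."""
    aid = resolver.resolve(target)
    if aid is None:
        return None
    return frozenset(exploited) & resolver.models[aid].exposed_vulns


def build_sample_resolver():
    """Constructed sample inventory; V1/V2 are placeholder vulnerability labels."""
    r = AssetResolver()
    web = r.register("dmz", "web01", "web server", ip="10.1.1.10",
                     mac="00:11:22:33:44:55", exposed_vulns={"V1", "V2"})
    db = r.register("corp", "db01", "database server", ip="10.2.0.5")
    lab = r.register("corp", "lab-segment", "lab network")
    r.add_range("corp", "10.2.100.0", "10.2.100.255", lab)
    return r, {"web": web, "db": db, "lab": lab}
```

Two points worth noticing when running it: a reference with the DMZ host's IP but zone "corp" resolves to nothing, because IP lookups are zone-scoped, and a reference carrying both a MAC and an IP resolves to whichever table comes first in the configured order, so the order decides which identity wins when the two disagree.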

An asset model is a collection of information about a network node. This information can include, for example, the node's IP address, the node's host name, the network to which the node belongs, the node's role within the enterprise, the open ports on the node, the software installed on the node (for example, the operating system and applications), and a list of the node's known vulnerabilities or weaknesses (called "exposed vulnerabilities").

The manager includes an identifier module and a category module. The identifier module provides functionality related to the unique IDs assigned to network nodes and includes a lookup module and a management module. The lookup module determines the ID of a network node based on various characteristics of the node (for example, IP address, host name, network zone, and/or MAC address). Each of these pieces of information is used as a key into one or more lookup data structures (for example, lookup tables). If a lookup succeeds (that is, a value associated with the key is found), the value is returned; it is the ID of the node's asset model. The management module tracks which IDs have been assigned to network nodes and which have not.

The category module provides category-related functionality and includes a lookup module and a management module. The lookup module determines whether a particular network node (asset) is a member of (that is, belongs to) a particular category. To make that determination, the category module uses category data. The category data uses a transitive closure (TC) to model the hierarchical and dynamic space of categories (properties) that can be attached to an asset model. The TC is stored in memory as a set of bitmaps, where one bitmap corresponds to one particular asset category or group. A 0/1 bit in a bitmap indicates whether a link exists between that asset category/group and an asset. An asset's unique ID is used as an index into a transitive closure bitmap. The management module updates the category data as needed.

DETAILED DESCRIPTION

Described herein is a computer-based system for capturing security events from heterogeneous sources, normalizing such events to a common schema, and cross-correlating the normalized events with rules to produce meta-events. The system, one embodiment of which is implemented as computer software, enables aggregation, correlation, detection, and investigative tracking of suspicious network activity from multiple security devices. The system also supports response management, ad hoc query resolution, reporting and replay for forensic analysis, and graphical visualization of network threats and activity.

Although the system is described with reference to various illustrated examples, these examples should not be understood to limit the broader spirit and scope of the invention. For example, the examples presented herein describe distributed agents, managers, and consoles, which are one embodiment of the invention. The general concepts and reach of the invention are much broader and extend to any computer-based or network-based security system. Likewise, the messages that can be passed to and from the components of the system, and the data schemas that the components can use, are presented as examples to further explain the invention; they are not meant to be exhaustive and should not be viewed as such.

Some portions of the detailed description that follows are presented in terms of algorithms and symbolic representations of operations on data within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the computer science arts to convey the substance of their work most effectively to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to those quantities. Unless specifically stated otherwise, it will be appreciated that throughout the description, terms such as "processing", "computing", "calculating", "determining", "displaying", or the like refer to the actions and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission, or display devices.

One embodiment of the invention is implemented in computer software, that is, computer-readable instructions which, when executed by one or more computer processors/systems, instruct the processors/systems to perform the designated actions. Such computer software may reside in one or more computer-readable media, such as hard drives, CD-ROMs, DVD-ROMs, read-only memory, read-write memory, and so on. Such software may be distributed on one or more of these media, or may be made available for download across one or more computer networks (for example, the Internet). Regardless of the format, the computer programming, rendering, and processing techniques discussed herein are simply examples of the types of programming, rendering, and processing techniques available for implementing aspects of the invention. These examples should in no way limit the invention, which is best understood with reference to the claims that follow this description.

SYSTEM ARCHITECTURE

Figure 1 is a high-level diagram of an environment having a security information/event management system 10, according to one embodiment. The system 10 includes agents 12, one or more managers 14, and one or more consoles 16 (which may include browser-based versions). In some embodiments, the agents, managers, and/or consoles may be combined in a single platform or distributed across two, three, or more platforms (as in the illustrated example). The use of this multi-tier architecture supports scalability as a computer network or system grows.

Agents 12 are software programs that provide efficient, real-time (or near real-time) local event data capture and filtering from a variety of network security devices and/or applications. The primary sources of security events are common network elements, including firewalls, intrusion detection systems, and operating system logs. Agents 12 can collect events from any source that produces event logs or messages and can operate on the native device, at consolidation points within the network, and/or through Simple Network Management Protocol (SNMP) traps.

Agents 12 can be configured through manual and automated processes and via associated configuration files. Each agent 12 may include one or more software modules, including a normalizing component, a time correction component, an aggregation component, a batching component, a resolver component, a transport component, and/or other further components. These components may be activated and/or deactivated through appropriate commands in the configuration file.

Managers 14 are server-based components that further consolidate, filter, and cross-correlate the events received from the agents, employing a rules engine 18 and a centralized event database 20. One role of the manager 14 is to capture and store all of the real-time and historic event data (via a database manager 22) to construct a complete, enterprise-wide picture of security activity. The manager 14 also provides centralized administration, notification (through one or more notifiers 24), and reporting, as well as a knowledge base 28 and case management workflow. The manager may be deployed on any computer hardware platform; one embodiment uses a relational database management system (for example, an Oracle database) to implement the event data store component. Communications between the manager 14 and the agents 12 may be bi-directional (for example, to allow the manager 14 to transmit commands to the platforms hosting the agents 12) and encrypted. In some installations, a manager 14 may act as a concentrator for multiple agents 12 and can forward information to other managers (for example, those deployed at a corporate headquarters).

The manager 14 includes one or more agent managers 26, which are responsible for receiving the event data messages transmitted by the agents 12. Where bi-directional communication with the agents 12 is implemented, these agent managers 26 may be used to transmit messages to the agents 12. If encryption is employed for agent-manager communications (which is optional), the agent manager 26 is responsible for decrypting the messages received from the agents 12 and encrypting any messages transmitted to the agents 12.

Consoles 16 are computer-based (for example, workstation-based) applications that allow security professionals to perform day-to-day administrative and operational tasks such as event monitoring, rule authoring, incident investigation, and reporting. Access control lists allow multiple security professionals to use the same system and event database, with each professional having his or her own views, correlation rules, alerts, reports, and knowledge base appropriate to his or her responsibilities. A single manager 14 can support multiple consoles 16.

In some embodiments, a browser-based version of the console 16 may be used to provide access to security events, knowledge base articles, reports, notifications, and cases. That is, the manager 14 may include a web server component accessible via a web browser hosted on a personal or handheld computer (which takes the place of the console 16) to provide some or all of the functionality of a console 16. Browser access is particularly useful for security professionals who are away from the consoles 16 and for part-time users. Communication between the consoles 16 and the manager 14 is bi-directional and may be encrypted.

Through the above architecture, the system can support a centralized or decentralized environment. This is useful because an organization may want to implement a single instance of the system 10 and use an access control list to partition users. Alternatively, the organization may choose to deploy separate systems 10 for each of a number of groups and consolidate the results at a "master" level. Such a deployment can also achieve a "follow-the-sun" arrangement, in which geographically dispersed peer groups collaborate with each other by passing primary oversight responsibility to the group currently working standard business hours. Systems 10 can also be deployed in a corporate hierarchy in which business divisions work separately and support a rollup to a centralized management function. The security information/event management system 10 is further described in U.S. Application No. 10/308,415, filed December 2, 2002, the entire contents of which are incorporated herein by reference.

INTRODUCTION TO ASSET MODELS

A manager 14 receives one or more events and analyzes them to detect attacks. An event describes an action involving a computer network device (called a "network node"). Exemplary network nodes include laptop and desktop computers, servers (such as e-mail servers, access control servers, and domain name system (DNS) servers), firewalls, routing devices, intrusion detection systems, virtual private network (VPN) systems, and printers.

In one embodiment, an event indicates one or more nodes (for example, the node at which the action was directed (the "target node") and/or the node from which the action originated (the "source node")). In this embodiment, the event includes a reference to each node (called a "node reference"). A node reference includes several fields, such as an Internet Protocol (IP) address, a network zone, a host name, a media access control (MAC) address, and an asset identifier (asset ID). (A network zone is a network segment; a tag identifies a network zone and is used to distinguish private address spaces from one another.) A network node is addressed by using an IP address. Some devices (for example, multi-homed servers) can be addressed via any of multiple IP addresses. In that case, each IP address is treated as a separate network node, so a single device can "host" multiple network nodes.

The asset ID field is used to store a unique identifier (ID) assigned to a network node. When the manager first receives an event, the asset ID field of a node reference is empty. Later, an identifier of the "asset model" corresponding to the node is stored in the asset ID field. In one embodiment, the ID is used to obtain the asset model corresponding to the network node with which the ID is associated. In another embodiment, the ID is used to determine whether the network node is a member of a particular category (described below). An asset model is a collection of information about a network node. This information can include, for example, the node's IP address, the node's host name, the network to which the node belongs, the node's role within the enterprise, the open ports on the node, and the software installed on the node (for example, the operating system and applications). In one embodiment, an asset model includes a list of the node's known vulnerabilities or weaknesses, called "exposed vulnerabilities". A vulnerability is generally defined as a configuration or condition of a node that can be exploited to produce an effect other than the one intended by the node's manufacturer.

The manager accesses the asset model of a network node in order to perform security analysis. For example, an event may describe an attempt to exploit one or more known vulnerabilities, called "exploited vulnerabilities". The manager can determine the target node's exposed vulnerabilities (by accessing the node's asset model) and then compare them with the exploited vulnerabilities. If a vulnerability appears both as an exposed vulnerability and as an exploited vulnerability, ... Threat detection is described further in U.S. Patent No. ..., the entire contents of which are incorporated herein by reference.

As another example, consider a standard within the Federal Information Processing Standards (FIPS) that

requires nodes to be classified according to their tolerance for confidentiality.

An event may describe an action that can cause a failure of confidentiality at a particular node. The manager 14 may notice this event and determine how critical confidentiality is for that node (by accessing the node's asset model). If confidentiality is critical, a trouble ticket can be generated to track the violation.

A network node (asset) can be categorized in order to describe its characteristics. One category is implemented as a "group". For example, to specify that a particular node is running the Windows 2003 Server operating system, the node's asset is placed in the category "/All Categories/Operating Systems/Microsoft/Windows/2003 Server".
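The category machinery the summary describes, as an added example that is neither the patent's nor ArcSight's code: one bitmap per category path, the asset's integer ID as the bit index, and the transitive closure maintained at update time so that a membership test for any ancestor is a single bit test. Python ints stand in for the bitmaps; the class name CategoryIndex, the root path "/All Categories" and the sample category paths beyond the Windows 2003 Server one are assumptions. Categorizing asset groups, zones and zone groups, which the patent also allows, is not shown.

```python
class CategoryIndex:
    """Transitive-closure bitmaps for hierarchical asset categories.

    Each category path owns one bitmap (a Python int); bit n is set when asset n
    belongs to the category directly or through any descendant category, so a
    query never walks the hierarchy. Class and root name are assumptions."""

    ROOT = "/All Categories"

    def __init__(self):
        self.bitmap = {self.ROOT: 0}         # category path -> bitmap
        self.parent = {}                     # category path -> parent path
        self.children = {self.ROOT: set()}
        self.direct = {self.ROOT: set()}     # assets placed directly in the category

    def ensure(self, path):
        """Create the category and any missing ancestors (the 'dynamic' part)."""
        if path in self.bitmap:
            return
        parent = path.rsplit("/", 1)[0] or self.ROOT
        self.ensure(parent)
        self.bitmap[path] = 0
        self.parent[path] = parent
        self.children[path] = set()
        self.children[parent].add(path)
        self.direct[path] = set()

    def add(self, asset_id, path):
        """Place an asset in a category: set its bit there and in every ancestor."""
        self.ensure(path)
        self.direct[path].add(asset_id)
        bit = 1 << asset_id
        node = path
        while node is not None:
            self.bitmap[node] |= bit
            node = self.parent.get(node)

    def _held_below(self, node, asset_id):
        return asset_id in self.direct[node] or any(
            self._held_below(c, asset_id) for c in self.children[node])

    def remove(self, asset_id, path):
        """Drop a direct placement; clear ancestor bits only while no other
        descendant still holds the asset, so a second placement keeps them set."""
        if path not in self.direct or asset_id not in self.direct[path]:
            return
        self.direct[path].discard(asset_id)
        node = path
        while node is not None and not self._held_below(node, asset_id):
            self.bitmap[node] &= ~(1 << asset_id)
            node = self.parent.get(node)

    def is_member(self, asset_id, path):
        """The check the manager runs per node reference: one bit test."""
        return bool((self.bitmap.get(path, 0) >> asset_id) & 1)

    @staticmethod
    def _decode(bm):
        out, i = set(), 0
        while bm:
            if bm & 1:
                out.add(i)
            bm >>= 1
            i += 1
        return out

    def members(self, path):
        return self._decode(self.bitmap.get(path, 0))

    def members_of_all(self, *paths):
        """Assets in every listed category: an AND across the bitmaps."""
        if not paths:
            return set()
        bm = self.bitmap.get(paths[0], 0)
        for p in paths[1:]:
            bm &= self.bitmap.get(p, 0)
        return self._decode(bm)
```

The removal path is the part worth testing: clearing a bit in "Windows" when the asset leaves "2003 Server" is only correct if it is not also placed under "XP", which is why the index keeps the direct placements alongside the closure.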

Categories such as "/All Categories/Operating Systems/Microsoft/Windows/2003 Server" can be hierarchical. For example, "2003 Server" is a subcategory of the category "Windows", which is a subcategory of the category "Microsoft", and so on. Another example of hierarchical categories is geographic classification (for example, continent/country/state/region).

Given a node reference and a category, the manager 14 can determine whether the node is a member of (that is, belongs to) that category. An asset group can also be categorized, as can a network zone and a network zone group.

Security analysis therefore includes identifying and accessing an asset model and checking category membership. For the security analysis to be performed in real time (or near real time), the model identification and access and the category checks must also be performed in real time (or near real time). This is hard to achieve because thousands of events are generated every minute, and each event indicates one or more node references. For example, an event rate of 5,000 events/second with 4 node references/event yields 20,000 node references/second. For each node reference, its asset model must be identified and several category membership checks performed.

MANAGER ARCHITECTURE

Figure 2 is a high-level block diagram of a computer 200 for use as a manager 14 of a security information/event management system 10, according to one embodiment. Illustrated are at least one processor 202 coupled to a bus 204. Also coupled to the bus 204 are a memory 206, a storage device 208, a keyboard 210, a graphics adapter 212, a pointing device 214, and a network adapter 216. In one embodiment, the functionality of the bus 204 is provided by an interconnecting chipset. A display 218 is coupled to the graphics adapter 212.

The storage device 208 is any device capable of holding data, such as a hard drive, compact disk read-only memory (CD-ROM), DVD, or a solid-state memory device. The memory 206 holds instructions and data used by the processor 202. The pointing device 214 may be a mouse, trackball, or other type of pointing device, and is used in combination with the keyboard 210 to input data into the computer 200. The graphics adapter 212 displays images and other information on the display 218. The network adapter 216 couples the computer 200 to a local or wide area network.

As is known in the art, a computer 200 can have different and/or other components than those shown in Figure 2. In addition, the computer 200 can lack certain illustrated components. For example, a computer 200 acting as a manager 14 can lack a keyboard 210, pointing device 214, graphics adapter 212, and/or display 218. Moreover, the storage device 208 can be local and/or remote from the computer 200 (for example, embodied within a storage area network (SAN)).

A software agent 12 (for example, a SmartConnector from ArcSight, Inc. of Cupertino, California) receives a message from a sensor regarding a network node. The agent 12 then processes the message to generate an event. In one embodiment, an event is represented by a data structure that includes one or more fields, where each field can contain a value. The value of a field is determined based on the message received from the sensor. The agent transmits the event to a manager 14 (for example, ArcSight's Enterprise Security Manager software) for storage and analysis.

The manager 14 includes a module (not shown) called the Event Asset Resolver (EAR). Recall that an event can include a node reference. The EAR module associates this node reference with its corresponding asset model and tags the node reference with a unique identifier (ID). For example, the EAR module modifies the event by storing the ID in the asset ID field of the node reference (which was previously empty). In one embodiment, an event includes references to four nodes: the source of the network traffic, the destination of the network traffic, the agent host, and the sensor host that reported the event. For each node reference, the EAR module associates the node reference with its corresponding asset model and tags the node reference with a unique ID.

Figure 3 is a high-level block diagram illustrating modules within a manager 14 of a security information/event management system 10, according to one embodiment. As shown in Figure 3, one embodiment of the manager 14 includes an identifier module 300 and a category module 310. Other embodiments can have different and/or additional modules than those shown. For example, the manager 14 can include the modules shown in Figure 1, but Figure 3 omits them for clarity. In addition, the functionality can be distributed among the modules in a manner different from that described herein.

The identifier module 300 provides functionality related to a unique identifier (ID) assigned to a network node. In one embodiment, an ID is integer-based (for example, a value represented by the primitive data type "int"). In one embodiment, an ID is "locally" unique; for example, it is unique within a particular manager 14 but not necessarily unique across multiple managers. In another embodiment, an ID is a universally unique identifier (UUID) or a globally unique identifier (GUID). In that embodiment, an ID is "globally" unique; for example, it is unique across multiple managers. The amount of memory required to store a UUID or GUID is at least 16 bytes. Storing an integer-based value requires less memory. Since it may be necessary to store more than a million IDs in memory simultaneously, this difference in memory is significant.

In one embodiment, the ID is used to obtain the asset model corresponding to the network node with which the ID is associated. For example, an asset management module (not shown) maintains asset model information and returns an asset model in response to a query using an ID. An asset model is represented by, for example, an object data structure (using an object-oriented programming language such as Java). In another embodiment, the ID is used to determine whether the network node is a member of a particular category.

In the illustrated embodiment, the identifier module 300 includes a lookup module 320, a management module 330, a gap table 340, and one or more lookup tables 350. The lookup module 320 determines the ID of a network node based on various characteristics of the node. These characteristics are present in the node reference within the event, as described above. The ID of a particular network node is determined based on the node's IP address, host name, network zone, and/or media access control (MAC) address. In one embodiment, each of these pieces of information is used as a key into one or more lookup data structures (the lookup tables 350, described below). If a lookup succeeds (that is, a value associated with the key is found), the value is returned; it is the ID of the node's asset model.

Figure 4 is a flowchart showing a method of determining an identifier associated with a network node, according to one embodiment. Before the method 400 begins, information about a network node has been received. This information includes one or more of the node's IP address, network zone, host name, and MAC address.

A lookup 410 is attempted using the node's MAC address. If this yields a successful match, the ID is returned 420. If the MAC lookup does not yield a successful match, a lookup 430 is attempted using the node's IP address and network zone. If this yields a successful match, the ID is returned 420. If the IP lookup does not yield a successful match, a lookup 440 is attempted using the node's host name and network zone. If this yields a successful match, the ID is returned 420. If the host name lookup does not yield a successful match, a lookup 450 is attempted using an asset range, within the node's network zone, that covers the node's IP address. If this yields a successful match, the ID is returned 420. In one embodiment, the order in which the lookups are attempted (MAC lookup, IP lookup, host name lookup, and asset range lookup) is configurable.

The lookup module 320 uses the lookup tables 350 to determine the ID of a network node based on the node's various characteristics. In one embodiment, there are four types of lookup tables 350: an IP address/network zone lookup table, a host name/network zone lookup table, a MAC address lookup table, and an asset range lookup table. Each of these lookup tables is populated by the asset management module (described above).

IP address/network zone lookup

In one embodiment, an IP address lookup table uses keys and values of the primitive data type "int" (integer). The key used to perform a lookup is a 32-bit integer representing an IP address. The value returned by a lookup is the integer ID of the corresponding asset model. Since IP addresses are unique only within a network zone, each network zone has its own IP lookup table.

In one embodiment, the lookup table is customized and optimized to exhibit low memory usage and/or high speed. The optimized table can be a hash map or an array.

Figure 5 shows exemplary data structures for an IP address lookup table. The illustrated data structures include an open addressing hash map 500 and a direct access array 510. In a conventional implementation of an open addressing hash map, three arrays are used: one for storing keys, one for storing values, and one for indicating whether each key/value pair is valid. Here, the keys (IP addresses) and the values (IDs) are stored together in a single integer array 500. In the illustrated embodiment, a key and its associated value are placed adjacent to each other (for example, contiguously) in the array to obtain better cache locality. In other words, the open addressing hash map is implemented using a single array in which the keys and values are interleaved. Implementing an open addressing hash map with a single array is known to those skilled in the art and is described in the Data Structures/Hash Tables Wikibook (http://en.wikibooks.org/...).

A given IP address may be invalid within a network zone. In one embodiment, such an invalid address is used in a lookup data structure to indicate that the corresponding value (here, an ID) is empty.

Alternatively, a direct access array 510 can be used, in which each value (here, an ID) is stored as an element of the array. The index of the element within the array is determined based on the key (here, an IP address). In one embodiment, the index equals the offset of the IP address within the IP address range of the network zone. For example, consider a network zone that includes IP addresses in the range 192.168.0.100 to 192.168.0.200. The IP address 192.168.0.150 would have an index equal to 50, because its offset from the lower end of the range is 50. Its ID would therefore be stored in array[50], where array is the name of the array and 50 is the index into the array. In this way, the key need not be stored. Instead, it is converted to an index, which is then used to access a particular element of the array.

Consider another network zone and its IP address range (for example, 192.168.0.0 to 192.168.0.255). If the IP addresses within the range are densely populated (which will commonly be the case), a direct array is used. This provides faster lookups while saving memory, because the IP addresses themselves need not be stored explicitly in the lookup table.

If the IP addresses are only sparsely populated within a network zone, a direct array lookup would incur considerable memory overhead, and a hash map is used instead. In one embodiment, the internal data structure type used for the IP address lookup table is chosen according to the usage (for example, the fill density) of the IP addresses within the IP address range associated with the network zone. The data structure can be switched between array lookup 510 and hash lookup 500 as needed (for example, if the IP address fill density changes).

Host name/network zone lookup

Since host names are unique only within a network zone, each network zone has its own host name lookup table. In one embodiment, the lookup table is customized and optimized to exhibit low memory usage and/or high speed.
The value of a 依据 position is determined according to the message received from the sensor. The agent is managed The device 14 (eg, enterprise security management software from ArcSight Corporation) transmits the event for storage and analysis. The manager 14 includes a module (not shown) called an event asset parser (EAR). Reviewing an event can include a node reference. The EAR module associates this node reference with its corresponding asset model and marks the node reference with a unique identifier (ID). For example, the EAR module modifies the event by storing the (1) in the asset 10 field of the node reference (which was previously an empty block). In one embodiment, an event includes references to four nodes: network traffic source, network traffic destination, agent host, and sensor host reporting events. For each node reference, the EAR module associates the node reference with its corresponding asset model and marks the node reference with a unique ID. 3 is a high level block diagram of one of the modules within a manager 14 of a security information/event management system 10 in accordance with an embodiment. As shown in FIG. 3, one embodiment of the -fi processor 14 includes an identifier module 3A and a class module 31A. In addition to the modules shown in the figures, other embodiments may have different and/or additional modules. For example, the manager 14 can include the modules shown in Figure 1, but Figure 3 omits these modules for the sake of brevity. In addition, the functions may be distributed among the modules in a manner different from that described herein. ~ The identifier module 300 provides functionality associated with a unique identifier 126191.doc -19.200837571 assigned to a network node. In a specific embodiment, one is based on an integer (eg, the original data type "int" represents a value p in a particular embodiment, one (four) "local" unique. 
For example, A particular management hack is only unique - but not necessarily unique across multiple managers. In another embodiment, - (10) - universal only identifier (umD) or a globally unique identifier (GUID). In this particular embodiment, one (1) is "global" unique. For example, it is unique across multiple managers. The storage-uuid* GUID requires at least 16 bytes of memory. Integer-based values require less memory. Since more than one million m may need to be stored in memory at the same time, the difference in memory is more pronounced. In a specific embodiment, the ID is used for Obtaining an asset model corresponding to one of the associated network nodes. For example, an asset management module (not shown) maintains the asset model §fL and returns an asset model when accepting an inquiry using an ID. The asset model is based on (for example An object data structure (using an object-oriented stylized language such as Java). In another embodiment, the ID is used to determine whether the network node is a member of a particular category. In the specific embodiment, the identifier module 3 includes a lookup module 320, a management module 330, a gap table 340, and one or more lookup tables 350. The lookup module 320 is based on the network node. Various features to determine the ID of a network node. These features are present in the node reference within the event, as described above. Depending on the node's IP address, host name, network area, and/or media access control The (MAC) address determines the IQ of a particular network node. 126191.doc -20- 200837571 In one embodiment, these pieces of information are used to place one or more lookup data structures (see Table 35). 〇, as described below). If a query is successful (for example, find one of the values associated with the index key), then return the value (which is the D of the node's asset model). 
Displaying a network in accordance with a specific embodiment A flow chart of one of the methods associated with one of the identifiers associated with the node. Before the start of the method 4, the information about a network node has been received. This information includes one of the following or an item of the Point 1P address, network area, host name, and MAC bit address 1. Try a lookup 410 by using the MAC address of the node. If a successful match is generated, the 1]0 is returned. If the mac reference does not produce a successful match, then the node is accessed by using the node's scary address and network area. If a successful match is generated, the ID 420 is returned. If the ip lookup does not result in a successful match, then try to access 44 by using the host name and network area of the point. If the result is a successful match, the ID 420 is returned. If the host name lookup does not produce a successful match, then one of the IP locations of the node is confiscated by using the network region of the node. The scope of the asset is to try to look up 45. If a successful match is generated, the ID 42 is returned. In a specific embodiment, the order of each lookup (MAC lookup, ιρ lookup, host name lookup and The asset range reference is configurable. The lookup module 320 uses the lookup tables 35 to determine the ID of a network node based on various characteristics of the network node. In one embodiment, there are four types of views. Table 350: IP Address/Network Area Lookup Table, Host Name/Network Area 126191.doc -21 - 200837571 Domain Lookup Table, MAC Address Lookup Table, and Asset Range Lookup Table. With the Asset Management Module (above Said to fill each lookup table of the lookup tables. IP address / network area lookup In a specific embodiment, an ip address lookup table uses the index key of the original data type nint" (integer) And value. Used to perform a check One of the index keys represents a 32-bit integer of one IP address. 
The value returned by a lookup is the integer ID of the corresponding asset model. Since the ip address is only in one network area (unique, therefore each A network area has its own lookup table. 1 In one embodiment, the lookup table is customized and optimized to present a lower sigmoid use and/or face velocity. The table may be a hash map or an array. Figure 5 shows an exemplary data structure for a „> address lookup table. The illustrated shell structure includes an open addressing hash map 5〇〇 and a direct access array. 5 10. In a conventional implementation of open addressing hash mapping, three arrays are used, one array for storing index keys, one array for storing values, and one array of C columns for indicating whether pairs of index keys and values are valid. Here, the index key (ΙΡ address) is stored with a value (ID) in a single integer array 5〇〇. In the illustrated embodiment, an index key and its associated values are adjacent to each other (eg, Placed adjacent to each other in the array to obtain more Cache memory locality. In other words, by using an array to interleave an index key array with the value of a value array - open addressing material mapping. Implementing an open addressing hash map by using a - single-array It has been known to those skilled in the art, and in the data structure / hash table wiki book this (4) Ming, tt^http./en.wikibooks.o^^^^^^^ 〇126191.doc - 22- 200837571 The ip address may be invalid in a network area. In a specific embodiment, an invalid address is used in a lookup data structure to indicate that the corresponding value (in this case, an ID) is empty. A direct access array 5 10 can be used in which each value (here an ID) is stored as an element of the array. The index of the element in the array is determined by the index key (here, an Ip address). In a specific embodiment, '-f is quoted to be equal to the offset of the address of the address in the range of the m address. 
For example, consider a network area that includes one of the IP addresses ranging from 192 168 〇 1〇〇 to 192 168 〇 2〇〇. The IP address 192.168.0.150 will have an index equal to 5 , because its offset is 50 from the lower end of the range. Therefore, (1) will be stored in array[5〇], where array is the name of the array and 5 is placed into the index of the array. In this way, ;f must store the _ index key. Alternatively, it is converted to an index, which is then used to access a particular element of the array. Consider another network area and its IP address range (for example, 192.168.0.0 to 192.168.G.255). If the lp address in this range is densely populated (this will be the case), then the - straight (four) column is used. This provides a faster lookup when saving the secret, since it is not necessary to explicitly store the private IP address in the lookup table. The right IP address is only sparsely populated in a network area, and direct array lookups can result in a fairly large memory negative #, instead using a hash map. In a specific embodiment, the internal data structure type used for the 1] address lookup table is used according to the 1st address in the IP address associated with the network area (eg 'i true charge degree' ). You can view the data structure (such as change) 〇 host name/network area view between the array and the hash area if the IP address is filled with the density change 500. The network, the same way & the domain is unique, so each network area has its own main building 幺 ΤΠ 铖 % % IP IP lookup table. In a specific embodiment, the look-up table is customized and suspended to present lower memory usage and/or high speed.
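The two structures of Figure 5 in working code, as an added example that is not part of the patent or of any ArcSight product: an open-addressing hash map that interleaves key and value in a single int array, a direct-access array indexed by the address's offset from the zone's lower bound, and a per-zone table that picks between them by fill density and can switch later. The class and function names, the 0.0.0.0 empty-slot marker, the -1 "no ID" sentinel and the 25% density threshold are all assumptions of this example, not values taken from the patent.

```python
from array import array
import ipaddress

NO_ID = -1      # lookup result meaning "no asset model" (constructed sentinel)
EMPTY_KEY = 0   # 0.0.0.0 is never a valid host address, so it marks an empty slot


def ip_key(text):
    """Dotted-quad text -> signed 32-bit int, the key type of the IP tables."""
    v = int(ipaddress.IPv4Address(text))
    return v - (1 << 32) if v >= (1 << 31) else v


class InterleavedIntHashMap:
    """Open addressing with key and value adjacent in ONE int array:
    slot i is cells[2*i] (key) and cells[2*i + 1] (value); an empty slot holds
    EMPTY_KEY, so no separate "is this pair valid" array is needed."""

    def __init__(self, capacity=16):
        self.capacity, self.size = capacity, 0
        self.cells = array('i', [EMPTY_KEY, NO_ID] * capacity)

    def _slot(self, key):
        return ((key & 0xFFFFFFFF) * 0x9E3779B1 >> 16) % self.capacity

    def put(self, key, value):
        if key == EMPTY_KEY:
            raise ValueError("0.0.0.0 is reserved as the empty-slot marker")
        if (self.size + 1) * 4 > self.capacity * 3:   # keep load factor <= 0.75
            self._grow()
        i = self._slot(key)
        while self.cells[2 * i] not in (EMPTY_KEY, key):   # linear probing
            i = (i + 1) % self.capacity
        if self.cells[2 * i] == EMPTY_KEY:
            self.size += 1
        self.cells[2 * i], self.cells[2 * i + 1] = key, value

    def get(self, key):
        i = self._slot(key)
        while self.cells[2 * i] not in (EMPTY_KEY, key):   # load < 1: terminates
            i = (i + 1) % self.capacity
        return self.cells[2 * i + 1] if self.cells[2 * i] == key else NO_ID

    def items(self):
        for i in range(0, 2 * self.capacity, 2):
            if self.cells[i] != EMPTY_KEY:
                yield self.cells[i], self.cells[i + 1]

    def _grow(self):
        old, self.capacity, self.size = list(self.items()), self.capacity * 2, 0
        self.cells = array('i', [EMPTY_KEY, NO_ID] * self.capacity)
        for k, v in old:
            self.put(k, v)


class DirectAccessArray:
    """One ID per address of the zone's range: index = key - low, key not stored."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.ids = array('i', [NO_ID]) * (high - low + 1)

    def put(self, key, value):
        if not self.low <= key <= self.high:
            raise ValueError("address outside the zone's range")
        self.ids[key - self.low] = value

    def get(self, key):
        return self.ids[key - self.low] if self.low <= key <= self.high else NO_ID

    def items(self):
        return ((self.low + off, v) for off, v in enumerate(self.ids) if v != NO_ID)


class ZoneIpTable:
    """IP table of one zone; structure picked (and later switched) by fill density.
    DENSITY_THRESHOLD is this example's assumption; ranges straddling 128.0.0.0
    would need unsigned arithmetic and are not handled."""
    DENSITY_THRESHOLD = 0.25

    def __init__(self, low_text, high_text, expected_hosts=0):
        self.low, self.high = ip_key(low_text), ip_key(high_text)
        self.table = self._pick(expected_hosts)

    def _pick(self, count):
        if count / (self.high - self.low + 1) >= self.DENSITY_THRESHOLD:
            return DirectAccessArray(self.low, self.high)
        return InterleavedIntHashMap()

    def put(self, ip_text, asset_id):
        self.table.put(ip_key(ip_text), asset_id)

    def get(self, ip_text):
        return self.table.get(ip_key(ip_text))

    def rebalance(self):
        """Re-evaluate density; migrate entries if the other structure fits better."""
        entries = list(self.table.items())
        wanted = self._pick(len(entries))
        if type(wanted) is not type(self.table):
            for k, v in entries:
                wanted.put(k, v)
            self.table = wanted
        return type(self.table).__name__
```

With the zone 192.168.0.100 to 192.168.0.200 from the text, `ZoneIpTable('192.168.0.100', '192.168.0.200', expected_hosts=60)` chooses the direct array and stores the ID of 192.168.0.150 at index 50; a sparse /16 zone gets the interleaved hash map, and `rebalance()` migrates the entries once the measured density crosses the threshold.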

In one embodiment, a host name lookup is performed using two lookup tables. Each lookup table can be implemented as a hash map or an array. Figure 6 shows the two lookup tables used to perform a host name lookup. For simplicity, the lookup tables are illustrated in a row/column format, where each row shows one key/value pair.

A host name is split into two parts: a machine name and a domain name. For example, the host name "test.arcsight.com" is split into "test" (the machine name) and "arcsight.com" (the domain name). A first lookup table uses keys of the primitive data type "String" and values of the primitive data type "int" (integer). The key used to perform a lookup is a string representing a domain name (illustrated as "DN1"). The value returned by a lookup is an integer reference (illustrated as "DN1"), associated with that domain name, into the second table 610. This avoids wasting memory on multiple copies of the same domain name.

A second lookup table 610 uses keys and values of the primitive data type "int" (integer). The key used to perform a lookup is an integer representing a machine name and a domain name (illustrated as "MN1/DN1") (see the exemplary implementation described below). The value returned by a lookup is the integer ID of the corresponding asset model (illustrated as "ID1").

In one embodiment, the key for the second lookup table 610 is based on an integer hash of the machine name and the integer reference of the domain name (e.g., as stored in the domain name table). In one embodiment, a machine name is stored as a UTF-8 (8-bit Unicode Transformation Format) byte array for compact storage. If Java is used, a character is encoded as UTF-16, which requires 2 bytes of memory per character. If the machine name contains only ASCII characters, UTF-8 encoding needs only 1 byte per character, which is the case most of the time. (The DoD Internet Host Table Specification (RFC 952) specifies that a host name should contain only ASCII characters.)

In a conventional implementation of an open-addressing hash map, three arrays are used: one array to store keys, one array to store values and one array to indicate whether each key/value pair is valid. Here, for the second lookup table 610, the keys (integers representing a machine name and a domain name) and values (IDs) are stored together in a single integer array. A key and its associated value are placed adjacent to each other (e.g., next to each other) in the array for better cache locality. In other words, an open-addressing hash map is implemented by using one array and interleaving the values of a key array with those of a value array.

In one embodiment, the second lookup table 610 is implemented by using one integer array per table entry (e.g., one array per host name). This array holds the machine name's UTF-8 byte array, the machine name's hash code, the domain name reference and the associated ID. Since no objects are used, the overhead associated with objects is avoided, further reducing memory usage. The locality of the cache memory units is also improved, increasing performance.

In an open-addressing hash map, a hash is computed, the entry at that position is fetched, and the key is tested to determine whether there is a match. Here, the domain name is first used with the first table to obtain the domain name reference. In one embodiment, to optimize the key check, the obtained reference (an integer) is compared with the reference stored in the entry (also an integer). Next, a hash of the machine name (an integer, computed as part of the hash calculation for this lookup) is compared with the hash stored in the entry (also an integer). Finally, the machine name string is compared with the string stored in the entry. The value returned is the integer ID of the asset model associated with the given host name.

MAC Address Lookup

The MAC lookup table 600 uses keys of the primitive data type "long" (long integer) and values of the primitive data type "int" (integer). The key used to perform a lookup is a 64-bit integer representing a MAC address. The value returned by a lookup is the integer ID of the corresponding asset model. Since MAC addresses are globally unique, only one MAC lookup table is used.

In one embodiment, the lookup table is custom-built and optimized for low memory usage and/or high speed. The custom table can be a hash map or an array.

Figure 7 shows an exemplary data structure for a MAC address lookup table. The illustrated data structure is an open-addressing hash map 700. In a conventional implementation of an open-addressing hash map, three arrays are used: one array to store keys, one array to store values and one array to indicate whether each key/value pair is valid. Here, the keys (MAC addresses) and values (IDs) are stored together in a single integer array. A key and its associated value are placed adjacent to each other (e.g., next to each other) in the array for better cache locality. In other words, an open-addressing hash map is implemented by using one array and interleaving the values of a key array with those of a value array.
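The two-table host name lookup of Figure 6 and the probe sequence described above (domain reference first, then the machine-name hash, then the bytes themselves), as an added Python example that is not the patent's own code. The FNV-1a hash, a tuple per entry standing in for the patent's per-entry int array, the -1 sentinel and the class names are assumptions of this example.

```python
NO_ID = -1   # constructed sentinel for "no asset model"


def split_hostname(hostname):
    """'test.arcsight.com' -> ('test', 'arcsight.com'); a bare name gets domain ''."""
    machine, _, domain = hostname.partition('.')
    return machine, domain


def fnv1a32(data):
    """32-bit FNV-1a over bytes, standing in for the integer hash of a machine name."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def storage_bytes(name):
    """Bytes needed for a name as UTF-8 versus UTF-16 (Java's in-memory String form)."""
    return len(name.encode('utf-8')), len(name.encode('utf-16-le'))


class DomainTable:
    """First table: domain-name string -> small integer reference, stored once."""

    def __init__(self):
        self.refs, self.names = {}, []

    def ref_of(self, domain, create=False):
        ref = self.refs.get(domain)
        if ref is None and create:
            ref = self.refs[domain] = len(self.names)
            self.names.append(domain)
        return NO_ID if ref is None else ref


class MachineNameTable:
    """Second table: (machine name, domain reference) -> asset ID.
    Each slot is one tuple (utf8 bytes, name hash, domain ref, asset ID); a probe
    compares the domain ref, then the hash, then the bytes, cheapest first."""

    def __init__(self, capacity=64):
        self.capacity, self.size = capacity, 0
        self.slots = [None] * capacity

    def _probe(self, raw, h, ref):
        """Linear probing; returns the index of the match or of the first empty slot."""
        i = (h * 31 + ref) % self.capacity
        while self.slots[i] is not None:
            s_raw, s_h, s_ref, _ = self.slots[i]
            if s_ref == ref and s_h == h and s_raw == raw:
                break
            i = (i + 1) % self.capacity
        return i

    def put(self, machine, ref, asset_id):
        if (self.size + 1) * 4 > self.capacity * 3:   # keep load factor <= 0.75
            self._grow()
        raw = machine.encode('utf-8')
        i = self._probe(raw, fnv1a32(raw), ref)
        if self.slots[i] is None:
            self.size += 1
        self.slots[i] = (raw, fnv1a32(raw), ref, asset_id)

    def get(self, machine, ref):
        raw = machine.encode('utf-8')
        slot = self.slots[self._probe(raw, fnv1a32(raw), ref)]
        return NO_ID if slot is None else slot[3]

    def _grow(self):
        old = [s for s in self.slots if s is not None]
        self.capacity, self.size = self.capacity * 2, 0
        self.slots = [None] * self.capacity
        for raw, _, ref, asset_id in old:
            self.put(raw.decode('utf-8'), ref, asset_id)


class HostnameLookup:
    """Host-name lookup for one network zone, combining the two tables."""

    def __init__(self):
        self.domains, self.machines = DomainTable(), MachineNameTable()

    def put(self, hostname, asset_id):
        machine, domain = split_hostname(hostname)
        self.machines.put(machine, self.domains.ref_of(domain, create=True), asset_id)

    def get(self, hostname):
        machine, domain = split_hostname(hostname)
        ref = self.domains.ref_of(domain)
        if ref == NO_ID:          # unknown domain: the second table need not be touched
            return NO_ID
        return self.machines.get(machine, ref)
```

The domain table interns each domain string once, so two hosts in arcsight.com share a single reference; `storage_bytes('test')` returns `(4, 8)`, the UTF-8 versus UTF-16 difference the text mentions for ASCII-only machine names.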

A particular MAC address may be invalid. In one embodiment, an invalid address is used in a lookup data structure to indicate that the corresponding value (here, an ID) is empty.

Asset Range Lookup

The key used to perform a lookup is a pair of IP addresses that together represent a range of IP addresses. The value returned by a lookup is the integer ID of the corresponding asset model. Since IP addresses are unique only within a network zone, each network zone has its own asset range lookup table. Before the lookup is performed, the IP address of interest is examined to determine the IP address range that would include it.

The management module 330 tracks which IDs have been assigned to network nodes and which IDs are not yet assigned. The management module 330 also provides an ID upon request (e.g., for association with a new network node). IDs are created close to one another so that gaps between them are minimized. When network nodes (and their associated asset models) are removed from a system, gaps can begin to appear between the IDs in use. In one embodiment, the management module 330 manages gaps between IDs as follows: at initial load time, a gap table (gap table 340) is built. When a new network node is added (and thus a new asset model is created), an ID is assigned. If a gap exists, an ID within the gap is used. If no gap exists, a new ID is created and used. The management module 330 uses the gap table 340 to manage gaps between IDs, as described above.

The category module 310 provides functionality related to categories. Recall that a network node (asset) can be categorized in order to describe its characteristics. A category is implemented as a group. For example, to specify that a particular node is running the Windows 2003 Server operating system, the node's asset is placed in the group "/AllCategories/OperatingSystems/Microsoft/Windows/2003Server".
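The lookup order of Figure 4 (method 400), the asset range table and the gap-table ID management described above, as an added example that is not part of the patent: the resolver tries MAC, IP/zone, host name/zone and asset range in a configurable order, the range table finds the range containing an address by binary search over non-overlapping ranges, and the ID manager refills gaps before minting new IDs. Plain dicts stand in for the MAC, IP and host name tables, the non-overlap assumption on ranges, the -1 sentinel and all names are this example's assumptions.

```python
import bisect
import heapq
import ipaddress

NO_ID = -1   # constructed sentinel for "no asset model found"


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


class AssetRangeTable:
    """Per-zone table keyed by IP ranges (low, high); assumes ranges do not overlap."""

    def __init__(self):
        self.lows, self.highs, self.ids = [], [], []

    def put(self, low_text, high_text, asset_id):
        low, high = ip_int(low_text), ip_int(high_text)
        pos = bisect.bisect_left(self.lows, low)
        self.lows.insert(pos, low)
        self.highs.insert(pos, high)
        self.ids.insert(pos, asset_id)

    def get(self, ip_text):
        """Find the range that contains the address, if any."""
        ip = ip_int(ip_text)
        pos = bisect.bisect_right(self.lows, ip) - 1   # last range starting at or below ip
        if pos >= 0 and ip <= self.highs[pos]:
            return self.ids[pos]
        return NO_ID


class IdManager:
    """Hands out integer IDs, refilling gaps left by removed nodes (the gap table)."""

    def __init__(self, ids_in_use):
        used = set(ids_in_use)
        self.next_id = max(used) + 1 if used else 0
        # Gap table built at initial load: every unused ID below the highest one.
        self.gaps = [i for i in range(self.next_id) if i not in used]
        heapq.heapify(self.gaps)

    def allocate(self):
        if self.gaps:                      # reuse the lowest gap first
            return heapq.heappop(self.gaps)
        self.next_id += 1
        return self.next_id - 1

    def release(self, asset_id):
        heapq.heappush(self.gaps, asset_id)


class NodeResolver:
    """Method 400: MAC, IP/zone, host name/zone, then asset range, in a configurable order."""

    DEFAULT_ORDER = ('mac', 'ip', 'hostname', 'range')

    def __init__(self, order=DEFAULT_ORDER):
        self.order = order
        self.by_mac = {}          # mac -> id (MAC addresses are globally unique)
        self.by_ip = {}           # (zone, ip) -> id, standing in for the per-zone IP tables
        self.by_hostname = {}     # (zone, hostname) -> id
        self.ranges = {}          # zone -> AssetRangeTable

    def resolve(self, node):
        """node: dict with any of mac, ip, zone, hostname. Returns (asset_id, step that hit)."""
        for step in self.order:
            asset_id = getattr(self, '_lookup_' + step)(node)
            if asset_id != NO_ID:
                return asset_id, step
        return NO_ID, None

    def _lookup_mac(self, node):
        return self.by_mac.get(node.get('mac'), NO_ID)

    def _lookup_ip(self, node):
        return self.by_ip.get((node.get('zone'), node.get('ip')), NO_ID)

    def _lookup_hostname(self, node):
        return self.by_hostname.get((node.get('zone'), node.get('hostname')), NO_ID)

    def _lookup_range(self, node):
        table = self.ranges.get(node.get('zone'))
        if table is None or 'ip' not in node:
            return NO_ID
        return table.get(node['ip'])
```

A node reference that misses every table resolves to `NO_ID`; at that point the asset management side would register the node and take its ID from `IdManager.allocate()`, which returns a gap ID while one exists and only then extends the ID space.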

Categories can be hierarchical. For example, "2003Server" is a subcategory of the category "Windows", the category "Windows" is a subcategory of the category "Microsoft", and so on. Another example of hierarchical categories is geographic classification (e.g., continent/country/state/region). An asset group can also be categorized, as can a network zone and a network zone group.

In the illustrated embodiment, the category module 310 includes a lookup module 360, a management module 370, category data 380 and update data 390. The lookup module 360 determines whether a particular network node (asset) is a member of (i.e., belongs to) a particular category. For example, a question might be "Is this asset a member of this category or of any of its descendant categories?" To make this determination, the category module 310 uses the category data 380.

The category data 380 uses a transitive closure (TC) to model the hierarchical and dynamic space of classifications (properties) that can be attached to an asset model. A TC is essentially a directed acyclic graph (DAG) in which a link can exist between each ancestor (a category or group) and each descendant (an asset). The existence of a link indicates that the descendant asset is a member of the ancestor category or group or of any category or group among the ancestor's descendant categories or groups. These links are built on top of the parent-child links that already exist in the DAG. The existence of a TC link makes it possible to check in O(1) time whether a given child (asset) is a descendant of any given parent (category or group).

Consider the category hierarchy above: AllCategories/OperatingSystems/Microsoft/Windows/2003Server. One may be less interested in knowing whether a network node is running the 2003Server operating system than in knowing that the node is running a Microsoft operating system in general (e.g., of any type). If no link exists between the "Microsoft" category and the node, a tree walk would have to be performed. For example, a walk might start at the Microsoft category and search downward among its descendants for a match. Alternatively, a walk might start at the network node and search upward. A tree walk takes an unpredictable amount of time and, in theory, always costs more than an O(1) lookup against a complete list of the links between all ancestor categories and all descendant categories (i.e., a transitive closure). The drawback of using a TC is that it requires a lot of information. For example, the number of ancestor-descendant links is exponentially larger than the number of parent-child links.

The data structure representing the transitive closure is to be used for real-time lookups at a rate of 5,000 events per second, with 4 node references per event and 100 category membership checks per node reference (for a total of 2,000,000 checks per second). If the data structure is stored in secondary storage or cached in some fashion (e.g., least recently used, LRU), the performance of category checks is neither fast nor predictable. In one embodiment, the TC data structure is stored in memory so that category membership checks can be performed quickly.

In one embodiment, the transitive closure is stored in memory as a set of bitmaps, where a bitmap is an array of bits and each bit is a Boolean value. This is similar to bitmap indexing. A bitmap corresponds to a particular asset category or group. A bit in a bitmap indicates whether a link exists between that particular asset category/group and an asset. If there are 1 million assets and 1,000 asset categories/groups, 1 billion bits may be needed to store the transitive closure.

Recall that an asset model is identified by an ID (which is an integer value). In one embodiment, this ID is used as the index into a transitive closure bitmap.

An asset is typically classified into about thirty categories out of a total of 1,000. The probability that a particular asset belongs to a particular category is therefore 30/1,000 = 3%. This means that about 3% of the bits in a bitmap are set (i.e., have a value different from the other bits). A bitmap will therefore be very sparse. In one embodiment, a bitmap is compressed using a technique such as word-aligned hybrid in order to reduce the memory requirement.

When a category check is performed, using an uncompressed bitmap is faster than using a compressed one. In one embodiment, the bitmaps of categories that are checked more frequently are stored in uncompressed form, while the bitmaps of categories that are checked less frequently are stored in compressed form. This achieves very fast category checks for most checks at the small price of additional memory, increasing the average category check performance.

The management module 370 updates the category data 380 as needed. Asset models can change over time, and the transitive closure data structure is updated accordingly. If a bitmap is compressed, updating it involves decompressing it, applying the update and compressing it again.

In one embodiment, a bitmap is updated immediately, whether or not it is compressed.

In another embodiment, if a bitmap is compressed, it is not updated immediately. Instead, the update is stored temporarily (in the update data 390) and applied to the bitmap later, together with other updates to the same bitmap (e.g., by a task that runs periodically, such as once per minute). Since decompressing and compressing a bitmap takes time, it is faster to decompress the bitmap once, perform multiple updates and then compress it again. In this embodiment, when a category check involving a compressed bitmap is requested, the temporary update store (update data 390) is consulted to determine whether any updates exist. If the lookup in the temporary update store (which is small and therefore supports fast lookups) fails, a lookup is performed on the compressed bitmap. If a bitmap is uncompressed, it is updated immediately.

The management module 370 uses the update data 390 to delay updating the category data 380, as described above.

The above description is intended to illustrate the operation of the preferred embodiments and is not meant to limit the scope of the invention. The scope of the invention is limited only by the following claims. From the above discussion, many variations will be apparent to one skilled in the art that would yet be encompassed by the spirit and scope of the invention.

Brief Description of the Drawings

Figure 1 is a high-level diagram illustrating an environment having a security information/event management system according to one embodiment.

Figure 2 is a high-level block diagram of a computer used as a manager of a security information/event management system according to one embodiment.

Figure 3 is a high-level block diagram illustrating modules within a manager of a security information/event management system according to one embodiment.

Figure 4 is a flowchart showing a method for determining an identifier associated with a network node according to one embodiment.

Figure 5 shows exemplary data structures for an IP address lookup table.

Figure 6 shows two lookup tables used to perform a host name lookup.

Figure 7 shows an exemplary data structure for a MAC address lookup table.

The figures depict an embodiment for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein.
[Main component symbol description] 10 Security information/event management system 12 Agent 14 Manager 16 Console 18 Rule engine 20 Centralized event database 22 Database manager 126191.doc 32· 200837571 / l 24 Notifier 26 Agent Manager 28 Knowledge Base 200 Computer 202 Processor 204 Bus Bar 206 Memory 208 Storage Device 210 Keyboard 212 Graphics Adapter 214 Pointing Device 216 Network Adapter 218 Display 300 Identifier Module 310 Category Module 320 View Module 330 Management Module 340 Gap Table 350 Lookup Table 360 Review Module 370 Management Module 380 Category Information 390 Update Data 500 Open Address Hash Mapping/Integer Array 126191.doc • 33 200837571 510 Direct Access Array 600 MAC Lookup Table 610 Second Lookup Table 700 Open Addressing Hash Mapping 126191.doc -34-
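The category-check path just described (consult the small temporary update store first, then the compressed bitmap; a periodic task decompresses each bitmap once, applies every queued update and recompresses once), together with the sparse per-category bitmaps and the transitive closure that claims 12 to 15 below describe, as an added Python example that is not the patent's own code. A plain run-length fill encoding stands in for the word-aligned hybrid compression the text names; the 32-bit word size, the category hierarchy, the asset identifiers and the `hot` set of frequently checked categories are constructed for illustration.

```python
# Added example (not the patent's code): run-length fills stand in for the
# word-aligned hybrid scheme named in the text; sizes and sample data are constructed.
WORD_BITS = 32
ALL_ONES = (1 << WORD_BITS) - 1

def closure(subcategories, direct):
    """Transitive closure: an asset belongs to a category when attached to it
    directly or to any category reachable below it (claim 12)."""
    def collect(cat, seen):
        if cat in seen:                      # guards against cycles and diamonds
            return set()
        seen.add(cat)
        out = set(direct.get(cat, ()))
        for sub in subcategories.get(cat, ()):
            out |= collect(sub, seen)
        return out
    return {cat: collect(cat, set()) for cat in set(subcategories) | set(direct)}

def compress(words):
    """Run-length encode 32-bit words: ('fill', (bit, n)) for n consecutive
    all-zero or all-one words, ('lit', word) otherwise."""
    out = []
    for w in words:
        if w in (0, ALL_ONES):
            bit = 1 if w else 0
            if out and out[-1][0] == 'fill' and out[-1][1][0] == bit:
                out[-1] = ('fill', (bit, out[-1][1][1] + 1))
            else:
                out.append(('fill', (bit, 1)))
        else:
            out.append(('lit', w))
    return out

def decompress(encoded):
    words = []
    for kind, payload in encoded:
        if kind == 'fill':
            words.extend([ALL_ONES if payload[0] else 0] * payload[1])
        else:
            words.append(payload)
    return words

def bit_in_compressed(encoded, index):
    """Read one bit by walking the runs; slower than indexing an uncompressed bitmap."""
    target, bit = divmod(index, WORD_BITS)
    pos = 0
    for kind, payload in encoded:
        n = payload[1] if kind == 'fill' else 1
        if pos + n > target:
            return bool(payload[0]) if kind == 'fill' else bool((payload >> bit) & 1)
        pos += n
    return False                             # past the end: never a member

def _apply(words, asset_id, member):
    w, b = divmod(asset_id, WORD_BITS)
    words[w] = (words[w] | (1 << b)) if member else (words[w] & ~(1 << b))

class CategoryIndex:
    """One bitmap per category, indexed by asset identifier. Frequently checked
    ('hot') categories stay uncompressed; the others are packed and their updates
    wait in `pending` (the temporary update store) until flush() runs."""
    def __init__(self, num_assets, hot=()):
        self.num_words = -(-num_assets // WORD_BITS)
        self.hot, self.raw, self.packed, self.pending = set(hot), {}, {}, {}

    def set_member(self, cat, asset_id, member=True):
        if cat in self.packed:               # compressed: queue the update
            self.pending.setdefault(cat, {})[asset_id] = member
        else:                                # uncompressed: apply immediately
            _apply(self.raw.setdefault(cat, [0] * self.num_words), asset_id, member)

    def pack(self, cat):
        if cat not in self.hot and cat in self.raw:
            self.packed[cat] = compress(self.raw.pop(cat))

    def flush(self):
        """Periodic task: decompress once, apply every queued update, recompress once."""
        for cat, updates in self.pending.items():
            words = decompress(self.packed[cat])
            for asset_id, member in updates.items():
                _apply(words, asset_id, member)
            self.packed[cat] = compress(words)
        self.pending.clear()

    def is_member(self, cat, asset_id):
        if cat in self.raw:
            w, b = divmod(asset_id, WORD_BITS)
            return bool((self.raw[cat][w] >> b) & 1)
        queued = self.pending.get(cat, {})
        if asset_id in queued:               # the small store is checked first
            return queued[asset_id]
        return bit_in_compressed(self.packed.get(cat, []), asset_id)
```

Build the membership sets with `closure`, load them with `set_member`, and call `pack` on the categories that are rarely checked; from then on `set_member` on a packed category only touches `pending`, and `is_member` answers from `pending` before it walks the compressed runs. The order matters for correctness: a queued removal must shadow a set bit in the compressed copy until `flush` applies it.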

Claims (1)

X. Claims

1. A method for determining a unique identifier associated with a network node, comprising:
querying an IP address lookup data structure using an Internet Protocol (IP) address associated with the network node;
returning the unique identifier associated with the network node; and
performing one of the following:
using the returned unique identifier to obtain an asset model associated with the network node; and
using the returned unique identifier to determine whether the network node is a member of a category.

2. The method of claim 1, wherein the unique identifier associated with the network node is a value of the primitive data type "int" (integer).

3. The method of claim 1, wherein the IP address lookup data structure comprises a table, the table comprising one or more pairs, a pair comprising an IP address associated with a particular network node and a unique identifier associated with the particular network node.

4. The method of claim 3, wherein the IP address associated with the network node is a value of the primitive data type "int" (integer).

5. The method of claim 3, wherein querying the IP address lookup data structure using the IP address associated with the network node comprises determining a pair that contains the IP address associated with the network node.

6. The method of claim 3, wherein the table is an open-addressing hash map.

7. The method of claim 3, wherein the table is an open-addressing hash map implemented using only one array.

8. The method of claim 1, wherein the IP address lookup data structure comprises an array, the array comprising one or more elements, an element being stored at an index, the element comprising a unique identifier associated with a particular network node, and the index being determined based on an IP address associated with the particular network node.

9. The method of claim 8, wherein querying the IP address lookup data structure using the IP address associated with the network node comprises determining an index based on the IP address associated with the network node.

10. The method of claim 1, wherein the IP address lookup data structure is configured to change automatically from a table-based implementation to an array-based implementation.

11. The method of claim 1, wherein the IP address lookup data structure is configured to change automatically from an array-based implementation to a table-based implementation.

12. The method of claim 1, wherein using the returned unique identifier to determine whether the network node is a member of the category comprises:
determining a transitive closure, the transitive closure comprising one or more links between source nodes and destination nodes, a source node representing a category, a destination node representing a network node, and a link indicating that a destination node is a member of a source node;
querying the transitive closure using the returned unique identifier and the category; and
returning a Boolean value, the value indicating whether the network node is a member of the category.

13. The method of claim 12, wherein querying the transitive closure using the returned unique identifier and the category comprises determining whether a link exists between a destination node associated with the returned unique identifier and a source node associated with the category.

14. The method of claim 1, wherein using the returned unique identifier to determine whether the network node is a member of the category comprises:
determining a bitmap associated with the category, the bitmap comprising a plurality of bits, a bit value indicating whether a network node is a member of the category;
querying the bitmap using the returned unique identifier; and
returning a Boolean value, the Boolean value indicating whether the network node is a member of the category.

15. The method of claim 14, wherein querying the bitmap using the returned unique identifier comprises:
identifying a bit within the bitmap by using the returned unique identifier as an index into the bitmap; and
returning the value of the identified bit.

16. A method for determining a unique identifier associated with a network node, comprising:
querying a first lookup table using a domain name associated with the network node, the first lookup table comprising one or more pairs, a pair comprising a domain name associated with a particular network node and a reference to a second lookup table, the second lookup table comprising one or more pairs, a pair comprising a host name associated with the particular network node and a unique identifier associated with the particular network node;
querying the second lookup table using a host name associated with the network node;
returning the unique identifier associated with the network node; and
performing one of the following:
using the returned unique identifier to obtain an asset model associated with the network node; and
using the returned unique identifier to determine whether the network node is a member of a category.

17. A computer program product for determining a unique identifier associated with a network node, the computer program product comprising a computer-readable medium containing computer program code for performing a method, the method comprising:
querying an IP address lookup table using an Internet Protocol (IP) address associated with the network node, the IP address lookup table comprising one or more pairs, a pair comprising an IP address associated with a particular network node and a unique identifier associated with the particular network node;
returning the unique identifier associated with the network node; and
performing one of the following:
using the returned unique identifier to obtain an asset model associated with the network node; and
using the returned unique identifier to determine whether the network node is a member of a category.

18. An apparatus for determining a unique identifier associated with a network node, comprising:
a query module configured to query an IP address lookup table using an Internet Protocol (IP) address associated with the network node, the IP address lookup table comprising one or more pairs, a pair comprising an IP address associated with a particular network node and a unique identifier associated with the particular network node;
a return module configured to return the unique identifier associated with the network node; and
one of the following modules:
an asset model module configured to use the returned unique identifier to obtain an asset model associated with the network node; and
a category module configured to use the returned unique identifier to determine whether the network node is a member of a category.
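The identifier lookup structures of claims 1 to 11 and 16, as an added Python example that is not the patent's own code: an open-addressing hash map kept in a single int array (claims 6 and 7), a direct-access array indexed by address (claims 8 and 9), automatic switching between the two representations depending on how densely the stored addresses fill their range (claims 10 and 11), and the two-level domain-name / host-name lookup of claim 16. Identifiers are plain ints as claim 2 describes. The linear probing, the `EMPTY` sentinel, the `DENSE` threshold and the sample addresses and host names are constructed assumptions.

```python
# Added example (not the patent's code): the probing scheme, the EMPTY sentinel,
# the density threshold and the sample addresses are constructed.
import ipaddress

EMPTY = -1                                   # addresses and identifiers are >= 0

def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))

class OpenAddressingIntMap:
    """Linear-probing hash map in ONE flat int array: slot i keeps its key at
    2*i and its value at 2*i+1, so no per-entry objects exist (claim 7)."""
    def __init__(self, capacity=16):
        self.slots = [EMPTY] * (2 * capacity)
        self.count = 0

    def _slot(self, key):
        cap = len(self.slots) // 2
        i = key % cap
        while self.slots[2 * i] not in (EMPTY, key):
            i = (i + 1) % cap                    # probe the next slot
        return i

    def put(self, key, value):
        if self.count + 1 > len(self.slots) // 4:  # keep the load factor <= 1/2
            old, self.slots, self.count = self.slots, [EMPTY] * (2 * len(self.slots)), 0
            for j in range(0, len(old), 2):
                if old[j] != EMPTY:
                    self.put(old[j], old[j + 1])
        i = self._slot(key)
        if self.slots[2 * i] == EMPTY:
            self.count += 1
        self.slots[2 * i], self.slots[2 * i + 1] = key, value

    def get(self, key):
        i = self._slot(key)
        return self.slots[2 * i + 1] if self.slots[2 * i] == key else None

    def items(self):
        return [(self.slots[j], self.slots[j + 1])
                for j in range(0, len(self.slots), 2) if self.slots[j] != EMPTY]

class IpLookup:
    """IP address -> identifier. Table-based (hash map) when addresses are
    scattered, array-based (direct access, index = address - base) when they
    are dense; the representation switches automatically (claims 8 to 11)."""
    DENSE = 0.25                                 # populated fraction of the span

    def __init__(self):
        self.table, self.array, self.base = OpenAddressingIntMap(), None, 0

    def pairs(self):
        if self.array is None:
            return self.table.items()
        return [(self.base + i, v) for i, v in enumerate(self.array) if v != EMPTY]

    def put(self, ip, ident):
        entries = dict(self.pairs())
        entries[ip_to_int(ip)] = ident
        lo, hi = min(entries), max(entries)
        if len(entries) / (hi - lo + 1) >= self.DENSE:   # rebuild as an array
            self.base, self.array, self.table = lo, [EMPTY] * (hi - lo + 1), None
            for k, v in entries.items():
                self.array[k - lo] = v
        else:                                             # rebuild as a table
            self.table, self.array = OpenAddressingIntMap(), None
            for k, v in entries.items():
                self.table.put(k, v)

    def get(self, ip):
        key = ip_to_int(ip)
        if self.array is None:
            return self.table.get(key)
        off = key - self.base
        if 0 <= off < len(self.array) and self.array[off] != EMPTY:
            return self.array[off]
        return None

    def mode(self):
        return 'table' if self.array is None else 'array'

class HostLookup:
    """First table: domain -> second table; second table: host -> identifier (claim 16)."""
    def __init__(self):
        self.domains = {}

    def put(self, fqdn, ident):
        host, _, domain = fqdn.partition('.')
        self.domains.setdefault(domain, {})[host] = ident

    def get(self, fqdn):
        host, _, domain = fqdn.partition('.')
        return self.domains.get(domain, {}).get(host)
```

`IpLookup.put` rebuilds the whole structure on every insert so that the switching rule stays visible; a production version would insert in place and rebuild only when the density crosses the threshold. A handful of consecutive addresses in one subnet lands in the array form, and a single address from a distant range drives the density below the threshold and moves everything back into the hash map.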
TW96140086A 2006-10-25 2007-10-25 Real-time identification of an asset model and categorization of an asset to assist in computer network security TWI417737B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US86293006P 2006-10-25 2006-10-25

Publications (2)

Publication Number Publication Date
TW200837571A true TW200837571A (en) 2008-09-16
TWI417737B TWI417737B (en) 2013-12-01

Family

ID=44820251

Family Applications (1)

Application Number Title Priority Date Filing Date
TW96140086A TWI417737B (en) 2006-10-25 2007-10-25 Real-time identification of an asset model and categorization of an asset to assist in computer network security

Country Status (1)

Country Link
TW (1) TWI417737B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9569471B2 (en) 2011-08-01 2017-02-14 Hewlett Packard Enterprise Development Lp Asset model import connector

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6108699A (en) * 1997-06-27 2000-08-22 Sun Microsystems, Inc. System and method for modifying membership in a clustered distributed computer system and updating system configuration
US6363083B1 (en) * 1999-03-12 2002-03-26 Otis Elevator Company Bilevel node identifiers in control area network (CAN) protocol
US20040044791A1 (en) * 2001-05-22 2004-03-04 Pouzzner Daniel G. Internationalized domain name system with iterative conversion
JP3808793B2 (en) * 2002-03-28 2006-08-16 東芝キヤリア株式会社 Address determination method and node in network
TWI220822B (en) * 2002-06-12 2004-09-01 Inventec Corp Network system with geographical positioning capability and enhanced node-linking capability
US7325059B2 (en) * 2003-05-15 2008-01-29 Cisco Technology, Inc. Bounded index extensible hash-based IPv6 address lookup method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9569471B2 (en) 2011-08-01 2017-02-14 Hewlett Packard Enterprise Development Lp Asset model import connector
CN103827810B (en) * 2011-08-01 2017-12-12 慧与发展有限责任合伙企业 Asset model imports connector

Also Published As

Publication number Publication date
TWI417737B (en) 2013-12-01


Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees