Title of Invention | SYSTEM FOR AGGREGATING LOGS IN A COMPUTER NETWORK |
---|---|
Abstract | A system for aggregating logs in a computer network is disclosed. The aggregating system comprises: parsing means, tagging means, converter means, queuing means, device identifying means and aggregation means by which desired logs are aggregated after filtration and tagging. The aggregated logs are stored in a storage means. Means for carrying out aggregation in the system are also provided. |
Full Text:

FORM 2
THE PATENTS ACT, 1970 (39 of 1970) & THE PATENTS RULES, 2003
COMPLETE SPECIFICATION (See section 10 and rule 13)
COMPUTER NETWORKS
UNIVERSITY OF PUNE, an organisation constituted under the Maharashtra State Universities Act, of Ganeshkhind, Ganeshkhind Road, Pune 411 007, Maharashtra, India
THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.

Field of invention:
This invention relates to computer networks. Particularly, this invention relates to computer network security systems.

Background of the invention:

Introduction:
Computers today are used to perform a variety of tasks and play a vital role in business related functions. As a result there has been a significant growth in the number of computers being used worldwide. In the past few years there has been a need for sharing the data available at various locations on different computers. Such computers may be located at separate locations or may be in-house, as within an office. For sharing of the data, computer networks came into being.

A computer network consists of a group of computers that are linked together, which enables the computers to communicate with each other. By linking computers together it is possible to share files, printers, and even Internet resources. Thus, using such a computer network it is possible to reduce the number of modems, printers and the like devices used in a set-up where more than one computer is used. A person using one such computer can access the data on any computer linked to that network. Hardware resources such as printers, scanners and the like devices that are linked to the network can also be accessed.

The sharing of data may be inter-nodal sharing or intersystem sharing. In inter-nodal sharing the files, hardware resources and Internet resources within an office are shared, wherein every computer may be accessed individually and selectively.
In intersystem sharing, the data available on the entire network can be accessed, the network being defined by a set of computers.

Such computer networks consist of hardware and software components. The hardware component may consist of elements such as:
(i) desktop computers, server computers, laptops and the like devices;
(ii) cables, connectors and the like components;
(iii) routers, switches, hubs;
(iv) network interface cards.

The software component may consist of elements such as:
(i) operating systems;
(ii) installation software, which is used for the installation of the hardware components;
(iii) drivers;
(iv) protocols, which help the various computers in the network communicate;
(v) application software, provided at the user end to access the network, typically the Internet;
(vi) anti-virus software.

When such networks are used to link computers, typically in an office building, a school, or across two or more buildings, the network is called a Local Area Network (LAN). A Metropolitan Area Network (MAN) connects an area larger than a LAN but smaller than a WAN, typically a city block. A Wide Area Network (WAN) spans a larger physical distance and is a geographically dispersed collection of LANs and MANs. These networks are wired networks; hence, to address the limit on the distance to which they can be extended, Wireless LANs (WLANs) are used. A WLAN is a wireless local area network that uses radio waves as its carrier. The link with the users is wireless, to give a network connection to all users in the surrounding area. Areas may range from a single room to an entire campus. The backbone network usually uses cables, with one or more wireless access points connecting the wireless users to the wired network.

The Internet has made it possible to access information located on any network across the world. By using public and private networks any individual can access such information.
However, the availability of confidential information over such networks poses a threat to its security, as the information may be used in an unlawful manner. Confidential information available on the network may be stolen for the purpose of duplicating and using technology for industrial and commercial benefit. If the information available on the networks of various defense organizations leaks, it may pose a severe threat to the security of a country. Such and many other problems may arise due to a breach in security.

Wired networks make use of a centralized server through which every computer in that network can be accessed. The breach in security may be at a nodal level, wherein only one particular node (computer) is hacked, or at a system level, wherein the entire network can be hacked at once. In wireless networks there may not be a centralized server for the purpose of authentication and verification; hence wireless networks are more susceptible to attacks than wired networks.

When businesses send confidential information using the Internet as a medium of communication, they place a high value on the information sent to the destination, so that it reaches the destination without being intercepted by anyone other than the intended recipient. Therefore, companies and individuals desire a secured means of communication. Finally, connecting a system to a network can open the system itself to attacks and breaches. In case a system is compromised, the risk of losing data is very high.

Hacking allows an individual to exploit security weaknesses and loopholes to gain unauthorized access to the information available on the network. A hacker attempts to break into systems or networks by attacking the weakest and most vulnerable link. The purpose of hacking may be industrial espionage, fun or ideology. However, hacking or the leak of confidential information may cause severe commercial and technological damage.
Hence, there is a need for stringent security measures to be installed at the points and links where the possibility of a breach in security is high. As a preliminary method of security, mechanical locks were used. Other hardware, software and biometric locking systems are also used for security purposes. However, the aforementioned locking/securing systems can be implemented only for one machine at a time; these are also known as nodal security systems. Nodal security systems involve locking each and every machine, which is not practically possible; there is also the possibility of an attack on a computer if it is unattended for a few minutes. In such a case the locking/security systems mentioned above fail and the security of the system can be easily breached.

The use of security-managing devices/systems such as intrusion detection systems (IDS), firewalls (FW), anti-virus systems (AVS) and the like was therefore envisaged. Such security-managing devices/systems employ stringent verification and authentication procedures and round-the-clock monitoring of all the data being transmitted and received by every computer in the network. Such security devices cover all the security aspects related to the entire network and all the computers of that network.

An important aspect of a security device involves verification, authentication and monitoring, which is done by maintaining and continuously updating logs. These logs are a record of computer activity used for statistical purposes as well as backup and recovery. The log files are written by the operating system or other control program for the purpose of recording incoming dialogs, error and status messages, certain transaction details and the like. At different points in a network, security systems/devices such as intrusion detection systems (IDS), firewalls (FW) and the like are installed.
One such device/system may produce more than several thousand kilobytes of log data in a day. The log data from firewalls, routers, servers and other network equipment are the primary source of data for troubleshooting and are the only unimpeachable source of historical network activity information. The task of managing such a huge amount of log data is therefore undertaken by the security device/system itself. This may reduce the effectiveness and efficiency of the security device/system, as a considerable amount of time is consumed in managing the log data, and thus a threat may be detected only after the security has already been breached. Traditional ways of storing logs were to move the logs into files or a database.

Data aggregation refers to the consolidation of information into a single point of storage. Event aggregation, on the other hand, is often used to describe the act of taking a number of similar alerts or events and representing them as a single message to store in the database. In the intrusion-detection system (IDS) world, this might be implemented by taking a set of intruder activities and consolidating them into a single alert.

Prior Art:
The following patents provide prior art for the present invention:

U.S. Patent Application No. 20060161816 discloses systems and methods to manage logs from log sources distributed across one or more networks using a log event management system, herein called a Thunder console. The Thunder console is a log aggregator that allows networks to deploy servers which collect, normalize, and analyze a large number of log events. These logs can be stored for a specific period of time. Alerts can be generated to communicate information regarding the log events. The disclosed tool does not provide a unified view of a plurality of security logs via a single aggregated log.

U.S. Patent No. 6070244 discloses a computer-network security management tool capable of handling many different kinds of equipment in a standardized format despite differences in the computer security features among the diverse range of computer equipment in the computer network. The disclosed tool does not manage and monitor data logs received by the network security components.

U.S. Patent No. 6,760,768 discloses a multi-level network security system for a computer host device coupled to at least one computer network. The system includes a secure network interface unit (SNIU) contained within a communications stack of the computer device that operates at a user-layer communications protocol. The disclosed system does not aggregate and manage the log data received from firewalls, VPNs and the like devices.

This invention seeks to overcome the limitations of the prior art.

An object of this invention is to manage log data produced by security devices/systems.
Another object of this invention is to assist in the detection and identification of a security threat before the security can be breached.
Another object of this invention is to provide easy and reliable access to advanced security technologies and expertise, and to offload management functions so that they may focus on their core competencies.
Another object of this invention is to monitor and maintain the required level of security in a given enterprise and to offer integrated 24x7x365 security management.
Another object of this invention is to provide a unified view of a plurality of security logs via a single aggregated log.

Summary of the invention:
In accordance with one practical embodiment of such a device/system, this invention envisages the effective use of aggregation means for Managed Security Services to save storage space and network communications for many network devices.

Brief description of the accompanying drawings:
The invention will be described in detail with reference to a preferred embodiment.
Reference to this embodiment does not limit the scope of the invention. In the accompanying drawings:
Figure 1 illustrates an overview of the devices of the aggregation system in accordance with this invention;
Figure 2a illustrates a detailed block diagram of the devices of the aggregation system and the workflow of the aggregation process;
Figure 2b illustrates a detailed block diagram of the devices of the aggregation system and the workflow of the aggregation process; and
Figure 3 illustrates a block diagram of the further aggregation process.

Detailed description of the accompanying drawings:
This invention will be described in detail with reference to drawings 1 to 3.

Figure 1 illustrates a block diagram of the devices of the aggregation system in accordance with this invention. The aggregation system (10) works in cooperation with all workstations and devices (12) of a computer network. The aggregation system comprises a collecting means (14) which collects the logs generated by each device (12) of the computer network. The aggregation means (16) aggregates the logs received and collected by the collecting means (14). A further aggregator means (18) helps further aggregate the logs aggregated in the aggregation means (16), and a storage means (20) is provided.

Figures 2a and 2b illustrate a detailed block diagram of the devices of the aggregation system and the workflow of the aggregation process in accordance with this invention. The collecting means (12) receives the logs generated by each of the devices associated with at least some of the workstations in the computer network. The received logs are then filtered using the parsing means (22). The parsing means (22) filters out unimportant and redundant logs. The first block of the aggregation system is the parser system. The parsing means has pre-stored "drivers" which identify the data sent on the network and filter out known logs from the same.
One needs to inform the parser if a new device is added to the system: a new "driver" needs to be introduced every time a new device is added. The parser then puts the logs into an untagged memory location.

The aggregation scheme is a multi-stage process. After the parser has parsed the logs, the packet classifier module takes each log and classifies it with regard to the source of the log; this module has a set of predefined tags for each log source. The parsed logs are thus tagged using the tagging means (24). Each log is processed by a tagging operation in a sequential manner. Once the tagging operation is performed the tagged logs are moved to a new memory location. Tagging of parsed logs is done in a manner such that each log can be identified on the basis of the device from which it was generated.

The tagged logs are then converted to a standard format by the converting means (26). Thus the tagged logs are further processed by the common log format generator. In this block there are pre-stored formats and pre-stored operators which convert the tagged logs into the common log format. These common logs are stored in a different memory location.

The converted logs are then passed on to the queuing means (28). The queuing means takes the common-format logs in first-in, first-queued fashion and queues the logs in the system memory acting as a queue; that is, the logs queue in a first come, first served manner, and the queuing means (28) typically works in FIFO mode. The queuing means (28) then passes the tagged logs to a device identifier means (30). The device identifier, which has a pre-stored tag format, dequeues the logs from the aggregator queuer and compares them with the tags in the common logs. The device identifier then places the logs into the memory area predetermined for each device type.
The device identifier means (30) identifies the log generated by a particular device using the tag attached to that log. All logs generated by one particular device of each of the workstations on the computer network are identified and assembled in the device identifier means (30). Further, a type identifier means (32) is used to assemble logs which are similar. The type identifier means (32) identifies the different types of logs based on pre-stored log types and puts them into a sub-memory area for each type.

The first pass of the aggregator processes the logs stored in each log-type memory specific to a device within a given time x and puts the logs into different bins based on common parameters, such as a common source IP and destination port. Each type of log has a given set of parameters. For a parameter set of 5, the total number of bins would be equal to C(5,1) + C(5,2) + C(5,3) + C(5,4) + C(5,5), which is 31 (one bin for each non-empty subset of the parameters). Each log is assembled into a stream of logs as particularly seen in figure 2a.

In the process of aggregation, as particularly seen in figure 2b, logs contained in each stream are put together in bins (34) which are generated dynamically, in a manner such that the set of logs contained in a particular bin have common properties and similarities. The number of bins created every x seconds is based on the logs processed during this time window, and thus a different number of bins could be created during a subsequent first pass of the aggregator; hence these bins are called dynamic bins. Thus the bins (34) contain similar logs of one particular device of the plurality of devices and workstations on a computer network. For example, one particular bin would contain logs having similar parameters and properties generated by all security devices associated with each of the workstations on a computer network. Thus similar logs are aggregated and stored in the storing means (18).
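The stages described above, as an added Python illustration that is not the patent's own code: parser drivers filter and tag each log, records are converted to a common flat format, consumed in FIFO order, placed in per-window dynamic bins keyed by every non-empty subset of a log type's parameters, and a second pass turns each bin still holding two or more logs into one aggregated log packet. The device names, field names, 10-second window and sample log lines are constructed assumptions, and the choice to prefer the most specific bin when a log falls into several is this example's, not the specification's.

```python
import re
from collections import defaultdict
from itertools import combinations

# Parser "drivers": one pattern per known device type (constructed formats).
# A line that no driver recognises is treated as unimportant and filtered out.
DRIVERS = {
    "firewall": re.compile(r"^(?P<ts>\d+) FW (?P<type>\w+) src=(?P<src>\S+) "
                           r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
    "webserver": re.compile(r"^(?P<ts>\d+) WEB (?P<type>\w+) src=(?P<src>\S+) "
                            r"url=(?P<url>\S+) status=(?P<status>\d+)$"),
}
# Parameters the first pass bins on, per log type: 3 here (7 subsets); the patent's 5 give 31.
BIN_PARAMS = {"drop": ("src", "dst", "dport"), "access": ("src", "url", "status")}

def parse_tag_convert(lines):
    """Parsing, tagging and converting means: keep only lines a driver matches,
    tag each with its device and emit it in a common log format (a flat dict)."""
    records = []
    for line in lines:
        for device, pattern in DRIVERS.items():
            match = pattern.match(line)
            if match:
                rec = match.groupdict()
                rec.update(ts=int(rec["ts"]), device=device, seq=len(records))
                records.append(rec)
                break
    return records

def first_pass(records, window):
    """First pass: per time window, device and log type, create a dynamic bin
    for every non-empty parameter subset and the values a log has on it."""
    bins = defaultdict(list)
    for rec in records:  # records are consumed in FIFO (arrival) order
        params = BIN_PARAMS.get(rec["type"], ())
        slot = rec["ts"] // window
        for size in range(1, len(params) + 1):
            for subset in combinations(params, size):
                values = tuple(rec[p] for p in subset)
                bins[(slot, rec["device"], rec["type"], subset, values)].append(rec)
    return bins

def second_pass(records, bins):
    """Second pass: visit bins from most to least specific; the first bin still holding
    two or more unassigned logs becomes one packet; a log with no partner is kept as is."""
    packets, assigned = [], set()
    for key in sorted(bins, key=lambda k: (-len(k[3]), k)):
        members = [r for r in bins[key] if r["seq"] not in assigned]
        if len(members) < 2:
            continue
        slot, device, log_type, subset, values = key
        packets.append({"device": device, "type": log_type, "window": slot,
                        "common": dict(zip(subset, values)), "count": len(members),
                        "first_ts": min(r["ts"] for r in members), "last_ts": max(r["ts"] for r in members)})
        assigned.update(r["seq"] for r in members)
    singles = [r for r in records if r["seq"] not in assigned]
    return packets, singles

def aggregate(lines, window=10):
    records = parse_tag_convert(lines)
    packets, singles = second_pass(records, first_pass(records, window))
    return records, packets, singles

# Constructed sample input (not from the patent): nine parseable logs, one
# line no driver knows, all in one 10-second window except the last log.
SAMPLE = """\
100 FW drop src=10.0.0.5 dst=192.0.2.10 dport=22
101 FW drop src=10.0.0.5 dst=192.0.2.10 dport=22
103 FW drop src=10.0.0.5 dst=192.0.2.10 dport=22
104 FW drop src=10.0.0.7 dst=192.0.2.10 dport=22
107 FW drop src=10.0.0.9 dst=192.0.2.10 dport=443
102 WEB access src=10.0.0.5 url=/login status=401
105 WEB access src=10.0.0.5 url=/login status=401
108 WEB access src=10.0.0.6 url=/index status=200
111 FW drop src=10.0.0.5 dst=192.0.2.10 dport=22
some unparsed debug chatter""".splitlines()
```

Calling aggregate(SAMPLE) turns the nine parsed logs into three packets (three identical firewall drops; two identical web accesses; two other drops sharing only the destination address) plus two logs stored individually.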
The aggregated logs may be further given to a further aggregation means (16) for aggregating the aggregated logs, as seen in figure 3 of the accompanying drawings. Once the first pass of the aggregator has finished processing and putting logs into bins, the second pass goes through the bins and creates an aggregated log packet, which is finally stored as an aggregated log. This entire process is online and done as the logs are being generated.

Further, the aggregating system (10) has a plurality of drivers which are used when additional devices are associated with the workstations of the computer network. A driver helps each component of the aggregation system (10) to identify and aggregate logs generated by the additional device. In case of the introduction of a new device in the network environment, one needs to update the parser driver, the pre-stored tags used by the packet classifier and the common log format driver, and create new areas in the device identifier and type identifier for the said device.

The process of further aggregation is the act of using the aggregator to further aggregate the stored aggregated logs. This process can be invoked daily, weekly, monthly or yearly, or as per need. This process can be either online or offline.

An example of the different types of logs generated by a subset of the different devices associated with a workstation in a computer network is as follows:

Firewall: connection logs, connection drop, connection close, connection reject, VPN connect.
IDS/IPS: signature match found, complete packet data, protocol anomaly, URL match, content detection.
Router: routing update, SNMP info, connection logs, connection drop, system log.
Web server: access log, error log, update log, secure connection log, reject log.
Operating system: user access log, failure log, hardware logs, crash log, service log.

Example 1:
In the experiments conducted the central logging server received on average 1000 logs per second with an average size of 100 bytes per log. The test was run for 1 hr.
The average amount of data stored per second is about 100 KB. Thus the amount of data stored within one hr is 350 MB without using the aggregator scheme. With the same test setup, the aggregator system produced about an 80% saving of data, hence storing only 70 MB of data.

Example 2:
In this experiment the focus was to find out the advantage of the aggregation technique in the case of a system consisting of a firewall and a heavily loaded web server. The central logging server received on average 5000 logs per second with an average size of 100 bytes per log. The test was run for 1 hr. The average amount of data stored per second is about 500 KB. Thus the amount of data stored within one hr is 1.7 GB without using the aggregator scheme. With the same test setup, the aggregator system in accordance with this invention produced about a 60% saving of data, hence storing only 600 MB of data. With the use of further aggregation, on average a further 5-10% reduction of data was seen.

While considerable emphasis has been placed herein on the various components of the preferred embodiment, it will be appreciated that many alterations and modifications can be made in the preferred embodiment without departing from the principles of the invention. These and other changes in the preferred embodiment as well as other embodiments of the invention will be apparent to those skilled in the art from the disclosure herein, whereby it is to be distinctly understood that the foregoing descriptive matter is to be interpreted merely as illustrative of the invention and not as a limitation.

We Claim:

1. A system for aggregating logs in a computer network, said computer network comprising a plurality of workstations, at least some of said workstations typically having devices such as operating systems, applications, security systems and devices operating therewith, each of said devices generating logs, said aggregating system comprising:
(i) parsing means adapted to filter out unimportant and redundant logs;
(ii) tagging means adapted to tag said parsed logs;
(iii) converter means adapted to convert said tagged logs to a common log format;
(iv) queuing means adapted to queue said converted logs;
(v) device identifying means adapted to identify the logs belonging to a particular device in said computer network;
(vi) aggregation means adapted to aggregate logs belonging to a particular device in said computer network; and
(vii) storage means adapted to store said aggregated logs.

2. A system for aggregating logs in a computer network, as claimed in claim 1, in which the aggregation means is adapted to process the logs and put the logs into different bins.

3. A system for aggregating logs in a computer network, as claimed in claim 1, in which the aggregation means is adapted to create a different number of bins in different time intervals, each of the bins containing similar logs of one particular device of the plurality of workstations on the computer network.

4. A method of aggregating logs generated by each of said devices of said computer network, said method comprising the following steps:
(i) collecting logs received from each of said devices of said computer network;
(ii) filtering out unimportant and redundant logs;
(iii) tagging said filtered logs;
(iv) converting said tagged logs into a standard format;
(v) queuing said converted logs;
(vi) identifying the device from which logs are received;
(vii) aggregating similar logs of said similar devices;
(viii) storing aggregated logs.

5. A method of aggregation as claimed in claim 5, wherein said stored logs are further aggregated.
1460-mum-2005-abstract(21-5-2008).doc
1460-mum-2005-abstract(21-5-2008).pdf
1460-mum-2005-abstract(granted)-(23-10-2008).pdf
1460-mum-2005-cancelled pages(21-5-2008).pdf
1460-mum-2005-claims(granted)-(21-5-2008).doc
1460-mum-2005-claims(granted)-(21-5-2008).pdf
1460-mum-2005-claims(granted)-(23-10-2008).pdf
1460-mum-2005-correspondence(21-5-2008).pdf
1460-mum-2005-correspondence(ipo)-(23-10-2008).pdf
1460-mum-2005-correspondence(ipo)-(3-11-2008).pdf
1460-mum-2005-correspondence-received-ver-02122005.pdf
1460-mum-2005-correspondence-received-ver-24112006.pdf
1460-mum-2005-description (complete).pdf
1460-mum-2005-description(granted)-(23-10-2008).pdf
1460-mum-2005-description(provisional)-(24-11-2005).pdf
1460-mum-2005-drawing(21-5-2008).pdf
1460-mum-2005-drawing(granted)-(23-10-2008).pdf
1460-mum-2005-drawing(provisional)-(24-11-2005).pdf
1460-MUM-2005-DRWING(GRANTED)-(23-10-2008).pdf
1460-mum-2005-form 1(2-12-2005).pdf
1460-mum-2005-form 1(24-11-2005).pdf
1460-mum-2005-form 18(11-12-2006).pdf
1460-mum-2005-form 2(granted)-(21-5-2008).doc
1460-mum-2005-form 2(granted)-(21-5-2008).pdf
1460-mum-2005-form 2(granted)-(23-10-2008).pdf
1460-mum-2005-form 2(provisional)-(24-11-2005).pdf
1460-mum-2005-form 2(title page)-(complete)-(24-11-2006).pdf
1460-mum-2005-form 2(title page)-(granted)-(23-10-2008).pdf
1460-mum-2005-form 2(title page)-(provisional)-(24-11-2005).pdf
1460-mum-2005-form 3(24-11-2005).pdf
1460-mum-2005-form 5(24-11-2006).pdf
1460-mum-2005-power of attorney(30-9-1999).pdf
1460-mum-2005-specification(amended)-(21-5-2008).pdf
Patent Number | 224824
---|---
Indian Patent Application Number | 1460/MUM/2005
PG Journal Number | 02/2009
Publication Date | 09-Jan-2009
Grant Date | 23-Oct-2008
Date of Filing | 24-Nov-2005
Name of Patentee | UNIVERSITY OF PUNE
Applicant Address | GANESHKHIND, GANESHKHIND ROAD, PUNE 411 007, MAHARASHTRA, INDIA.
Inventors |
PCT International Classification Number | G06F1/00 G06F21/00 H04L29/06
PCT International Application Number | N/A
PCT International Filing date |
PCT Conventions |