| 摘要 |
In one embodiment, a system includes a processor to receive network flows, for each of one of a plurality of event-types, compare each one of the network flows to a flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria, for each one of the event-types, for each one of the network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow to a proto-event of the one-event type, test different combinations of the network flows assigned to the proto-event of the one event-type against aggregation criteria of the one event-type to determine if one combination of the network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the network flows of the proto-event. Related apparatus and methods are also described. |
| 主权项 |
1. A system comprising a hardware processor; and a memory to store data used by the hardware processor, wherein the hardware processor is operative to:
receive a plurality of network flows from a network; read, from the memory, a flow-specific criteria for each one event-type of a plurality of event-types, wherein for each one event-type of the plurality of event-types, the flow-specific criteria of the one event-type is defined to identify if each one network flow of the plurality of network flows potentially forms part of one or more events of the one event-type when each one network flow of the plurality of network flows is examined independently of all other ones of the plurality of network flows with respect to the flow-specific criteria of the one event-type; for each one event-type of the plurality of event-types, compare each one network flow of the plurality of network flows to the flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria of the one event-type; for each one event-type of the plurality of event-types, for each one network flow of the plurality of network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow satisfying the flow-specific criteria of the one event-type to a proto-event of the one-event type, the proto-event being assigned at least two network flows of the plurality of network flows, wherein the plurality of event-types includes a plurality of proto-events, each one event-type of the plurality of event-types including at least one proto-event; read, from the memory, an aggregation criteria for one of the event-types, wherein the aggregation criteria is defined to identify an event in the proto-event of the one event-type from the at least two networks flows in the proto-event of the one event-type when the at least two network flows that form part of the proto-event of the one event-type are examined together as a group; and test different combinations of the at least two network flows assigned to the proto-event of the one event-type against the aggregation criteria of the one event-type to determine if one combination of the different combinations of the at least two network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the at least two network flows of the proto-event. |
