Some embodiments described herein relate to observing operating characteristics of a computer network, for example, by monitoring the automated suspicious-activity reports generated by a network filter device. When suspicious activity is detected, data from a firewall can be gathered and additional suspicious events, including events the filter device did not itself report, can be identified. Suspicious events can be grouped or characterized, and a report can be generated and sent, for example, to an analyst.
Many computer networks contain confidential or sensitive data that provides a ripe target for criminals and spies. Network administrators should therefore be aware of activities on their networks that can lead to a breach or that indicate one has occurred. In large organizations and/or on high-traffic networks, however, suspicious behavior may be very difficult for network administrators to identify.
A number of tools have been developed to assist network administrators in observing operating characteristics of a computer network. Some tools developed for private and/or relatively small networks require deep access to network traffic, for example, to monitor real-time traffic patterns or threat behaviors. Such tools are inappropriate for some networks, however, such as particularly large networks, or networks where the operation of such intrusive monitoring presents its own unacceptable security risks. Networks operated by governmental agencies, for example, are generally unsuitable for such tools.
The United States Computer Emergency Readiness Team (US-CERT) has developed an intrusion detection system known as Einstein (Einstein 3 Accelerated, or E3A) to assist governmental agencies in monitoring their networks. E3A is operable to detect suspicious behavior on a network, such as an attempt by a networked computer to access a suspicious internet location. Each time E3A detects suspicious activity, it generates an automatic email message intended to alert network administrators. The automatic email messages, however, are often voluminous, and because each message describes a single event in isolation, they are unsuitable for identifying patterns of suspicious behavior. A need therefore exists for systems, methods, apparatus, and media for detecting and observing operating characteristics of a computer network using alert messages from a network filter device, such as E3A, together with additional data, such as firewall data, which can be used to detect patterns of suspicious behavior, identify previously undetected suspicious behavior, provide summary reports of suspicious behavior, etc.
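The following example illustrates the approach outlined in the first paragraph and in the need statement above: parse the alert messages from a network filter device, gather firewall records for the destinations those alerts flagged, identify additional suspicious events (hosts or connections the filter device never alerted on), group the results by destination, and render a summary for an analyst. It is added here as illustration and is not code from the application or from E3A; the alert body layout, the firewall log format, the sample addresses and the 5-second clock-skew tolerance are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert e-mails. The body layout is an assumption made for
# this example; it is not the real format of E3A or any other product's alerts.
ALERT_EMAILS = [
    "Subject: Suspicious activity\n2024-03-01T10:02:11Z src=10.1.4.20 dst=203.0.113.7 dport=443 indicator=malicious-domain",
    "Subject: Suspicious activity\n2024-03-01T10:05:40Z src=10.1.4.20 dst=203.0.113.7 dport=443 indicator=malicious-domain",
    "Subject: Suspicious activity\n2024-03-01T11:30:02Z src=10.1.7.9 dst=198.51.100.23 dport=80 indicator=c2-beacon",
]

# Constructed firewall log excerpt in a hypothetical syslog-like layout.
FIREWALL_LOG = """\
2024-03-01T10:02:10Z ALLOW 10.1.4.20:51234 -> 203.0.113.7:443
2024-03-01T10:03:55Z ALLOW 10.1.4.31:50012 -> 203.0.113.7:443
2024-03-01T10:05:39Z ALLOW 10.1.4.20:51290 -> 203.0.113.7:443
2024-03-01T10:09:01Z DENY  10.1.4.20:51301 -> 203.0.113.7:8443
2024-03-01T11:29:58Z ALLOW 10.1.7.9:44100 -> 198.51.100.23:80
2024-03-01T12:00:00Z ALLOW 10.1.9.2:40000 -> 192.0.2.55:443
"""

ALERT_RE = re.compile(r"(\S+Z) src=(\S+) dst=(\S+) dport=(\d+) indicator=(\S+)")
FW_RE = re.compile(r"(\S+Z)\s+(ALLOW|DENY)\s+(\S+):(\d+) -> (\S+):(\d+)")
MATCH_WINDOW = timedelta(seconds=5)  # assumed clock skew between filter device and firewall


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_alerts(emails):
    """Extract time, src, dst, dport and indicator from each alert e-mail body."""
    alerts = []
    for body in emails:
        m = ALERT_RE.search(body)
        if not m:
            continue  # malformed alert: skip it rather than abort the whole run
        ts, src, dst, dport, ind = m.groups()
        alerts.append({"ts": _ts(ts), "src": src, "dst": dst,
                       "dport": int(dport), "indicator": ind})
    return alerts


def parse_firewall(text):
    """Parse firewall log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, action, src, _sport, dst, dport = m.groups()
        events.append({"ts": _ts(ts), "action": action, "src": src,
                       "dst": dst, "dport": int(dport)})
    return events


def find_additional_events(alerts, events, window=MATCH_WINDOW):
    """Firewall events to a flagged destination that no alert accounts for.

    An alert covers a firewall event when src and dst match and the timestamps
    differ by at most `window`; any other firewall event touching a flagged
    destination is a previously undetected suspicious event.
    """
    flagged = {a["dst"] for a in alerts}
    additional = []
    for ev in events:
        if ev["dst"] not in flagged:
            continue
        covered = any(a["src"] == ev["src"] and a["dst"] == ev["dst"]
                      and abs(a["ts"] - ev["ts"]) <= window for a in alerts)
        if not covered:
            additional.append(ev)
    return additional


def group_by_destination(alerts, additional):
    """Characterize activity per suspicious destination."""
    groups = defaultdict(lambda: {"indicators": set(), "alert_count": 0,
                                  "alerted_hosts": set(), "unalerted_hosts": set(),
                                  "extra_events": 0})
    for a in alerts:
        g = groups[a["dst"]]
        g["indicators"].add(a["indicator"])
        g["alert_count"] += 1
        g["alerted_hosts"].add(a["src"])
    for ev in additional:
        g = groups[ev["dst"]]
        g["extra_events"] += 1
        if ev["src"] not in g["alerted_hosts"]:
            g["unalerted_hosts"].add(ev["src"])
    return dict(groups)


def render_report(groups):
    """Plain-text summary of each destination, suitable for sending to an analyst."""
    lines = []
    for dst in sorted(groups):
        g = groups[dst]
        lines.append(f"{dst} [{','.join(sorted(g['indicators']))}]: "
                     f"{g['alert_count']} alert(s) from {sorted(g['alerted_hosts'])}, "
                     f"{g['extra_events']} additional firewall event(s); "
                     f"hosts never alerted on: {sorted(g['unalerted_hosts']) or 'none'}")
    return "\n".join(lines)


def run(emails=ALERT_EMAILS, firewall_log=FIREWALL_LOG):
    alerts = parse_alerts(emails)
    additional = find_additional_events(alerts, parse_firewall(firewall_log))
    groups = group_by_destination(alerts, additional)
    return groups, render_report(groups)


if __name__ == "__main__":
    print(run()[1])
```

On the constructed data, the firewall shows a second host (10.1.4.31) reaching the destination flagged for 10.1.4.20, and a later denied connection to a different port on that destination; neither produced an alert, and both surface only once firewall records are joined to the alerts and grouped by destination. The match window is the key tuning knob: too narrow and genuine alert/firewall pairs are double-counted as "additional", too wide and distinct connections collapse into one.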