Network security management is generally concerned with collecting data from network devices that reflects network activity and the operation of the devices, and analyzing the data to enhance security. For example, the data can be analyzed to identify an attack on the network or a network device, and to determine which user or machine is responsible. If the attack is ongoing, a countermeasure can be performed to thwart the attack or mitigate the damage it causes. The data that is collected usually originates in a message (such as an event, alert, or alarm) or an entry in a log file, which is generated by a network device. Examples of network devices include firewalls, intrusion detection systems, servers, switches, and routers.
Each message or log file entry is stored for future use. The stored messages or log file entries may be queried to identify information relevant to the attack or analysis. To facilitate the searching of the messages or log file entries, the data may be stored in a relational database. Upon receiving the queries, the relational database may identify and return relevant messages or log files. The returned messages or log files may be processed (e.g., filtered or sorted) and then presented to a user.
The relational database is capable of handling a large amount of data. However, the relational database can perform certain types of queries but not others. Hence, a user must carefully craft query operators and conditions to be compatible with the relational database. On some occasions, the user may have to perform subsequent processing on a query result obtained from the relational database to obtain the desired result. Moreover, the relational database often requires access to a slower secondary storage device (e.g., a hard disk) in order to perform a query.
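The workflow described in the two preceding paragraphs, as an added example that is not part of the original text: log entries from network devices are loaded into a relational database, the database is queried to identify which source machine is responsible for a burst of failed logins, and the returned rows are then post-processed outside the database for a condition SQL cannot express directly (membership in a CIDR range). The log entries, device names, and addresses are constructed for illustration; the store is an in-memory SQLite database.

```python
"""Added example (not from the original text): relational storage and querying of
network-device log entries, followed by post-processing of the query result.
All log entries below are constructed sample data."""
import ipaddress
import sqlite3

# Constructed sample log entries: (timestamp, device, event type, source IP, user).
SAMPLE_EVENTS = [
    ("2024-01-10T10:00:01", "fw-edge-1", "auth_fail", "203.0.113.7", "admin"),
    ("2024-01-10T10:00:03", "fw-edge-1", "auth_fail", "203.0.113.7", "root"),
    ("2024-01-10T10:00:05", "ids-core", "auth_fail", "203.0.113.7", "admin"),
    ("2024-01-10T10:00:09", "srv-web-2", "auth_fail", "203.0.113.7", "guest"),
    ("2024-01-10T10:00:12", "srv-web-2", "auth_ok", "198.51.100.20", "alice"),
    ("2024-01-10T10:01:30", "fw-edge-1", "auth_fail", "198.51.100.20", "alice"),
    ("2024-01-10T10:02:00", "fw-edge-1", "auth_fail", "192.0.2.44", "bob"),
    ("2024-01-10T10:02:02", "fw-edge-1", "auth_fail", "192.0.2.44", "bob"),
    ("2024-01-10T10:02:04", "fw-edge-1", "auth_fail", "192.0.2.44", "bob"),
]


def build_event_store(events=SAMPLE_EVENTS):
    """Create an in-memory relational store and load the log entries into it.
    An index on the timestamp column keeps time-window queries from scanning
    every stored message."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (ts TEXT, device TEXT, event TEXT, src_ip TEXT, user TEXT)"
    )
    conn.execute("CREATE INDEX idx_events_ts ON events (ts)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", events)
    conn.commit()
    return conn


def failed_login_sources(conn, start, end, threshold):
    """Query the database: which source IPs produced at least `threshold`
    failed logins in the window [start, end)? Grouping, counting, and
    thresholding are all expressible in SQL, so the database does this work.
    ISO-8601 timestamps compare correctly as strings."""
    rows = conn.execute(
        """
        SELECT src_ip, COUNT(*) AS failures, COUNT(DISTINCT user) AS users
        FROM events
        WHERE event = 'auth_fail' AND ts >= ? AND ts < ?
        GROUP BY src_ip
        HAVING COUNT(*) >= ?
        ORDER BY COUNT(*) DESC, src_ip
        """,
        (start, end, threshold),
    ).fetchall()
    return [{"src_ip": ip, "failures": n, "users": u} for ip, n, u in rows]


def exclude_internal(results, internal_cidrs):
    """Subsequent processing outside the database: SQL has no CIDR-membership
    operator, so dropping sources inside trusted internal ranges is done in
    Python on the rows the query returned."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    return [
        r for r in results
        if not any(ipaddress.ip_address(r["src_ip"]) in n for n in nets)
    ]


if __name__ == "__main__":
    conn = build_event_store()
    hits = failed_login_sources(conn, "2024-01-10T10:00:00", "2024-01-10T10:05:00", 3)
    for h in exclude_internal(hits, ["192.0.2.0/24"]):
        print(h)
```

The split between `failed_login_sources` and `exclude_internal` is the point of the example: the aggregation is pushed into the database, where it benefits from the index, while the CIDR filter has to be applied to the returned rows because the query language cannot express it.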
The figures depict an embodiment for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein.