Method and system for obtaining and analyzing forensic data in a distributed computer infrastructure
First Claim
1. A system for obtaining and analyzing forensic data in a distributed computer infrastructure, said system comprising:
- multiple computation devices;
- at least one monitoring unit;
- at least one analysis unit; and
- an operating unit;
wherein said computation devices are connected to one another via a communication network, and each computation device is configured to detect security events and to send them to the monitoring unit, and the monitoring unit is configured to rate the received security events and to assign them a danger category,
wherein when there is insufficient information for assigning a danger category, each computation device is configured to receive instructions for collecting additional forensic data for rating the security event and to send the collected, additional data to the monitoring unit, and the monitoring unit is configured to transmit instructions for collecting additional data to the computation device, and, following reception of the collected, additional data, to evaluate said data and to use them for fresh rating and assignment of a danger category,
wherein the analysis unit is configured to transmit a software agent to the computation device for installation and activation on the computation device, and wherein the software agent is configured to ascertain additional data in the computation device and to send them to the analysis unit,
wherein the analysis unit processes the additional data and sends the processed additional data to the monitoring unit,
wherein the monitoring unit again rates the security events by assigning a weighting factor to the security events and the processed additional data and by assigning a danger category if the sum of the weighting factors exceeds a threshold value, and the monitoring unit reports the danger category to the operating unit, and
wherein the operating unit takes an action based on the reported danger category.
Abstract
A system for obtaining and analyzing forensic data in a distributed computer infrastructure. The system includes a plurality of computing devices and at least one monitoring unit, which are connected to each other via a communication network. Every computing device is configured to detect security events and send same to the monitoring unit. The monitoring unit is configured to evaluate the received security events and assign same to a danger category, wherein if there is a lack of information for assigning a danger category, the computing device is configured in such a manner as to receive instructions for gathering additional forensic data and to send the additional data via an analysis unit to the monitoring unit. The monitoring unit is configured in such a manner as to transmit instructions to the computing device for gathering additional data and to use same for re-evaluation and assigning of a danger category.
14 Claims
1. Claim 1 is set out in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for a distributed computer infrastructure having an operating unit, multiple computation devices and at least one monitoring unit, which are connected to one another via a communication network, said communication network having network gateways, the method comprising the steps of:
- detecting, by each computation device, security events in the computation device;
- transmitting the security events to the monitoring unit;
- rating, by the monitoring unit, the individual security events;
- assigning a danger category in the monitoring unit, wherein when there is insufficient information for assigning a danger category, additional data relevant to the security event are requested from at least one computation device;
- transmitting, to the monitoring unit, the additional data to be evaluated on the basis of security-oriented aspects, wherein the security events and the evaluated additional data are again rated by assigning a weighting factor, and a danger category is assigned if the sum of the weighting factors exceeds a threshold value, wherein a software agent that ascertains the additional data in the computation device and sends them to the monitoring unit is transmitted to the computation device and installed and activated on the computation device;
- reporting the danger category to the operating unit; and
- disabling, by the operating unit, particular network gateways based upon the danger category.
Dependent claims: 9, 10, 11, 12, 13.
14. A system in a distributed computer infrastructure, said system comprising:
- multiple computation devices;
- at least one monitoring unit;
- at least one analysis unit; and
- an operating unit for disabling network gateways;
wherein said computation devices are connected to one another via a communication network, and each computation device is configured to detect security events and to send them to the monitoring unit, and the monitoring unit is configured to rate the received security events and to assign them a danger category,
wherein when there is insufficient information for assigning a danger category, each computation device is configured to receive instructions for collecting additional forensic data for rating the security event and to send the collected, additional data to the monitoring unit, and the monitoring unit is configured to transmit instructions for collecting additional data to the computation device, and, following reception of the collected, additional data, to evaluate said data on the basis of security-oriented aspects and to use them for fresh rating and assignment of a danger category,
wherein the analysis unit is configured to transmit a software agent to the computation device for installation and activation on the computation device, and wherein the software agent is configured to ascertain additional data in the computation device and to send them to the analysis unit,
wherein the analysis unit processes the additional data and sends the processed additional data to the monitoring unit,
wherein the monitoring unit again rates the security events by assigning a weighting factor to the security events and the processed additional data and by assigning a danger category if the sum of the weighting factors exceeds a threshold value, and the monitoring unit reports the danger category to the operating unit, and
wherein the operating unit disables particular network gateways of the network gateways based upon the reported danger category.
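The rating loop shared by claims 1, 8 and 14 (detect events, rate them, request additional forensic data through an installed agent when information is insufficient, re-rate by summing weighting factors against a threshold, then have the operating unit disable a gateway) is simulated below. This is an added example written for this page, not code from the patent or its assignee. The weighting table, the thresholds, the finding rules in the analysis unit, the host allow-list, the device and gateway names and the rule that both "high" and "critical" disable the device's gateway are all constructed assumptions; "exceeds" is read as strictly greater than.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed weighting factors per event/finding type (assumption, not taken from the patent).
WEIGHTS: Dict[str, int] = {
    "failed_login_burst": 2,
    "new_admin_account": 3,
    "outbound_to_unknown_host": 3,
    "unsigned_binary_running": 4,
}
# A danger category is assigned only if the weight sum exceeds its threshold (constructed values).
THRESHOLDS = [("critical", 8), ("high", 4)]
KNOWN_HOSTS = {"10.0.0.5", "10.0.0.9"}  # constructed allow-list used by the analysis unit


@dataclass
class ComputationDevice:
    name: str
    gateway: str                  # the network gateway this device reaches the network through
    events: List[str]             # security events the device has detected
    forensic_state: dict          # what an installed agent would observe (constructed)
    agent: Optional[Callable] = None

    def install_and_activate(self, agent: Callable) -> None:
        self.agent = agent

    def collect_additional_data(self) -> dict:
        """Run the installed agent and return the additional data it ascertained."""
        if self.agent is None:
            raise RuntimeError("no agent installed on %s" % self.name)
        return self.agent(self.forensic_state)


def forensic_agent(state: dict) -> dict:
    """Software agent: ascertains additional data (processes, connections) on the device."""
    return {"processes": list(state.get("processes", [])),
            "connections": list(state.get("connections", []))}


class AnalysisUnit:
    def acquire(self, device: ComputationDevice) -> List[str]:
        """Transmit and activate the agent, then process raw data into weighted finding types."""
        device.install_and_activate(forensic_agent)
        return self.process(device.collect_additional_data())

    def process(self, raw: dict) -> List[str]:
        findings = []
        for proc in raw["processes"]:
            if not proc.get("signed", True):
                findings.append("unsigned_binary_running")
        for conn in raw["connections"]:
            if conn.get("dst") not in KNOWN_HOSTS:
                findings.append("outbound_to_unknown_host")
        return findings


def weight_sum(kinds: List[str]) -> int:
    return sum(WEIGHTS.get(k, 0) for k in kinds)


def category_for(total: int) -> Optional[str]:
    """Highest category whose threshold the sum exceeds; None means information is insufficient."""
    for name, threshold in THRESHOLDS:
        if total > threshold:
            return name
    return None


class MonitoringUnit:
    def __init__(self, analysis: AnalysisUnit):
        self.analysis = analysis

    def rate(self, device: ComputationDevice) -> dict:
        initial = weight_sum(device.events)
        record = {"device": device.name, "initial_sum": initial, "final_sum": initial,
                  "additional": [], "category": category_for(initial)}
        if record["category"] is None and device.events:
            # Insufficient information: request additional forensic data and rate afresh.
            additional = self.analysis.acquire(device)
            total = weight_sum(device.events + additional)
            record.update(additional=additional, final_sum=total, category=category_for(total))
        return record


class OperatingUnit:
    def __init__(self):
        self.disabled_gateways = set()

    def act(self, device: ComputationDevice, category: Optional[str]) -> Optional[str]:
        if category in ("high", "critical"):
            self.disabled_gateways.add(device.gateway)
            return "disabled gateway " + device.gateway
        return None


def run_pipeline(devices: List[ComputationDevice]) -> List[dict]:
    monitoring, operating = MonitoringUnit(AnalysisUnit()), OperatingUnit()
    results = []
    for dev in devices:
        record = monitoring.rate(dev)
        record["action"] = operating.act(dev, record["category"])
        results.append(record)
    return results


# Constructed sample infrastructure: an ambiguous device, a clearly critical one, a quiet one.
SAMPLE_DEVICES = [
    ComputationDevice("srv-01", "gw-a", ["failed_login_burst"],
                      {"processes": [{"name": "svchost", "signed": True},
                                     {"name": "updater.tmp", "signed": False}],
                       "connections": [{"dst": "10.0.0.5"}]}),
    ComputationDevice("srv-02", "gw-b", ["new_admin_account", "outbound_to_unknown_host",
                                         "unsigned_binary_running"], {}),
    ComputationDevice("srv-03", "gw-c", [], {}),
]

if __name__ == "__main__":
    for r in run_pipeline(SAMPLE_DEVICES):
        print(r)
```

srv-01 illustrates the claimed loop: a single failed-login burst (weight 2) exceeds no threshold, so the monitoring unit has the analysis unit install the agent, the unsigned process it finds adds 4, and the re-rated sum of 6 yields "high" and a disabled gateway. srv-02 is rated on its events alone, and srv-03 shows that a device with no events triggers no collection and no action.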