Method and system for obtaining and analyzing forensic data in a distributed computer infrastructure

US 10,257,216 B2
Filed: 04/23/2015
Issued: 04/09/2019
Est. Priority Date: 06/16/2014
Status: Active Grant

First Claim

Patent Images

1. A system for obtaining and analyzing forensic data in a distributed computer infrastructure, said system comprising:

multiple computation devices;

at least one monitoring unit;

at least one analysis unit; and

an operating unit;

wherein said computation devices are connected to one another via a communication network, and each computation device is configured to detect security events and to send them to the monitoring unit, and the monitoring unit is configured to rate the received security events and to assign them a danger category,wherein when there is insufficient information for assigning a danger category, each computation device is configured to receive instructions for collecting additional forensic data for rating the security event and to send the collected, additional data to the monitoring unit, and the monitoring unit is configured to transmit instructions for collecting additional data to the computation device, and, following reception of the collected, additional data, to evaluate said data and to use them for fresh rating and assignment of a danger category,wherein the analysis unit is configured to transmit a software agent to the computation device for installation and activation on the computation device, and wherein the software agent is configured to ascertain additional data in the computation device and to send them to the analysis unit,wherein the analysis unit processes the additional data and sends the processed additional data to the monitoring unit,wherein the monitoring unit again rates the security events by assigning a weighting factor to the security events and the processed additional data and by assigning a danger category if the sum of the weighting factors exceeds a threshold value, and the monitoring unit reports the danger category to the operating unit, andwherein the operating unit takes an action based on the reported danger category.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for obtaining and analyzing forensic data in a distributed computer infrastructure. The system includes a plurality of computing devices and at least one monitoring unit, which are connected to each other via a communication network. Every computing device is configured to detect security events and send same to the monitoring unit. The monitoring unit is configured to evaluate the received security events and assign same to a danger category, wherein if there is a lack of information for assigning a danger category, the computing device is configured in such a manner as to receive instructions for gathering additional forensic data and to send the additional data via an analysis unit to the monitoring unit. The monitoring unit is configured in such a manner as to transmit instructions to the computing device for gathering additional data and to use same for re-evaluation and assigning of a danger category.

Citations

14 Claims

1. A system for obtaining and analyzing forensic data in a distributed computer infrastructure, said system comprising:
- multiple computation devices;
  
  at least one monitoring unit;
  
  at least one analysis unit; and
  
  an operating unit;
  
  wherein said computation devices are connected to one another via a communication network, and each computation device is configured to detect security events and to send them to the monitoring unit, and the monitoring unit is configured to rate the received security events and to assign them a danger category,wherein when there is insufficient information for assigning a danger category, each computation device is configured to receive instructions for collecting additional forensic data for rating the security event and to send the collected, additional data to the monitoring unit, and the monitoring unit is configured to transmit instructions for collecting additional data to the computation device, and, following reception of the collected, additional data, to evaluate said data and to use them for fresh rating and assignment of a danger category,wherein the analysis unit is configured to transmit a software agent to the computation device for installation and activation on the computation device, and wherein the software agent is configured to ascertain additional data in the computation device and to send them to the analysis unit,wherein the analysis unit processes the additional data and sends the processed additional data to the monitoring unit,wherein the monitoring unit again rates the security events by assigning a weighting factor to the security events and the processed additional data and by assigning a danger category if the sum of the weighting factors exceeds a threshold value, and the monitoring unit reports the danger category to the operating unit, andwherein the operating unit takes an action based on the reported danger category.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system as claimed in claim 1, wherein the action taken by the operating unit comprises disabling a network gateway.
  - 3. The system as claimed in claim 1, wherein the software agent is configured to take the type of the security events rated in the monitoring unit as a basis for collecting different additional data in the computation device.
  - 4. The system as claimed in claim 3, wherein the software agent is designed to collect metadata from files and/or entries in a register for configuration data and/or protocol entries from an antivirus program in the computation device as additional data.
  - 5. The system as claimed in claim 3, wherein the software agent transmits the additional data to the analysis unit in compressed form.
  - 6. The system as claimed in claim 1, wherein the monitoring unit is designed to perform rating of an individual security event by assigning a weighting factor on the basis of the relevance of the security event.
  - 7. The system as claimed in claim 6, wherein the monitoring unit is designed to assign a particular danger category to one or more security events if the sum of the weighting factors of the individual security events exceeds a prescribed threshold value and predetermined conditions are satisfied.

8. A method for a distributed computer infrastructure having an operating unit, multiple computation devices and at least one monitoring unit, which are connected to one another via a communication network, said communication network have network gateways, the method comprising the steps of:
- detecting, by each computation device, security events in the computation device;
  
  transmitting the security events to the monitoring unit;
  
  rating, by the monitoring unit, the individual security events;
  
  assigning a danger category in the monitoring unit, wherein when there is insufficient information for assigning a danger category, additional data relevant to the security event are requested from at least one computation device;
  
  transmitting, to the monitoring unit, the additional data to be evaluated on the basis of security-oriented aspects, wherein the security events and the evaluated additional data are again rated by assigning a weighting factor, and a danger category is assigned if the sum of the weighting factors exceed a threshold value, wherein a software agent that ascertains the additional data in the computation device and sends them to the monitoring unit is transmitted to the computation device and installed and activated on the computation device;
  
  reporting the danger category to the operating unit; and
  
  disabling, by the operating unit, particular network gateways based upon the danger category.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method as claimed in claim 8, wherein an individual security event is rated by assigning a weighting factor on the basis of the relevance of the security event.
  - 10. The method as claimed in claim 8, wherein one or more security events is/are assigned a particular danger category if additionally prescribed conditions are satisfied.
  - 11. The method as claimed in claim 8, wherein different additional data are collected in the computation device on the basis of the type of the security events rated in the monitoring unit.
  - 12. The method as claimed in claim 8, wherein the additional collected data are transmitted in compressed form.
  - 13. The method of claim 8, wherein the method is implemented by a computer readable program code having program commands, wherein the computer readable program code having program commands is stored on a computer program product comprising a non-transitory computer readable hardware storage device.

14. A system in a distributed computer infrastructure, said system comprising:
- multiple computation devices;
  
  at least one monitoring unit;
  
  at least one analysis unit; and
  
  an operating unit for disabling network gateways;
  
  wherein said computation devices are connected to one another via a communication network, and each computation device is configured to detect security events and to send them to the monitoring unit, and the monitoring unit is configured to rate the received security events and to assign them a danger category,wherein when there is insufficient information for assigning a danger category, each computation device is configured to receive instructions for collecting additional forensic data for rating the security event and to send the collected, additional data to the monitoring unit, and the monitoring unit is configured to transmit instructions for collecting additional data to the computation device, and, following reception of the collected, additional data, to evaluate said data on the basis of security-oriented aspects and to use them for fresh rating and assignment of a danger category,wherein the analysis unit is configured to transmit a software agent to the computation device for installation and activation on the computation device, and wherein the software agent is configured to ascertain additional data in the computation device and to send them to the analysis unit,wherein the analysis unit processes the additional data and sends the processed additional data to the monitoring unit,wherein the monitoring unit again rates the security events by assigning a weighting factor to the security events and the processed additional data and by assigning a danger category if the sum of the weighting factors exceeds a threshold value, and the monitoring unit reports the danger category to the operating unit, andwherein the operating unit disables particular network gateways of the network gateways based upon the reported danger category.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
Busser, Jens-Uwe, Cuellar, Jorge, Munzert, Michael, Patzlaff, Heiko, Stijohann, Jan
Primary Examiner(s)
Bechtel, Kevin

Application Number

US15/306,162
Publication Number

US 20170142148A1
Time in Patent Office

1,447 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 41/046   comprising network manageme...

H04L 41/20   Network management software...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 69/04   Protocols for data compress...

Method and system for obtaining and analyzing forensic data in a distributed computer infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for obtaining and analyzing forensic data in a distributed computer infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links