Rule based alerting in anomaly detection
Abstract
A graphical user interface for constructing rules to run on an intrusion detection system is described. The user interface includes a field that specifies a first set of nodes on a network by host group, a field that specifies a second set of nodes on the network by host group, and a field that determines whether the first and second host-group fields are to be interpreted as client, server, source, destination, or any of these.
15 Claims
1. A method for detecting an intrusion event in a network, the method comprising:
receiving a threshold value for a monitored network parameter, wherein the threshold value is received from a user via a user interface (UI) associated with a computer, and wherein the threshold value corresponds to an alert severity level;
receiving a threshold type for the monitored network parameter, wherein the threshold type is received from the user via the UI, and wherein the threshold type specifies either a lower limit or an upper limit for the threshold value;
receiving a time duration for the monitored network parameter, wherein the time duration is received from the user via the UI;
constructing, by the computer, a rule for detecting a network intrusion event based on the threshold value, the threshold type, and the time duration;
compiling the constructed rule for execution; and
executing the constructed rule, wherein said executing the constructed rule comprises:
generating an alert when the monitored network parameter remains above the threshold value during the entire time duration when the threshold type is an upper limit;
generating the alert when the monitored network parameter remains below the threshold value during the entire time duration when the threshold type is a lower limit; and
wherein a severity level of the alert is set to the alert severity level corresponding to the threshold value.
Dependent claims: 2, 3, 4, 5
6. A non-transitory computer-readable storage medium storing instructions which, when executed by a computer, cause the computer to perform a method for detecting an intrusion event in a network, the method comprising:
receiving a threshold value for a monitored network parameter, wherein the threshold value is received from a user via a user interface (UI) associated with the computer, and wherein the threshold value corresponds to an alert severity level;
receiving a threshold type for the monitored network parameter, wherein the threshold type is received from the user via the UI, and wherein the threshold type specifies either a lower limit or an upper limit for the threshold value;
receiving a time duration for the monitored network parameter, wherein the time duration is received from the user via the UI;
constructing a rule for detecting a network intrusion event based on the threshold value, the threshold type, and the time duration;
compiling the constructed rule for execution; and
subsequently executing the constructed rule, wherein said executing the constructed rule comprises:
generating an alert when the monitored network parameter remains above the threshold value during the entire time duration when the threshold type is an upper limit;
generating the alert when the monitored network parameter remains below the threshold value during the entire time duration when the threshold type is a lower limit; and
wherein a severity level of the alert is set to the alert severity level corresponding to the threshold value.
Dependent claims: 7, 8, 9, 10
11. A system for detecting an intrusion event in a network, comprising:
a processor; and
a non-transitory storage medium storing instructions which, when executed by the processor, cause the system to perform a method comprising:
receiving a threshold value for a monitored network parameter, wherein the threshold value is received from a user via a user interface (UI) associated with the system, and wherein the threshold value corresponds to an alert severity level;
receiving a threshold type for the monitored network parameter, wherein the threshold type is received from the user via the UI, and wherein the threshold type specifies either a lower limit or an upper limit for the threshold value;
receiving a time duration for the monitored network parameter, wherein the time duration is received from the user via the UI;
constructing a rule for detecting a network intrusion event based on the threshold value, the threshold type, and the time duration;
compiling the constructed rule for execution; and
executing the constructed rule, wherein said executing the constructed rule comprises:
generating an alert when the monitored network parameter remains above the threshold value during the entire time duration when the threshold type is an upper limit;
generating the alert when the monitored network parameter remains below the threshold value during the entire time duration when the threshold type is a lower limit; and
wherein a severity level of the alert is set to the alert severity level corresponding to the threshold value.
Dependent claims: 12, 13, 14, 15
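The sustained-threshold rule that claims 1, 6 and 11 describe (threshold value bound to a severity, upper or lower limit, a duration the parameter must stay beyond the limit, a rule constructed and then compiled for execution), written out as an added Python example. This is not code from the patent or its assignee; the names `Rule`, `compile_rule`, `evaluate`, the `cpu_pct` and `req_per_s` sample series, and the severity labels are all assumptions made for illustration. One addition beyond the claim text is an optional maximum sample gap: "remains above the threshold during the entire time duration" cannot honestly be asserted across a gap in monitoring, so a rule may be told to restart its timer when samples stop arriving.

```python
"""Sustained-threshold alert rule: fire once a monitored parameter has stayed
above an upper limit (or below a lower limit) for an entire duration, with the
alert severity taken from the threshold that was crossed.

Added example, not the patent's own code. Samples are (timestamp_seconds,
value) pairs for one monitored parameter, in non-decreasing time order.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, List, Optional, Tuple

Sample = Tuple[float, float]


class ThresholdType(Enum):
    UPPER = "upper"  # alert when value stays ABOVE the threshold
    LOWER = "lower"  # alert when value stays BELOW the threshold


@dataclass(frozen=True)
class Rule:
    """The user-supplied pieces of a rule, as the claim lists them."""
    parameter: str              # monitored network parameter, e.g. "cpu_pct"
    threshold: float            # threshold value
    threshold_type: ThresholdType
    duration: float             # seconds the breach must persist
    severity: str               # severity bound to this threshold
    max_sample_gap: Optional[float] = None  # assumption: restart timer on outages

    def __post_init__(self) -> None:
        # Reject rules that could never fire or would fire on a single sample.
        if self.duration <= 0:
            raise ValueError("duration must be positive")
        if self.max_sample_gap is not None and self.max_sample_gap <= 0:
            raise ValueError("max_sample_gap must be positive")
        if not self.severity:
            raise ValueError("severity must be set")


@dataclass(frozen=True)
class Alert:
    parameter: str
    severity: str
    threshold: float
    threshold_type: ThresholdType
    start: float   # first timestamp of the sustained breach
    end: float     # timestamp at which the duration was satisfied


def compile_rule(rule: Rule) -> Callable[[Iterable[Sample]], List[Alert]]:
    """'Compile' the rule into a closure; the comparison is fixed up front."""
    if rule.threshold_type is ThresholdType.UPPER:
        breached = lambda v: v > rule.threshold
    else:
        breached = lambda v: v < rule.threshold

    def run(samples: Iterable[Sample]) -> List[Alert]:
        alerts: List[Alert] = []
        breach_start: Optional[float] = None  # when the current breach began
        fired = False                          # one alert per breach episode
        prev_ts: Optional[float] = None
        for ts, value in samples:
            if prev_ts is not None and ts < prev_ts:
                raise ValueError("samples must be in time order")
            gap_too_large = (rule.max_sample_gap is not None
                             and prev_ts is not None
                             and ts - prev_ts > rule.max_sample_gap)
            # A non-breaching sample, or a monitoring gap, ends the episode:
            # we can no longer say the parameter stayed beyond the limit.
            if not breached(value) or gap_too_large:
                breach_start, fired = None, False
            if breached(value):
                if breach_start is None:
                    breach_start = ts
                if not fired and ts - breach_start >= rule.duration:
                    alerts.append(Alert(rule.parameter, rule.severity,
                                        rule.threshold, rule.threshold_type,
                                        breach_start, ts))
                    fired = True
            prev_ts = ts
        return alerts

    return run


def evaluate(rules: List[Rule], samples: List[Sample]) -> List[Alert]:
    """Run every compiled rule over the same series; alerts ordered by time."""
    alerts = [a for rule in rules for a in compile_rule(rule)(samples)]
    return sorted(alerts, key=lambda a: (a.end, a.start))


# Constructed sample series: CPU utilisation sampled every 10 s (assumption).
CPU_SAMPLES: List[Sample] = [
    (0, 50), (10, 85), (20, 90), (30, 97), (40, 96), (50, 98), (60, 99),
    (70, 97), (80, 60), (90, 99), (100, 99), (110, 99), (120, 50),
]

# Two thresholds on the same parameter, each bound to its own severity.
CPU_RULES = [
    Rule("cpu_pct", 80, ThresholdType.UPPER, duration=60, severity="medium", max_sample_gap=15),
    Rule("cpu_pct", 95, ThresholdType.UPPER, duration=30, severity="high", max_sample_gap=15),
]

if __name__ == "__main__":
    for alert in evaluate(CPU_RULES, CPU_SAMPLES):
        print(alert)
```

On the constructed series the 95 % rule fires first (the parameter sits above 95 from t=30 to t=60), then the 80 % rule (above 80 from t=10 to t=70); the second excursion at t=90..110 is too short for either rule. Each rule carries exactly one severity, so a higher threshold with a higher severity is simply a second rule over the same parameter, which is how the claim's "threshold value corresponds to an alert severity level" maps onto an engine.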