Method and System for Managing Computer Security Information
First Claim
1. A method for managing security information comprising the steps of:
- receiving raw events from one or more data sources;
- classifying the raw events;
- storing the raw events;
- assigning a ranking to each raw event;
- identifying relationships between two or more raw events;
- in response to identifying any relationships between two or more raw events, generating a mature correlation event message; and
- displaying one or more mature correlation event messages on a console that describe relationships between raw events.
Abstract
A security management system includes a fusion engine which "fuses" or assembles information from multiple data sources and analyzes this information in order to detect relationships between raw events that may indicate malicious behavior and to provide an organized presentation of information to consoles without slowing down the processing performed by the data sources. The multiple data sources can comprise sensors or detectors that monitor network traffic or individual computers or both. The sensors can comprise devices that may be used in intrusion detection systems (IDS). The data sources can also comprise firewalls, audit systems, and other like security or IDS devices that monitor data traffic in real-time. The present invention can identify relationships between one or more real-time, raw computer events as they are received in real-time. The fusion engine can also assess and rank the risk of real-time raw events as well as mature correlation events.
41 Claims
1. A method for managing security information comprising the steps of:
receiving raw events from one or more data sources; classifying the raw events; storing the raw events; assigning a ranking to each raw event; identifying relationships between two or more raw events; in response to identifying any relationships between two or more raw events, generating a mature correlation event message; and displaying one or more mature correlation event messages on a console that describe relationships between raw events. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 38.
identifying an event type parameter for each raw event; comparing the event type parameter with an event type category of a list; and assigning each raw event to a corresponding event type category in the list.
6. The method of claim 1, wherein the step of assigning a ranking to each raw event further comprises the steps of:
comparing parameters of each raw event with information in a database; and assigning additional parameters to each raw event relating to the environment of the raw event.
7. The method of claim 6, wherein the additional parameters comprise one of a priority status, a vulnerability status, a historical frequency value, a source zone value, a destination zone value, a detector zone value, and a priority change reason text string.
8. The method of claim 1, wherein the step of assigning a ranking to each raw event further comprises the steps of:
identifying a priority status parameter of a raw event; comparing each raw event to information contained in a context database; changing the priority status parameter of a respective raw event if a match occurs in response to the comparison step; and leaving the priority status intact if a match does not occur in response to the comparison step.
9. The method of claim 1, wherein the step of identifying relationships between two or more raw events further comprises the steps of:
associating each raw event with one or more rules that correspond with a type parameter of the raw event; applying each rule to its associated group of raw events; and determining if a computer attack or security breach has occurred based upon successful application of a rule.
10. The method of claim 1, wherein the step of storing raw events further comprises the step of storing each raw event in a high speed memory device comprising random access memory (RAM).
11. The method of claim 1, further comprising the step of determining the intent of a computer attack based upon the type of mature correlation event generated.
12. The method of claim 1, further comprising the steps of:
creating a memory management list; identifying a time stamp for each raw event; and adding each raw event to the memory management list.
13. The method of claim 1, further comprising the step of creating a raw event tracking index that identifies one or more software components that are monitoring one or more raw events.
38. A computer readable medium having computer-executable instructions for performing the steps recited in claim 1.
14. A method for determining relationships between two or more computer events, comprising the steps of:
receiving a plurality of raw events having a first set of parameters; creating raw event storage areas based upon information received from a raw event classification database; storing each event in an event storage area based upon an event type parameter; comparing each raw event to data contained in a context database; adjusting a priority parameter or leaving the priority parameter intact for each raw event in response to the comparison to the context database; associating each raw event with one or more correlation events; applying one or more rules to each event based upon the correlation event associations; and generating a mature correlation event message in response to each successful application of a rule. Dependent claims: 15, 16, 17, 39.
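The pipeline claimed in claims 1 and 14 (classify into per-type storage areas, context-based priority adjustment against a context database, rule application over the grouped events, mature correlation event messages), as an added example in Python that is not part of the patent or its filing; the hosts, event types, the "scan then login failures" rule and the +2 priority bump are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Constructed context database (hypothetical hosts) consulted for the second ranking.
CONTEXT_DB = {"10.0.0.5": {"zone": "dmz", "vulnerable_to": {"auth_failure"}},
              "10.0.0.9": {"zone": "internal", "vulnerable_to": set()}}
TYPE_CATEGORIES = {"scan", "auth_failure", "exploit"}  # raw event classification list

@dataclass(frozen=True)
class RawEvent:
    event_type: str
    src: str
    dst: str
    ts: int           # time stamp (seconds)
    priority: int     # first ranking, as reported by the sensor
    reason: str = ""  # priority change reason text string

def classify(events):
    """Store each raw event in the area for its type; unknown types go to 'other'."""
    areas = defaultdict(list)
    for ev in events:
        areas[ev.event_type if ev.event_type in TYPE_CATEGORIES else "other"].append(ev)
    return areas

def risk_adjust(ev):
    """Raise priority if the context database marks the target vulnerable; else leave intact."""
    if ev.event_type in CONTEXT_DB.get(ev.dst, {}).get("vulnerable_to", set()):
        return replace(ev, priority=ev.priority + 2,
                       reason=f"target {ev.dst} vulnerable to {ev.event_type}")
    return ev

def rule_scan_then_auth(areas, window=300):
    """Rule: a scan followed within `window` seconds by login failures from the
    same source against the same target yields a mature correlation event."""
    matured = []
    for scan in areas.get("scan", []):
        hits = [a for a in areas.get("auth_failure", []) if (a.src, a.dst) ==
                (scan.src, scan.dst) and 0 <= a.ts - scan.ts <= window]
        if hits:
            prio = max(e.priority for e in [scan, *hits])
            matured.append(f"mature: {scan.src} scanned then attempted logins on "
                           f"{scan.dst} ({len(hits)} failures, priority {prio})")
    return matured

def fuse(events):
    """Pipeline: classify and store, context-adjust each event, apply the rules."""
    areas = {k: [risk_adjust(e) for e in v] for k, v in classify(events).items()}
    return rule_scan_then_auth(areas)

SAMPLE = [  # constructed raw events; 10.0.0.9 sees failures but no prior scan
    RawEvent("scan", "203.0.113.7", "10.0.0.5", 100, 2),
    RawEvent("auth_failure", "203.0.113.7", "10.0.0.5", 160, 3),
    RawEvent("auth_failure", "203.0.113.7", "10.0.0.5", 170, 3),
    RawEvent("auth_failure", "203.0.113.7", "10.0.0.9", 180, 3),
]
```

Running `fuse(SAMPLE)` yields a single mature message for 10.0.0.5, while the isolated failures against 10.0.0.9 stay as raw events, which is the console-noise reduction claim 31 describes.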
18. A security management system comprising:
a plurality of data sources; an event collector linked to the plurality of data sources; a fusion engine linked to the event collector, said fusion engine identifying relationships between two or more raw events generated by the data sources; and a console linked to the event collector for displaying any output generated by the fusion engine. Dependent claims: 19, 20, 21.
22. A fusion engine comprising:
a controller; an event reader for receiving raw events; a classifier linked to the event reader for classifying the received raw events; a raw event classification database linked to the classifier; a context based risk-adjustment processor linked to the classifier, for adjusting priorities of raw events; a context database linked to the context based risk-adjustment processor; and a rule database, for determining if relationships exist between two or more events. Dependent claims: 23, 24, 25.
26. A method for managing security information comprising the steps of:
receiving a raw event having a first ranking from one or more data sources; classifying the raw event; storing the raw event; and assigning a second ranking to the raw event, whereby the second ranking assesses risks of the raw event based upon a context of the raw event. Dependent claims: 27, 28, 29, 30, 40.
comparing parameters of each raw event with information in a database; and assigning additional parameters to each raw event relating to the environment of the raw event.
29. The method of claim 28, wherein the additional parameters comprise at least one of a priority status, a vulnerability status, a historical frequency value, a source zone value, a destination zone value, a detector zone value, and a priority change reason text string.
30. The method of claim 26, wherein the step of assigning a second ranking to each raw event further comprises the steps of:
identifying a priority status parameter of a raw event; comparing each raw event to information contained in a context database; changing the priority status parameter of a respective raw event if a match occurs in response to the comparison step; and leaving the priority status intact if a match does not occur in response to the comparison step.
40. A computer readable medium having computer-executable instructions for performing the steps recited in claim 26.
31. A method for managing security information comprising the steps of:
receiving raw events from one or more data sources; classifying the raw events; grouping two or more raw events into a high level correlation event; in response to grouping the two or more raw events, generating a mature correlation event message; and displaying one or more mature correlation event messages on a console that describe relationships between raw events, whereby a number of events displayed on the console can be substantially minimized. Dependent claims: 32, 33, 34, 35, 36, 37, 41.
identifying an event type parameter for each raw event; comparing the event type parameter with an event type category of a list; and assigning each raw event to a corresponding event type category in the list.
36. The method of claim 31, wherein the step of classifying comprises the step of categorizing a raw event based on any one of the following: how an activity indicated by a raw event may impact one or more target computers, how many target computers may be affected by an activity indicated by a raw event, and how activities indicated by respective raw events gain access to one or more target computers.
37. The method of claim 31, wherein the step of grouping two or more raw events further comprises the step of determining a time at which a respective raw event occurred relative to another raw event.
41. A computer readable medium having computer-executable instructions for performing the steps recited in claim 31.