Presentation of correlated events as situation classes
Abstract
A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
102 Citations
21 Claims
1. A method in a data processing system for reporting security situations, comprising the steps of:
- logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
- classifying events as groups by aggregating events with at least one attribute within the event set as an identical value; and
- calculating severity levels for the groups;
- reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer program product in a computer readable medium for reporting security events, comprising instructions for:
- logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
- classifying events as groups by aggregating events with at least one attribute within the event set as an identical value; and
- calculating severity levels for the groups;
- reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A data processing system for reporting security events, comprising:
- a bus system;
- a memory;
- a processing unit, wherein the processing unit includes at least one processor; and
- a set of instructions within the memory, wherein the processing unit executes the set of instructions to perform the acts of:
- logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
- classifying events as groups by aggregating events with at least one attribute within the event set as an identical value; and
- calculating severity levels for the groups;
- reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value.
Dependent claims: 16, 17, 18, 19, 20, 21.
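As an added illustration of the claimed steps (this is not code from the patent or its assignee), the following Python sketch logs events as attribute sets, groups events that share an identical value for any attribute, scores each group, and reports groups above a threshold as situations. The sample events, the category weights and the severity formula (weight sum scaled by the number of distinct hosts involved) are constructed assumptions; the patent fixes no particular formula.

```python
from collections import defaultdict

# Constructed sample events (not from the patent): each event set carries
# the three attributes named in claim 1: source, target and event category.
EVENTS = [
    {"source": "10.0.0.5", "target": "srv-web",  "category": "port_scan"},
    {"source": "10.0.0.5", "target": "srv-db",   "category": "port_scan"},
    {"source": "10.0.0.5", "target": "srv-mail", "category": "login_failure"},
    {"source": "10.0.0.9", "target": "srv-db",   "category": "login_failure"},
    {"source": "10.0.0.7", "target": "srv-db",   "category": "login_failure"},
    {"source": "10.0.0.9", "target": "srv-web",  "category": "malware"},
]

# Assumed per-category weights (hypothetical; the patent does not fix a scale).
CATEGORY_WEIGHT = {"port_scan": 1, "login_failure": 2, "malware": 5}


def group_events(events):
    """Aggregate events that share an identical value for at least one attribute.
    Returns {(attribute, value): [events]}; one event can belong to several groups."""
    groups = defaultdict(list)
    for ev in events:
        for attr, value in ev.items():
            groups[(attr, value)].append(ev)
    return dict(groups)


def severity(group):
    """Assumed severity: sum of category weights, scaled by the number of
    distinct hosts (sources and targets) the group touches, so a group that
    spreads across more machines scores higher than one confined to a pair."""
    base = sum(CATEGORY_WEIGHT.get(ev["category"], 1) for ev in group)
    hosts = {ev["source"] for ev in group} | {ev["target"] for ev in group}
    return base * len(hosts)


def report_situations(events, threshold):
    """Return the groups whose severity exceeds the threshold, most severe first.
    Groups of a single event are skipped: they correlate nothing (a design choice,
    not a requirement of the claims)."""
    situations = []
    for (attr, value), group in group_events(events).items():
        if len(group) < 2:
            continue
        sev = severity(group)
        if sev > threshold:
            situations.append({"key": f"{attr}={value}", "events": len(group), "severity": sev})
    return sorted(situations, key=lambda s: (-s["severity"], s["key"]))
```

With the sample data and a threshold of 15, the `login_failure` category group (three sources against two targets) is reported first, while the two-event `port_scan` group stays below the threshold.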