Hierarchical correlation of intrusion detection events
Abstract
A method, computer program product, and apparatus for presenting data about security-related events in a concise form is disclosed. Events are abstracted into a set data type. Sets with common elements are grouped together, and summaries of the groups ("situations") are established from groups whose severity exceeds a threshold value. These groups and situations are then propagated up a hierarchical arrangement of systems and further aggregated so as to provide summary information over a larger group of systems. This hierarchical scheme allows the event correlation process to scale across larger networks of systems.
49 Citations
30 Claims
1. A method in a data processing system for reporting security situations, comprising the steps of:
logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;
calculating severity levels for the groups;
calculating delta severities from the severity levels; and
propagating the delta severities to a higher-level correlation server.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method, in a data processing system, of establishing a severity level for multiple groups of computers, comprising:
receiving a plurality of delta severity levels;
performing a first mathematical operation on the plurality of delta severity levels to form a new delta severity level;
if the data processing system is the top level of a hierarchy of servers, performing a second mathematical operation on the new delta severity level and a stored severity level to form a new severity level; and
if the data processing system is not the top level of a hierarchy of servers, propagating the new delta severity level to a higher-level correlation server.
Dependent claims: 9, 10.
11. A computer program product in a computer readable medium for reporting security events, comprising instructions for:
logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;
calculating severity levels for the groups;
calculating delta severities from the severity levels; and
propagating the delta severities to a higher-level correlation server.
Dependent claims: 12, 13, 14, 15, 16, 17.
18. A computer program product in a computer readable medium, containing instruction code operable in a data processing system, comprising instructions for:
receiving a plurality of delta severity levels;
performing a first mathematical operation on the plurality of delta severity levels to form a new delta severity level;
if the data processing system is the top level of a hierarchy of servers, performing a second mathematical operation on the new delta severity level and a stored severity level to form a new severity level; and
if the data processing system is not the top level of a hierarchy of servers, propagating the new delta severity level to a higher-level correlation server.
Dependent claims: 19, 20.
21. A data processing system for reporting security events, comprising:
a bus system;
a memory;
a processing unit, wherein the processing unit includes at least one processor; and
a set of instructions within the memory, wherein the processing unit executes the set of instructions to perform the acts of:
logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;
calculating severity levels for the groups;
calculating delta severities from the severity levels; and
propagating the delta severities to a higher-level correlation server.
Dependent claims: 22, 23, 24, 25, 26, 27.
28. A data processing system for reporting security events, comprising:
a bus system;
a memory;
a processing unit, wherein the processing unit includes at least one processor; and
a set of instructions within the memory, wherein the processing unit executes the set of instructions to perform the acts of:
receiving a plurality of delta severity levels;
performing a first mathematical operation on the plurality of delta severity levels to form a new delta severity level;
if the data processing system is the top level of a hierarchy of servers, performing a second mathematical operation on the new delta severity level and a stored severity level to form a new severity level; and
if the data processing system is not the top level of a hierarchy of servers, propagating the new delta severity level to a higher-level correlation server.
Dependent claims: 29, 30.
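As an added illustration (not code from the patent or its assignee), the following Python sketch walks claims 1 and 8 together with the abstract's threshold step: leaf correlators classify event sets by one shared attribute and report only delta severities, a mid-level server merges the deltas and forwards them, and the top-level server folds them into its stored severity, from which "situations" above a threshold are read off. The category weights, summation as the "first mathematical operation" and addition as the "second", and the two event logs are all assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "source target category")  # the event set of claim 1
CATEGORY_WEIGHT = {"scan": 1, "brute_force": 3, "exploit": 5}  # constructed; the patent leaves scoring open

class LeafCorrelator:
    """Lowest tier: classifies its event log into groups and reports only changes in severity."""
    def __init__(self, attribute="source"):
        self.attribute, self.reported = attribute, {}

    def severity_levels(self, events):
        levels = defaultdict(int)
        for ev in events:  # group by one identical attribute value; assumed score = sum of weights
            levels[getattr(ev, self.attribute)] += CATEGORY_WEIGHT[ev.category]
        return dict(levels)

    def report(self, events):
        """Delta severity per group = new level minus the level last sent upward."""
        levels = self.severity_levels(events)
        deltas = {k: levels.get(k, 0) - self.reported.get(k, 0) for k in set(levels) | set(self.reported)}
        self.reported = levels
        return {k: d for k, d in deltas.items() if d}

class CorrelationServer:
    """Upper tier: sum child deltas (first op); at the top add them to the stored level (second op)."""
    def __init__(self, top_level):
        self.top_level, self.stored = top_level, defaultdict(int)

    def receive(self, delta_reports):
        new_delta = defaultdict(int)
        for k, d in [kv for rep in delta_reports for kv in rep.items()]:
            new_delta[k] += d
        if not self.top_level:
            return dict(new_delta)  # not the top: propagate the merged delta to the next server up
        for k, d in new_delta.items():
            self.stored[k] += d
        return dict(self.stored)

def situations(levels, threshold):
    """Groups whose severity exceeds the threshold become reportable situations."""
    return sorted(k for k, v in levels.items() if v > threshold)

def run_demo():
    # Two leaves -> one mid-level server -> top server, over two reporting rounds (constructed logs).
    log_a = [Event("10.0.0.5", "web-1", c) for c in ("scan", "scan", "brute_force")]
    log_b = [Event("10.0.0.5", "db-1", "exploit"), Event("10.0.0.9", "db-1", "scan")]
    leaf_a, leaf_b = LeafCorrelator(), LeafCorrelator()
    mid, top = CorrelationServer(top_level=False), CorrelationServer(top_level=True)
    top.receive([mid.receive([leaf_a.report(log_a), leaf_b.report(log_b)])])  # round 1: levels 10 and 1
    log_a.append(Event("10.0.0.5", "web-1", "brute_force"))  # round 2: only a delta of 3 travels upward
    return top.receive([mid.receive([leaf_a.report(log_a), leaf_b.report(log_b)])])
```

After the second round the top server holds 13 for 10.0.0.5 although only a delta of 3 crossed the hierarchy, which is the bandwidth saving the claims are after.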
Specification