Event sequence detection
Abstract
The invention relates to event sequence detection suitable for an intrusion detection system (IDS), for example. An event sequence including two or more stages in order, each of the stages including one or more events, is defined. Also defined is a filtering function for each of the stages, each filtering function providing a TRUE indication when one of the events belonging to the respective stage is received, and a FALSE indication otherwise. Still further, at least one binding function for each of the stages is defined such that a pair of binding functions in two successive stages links the events in these two successive stages. Received event data is continuously evaluated with the filtering functions. When the evaluation results in a TRUE indication from one of the filter functions, at least one key value is derived from the received event data by the corresponding at least one binding function. Finally, it is determined that the sequence has been detected when a TRUE indication has been obtained in each stage in a timely order and the derived key values link the detected events in the successive stages.
17 Claims
1. An event sequence detection method, comprising
having or defining an event sequence including two or more stages in order, each of the stages including one or more events, having or defining a filtering function for each of said stages, each filtering function providing a TRUE indication, when one of the events belonging to the respective stage is received, and a FALSE indication otherwise, having or defining at least one binding function for each of the stages such that a pair of binding functions in two successive stages links the events in these two successive stages, continuously receiving event data, continuously evaluating the received event data with the filtering functions, when the evaluation results in a TRUE indication from one of the filter functions, deriving at least one key value from the received event data by the corresponding at least one binding function, determining that said sequence has been detected, when a TRUE indication has been obtained in each stage in a timely order and the derived key values link the detected events in the successive stages.
6. An event sequence detection method, comprising
having or defining an event sequence including two or more stages in order, each of the stages including one or more events, having or defining a filtering function for each of said stages, each filtering function providing a TRUE indication, when one of the events belonging to the respective stage is received, and a FALSE indication otherwise, evaluating the filtering functions with the event data, if the filtering function of the one of the stages evaluates to TRUE, a binding function associated with the respective stage is evaluated for extracting a first key from the event data, if the stage, which evaluates to TRUE, is the first stage, it is checked whether the event and the first key already exist in a table associated with the first stage, and if the checking result is negative, the event and the first key are added to the table, if the stage, which evaluates to TRUE, is some other than the first stage, it is checked, whether there is an entry with the first key in the table of the previous stage, if the checking result is negative, nothing is done, and if the checking result is confirmative, another binding function associated with the current stage is evaluated for extracting a second key from the event data and the table associated with the current stage is checked for whether the event and the second key do exist in the table, and if the latter checking result is negative, the event and the second key are added to the table, if the stage, which evaluates to TRUE, is the last stage, it is checked, whether there is an entry with the first key in the table of the previous stage, and if the checking result is negative, nothing is done, and if the checking result is confirmative, it is determined that a sequence of events has been detected.
8. An event sequence detection method, comprising
having or defining an event sequence including two or more events, having or defining a filtering function and an associated binding function for each event, each filtering function providing a TRUE indication, when the respective event is received, and a FALSE indication otherwise, continuously receiving event data, continuously evaluating the received event data with the filtering functions, each time when the evaluation results in a TRUE indication from one of the filter functions, registering the corresponding event and a key value derived from the received event data by the corresponding binding function, determining the event sequence as detected, if all events of the event sequence with mutually matching key values are registered within a time window.
9. An event sequence detection method, comprising
having or defining an event sequence including two or more stages, each of the stages including one or more events, having or defining a filtering function for each of said stages, each filtering function providing a TRUE indication, when one of the events belonging to the respective stage is received, and a FALSE indication otherwise, evaluating the filtering functions with the event data, if the filtering function of the one of the stages evaluates to TRUE, a binding function associated with the respective stage is evaluated for extracting a key from the event data, checking whether the key already exists in a table associated with the set of stages, if the key is not found in the table, the event with the key is added to the table, if the key is found in the table, it is checked whether an event for the current stage is already recorded for the key, if no event for the current stage is already recorded for the key, the event is added to the table in connection with the key and the current stage, checking whether the key has an event recorded for each stage, and if the key has an event recorded for each stage, determining that the event sequence has been detected.
11. An event sequence detection method, comprising
having or defining an event sequence including two or more stages, each of the stages including one or more events, having or defining a filtering function for each of said stages, each filtering function providing a TRUE indication, when one of the events belonging to the respective stage is received, and a FALSE indication otherwise, evaluating the filtering functions with the event data, if the filtering function of the one of the stages evaluates to TRUE, a binding function associated with the respective stage is evaluated for extracting a key from the event data, checking whether the key already exists in a table associated with the set of stages, if the key is not found in the table, the event with the key is added to the table, if the key is found in the table, it is checked whether an event for the current stage is already recorded for the key, if no event for the current stage is already recorded for the key, the event is added to the table in connection with the key and the current stage, if an event for the current stage is already recorded for the key, incrementing the number of events with this key and stage, checking whether the key has a predetermined number of events recorded for each stage, and if the key has a predetermined number of events recorded for each stage, determining that the event sequence has been detected.
12. An event sequence detector block for execution by a processor in a data communications network environment, comprising:
a computer readable memory, and a routine stored on the computer readable memory and adapted to be implemented on the processor, wherein the routine:
has a predefined event sequence including two or more stages in order, each of the stages including one or more events, has a predefined filtering function for each of said stages, each filtering function providing a TRUE indication, when one of the events belonging to the respective stage is received, and a FALSE indication otherwise, has at least one predefined binding function for each of the stages such that a pair of binding functions in two successive stages links the events in these two successive stages, continuously receives event data, continuously evaluates the received event data with the filtering functions, when the evaluation results in a TRUE indication from one of the filter functions, derives at least one key value from the received event data by the corresponding at least one binding function, determines that said sequence has been detected, when a TRUE indication has been obtained in each stage in a timely order and the derived key values link the detected events in the successive stages.
14. An event sequence detector block for execution by a processor in a data communications network environment, comprising:
a computer readable memory, and a routine stored on the computer readable memory and adapted to be implemented on the processor, wherein the routine:
has a predefined event sequence including two or more events, has a predefined filtering function and an associated binding function for each event, each filtering function providing a TRUE indication, when the respective event is received, and a FALSE indication otherwise, continuously receives event data, continuously evaluates the received event data with the filtering functions, each time when the evaluation results in a TRUE indication from one of the filter functions, registers the corresponding event and a key value derived from the received event data by the corresponding binding function, determines the event sequence as detected, if all events of the event sequence with mutually matching key values are registered.
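As an added illustration, not text or code from the patent, the following Python sketch implements the table-per-stage procedure of claims 1 and 6 together with the time window of claim 8: each stage has a filter, a binding function that links back to the previous stage's table, and a binding function whose key is stored for the next stage. The three-stage login chain, the field names and the sample records are hypothetical and constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Stage:
    filt: Callable[[dict], bool]                      # TRUE when the event belongs to this stage
    link_key: Optional[Callable[[dict], str]] = None  # key looked up in the previous stage's table
    fwd_key: Optional[Callable[[dict], str]] = None   # key stored for the next stage to link on
    table: dict = field(default_factory=dict)         # fwd_key -> timestamp of first sighting


class SequenceDetector:
    def __init__(self, stages: list, window: float):
        self.stages, self.window = stages, window

    def feed(self, ev: dict) -> bool:
        # Evaluate one event against every stage; True when the whole sequence is detected.
        for i, st in enumerate(self.stages):
            if not st.filt(ev):
                continue
            if i > 0:
                # Link to the previous stage: key recorded there by an earlier event, inside the window.
                prev_ts = self.stages[i - 1].table.get(st.link_key(ev))
                if prev_ts is None or not (0 <= ev["ts"] - prev_ts <= self.window):
                    return False
                if i == len(self.stages) - 1:
                    return True
            # First or intermediate stage: record the forward key once (no duplicate entries).
            st.table.setdefault(st.fwd_key(ev), ev["ts"])
        return False


def build_detector(window: float = 300.0) -> SequenceDetector:
    # Hypothetical three-stage chain: failed SSH login -> successful login from the
    # same source address -> sudo by the user who logged in.
    return SequenceDetector([
        Stage(filt=lambda e: e["type"] == "auth_fail", fwd_key=lambda e: e["src"]),
        Stage(filt=lambda e: e["type"] == "auth_ok", link_key=lambda e: e["src"], fwd_key=lambda e: e["user"]),
        Stage(filt=lambda e: e["type"] == "sudo", link_key=lambda e: e["user"]),
    ], window)


def detect(events: list, window: float = 300.0) -> list:
    # Indices of the events at which the sequence was declared detected.
    det = build_detector(window)
    return [i for i, ev in enumerate(events) if det.feed(ev)]


SAMPLE = [  # constructed: one linked chain from 203.0.113.7, one unlinked login/sudo pair
    {"ts": 100.0, "type": "auth_fail", "src": "203.0.113.7", "user": "bob"},
    {"ts": 105.0, "type": "auth_ok", "src": "198.51.100.2", "user": "alice"},
    {"ts": 110.0, "type": "sudo", "src": "198.51.100.2", "user": "alice"},
    {"ts": 130.0, "type": "auth_ok", "src": "203.0.113.7", "user": "bob"},
    {"ts": 140.0, "type": "sudo", "src": "203.0.113.7", "user": "bob"},
]
```

The unlinked login and sudo by alice never match a prior-stage key, so only the last record fires; shrinking the window below the 30 s gap between bob's failed and successful logins breaks the chain at stage two.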