Pattern discovery in a network security system

US 20050251860A1
Filed: 05/04/2004
Published: 11/10/2005
Est. Priority Date: 05/04/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an event stream comprising a plurality of security events; and

discovering one or more previously unknown event patterns in the received event stream.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Patterns can be discovered in security events collected by a network security system. In one embodiment, the present invention includes collecting and storing security events from a variety of monitor devices. In one embodiment, a subset of the stored security events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.

88 Citations

View as Search Results

27 Claims

1. A method comprising:
- receiving an event stream comprising a plurality of security events; and
  
  discovering one or more previously unknown event patterns in the received event stream.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein discovering the one or more event patterns comprises filtering the event stream into a plurality of transactions based on transaction parameters.
  - 3. The method of claim 2, wherein the transaction parameters include an interval of time.
  - 4. The method of claim 2, wherein the transaction parameters include a source address.
  - 5. The method of claim 2, wherein the transaction parameters include a source address and a destination address.
  - 6. The method of claim 2, wherein discovering the one or more event patterns further comprises building a transaction tree using the plurality of transactions.
  - 7. The method of claim 6, wherein discovering the one or more event patterns further comprises parsing the transaction tree by observing drops in support.
  - 8. The method of claim 1, further comprising providing a user an option to convert the discovered one or more event patterns into one or more event correlation rules.
  - 9. The method of claim 1, further comprising creating a new event correlation rule using at least one of the one or more discovered event patterns.
  - 10. The method of claim 1, receiving the event stream comprises receiving the event stream from an event database storing previously collected security events.

11. A user interface for a network security system comprising:
- a rule generation tool configured to convert a selected newly identified pattern into a correlation rule in response to a user action.
- View Dependent Claims (12, 13)
- - 12. The user interface of claim 11, wherein the user action comprises a single mouse-click.
  - 13. The user interface of claim 11, further comprising a pattern discovery tool configured to allow a user to select a subset of previously stored security events, wherein the network security system discovers previously unknown patterns in the selected subset of security events in response to the user selection.

14. A network security system comprising:
- an event database storing a plurality of security events; and
  
  a pattern discovery module to discover one or more previously unknown event patterns in an event stream, the event stream comprising a subset of the plurality of security events stored in the event database.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The network security system of claim 14, wherein the pattern discovery module comprises a plurality of transaction filters to filter the event stream into a plurality of transactions based on transaction parameters.
  - 16. The network security system of claim 15, wherein the transaction parameters include an interval of time.
  - 17. The network security system of claim 15, wherein the transaction parameters include a source address.
  - 18. The network security system of claim 15, wherein the transaction parameters include a source address and a destination address.
  - 19. The network security system of claim 15, wherein the pattern discovery module comprises a tree builder to build a transaction tree using the plurality of transactions.
  - 20. The network security system of claim 19, wherein the pattern discovery module further comprises a tree parser to parse the transaction tree by observing drops in support.
  - 21. The network security system of claim 14, further comprising a user interface to provide a user a tool to convert the discovered one or more event patterns into one or more event correlation rules.

22. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor of a network security system, cause the processor to perform operations comprising:
- discovering one or more previously unknown event patterns in an event stream, the event stream comprising a selected subset security events previously stored by the network security system.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The machine-readable medium of claim 22, wherein discovering the one or more event patterns comprises filtering the event stream into a plurality of transactions based on transaction parameters.
  - 24. The machine-readable medium of claim 23, wherein discovering the one or more event patterns further comprises building a transaction tree using the plurality of transactions.
  - 25. The machine-readable medium of claim 24, wherein discovering the one or more event patterns further comprises parsing the transaction tree by observing drops in support.
  - 26. The machine-readable medium of claim 22, further comprising providing a user an option to convert the discovered one or more event patterns into one or more event correlation rules.
  - 27. The machine-readable medium of claim 22, further comprising creating a new event correlation rule using at least one of the one or more discovered event patterns.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Tidwell, Kenny, Saurabh, Kumar

Granted Patent

US 7,509,677 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1416 Event detection, e.g. attac...

Pattern discovery in a network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

88 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Pattern discovery in a network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links