Method of automatically classifying a set of alarms emitted by sensors for detecting intrusions of an information security system

US 20070118905A1
Filed: 12/16/2004
Published: 05/24/2007
Est. Priority Date: 12/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a₁, . . . a_n) belonging to a plurality of attribute domains (A1, . . . , An) each of which has a partial order relationship, which method comprises the following steps:

organizing the attributes belonging to each attribute domain into a hierarchical structure including levels defined in accordance with the partial order relationship of the attribute domain, the attribute domains thus forming hierarchical structures;

constructing for each alert issued by the intrusion detection sensors (11a, 11b, 11c) a trellis specific to that alert by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure, the specific trellis including nodes corresponding to alerts linked to each other by arcs so that each node is linked to one or more parent nodes and/or to one or more child or descendant nodes;

iteratively merging each specific trellis into a general trellis;

identifying collated alerts in the general trellis by selecting the alerts that are simultaneously the most pertinent and the most general in accordance with statistical criteria and according to their attributes belonging to lower levels of the hierarchical structures; and

supplying the collated alerts to an output unit (23) of an alert management system (13) in order to provide an overview of all the alerts issued by the intrusion detection sensors (11a, 11b, 11c).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a₁, . . . , a_n) belonging to a plurality of attribute domains (A1, . . . , An). Attributes belonging to each attribute domain are organized into a hierarchical structure. For each alert issued by the intrusion detection sensors (11a, 11b, 11c), a trellis specific to that alert is constructed by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure. Each specific trellis is iteratively merged into a general trellis. Collated alerts in the general trellis are identified by selecting the alerts that are simultaneously the most pertinent and the most general. The collated alerts are supplied to an output unit (23) of an alert management system (13).

Citations

9 Claims

1. A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a₁, . . . a_n) belonging to a plurality of attribute domains (A1, . . . , An) each of which has a partial order relationship, which method comprises the following steps:
- organizing the attributes belonging to each attribute domain into a hierarchical structure including levels defined in accordance with the partial order relationship of the attribute domain, the attribute domains thus forming hierarchical structures;
  
  constructing for each alert issued by the intrusion detection sensors (11a, 11b, 11c) a trellis specific to that alert by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure, the specific trellis including nodes corresponding to alerts linked to each other by arcs so that each node is linked to one or more parent nodes and/or to one or more child or descendant nodes;
  
  iteratively merging each specific trellis into a general trellis;
  
  identifying collated alerts in the general trellis by selecting the alerts that are simultaneously the most pertinent and the most general in accordance with statistical criteria and according to their attributes belonging to lower levels of the hierarchical structures; and
  
  supplying the collated alerts to an output unit (23) of an alert management system (13) in order to provide an overview of all the alerts issued by the intrusion detection sensors (11a, 11b, 11c).
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein the construction of a specific trellis includes the following steps:
    - for any generalizable attribute of a given alert, recovering the generalized value of that attribute from its hierarchical structure to form a new alert more general than said given alert;
      
      adding a new node to the specific trellis corresponding to the new alert and adding an arc going from the new node of the new alert to the node of the given alert; and
      
      adding missing arcs going from the parent nodes of the given alert resulting from the generalization of the given alert in accordance with its other attributes to the node of the new alert.
  - 3. The method according to claim 1, wherein merging a given specific trellis into the general trellis includes the following steps:
    - selecting a first node corresponding to a first alert belonging to the given specific trellis and a second node corresponding to a second alert belonging to the general trellis;
      
      eliminating all the arcs coming from the parent nodes of an offspring node of the first node if said offspring node belongs to said general trellis; and
      
      adding said offspring node and all its descendants to the general trellis if said offspring node does not belong to the general trellis.
  - 4. The method according to claim 1, wherein a pertinent alert is identified when each of the sets of offspring nodes of the pertinent alert resulting from specialization of that alert in accordance with each of its attribute domains is homogeneous and when the number of elements constituting each of said sets of offspring nodes of the pertinent alert is greater than a threshold value.
  - 5. The method according to claim 1, wherein the collated alerts are associated with different groups of alerts issued by the sensors so that the groups are not mutually exclusive.
  - 6. The method according to claim 1, wherein the attribute domains include domains from the following sets:
    - alert identifiers, attack sources, attack targets, and attack dates.
  - 7. A computer program designed to execute the method according to claim 1 when it is executed by the alert management system (13).

8. Alert management system for automatically classifying alerts issued by intrusion detection sensors for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a₁, . . . , a_n) belonging to a plurality of attribute domains (A1, . . . , An) each of which has a partial order relationship, which system comprises:
- processor means for organizing the attributes belonging to each attribute domain into a hierarchical structure including levels defined in accordance with the partial order relationship of the attribute domain, the attribute domains thus forming hierarchical structures;
  
  processor means for constructing for each alert issued by the intrusion detection sensors a trellis specific to that alert by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure, the specific trellis including nodes corresponding to alerts linked to each other by arcs so that each node is linked to one or more parent nodes and/or to one or more child or descendant nodes;
  
  processor means for iteratively merging each specific trellis into a general trellis;
  
  processor means for identifying collated alerts in the general trellis by selecting the alerts that are simultaneously the most pertinent and the most general in accordance with statistical criteria and according to their attributes belonging to lower levels of the hierarchical structures; and
  
  processor means for supplying the collated alerts to an output unit (23) in order to provide an overview of all the alerts issued by the intrusion detection sensors.
- View Dependent Claims (9)
- - 9. Information security system comprising intrusion detection sensors and an alert management system according to claim 8.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Orange S.A.
Original Assignee
Orange S.A.
Inventors
Morin, Benjamin, Debar, Herve, Tombini, Elvis

Granted Patent

US 7,506,373 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06Q 20/0855   involving a third party

H04L 41/00   Arrangements for maintenanc...

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/0631   using root cause analysis; ...

H04L 41/16   using machine learning or a...

H04L 63/1416   Event detection, e.g. attac...

Method of automatically classifying a set of alarms emitted by sensors for detecting intrusions of an information security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method of automatically classifying a set of alarms emitted by sensors for detecting intrusions of an information security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links