Method of managing alerts issued by intrusion detection sensors of an information security system

US 20070150579A1
Filed: 12/16/2004
Published: 06/28/2007
Est. Priority Date: 12/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content, which method includes the following steps:

associating with each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) a description including a conjunction of valued attributes belonging to attribute domains;

organizing the valued attributes belonging to each attribute domain into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures;

completing the description of each of said alerts with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts; and

storing said complete alerts in a logic file system (21) to enable them to be consulted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content. Each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) is associated with a description including a conjunction of valued attributes belonging to attribute domains. The valued attributes belonging to each attribute domain are organized into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures. The description of each of said alerts is completed with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts. The complete alerts are stored in a logic file system (21) to enable them to be consulted.

50 Citations

View as Search Results

13 Claims

1. A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content, which method includes the following steps:
- associating with each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) a description including a conjunction of valued attributes belonging to attribute domains;
  
  organizing the valued attributes belonging to each attribute domain into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures;
  
  completing the description of each of said alerts with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts; and
  
  storing said complete alerts in a logic file system (21) to enable them to be consulted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein complete alerts are consulted by successively interrogating and/or browsing said complete alerts so that the alert management system (13) responds to a request by supplying pertinent valued attributes enabling a subset of complete alerts to be distinguished in a set of complete alerts satisfying the request in order to enable said request to be refined.
  - 3. The method according to claim 2, wherein the pertinent valued attributes assigned the highest priority are those that are most general, given the taxonomic structures.
  - 4. The method according to claim 2, wherein the alert management system (13) further responds to the request by supplying alert identifiers satisfying the request and whose description cannot be refined with respect to said request. supplying alert identifiers satisfying the request and whose description cannot be refined with respect to said request.
  - 5. The method according to claim 1, wherein the alert identifier is a pair consisting of an identifier of the intrusion detection sensor (11a, 11b, 11c) that produces the alert and an alert serial number assigned by said sensor.
  - 6. The method according to claim 1, wherein the content of each alert includes a text message supplied by the corresponding intrusion detection sensor (11a, 11b, 11c).
  - 7. The method according to claim 1, wherein each valued attribute includes an attribute identifier and an attribute value.
  - 8. The method according to claim 7, wherein each attribute identifier is associated with one of the following attribute domains:
    - attack domain, attacker identity domain, victim identity domain, and attack date domain.
  - 9. The method according to claim 1, wherein the description of a given alert is completed by recovering recursively from generalization relationships of the taxonomic structures a set including the more general valued attributes not already included in the description of another alert completed previously.
  - 10. The method according to claim 1, wherein the valued attributes in the taxonomic structure are organized in accordance with an acyclic directed graph.
  - 11. A computer program designed to execute the method according to claim 1, when it is executed by the alert management system (13).

12. Alert management system for managing alerts issued by intrusion detection sensors (11a, 11b, 11c), each alert being defined by an alert identifier and an alert content, which system includes:
- processor means for associating with each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) a description including a conjunction of valued attributes belonging to attribute domains;
  
  processor means for organizing the valued attributes belonging to each attribute domain into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures;
  
  processor means for completing the description of each of said alerts with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts; and
  
  processor means for storing said complete alerts in a logic file system (21) to enable them to be consulted.
- View Dependent Claims (13)
- - 13. Information security system comprising intrusion detection sensors and an alert management system according to claim 12.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Orange S.A.
Original Assignee
Orange S.A.
Inventors
Morin, Benjamin, Debar, Herve

Granted Patent

US 7,810,157 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 43/12 Network monitoring probes

H04L 63/1425 Traffic logging, e.g. anoma...

Method of managing alerts issued by intrusion detection sensors of an information security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method of managing alerts issued by intrusion detection sensors of an information security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links