Security incident manager

US 20070180107A1
Filed: 07/18/2006
Published: 08/02/2007
Est. Priority Date: 07/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method of managing security incidents including the steps of:

receiving a raw event from a monitored device;

assigning a respective score for each of severity, relevance, and credibility to the raw event; and

forwarding the raw event to an event processor based on the respective scores.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security incident manger includes events and network flows in the analysis of an attack to better identify the magnitude of the attack and how to handle the situation. The raw events are reported by monitored devices and the incident manager may request network flows from various devices corresponding to a raw event. The manager then assigns a variable score to the severity, the relevance and the credibility of the event to determine its next processing steps. Those events that appear to be a likely and effective attack are classified as offenses. Offenses are stored in order to provide additional data for evaluating future events and for building a “rap sheet” against repeat attackers and repeat events.

51 Citations

View as Search Results

14 Claims

1. A method of managing security incidents including the steps of:
- receiving a raw event from a monitored device;
  
  assigning a respective score for each of severity, relevance, and credibility to the raw event; and
  
  forwarding the raw event to an event processor based on the respective scores.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising the step of:
    - transforming the raw event into a normalized event.
  - 3. The method of claim 1, wherein the raw event is received via one of a syslog channel or SNMP.
  - 4. The method of claim 1, wherein the step of assigning a respective score includes the step of adjusting a predetermined score for at least one of severity, relevance, and credibility.
  - 5. The method of claim 1, further comprising the steps of:
    - receiving a plurality of raw events and collating more than one of the plurality of events into an event flow.
  - 6. The method of claim 1, further comprising the step of:
    - identifying one category from among a plurality of categories to assign to the raw event.
  - 7. The method of claim 1, further comprising the steps of:
    - determining a target of the raw event; and
      
      evaluating a vulnerability of the target.
  - 8. The method of claim 7, wherein the vulnerability is determined based on an active scan of the target.
  - 9. The method of claim 7, wherein the vulnerability is determined based on a passive scan of traffic involving the target.
  - 10. The method of claim 7, wherein the respective score for at least one of relevance, credibility, and severity is based in part on the vulnerability.
  - 11. The method of claim 1, further comprising the step of:
    - identifying the raw event as an offense.
  - 12. The method of claim 11, further comprising the step of:
    - storing an offense for future access.
  - 13. The method of claim 11, further comprising the steps of:
    - assigning a respective score for each of severity, relevance, and credibility to the offense; and
      
      remediating the offense based on the respective scores of the offense.
  - 14. The method of claim 1, further comprising the steps of:
    - based on the respective scores, requesting a network flow related to the raw event; and
      
      forwarding the raw event and the network flow to the event processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Qi Labs, Inc.
Inventors
Bird, William, Newton, Christopher

Granted Patent

US 8,209,759 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Security incident manager

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Security incident manager

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others