Adaptive data collection for root-cause analysis and intrusion detection

US 20080229421A1
Filed: 03/14/2007
Published: 09/18/2008
Est. Priority Date: 03/14/2007
Status: Active Grant

First Claim

Patent Images

1. A method for performing adaptive data collection in an endpoint of an enterprise security environment, the method comprising the steps of:

receiving a security assessment that describes an object in the environment, the security assessment being arranged to provide contextual meaning to the object and being defined with a time interval over which the security assessment is valid; and

switching from a first data collection mode to a second data collection mode responsively to the received security assessment, the second data collection mode invoking a method for collecting a larger subset of available data in the environment than is collected while in the first data collection mode.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Endpoints in an enterprise security environment are configured to adaptively switch from their normal data collection mode to a long-term, detailed data collection mode where advanced analyses are applied to the collected detailed data. Such adaptive data collection and analysis is triggered upon the receipt of a security assessment of a particular type, where a security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information (i.e., data in some context) that is collected about an object of interest. A specialized endpoint is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to detected security incidents in the environment. The specialized endpoint is arranged to perform various analyses and processes on historical security assessments.

288 Citations

20 Claims

1. A method for performing adaptive data collection in an endpoint of an enterprise security environment, the method comprising the steps of:
- receiving a security assessment that describes an object in the environment, the security assessment being arranged to provide contextual meaning to the object and being defined with a time interval over which the security assessment is valid; and
  
  switching from a first data collection mode to a second data collection mode responsively to the received security assessment, the second data collection mode invoking a method for collecting a larger subset of available data in the environment than is collected while in the first data collection mode.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 in which the first data collection mode is arranged for invoking a method for collecting summary data describing the object and the second data collection mode is arranged for invoking a method for collecting detailed data describing the object.
  - 3. The method of claim 1 including a further step of analyzing the collected detailed data by applying an algorithm or process, the algorithm or process being arranged for determining an occurrence of a security breach.
  - 4. The method of claim 3 including a further step of generating a security assessment in response to the analyzing.
  - 5. The method of claim 3 including a further step of rolling back to the first data collection mode in response to the analyzing.
  - 6. The method of claim 1 including a further step of rolling-back to the first data collection mode upon expiration of the time interval.
  - 7. The method of claim 1 including a further step of persistently storing the collected subset in accordance with a retention policy.
  - 8. The method of claim 1 in which the object is one of host, user, destination, or enterprise.
  - 9. The method of claim 1 in which the security assessment comprises a plurality of fields, at least one of which is a fidelity field that is arranged to express a degree of confidence an endpoint has in the security assessment.

10. A method used by an endpoint for performing analysis of historical data associated with an object in an enterprise security environment, the method comprising the steps of:
- receiving a security assessment that describes the object, the security assessment being arranged to provide contextual meaning to the object and being defined with a time interval over which the security assessment is valid;
  
  storing the received security assessment in a persistent log; and
  
  analyzing security assessments in the persistent log, the analyzing including application of a security event-detecting process.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10 in which the analyzed security assessment are historical security assessments comprising security assessments for which the time interval has expired.
  - 12. The method of claim 10 in which the security assessment conforms to a subscription-based publish and subscribe model and the endpoint subscribes to all security assessments published by other endpoints in the environment.
  - 13. The method of claim 10 in which the steps of receiving, storing and analyzing are performed in an automated manner to generate a user-reviewable report of security event data.

14. An enterprise security management product, arranged for use with one or more endpoints in an enterprise security environment, and performing a method comprising the steps of:
- subscribing to security assessments published by the endpoints, the security assessments each comprising a semantic abstraction that describes an object in the environment, the semantic abstraction being categorized by type and being interpreted among the endpoints and the management platform using a commonly-utilized taxonomy;
  
  receiving security assessments over a communication layer operating in the environment in accordance with the subscription; and
  
  logging the received security assessments to create a security assessment history.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The management product of claim 14 in which the method includes a further step of providing an interface to enable manual approval by an administrator of an action prior to the action being taken by an endpoint.
  - 16. The management product of claim 14 in which the method includes a further step of receiving a notification from the one or more endpoints, the notification indicating a local action taken by the notifying one or more endpoints.
  - 17. The management product of claim 14 in which the method includes a further step of applying an analysis to security assessment history, the analysis being arranged to detect possible security incidents.
  - 18. The management product of claim 14 in which the method includes a further step of extracting data associated with the object from a cyclic memory store
  - 19. The management product of claim 18 in which the method includes a further step of combining the extracted data with the security assessment history in a report that is reviewable by a user.
  - 20. The management product of claim 14 in which the method includes a further step of generating a cancellation for a security assessment, the cancellation being arranged for notifying an endpoint that a security assessment has expired even when a time-to-live associated with the security assessment has not expired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hudis, Efim, Helman, Yair, Barash, Uri, Malka, Joseph

Granted Patent

US 8,413,247 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1433 Vulnerability analysis

Adaptive data collection for root-cause analysis and intrusion detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

288 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive data collection for root-cause analysis and intrusion detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

288 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links