PATTERN SCANNER AND EDITOR FOR SECURITY AUDIT SYSTEMS
Abstract
A pattern scanner is provided for identifying which portions of a security log entry are unrecognizable by currently defined data patterns. Furthermore, an editor is provided for identifying portions of the security log entry that are recognizable by sub-patterns of the currently defined data patterns and portions of the security log entry that are not recognizable. The editor further provides a user interface through which a user may associate sub-patterns with portions of the security log entry that are not recognized. Moreover, a user interface may be provided for defining new sub-patterns that may be applied to recognizing portions of security log entries. A data pattern based on a combination of sub-patterns for the recognized and unrecognized portions of the security log entry may then be automatically generated.
27 Claims
1. A method, in a data processing system, for processing a security log data structure entry, comprising:
receiving an unrecognized security log entry, wherein the unrecognized security log entry is an entry in a raw security log data structure that is not able to be recognized by security audit agents based on already defined data patterns;
identifying first portions of the unrecognized security log entry that are recognized based on the already defined data patterns and second portions of the unrecognized security log entry that are not recognized;
providing a first user interface for receiving user input associating sub-patterns to the second portions of the unrecognized security log entry, wherein the first user interface identifies the first portions of the unrecognized security log entry as being recognized;
generating a new data pattern based on the association of sub-patterns to the second portions of the unrecognized security log entry; and
applying the new data pattern to a subsequent security log entry in one or more raw security log data structures to thereby extract security event data for generation of a security event.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A computer program product comprising a computer recordable medium having a computer readable program recorded thereon, wherein the computer readable program, when executed on a computing device, causes the computing device to:
receive an unrecognized security log entry, wherein the unrecognized security log entry is an entry in a raw security log data structure that is not able to be recognized by security audit agents based on already defined data patterns;
identify first portions of the unrecognized security log entry that are recognized based on the already defined data patterns and second portions of the unrecognized security log entry that are not recognized;
provide a first user interface for receiving user input associating sub-patterns to the second portions of the unrecognized security log entry, wherein the first user interface identifies the first portions of the unrecognized security log entry as being recognized;
generate a new data pattern based on the association of sub-patterns to the second portions of the unrecognized security log entry; and
apply the new data pattern to a subsequent security log entry in one or more raw security log data structures to thereby extract security event data for generation of a security event.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.

19. An apparatus, comprising:
a processor; and
a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor, cause the processor to:
receive an unrecognized security log entry, wherein the unrecognized security log entry is an entry in a raw security log data structure that is not able to be recognized by security audit agents based on already defined data patterns;
identify first portions of the unrecognized security log entry that are recognized based on the already defined data patterns and second portions of the unrecognized security log entry that are not recognized;
provide a first user interface for receiving user input associating sub-patterns to the second portions of the unrecognized security log entry, wherein the first user interface identifies the first portions of the unrecognized security log entry as being recognized;
generate a new data pattern based on the association of sub-patterns to the second portions of the unrecognized security log entry; and
apply the new data pattern to a subsequent security log entry in one or more raw security log data structures to thereby extract security event data for generation of a security event.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27.
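The scan, associate, generate and apply steps of the independent claims, as an added illustration that is not code from the patent or its assignee. The sub-pattern library, the sshd-style log entries and the user's choices are all constructed assumptions; the editor's user interface is simulated by a dict of token index to sub-pattern name.

```python
import re

# Constructed sub-pattern library (name -> regex fragment); assumed for this
# example, the patent does not enumerate its own sub-patterns.
SUB_PATTERNS = {
    "TIMESTAMP": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
}

def scan(entry, library):
    """Pattern scanner: split the raw entry into whitespace tokens and tag each with
    the first sub-pattern that fully matches it, or None if nothing recognizes it."""
    return [(tok, next((n for n, rx in library.items() if re.fullmatch(rx, tok)), None))
            for tok in entry.split()]

def generate_pattern(tagged, user_choices, library):
    """Editor step: user_choices maps a token index the scanner left unrecognized to a
    sub-pattern name from library. Still-unassigned tokens become literal text.
    The result is a compiled data pattern whose named groups are the event fields."""
    parts, seen = [], {}
    for i, (tok, name) in enumerate(tagged):
        name = name or user_choices.get(i)
        if name is None:
            parts.append(re.escape(tok))           # fixed text, e.g. "Failed"
            continue
        seen[name] = seen.get(name, 0) + 1         # disambiguate repeated fields
        field = name.lower() + (str(seen[name]) if seen[name] > 1 else "")
        parts.append(f"(?P<{field}>{library[name]})")
    return re.compile(r"\s+".join(parts))

def extract_event(pattern, entry):
    """Apply a generated data pattern to a later raw entry; returns the extracted
    field dict (the security event data) or None when the entry does not match."""
    m = pattern.fullmatch(entry)
    return m.groupdict() if m else None

# Constructed sshd-style entries, invented for this example.
UNRECOGNIZED = "2024-03-01T10:22:07 sshd[2231]: Failed password for user admin from 203.0.113.7 port 51322"
NEXT_ENTRY = "2024-03-01T10:22:09 sshd[2240]: Failed password for user root from 198.51.100.23 port 40012"

def demo():
    tagged = scan(UNRECOGNIZED, SUB_PATTERNS)          # only TIMESTAMP and IPV4 hit
    # The user defines three new sub-patterns and assigns them to tokens 1, 6 and 10.
    library = {**SUB_PATTERNS, "PROCESS": r"[a-z]+\[\d+\]:",
               "USERNAME": r"[a-z_][a-z0-9_]*", "PORT": r"\d{1,5}"}
    pattern = generate_pattern(tagged, {1: "PROCESS", 6: "USERNAME", 10: "PORT"}, library)
    return extract_event(pattern, NEXT_ENTRY)

if __name__ == "__main__":
    print(demo())
```

Because unassigned tokens become exact literals, the generated pattern only fires on entries with the same fixed text ("Failed password for user"), so an "Accepted password" entry is correctly left unmatched for a separate pattern.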