PATTERN SCANNER AND EDITOR FOR SECURITY AUDIT SYSTEMS

US 20090297043A1
Filed: 05/28/2008
Published: 12/03/2009
Est. Priority Date: 05/28/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method, in a data processing system, for processing a security log data structure entry, comprising:

receiving an unrecognized security log entry, wherein the unrecognized security log entry is an entry in a raw security log data structure that is not able to be recognized by security audit agents based on already defined data patterns;

identifying first portions of the unrecognized security log entry that are recognized based on the already defined data patterns and second portions of the unrecognized security log entry that are not recognized;

providing a first user interface for receiving user input associating sub-patterns to the second portions of the unrecognized security log entry, wherein the first user interface identifies the first portions of the unrecognized security log entry as being recognized;

generating a new data pattern based on the association of sub-patterns to the second portions of the unrecognized security log entry; and

applying the new data pattern to a subsequent security log entry in one or more raw security log data structures to thereby extract security event data for generation of a security event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pattern scanner is provided for identifying which portions of a security log entry is unrecognizable by currently defined data patterns. Furthermore, an editor is provided for identifying portions of the security log entry that are recognizable by sub-patterns of the currently defined data patterns and portions of the security log entry that are not recognizable. The editor further provides a user interface through which a user may associated sub-patterns with portions of the security log entry that are not recognized. Moreover, a user interface may be provided for defining new sub-patterns that may be applied to recognizing portions of security log entries. A data pattern based on a combination of sub-patterns for the recognized and unrecognized portions of the security log entry may then be automatically generated.

24 Citations

View as Search Results

27 Claims

1. A method, in a data processing system, for processing a security log data structure entry, comprising:
- receiving an unrecognized security log entry, wherein the unrecognized security log entry is an entry in a raw security log data structure that is not able to be recognized by security audit agents based on already defined data patterns;
  
  identifying first portions of the unrecognized security log entry that are recognized based on the already defined data patterns and second portions of the unrecognized security log entry that are not recognized;
  
  providing a first user interface for receiving user input associating sub-patterns to the second portions of the unrecognized security log entry, wherein the first user interface identifies the first portions of the unrecognized security log entry as being recognized;
  
  generating a new data pattern based on the association of sub-patterns to the second portions of the unrecognized security log entry; and
  
  applying the new data pattern to a subsequent security log entry in one or more raw security log data structures to thereby extract security event data for generation of a security event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein identifying first portions and second portions of the unrecognized security log entry comprises:
    - applying pre-defined sub-patterns of the already defined data patterns to portions of the unrecognized security log entry; and
      
      determining if the pre-defined sub-patterns match one or more of the portions of the unrecognized security log entry, wherein if a pre-defined sub-pattern matches a portion of the unrecognized security log entry, the portion is marked as a first portion of the unrecognized security log entry and the pre-defined sub-pattern is associated with the portion.
  - 3. The method of claim 2, wherein the new data pattern is generated based on a combination of pre-defined sub-patterns matching first portions of the unrecognized security log entry and sub-patterns associated with the second portions of the unrecognized security log entry.
  - 4. The method of claim 1, further comprising:
    - receiving user input for associating a log attribute type, from a plurality of defined log attribute types, with one or more of the first portions and second portions of the unrecognized security log entry, wherein the log attribute type has an associated sub-pattern.
  - 5. The method of claim 4, further comprising:
    - providing a second user interface for defining a new log attribute type to be added to the plurality of defined log attribute types, the new log attribute type having an associated sub-pattern; and
      
      associating the new log attribute type with one or more of the second portions of the unrecognized security log entry.
  - 6. The method of claim 4, wherein the first user interface displays a copy of the unrecognized security log entry and identifies the first portions of the unrecognized security log entry as being recognized by displaying an indication of log attribute types associated with the first portions in the first user interface in association with a display of the first portions, and wherein the second portions are displayed without an indication of any associated log attribute types.
  - 7. The method of claim 6, wherein the indication of log attribute types is color coded based on the log attribute type with each log attribute type having a different color for display of the log attribute type'"'"'s indicator.
  - 8. The method of claim 6, wherein the unrecognized security log entry comprises a plurality of log attributes having constant-variable pairs, and wherein the display of the copy of the unrecognized security log entry compresses the constants of the constant-variable pairs such that they are not displayed.
  - 9. The method of claim 6, wherein the indication of log attribute types comprises call-out boxes with lines associating the call-out boxes with their associated first portions, and wherein the call-out boxes display a name of the log attribute type.

10. A computer program product comprising a computer recordable medium having a computer readable program recorded thereon, wherein the computer readable program, when executed on a computing device, causes the computing device to:
- receive an unrecognized security log entry, wherein the unrecognized security log entry is an entry in a raw security log data structure that is not able to be recognized by security audit agents based on already defined data patterns;
  
  identify first portions of the unrecognized security log entry that are recognized based on the already defined data patterns and second portions of the unrecognized security log entry that are not recognized;
  
  provide a first user interface for receiving user input associating sub-patterns to the second portions of the unrecognized security log entry, wherein the first user interface identifies the first portions of the unrecognized security log entry as being recognized;
  
  generate a new data pattern based on the association of sub-patterns to the second portions of the unrecognized security log entry; and
  
  apply the new data pattern to a subsequent security log entry in one or more raw security log data structures to thereby extract security event data for generation of a security event.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer program product of claim 10, wherein the computer readable program causes the computing device to identify first portions and second portions of the unrecognized security log entry by:
    - applying pre-defined sub-patterns of the already defined data patterns to portions of the unrecognized security log entry; and
      
      determining if the pre-defined sub-patterns match one or more of the portions of the unrecognized security log entry, wherein if a pre-defined sub-pattern matches a portion of the unrecognized security log entry, the portion is marked as a first portion of the unrecognized security log entry and the pre-defined sub-pattern is associated with the portion.
  - 12. The computer program product of claim 11, wherein the new data pattern is generated based on a combination of pre-defined sub-patterns matching first portions of the unrecognized security log entry and sub-patterns associated with the second portions of the unrecognized security log entry.
  - 13. The computer program product of claim 10, wherein the computer readable program further causes the computing device to:
    - receive user input for associating a log attribute type, from a plurality of defined log attribute types, with one or more of the first portions and second portions of the unrecognized security log entry, wherein the log attribute type has an associated sub-pattern.
  - 14. The computer program product of claim 13, wherein the computer readable program further causes the computing device to:
    - provide a second user interface for defining a new log attribute type to be added to the plurality of defined log attribute types, the new log attribute type having an associated sub-pattern; and
      
      associate the new log attribute type with one or more of the second portions of the unrecognized security log entry.
  - 15. The computer program product of claim 13, wherein the first user interface displays a copy of the unrecognized security log entry and identifies the first portions of the unrecognized security log entry as being recognized by displaying an indication of log attribute types associated with the first portions in the first user interface in association with a display of the first portions, and wherein the second portions are displayed without an indication of any associated log attribute types.
  - 16. The computer program product of claim 15, wherein the indication of log attribute types is color coded based on the log attribute type with each log attribute type having a different color for display of the log attribute type'"'"'s indicator.
  - 17. The computer program product of claim 15, wherein the unrecognized security log entry comprises a plurality of log attributes having constant-variable pairs, and wherein the display of the copy of the unrecognized security log entry compresses the constants of the constant-variable pairs such that they are not displayed.
  - 18. The computer program product of claim 15, wherein the indication of log attribute types comprises call-out boxes with lines associating the call-out boxes with their associated first portions, and wherein the call-out boxes display a name of the log attribute type.

19. An apparatus, comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor, cause the processor to;
  
  receive an unrecognized security log entry, wherein the unrecognized security log entry is an entry in a raw security log data structure that is not able to be recognized by security audit agents based on already defined data patterns;
  
  identify first portions of the unrecognized security log entry that are recognized based on the already defined data patterns and second portions of the unrecognized security log entry that are not recognized;
  
  provide a first user interface for receiving user input associating sub-patterns to the second portions of the unrecognized security log entry, wherein the first user interface identifies the first portions of the unrecognized security log entry as being recognized;
  
  generate a new data pattern based on the association of sub-patterns to the second portions of the unrecognized security log entry; and
  
  apply the new data pattern to a subsequent security log entry in one or more raw security log data structures to thereby extract security event data for generation of a security event.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The apparatus of claim 19, wherein the instructions cause the processor to identify first portions and second portions of the unrecognized security log entry by:
    - applying pre-defined sub-patterns of the already defined data patterns to portions of the unrecognized security log entry; and
      
      determining if the pre-defined sub-patterns match one or more of the portions of the unrecognized security log entry, wherein if a pre-defined sub-pattern matches a portion of the unrecognized security log entry, the portion is marked as a first portion of the unrecognized security log entry and the pre-defined sub-pattern is associated with the portion.
  - 21. The apparatus of claim 20, wherein the new data pattern is generated based on a combination of pre-defined sub-patterns matching first portions of the unrecognized security log entry and sub-patterns associated with the second portions of the unrecognized security log entry.
  - 22. The apparatus of claim 19, wherein the instructions further cause the processor to:
    - receive user input for associating a log attribute type, from a plurality of defined log attribute types, with one or more of the first portions and second portions of the unrecognized security log entry, wherein the log attribute type has an associated sub-pattern.
  - 23. The apparatus of claim 22, wherein the instructions further cause the processor to:
    - provide a second user interface for defining a new log attribute type to be added to the plurality of defined log attribute types, the new log attribute type having an associated sub-pattern; and
      
      associate the new log attribute type with one or more of the second portions of the unrecognized security log entry.
  - 24. The apparatus of claim 22, wherein the first user interface displays a copy of the unrecognized security log entry and identifies the first portions of the unrecognized security log entry as being recognized by displaying an indication of log attribute types associated with the first portions in the first user interface in association with a display of the first portions, and wherein the second portions are displayed without an indication of any associated log attribute types.
  - 25. The apparatus of claim 24, wherein the indication of log attribute types is color coded based on the log attribute type with each log attribute type having a different color for display of the log attribute type'"'"'s indicator.
  - 26. The apparatus of claim 24, wherein the unrecognized security log entry comprises a plurality of log attributes having constant-variable pairs, and wherein the display of the copy of the unrecognized security log entry compresses the constants of the constant-variable pairs such that they are not displayed.
  - 27. The apparatus of claim 24, wherein the indication of log attribute types comprises call-out boxes with lines associating the call-out boxes with their associated first portions, and wherein the call-out boxes display a name of the log attribute type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Wang, Ping, Yu, Jean X., Hinton, Heather M., Xiao, Hang

Application Number

US12/127,925
Publication Number

US 20090297043A1
Time in Patent Office

Days
Field of Search
US Class Current

382/219
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

PATTERN SCANNER AND EDITOR FOR SECURITY AUDIT SYSTEMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

PATTERN SCANNER AND EDITOR FOR SECURITY AUDIT SYSTEMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links