METHOD AND SYSTEM FOR DISPLAYING NETWORK SECURITY INCIDENTS
Abstract
A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules, and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information of the network sessions and security incidents to a user of the system in an intuitive form. The user is able not only to learn the details of a possible network attack, but also to create new security event correlation rules intuitively, including drop rules for dropping a particular type of event.
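To make the abstract concrete, here is an added Python example (not code from the patent): each row of a small constraint table carries a source, destination and event-type constraint that selects a subset of a constructed event list, a row may state a relationship to an earlier row, and a drop rule removes an event type before correlation. The relationship kinds, the CIDR matching and the rule table are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample events (not from the patent): (time, src, dst, event_type)
EVENTS = [
    (1, "10.0.0.5", "192.168.1.10", "port_scan"),
    (2, "10.0.0.5", "192.168.1.10", "login_failure"),
    (3, "10.0.0.5", "192.168.1.10", "login_failure"),
    (4, "10.0.0.7", "192.168.1.10", "login_failure"),
    (5, "10.0.0.5", "192.168.1.10", "login_success"),
]

def addr_ok(constraint, addr):  # '*' means any address; otherwise CIDR or single address
    return constraint == "*" or ip_address(addr) in ip_network(constraint, strict=False)

def row_matches(row, ev):  # one row = source, destination and event-type constraints
    _, src, dst, etype = ev
    return (addr_ok(row["src"], src) and addr_ok(row["dst"], dst)
            and (row["type"] == "*" or etype in row["type"]))

def apply_relation(rel, subset, other):
    """Keep only events of this row's subset that satisfy its relationship to another row."""
    if rel is None:
        return subset
    if not other:  # the referenced row selected nothing, so the relationship cannot hold
        return []
    if rel[0] == "same_source":
        return [e for e in subset if e[1] in {o[1] for o in other}]
    if rel[0] == "after":  # this row's events occur after the other row's first event
        first = min(o[0] for o in other)
        return [e for e in subset if e[0] > first]
    raise ValueError(f"unknown relationship {rel[0]}")

def evaluate(table, events, drop_types=()):
    """Return (incident_fires, per_row_subsets); a row may reference an earlier row."""
    events = [e for e in events if e[3] not in drop_types]  # drop rules applied first
    subsets = []
    for row in table:
        subset = [e for e in events if row_matches(row, e)]
        rel = row.get("rel")
        other = subsets[rel[1]] if rel else None
        subsets.append(apply_relation(rel, subset, other))
    return all(subsets), subsets  # incident only if every row selected something

# Constructed rule table: a scan, then failed logins from the same source, then a success
TABLE = [
    {"src": "10.0.0.0/24", "dst": "192.168.1.10", "type": {"port_scan"}},
    {"src": "*", "dst": "192.168.1.10", "type": {"login_failure"}, "rel": ("same_source", 0)},
    {"src": "*", "dst": "*", "type": {"login_success"}, "rel": ("after", 1)},
]
```

Running `evaluate(TABLE, EVENTS)` fires the incident with the second row narrowed to the two failures from 10.0.0.5; adding `drop_types=("login_success",)` empties the last row and suppresses it.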
21 Claims
1. A method comprising:
- causing display of a table comprising rows of data arranged in columns;
- wherein data displayed in the rows of the table define a set of network events that constitute a security incident;
- wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
- wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
- wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
- wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
- wherein data displayed in the at least one row specifies a current relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
- wherein the table is editable by a user to specify a relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
- wherein the method is performed by one or more computing devices.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer-readable storage medium storing instructions which, when executed by one or more computing devices, cause the one or more computing devices to perform:
- causing display of a table comprising rows of data arranged in columns;
- wherein data displayed in the rows of the table define a set of network events that constitute a security incident;
- wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
- wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
- wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
- wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
- wherein data displayed in the at least one row specifies a current relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
- wherein the table is editable by a user to specify a relationship between the subset and a set of one or more network events defined by data displayed in another row in the table.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A graphical user interface, comprising:
- a table comprising rows of data arranged in columns;
- wherein data displayed in the rows of the table define a set of network events that constitute a security incident;
- wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
- wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
- wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
- wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
- wherein data displayed in the at least one row specifies a current relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
- wherein the table is editable by a user to specify a relationship between the subset and a set of one or more network events defined by data displayed in another row in the table.
Dependent claims: 16, 17, 18, 19, 20, 21.
Specification