METHOD AND SYSTEM FOR DISPLAYING NETWORK SECURITY INCIDENTS

US 20100058165A1
Filed: 11/16/2009
Published: 03/04/2010
Est. Priority Date: 09/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

causing display of a table comprising rows of data arranged in columns;

wherein data displayed in the rows of the table define a set of network events that constitute a security incident;

wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;

wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;

wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;

wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;

wherein data displayed in the at least one row specifies a current relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;

wherein the table is editable by a user to specify a relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;

wherein the method is performed by one or more computing devices.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information of the network sessions and security incidents to a user of the system in an intuitive form. The user is able to not only learn the details of a possible network attack, but also creates new security event correlation rules intuitively, including drop rules for dropping a particular type of events.

Citations

21 Claims

1. A method comprising:
- causing display of a table comprising rows of data arranged in columns;
  
  wherein data displayed in the rows of the table define a set of network events that constitute a security incident;
  
  wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
  
  wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
  
  wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
  
  wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
  
  wherein data displayed in the at least one row specifies a current relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
  
  wherein the table is editable by a user to specify a relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the plurality of network event constraints further comprises a count constraint that specifies, as a necessary condition of the security incident, a minimum number of network events that must each satisfy all other constraints of the plurality of network event constraints.
  - 3. The method of claim 1, wherein the current relationship between the subset and the set of one or more network events defined by data displayed in the other row is a logical relationship.
  - 4. The method of claim 3, wherein the logical relationship is a logical OR relationship or a logical AND relationship.
  - 5. The method of claim 1, wherein the current relationship between the subset and the set of one or more network events defined by data displayed in the other row is a temporal relationship.
  - 6. The method of claim 5, wherein the temporal relationship specifies, as a necessary condition of the security incident, that at least one network event belonging to said subset must be detected before any network event belonging to the set of one or more network events defined by data displayed in the other row is detected.
  - 7. The method of claim 1, wherein at least one of the source network address constraint and the destination network address constraint is dependent on either a source network address constraint or a destination network address constraint specified by data displayed in another row of the table.

8. A computer-readable storage medium storing instructions which, when executed by one or more computing devices, cause the one or more computing devices to perform:
- causing display of a table comprising rows of data arranged in columns;
  
  wherein data displayed in the rows of the table define a set of network events that constitute a security incident;
  
  wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
  
  wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
  
  wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
  
  wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
  
  wherein data displayed in the at least one row specifies a current relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
  
  wherein the table is editable by a user to specify a relationship between the subset and a set of one or more network events defined by data displayed in another row in the table.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, wherein the plurality of network event constraints further comprises a count constraint that specifies, as a necessary condition of the security incident, a minimum number of network events that must each satisfy all other constraints of the plurality of network event constraints.
  - 10. The computer-readable storage medium of claim 8, wherein the current relationship between the subset and the set of one or more network events defined by data displayed in the other row is a logical relationship.
  - 11. The computer-readable storage medium of claim 10, wherein the logical relationship is a logical OR relationship or a logical AND relationship.
  - 12. The computer-readable storage medium of claim 8, wherein the current relationship between the subset and the set of one or more network events defined by data displayed in the other row is a temporal relationship.
  - 13. The computer-readable storage medium of claim 12, wherein the temporal relationship specifies, as a necessary condition of the security incident, that at least one network event belonging to said subset must be detected before any network event belonging to the set of one or more network events defined by data displayed in the other row is detected.
  - 14. The computer-readable storage medium of claim 8, wherein at least one of the source network address constraint and the destination network address constraint is dependent on either a source network address constraint or a destination network address constraint specified by data displayed in another row of the table.

15. A graphical user interface, comprising:
- a table comprising rows of data arranged in columns;
  
  wherein data displayed in the rows of the table define a set of network events that constitute a security incident;
  
  wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
  
  wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
  
  wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
  
  wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
  
  wherein data displayed in the at least one row specifies a current relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
  
  wherein the table is editable by a user to specify a relationship between the subset and a set of one or more network events defined by data displayed in another row in the table.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The graphical user interface of claim 15, wherein the plurality of constraints further comprises a count constraint that specifies, as a necessary condition of the security incident, a minimum number of network events that must each satisfy all other constraints of the plurality of constraints.
  - 17. The graphical user interface of claim 15, wherein the current relationship between the subset and the set of one or more network events defined by data displayed in the other row is a logical relationship.
  - 18. The graphical user interface of claim 17, wherein the logical relationship is a logical OR relationship or a logical AND relationship.
  - 19. The graphical user interface of claim 15, wherein the current relationship between the subset and the set of one or more network events defined by data displayed in the other row is a temporal relationship.
  - 20. The graphical user interface of claim 19, wherein the temporal relationship specifies, as a necessary condition of the security incident, that at least one network event belonging to said subset must be detected before any network event belonging to the set of one or more network events defined by data displayed in the other row is detected.
  - 21. The graphical user interface of claim 15, wherein at least one of the source network address constraint and the destination network address constraint is dependent on either a source network address constraint or a destination network address constraint specified by data displayed in another row of the table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Aji Joseph, Diwakar Naramreddy, Eli Stevens, Imin T. Lee, Partha Bhattacharya
Original Assignee
Aji Joseph, Diwakar Naramreddy, Eli Stevens, Imin T. Lee, Partha Bhattacharya
Inventors
Lee, Imin T., Bhattacharya, Partha, Stevens, Eli, Joseph, Aji, Naramreddy, Diwakar

Granted Patent

US 8,423,894 B2
Time in Patent Office

Days
Field of Search
US Class Current

715/227
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

METHOD AND SYSTEM FOR DISPLAYING NETWORK SECURITY INCIDENTS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DISPLAYING NETWORK SECURITY INCIDENTS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links