SECURITY EVENT MONITORING DEVICE, METHOD, AND PROGRAM

US 20130067572A1
Filed: 09/10/2012
Published: 03/14/2013
Est. Priority Date: 09/13/2011
Status: Abandoned Application

First Claim

Patent Images

1. A security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, the security event monitoring device comprising:

a storage module which stores in advance a correlation rule that is applied when performing a correlation analysis on each of the logs;

a log collection unit which receives each of the logs from each of the monitoring target devices;

a correlation analysis unit which generates scenario candidates in which each of the logs is associated with each other by applying the correlation rule to each of the logs, and stores the scenario candidates to the storage module along with an importance degree of the scenario candidate given by the correlation rule;

a scenario candidate evaluation unit which recalculates the importance degree for each of the scenario candidates; and

a result display unit which displays/outputs the scenario candidate with the recalculated high importance degree, whereinthe scenario candidate evaluation unit comprises;

a user association degree evaluation function which enumerates possible users who may have done each of the operations contained in each of the scenario candidates, and calculates user association degrees that are relevancies of each of the users for each of the operations;

an operation association degree evaluation function which calculates operation association degrees that are relevancies between each of the operations of each of the scenario candidates; and

a scenario candidate importance degree reevaluation function which recalculates the importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The security event monitoring device includes: a storage module which stores in advance a correlation rule; a log collection unit which receives each log from each monitoring target device; a correlation analysis unit which generates scenario candidates by associating each of the logs; a scenario candidate evaluation unit which calculates the importance degrees of each scenario candidate; and a result display unit which displays/outputs the scenario candidate of a high importance degree. The scenario candidate evaluation unit includes: a user association degree evaluation function which calculates user association degrees; an operation association degree evaluation function which calculates the operation association degrees; and a scenario candidate importance reevaluation function which recalculates the importance degrees of each of the scenario candidates by each user according to the user association degrees and the operation association degrees.

34 Citations

View as Search Results

10 Claims

1. A security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, the security event monitoring device comprising:
- a storage module which stores in advance a correlation rule that is applied when performing a correlation analysis on each of the logs;
  
  a log collection unit which receives each of the logs from each of the monitoring target devices;
  
  a correlation analysis unit which generates scenario candidates in which each of the logs is associated with each other by applying the correlation rule to each of the logs, and stores the scenario candidates to the storage module along with an importance degree of the scenario candidate given by the correlation rule;
  
  a scenario candidate evaluation unit which recalculates the importance degree for each of the scenario candidates; and
  
  a result display unit which displays/outputs the scenario candidate with the recalculated high importance degree, whereinthe scenario candidate evaluation unit comprises;
  
  a user association degree evaluation function which enumerates possible users who may have done each of the operations contained in each of the scenario candidates, and calculates user association degrees that are relevancies of each of the users for each of the operations;
  
  an operation association degree evaluation function which calculates operation association degrees that are relevancies between each of the operations of each of the scenario candidates; and
  
  a scenario candidate importance degree reevaluation function which recalculates the importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The security event monitoring device as claimed in claim 1, whereinthe user association degree evaluation function enumerates the users capable of conducting an operation for the monitoring target device at a time where the operations contained in each of the scenario candidates are conducted.
  - 3. The security event monitoring device as claimed in claim 1, whereinthe user association degree evaluation function enumerates the users authorized to conduct the operations contained in each of the scenario candidates by making an inquiry to a directory service device connected externally.
  - 4. The security event monitoring device as claimed in claim 1, whereinthe operation association degree evaluation function calculates the operation association degrees from a similarity between files to be the targets of each of the operations based on an evaluation standard given in advance.
  - 5. The security event monitoring device as claimed in claim 4, whereinthe operation association degree evaluation function uses at least one selected from names, sizes, pass names, hash values, and electronic signatures of files as the targets of each of the operations as the evaluation standard of the similarity between the files.
  - 6. The security event monitoring device as claimed in claim 1, whereinthe scenario candidate importance degree reevaluation function recalculates the importance degrees of each of the scenario candidates of each of the users by integrating a total value of products of the user association degrees of the each of the users corresponding to the scenario candidate and the importance degrees of each of the operations contained in each of the scenario candidates with a total value of products of the operation association degrees between each of the operations contained in each of the scenario candidates, the importance degrees of the operations, and the importance degrees of each of the scenario candidates.
  - 7. The security event monitoring device as claimed in claim 1, whereinthe result display unit displays the scenario candidate of the high importance together with the user of the high association degree for the scenario candidate.

8. A security event monitoring method used for a security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, wherein:
- a log collection unit receives each of the logs from each of the monitoring target devices;
  
  a correlation analysis unit which generates scenario candidates in which each of the logs is associated with each other by applying a correlation rule to each of the logs;
  
  the correlation analysis unit stores each of the scenario candidates to the storage module along with importance degrees of the scenario candidates given by the correlation rule;
  
  a user association degree evaluation function of a scenario candidate evaluation unit enumerates possible users who may have done each of the operations contained in each of the scenario candidates;
  
  the user association degree evaluation function calculates the user association degrees that are relevancies of each of the users for each of the operations;
  
  an operation association degree evaluation function of the scenario candidate evaluation unit calculates operation association degrees that are relevancies between each of the operations of each of the scenario candidates;
  
  a scenario candidate importance degree recalculation function of the scenario candidate evaluation unit recalculates the importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees; and
  
  a result display unit displays/outputs the scenario candidate of the high importance degree.

9. A non-transitory computer readable recording medium storing a security event monitoring program used in a security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, the program causing a computer provided to the security event monitoring device to execute:
- a procedure for receiving each of the logs from each of the monitoring target devices;
  
  a procedure for generating scenario candidates in which each of the logs are associated by applying a correlation rule given in advance to each of the logs;
  
  a procedure for storing each of the scenario candidates along with the importance degrees of the scenario candidates given by the correlation rule;
  
  a procedure for enumerating possible users who may have done each of the operations contained in each of the scenario candidates;
  
  a procedure for calculating user association degrees that are relevancies of each of the users for each of the operations;
  
  a procedure for calculating operation association degrees that are relevancies between each of the operations of each of the scenario candidates;
  
  a procedure for recalculating importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees; and
  
  a procedure for displaying/outputting the scenario candidate of the high importance degree.

10. A security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, the security event monitoring device comprising:
- storage means for storing in advance a correlation rule that is applied when performing a correlation analysis on each of the logs;
  
  log collection means for receiving each of the logs from each of the monitoring target devices;
  
  correlation analysis means for generating scenario candidates in which each of the logs is associated with each other by applying the correlation rule to each of the logs, and storing the scenario candidates to the storage means along with an importance degree of the scenario candidate given by the correlation rule;
  
  scenario candidate evaluation means for recalculating the importance degree for each of the scenario candidates; and
  
  result display means for displaying/outputting the scenario candidate with the recalculated high importance degree, whereinthe scenario candidate evaluation means comprises;
  
  a user association degree evaluation function which enumerates possible users who may have done each of the operations contained in each of the scenario candidates, and calculates user association degrees that are relevancies of each of the users for each of the operations;
  
  an operation association degree evaluation function which calculates operation association degrees that are relevancies between each of the operations of each of the scenario candidates; and
  
  a scenario candidate importance degree reevaluation function which recalculates the importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Muramoto, Eiji

Application Number

US13/608,741
Publication Number

US 20130067572A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1408 by monitoring network traff...

SECURITY EVENT MONITORING DEVICE, METHOD, AND PROGRAM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

SECURITY EVENT MONITORING DEVICE, METHOD, AND PROGRAM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others