DETECTING NETWORK INTRUSION AND ANOMALY INCIDENTS
Abstract
In an embodiment, a method comprises: using computing apparatus, receiving one or more data streams, determining one or more characteristics of the one or more data streams, and based on the one or more characteristics of the one or more data streams, determining one or more tags for the one or more data streams; determining whether the one or more tags indicate one or more malicious patterns representative of network intrusions; in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions: generating, based on the one or more tags, one or more aggregated alert streams; applying one or more rules to the one or more aggregated alert streams and receiving a result indicating whether a network intrusion is in progress; in response thereto, determining and executing one or more remedial actions.
Claims (20)
1. A computer-implemented data processing method comprising:
using computing apparatus, receiving one or more data streams, determining one or more characteristics of the one or more data streams, and based on the one or more characteristics of the one or more data streams, determining one or more tags for the one or more data streams;
using computing apparatus, determining whether the one or more tags indicate one or more malicious patterns representative of network intrusions;
using computing apparatus, in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions:
generating, based on the one or more tags, one or more aggregated alert streams;
applying one or more rules to the one or more aggregated alert streams and receiving a result indicating whether a network intrusion is in progress;
in response to receiving the result indicating that the network intrusion is in progress, determining and executing one or more remedial actions.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer system comprising:
one or more processors;
a stream database unit coupled to the one or more processors and configured to use computing apparatus to:
receive one or more data streams;
determine one or more characteristics of the one or more data streams;
based on the one or more characteristics of the one or more data streams, determine one or more tags for the one or more data streams;
determine whether the one or more tags indicate one or more malicious patterns representative of network intrusions;
in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions, generate, based on the one or more tags, one or more aggregated alert streams;
a rule engine configured to:
apply one or more rules to the one or more aggregated alert streams and receive a result indicating whether a network intrusion is in progress;
in response to receiving the result indicating that the network intrusion is in progress, determine and execute one or more remedial action.
Dependent claims: 10, 11, 12.
13. A non-transitory computer-readable storage medium storing one or more instructions which, when executed by one or more processors, cause performing:
using the one or more processors, receiving one or more data streams, determining one or more characteristics of the one or more data streams, and based on the one or more characteristics of the one or more data streams, determining one or more tags for the one or more data streams;
using the one or more processors, determining whether the one or more tags indicate one or more malicious patterns representative of network intrusions;
using the one or more processors, in response to determining that the one or more tags indicate one or more malicious patterns representative of network intrusions:
generating, based on the one or more tags, one or more aggregated alert streams;
applying one or more rules to the one or more aggregated alert streams to determine whether a network intrusion is in progress;
in response to determining that the network intrusion is in progress, determining and executing one or more remedial action.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
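The independent claims above all describe the same six-stage pipeline: characterise records in a data stream, derive tags, match tags against malicious patterns, aggregate the matches into alert streams, apply rules to the aggregates, and select a remedial action when a rule fires. The following is an added example written for this page, not code from the patent or its assignee, showing that pipeline end to end over a constructed stream of connection records. The record fields, tag names, pattern definitions, rule thresholds and action names are all assumptions chosen for illustration; the "execution" of a remedial action is simulated by writing to an audit list.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of a data stream: connection records as a monitoring
# agent might emit them. Field names are hypothetical.
SAMPLE_STREAM = [
    *[{"src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "bytes": 96, "auth_failed": True}
      for _ in range(6)],
    {"src": "10.0.0.7", "dst": "203.0.113.9", "dport": 443, "bytes": 8_000_000, "auth_failed": False},
    {"src": "10.0.0.9", "dst": "10.0.1.30", "dport": 22, "bytes": 96, "auth_failed": True},
    {"src": "10.0.0.9", "dst": "10.0.1.30", "dport": 22, "bytes": 96, "auth_failed": True},
    {"src": "10.0.0.11", "dst": "10.0.1.40", "dport": 443, "bytes": 2048, "auth_failed": False},
]

INTERNAL_PREFIX = "10."          # assumed internal address range
EXPECTED_PORTS = {22, 80, 443}   # assumed set of services normally in use


def characterize(record):
    """Stage 1: derive characteristics of a single record."""
    return {
        "src": record["src"],
        "dst": record["dst"],
        "dport": record["dport"],
        "bytes": record["bytes"],
        "auth_failed": record["auth_failed"],
        "external_dst": not record["dst"].startswith(INTERNAL_PREFIX),
    }


def tag(chars):
    """Stage 2: map characteristics to a set of tags."""
    tags = set()
    if chars["dport"] == 22:
        tags.add("ssh")
    if chars["auth_failed"]:
        tags.add("auth-failure")
    if chars["external_dst"] and chars["bytes"] >= 1_000_000:
        tags.add("large-egress")
    if chars["dport"] not in EXPECTED_PORTS:
        tags.add("unusual-port")
    return tags


# Stage 3: tag combinations treated as malicious patterns (constructed).
MALICIOUS_PATTERNS = {
    "ssh-bruteforce": {"ssh", "auth-failure"},
    "exfiltration": {"large-egress"},
    "port-scan": {"unusual-port"},
}


def matched_patterns(tags):
    """Return the names of every pattern whose required tags are all present."""
    return [name for name, required in MALICIOUS_PATTERNS.items() if required <= tags]


@dataclass
class AlertStream:
    """Stage 4: one aggregated alert stream, keyed by (source, pattern)."""
    count: int = 0
    total_bytes: int = 0
    destinations: set = field(default_factory=set)
    dports: set = field(default_factory=set)


def aggregate(records):
    """Fold tagged records into per-(source, pattern) aggregated alert streams."""
    streams = defaultdict(AlertStream)
    for rec in records:
        chars = characterize(rec)
        for pattern in matched_patterns(tag(chars)):
            s = streams[(chars["src"], pattern)]
            s.count += 1
            s.total_bytes += chars["bytes"]
            s.destinations.add(chars["dst"])
            s.dports.add(chars["dport"])
    return streams


# Stage 5: rules applied to aggregated streams; each returns True when the
# aggregate indicates an intrusion in progress (thresholds are constructed).
RULES = {
    "ssh-bruteforce": lambda s: s.count >= 5,
    "exfiltration": lambda s: s.total_bytes >= 5_000_000,
    "port-scan": lambda s: len(s.dports) >= 10,
}

# Stage 6: remedial action chosen per confirmed pattern (constructed names).
REMEDIATION = {
    "ssh-bruteforce": "block-source-at-firewall",
    "exfiltration": "isolate-host",
    "port-scan": "rate-limit-source",
}


def execute(action, src, audit):
    """Stand-in for executing an action: append it to an audit log."""
    audit.append(f"{action} src={src}")


def run_pipeline(records):
    """Run all stages; return ({(src, pattern): action}, audit_log)."""
    decisions, audit = {}, []
    for (src, pattern), stream in aggregate(records).items():
        if RULES[pattern](stream):
            action = REMEDIATION[pattern]
            decisions[(src, pattern)] = action
            execute(action, src, audit)
    return decisions, audit


if __name__ == "__main__":
    _, log = run_pipeline(SAMPLE_STREAM)
    for line in log:
        print(line)
```

Keying the aggregated streams by (source, pattern) is what lets the rules operate on counts and totals rather than on single records: the two failed logins from 10.0.0.9 produce an alert stream but stay below the rule threshold, while the six from 10.0.0.5 cross it. In a real deployment the rules would also carry a time window, and the remedial action would go through a change-controlled enforcement path rather than being applied directly from the detection loop.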