Extracting forensic indicators from activity logs
Abstract
A method for computer system forensics includes receiving an identification of a time of occurrence of an anomalous event in a computer network including multiple host computers. Logs of activity of entities in the computer network are collected. A comparison is made between first entries in at least one of the logs collected within a predefined time interval of the time of the occurrence of the anomalous event, and second entries in the at least one of the logs collected outside the predefined time interval. Based on the comparison, a forensic indicator associated with the anomalous event is extracted from the logs.
Claims (18 claims; 28 citations)

1. A method for computer system forensics, comprising:
receiving an identification of a time of occurrence of an anomalous event in a computer network comprising multiple host computers;
collecting logs of activity of entities in the computer network;
making a comparison between first entries in at least one of the logs collected within a predefined time interval of the time of the occurrence of the anomalous event, and second entries in the at least one of the logs collected outside the predefined time interval; and
based on the comparison, extracting from the logs a forensic indicator associated with the anomalous event.
Dependent claims: 2, 3, 4, 5, 6.

7. Apparatus for computer system forensics, comprising:
an interface, which is configured to receive an identification of a time of occurrence of an anomalous event in a computer network comprising multiple host computers; and
a processor, which is configured to collect logs of activity of entities in the computer network, to make a comparison between first entries in at least one of the logs collected within a predefined time interval of the time of the occurrence of the anomalous event, and second entries in the at least one of the logs collected outside the predefined time interval, and based on the comparison, to extract from the logs a forensic indicator associated with the anomalous event.
Dependent claims: 8, 9, 10, 11, 12.

13. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive an identification of a time of occurrence of an anomalous event in a computer network comprising multiple host computers, to collect logs of activity of entities in the computer network, to make a comparison between first entries in at least one of the logs collected within a predefined time interval of the time of the occurrence of the anomalous event, and second entries in the at least one of the logs collected outside the predefined time interval, and based on the comparison, to extract from the logs a forensic indicator associated with the anomalous event.
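The abstract and claim 1 describe the comparison only in words. The following is an added example, not code from the patent or its assignee: it takes a constructed host-activity log, splits the entries into those within a window around the reported event time and those outside it, and ranks each field value by how much more often it occurs inside the window than in the rest of the log. The log format, the field names, the five-minute window, the alert time and the smoothed rate-ratio score are all assumptions made for the illustration.

```python
"""Compare log entries inside a time window around an anomalous event with
entries outside it, and surface field values that are over-represented
inside the window as candidate forensic indicators.

Added illustration of the comparison in the abstract and claim 1; not the
patent's own code. Log format, field names, window, alert time and the
scoring rule (smoothed rate ratio) are assumptions."""

from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log: "<ISO timestamp> <host> key=value key=value ..."
SAMPLE_LOG = """\
2024-03-10T13:40:02Z ws07 user=alice proc=outlook.exe dst=mail.corp.local:443
2024-03-10T13:41:15Z ws07 user=alice proc=chrome.exe dst=cdn.example.net:443
2024-03-10T13:45:30Z ws12 user=bob proc=chrome.exe dst=cdn.example.net:443
2024-03-10T13:52:08Z ws07 user=alice proc=outlook.exe dst=mail.corp.local:443
2024-03-10T13:58:44Z ws12 user=bob proc=teams.exe dst=teams.corp.local:443
2024-03-10T14:01:09Z ws07 user=alice proc=winword.exe dst=mail.corp.local:443
2024-03-10T14:02:31Z ws07 user=alice proc=powershell.exe dst=203.0.113.7:8443
2024-03-10T14:02:45Z ws07 user=alice proc=powershell.exe dst=203.0.113.7:8443
2024-03-10T14:03:10Z ws07 user=alice proc=rundll32.exe dst=203.0.113.7:8443
2024-03-10T14:04:55Z ws12 user=bob proc=chrome.exe dst=cdn.example.net:443
2024-03-10T14:12:20Z ws07 user=alice proc=chrome.exe dst=cdn.example.net:443
2024-03-10T14:20:03Z ws12 user=bob proc=outlook.exe dst=mail.corp.local:443
2024-03-10T14:33:47Z ws07 user=alice proc=outlook.exe dst=mail.corp.local:443
"""

# Assumed alert time and window; in practice these come from the detection.
EVENT_TIME = datetime(2024, 3, 10, 14, 3, 0, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_log(text):
    """Parse lines into (timestamp, {field: value}) tuples; host is a field too."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the analysis
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        fields = {"host": m.group(2)}
        for kv in m.group(3).split():
            key, _, value = kv.partition("=")
            if key and value:
                fields[key] = value
        records.append((ts, fields))
    return records


def extract_indicators(records, event_time, window, min_in_count=2, min_lift=2.0):
    """Score each (field, value) by how much more often it occurs within
    +/- window of event_time than in the rest of the log.

    lift = (in_count / in_total) / ((out_count + 1) / (out_total + 1))
    The +1 smoothing keeps values never seen outside the window from
    dividing by zero while still ranking them highest."""
    inside, outside = Counter(), Counter()
    in_total = out_total = 0
    for ts, fields in records:
        if abs(ts - event_time) <= window:
            inside.update(fields.items())
            in_total += 1
        else:
            outside.update(fields.items())
            out_total += 1
    if in_total == 0:
        return []  # nothing logged in the window: no comparison possible
    results = []
    for item, in_count in inside.items():
        if in_count < min_in_count:
            continue  # a single occurrence is too weak to report
        out_count = outside.get(item, 0)
        lift = (in_count / in_total) / ((out_count + 1) / (out_total + 1))
        if lift >= min_lift:
            results.append({"field": item[0], "value": item[1],
                            "in_window": in_count, "outside": out_count,
                            "lift": round(lift, 2)})
    results.sort(key=lambda r: (-r["lift"], -r["in_window"]))
    return results


def run_example():
    return extract_indicators(parse_log(SAMPLE_LOG), EVENT_TIME, WINDOW)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['field']}={r['value']}: {r['in_window']} in window, "
              f"{r['outside']} outside, lift {r['lift']}")
```

On the constructed log this reports the external destination 203.0.113.7:8443 (three hits in the window, none outside) ahead of proc=powershell.exe; the hosts and users that are busy both inside and outside the window score below 1 and are not reported. The comparison finds what is different about the window, not what is malicious: an attacker already active throughout the baseline period blends into the "outside" entries, so the baseline span and the window width have to be chosen with the suspected dwell time in mind.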
Specification