Method and system for reducing the volume of audit data and normalizing the audit data received from heterogeneous sources
First Claim
1. A method of reducing the volume of native audits received from at least one operating system, each of the native audits being in a particular format, comprising:
- identifying the particular format for each of the received native audits;
comparing each of the received identified native audits against at least one template and determining if each of the native audits matches at least one template; and
eliminating all of the matched native audits before a misuse and intrusion detection engine further analyzes the native audits.
3 Assignments
0 Petitions
Accused Products
Abstract
A method of reducing the volume of native audit data from further analysis by a misuse and intrusion detection engine is disclosed. Typically, more than ninety percent of the volume of audit information received from heterogeneous operating systems does not need to be analyzed by a misuse and intrusion detection engine because this audit information can be filtered out as not posing a security threat. Advantageously, by reducing (eliminating) the volume of audit information, a misuse and intrusion engine can more quickly determine whether a security threat exists because the volume of data that the engine must consider is drastically reduced. Also, advantageously, the audit information that is forwarded to the engine is normalized to a standard format, thereby reducing the computational requirements of the engine. The method of reducing the volume of native audit data includes comparing each of the native audits against at least one template and against at least one native audit. By matching the native audits against templates of native audits that do not pose security threats, the native audits that do not pose security threats can be reduced out from further consideration. The native audits that are determined to pose potential security threats are transformed into a standardized format for further analysis by a misuse and intrusion detection engine.
211 Citations
21 Claims
-
1. A method of reducing the volume of native audits received from at least one operating system, each of the native audits being in a particular format, comprising:
-
identifying the particular format for each of the received native audits; comparing each of the received identified native audits against at least one template and determining if each of the native audits matches at least one template; and eliminating all of the matched native audits before a misuse and intrusion detection engine further analyzes the native audits. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
-
-
16. An article of manufacture which includes instructions for reducing the volume of native audits received from at least one operating system, each of the native audits being in a particular format, wherein the instructions are on a computer readable medium to be executed by a computer system, comprising:
-
identifying the particular format for each of the received native audits; compare each of the received identified native audits against at least one template and determine if each of the native audits matches at least one template; and eliminate all of the matched native audits before a misuse and intrusion detection engine further analyzes the native audits. - View Dependent Claims (17)
-
-
18. A computer architecture for reducing the volume of native audits received from at least one operating system, each of the native audits being of particular format, comprising:
-
identifying means for identifying a particular format for each of the received native audits; comparing means for comparing each of the received identified native audits against at least one template and determining if each of the native audits matches at least one template; and eliminating means for eliminating of the native audits before a misuse and intrusion detection engine further analyzes the native audits. - View Dependent Claims (19)
-
-
20. A computer system, comprising:
-
a processor; and a memory coupled to said processor, the memory having stored therein sequences of instructions for reducing the volume of native audits received from at least one operating system, each of the native audits being in a particular format, the instructions which, when executed by said processor, causes the processor to perform the steps of; identifying a particular format for each of the received identified native audits; compare each of the received identified native audits against at least one template and determine if each of the native audits matches at least one template; and eliminate all of the matched audits before a misuse and intrusion detection engine further analyzes the native audits. - View Dependent Claims (21)
-
Specification