Method and system for reducing the volume of audit data and normalizing the audit data received from heterogeneous sources

US 6,134,664 A
Filed: 07/06/1998
Issued: 10/17/2000
Est. Priority Date: 07/06/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of reducing the volume of native audits received from at least one operating system, each of the native audits being in a particular format, comprising:

identifying the particular format for each of the received native audits;

comparing each of the received identified native audits against at least one template and determining if each of the native audits matches at least one template; and

eliminating all of the matched native audits before a misuse and intrusion detection engine further analyzes the native audits.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of reducing the volume of native audit data from further analysis by a misuse and intrusion detection engine is disclosed. Typically, more than ninety percent of the volume of audit information received from heterogeneous operating systems does not need to be analyzed by a misuse and intrusion detection engine because this audit information can be filtered out as not posing a security threat. Advantageously, by reducing (eliminating) the volume of audit information, a misuse and intrusion engine can more quickly determine whether a security threat exists because the volume of data that the engine must consider is drastically reduced. Also, advantageously, the audit information that is forwarded to the engine is normalized to a standard format, thereby reducing the computational requirements of the engine. The method of reducing the volume of native audit data includes comparing each of the native audits against at least one template and against at least one native audit. By matching the native audits against templates of native audits that do not pose security threats, the native audits that do not pose security threats can be reduced out from further consideration. The native audits that are determined to pose potential security threats are transformed into a standardized format for further analysis by a misuse and intrusion detection engine.

211 Citations

21 Claims

1. A method of reducing the volume of native audits received from at least one operating system, each of the native audits being in a particular format, comprising:
- identifying the particular format for each of the received native audits;
  
  comparing each of the received identified native audits against at least one template and determining if each of the native audits matches at least one template; and
  
  eliminating all of the matched native audits before a misuse and intrusion detection engine further analyzes the native audits.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising transforming selected ones of the native audits to a standardized output.
  - 3. The method of claim 2, further comprising outputting the transformed audits to a transformed audit storage device.
  - 4. The method of claim 2, comprising associating each of the native audits with an output template for transforming the native audit to the standardized output format.
  - 5. The method of claim 1, wherein the native audits comprise at least one of system audit trails;
    - system log file data; and
      
      data from third party applications and programs.
  - 6. The method of claim 1, comprising associating each of the native audits with a global format template, each of the global format templates including a listing of additional templates against which each of the associated native audits should be compared.
  - 7. The method of claim 1, further comprising outputting the native audits to a native audit storage device.
  - 8. The method of claim 1, comprising comparing one of the received native audits against a single template and either reducing the native audit and sending the native audit to a native audit storage device or transforming the native audit and sending the transformed audit to the transformed audit storage device.
  - 9. The method of claim 1, comprising comparing one of the received native audits against a plurality of templates and either reducing the native audit and sending the native audit to a native audit storage device or transforming the native audit and sending the transformed audit to the transformed audit storage device.
  - 10. The method of claim 1, comprising comparing a plurality of the received native audits against a plurality of templates and either reducing the plurality of native audits and sending the plurality of native audits to a native audit storage device or transforming the plurality of native audits and sending the plurality of transformed audits to the transformed audit storage device.
  - 11. The method of claim 10, wherein the native audits are in one of a contextual format or a positional format.
  - 12. The method of claim 1, comprising setting up at least one possible scenario and comparing the received native audits against the at least one possible scenario and activating the at least one possible scenario to become an in-progress scenario.
  - 13. The method of claim 12, comprising comparing subsequently received native audits against the in-progress scenario, a successfully completed scenario becoming an elimination list.
  - 14. The method of claim 13, comprising comparing each of the received native audits against the elimination list and if the received native audit matches a record on the elimination list, reducing the matched native audit.
  - 15. The method of claim 1, wherein each template describes a weighting system using barriers and boundaries so that a potential misuse or intrusion can be detected before it occurs.

16. An article of manufacture which includes instructions for reducing the volume of native audits received from at least one operating system, each of the native audits being in a particular format, wherein the instructions are on a computer readable medium to be executed by a computer system, comprising:
- identifying the particular format for each of the received native audits;
  
  compare each of the received identified native audits against at least one template and determine if each of the native audits matches at least one template; and
  
  eliminate all of the matched native audits before a misuse and intrusion detection engine further analyzes the native audits.
- View Dependent Claims (17)
- - 17. The article of claim 16, wherein each template describes a weighting system using barriers and boundaries so that a potential misuse or intrusion can be detected before it occurs.

18. A computer architecture for reducing the volume of native audits received from at least one operating system, each of the native audits being of particular format, comprising:
- identifying means for identifying a particular format for each of the received native audits;
  
  comparing means for comparing each of the received identified native audits against at least one template and determining if each of the native audits matches at least one template; and
  
  eliminating means for eliminating of the native audits before a misuse and intrusion detection engine further analyzes the native audits.
- View Dependent Claims (19)
- - 19. The computer architecture of claim 18, wherein each template describes a weighting system using barriers and boundaries so that a potential misuse or intrusion can be detected before it occurs.

20. A computer system, comprising:
- a processor; and
  
  a memory coupled to said processor, the memory having stored therein sequences of instructions for reducing the volume of native audits received from at least one operating system, each of the native audits being in a particular format, the instructions which, when executed by said processor, causes the processor to perform the steps of;
  
  identifying a particular format for each of the received identified native audits;
  
  compare each of the received identified native audits against at least one template and determine if each of the native audits matches at least one template; and
  
  eliminate all of the matched audits before a misuse and intrusion detection engine further analyzes the native audits.
- View Dependent Claims (21)
- - 21. The computer system of claim 20, wherein each template describes a weighting system using barriers and boundaries so that a potential misuse or intrusion can be detected before it occurs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
PRC, Inc. (Arthur D. Little, Inc.)
Inventors
Walker, Jeffrey H.
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
ELISCA, PIERRE E

Application Number

US09/109,866
Time in Patent Office

834 Days
Field of Search

713/200, 713/201, 713/202, 709/229, 380/3, 380/200, 380/4, 380/201, 380/35, 380/202, 380/30, 380/203, 380/51
US Class Current

726/22
CPC Class Codes

G06F 11/3476 Data logging G06F11/14, G06...

G06F 21/552 involving long-term monitor...

Method and system for reducing the volume of audit data and normalizing the audit data received from heterogeneous sources

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

211 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for reducing the volume of audit data and normalizing the audit data received from heterogeneous sources

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

211 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links