Event detection
Abstract
A system for event detection employs a collector that collects raw audit data made up of raw audit data records at an audit source; a database; an inserter at a downstream processing location that inserts Virtual Records into the database, including both a first type of Virtual Record generated in response to a raw audit data record, and a second type of Virtual Record generated in response to a detected audit event; a parser, coupled to the collector, that converts raw audit data records in the raw audit data into Virtual Records; and a detector that detects audit events in response to the Virtual Records generated by the parser, and generates the second type of Virtual Record in the event an audit event is detected.
42 Claims
1. A system for event detection comprising:
a collector operable to collect raw audit data comprising raw audit data records, the collector being at a first audit source having a first type of operating system;
a database;
an inserter, in communication with the database, operable to insert Virtual Records into the database, including both a first type of Virtual Record generated in response to a raw audit data record, and a second type of Virtual Record generated in response to a detected audit event;
a parser, in communication with the collector and the inserter, operable to convert raw audit data records in the raw audit data into Virtual Records of the first type, wherein the Virtual Records of the first type are generated in a normalized format, the normalized format having a plurality of data fields, each data field corresponding to a different category of data associated with a potential audit event, the parser converting the raw audit data records into Virtual Records of the first type by parsing the raw audit data records to identify the different categories of data for storage within the data fields; and
a detector, in communication with the parser and the inserter, operable to detect audit events in response to analyzing data arranged according to the normalized format in the Virtual Records of the first type, the detector operable to generate the second type of Virtual Record in the event one of the audit events is detected, the detector further operable to detect audit events in response to analyzing data arranged according to the normalized format in additional Virtual Records of the first type, the additional Virtual Records being converted from additional raw audit data records collected at a second audit source, the second audit source having a second type of operating system.
2. The system of claim 1 further comprising:
a sender in communication with at least one of the collector, the parser, and the detector, the sender operable to send output data from the at least one of the collector, the parser, and the detector to the inserter.
3. The system of claim 2 wherein said sender includes an encryptor for encrypting output data from said at least one of the collector, the parser, and the detector before said output data is sent to the inserter.
4. The system of claim 2 wherein the sender is coupled to the collector, at the first audit source, and is operable to send Virtual Records of the first type from the collector to the parser, the parser being located, at a downstream process location.
5. The system of claim 2 wherein the sender is coupled to the parser, at the first audit source, and is operable to send Virtual Records of the first type from the parser to the detector, the detector being located at the downstream process location.
6. The system of claim 2 wherein the sender is coupled to the detector, at the audit source, and wherein the inserter is located at the downstream process location.
7. The system of claim 1 wherein an input of said detector is coupled to an output of said parser, and wherein the detector detects audit events in response to the Virtual Records of the first type generated by the parser and generates Virtual Records of the second type in response thereto.
8. The system of claim 1 wherein an input of said detector is coupled to an output of said inserter and where the detector detects audit events in response to analyzing Virtual Records of the first type from the inserter and generates Virtual Records of the second type in response thereto.
9. The system of claim 8 wherein an output of said detector is coupled to an input of said inserter wherein Virtual Records of the second type are sent from the detector to the inserter.
10. The system of claim 1 wherein an input of said detector is coupled to an output of said database, and wherein said detector detects audit events in response to the Virtual Records of the first type in the database and generates Virtual Records of the second type in response thereto.
11. The system of claim 10 wherein an output of said detector is coupled to said inserter, wherein Virtual Records of the second type generated by the detector are inserted into the database by the inserter.
12. The system of claim 1 wherein said collector collects local information from said first audit source, along with said audit data.
13. The system of claim 1 wherein said database is a relational database.
14. The system of claim 13 further comprising:
a user interface coupled to the database, the user interface having a filter operable to filter Virtual Records in the database based on a filter criteria.
15. The system of claim 1 wherein said detector comprises:
a processor operable to perform a rule-based analysis of the Virtual Records of the first type generated by the parser.
16. The system of claim 1 wherein said detector further comprises:
a processor operable to perform a statistical analysis of the Virtual Records of the first type generated by the parser.
17. The system of claim 16 wherein said detector further comprises:
a processor operable to determine a mean and a standard deviation of a parameter in a set of said Virtual Records, and further operable to detect in a subsequent Virtual Record whether the parameter is more than a predetermined multiple of the standard deviation away from the mean.
18. The system of claim 17 wherein said detector comprises:
a processor operable to perform a rule-based analysis of the Virtual Records generated by the parser.
19. The system of claim 1 wherein said raw audit data is a security log generated by a computer operating system.
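The parser and normalized format claimed above (the collector and parser of claim 1, a security log from an operating system as in claim 19, and the per-operating-system population of the normalized record that the method claims below describe), as an added worked example that is not part of the patent or of any product that practices it. Everything in it is an assumption of this example: the field names of the normalized format, the two raw input formats (OpenSSH sshd lines as written to syslog for the Linux source, and a simplified key=value rendering of Windows Security-log logon events for the Windows source), the sample records, and the year assumed for syslog timestamps.

```python
import re
from dataclasses import dataclass
from datetime import datetime

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumption for the sample lines below


@dataclass
class VirtualRecord:
    """First-type Virtual Record: one field per category of data the detector reasons about."""
    ts: str       # ISO 8601 UTC timestamp
    os: str       # operating system type of the audit source
    host: str
    user: str
    action: str   # e.g. "logon"
    outcome: str  # "success" or "failure"
    src_ip: str
    raw: str      # the raw audit data record, kept verbatim for forensics


# Linux source: OpenSSH sshd lines as written to syslog / auth.log.
_SSHD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_linux(line):
    m = _SSHD.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    ts = ts.replace(year=ASSUMED_YEAR).strftime("%Y-%m-%dT%H:%M:%SZ")
    outcome = "success" if m["outcome"] == "Accepted" else "failure"
    return VirtualRecord(ts, "linux", m["host"], m["user"], "logon", outcome, m["ip"], line)


# Windows source: Security-log logon events rendered as key=value text (a constructed,
# simplified rendering; event ID 4624 = logon succeeded, 4625 = logon failed).
_WIN_EVENTS = {"4624": ("logon", "success"), "4625": ("logon", "failure")}


def parse_windows(line):
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if kv.get("EventID") not in _WIN_EVENTS:
        return None
    action, outcome = _WIN_EVENTS[kv["EventID"]]
    return VirtualRecord(kv["TimeCreated"], "windows", kv.get("Computer", "?"),
                         kv.get("TargetUserName", "?"), action, outcome,
                         kv.get("IpAddress", "-"), line)


# The parser picks the conversion routine from the audit source's OS type.
PARSERS = {"linux": parse_linux, "windows": parse_windows}


def parse_records(os_type, raw_lines):
    """Convert one source's raw records into Virtual Records. Lines the OS-specific
    parser rejects are returned separately rather than silently dropped: a parser
    gap is itself worth monitoring, since an attacker's activity may land there."""
    records, unparsed = [], []
    for line in raw_lines:
        rec = PARSERS[os_type](line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


# Constructed raw audit data for the example (not real logs).
LINUX_RAW = [
    "May  1 10:00:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "May  1 10:00:09 web01 sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 5100 ssh2: RSA SHA256:abc",
    "May  1 10:00:10 web01 CRON[1250]: (root) CMD (run-parts /etc/cron.hourly)",
]
WINDOWS_RAW = [
    "EventID=4625 TimeCreated=2024-05-01T10:00:03Z Computer=WS01 TargetUserName=alice IpAddress=203.0.113.5 Status=0xC000006D",
    "EventID=4624 TimeCreated=2024-05-01T10:00:12Z Computer=WS01 TargetUserName=bob IpAddress=10.0.0.5 LogonType=2",
]


def normalize_all():
    """Parse both sources and merge them into one time-ordered stream of Virtual Records."""
    records, unparsed = [], []
    for os_type, lines in (("linux", LINUX_RAW), ("windows", WINDOWS_RAW)):
        good, bad = parse_records(os_type, lines)
        records += good
        unparsed += bad
    return sorted(records, key=lambda r: r.ts), unparsed


if __name__ == "__main__":
    recs, gaps = normalize_all()
    for r in recs:
        print(r.ts, r.os, r.host, r.user, r.action, r.outcome, r.src_ip)
    print("unparsed:", gaps)
```

Once both sources are in this one layout, a downstream detector can correlate the Linux failure and the Windows failure from 203.0.113.5 without knowing either log format. The `raw` field is kept on purpose: a normalized record is a lossy summary, and the original line is what an investigator will need when the detector's interpretation is questioned. The unparsed cron line is returned rather than discarded; in a deployment the count of unparsed lines per source is worth its own alert.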
20. A method of event detection comprising:
collecting raw audit data at an audit source, the raw data comprising raw audit data records;
parsing the raw audit data records by converting each raw audit data record into a Virtual Record of a first type, the Virtual Records of the first type being arranged according to a normalized format, the normalized format having a plurality of data fields, each data field corresponding to a different category of data associated with a potential audit event, the parsing including converting the raw audit data records into Virtual Records of the first type by parsing the raw audit data records to identify the different categories of data for storage within the data fields;
detecting audit events in response to analyzing the different categories of data included in the Virtual Records;
generating a Virtual Record of a second type in response to each detected audit event; and
storing the Virtual Records of the first type and the Virtual Records of the second type.
21. The method of claim 20 further comprising:
encrypting the Virtual Records of the first type.
22. The method of claim 20 wherein said detecting comprises detecting audit events in response to retrieving the stored Virtual Records of the first type.
23. The method of claim 20 wherein said detecting comprises detecting audit events in response to Virtual Records and event signatures.
24. The method of claim 20 wherein said detecting comprises detecting audit events in response to Virtual Records and a statistical analysis.
25. The method of claim 20 further comprising filtering the stored Virtual Records of the first type using a user interface.
26. The method of claim 20 wherein said detecting comprises performing rule-based analysis on the Virtual Records.
27. The method of claim 20 wherein said detecting comprises performing statistical analysis on the Virtual Records using audit data associated with a plurality of types of audit sources.
28. The method of claim 27 wherein said performing statistical analysis comprises:
determining a mean and a standard deviation of a parameter in a set of Virtual Records; and
determining whether in a subsequent Virtual Record the parameter is more than a predetermined multiple of the standard deviation away from the mean.
29. The method of claim 28 wherein said detecting further comprises performing rule-based analysis on the Virtual Records.
30. A method of event detection, the method comprising:
collecting raw audit data at a first audit source having a first type of operating system, the raw audit data having one or more raw audit data records;
collecting additional raw audit data at a second audit source having a second type of operating system, the additional raw audit data having one or more additional raw audit data records;
converting each of the raw audit data records and additional raw audit data records into a Virtual Record, the Virtual Record being organized using a normalized format, the Virtual Record being populated with data from the raw audit data record in response to the type of operating system of the audit source associated with the raw audit data records;
communicating the Virtual Records to a detector; and
detecting audit events in response to the detector receiving the Virtual Records, wherein the detector detects audit events in response to performing signature analysis on the Virtual Records converted from the raw audit data records and the additional raw audit data records, and wherein the detector further detects audit events in response to performing statistical analysis on the Virtual Records as compared to previously stored Virtual Records.
32. A method of event detection, the method comprising:
collecting raw audit data at a first audit source having a first type of operating system, the raw audit data having one or more raw audit data records;
collecting additional raw audit data at a second audit source having a second type of operating system, the additional raw audit data having one or more additional raw audit data records;
converting each of the raw audit data records and additional raw audit data records into a Virtual Record, the Virtual Record being organized using a normalized format, the Virtual Record being populated with data from the raw audit data record in response to the type of operating system of the audit source associated with the raw audit data records;
communicating the Virtual Records to a detector; and
detecting audit events in response to the detector receiving the Virtual Records, wherein the detector detects audit events in response to performing signature analysis on the Virtual Records converted from the raw audit data records and the additional raw audit data records, and wherein the detector further detects audit events in response to performing statistical analysis on the Virtual Records as compared to previously stored Virtual Records, wherein detecting audit events further comprises detecting audit events in response to combining a first set of data associated with the first type of operating system with a second set of data associated with the second type of operating system.
33. A method of event detection, the method comprising:
collecting raw audit data at a first audit source having a first type of operating system, the raw audit data having one or more raw audit data records;
collecting additional raw audit data at a second audit source having a second type of operating system, the additional raw audit data having one or more additional raw audit data records;
converting each of the raw audit data records and additional raw audit data records into a Virtual Record, the Virtual Record being organized using a normalized format, the Virtual Record being populated with data from the raw audit data record in response to the type of operating system of the audit source associated with the raw audit data records;
communicating the Virtual Records to a detector; and
detecting audit events in response to the detector receiving the Virtual Records, wherein the detector detects audit events in response to performing signature analysis on the Virtual Records converted from the raw audit data records and the additional raw audit data records, and wherein the detector further detects audit events in response to performing statistical analysis on the Virtual Records as compared to previously stored Virtual Records, wherein detecting audit events in response to performing signature analysis includes maintaining and monitoring state information.
37. A method of event detection, the method comprising:
collecting raw audit data at a first audit source having a first type of operating system, the raw audit data having one or more raw audit data records;
collecting additional raw audit data at a second audit source having a second type of operating system, the additional raw audit data having one or more additional raw audit data records;
converting each of the raw audit data records and additional raw audit data records into a Virtual Record, the Virtual Record being organized using a normalized format, the Virtual Record being populated with data from the raw audit data record in response to the type of operating system of the audit source associated with the raw audit data records;
communicating the Virtual Records to a detector;
detecting audit events in response to the detector receiving the Virtual Records, wherein the detector detects audit events in response to performing signature analysis on the Virtual Records converted from the raw audit data records and the additional raw audit data records, and wherein the detector further detects audit events in response to performing statistical analysis on the Virtual Records as compared to previously stored Virtual Records; and
wherein the method is conducted using transparent object connectivity.
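The detector that the claims describe (rule-based or signature analysis that maintains state information as in claims 15 and 33, a mean and standard deviation of a parameter with a predetermined multiple of the standard deviation as in claims 17 and 28, and combining data from two operating-system types as in claim 32), as an added worked example that is not part of the patent or of any product that practices it. The record layout, the thresholds, the time window, the sigma multiple, the standard-deviation floor and the sample records are all assumptions of this example; the first-type records are constructed here as plain dicts rather than parsed from raw logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

FAIL_THRESHOLD = 4                   # failed logons from one source IP ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window trigger the signature
BASELINE_MIN = 5                     # values needed before a mean/stddev is trusted
SIGMA_MULTIPLE = 3.0                 # the "predetermined multiple of the standard deviation"
SIGMA_FLOOR_RATIO = 0.05             # stddev floor as a fraction of the mean (design choice)


def vr(id, ts, os, host, user, action, outcome, src_ip, **extra):
    """First-type Virtual Record in a fixed normalized layout (plain dict for brevity)."""
    return {"id": id, "ts": ts, "os": os, "host": host, "user": user,
            "action": action, "outcome": outcome, "src_ip": src_ip, **extra}


# Constructed first-type records from a Linux host and a Windows host (not real data).
FIRST_TYPE = [
    vr(1, "2024-05-01T10:00:01Z", "linux", "web01", "admin", "logon", "failure", "203.0.113.5"),
    vr(2, "2024-05-01T10:00:03Z", "windows", "WS01", "alice", "logon", "failure", "203.0.113.5"),
    vr(3, "2024-05-01T10:00:05Z", "linux", "web01", "root", "logon", "failure", "203.0.113.5"),
    vr(4, "2024-05-01T10:00:07Z", "windows", "WS01", "bob", "logon", "failure", "203.0.113.5"),
    vr(5, "2024-05-01T10:00:09Z", "linux", "web01", "deploy", "logon", "success", "198.51.100.7"),
    vr(6, "2024-05-01T10:05:00Z", "linux", "web01", "carol", "transfer", "success", "10.0.0.8", bytes=1_000_000),
    vr(7, "2024-05-01T10:06:00Z", "linux", "web01", "carol", "transfer", "success", "10.0.0.8", bytes=1_100_000),
    vr(8, "2024-05-01T10:07:00Z", "linux", "web01", "carol", "transfer", "success", "10.0.0.8", bytes=950_000),
    vr(9, "2024-05-01T10:08:00Z", "linux", "web01", "carol", "transfer", "success", "10.0.0.8", bytes=1_050_000),
    vr(10, "2024-05-01T10:09:00Z", "linux", "web01", "carol", "transfer", "success", "10.0.0.8", bytes=1_000_000),
    vr(11, "2024-05-01T10:10:00Z", "linux", "web01", "carol", "transfer", "success", "10.0.0.8", bytes=48_000_000),
]


def _ts(rec):
    return datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")


class Detector:
    def __init__(self):
        # Signature state: src_ip -> the last FAIL_THRESHOLD failed-logon records.
        # The bounded deque caps memory per source IP, so a flood cannot grow state unboundedly.
        self.failures = defaultdict(lambda: deque(maxlen=FAIL_THRESHOLD))
        self.history = defaultdict(list)  # (user, parameter) -> baseline values

    def signature(self, rec):
        """Stateful signature: FAIL_THRESHOLD failed logons from one IP inside FAIL_WINDOW,
        counted across hosts and OS types, since the records share one format."""
        if rec["action"] != "logon" or rec["outcome"] != "failure":
            return None
        window = self.failures[rec["src_ip"]]
        window.append(rec)
        while _ts(window[-1]) - _ts(window[0]) > FAIL_WINDOW:
            window.popleft()  # expire failures older than the window
        if len(window) < FAIL_THRESHOLD:
            return None
        evidence = list(window)
        window.clear()  # fire once per burst instead of on every further failure
        return {"type": "event", "event": "brute_force_logon", "src_ip": rec["src_ip"],
                "hosts": sorted({r["host"] for r in evidence}),
                "os_types": sorted({r["os"] for r in evidence}),
                "evidence": [r["id"] for r in evidence]}

    def statistical(self, rec, parameter="bytes"):
        """Mean/stddev profile of a numeric parameter per user; flag a subsequent record
        whose value lies more than SIGMA_MULTIPLE standard deviations from the mean."""
        if parameter not in rec:
            return None
        hist = self.history[(rec["user"], parameter)]
        if len(hist) >= BASELINE_MIN:
            mu, sd = mean(hist), pstdev(hist)
            sd = max(sd, SIGMA_FLOOR_RATIO * abs(mu), 1e-9)  # flat baseline: avoid a zero divisor
            z = (rec[parameter] - mu) / sd
            if abs(z) > SIGMA_MULTIPLE:
                return {"type": "event", "event": f"{parameter}_anomaly", "user": rec["user"],
                        "value": rec[parameter], "mean": mu, "stddev": sd,
                        "z": round(z, 1), "evidence": [rec["id"]]}
        hist.append(rec[parameter])  # only records judged normal extend the baseline
        return None

    def process(self, rec):
        """Return the second-type (event) Virtual Records generated for one input record."""
        return [e for e in (self.signature(rec), self.statistical(rec)) if e is not None]


def detect(records):
    """Run the detector over first-type records in time order; return the event records."""
    det = Detector()
    events = []
    for rec in sorted(records, key=_ts):
        events.extend(det.process(rec))
    return events


if __name__ == "__main__":
    for event in detect(FIRST_TYPE):
        print(event)
```

Two points a practitioner should weigh before reusing this shape. The standard-deviation floor is not in the claims: with a perfectly flat baseline the population standard deviation is zero and any deviation would be an infinite multiple of it, so some floor (or a minimum absolute deviation) is needed to keep the rule meaningful. And the baseline is only as trustworthy as the records that built it; anomalous records are excluded from it here, but an attacker who controls the early records of a new user can still shape the profile, which is why the signature analysis and the statistical analysis are run side by side rather than relying on either alone.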
Specification