Event detection

US 6,347,374 B1
Filed: 06/05/1998
Issued: 02/12/2002
Est. Priority Date: 06/05/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for event detection comprising:

a collector operable to collect raw audit data comprising raw audit data records, the collector being at a first audit source having a first type of operating system;

a database;

an inserter, in communication with the database, operable to insert Virtual Records into the database, including both a first type of Virtual Record generated in response to a raw audit data record, and a second type of Virtual Record generated in response to a detected audit event;

a parser, in communication with the collector and the inserter, operable to convert raw audit data records in the raw audit data into Virtual Records of the first type, wherein the Virtual Records of the first type are generated in a normalized format, the normalized format having a plurality of data fields, each data field corresponding to a different category of data associated with a potential audit event, the parser converting the raw audit data records into Virtual Records of the first type by parsing the raw audit data records to identify the different categories of data for storage within the data fields; and

a detector, in communication with the parser and the inserter, operable to detect audit events in response to analyzing data arranged according to the normalized format in the Virtual Records of the first type, the detector operable to generate the second type of Virtual Record in the event one of the audit events is detected, the detector further operable to detect audit events in response to analyzing data arranged according to the normalized format in additional Virtual Records of the first type, the additional Virtual Records being converted from additional raw audit data records collected at a second audit source, the second audit source having a second type of operating system.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for event detection employs a collector that collects raw audit data made up of raw audit data records at an audit source; a database; an inserter at a downstream processing location that inserts Virtual Records into the database, including both a first type of Virtual Record generated in response to a raw audit data record, and a second type of Virtual Record generated in response to a detected audit event; the inserter; a parser; coupled to the collector, that converts raw audit data records in the raw audit data into Virtual Records; a detector that detects audit events in response to the Virtual Records generated by the parser, and generates the second type of Virtual Record in the event an audit event is detected.

Citations

42 Claims

1. A system for event detection comprising:
- a collector operable to collect raw audit data comprising raw audit data records, the collector being at a first audit source having a first type of operating system;
  
  a database;
  
  an inserter, in communication with the database, operable to insert Virtual Records into the database, including both a first type of Virtual Record generated in response to a raw audit data record, and a second type of Virtual Record generated in response to a detected audit event;
  
  a parser, in communication with the collector and the inserter, operable to convert raw audit data records in the raw audit data into Virtual Records of the first type, wherein the Virtual Records of the first type are generated in a normalized format, the normalized format having a plurality of data fields, each data field corresponding to a different category of data associated with a potential audit event, the parser converting the raw audit data records into Virtual Records of the first type by parsing the raw audit data records to identify the different categories of data for storage within the data fields; and
  
  a detector, in communication with the parser and the inserter, operable to detect audit events in response to analyzing data arranged according to the normalized format in the Virtual Records of the first type, the detector operable to generate the second type of Virtual Record in the event one of the audit events is detected, the detector further operable to detect audit events in response to analyzing data arranged according to the normalized format in additional Virtual Records of the first type, the additional Virtual Records being converted from additional raw audit data records collected at a second audit source, the second audit source having a second type of operating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1 further comprising:
3. The system of claim 2 wherein said sender includes an encryptor for encrypting output data from said at least one of the collector, the parser, and the detector before said output data is sent to the inserter.
4. The system of claim 2 wherein the sender is coupled to the collector, at the first audit source, and is operable to send Virtual Records of the first type from the collector to the parser, the parser being located, at a downstream process location.
5. The system of claim 2 wherein the sender is coupled to the parser, at the first audit source, and is operable to send Virtual Records of the first type from the parser to the detector, the detector being located at the downstream process location.
6. The system of claim 2 wherein the sender is coupled to the detector, at the audit source, and wherein the inserter is located at the downstream process location.
7. The system of claim 1 wherein an input of said detector is coupled to an output of said parser, and wherein the detector detects audit events in response to the Virtual Records of the first type generated by the parser and generates Virtual Records of the second type in response thereto.
8. The system of claim 1 wherein an input of said detector is coupled to an output of said inserter and where the detector detects audit events in response to analyzing Virtual Records of the first type from the inserter and generates Virtual Records of the second type in response thereto.
9. The system of claim 8 wherein an output of said detector is coupled to an input of said inserter wherein Virtual Records of the second type are sent from the detector to the inserter.
10. The system of claim 1 wherein an input of said detector is coupled to an output of said database, and wherein said detector detects audit events in response to the Virtual Records of the first type in the database and generates Virtual Records of the second type in response thereto.
11. The system of claim 10 wherein an output of said detector is coupled to said inserter, wherein Virtual Records of the second type generated by the detector are inserted into the database by the inserter.
12. The system of claim 1 herein said collector collects local information from said first audit source, along with said audit data.
13. The system of claim 1 wherein said database is a relational database.
14. The system of claim 13 further comprising:
- a user interface coupled to the database, the user interface having a filter operable to filter Virtual Records in the database based on a filter criteria.
15. The system of claim 1 wherein said detector comprises:
- a processor operable to perform a rule-based analysis of the Virtual Records of the first type generated by the parser.
16. The system of claim 1 wherein said detector further comprises:
- a processor operable to perform a statistical analysis of the Virtual Records of the first type generated by the parser.
17. The system of claim 16 wherein said detector further comprises:
- a processor operable to determine a mean and a standard deviation of a parameter in a set of said Virtual Records, and further operable to detect in a subsequent Virtual Record whether the parameter is more than a predetermined multiple of the standard deviation away from the mean.
18. The system of claim 17 wherein said detector comprises:
- a processor operable to perform a rule-based analysis of the Virtual Records generated by the parser.
19. The system of claim 1 wherein said raw audit data is a security log generated by a computer operating system.

20. A method of event detection comprising:
- collecting raw audit data at an audit source, the raw data comprising raw audit data records;
  
  parsing the raw audit data records by converting each raw audit data record into a Virtual Record of a first type, the Virtual Records of the first type being arranged according to a normalized format, the normalized format having a plurality of data fields, each data field corresponding to a different category of data associated with a potential audit event, the parsing including converting the raw audit data records into Virtual Records of the first type by parsing the raw audit data records to identify the different categories of data for storage within the data fields;
  
  detecting audit events in response to analyzing the different categories of data included in the Virtual Records;
  
  generating a Virtual Record of a second type in response to each detected audit event; and
  
  storing the Virtual Records of the first type and the Virtual Records of the second type.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. The method of claim 20 further comprising:
22. The method of claim 20 wherein said detecting comprises detecting audit events in response to retrieving the stored Virtual Records of the first type.
23. The method of claim 20 wherein said detecting comprises detecting audit events in response to Virtual Records and event signatures.
24. The method of claim 20 wherein said detecting comprises detecting audit events in response to Virtual Records and a statistical analysis.
25. The method of claim 20 further comprising filtering the stored Virtual Records of the first type using a user interface.
26. The method of claim 20 wherein said detecting comprises performing rule-based analysis on the Virtual Records.
27. The method of claim 20 wherein said detecting comprises performing statistical analysis in the Virtual Records using audit data associated with a plurality of types of audit sources.
28. The method of claim 27 wherein said performing statistical analysis comprises:
- determining a mean and a standard deviation of a parameter in a set of Virtual Records; and
  
  determining whether in a subsequent Virtual Record the parameter is more than a predetermined multiple of the standard deviation away from the mean.
29. The method of claim 28 wherein said detecting further comprises performing rule-based analysis on the Virtual Records.

30. A method of event detection, the method comprising:
- collecting raw audit data at a first audit source having a first type of operating system, the raw audit data having one or more raw audit data records;
  
  collecting additional raw audit data at a second audit source having a second type of operating system, the additional raw audit data having one or more additional raw audit data records;
  
  converting each of the raw audit data records and additional raw audit data records into a Virtual Record, the Virtual Record being organized using a normalized format, the Virtual Record being populated with data from the raw audit data record in response to the type of operating system of the audit source associated with the raw audit data records;
  
  communicating the Virtual Records to a detector; and
  
  detecting audit events in response to the detector receiving the Virtual Records, wherein the detector detects audit events in response to performing signature analysis on the Virtual Records converted from the raw audit data records and the additional raw audit data records, and wherein the detector further detects audit events in response to performing statistical analysis on the Virtual Records as compared to previously stored Virtual Records.
- View Dependent Claims (31)
- - 31. The method of claim 30, wherein detecting audit events further comprises detecting audit events wherein the detector is located at a different node of the network from the first and second audit sources.

32. A method of event detection, the method comprising:
- collecting raw audit data at a first audit source having a first type of operating system, the raw audit data having one or more raw audit data records;
  
  collecting additional raw audit data at a second audit source having a second type of operating system, the additional raw audit data having one or more additional raw audit data records;
  
  converting each of the raw audit data records and additional raw audit data records into a Virtual Record, the Virtual Record being organized using a normalized format, the Virtual Record being populated with data from the raw audit data record in response to the type of operating system of the audit source associated with the raw audit data records;
  
  communicating the Virtual Records to a detector; and
  
  detecting audit events in response to the detector receiving the Virtual Records, wherein the detector detects audit events in response to performing signature analysis on the Virtual Records converted from the raw audit data records and the additional raw audit data records, and wherein the detector further detects audit events in response to performing statistical analysis on the Virtual Records as compared to previously stored Virtual Records, wherein detecting audit events further comprises detecting audit events in response to combining a first set of data associated with the first type of operating system with a second set of data associated with the second type of operating system.

33. A method of event detection, the method comprising:
- collecting raw audit data at a first audit source having a first type of operating system, the raw audit data having one or more raw audit data records;
  
  collecting additional raw audit data at a second audit source having a second type of operating system, the additional raw audit data having one or more additional raw audit data records;
  
  converting each of the raw audit data records and additional raw audit data records into a Virtual Record, the Virtual Record being organized using a normalized format, the Virtual Record being populated with data from the raw audit data record in response to the type of operating system of the audit source associated with the raw audit data records;
  
  communicating the Virtual Records to a detector; and
  
  detecting audit events in response to the detector receiving the Virtual Records, wherein the detector detects audit events in response to performing signature analysis on the Virtual Records converted from the raw audit data records and the additional raw audit data records, and wherein the detector further detects audit events in response to performing statistical analysis on the Virtual Records as compared to previously stored Virtual Records, wherein detecting audit events in response to performing signature analysis includes maintaining and monitoring state information.
- View Dependent Claims (34, 35, 36, 38, 39, 40, 41, 42)
- - 34. The method of claim 33, wherein detecting audit events further comprises accessing a database of audit events.
  - 35. The method of claim 33, wherein detecting audit events further comprises accessing a database of audit events, the database being configurable by a user to add or delete categories used to identify audit events.
  - 36. The method of claim 35, wherein the categories include users, platforms, events, and intervals.
  - 38. The method of claim 33, wherein communicating the Virtual Records further comprises encrypting the Virtual Records prior to communication.
  - 39. The method of claim 33, wherein the raw audit data records each include audit data associated with an event or portion of an event taking place at the first audit source.
  - 40. The method of claim 33, wherein converting each of the raw audit data records further comprises accessing ancillary information from a local system associated with the first audit source.
  - 41. The method of claim 33, wherein communicating the Virtual Records further comprises communicating the Virtual Records in real-time upon conversion.
  - 42. The method of claim 33, and further comprising archiving the raw audit data records.

37. A method of event detection, the method comprising:
- collecting raw audit data at a first audit source having a first type of operating system, the raw audit data having one or more raw audit data records;
  
  collecting additional raw audit data at a second audit source having a second type of operating system, the additional raw audit data having one or more additional raw audit data records;
  
  converting each of the raw audit data records and additional raw audit data records into a Virtual Record, the Virtual Record being organized using a normalized format, the Virtual Record being populated with data from the raw audit data record in response to the type of operating system of the audit source associated with the raw audit data records;
  
  communicating the Virtual Records to a detector;
  
  detecting audit events in response to the detector receiving the Virtual Records, wherein the detector detects audit events in response to performing signature analysis on the Virtual Records converted from the raw audit data records and the additional raw audit data records, and wherein the detector further detects audit events in response to performing statistical analysis on the Virtual Records as compared to previously stored Virtual Records; and
  
  wherein the method is conducted using transparent object connectivity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intrusion, Inc.
Original Assignee
Intrusion, Inc.
Inventors
Webster, David J., Drake, David L.
Primary Examiner(s)
Peeso, Thomas R.
Assistant Examiner(s)
JACK, TODD M

Application Number

US09/092,660
Time in Patent Office

1,348 Days
Field of Search

709/224, 713/200, 713/201
US Class Current

726/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 41/0631   using root cause analysis; ...

H04L 41/0654   using network fault recover...

H04L 41/16   using machine learning or a...

H04L 43/0811   by checking connectivity

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Event detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Event detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links