Network-based alert management
Abstract
A method of managing alerts in a network, including receiving alerts from network sensors, consolidating the alerts that are indicative of a common incident, and generating output reflecting the consolidated alerts.
57 Claims
1. A computer-implemented method of managing alerts in a network comprising:
    receiving alerts from network sensors;
    consolidating the alerts that are indicative of a common incident; and
    generating output reflecting the consolidated alerts.
(Dependent claims: 2 through 38.)

    a mapping between one or more network hosts and one or more corresponding environment features selected from the following group:
    {operating systems (o/s), o/s versions, hosted services/applications}; and
    a relevance rating for each of one or more types of attacks mapped against the corresponding environment features.
18. The computer-implemented method of claim 6 wherein the output reflecting the consolidated alerts includes a meta-significance score reflecting a blending of the significance scores for each of the consolidated alerts.

19. The computer-implemented method of claim 1 further comprising correlating common incidents.

20. The computer-implemented method of claim 1 further comprising filtering the alerts.

21. The computer-implemented method of claim 20 wherein filtering comprises comparing the alerts to user-specified filters.

22. The computer-implemented method of claim 21 wherein the user-specified filters are dynamically configurable.

23. The computer-implemented method of claim 1 wherein the consolidated alerts comprise alerts produced by a single network sensor.

24. The computer-implemented method of claim 1 wherein the consolidated alerts comprise alerts produced by different network sensors.

25. The computer-implemented method of claim 1 wherein consolidating the alerts further comprises identifying the alerts that are indicative of a common incident based upon one or more alert parameters selected from the following group:
    {attack type, timestamp, network security component identification (ID), user ID, process ID, <IP, port addresses> for a source and a target of a suspicious activity}.

26. The computer-implemented method of claim 1 wherein generating output comprises generating one or more subscriber-specific reports.

27. The computer-implemented method of claim 26 wherein the subscriber-specific reports are based on one or more subscriber-customizable criteria.

28. The computer-implemented method of claim 27 wherein the subscriber-customizable criteria are dynamically configurable.

29. The computer-implemented method of claim 27 wherein the subscriber-customizable criteria comprise one or more transport options.

30. The computer-implemented method of claim 29 wherein the transport options comprise one or more options selected from the following group:
    {E-mail, XML, HTML, writing out to a file}.

31. The computer-implemented method of claim 1 wherein the output is automatically input to a data base management system.

32. The computer-implemented method of claim 1 further comprising sending the output over one or more secure communications links to one or more subscribers.

33. The computer-implemented method of claim 1 wherein receiving alerts further comprises dynamically modifying a set of network sensors from whom the alerts are received.

34. The computer-implemented method of claim 1 wherein the network sensors comprise heterogeneous network sensors.

35. The computer-implemented method of claim 1, wherein the received alerts include one or more filtered alerts.

36. The computer-implemented method of claim 1, wherein the received alerts include one or more alerts tagged with corresponding significance scores.

37. The computer-implemented method of claim 1, wherein the received alerts include one or more consolidated alerts, as to which the method of claim 1 is applied in recursive fashion.

38. The computer-implemented method of claim 1, further comprising processing the alerts to produce one or more internal reports, and wherein consolidating comprises consolidating the internal reports that are indicative of a common incident to produce one or more incident reports.

39. A computer program, residing on a computer-readable medium, comprising instructions causing a computer to:
    receive alerts from a plurality of network sensors;
    consolidate the alerts that are indicative of a common incident; and
    generate output reflecting the consolidated alerts.
(Dependent claims: 40, 41.)

    format the alerts;
    filter the alerts; and
    tag one or more of the alerts with corresponding significance scores.

41. The computer program of claim 39 wherein the network sensors comprise heterogeneous network sensors.

42. In a computer network that has a plurality of security or fault monitoring devices of various types, each of which generates an alert when an attack or anomalous incident is detected, a method for managing alerts comprising the steps of:
    ranking network resources and services based on their actual or perceived importance to effective operation of the network;
    receiving alerts from the security or fault monitoring devices;
    ranking each alert based on a potential or actual impact of each alert's underlying attack or incident on effective operation of the network;
    grouping alerts that may relate to a common attack or incident; and
    generating a report that shows at least a subset of the alert groups and that indicates a potential or actual impact of each alert group's underlying attack or incident on effective operation of the network.

43. In a computer network that has a plurality of security or fault monitoring devices of various types, each of which generates an alert when an attack or anomalous incident is detected, a method for managing alerts comprising the steps of:
    ranking network resources and services based on their actual or perceived importance to effective operation of the network;
    receiving alerts from the security or fault monitoring devices;
    grouping alerts that may relate to a common attack or incident;
    ranking each alert group based on a potential or actual impact of each alert group's underlying attack or incident on effective operation of the network; and
    generating a report that shows at least a subset of the alert groups and that indicates a potential or actual impact of each alert group's underlying attack or incident on effective operation of the network.

44. In a computer network that has a plurality of security or fault monitoring devices of various types, each of which generates an alert when an attack or anomalous incident is detected, a method for managing alerts comprising the steps of:
    receiving alerts from the security or fault monitoring devices;
    grouping alerts that may relate to a common attack or incident;
    ranking each alert group based on a potential or actual impact of each alert group's underlying attack or incident on effective operation of the network; and
    generating a report that shows at least a subset of the alert groups and that indicates a potential or actual impact of each alert group's underlying attack or incident on effective operation of the network.
(Dependent claims: 45 through 54.)

    firewalls;
    intrusion detection systems;
    antivirus software;
    security scanners;
    network management probes;
    network service appliances;
    authentication services; and
    host and application security services.

46. The method of claim 44 further comprising the step of identifying critical network services and resources.

47. The method of claim 44 further comprising the step of ranking network resources and services based on their actual or perceived importance to effective operation of the network.

48. The method of claim 44 further comprising the step of identifying a set of alert classes or types.

49. The method of claim 48 wherein the set of alert classes or types is selected from the following group:
    privilege subversion;
    use subversion;
    denial of service;
    intelligence gathering;
    access violations;
    integrity violations;
    system environment corruption;
    user environment corruption;
    asset distress; and
    suspicious usage.

50. The method of claim 49 further comprising the step of ranking the alert classes or types based on actual or perceived impact of the underlying attacks or incidents on effective operation of the network.

51. The method of claim 44 wherein the alerts are grouped based on alert attributes selected from the following group:
    common source;
    common connection;
    common host-based session;
    common alert type or class; and
    information about alert equivalence from an external data base.

52. The method of claim 44 wherein the alert groups are ranked based on criteria selected from the following group:
    attack outcome;
    attack vulnerability;
    target of the attack;
    alert class;
    attacker identity; and
    user identity.

53. The method of claim 52 wherein the criteria are assigned weights that are dynamically adjustable.

54. The method of claim 44 wherein the alert report further includes information selected from the following group:
    alert class;
    alert group rank, duration of the attack or incident; and
    name, location, and version of the security or fault monitoring devices that generated alerts.

55. In a computer network, a method for ranking alerts that are indicative of an attack or an anomalous incident, the method comprising the steps of:
    identifying and ranking different types of attacks or incidents according to their actual or perceived impact on effective operation of the network;
    identifying and ranking network resources or services according to their actual or perceived importance to effective operation of the network;
    determining vulnerability of network resources to different types of attacks or incidents; and
    assigning a relevance score to an alert based on the type of the underlying attack or incident, the target of the attack or incident, and the vulnerability of the target.
(Dependent claims: 56, 57.)

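As an added illustration, not the patent's own code and not from any product it covers, the consolidation of claim 25 and the relevance ranking of claim 55 carried through in Python on constructed alerts from two heterogeneous sensors; the host-to-feature mapping, attack impact ranks, relevance ratings, the 60-second time bucket and the choice of the maximum as the meta-significance blend are all assumptions.

```python
from collections import defaultdict

# Constructed host-to-environment mapping: hosted services plus an importance
# rank reflecting the host's role in effective operation of the network.
HOST_FEATURES = {"10.0.0.5": {"services": {"http"}, "importance": 3},
                 "10.0.0.9": {"services": {"smb"}, "importance": 1}}
# Constructed impact rank per attack class (claim 50) and relevance rating of
# each attack class against an environment feature (the mapping claim above).
ATTACK_IMPACT = {"denial of service": 3, "intelligence gathering": 1}
ATTACK_RELEVANCE = {("denial of service", "http"): 1.0,
                    ("intelligence gathering", "smb"): 0.5}

def relevance_score(alert):
    """Claim 55: attack-type impact x target importance x target vulnerability."""
    feat = HOST_FEATURES.get(alert["dst_ip"])
    if feat is None:
        return 0.0  # unknown target: nothing to rank it against
    vuln = max((ATTACK_RELEVANCE.get((alert["attack_type"], s), 0.0)
                for s in feat["services"]), default=0.0)
    return ATTACK_IMPACT.get(alert["attack_type"], 0) * feat["importance"] * vuln

def consolidate(alerts, window=60):
    """Claim 25: alerts sharing attack type, source, target and a time bucket
    (constructed choice of parameters) form one incident, whichever sensor."""
    incidents = defaultdict(list)
    for a in alerts:
        key = (a["attack_type"], a["src_ip"], a["dst_ip"], a["ts"] // window)
        incidents[key].append(a)
    return list(incidents.values())

def incident_reports(alerts):
    """Claims 18 and 42: one record per incident carrying a meta-significance
    score (here the maximum member score, a constructed blend), ranked."""
    reports = []
    for group in consolidate(alerts):
        reports.append({"attack_type": group[0]["attack_type"],
                        "target": group[0]["dst_ip"],
                        "sensors": sorted({a["sensor"] for a in group}),
                        "alert_count": len(group),
                        "meta_significance": max(relevance_score(a) for a in group)})
    return sorted(reports, key=lambda r: r["meta_significance"], reverse=True)

def make_alert(sensor, attack_type, src_ip, dst_ip, ts):
    return {"sensor": sensor, "attack_type": attack_type,
            "src_ip": src_ip, "dst_ip": dst_ip, "ts": ts}

# Constructed sample alerts: two sensors report one flood; one reports a scan.
SAMPLE_ALERTS = [make_alert("ids-1", "denial of service", "192.0.2.7", "10.0.0.5", 1000),
                 make_alert("fw-2", "denial of service", "192.0.2.7", "10.0.0.5", 1012),
                 make_alert("ids-1", "intelligence gathering", "192.0.2.7", "10.0.0.9", 1030)]
```

Running `incident_reports(SAMPLE_ALERTS)` yields two incidents, the flood seen by both sensors ranked first because its target is both important and exposed to that attack class.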
Specification