Method and system for managing computer security information

US 7,089,428 B2
Filed: 04/27/2001
Issued: 08/08/2006
Est. Priority Date: 04/28/2000
Status: Active Grant

First Claim

Patent Images

1. A method for managing security information comprising the steps of:

receiving raw computer events with a fusion engine from one or more data sources, each data source comprising an intrusion detector that assigns a priority status to each raw computer event, each raw computer event comprising one of suspicious computer activity and a computer attack;

classifying the raw computer events with the fusion engine by assigning each raw computer event an event type parameter;

storing the raw computer events;

comparing each raw computer event and its type with computer environment information stored in a knowledge-based database;

assigning context parameters to each raw computer event based on the comparison of a respective computer event and its type with the computer environment information;

determining if a priority status of each raw computer event should be adjusted based on its assigned context parameters;

adjusting a priority status or leaving a priority status of a raw computer event in tact based on the determination step;

identifying one or more relationships between two or more raw computer events with the fusion engine to determine if the two or more raw computer events are part of a larger computer attack;

in response to identifying one or more relationships between two or more raw computer events, generating a mature correlation event message; and

displaying one or more mature correlation event messages on one or more consoles that describe relationships between raw computer events.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security management system includes a fusion engine which “fuses” or assembles information from multiple data sources and analyzes this information in order to detect relationships between raw events that may indicate malicious behavior and to provide an organized presentation of information to consoles without slowing down the processing performed by the data sources. The multiple data sources can comprise sensors or detectors that monitor network traffic or individual computers or both. The sensors can comprise devices that may be used in intrusion detection systems (IDS). The data sources can also comprise firewalls, audit systems, and other like security or IDS devices that monitor data traffic in real-time. The present invention can identify relationships between one or more real-time, raw computer events as they are received in real-time. The fusion engine can also assess and rank the risk of real-time raw events as well as mature correlation events.

238 Citations

37 Claims

1. A method for managing security information comprising the steps of:
- receiving raw computer events with a fusion engine from one or more data sources, each data source comprising an intrusion detector that assigns a priority status to each raw computer event, each raw computer event comprising one of suspicious computer activity and a computer attack;
  
  classifying the raw computer events with the fusion engine by assigning each raw computer event an event type parameter;
  
  storing the raw computer events;
  
  comparing each raw computer event and its type with computer environment information stored in a knowledge-based database;
  
  assigning context parameters to each raw computer event based on the comparison of a respective computer event and its type with the computer environment information;
  
  determining if a priority status of each raw computer event should be adjusted based on its assigned context parameters;
  
  adjusting a priority status or leaving a priority status of a raw computer event in tact based on the determination step;
  
  identifying one or more relationships between two or more raw computer events with the fusion engine to determine if the two or more raw computer events are part of a larger computer attack;
  
  in response to identifying one or more relationships between two or more raw computer events, generating a mature correlation event message; and
  
  displaying one or more mature correlation event messages on one or more consoles that describe relationships between raw computer events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the step of receiving raw computer events from one or more data sources further comprises the step of receiving real-time raw computer events from one of intrusion detection system, a detector within an intrusion detection system, and a firewall.
  - 3. The method of claim 1, wherein the step of receiving raw computer events from one or more data sources further comprises the step of receiving raw computer events from one of a file and database.
  - 4. The method of claim 1, wherein the step of classifying the raw computer events further comprises the steps of:
    - identifying an event type parameter for each raw computer event;
      
      comparing the event type parameter with an event type category of a list; and
      
      assigning each raw computer event to a corresponding event type category in the list.
  - 5. The method of claim 1, wherein the step of assigning context parameters to each raw computer event further comprises the steps of:
    - comparing parameters of each raw computer event with information in a database; and
      
      assigning additional parameters to each raw computer event relating to the environment of the raw computer event.
  - 6. The method of claim 5, wherein the additional parameters comprise one of a priority status, a vulnerability status, a historical frequency value, a source zone value, a destination zone value, a detector zone value, and a text string.
  - 7. The method of claim 1, wherein the step of adjusting a priority status or leaving a priority status of a raw computer event in tact based on the determination step further comprises the steps of:
    - identifying a priority status parameter of a raw computer event;
      
      comparing each raw computer event to information contained in a the knowledge-based database;
      
      changing the priority status parameter of a respective raw computer event if a match occurs in response to the comparison step; and
      
      leaving the priority status in tact if a match does not occur in response to the comparison step.
  - 8. The method of claim 1, wherein the step of identifying relationships between two or more raw computer events further comprises the steps of:
    - associating each raw computer event with one or more rules that correspond with a type parameter of the raw computer event; and
      
      applying each rule to its associated group of raw computer events; and
      
      determining if a computer attack or security breach has occurred based upon successful application of a rule.
  - 9. The method of claim 1, wherein the step of storing raw computer events further comprises the step of storing each raw computer event in a high speed memory device comprising random access memory (RAM).
  - 10. The method of claim 1, further comprising the step of determining the intent of a computer attack based upon the type of mature correlation event generated.
  - 11. The method of claim 1, further comprising the steps of;
    - creating a memory management list;
      
      identifying a time stamp for each raw computer event; and
      
      adding each raw computer event to the memory management list.
  - 12. The method of claim 1, further comprising the step of creating a raw computer event tracking index that identifies one or more software components that are monitoring one or more raw computer events.

13. A method for determining relationships between two or more computer events, comprising the steps of:
- receiving a plurality of raw computer events with a fusion engine from one or more intrusion detectors, each raw computer event having a first set of parameters and comprising one of suspicious computer activity and a computer attack;
  
  creating raw computer event storage areas based upon information received from a raw computer event classification database;
  
  storing each event in an event storage area based upon an event type parameter;
  
  comparing each raw computer event to data contained in a context database with the fusion engine to determine if the two or more raw computer events are part of a larger larger computer attack;
  
  adjusting a priority parameter or leaving the priority parameter in tact for each raw computer event in response to the comparison to the context database;
  
  associating each raw computer event with one or more correlation events;
  
  applying one or more rules to each raw computer event based upon the correlation event associations; and
  
  generating a mature correlation event message in response to each successful application of a rule.

14. A method for determining relationships between two or more computer events, comprising the steps of:
- receiving a plurality of raw computer events with a fusion engine from one or more intrusion detectors that assign a priority parameter to each raw computer event, each raw computer event having a first set of parameters and comprising one of suspicious computer activity and a computer attack;
  
  creating raw computer event storage areas based upon information received from a raw computer event classification database;
  
  storing each event in an event storage area based upon an event type parameter;
  
  comparing each raw computer event to data contained in a context database with the fusion engine to determine if the two or more raw computer events are part of a larger computer attack;
  
  adjusting a priority parameter or leaving the priority parameter in tack for each raw computer event in response to the comparison to the context database;
  
  associating each raw computer event with one or more correlation events;
  
  applying one or more rules corresponding with the event type parameters to each raw computer event based upon the correlation event associations; and
  
  generating a mature correlation event message in response to each successful application of a rule.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein the context database comprises any one of vulnerability values, computer event frequency values, source and destination zone values, and detector zone values.
  - 16. The method of claim 14, wherein the raw computer event classification database comprises tables that include information that categorizes raw computer events based on any one of the following:
    - how an activity indicated by a raw computer event may impact one or more target computers, how many target computers may be affected by an activity indicated by a raw computer event, and how activities indicated by respective raw computer events gain access to one or more target computers.
  - 17. A computer readable medium having computer-executable instructions for performing the steps recited in claim 14.

18. A security management system comprising:
- a plurality of data sources comprising intrusion detectors that assign a priority parameter to raw computer events;
  
  an event collector linked to the plurality of data sources;
  
  a fusion engine linked to the event collector, said fusion engine identifying relationships between two or more raw computer events generated by the data sources and adjusting each priority parameter if one or more conditions are met, the fusion engine using rules associated with event type parameters assigned to each raw computer event to determine if the two or more raw computer events are part of a larger computer attack, each raw computer event comprising one of suspicious computer activity and a computer attack; and
  
  a console linked to the event collector for displaying any output generated by the fusion engine.
- View Dependent Claims (19, 20, 21)
- - 19. The security management system of claim 18, wherein each intrusion detector runs in a kernel mode of a computer and the fusion engine runs in a user mode of the computer.
  - 20. The security management system of claim 18, wherein each intrusion detector comprises a chip, and the fusion engine comprises software running on a computer.
  - 21. The security management system of claim 18, wherein each intrusion detector comprises a board, and the fusion engine comprises software running on a computer.

22. A fusion engine comprising:
- a controller;
  
  an event reader for receiving raw computer events from intrusion detectors that assign a priority parameter to each raw computer event, each raw computer event comprising one of suspicious computer activity and a computer attack;
  
  a classifier linked to the event reader for classifying the received raw computer events;
  
  a raw computer event classification database linked to the classifier;
  
  a context based risk-adjustment processor linked to the classifier, for adjusting the priority parameters of raw computer events;
  
  a context database linked to the context based risk-adjustment processor for providing context parameters that are assigned to raw computer events and that are used by the context based risk-adjustment processor; and
  
  a rule database that comprises rules for identifying if one or more relationships exist between two or more events by determining if the two or more raw computer events are part of a larger computer attack.
- View Dependent Claims (23, 24, 25, 30)
- - 23. The fusion engine of claim 22, further comprising an event reporter, a mature event list, a memory management list, and a raw computer event tracking index.
  - 24. The fusion engine of claim 22, wherein the context database comprises any one of vulnerability values, computer event frequency values, source and destination zone values, and detector zone values.
  - 25. The fusion engine of claim 22, wherein the raw computer event classification database comprises tables that include information that categorizes raw computer events based on any one of the following:
    - how an activity indicated by a raw computer event may impact one or more target computers, how many target computers may be affected by an activity indicated by a raw computer event, and how activities indicated by respective raw computer events gain access to one or more target computers.
  - 30. The method of claim 24, wherein the first ranking comprises a priority status parameter, and the step of determining if the first ranking of each raw computer event should be adjusted based on its second ranking further comprises:
    - comparing the second ranking of each raw computer event to information contained in a context database;
      
      changing the priority status parameter of a respective raw computer event if a match occurs in response to the comparison step; and
      
      leaving the priority status in tact if a match does not occur in response to the comparison step.

26. A method for managing security information comprising the steps of:
- receiving with a fusion engine a raw computer event having a first ranking from one or more data sources comprising intrusion detectors, each raw computer event comprising one of suspicious computer activity and a computer attack;
  
  classifying the raw computer event with the fusion engine by assigning each raw computer event an event type parameter;
  
  storing the raw computer event;
  
  assigning a second ranking to the raw computer event with the fusion engine, the second ranking assesses risks of the raw computer event based upon a context of the raw computer event;
  
  determining if the first ranking each row computer event should be adjusted based on its second ranking; and
  
  identifying one or more relationships between two or more raw computer events by using rules associated with event type parameters to determine if the raw computer event is part of a larger computer attack.
- View Dependent Claims (27, 28, 29, 31)
- - 27. The method of claim 26, wherein the first ranking comprises one or more relative values measuring potential risk or damage that is associated with the raw computer event.
  - 28. The method of claim 26, wherein the step of assigning a second ranking to each raw computer event further comprises the steps of:
    - comparing parameters of each raw computer event with information in a database; and
      
      assigning additional parameters to each raw computer event relating to the environment of the raw computer event.
  - 29. The method of claim 28, wherein the additional parameters comprise at least one of a priority status, a vulnerability status, a historical frequency value, a source zone value, a destination zone value, a detector zone value, and a text string.
  - 31. A computer readable medium having computer-executable instructions for performing the steps recited in claim 26.

32. A method for managing security information comprising the steps of:
- receiving raw computer events with a fusion engine from one or more data sources comprising intrusion detectors that assign a priority status to each raw computer event, each raw computer event comprising one of suspicious computer activity and a computer attack;
  
  classifying the raw computer events with the fusion engine by assigning each raw computer event an event type parameter;
  
  assigning context parameters to each raw computer event based on the comparison of a respective computer event and its type parameter with computer environment information;
  
  determining if a priority status of each raw computer event should be adjusted based on its context parameters;
  
  grouping two or more raw computer events into a high level correlation event with the fusion engine if the two or more raw computer events are part of a larger computer attack;
  
  in response to grouping the two or more raw computer events, applying one or more rules to the raw computer events;
  
  generating a mature correlation event message if application of a rule is successful; and
  
  displaying one or more mature correlation event messages on a console that describe relationships between raw computer events.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. The method of claim 32, wherein the step of receiving raw computer events from one or more data sources further comprises the step of receiving real-time raw computer events from one of intrusion detection system, a detector within an intrusion detection system, and a firewall.
  - 34. The method of claim 32, wherein the step of receiving raw computer events from one or more data sources further comprises the step of receiving raw computer events from one of a file and database.
  - 35. The method of claim 32, wherein the step of classifying comprises the step of categorizing a raw computer event based on any one of the following:
    - how a raw computer event may impact one or more target computers, how many target computers that may be affected by a raw computer event, and how respective raw computer events gain access to one or more target computers.
  - 36. The method of claim 32, wherein the step of grouping two or more raw computer events further comprises the step of determining a time at which a respective raw computer event occurred relative to another raw computer event.
  - 37. A computer readable medium having computer-executable instructions for performing the steps recited in claim 32.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Internet Security Systems Incorporated (International Business Machines Corporation)
Inventors
Williams, Bryan Douglas, Mezack, Derek John, Brass, Philip Charles, Farley, Timothy P., Young, George C., Hammer, John M.
Primary Examiner(s)
ZAND, KAMBIZ
Assistant Examiner(s)
ZAND, KAMBIZ

Application Number

US09/844,447
Publication Number

US 20020078381A1
Time in Patent Office

1,929 Days
Field of Search

713/200, 713/201
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2151   Time stamp

H04L 41/065   involving logical or physic...

H04L 41/0686   Additional information in t...

H04L 41/28   Restricting access to netwo...

H04L 43/00   Arrangements for monitoring...

H04L 43/16   Threshold monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Method and system for managing computer security information

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

238 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing computer security information

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

238 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links