Method and system for managing computer security information
First Claim
1. A method for managing security information comprising the steps of:
receiving raw computer events with a fusion engine from one or more data sources, each data source comprising an intrusion detector that assigns a priority status to each raw computer event, each raw computer event comprising one of suspicious computer activity and a computer attack;
classifying the raw computer events with the fusion engine by assigning each raw computer event an event type parameter;
storing the raw computer events;
comparing each raw computer event and its type with computer environment information stored in a knowledge-based database;
assigning context parameters to each raw computer event based on the comparison of a respective computer event and its type with the computer environment information;
determining if a priority status of each raw computer event should be adjusted based on its assigned context parameters;
adjusting a priority status or leaving a priority status of a raw computer event intact based on the determination step;
identifying one or more relationships between two or more raw computer events with the fusion engine to determine if the two or more raw computer events are part of a larger computer attack;
in response to identifying one or more relationships between two or more raw computer events, generating a mature correlation event message; and
displaying one or more mature correlation event messages on one or more consoles that describe relationships between raw computer events.
Abstract
A security management system includes a fusion engine which “fuses” or assembles information from multiple data sources and analyzes this information in order to detect relationships between raw events that may indicate malicious behavior and to provide an organized presentation of information to consoles without slowing down the processing performed by the data sources. The multiple data sources can comprise sensors or detectors that monitor network traffic or individual computers or both. The sensors can comprise devices that may be used in intrusion detection systems (IDS). The data sources can also comprise firewalls, audit systems, and other like security or IDS devices that monitor data traffic in real-time. The present invention can identify relationships between one or more real-time, raw computer events as they are received in real-time. The fusion engine can also assess and rank the risk of real-time raw events as well as mature correlation events.
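The abstract above and independent claim 1 describe one pipeline: classify each raw event by type, compare it with a knowledge base of the computer environment to assign context, raise or lower the detector's own priority from that context, then apply rules to decide whether several raw events are part of a larger attack and, if so, emit a "mature correlation event" message for the console. The following Python is an added example written for this page, not code from the patent or from any product of its assignee. The signature names, host attributes, the rule that an exploit for a platform the target does not run is downgraded, the two correlation rules, and the sample events are all constructed for illustration; a real fusion engine would load them from the classification, context and rule databases the claims name.

```python
# Added example (not the patent's code): a minimal fusion engine that classifies
# raw IDS events, adjusts detector priority from asset context, and correlates
# related events into mature correlation event messages. All data is constructed.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RawEvent:
    ts: int          # seconds (constructed clock)
    src: str         # addresses as the detector reported them
    dst: str
    signature: str   # detector signature name (constructed)
    priority: int    # detector-assigned priority, 1 (low) .. 5 (high)
    event_type: str = "unknown"                  # set by classify()
    context: dict = field(default_factory=dict)  # set by assign_context()


# Classification database: signature -> event type parameter (constructed).
CLASSIFICATION_DB = {"PORTSCAN": "recon", "IIS_UNICODE_TRAVERSAL": "exploit",
                     "SMTP_OVERFLOW": "exploit", "OUTBOUND_SHELL": "compromise"}
# Knowledge base of the computer environment: host -> attributes (constructed).
CONTEXT_DB = {
    "10.0.0.5": {"os": "windows", "services": {"http"}, "criticality": "high"},
    "10.0.0.9": {"os": "linux", "services": {"smtp"}, "criticality": "low"},
}
# Platform/service an exploit signature is relevant to (constructed).
SIGNATURE_TARGETS = {"IIS_UNICODE_TRAVERSAL": {"os": "windows", "service": "http"},
                     "SMTP_OVERFLOW": {"service": "smtp"}}
# Correlation rules: (name, event-type sequence by one attacker against one
# victim, maximum window in seconds). Constructed for illustration.
CORRELATION_RULES = [
    ("recon_then_exploit", ["recon", "exploit"], 3600),
    ("exploit_then_compromise", ["exploit", "compromise"], 600),
]


def classify(ev):
    ev.event_type = CLASSIFICATION_DB.get(ev.signature, "unknown")
    return ev


def attacker_victim(ev):
    # A compromise detection (e.g. an outbound shell) is seen leaving the
    # victim, so attacker and victim are the reverse of src/dst there.
    return (ev.dst, ev.src) if ev.event_type == "compromise" else (ev.src, ev.dst)


def assign_context(ev):
    host = CONTEXT_DB.get(attacker_victim(ev)[1], {})
    target = SIGNATURE_TARGETS.get(ev.signature, {})
    ev.context = {
        "criticality": host.get("criticality", "unknown"),
        # does the signature's platform/service match what the victim runs?
        "applicable": ("os" not in target or target["os"] == host.get("os"))
        and ("service" not in target or target["service"] in host.get("services", ())),
    }
    return ev


def adjust_priority(ev):
    """Raise or lower the detector's priority from context, or leave it intact."""
    if ev.event_type == "exploit" and not ev.context["applicable"]:
        ev.priority = 1                        # exploit for a platform the victim lacks
    elif ev.context["criticality"] == "high":
        ev.priority = min(5, ev.priority + 1)  # anything aimed at a critical asset
    return ev


def correlate(events):
    """One mature correlation message per rule that fires per attacker/victim pair."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[attacker_victim(ev)].append(ev)
    messages = []
    for (attacker, victim), evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        for name, sequence, window in CORRELATION_RULES:
            chain = []  # walk the sequence in time order; priority-1 noise is ignored
            for ev in evs:
                if len(chain) < len(sequence) and ev.event_type == sequence[len(chain)] and ev.priority > 1:
                    chain.append(ev)
            if len(chain) == len(sequence) and chain[-1].ts - chain[0].ts <= window:
                messages.append({
                    "rule": name, "attacker": attacker, "victim": victim,
                    "signatures": [e.signature for e in chain],
                    "priority": max(e.priority for e in chain),
                })
    return messages


def fuse(raw):
    events = [adjust_priority(assign_context(classify(ev))) for ev in raw]
    return events, correlate(events)


def sample_events():
    """Constructed raw events, as an IDS sensor might report them."""
    return [
        RawEvent(100, "198.51.100.7", "10.0.0.5", "PORTSCAN", 2),
        RawEvent(400, "198.51.100.7", "10.0.0.5", "IIS_UNICODE_TRAVERSAL", 4),
        RawEvent(520, "10.0.0.5", "198.51.100.7", "OUTBOUND_SHELL", 5),
        RawEvent(700, "203.0.113.4", "10.0.0.9", "IIS_UNICODE_TRAVERSAL", 4),
        RawEvent(710, "203.0.113.4", "10.0.0.9", "SMTP_OVERFLOW", 4),
    ]


if __name__ == "__main__":
    for m in fuse(sample_events())[1]:
        print("MATURE CORRELATION EVENT:", m)
```

Run on the constructed sample, the two events against the Windows web host are raised because the asset is marked critical, the IIS traversal attempt against the Linux mail host is downgraded to priority 1 because its context says the signature cannot apply, and only the attacker who scanned, exploited and then obtained a shell on 10.0.0.5 produces mature correlation events. The point the claims make, and the example shows, is that the priority set by the sensor is only the starting value; the engine's context step is what separates a real exploit from a mis-targeted one before any correlation rule runs.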
238 Citations
37 Claims
1. A method for managing security information (independent claim; set out in full above under First Claim). - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
13. A method for determining relationships between two or more computer events, comprising the steps of:
receiving a plurality of raw computer events with a fusion engine from one or more intrusion detectors, each raw computer event having a first set of parameters and comprising one of suspicious computer activity and a computer attack;
creating raw computer event storage areas based upon information received from a raw computer event classification database;
storing each event in an event storage area based upon an event type parameter;
comparing each raw computer event to data contained in a context database with the fusion engine to determine if the two or more raw computer events are part of a larger computer attack;
adjusting a priority parameter or leaving the priority parameter intact for each raw computer event in response to the comparison to the context database;
associating each raw computer event with one or more correlation events;
applying one or more rules to each raw computer event based upon the correlation event associations; and
generating a mature correlation event message in response to each successful application of a rule.
14. A method for determining relationships between two or more computer events, comprising the steps of:
receiving a plurality of raw computer events with a fusion engine from one or more intrusion detectors that assign a priority parameter to each raw computer event, each raw computer event having a first set of parameters and comprising one of suspicious computer activity and a computer attack;
creating raw computer event storage areas based upon information received from a raw computer event classification database;
storing each event in an event storage area based upon an event type parameter;
comparing each raw computer event to data contained in a context database with the fusion engine to determine if the two or more raw computer events are part of a larger computer attack;
adjusting a priority parameter or leaving the priority parameter intact for each raw computer event in response to the comparison to the context database;
associating each raw computer event with one or more correlation events;
applying one or more rules corresponding with the event type parameters to each raw computer event based upon the correlation event associations; and
generating a mature correlation event message in response to each successful application of a rule. - View Dependent Claims (15, 16, 17)
18. A security management system comprising:
a plurality of data sources comprising intrusion detectors that assign a priority parameter to raw computer events;
an event collector linked to the plurality of data sources;
a fusion engine linked to the event collector, said fusion engine identifying relationships between two or more raw computer events generated by the data sources and adjusting each priority parameter if one or more conditions are met, the fusion engine using rules associated with event type parameters assigned to each raw computer event to determine if the two or more raw computer events are part of a larger computer attack, each raw computer event comprising one of suspicious computer activity and a computer attack; and
a console linked to the event collector for displaying any output generated by the fusion engine. - View Dependent Claims (19, 20, 21)
22. A fusion engine comprising:
a controller;
an event reader for receiving raw computer events from intrusion detectors that assign a priority parameter to each raw computer event, each raw computer event comprising one of suspicious computer activity and a computer attack;
a classifier linked to the event reader for classifying the received raw computer events;
a raw computer event classification database linked to the classifier;
a context based risk-adjustment processor linked to the classifier, for adjusting the priority parameters of raw computer events;
a context database linked to the context based risk-adjustment processor for providing context parameters that are assigned to raw computer events and that are used by the context based risk-adjustment processor; and
a rule database that comprises rules for identifying if one or more relationships exist between two or more events by determining if the two or more raw computer events are part of a larger computer attack. - View Dependent Claims (23, 24, 25, 30)
26. A method for managing security information comprising the steps of:
receiving with a fusion engine a raw computer event having a first ranking from one or more data sources comprising intrusion detectors, each raw computer event comprising one of suspicious computer activity and a computer attack;
classifying the raw computer event with the fusion engine by assigning each raw computer event an event type parameter;
storing the raw computer event;
assigning a second ranking to the raw computer event with the fusion engine, the second ranking assessing the risk of the raw computer event based upon a context of the raw computer event;
determining if the first ranking of each raw computer event should be adjusted based on its second ranking; and
identifying one or more relationships between two or more raw computer events by using rules associated with event type parameters to determine if the raw computer event is part of a larger computer attack. - View Dependent Claims (27, 28, 29, 31)
32. A method for managing security information comprising the steps of:
receiving raw computer events with a fusion engine from one or more data sources comprising intrusion detectors that assign a priority status to each raw computer event, each raw computer event comprising one of suspicious computer activity and a computer attack;
classifying the raw computer events with the fusion engine by assigning each raw computer event an event type parameter;
assigning context parameters to each raw computer event based on the comparison of a respective computer event and its type parameter with computer environment information;
determining if a priority status of each raw computer event should be adjusted based on its context parameters;
grouping two or more raw computer events into a high level correlation event with the fusion engine if the two or more raw computer events are part of a larger computer attack;
in response to grouping the two or more raw computer events, applying one or more rules to the raw computer events;
generating a mature correlation event message if application of a rule is successful; and
displaying one or more mature correlation event messages on a console that describe relationships between raw computer events. - View Dependent Claims (33, 34, 35, 36, 37)