Presentation of correlated events as situation classes

US 7,278,160 B2
Filed: 08/16/2001
Issued: 10/02/2007
Est. Priority Date: 08/16/2001
Status: Active Grant

First Claim

Patent Images

1. A method in a data processing system for reporting security situations, comprising the steps of:

logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;

classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;

calculating severity levels for the groups, wherein a severity level for a group is a function of a number of events comprising the group and values of common elements in the group;

reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value; and

aggregating a subset of the groups into a combined group.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.

53 Citations

View as Search Results

18 Claims

1. A method in a data processing system for reporting security situations, comprising the steps of:
- logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
  
  classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;
  
  calculating severity levels for the groups, wherein a severity level for a group is a function of a number of events comprising the group and values of common elements in the group;
  
  reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value; and
  
  aggregating a subset of the groups into a combined group.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the severity levels are calculated based on at least one of the number of event sets within each of the groups, the source attribute of the event sets within each of the groups, the target attribute of the event sets within each of the groups, and the event category attribute of the event sets within each of the groups.
  - 3. The method of claim 1, wherein the events include at least one of a web server event, an electronic mail event, a Trojan horse, denial of service, a virus, a network event, an authentication failure, and an access violation.
  - 4. The method of claim 1, further comprising:
    - calculating the threshold value based on at least one of the source attribute of the event sets within the group, the target attribute of the event sets within the group, the event category attribute in each event set of the group, and the number of attributes in each event set of the group that are held constant across all of the event sets in the group.
  - 5. The method of claim 1, wherein the target attribute represents one of a computer or a collection of computers.
  - 6. The method of claim 1, wherein the source attribute represents one of a computer or a collection of computers.

7. A computer program product stored in a computer readable storage medium for reporting security events, comprising instructions for:
- logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
  
  classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;
  
  calculating severity levels for the groups, wherein a severity level for a group is a function of a number of events comprising the group and values of common elements in the group;
  
  reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value; and
  
  aggregating a subset of the groups into a combined group.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, wherein the severity levels are calculated based on at least one of the number of event sets within each of the groups, the source attribute of the event sets within each of the groups, the target attribute of the event sets within each of the groups, and the event category attribute of the event sets within each of the groups.
  - 9. The computer program product of claim 7, wherein the events include at least one of a web server event, an electronic mail event, a Trojan horse, denial of service, a virus, a network event, an authentication failure, and an access violation.
  - 10. The computer program product of claim 7, comprising additional instructions for:
    - calculating the threshold value based on at least one of the source attribute of the event sets within the group, the target attribute of the event sets within the group, the event category attribute in each event set of the group, and the number of attributes in each event set of the group that are held constant across all of the event sets in the group.
  - 11. The computer program product of claim 7, wherein the target attribute represents one of a computer or a collection of computers.
  - 12. The computer program product of claim 7, wherein the source attribute represents one of a computer or a collection of computers.

13. A data processing system for reporting security events, comprising:
- a bus system;
  
  a memory;
  
  a processing unit, wherein the processing unit includes at least one processor; and
  
  a set of instructions within the memory, wherein the processing unit executes the set of instructions to perform the acts of;
  
  logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
  
  classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;
  
  calculating severity levels for the groups, wherein a severity level for a group is a function of a number of events comprising the group and values of common elements in the group;
  
  reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value; and
  
  aggregating a subset of the groups into a combined group.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The data processing system of claim 13, wherein the severity levels are calculated based on at least one of the number of event sets within each of the groups, the source attribute of the event sets within each of the groups, the target attribute of the event sets within each of the groups, and the event category attribute of the event sets within each of the groups.
  - 15. The data processing system of claim 13, wherein the events include at least one of a web server event, an electronic mail event, a Trojan horse, denial of service, a virus, a network event, an authentication failure, and an access violation.
  - 16. The data processing system of claim 13, wherein the processing unit executes the set of instructions to perform the act of:
    - calculating the threshold value based on at least one of the source attribute of the event sets within the group, the target attribute of the event sets within the group, the event category attribute in each event set of the group, and the number of attributes in each event set of the group that are held constant across all of the event sets in the group.
  - 17. The data processing system of claim 13, wherein the target attribute represents one of a computer or a collection of computers.
  - 18. The data processing system of claim 13, wherein the source attribute represents one of a computer or a collection of computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Black, Steven, Garrison, John Michael, Debar, Herve
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Chai, Longbit

Application Number

US09/931,301
Publication Number

US 20030041264A1
Time in Patent Office

2,238 Days
Field of Search

340500-506, 713200-201, 713/154, 713/188, 713/182, 726/7, 726 22- 25
US Class Current

726/23
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

Presentation of correlated events as situation classes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Presentation of correlated events as situation classes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links