Presentation of correlated events as situation classes
First Claim
1. A method in a data processing system for reporting security situations, comprising the steps of:
logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;
calculating severity levels for the groups, wherein a severity level for a group is a function of a number of events comprising the group and values of common elements in the group;
reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value; and
aggregating a subset of the groups into a combined group.
Abstract
A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
18 Claims
1. (independent claim, reproduced in full above under First Claim)
Dependent claims: 2, 3, 4, 5 and 6.
7. A computer program product stored in a computer readable storage medium for reporting security events, comprising instructions for:
logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;
calculating severity levels for the groups, wherein a severity level for a group is a function of a number of events comprising the group and values of common elements in the group;
reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value; and
aggregating a subset of the groups into a combined group.
Dependent claims: 8, 9, 10, 11 and 12.
13. A data processing system for reporting security events, comprising:
a bus system;
a memory;
a processing unit, wherein the processing unit includes at least one processor; and
a set of instructions within the memory, wherein the processing unit executes the set of instructions to perform the acts of:
logging events by storing event attributes as an event set, wherein each event set includes a source attribute, a target attribute and an event category attribute;
classifying events as groups by aggregating events with at least one attribute within the event set as an identical value;
calculating severity levels for the groups, wherein a severity level for a group is a function of a number of events comprising the group and values of common elements in the group;
reporting a group from the groups to a user as a situation, if a severity level of the group exceeds a threshold value; and
aggregating a subset of the groups into a combined group.
Dependent claims: 14, 15, 16, 17 and 18.
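The method that the three independent claims describe, as an added worked example in Python (this is not the patent's own code, nor any product's implementation): events are stored as source/target/category attribute sets, classified into groups that share an identical attribute value, scored by a severity function of group size and the common element's value, reported as situations when the score exceeds a threshold, and groups that overlap are aggregated into a combined group. The sample events, the weight tables, the threshold of 3 and the rule that groups sharing at least one event are the ones combined are all assumptions of this example; the claims fix none of them.

```python
"""Added worked example of the claimed correlation method (not code from the
patent). Events are stored as attribute sets, classified into groups that share
an identical attribute value, scored, reported as situations when the score
exceeds a threshold, and groups that share an event are aggregated into a
combined group. Sample events, weights, threshold and merge rule are assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One logged event with the three attributes claim 1 requires."""
    event_id: int
    source: str
    target: str
    category: str


@dataclass
class Situation:
    """A reported group: the common element, its severity and its event ids."""
    key: tuple            # (attribute, value) shared by every member event
    severity: int
    event_ids: frozenset


# Constructed sample log (not from the patent); addresses are documentation ranges.
EVENTS = [
    Event(1, "203.0.113.7", "10.0.0.5", "port_scan"),
    Event(2, "203.0.113.7", "10.0.0.6", "port_scan"),
    Event(3, "203.0.113.7", "10.0.0.7", "port_scan"),
    Event(4, "203.0.113.7", "10.0.0.5", "login_failure"),
    Event(5, "198.51.100.9", "10.0.0.5", "login_failure"),
    Event(6, "198.51.100.9", "10.0.0.5", "login_failure"),
    Event(7, "192.0.2.44", "10.0.0.9", "exploit_attempt"),
    Event(8, "10.0.0.20", "10.0.0.21", "malware"),
]

# Assumed weights for the "values of common elements" term; the patent fixes no numbers.
CATEGORY_WEIGHT = {"port_scan": 1, "login_failure": 2, "exploit_attempt": 5, "malware": 8}
ASSET_WEIGHT = {"10.0.0.5": 3}        # assumed critical host; other targets weigh 1
INTERNAL_PREFIX = "10."               # assumed: an internal source is more alarming


def classify(events, attribute):
    """Classify events into groups whose `attribute` has an identical value.
    Returns {(attribute, value): [events]}."""
    groups = defaultdict(list)
    for ev in events:
        groups[(attribute, getattr(ev, attribute))].append(ev)
    return dict(groups)


def element_weight(attribute, value):
    """Weight of the common element shared by a group (assumed scheme)."""
    if attribute == "category":
        return CATEGORY_WEIGHT.get(value, 1)
    if attribute == "target":
        return ASSET_WEIGHT.get(value, 1)
    return 2 if value.startswith(INTERNAL_PREFIX) else 1


def severity(key, events):
    """Severity as the claim states it: a function of the number of events in
    the group and the value of the element they have in common."""
    attribute, value = key
    return len(events) * element_weight(attribute, value)


def report_situations(events, threshold, attributes=("source", "target", "category")):
    """Classify on each attribute and report every group whose severity
    exceeds `threshold`, highest severity first."""
    situations = []
    for attribute in attributes:
        for key, members in classify(events, attribute).items():
            score = severity(key, members)
            if score > threshold:
                situations.append(Situation(key, score, frozenset(ev.event_id for ev in members)))
    return sorted(situations, key=lambda s: s.severity, reverse=True)


def combine(situations):
    """Aggregate situations that share at least one event into a combined group
    (assumed merge rule, union-find over event overlap).
    Returns [(sorted member keys, union of event ids, summed severity)]."""
    parent = list(range(len(situations)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(situations)):
        for j in range(i + 1, len(situations)):
            if situations[i].event_ids & situations[j].event_ids:
                parent[find(i)] = find(j)
    components = defaultdict(list)
    for i, s in enumerate(situations):
        components[find(i)].append(s)
    combined = []
    for members in components.values():
        keys = sorted(s.key for s in members)
        ids = frozenset().union(*(s.event_ids for s in members))
        combined.append((keys, ids, sum(s.severity for s in members)))
    return sorted(combined, key=lambda c: c[2], reverse=True)


if __name__ == "__main__":
    found = report_situations(EVENTS, threshold=3)
    for s in found:
        print(f"situation {s.key}: severity {s.severity}, events {sorted(s.event_ids)}")
    for keys, ids, score in combine(found):
        print(f"combined {keys}: severity {score}, events {sorted(ids)}")
```

Because classification runs independently on each attribute, one event can sit in several groups (the scan of the critical host is in the scanner's source group, the host's target group and the port_scan category group). That overlap is what the final aggregating step uses: the scanner, the host it hit and the login failures against that host collapse into one combined situation, while the lone exploit attempt and the internal malware event stay separate. Note that the port_scan category group alone never reaches the threshold; it is only surfaced through the higher-scoring groups it overlaps.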
Specification