System, method and computer program product for correlating information from a plurality of sensors

US 7,313,821 B1
Filed: 04/13/2006
Issued: 12/25/2007
Est. Priority Date: 04/13/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

receiving information from a plurality of sensors associated with at least one computer, the information relating to events that have occurred at the at least one computer;

correlating the information;

conditionally reacting based on the information;

generating a map of the information utilizing at least one correlation unit;

creating instructions based on the map at the at least one correlation unit; and

transmitting the instructions to at least one of the sensors;

wherein the instructions are transmitted as a data vector;

wherein the data vector is a 3-dimensional data vector that comprises;

a destination port dimension;

a source internet protocol (IP) address dimension; and

a destination IP address dimension; and

wherein values in the 3-dimensional data vector are utilized as coordinates for plotting the information on the map.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system, method and computer program product are provided. In use, information from a plurality of sensors associated with at least one computer is received, where such information relates to events that have occurred at the at least one computer. Thereafter, the information is correlated, and a reaction is conditionally performed based on the information.

Citations

19 Claims

1. A method, comprising:
- receiving information from a plurality of sensors associated with at least one computer, the information relating to events that have occurred at the at least one computer;
  
  correlating the information;
  
  conditionally reacting based on the information;
  
  generating a map of the information utilizing at least one correlation unit;
  
  creating instructions based on the map at the at least one correlation unit; and
  
  transmitting the instructions to at least one of the sensors;
  
  wherein the instructions are transmitted as a data vector;
  
  wherein the data vector is a 3-dimensional data vector that comprises;
  
  a destination port dimension;
  
  a source internet protocol (IP) address dimension; and
  
  a destination IP address dimension; and
  
  wherein values in the 3-dimensional data vector are utilized as coordinates for plotting the information on the map.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the sensors include software processes.
  - 3. The method of claim 1, wherein the sensors include hardware units.
  - 4. The method of claim 1, wherein the information is correlated utilizing the at least one correlation unit.
  - 5. The method of claim 1, wherein the information identifies potentially undesirable activity detected by the sensors.
  - 6. The method of claim 1, wherein the information is translated into a hash at the plurality of sensors.
  - 7. The method of claim 1, wherein the plurality of sensors filter the information prior to the information being correlated.
  - 8. The method of claim 1, further comprising transmitting the information from the plurality of sensors to the at least one correlation unit utilizing a first abstract transmission protocol, where the at least one correlation unit correlates the information.
  - 9. The method of claim 8, wherein the first abstract transmission protocol transforms the information into a universal format.
  - 10. The method of claim 8, wherein the information and the instructions are transmitted with a severity indicator, location information for routing, a timestamp, and sensor type information.
  - 11. The method of claim 1, further comprising transmitting the map or a derivative of the map from the at least one correlation unit to an additional correlation unit at a next hierarchical level.
  - 12. The method of claim 1, wherein the instructions identify at least one action to be taken by the at least one sensor.
  - 13. The method of claim 8, wherein the instructions are transmitted to the at least one sensor utilizing a second abstract transmission protocol, the second abstract transmission protocol having a universal format.
  - 14. The method of claim 8, wherein the information and the instructions are each transmitted as data vectors.
  - 15. The method of claim 5, wherein each element in each data vector includes a type identifier and an associated value.
  - 16. The method of claim 8, wherein the information and the instructions are transmitted with at least one of a severity indicator, location information for routing, a timestamp, and sensor type information.
  - 17. The method of claim 1, wherein the reacting is carried out to counter terrorism by generating responses and reacting based on the correlated information.

18. A computer program product embodied on a computer readable medium, comprising:
- computer code for receiving information from a plurality of sensors associated with at least one computer, the information relating to events that have occurred at the at least one computer;
  
  computer code for correlating the information;
  
  computer code for conditionally reacting based on the information;
  
  computer code for generating a map of the information utilizing at least one correlation unit;
  
  computer code for creating instructions based on the map at the at least one correlation unit; and
  
  computer code for transmitting the instructions to at least one of the sensors;
  
  wherein the instructions are transmitted as a data vector;
  
  wherein the data vector is a 3-dimensional data vector that comprises;
  
  a destination port dimension;
  
  a source internet protocol (IP) address dimension; and
  
  a destination IP address dimension; and
  
  wherein values in the 3-dimensional data vector are utilized as coordinates for plotting the information on the map.

19. A system, comprising:
- a plurality of sensors associated with at least one computer for communicating information utilizing a network, the information relating to events that have occurred at the at least one computer;
  
  at least one correlation unit for receiving and correlating the information, the at least one correlation unit further adapted to generate a map of the information;
  
  creating instructions based on the map, and transmit the instructions to at least one of the sensors;
  
  wherein the instructions are transmitted as a data vector;
  
  wherein the data vector is a 3-dimensional data vector that comprises;
  
  a destination port dimension;
  
  a source internet protocol (IP) address dimension; and
  
  a destination IP address dimension; and
  
  wherein values in the 3-dimensional data vector are utilized as coordinates for plotting the information on the map.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Steiner, Thomas C. H., Mayr, Johannes, Schlemmer, Andreas
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/404,422
Time in Patent Office

621 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

System, method and computer program product for correlating information from a plurality of sensors

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and computer program product for correlating information from a plurality of sensors

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links