System and method for intruder tracking using advanced correlation in a network security system
Abstract
A method for correlating event information comprises receiving event information for a plurality of detected events wherein the event information for a particular detected event comprises a plurality of attributes associated with that detected event. The method continues by assigning a plurality of attribute values to each detected event, the attribute values of each detected event defining a point in n-dimensional space. The method continues by storing the event information for each detected event in accordance with the attribute values assigned to that detected event. The method continues by receiving a target event comprising a plurality of attributes wherein the attributes of the target event are associated with attribute values and the attribute values of the target event define a target point in n-dimensional space. The method continues by receiving a plurality of proximity limits that define a portion of n-dimensional space surrounding the target point. The method concludes by identifying a plurality of detected events wherein the points defined by the attribute values of the identified detected events are within the portion of n-dimensional space defined by the proximity limits.
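The procedure in the abstract, as an added worked example in Python (this is not code from the patent or its assignee). It maps each detected event to a point in n-dimensional attribute space, stores the events in a grid index keyed by their quantised coordinates (one way of "storing in accordance with the attribute values"), and answers a target-event query with per-dimension proximity limits by scanning only the buckets that the surrounding box overlaps. The attribute names, the choice of an axis-aligned box as the "portion of n-dimensional space", the bucket widths and the sample events are all constructed for illustration.

```python
"""Correlation of detected events by proximity in n-dimensional attribute space.

Added illustration, not the patent's own code. Attribute names, bucket widths
and sample events are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import itertools
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical attribute order; the index of each name is its dimension.
DIMENSIONS: Tuple[str, ...] = ("timestamp", "src_ip", "dst_port", "severity")

Point = Tuple[float, ...]


@dataclass(frozen=True)
class Event:
    event_id: str
    attributes: Dict[str, object]


def to_point(event: Event) -> Point:
    """Assign one numeric attribute value per dimension (the 'point' of the claim)."""
    a = event.attributes
    return (
        float(a["timestamp"]),
        float(int(ipaddress.ip_address(a["src_ip"]))),  # IPs become integers
        float(a["dst_port"]),
        float(a["severity"]),
    )


class EventStore:
    """Grid index: events are bucketed by floor(coordinate / width) per dimension,
    so a box query touches only the buckets that the box overlaps."""

    def __init__(self, bucket_widths: Tuple[float, ...]) -> None:
        if len(bucket_widths) != len(DIMENSIONS):
            raise ValueError("one bucket width per dimension is required")
        self.bucket_widths = bucket_widths
        self.buckets: Dict[Tuple[int, ...], List[Tuple[Event, Point]]] = {}

    def _key(self, point: Point) -> Tuple[int, ...]:
        return tuple(math.floor(v / w) for v, w in zip(point, self.bucket_widths))

    def store(self, event: Event) -> Point:
        """Store the event under the bucket derived from its attribute values."""
        point = to_point(event)
        self.buckets.setdefault(self._key(point), []).append((event, point))
        return point

    def within(self, target: Point, limits: Tuple[float, ...]) -> List[Event]:
        """Return stored events whose point lies within target[i] +/- limits[i]
        in every dimension, i.e. inside the box the proximity limits define."""
        lo = tuple(t - l for t, l in zip(target, limits))
        hi = tuple(t + l for t, l in zip(target, limits))
        # Only buckets between the low and high corner keys can hold a hit.
        ranges = [range(a, b + 1) for a, b in zip(self._key(lo), self._key(hi))]
        hits: List[Event] = []
        for key in itertools.product(*ranges):
            for event, point in self.buckets.get(key, []):
                if all(l <= p <= h for l, p, h in zip(lo, point, hi)):
                    hits.append(event)
        return sorted(hits, key=lambda e: e.event_id)


# Constructed sample sensor events (not real traffic).
SAMPLE_EVENTS = [
    Event("e1", {"timestamp": 1000, "src_ip": "10.0.0.5", "dst_port": 22, "severity": 3}),
    Event("e2", {"timestamp": 1030, "src_ip": "10.0.0.9", "dst_port": 22, "severity": 4}),
    Event("e3", {"timestamp": 1100, "src_ip": "10.0.0.7", "dst_port": 445, "severity": 2}),
    Event("e4", {"timestamp": 5000, "src_ip": "10.0.0.5", "dst_port": 22, "severity": 5}),
    Event("e5", {"timestamp": 1050, "src_ip": "192.168.1.20", "dst_port": 22, "severity": 3}),
]
# Constructed target event: the one flagged as threatening the network.
TARGET = Event("target", {"timestamp": 1040, "src_ip": "10.0.0.6", "dst_port": 22, "severity": 4})
# Bucket widths: 60 s, a /24 of address space, 1024 ports, one severity step.
BUCKET_WIDTHS = (60.0, 256.0, 1024.0, 1.0)


def correlate(events: List[Event], target: Event, limits: Tuple[float, ...]) -> List[str]:
    """Store all events, then return the ids of those near the target."""
    store = EventStore(BUCKET_WIDTHS)
    for ev in events:
        store.store(ev)
    return [ev.event_id for ev in store.within(to_point(target), limits)]


if __name__ == "__main__":
    # +/- 120 s, same /24 (255 addresses), identical port, severity +/- 2.
    print(correlate(SAMPLE_EVENTS, TARGET, (120.0, 255.0, 0.0, 2.0)))
```

Widening a single limit changes which events correlate: with the port limit raised to 500 the SMB event `e3` joins `e1` and `e2`, while `e4` (too old) and `e5` (other subnet) stay excluded regardless, which is the practical value of per-dimension limits over a single distance threshold.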
31 Claims
1. A method for correlating event information, comprising:
- receiving event information for a plurality of detected events wherein:
  - the event information for a particular detected event comprises a plurality of attributes associated with the particular detected event; and
  - the particular detected event is associated with at least one data packet in an enterprise network;
- assigning a plurality of attribute values to each detected event, the attribute values of each detected event defining a point in n-dimensional space;
- storing the event information for each detected event in accordance with the attribute values assigned to that detected event;
- receiving a target event comprising a plurality of attributes wherein:
  - the target event is associated with at least one data packet that threatens the enterprise network;
  - the attributes of the target event are associated with attribute values; and
  - the attribute values of the target event define a target point in n-dimensional space;
- receiving a plurality of proximity limits that define a portion of n-dimensional space surrounding the target point; and
- identifying a plurality of detected events wherein the points defined by the attribute values of the identified detected events are within the portion of n-dimensional space defined by the proximity limits.

Dependent claims: 2-11 (not reproduced on this page).
12. A system for correlating event information, comprising:
- at least one sensor operable to receive event information for a plurality of detected events wherein:
  - the event information for a particular detected event comprises a plurality of attributes associated with the particular detected event; and
  - the particular detected event is associated with at least one data packet in an enterprise network;
- at least one processor operable to:
  - assign a plurality of attribute values to each detected event, the attribute values of each detected event defining a point in n-dimensional space;
  - receive a target event comprising a plurality of attributes wherein:
    - the target event is associated with at least one data packet that threatens the enterprise network;
    - the attributes of the target event are associated with attribute values; and
    - the attribute values of the target event define a target point in n-dimensional space;
  - receive a plurality of proximity limits that define a portion of n-dimensional space surrounding the target point; and
  - identify a plurality of detected events wherein the points defined by the attribute values of the identified detected events are within the portion of n-dimensional space defined by the proximity limits; and
- at least one memory module operable to store the event information for each detected event in accordance with the attribute values assigned to that detected event.

Dependent claims: 13-21 (not reproduced on this page).
22. An apparatus for correlating event information, comprising:
- at least one processor operable to:
  - receive event information for a plurality of detected events wherein:
    - the event information for a particular detected event comprises a plurality of attributes associated with the particular detected event; and
    - the particular detected event is associated with at least one data packet in an enterprise network;
  - assign a plurality of attribute values to each detected event, the attribute values of each detected event defining a point in n-dimensional space;
  - receive a target event comprising a plurality of attributes wherein:
    - the target event is associated with at least one data packet that threatens the enterprise network;
    - the attributes of the target event are associated with attribute values; and
    - the attribute values of the target event define a target point in n-dimensional space;
  - receive a plurality of proximity limits that define a portion of n-dimensional space surrounding the target point; and
  - identify a plurality of detected events wherein the points defined by the attribute values of the identified detected events are within the portion of n-dimensional space defined by the proximity limits; and
- at least one memory module operable to store the event information for each detected event in accordance with the attribute values assigned to that detected event.

Dependent claims: 23-31 (not reproduced on this page).