Security incident identification and prioritization

US 7,356,843 B1
Filed: 10/01/2003
Issued: 04/08/2008
Est. Priority Date: 10/01/2003
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a computer environment, comprising:

providing an archive index that includes for each of one or more stored objects a corresponding archive index entry indicative of a state of the stored object at an archive time with which the entry is associated;

comparing with the archive index a system index generated at a system index time subsequent to the archive time;

generating based on the comparison a first event if the comparison indicates that a first stored object associated with the system index has been modified since the archive time; and

determining whether a correlation exists between the first event and a second event generated in connection with a monitoring process associated with the computer environment.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for protecting a computer environment. The technique comprises providing an index; comparing a first event with the index; determining whether the first event is unusual; and determining whether a security incident associated with the first event has occurred.

Citations

18 Claims

1. A method for protecting a computer environment, comprising:
- providing an archive index that includes for each of one or more stored objects a corresponding archive index entry indicative of a state of the stored object at an archive time with which the entry is associated;
  
  comparing with the archive index a system index generated at a system index time subsequent to the archive time;
  
  generating based on the comparison a first event if the comparison indicates that a first stored object associated with the system index has been modified since the archive time; and
  
  determining whether a correlation exists between the first event and a second event generated in connection with a monitoring process associated with the computer environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method for protecting a computer environment as recited in claim 1, wherein the first event indicates that a file has been modified.
  - 3. A method for protecting a computer environment as recited in claim 1, wherein comparing includes looking up an identifier of a file in the archive index.
  - 4. A method for protecting a computer environment as recited in claim 3, wherein the identifier includes a signature.
  - 5. A method for protecting a computer environment as recited in claim 3, wherein the identifier includes a signature generated by a hash function.
  - 6. A method for protecting a computer environment as recited in claim 3, wherein the identifier includes a signature generated by a checksum function.
  - 7. A method for protecting a computer environment as recited in claim 1, wherein the first event indicates that a file has been modified, and comparing includes comparing a number of occurrences of the file in the index with a threshold.
  - 8. A method for protecting a computer environment as recited in claim 1, wherein the first event indicates that a file has been modified, and comparing includes comparing a number of occurrences of the file in the archive index with a threshold.
  - 9. A method for protecting a computer environment as recited in claim 1, further comprising determining a priority of a security incident if it is determined that a correlation exists between the first event and the second event.
  - 10. A method for protecting a computer environment as recited in claim 1, further comprising determining a degree of unusualness for the first event.
  - 11. A method for protecting a computer environment as recited in claim 1, further comprising determining a degree of unusualness for the first event and determining a priority of a security incident based on the degree of unusualness.
  - 12. A method for protecting a computer environment as recited in claim 1, wherein the archive index includes a file signature.
  - 13. A method for protecting a computer environment as recited in claim 1, wherein the archive index includes file revision information.
  - 14. A method for protecting a computer environment as recited in claim 1, wherein the archive index is stored in a database.
  - 15. A method for protecting a computer environment as recited in claim 1, wherein the archive index is stored in an extensible markup language (XML) file.
  - 16. A method for protecting a computer environment as recited in claim 1, wherein the archive index is cached.

17. A system for protecting a computer environment, comprising:
- a processor configured to provide an archive index that includes for each of one or more stored objects a corresponding archive index entry indicative of a state of the stored object at an archive time with which the entry is associated, compare with the archive index a system index generated at a system index time subsequent to the archive time, generate based on the comparison a first event if the comparison indicates that a first stored object associated with the system index has been modified since the archive time, and determine whether a correlation exists between the first event and a second event generated in connection with a monitoring process associated with the computer environment; and
  
  a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions.

18. A computer program product for protecting a computer environment, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:
- providing an archive index that includes for each of one or more stored objects a corresponding archive index entry indicative of a state of the stored object at an archive time with which the entry is associated;
  
  comparing with the archive index a system index generated at a system index time subsequent to the archive time;
  
  generating based on the comparison a first event if the comparison indicates that a first stored object associated with the system index has been modified since the archive time; and
  
  determining whether a correlation exists between the first event and a second event generated in connection with a monitoring process associated with the computer environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kingsford, Bryan E.
Primary Examiner(s)
Truong; Thanhnga B.

Application Number

US10/677,630
Time in Patent Office

1,651 Days
Field of Search

707/10, 707/100, 707/204, 707/200, 713/165, 713/167, 713/176, 726 22- 25, 705/51
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/64   Protecting data integrity, ...

Y10S 707/99953   Recoverability

Security incident identification and prioritization

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security incident identification and prioritization

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links