Network security monitoring system
Abstract
A security monitoring system processes event messages related to computer network security in real time, evaluating inter-event constraints so as to identify combinations of events that are partial solutions to a predefined event correlation rule, and furthermore evaluating combinations of the partial solutions to determine if they together satisfy the predefined event correlation rule. A decision tree is formed based on the rule. Event messages are categorized into groups at leaf nodes of the tree in accordance with a plurality of intra-event constraints, and then the messages are correlated in accordance with a plurality of inter-event constraints at non-leaf nodes of the tree. When the inter-event constraint at a root node of the tree has been satisfied, a network attack alert is issued and protective actions may be taken.
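A minimal Python rendering of the tree the abstract describes, added here as an illustration and not code from the patent: leaf nodes hold intra-event constraints and store single-event partial solutions as messages arrive, non-leaf nodes are invoked later and join their children's partial solutions under an inter-event constraint, and anything stored at the root is an alert. The rule, the event fields (t, type, src, user), the time windows and the sample stream are all constructed for this example.

```python
from typing import Callable, Dict, List, Tuple
Event = Dict[str, object]      # one event message: its event parameters
Partial = Tuple[Event, ...]    # a partial solution: an ordered set of event messages

class Leaf:  # leaf node: an intra-event constraint tested against each incoming message
    def __init__(self, match: Callable[[Event], bool]):
        self.match, self.partials = match, []

class Node:  # non-leaf node: an inter-event constraint joining its two children's partials
    def __init__(self, left, right, constraint: Callable[[Partial, Partial], bool]):
        self.left, self.right, self.constraint, self.partials = left, right, constraint, []

def ingest(leaves: List[Leaf], event: Event) -> None:
    """Per message: store a single-event partial solution at every matching leaf."""
    for leaf in leaves:
        if leaf.match(event):
            leaf.partials.append((event,))

def evaluate(node: Node) -> List[Partial]:
    """Predefined-time invocation: children bottom-up, then keep pairings meeting this node's constraint."""
    for child in (node.left, node.right):
        if isinstance(child, Node):
            evaluate(child)
    node.partials = [a + b for a in node.left.partials for b in node.right.partials
                     if node.constraint(a, b)]
    return node.partials

def build_rule() -> Tuple[List[Leaf], Node]:
    """Hypothetical rule: failed login, success from the same src within 60 s, then a priv change for that user within 120 s."""
    fail = Leaf(lambda e: e["type"] == "login_failed")
    ok = Leaf(lambda e: e["type"] == "login_success")
    priv = Leaf(lambda e: e["type"] == "priv_change")
    same_src = lambda a, b: a[0]["src"] == b[0]["src"] and 0 <= b[0]["t"] - a[0]["t"] <= 60
    same_user = lambda a, b: a[1]["user"] == b[0]["user"] and 0 <= b[0]["t"] - a[1]["t"] <= 120
    return [fail, ok, priv], Node(Node(fail, ok, same_src), priv, same_user)

def detect(events: List[Event]) -> List[Partial]:
    """Ingest the whole stream, then invoke the tree once; root partials are alerts."""
    leaves, root = build_rule()
    for e in events:
        ingest(leaves, e)
    return evaluate(root)

SAMPLE = [  # constructed stream (not from the patent); only alice's sequence completes the rule
    {"t": 0, "type": "login_failed", "src": "10.0.0.5", "user": "alice"},
    {"t": 20, "type": "login_failed", "src": "10.0.0.9", "user": "bob"},
    {"t": 30, "type": "login_success", "src": "10.0.0.5", "user": "alice"},
    {"t": 100, "type": "priv_change", "src": "10.0.0.5", "user": "alice"},
    {"t": 400, "type": "login_success", "src": "10.0.0.9", "user": "bob"},
]
```

Each invocation recomputes every pairing from the stored partial solutions, so a production engine would also age out partial solutions older than the rule's time windows to bound memory and work per invocation.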
57 Claims
1. A method of processing event messages, comprising:
- defining a graph of nodes, including a plurality of leaf nodes, a plurality of non-leaf nodes;
- receiving a stream of event messages, each event message characterized by a plurality of event parameters;
- for each event message, identifying leaf nodes, if any, that correspond to the event message, and for each identified leaf node, storing in association with the identified leaf node a partial solution identifying the event message; and
- at predefined times, invoking each of a plurality of non-leaf nodes, wherein invoking a non-leaf node comprises evaluating an inter-event constraint associated with the non-leaf node utilizing the partial solutions stored for one or more nodes lower in the graph, and storing in association with the non-leaf node partial solutions representing sets of event messages meeting the evaluated constraint of the non-leaf node.

(Dependent claims: 2 to 19)
20. A system monitoring network security, comprising:
- one or more central processing units for executing programs;
- an interface for receiving event messages; and
- a rule evaluation engine module executable by the one or more central processing units, the module comprising:
  - data representing a graph of nodes, including a plurality of leaf nodes, a plurality of non-leaf nodes;
  - instructions for receiving a stream of event messages, each event message characterized by a plurality of event parameters;
  - instructions for identifying leaf nodes, if any, that correspond to an event message in the stream of event messages;
  - instructions for storing in association with the identified leaf nodes a partial solution identifying the event message; and
  - instructions for invoking each of the plurality of non-leaf nodes at predefined times, wherein invoking a non-leaf node comprises evaluating an inter-event constraint associated with the non-leaf node utilizing the partial solutions stored for one or more nodes lower in the graph, and storing in association with the non-leaf node partial solutions representing sets of event messages meeting the evaluated constraint of the non-leaf node.

(Dependent claims: 21 to 38)
39. A computer program product for use in conjunction with a computer system, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
- instructions for constructing a graph of nodes, including a plurality of leaf nodes, a plurality of non-leaf nodes;
- instructions for receiving a stream of event messages, each event message characterized by a plurality of event parameters;
- instructions for identifying leaf nodes, if any, that correspond to an event message in the stream of event messages;
- instructions for storing in association with the identified leaf nodes a partial solution identifying the event message; and
- instructions for invoking each of the plurality of non-leaf nodes at predefined times, wherein invoking a non-leaf node comprises evaluating an inter-event constraint associated with the non-leaf node utilizing the partial solutions stored for one or more nodes lower in the graph, and storing in association with the non-leaf node partial solutions representing sets of event messages meeting the evaluated constraint of the non-leaf node.

(Dependent claims: 40 to 57)