Monitoring events in a computer network

US 7,750,910 B2
Filed: 10/31/2007
Issued: 07/06/2010
Est. Priority Date: 03/12/2003
Status: Expired due to Fees

First Claim

Patent Images

1. An article of manufacture comprising a tangible computer readable medium having computer readable code means embodied therein for causing monitoring network activities, the computer readable program code means in said article of manufacture, when executed by a computer, cause the computer to effect monitoring network activities as a time-ordered sequence of events in a computer network, each event having attributes triggered by an intrusion-detection system, each event being characterized by a given set of attributes called dimensions, each event forming an n-dimensional space, the step of monitoring comprising:

said computer network triggering said events, each event being provided with attribute values allocated to a given set of attributes of said each event, each attribute having a particular attribute value,simultaneously monitoring each particular attribute value of various event attributes from said given set of attributes versus the arrival time of said each event,providing an event display with a cross plot having x and y coordinate axes, the x-axis presenting a time period and the y-axis presenting an attribute value range, and visualizing data along said x and y coordinate axes, said axes being attribute axes,determining a primary attribute of said each event, said primary attribute being selected from the given set of attributes, each said primary attribute of said each event to be presented with a corresponding attribute value on the y-axis of the cross plot,allocating a first display label to the events indicating the attribute value of the primary attribute of each event, providing a pattern algorithm to detect whether an arrived event is part of the given pattern on the basis of a comparison of the attributes allocated to the given pattern and of the attributes assigned to the arrived event, providing a mapping algorithm to map any attribute value of an attribute selected from the given set of attributes onto the y-axis of the cross plot,allocating a second display label to said each event indicating the attribute values of the attributes being uncovered as part of the given pattern,plotting all events that arrived within the time period and including an attribute value allocated to the primary attribute into the cross plot with the first display label indicating the primary attribute, the position of the first display label of said each event in the cross plot being determined on the basis of the attribute value of the primary attribute of the event and its arrival time,plotting all events that arrived within the time period and being detected by means of the pattern algorithm as part of the given pattern into the cross plot with the second display label indicating the given pattern, the position of the second display label of said each event in the cross plot being determined by the mapping algorithm on the basis of the attribute value of the attribute of the event being uncovered as part of the given pattern and its arrival time, anddisplaying a secondary attribute of said each event together with the primary attribute on said display.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Monitoring events triggered by a computer network. Each event being provided with attribute values allocated to a given set of attributes, and providing an event display, determining a primary attribute and a corresponding display label of the events selected from the given set of attributes presented with attribute values on a cross plot, providing a pattern algorithm to detect whether an arrived event is part of a given pattern, providing a mapping algorithm to map attribute values on the cross plot, allocating a second display label to the events indicating the attributes uncovered as part of the given pattern, plotting events arriving and including an attribute value allocated to a primary attribute into the cross plot, and plotting events arriving within the time period and detected by the pattern algorithm as part of the given pattern into the cross plot with the second display label indicating the given pattern.

Citations

11 Claims

1. An article of manufacture comprising a tangible computer readable medium having computer readable code means embodied therein for causing monitoring network activities, the computer readable program code means in said article of manufacture, when executed by a computer, cause the computer to effect monitoring network activities as a time-ordered sequence of events in a computer network, each event having attributes triggered by an intrusion-detection system, each event being characterized by a given set of attributes called dimensions, each event forming an n-dimensional space, the step of monitoring comprising:
- said computer network triggering said events, each event being provided with attribute values allocated to a given set of attributes of said each event, each attribute having a particular attribute value,simultaneously monitoring each particular attribute value of various event attributes from said given set of attributes versus the arrival time of said each event,providing an event display with a cross plot having x and y coordinate axes, the x-axis presenting a time period and the y-axis presenting an attribute value range, and visualizing data along said x and y coordinate axes, said axes being attribute axes,determining a primary attribute of said each event, said primary attribute being selected from the given set of attributes, each said primary attribute of said each event to be presented with a corresponding attribute value on the y-axis of the cross plot,allocating a first display label to the events indicating the attribute value of the primary attribute of each event, providing a pattern algorithm to detect whether an arrived event is part of the given pattern on the basis of a comparison of the attributes allocated to the given pattern and of the attributes assigned to the arrived event, providing a mapping algorithm to map any attribute value of an attribute selected from the given set of attributes onto the y-axis of the cross plot,allocating a second display label to said each event indicating the attribute values of the attributes being uncovered as part of the given pattern,plotting all events that arrived within the time period and including an attribute value allocated to the primary attribute into the cross plot with the first display label indicating the primary attribute, the position of the first display label of said each event in the cross plot being determined on the basis of the attribute value of the primary attribute of the event and its arrival time,plotting all events that arrived within the time period and being detected by means of the pattern algorithm as part of the given pattern into the cross plot with the second display label indicating the given pattern, the position of the second display label of said each event in the cross plot being determined by the mapping algorithm on the basis of the attribute value of the attribute of the event being uncovered as part of the given pattern and its arrival time, anddisplaying a secondary attribute of said each event together with the primary attribute on said display.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. An article of manufacture as recited in claim 1, the computer readable program code means in said article of manufacture further comprising computer readable program code means for causing a computer to effect:
    - recording the attribute values and the arrival time of a new event, determining on the basis of the recorded attribute values of event whether or not the newly arrived event includes an attribute value of the primary attribute, and if the newly arrived event includes the attribute value for the primary attribute shifting the x-axis of the cross plot so that the time period being presented on the x-axis covers the arrival time of the event, andplotting the event arrived within the shifted time period into the cross plot with the first display label indicating the primary attribute.
  - 3. An article of manufacture as recited in claim 2, the computer readable program code means in said article of manufacture further comprising computer readable program code means for causing a computer to effect:
    - determining on the basis of the recorded attribute values of event whether or not the newly arrived event is part of the given pattern on the basis of a comparison of the attributes allocated to the given pattern and of the attributes assigned to the arrived event,if the newly arrived event includes an attribute value of the given pattern adding the event to the previous events being detected as part of the given pattern, andredrawing all the events being associated with given pattern in the cross plot.
  - 4. An article of manufacture as recited in claim 3, the computer readable program code means in said article of manufacture further comprising computer readable program code means for causing a computer to effect:
    - when the newly arrived event does not include an attribute value of the given pattern, determining on the basis of the recorded attribute values of all previous arrived events by means of the pattern algorithm whether or not the newly arrived event is part of a new pattern on the basis of a comparison of the attributes allocated to the new pattern and of the attributes assigned to the arrived events;
      
      when the newly arrived event forms together with previous recorded events the new pattern, allocating a third display label to the events indicating the attribute values of the attributes being uncovered as part of the new pattern; and
      
      plotting the all events being detected by means of the pattern algorithm as part of the new pattern into the cross plot with the third display label indicating the new pattern, the position of the third display label of said each event in the cross plot being determined by the mapping algorithm on the basis of the attribute value of the attribute of the event being uncovered as part of the new pattern and its arrival time.
  - 5. An article of manufacture as recited in claim 2, the computer readable program code means in said article of manufacture further comprising computer readable program code means for causing a computer to effect:
    - removing all the events including an attribute value allocated to the primary attribute from the cross plot, if a primary attribute to be presented with its attribute values on the y-axis of the cross plot is changed, allocating a fourth display label to the events indicating the attribute values of the new primary attribute, andplotting all the events arrived within the time period and including an attribute value allocated to the new primary attribute into the cross plot with the fourth display label indicating the new primary attribute, the position of the fourth display label of said each event in the cross plot being determined on the basis of the attribute value of the primary attribute of the event and its arrival time.
  - 6. An article of manufacture as recited in claim 1, the computer readable program code means in said article of manufacture further comprising computer readable program code means for causing a computer to effect:
    - plotting all attribute values recorded for an event with the respective display label into the cross plot if the event is selected by an operator, and displaying textual information associated with the selected event on the event display.
  - 7. An article of manufacture as recited in claim 1, wherein the pattern algorithm is suitable to perform multi-attribute pattern recognition.
  - 8. An article of manufacture as recited in claim 1, wherein each display label includes a specific color and/or a specific mark layout.
  - 9. An article of manufacture as recited in claim 1, wherein all events being uncovered as part of the pattern are clustered by the corresponding display label.
  - 10. An article of manufacture as recited in claim 1, the computer readable program code means in said article of manufacture further comprising computer readable program code means for causing a computer to effect:
    - recording the attribute values and the arrival time of a new event, determining on the basis of the recorded attribute values of event whether or not the newly arrived event includes an attribute value of the primary attribute, and if the newly arrived event includes the attribute value for the primary attribute shifting the x-axis of the cross plot so that the time period being presented on the x-axis covers the arrival time of the event,plotting the event arrived within the shifted time period into the cross plot with the first display label indicating the primary attribute;
      
      determining on the basis of the recorded attribute values of event whether or not the newly arrived event is part of the given pattern on the basis of a comparison of the attributes allocated to the given pattern and of the attributes assigned to the arrived event;
      
      if the newly arrived event includes an attribute value of the given pattern adding the event to the previous events being detected as part of the given pattern;
      
      redrawing all the events being associated with given pattern in the cross plot;
      
      when the newly arrived event does not include an attribute value of the given pattern, determining on the basis of the recorded attribute values of all previous arrived events by means of the pattern algorithm whether or not the newly arrived event is part of a new pattern on the basis of a comparison of the attributes allocated to the new pattern and of the attributes assigned to the arrived events;
      
      when the newly arrived event forms together with previous recorded events the new pattern, allocating a third display label to the events indicating the attribute values of the attributes being uncovered as part of the new pattern; and
      
      plotting the all events being detected by means of the pattern algorithm as part of the new pattern into the cross plot with the third display label indicating the new pattern, the position of the third display label of event in the cross plot being determined by the mapping algorithm on the basis of the attribute value of the attribute of the event being uncovered as part of the new pattern and its arrival time.
  - 11. An article of manufacture as recited in claim 10, the computer readable program code means in said article of manufacture further comprising computer readable program code means for causing a computer to effect:
    - removing all the events including an attribute value allocated to the primary attribute from the cross plot, if a primary attribute to be presented with its attribute values on the y-axis of the cross plot is changed, allocating a fourth display label to the events indicating the attribute values of the new primary attribute, andplotting all the events arrived within the time period and including an attribute value allocated to the new primary attribute into the cross plot with the fourth display label indicating the new primary attribute, the position of the fourth display label of each event in the cross plot being determined on the basis of the attribute value of the primary attribute of the event and its arrival time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Stolze, Markus, Pawlitzek, Rene, Hild, Stefan G.
Primary Examiner(s)
WANG, JIN CHENG

Application Number

US11/932,028
Publication Number

US 20080065765A1
Time in Patent Office

979 Days
Field of Search

345/440, 345/440.1, 345/440.2, 345/441, 345/442, 707/6, 707/102
US Class Current

345/440
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 41/0631   using root cause analysis; ...

H04L 41/22   comprising specially adapte...

H04L 63/1408   by monitoring network traff...

H04L 67/75   Indicating network or usage...

H04L 69/329   in the application layer [O...

Y10S 707/99936   Pattern matching access

Monitoring events in a computer network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring events in a computer network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links