Feedback mechanism to minimize false assertions of a network intrusion

US 7,774,839 B2
Filed: 11/03/2003
Issued: 08/10/2010
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A graphical user interface rendered on a display associated with an intrusion detection system, the graphical user interface comprising:

a field that depicts a summary of anomalies identified as part of an event that is detected in a network, the summary indicating event severity details of the event; and

an alert action region including a control to permit a user to snooze future alerts related to the event in the summary for a period of time.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A graphical user interface for an intrusion detection system is described. The graphical user interface includes a field that depicts a summary of anomalies identified as part of a event that is detected in a network, the summary indicating event severity details of the event and an alert action region including a control to permit a user to snooze future alerts related to the event in the summary for a period of time.

77 Citations

View as Search Results

25 Claims

1. A graphical user interface rendered on a display associated with an intrusion detection system, the graphical user interface comprising:
- a field that depicts a summary of anomalies identified as part of an event that is detected in a network, the summary indicating event severity details of the event; and
  
  an alert action region including a control to permit a user to snooze future alerts related to the event in the summary for a period of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The graphical user interface of claim 1 wherein the snooze control feature is selected based on event types and roles of hosts.
  - 3. The graphical user interface of claim 1 further comprising:
    - a control to allow a user to clear an alert if the alert appears on an overview page that provides an operator with an aggregated view of network status.
  - 4. The graphical user interface of claim 3 wherein an event details region of the graphical user interface depicts anomalies that were used to classify the event.
  - 5. The graphical user interface of claim 1 wherein details of events include values of source, destination, and protocol that caused an event to be raised.
  - 6. The graphical user interface of claim 1 wherein event severity is coded by an indicia.
  - 7. The graphical user interface of claim 1 wherein the interface includes a control to clear a selected alert.
  - 8. The graphical user interface of claim 1 wherein the interface includes a details control that allows a user to observe details about a selected anomaly.
  - 9. The graphical user interface of claim 1 wherein the details control presents a list of IP addresses to which a host attempted to connect to.

10. A method comprises:
- providing an operator with a list of events identified by an intrusion detection system, within the list of events being information indicating event severity, with event severity determined for an event, by the event having a percentage relationship to an established threshold for issuing an event notification;
  
  displaying details of a selected one of the events to a user; and
  
  providing on a graphical user interface a snooze control to allow a user to snooze future alerts related to the selected event.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 11. The method of claim 10 the snooze control allows an event to be snoozed for a fixed period of time.
  - 12. The method of claim 10 wherein the snooze control is for selected event types and roles.
  - 13. The method of claim 10 further comprising:
    - clearing a selected alert from the list of events.
  - 14. The method of claim 13 further comprising:
    - displaying anomalies that were used to classify the event.
  - 15. The method of claim 14 further comprising:
    - displaying event details that indicate historically normal operating conditions of a host and current operating conditions of a host to allow the operator to take an appropriate action.
  - 16. The method of claim 15 wherein one of the operating conditions displayed is normal and current connection rates of the host.
  - 17. The method of claim 15 wherein the type of events include worm propagation, unauthorized access, denial of service attacks, and historical anomaly.
  - 18. The method of claim 10 further comprising:
    - displaying event details including destination and source fields populated with IP addresses and role classification of the host in the network.
  - 19. The method of claim 10 further comprising:
    - displaying actions taken by the operator for the particular event.
  - 20. The method of claim 10 further comprising:
    - displaying network statistics associated with network flows; and
      
      displaying a ranking of hosts in the network according to a network statistical measure.
  - 21. The method of claim 20 wherein the network statistics are a number of bytes per second and packets per second of each type of protocol observed in the system.

22. A computer program product residing on a computer readable medium for producing a graphical user interface for an intrusion detection system, the computer program product comprising instructions for causing a computer to:
- render a graphical user interface on an output device, the graphical user interface comprising;
  
  a field that depicts a summary of anomalies identified as part of an event that is detected in a network, the summary indicating event severity details of the event;
  
  an alert action region including a control to permit a user to snooze future alerts related to the event in the summary for a period of time.
- View Dependent Claims (23, 24, 25)
- - 23. The computer program product of claim 22 wherein the snooze control is selected based on event types and roles of hosts.
  - 24. The graphical user interface of claim 22 further comprising instructions to render in the graphical user interface:
    - a control to allow a user to clear an alert if the alert appears on an overview page that provides an operator with an aggregated view of network status.
  - 25. The computer program product of claim 22 wherein an event details region of the graphical user interface depicts anomalies that were used to classify the event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Nazzal, Robert N.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
GEE, JASON KAI YIN

Application Number

US10/701,157
Publication Number

US 20040261030A1
Time in Patent Office

2,472 Days
Field of Search

726/22, 726/23, 726/24
US Class Current

726/22
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Feedback mechanism to minimize false assertions of a network intrusion

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Feedback mechanism to minimize false assertions of a network intrusion

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links