Event monitoring and management

US 7,779,119 B2
Filed: 05/30/2007
Issued: 08/17/2010
Est. Priority Date: 06/09/2003
Status: Active Grant

First Claim

Patent Images

1. A method of event notification comprising:

receiving a first report of a condition;

sending a first notification message about said first report of said condition;

sending a second notification message about said condition at a first notification interval;

receiving subsequent reports at fixed time intervals;

sending a subsequent notification message at a second notification interval if said condition is still ongoing during said second notification interval, wherein said second notification interval has a length which is a multiple of said first notification interval, wherein said condition is one of a plurality of conditions used in determining a derived parameter having a value based on a first set of one or more of said plurality of conditions and a second set of one or more of said plurality of conditions, wherein said derived parameter has a value indicating an attack when an occurrence of said first set of one or more conditions is followed by an occurrence of said second set of one or more conditions within a predetermined time interval;

andsending a third notification message when said derived parameter indicates an attack.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described are techniques used in monitoring the performance, security and health of a system used in an industrial application. Agents included in the industrial network report data to an appliance or server. The appliance stores the data and determines when an alarm condition has occurred. Notifications are sent upon detecting an alarm condition. The alarm thresholds may be user defined. A threat thermostat controller determines a threat level used to control the connectivity of a network used in the industrial application.

Citations

34 Claims

1. A method of event notification comprising:
- receiving a first report of a condition;
  
  sending a first notification message about said first report of said condition;
  
  sending a second notification message about said condition at a first notification interval;
  
  receiving subsequent reports at fixed time intervals;
  
  sending a subsequent notification message at a second notification interval if said condition is still ongoing during said second notification interval, wherein said second notification interval has a length which is a multiple of said first notification interval, wherein said condition is one of a plurality of conditions used in determining a derived parameter having a value based on a first set of one or more of said plurality of conditions and a second set of one or more of said plurality of conditions, wherein said derived parameter has a value indicating an attack when an occurrence of said first set of one or more conditions is followed by an occurrence of said second set of one or more conditions within a predetermined time interval;
  
  andsending a third notification message when said derived parameter indicates an attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 31, 32, 33, 34)
- - 2. The method of claim 1, wherein said first report is sent from a reporting agent on a first computer system reporting about one of:
    - said first computer system and a network including said first computer system, and said notification messages are sent from a notification server on a second computer system.
  - 3. The method of claim 1, wherein notification messages are sent to a notification point at successive notification intervals wherein each of said successive notification intervals increases approximately exponentially with respect to an immediately prior notification interval.
  - 4. The method of claim 2, wherein said condition is associated with an alarm condition and an alarm condition is set when a current level of a metric is not in accordance with a predetermined threshold value.
  - 5. The method of claim 1, wherein each of said notification messages includes a first level of information about said condition and a second level of information used to perform at least one of the following:
    - determine a cause of said condition, and take a corrective action for said condition.
  - 6. The method of claim 5, wherein an option is included in a reporting agent to enable and disable reporting of said second level of information to a notification server from said agent sending said first report.
  - 7. The method of claim 5, wherein an option is used to enable and disable condition notification messages including said second level of information.
  - 8. The method of claim 4, wherein an alarm condition is associated with a first level alarm and an alarm state of said first level is maintained when a current level of a metric is in accordance with said predetermined threshold value until an acknowledgement of said alarm state at said first level is received by said notification server.
  - 9. The method of claim 8, wherein said alarm condition transitions to a second level alarm when said current level is not in accordance with said predetermined threshold and another threshold associated with a second level, and said second level alarm is maintained when a current level of a metric is in accordance with one of:
    - said predetermined threshold and said other threshold until acknowledgement of said second level alarm is received by said notification server.
  - 10. The method of claim 1, wherein reports are sent from a reporting agent executing on a computer system in an industrial network to an appliance included in said industrial network and each of said reports includes events occurring within said industrial network.
  - 11. The method of claim 4, wherein an alarm condition is determined in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about:
    - a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
  - 31. The method of claim 1, wherein said first set includes conditions based on security metrics.
  - 32. The method of claim 31, wherein said security metrics include a network intrusion detection metric, a metric based on a number of failed login attempts, and a metric based on a number of users with privileges greater than a level associated with a user-level account.
  - 33. The method of claim 1, wherein said second set of one or more conditions including resource usage metrics, wherein said resource usage metrics are used as confirmation of an occurrence of initial alert condition of an attack specified by said first set.
  - 34. The method of claim 33, wherein said derived parameter is determined using a plurality of reports received from a plurality of agents executing on a plurality of different computers, said derived parameter indicating an attack when the second set of conditions confirms an occurrence of an attack as indicated by the first set of conditions for a same set of one or more computers.

12. A method of event notification comprising:
- receiving a first report of a condition at a reporting destination;
  
  sending a first notification message from said reporting destination to a notification destination when a derived parameter indicates an attack, said derived parameter having a value based on a first set of one or more conditions and a second set of one or more conditions, wherein said derived parameter has a value indicating an attack when an occurrence of said first set of one or more conditions is followed by an occurrence of said second set of one or more conditions within a predetermined time interval; and
  
  sending a second notification message from said reporting destination to said notification destination, said second notification message including a summary of information about events occurring in a fixed time interval, said summary identifying at least one of;
  
  a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, wherein said summary identifies at least one source associated with an attack, wherein said source is one of:
    - a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  - 14. The method of claim 12, wherein said summary identifies at least one target associated with an attack, wherein said target is one of:
    - a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
  - 15. The method of claim 12, wherein said summary identifies a portion of a type of attack represents with respect to all attacks in said fixed time interval.

16. A computer program product for event notification comprising code that:
- receives a first report of a condition;
  
  sends a first notification message about said first report of said condition;
  
  sends a second notification message about said condition at a first notification interval;
  
  receives subsequent reports at fixed time intervals;
  
  sends a subsequent notification message at a second notification interval if said condition is still ongoing during said second notification interval, wherein said second notification interval has a length which is a multiple of said first notification interval, wherein said condition is one of a plurality of conditions used in determining a derived parameter having a value based on a first set of one or more of said plurality of conditions and a second set of one or more of said plurality of conditions, wherein said derived parameter has a value indicating an attack when an occurrence of said first set of one or more conditions is followed by an occurrence of said second set of one or more conditions within a predetermined time interval; and
  
  sends a third notification message when said derived parameter indicates an attack.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The computer program product of claim 16, wherein said first report is sent from a reporting agent on a first computer system reporting about one of:
    - said first computer system and a network including said first computer system, and said notification messages are sent from a notification server on a second computer system.
  - 18. The computer program product of claim 16, wherein notification messages are sent to a notification point at successive notification intervals wherein each of said successive notification intervals increases approximately exponentially with respect to an immediately prior notification interval.
  - 19. The computer program product of claim 17, wherein said condition is associated with an alarm condition and an alarm condition is set when a current level of a metric is not in accordance with a predetermined threshold value.
  - 20. The computer program product of claim 16, wherein each of said notification messages includes a first level of information about said condition and a second level of information used to perform at least one of the following:
    - determine a cause of said condition, and take a corrective action for said condition.
  - 21. The computer program product of claim 20, wherein an option is included in a reporting agent to enable and disable reporting of said second level of information to a notification server from said agent sending said first report.
  - 22. The computer program product of claim 20, wherein an option is used to enable and disable condition notification messages including said second level of information.
  - 23. The computer program product of claim 19, wherein an alarm condition is associated with a first level alarm and an alarm state of said first level is maintained when a current level of a metric is in accordance with said predetermined threshold value until an acknowledgement of said alarm state at said first level is received by said notification server.
  - 24. The computer program product of claim 23, wherein said alarm condition transitions to a second level alarm when said current level is not in accordance with said predetermined threshold and another threshold associated with a second level, and said second level alarm is maintained when a current level of a metric is in accordance with one of:
    - said predetermined threshold and said other threshold until acknowledgement of said second level alarm is received by said notification server.
  - 25. The computer program product of claim 16, wherein reports are sent from a reporting agent executing on a computer system in an industrial network to an appliance included in said industrial network and each of said reports includes events occurring within said industrial network.
  - 26. The computer program product of claim 19, wherein an alarm condition is determined in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about:
    - a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.

27. A computer program product for event notification comprising code that:
- receives a first report of a condition at a reporting destination; and
  
  sends a first notification message from said reporting destination to a notification destination when a derived parameter indicates an attack, said derived parameter having a value based on a first set of one or more conditions and a second set of one or more conditions, wherein said derived parameter has a value indicating an attack when an occurrence of said first set of one or more conditions is followed by an occurrence of said second set of one or more conditions within a predetermined time interval;
  
  sends a second notification message from said reporting destination to said notification destination, said second notification message including a summary of information about events occurring in a fixed time interval, said summary identifying at least one of;
  
  a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
- View Dependent Claims (28, 29, 30)
- - 28. The computer program product of claim 27, wherein said summary identifies at least one source associated with an attack, wherein said source is one of:
    - a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  - 29. The computer program product of claim 27, wherein said summary identifies at least one target associated with an attack, wherein said target is one of:
    - a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
  - 30. The computer program product of claim 27, wherein said summary identifies a portion of a type of attack represents with respect to all attacks in said fixed time interval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Idefender, LLC
Original Assignee
Industrial Defender, Inc. (Capgemini SE)
Inventors
Ginter, Andrew, McMillan, Brad, Jensen, Brett, Lopes, Rui Manuel Martins, Hutchinson, Tom
Primary Examiner(s)
VU, VIET D

Application Number

US11/807,699
Publication Number

US 20080209033A1
Time in Patent Office

1,175 Days
Field of Search

709/217, 709/219, 709/223, 709/224, 719/318
US Class Current

709/224
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Event monitoring and management

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Event monitoring and management

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links