Progressive layered forensic correlation of computer network and security events
First Claim
1. A method for forensic analysis of events in an event listing comprising:
- a security device arranging a plurality of correlation objects in a hierarchical decision tree having multiple layers, each correlation object including a correlation rule that defines a correlation that is to be performed by the correlation object, at least one of the layers having parent correlation objects to which children correlation objects are assigned;
the security device applying the decision tree to the event listing to perform a forensic analysis in an order of correlation objects that is defined by a correlation thread, the correlation thread initiating a correlation by one of the parent correlation objects which results in one of a success or failure, wherein said applying the decision tree to the event listing to perform the forensic analysis comprises the security device evaluating the event listing against the correlation rules of the correlation objects in the order defined by the correlation thread;
in the event of a success of the parent correlation object, the security device storing results of evaluating the correlation rule of the parent correlation object against the event listing in a parent event listing corresponding to the parent correlation object, the parent event listing comprising a subset of events of the event listing, and initiating, by the correlation thread, evaluating the parent event listing against the correlation rule of one of the child correlation objects assigned to the successful parent correlation object; and
in the event of a failure of the evaluating performed by the parent correlation object, the correlation thread initiates evaluating of the event listing against a correlation rule of another parent correlation object, wherein the parent correlation object defines a time frame of the event listing from which events can be drawn for the correlation, wherein a second time frame corresponding to the child correlation object is calculated relative to the time frame defined by the parent correlation object.
4 Assignments
0 Petitions
Abstract
Rules are arranged as nodes among layers of a hierarchical decision tree. Nodes of the decision tree can be copied and re-used at other locations on the current tree, or on another tree, in a highly efficient manner. When this occurs, corresponding field values from a parent or ancestor node are automatically updated in the newly introduced node. In addition, when a decision tree is used to operate on an event repository, the results of various rules, defined as a “match” or “no match”, are stored in a common event table that is accessible by nodes at other layers of the decision tree. In addition, actions can be initiated, for example command scripts, at designated nodes of the decision tree, for example upon the occurrence of certain conditions.
28 Citations
41 Claims
- 1. Independent method claim (text reproduced above under First Claim); dependent claims 2 to 20.
- 21. A system for forensic analysis of events in an event listing comprising:
a hardware processor; a computer-readable medium carrying at least one sequence of instructions, wherein execution of the sequence of instructions by the system causes the system to: arrange a plurality of correlation objects in a hierarchical decision tree having multiple layers, each correlation object including a correlation rule that defines a correlation that is to be performed by the correlation object, at least one of the layers having parent correlation objects to which children correlation objects are assigned; apply the decision tree to the event listing to perform a forensic analysis in an order of correlation objects that is defined by a correlation thread, the correlation thread initiating a correlation by one of the parent correlation objects which results in one of a success or failure, wherein said causing the system to apply the decision tree to the event listing to perform the forensic analysis comprises causing the system to evaluate the event listing against the correlation rules of the correlation objects in the order defined by the correlation thread; and in the event of a success of the parent correlation object, store results of the evaluating the correlation rule of the parent correlation object against the event listing in a parent event listing corresponding to the parent correlation object, the parent event listing comprising a subset of events of the event listing, and initiating, by the correlation thread, an evaluation of the parent event listing against the correlation rule of one of the child correlation objects assigned to the successful parent correlation object; and in the event of a failure of the correlation performed by the parent correlation object, the correlation thread initiates evaluation of the event listing against a correlation rule of another parent correlation object, wherein the parent correlation object defines a time frame of the event listing from which events can be drawn for the correlation, wherein a second time frame corresponding to the child correlation object is calculated relative to the time frame defined by the parent correlation object.
- Dependent claims: 22 to 40.
- 41. A computer-readable medium carrying at least one sequence of instructions for performing forensic analysis of events in an event listing, wherein the computer-readable medium comprises one of a hard drive medium and a portable optical medium and wherein execution of the sequence of instructions by at least one processor causes the at least one processor to perform the steps of:
arranging a plurality of correlation objects in a hierarchical decision tree having multiple layers, each correlation object including a correlation rule that defines a correlation that is to be performed by the correlation object, at least one of the layers having parent correlation objects to which children correlation objects are assigned; applying the decision tree to the event listing to perform a forensic analysis in an order of correlation objects that is defined by a correlation thread, the correlation thread initiating a correlation by one of the parent correlation objects which results in one of a success or failure, wherein said applying the decision tree to the event listing to perform the forensic analysis comprises the security device evaluating the event listing against the correlation rules of the correlation objects in the order defined by the correlation thread; and in the event of a success of the parent correlation object, storing results of evaluating the event listing against the correlation rule of the parent correlation object in a parent event listing corresponding to the parent correlation object, the parent event listing comprising a subset of events of the event listing, and initiating, by the correlation thread, evaluating the parent event listing against the correlation rule of one of the child correlation objects assigned to the successful parent correlation object; and in the event of a failure of the evaluating performed by the parent correlation object, the correlation thread initiates evaluating of the event listing against a correlation rule of another parent correlation object, wherein the parent correlation object defines a time frame of the event listing from which events can be drawn for the correlation, wherein a second time frame corresponding to the child correlation object is calculated relative to the time frame defined by the parent correlation object.
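As an added illustration, not code from the patent or its assignee, the following Python sketch runs the correlation thread of claims 1, 21 and 41 and the shared match/no-match event table of the abstract over a constructed event listing: parents are tried in order, a successful parent stores its subset and hands it to its children, a failed parent is skipped, and a child's time frame is derived from the parent's. The rule names, event fields and window arithmetic are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

EVENTS = [  # constructed sample listing: ts in seconds, event type, source host
    {"ts": 5, "type": "login_failed", "src": "10.0.0.7"},
    {"ts": 10, "type": "login_failed", "src": "10.0.0.7"},
    {"ts": 15, "type": "login_failed", "src": "10.0.0.7"},
    {"ts": 20, "type": "login_failed", "src": "10.0.0.9"},
    {"ts": 95, "type": "login_success", "src": "10.0.0.7"},
]

@dataclass
class CorrelationObject:
    name: str
    rule: Callable            # event listing -> matched subset; [] means failure
    window: tuple = None      # parent: absolute (start, end) time frame
    rel_window: tuple = None  # child: offsets applied to the parent's frame
    children: list = field(default_factory=list)

def in_window(events, start, end):
    return [e for e in events if start <= e["ts"] <= end]

def correlation_thread(parents, listing):
    """Try parents in order; success stores the parent listing and descends, failure moves on."""
    table = {}  # common event table readable by every layer of the tree
    for parent in parents:
        matched = parent.rule(in_window(listing, *parent.window))
        table[parent.name] = matched              # match / no match, visible tree-wide
        if not matched:
            continue
        p_start, p_end = parent.window
        for child in parent.children:             # child frame is relative to the parent's
            d_start, d_end = child.rel_window
            scope = in_window(matched, p_start + d_start, p_end + d_end)
            table[f"{parent.name}/{child.name}"] = child.rule(scope)
    return table

def failed_login_burst(events, threshold=3):
    """Keep every event from a source with >= threshold failed logins in the frame."""
    fails = Counter(e["src"] for e in events if e["type"] == "login_failed")
    hot = {src for src, n in fails.items() if n >= threshold}
    return [e for e in events if e["src"] in hot]

TREE = [  # the first parent fails on this data, so the thread moves to the second
    CorrelationObject("port_scan", lambda ev: [e for e in ev if e["type"] == "port_scan"], window=(0, 120)),
    CorrelationObject("failed_login_burst", failed_login_burst, window=(0, 120), children=[
        CorrelationObject("success_after_burst", lambda ev: [e for e in ev if e["type"] == "login_success"],
                          rel_window=(60, 0)),  # frame = last 60 s of the parent's frame
    ]),
]
```

Calling `correlation_thread(TREE, EVENTS)` records an empty result for `port_scan`, the four events from 10.0.0.7 for `failed_login_burst`, and the single success at ts 95 for the child.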
Specification