Progressive layered forensic correlation of computer network and security events

US 7,873,717 B1
Filed: 06/06/2005
Issued: 01/18/2011
Est. Priority Date: 06/06/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for forensic analysis of events in an event listing comprising:

a security device arranging a plurality of correlation objects in a hierarchical decision tree having multiple layers, each correlation object including a correlation rule that defines a correlation that is to be performed by the correlation object, at least one of the layers having parent correlation objects to which children correlation objects are assigned;

the security device applying the decision tree to the event listing to perform a forensic analysis in an order of correlation objects that is defined by a correlation thread, the correlation thread initiating a correlation by one of the parent correlation objects which results in one of a success or failure, wherein said applying the decision tree to the event listing to perform the forensic analysis comprises the security device evaluating the event listing against the correlation rules of the correlation objects in the order defined by the correlation thread;

in the event of a success of the parent correlation object, the security device storing results of evaluating the correlation rule of the parent correlation object against the event listing in a parent event listing corresponding to the parent correlation object, the parent event listing comprising a subset of events of the event listing, and initiating, by the correlation thread, evaluating the parent event listing against the correlation rule of one of the child correlation objects assigned to the successful parent correlation object; and

in the event of a failure of the evaluating performed by the parent correlation object, the correlation thread initiates evaluating of the event listing against a correlation rule of another parent correlation object,wherein the parent correlation object defines a time frame of the event listing from which events can be drawn for the correlation,wherein a second time frame corresponding to the child correlation object is calculated relative to the time frame defined by the parent correlation object.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Rules are arranged as nodes among layers of a hierarchical decision tree. Nodes of the decision tree can be copied and re-used at other locations on the current tree, or on another tree, in a highly efficient manner. When this occurs, corresponding field values from a parent or ancestor node are automatically updated in the newly introduced node. In addition, when a decision tree is used to operate on an event repository, the results of various rules, defined as a “match” or “no match”, are stored in a common event table that is accessible by nodes at other layers of the decision tree. In addition, actions can be initiated, for example command scripts, at designated nodes of the decision tree, for example upon the occurrence of certain conditions.

28 Citations

View as Search Results

41 Claims

1. A method for forensic analysis of events in an event listing comprising:
- a security device arranging a plurality of correlation objects in a hierarchical decision tree having multiple layers, each correlation object including a correlation rule that defines a correlation that is to be performed by the correlation object, at least one of the layers having parent correlation objects to which children correlation objects are assigned;
  
  the security device applying the decision tree to the event listing to perform a forensic analysis in an order of correlation objects that is defined by a correlation thread, the correlation thread initiating a correlation by one of the parent correlation objects which results in one of a success or failure, wherein said applying the decision tree to the event listing to perform the forensic analysis comprises the security device evaluating the event listing against the correlation rules of the correlation objects in the order defined by the correlation thread;
  
  in the event of a success of the parent correlation object, the security device storing results of evaluating the correlation rule of the parent correlation object against the event listing in a parent event listing corresponding to the parent correlation object, the parent event listing comprising a subset of events of the event listing, and initiating, by the correlation thread, evaluating the parent event listing against the correlation rule of one of the child correlation objects assigned to the successful parent correlation object; and
  
  in the event of a failure of the evaluating performed by the parent correlation object, the correlation thread initiates evaluating of the event listing against a correlation rule of another parent correlation object,wherein the parent correlation object defines a time frame of the event listing from which events can be drawn for the correlation,wherein a second time frame corresponding to the child correlation object is calculated relative to the time frame defined by the parent correlation object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein the events comprise at least one of network events and security-related events.
  - 3. The method of claim 1 wherein the event listing comprises one of a main event listing and a summary event listing containing de-duplicated events of the main event listing.
  - 4. The method of claim 1 wherein the correlation thread begins with higher-level correlation objects and continues to lower-level correlation objects.
  - 5. The method of claim 1 wherein the correlation thread initiates correlations by correlation objects on a same level of a decision tree in order of importance of the correlation objects sharing the same level.
  - 6. The method of claim 1 wherein a child correlation object further accesses a parent event listing corresponding to an ancestor correlation object of the parent correlation object for performing the correlation.
  - 7. The method of claim 1, wherein, in the event of a failure of the correlation performed by the child correlation object, the correlation thread initiates a correlation by another sibling child correlation object that is assigned to the successful parent correlation object.
  - 8. The method of claim 1 wherein, in the event of a success of the child correlation object, results of the correlation performed by the child correlation object are stored in a child event listing corresponding to the child correlation object, the child event listing comprising a subset of events of the event listing, and the correlation thread initiating a correlation by descendant child correlation objects assigned to the successful child correlation object, the descendant child correlation object accessing the child event listing for performing the correlation.
  - 9. The method of claim 1 wherein a success of a correlation is based on whether events match a rule query defined for a correlation object performing the correlation.
  - 10. The method of claim 9 wherein a success of a correlation is further based on whether fields of events of the correlation performed on the correlation object match.
  - 11. The method of claim 9 wherein a success of a correlation is further based on whether fields of events of the correlation performed on the correlation object do not match.
  - 12. The method of claim 9 wherein a success of the correlation of the correlation object is further based on whether a value of a field of events matching the rule query match fields of events stored in an event listing of an ancestor object.
  - 13. The method of claim 1 further comprising the object performing the correlation generating an event as a result of one of a success or a failure of the correlation, and storing the event in the event listing for access by other correlation objects in decision trees having access to the event listing.
  - 14. The method of claim 1 further comprising initiating an automation as a result of one of a success or failure of the correlation, the automation initiating an activity of the system.
  - 15. The method of claim 14 wherein the automation comprises performing a command script.
  - 16. The method of claim 15 further comprising analyzing results produced by the command script, generating an event as a result of the analysis, and storing the event in the event listing for access by other correlation objects in the decision tree.
  - 17. The method of claim 14 further comprising initiating a pause period upon initiating the automation, the pause period pausing the system to ensure completion of the automation before the correlation thread continues.
  - 18. The method of claim 1 wherein arranging a plurality of correlation objects in a hierarchical decision tree further comprises copying a correlation object from a first location on the decision tree to a second location.
  - 19. The method of claim 18 wherein the correlation thread of the copied correlation object is automatically adjusted to correspond with the second position.
  - 20. The method of claim 18 wherein children and any other descendant correlation objects of the copied correlation object are further copied and automatically adjusted to correspond with the second position of the copied correlation object.

21. A system for forensic analysis of events in an event listing comprising:
- a hardware processor;
  
  a computer-readable medium carrying at least one sequence of instructions, wherein execution of the sequence of instructions by the system causes the system to;
  
  arrange a plurality of correlation objects in a hierarchical decision tree having multiple layers, each correlation object including a correlation rule that defines a correlation that is to be performed by the correlation object, at least one of the layers having parent correlation objects to which children correlation objects are assigned;
  
  apply the decision tree to the event listing to perform a forensic analysis in an order of correlation objects that is defined by a correlation thread, the correlation thread initiating a correlation by one of the parent correlation objects which results inone of a success or failure, wherein said causing the system to apply the decision tree to the event listing to perform the forensic analysis comprises causing the system to evaluate the event listing against the correlation rules of the correlation objects in the order defined by the correlation thread; and
  
  in the event of a success of the parent correlation object, store results of the evaluating the correlation rule of the parent correlation object against the event listing in a parent event listing corresponding to the parent correlation object, the parent event listing comprising a subset of events of the event listing, and initiating, by the correlation thread, an evaluation of the parent event listing against the correlation rule of one of the child correlation objects assigned to the successful parent correlation object; and
  
  in the event of a failure of the correlation performed by \the parent correlation object, the correlation thread initiates evaluation of the event listing against a correlation rule of another parent correlation object,wherein the parent correlation object defines a time frame of the event listing from which events can be drawn for the correlation,wherein a second time frame corresponding to the child correlation object is calculated relative to the time frame defined by the parent correlation object.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The system of claim 21 wherein the events comprise at least one of network events and security-related events.
  - 23. The system of claim 21 wherein the event listing comprises one of a main event listing and a summary event listing containing de-duplicated events of the main event listing.
  - 24. The system of claim 21 wherein the correlation thread begins with higher-level correlation objects and continues to lower-level correlation objects.
  - 25. The system of claim 21 wherein the correlation thread initiates correlations by correlation objects on a same level of a decision tree in order of importance of the correlation objects sharing the same level.
  - 26. The system of claim 21 wherein a child correlation object further accesses a parent event listing corresponding to an ancestor correlation object of the parent correlation object for performing the correlation.
  - 27. The system of claim 21, wherein, in the event of a failure of the correlation performed by the child correlation object, the correlation thread initiates a correlation by another sibling child correlation object that is assigned to the successful parent correlation object.
  - 28. The system of claim 21 wherein, in the event of a success of the child correlation object, results of the correlation performed by the child correlation object are stored in a child event listing corresponding to the child correlation object, the child event listing comprising a subset of events of the event listing, and the correlation thread initiating a correlation by descendant child correlation objects assigned to the successful child correlation object, the descendant child correlation object accessing the child event listing for performing the correlation.
  - 29. The system of claim 21 wherein a success of a correlation is based on whether events match a rule query defined for a correlation object performing the correlation.
  - 30. The system of claim 29 wherein a success of a correlation is further based on whether fields of events of the correlation performed on the correlation object match.
  - 31. The system of claim 29 wherein a success of a correlation is further based on whether fields of events of the correlation performed on the correlation object do not match.
  - 32. The system of claim 29 wherein a success of the correlation of the correlation object is further based on whether a value of a field of events matching the rule query match fields of events stored in an event listing of an ancestor object.
  - 33. The system of claim 21 wherein the correlation object further performs the correlation generating an event as a result of one of a success or a failure of the correlation, and storing the event in the event listing for access by other correlation objects in the decision tree.
  - 34. The system of claim 21 wherein an automation is initiated as a result of one of a success or failure of the correlation, the automation initiating an activity of the system.
  - 35. The system of claim 34 wherein the automation comprises performing a command script.
  - 36. The system of claim 35 wherein results produced by the command script are further analyzed, an event is generated as a result of the analysis, and the event is stored in the event listing for access by other correlation objects in decision trees having access to the event listing.
  - 37. The system of claim 34 wherein a pause period is initiated upon initiating the automation, the pause period pausing the system to ensure completion of the automation before the correlation thread continues.
  - 38. The system of claim 21 wherein a correlation object of the decision tree can be copied from a first location on the decision tree to a second location.
  - 39. The system of claim 38 wherein the correlation thread of the copied correlation object is automatically adjusted to correspond with the second position.
  - 40. The system of claim 38 wherein children and any other descendant correlation objects of the copied correlation object are further copied and automatically adjusted to correspond with the second position of the copied correlation object.

41. A computer-readable medium carrying at least one sequence of instructions for performing forensic analysis of events in an event listing, wherein the computer-readable medium comprises one of a hard drive medium and a portable optical medium and wherein execution of the sequence of instructions by at least one processor causes the at least one processor to perform the steps of:
- arranging a plurality of correlation objects in a hierarchical decision tree having multiple layers, each correlation object including a correlation rule that defines a correlation that is to be performed by the correlation object, at least one of the layers having parent correlation objects to which children correlation objects are assigned;
  
  applying the decision tree to the event listing to perform a forensic analysis in an order of correlation objects that is defined by a correlation thread, the correlation thread initiating a correlation by one of the parent correlation objects which results in one of a success or failure, wherein said applying the decision tree to the event listing to perform the forensic analysis comprises the security device evaluating the event listing against the correlation rules of the correlation objects in the order defined by the correlation thread; and
  
  in the event of a success of the parent correlation object, storing results of evaluating the event listing against the correlation rule of the parent correlation object in a parent event listing corresponding to the parent correlation object, the parent event listing comprising a subset of events of the event listing, and initiating, by the correlation thread, evaluating the parent event listing against the correlation rule of one of the child correlation objects assigned to the successful parent correlation object; and
  
  in the event of a failure of the evaluating performed by the parent correlation object, the correlation thread initiates evaluating of the event listing against a correlation rule of another parent correlation object,wherein the parent correlation object defines a time frame of the event listing from which events can be drawn for the correlation,wherein a second time frame corresponding to the child correlation object is calculated relative to the time frame defined by the parent correlation object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Woolway, Allan P.
Primary Examiner(s)
Serrao; Ranodhi N

Application Number

US11/145,779
Time in Patent Office

2,052 Days
Field of Search

709/223, 717/115, 726/23
US Class Current

709/223
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/0263   Rule management

H04L 63/1433   Vulnerability analysis

Progressive layered forensic correlation of computer network and security events

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

Progressive layered forensic correlation of computer network and security events

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others