Management of computer security events across distributed systems

US 8,087,087 B1
Filed: 06/06/2003
Issued: 12/27/2011
Est. Priority Date: 06/06/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for managing system events in a network, comprising:

receiving, by a computer, a system event initiated by an initiating client associated with a user, wherein the system event comprises a plurality of data elements associated with respective ones of a plurality of system event attributes;

evaluating the plurality of data elements of the system event against a security policy and determining that the system event fails to conform to the security policy for the user, wherein the security policy defines permitted actions for different users in accordance with the plurality of system event attributes;

determining a greatest of a plurality of significance factors assigned to a plurality of data groups that are associated with the plurality of data elements of the system event;

determining whether the system event matches a special attention rule in accordance with the plurality of data elements, wherein the special attention rule defines a prohibited action;

if the system event does not match the special attention rule and the system event fails the security policy, assigning to the system event the greatest of the plurality of significance factors as a severity level; and

if the system event matches the special attentions rule and the system event fails the security policy,comparing the greatest of the plurality of significance factors against a pre-assigned severity level that was pre-assigned to the special attention rule; and

assigning to the system event a greater of the greatest of the plurality of significance factors and the pre-assigned severity level as a severity level.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer receives a system event initiated by an initiating client associated with a user. The system event comprises a plurality of data elements associated with respective ones of a plurality of system event attributes. It is determined that the system event fails to conform to the security policy. A greatest of a plurality of significance factors assigned to a plurality of data groups that are associated with the plurality of data elements of the system event is determined. If the system event does not match a special attention rule, the greatest of the plurality of significance factors is assigned to the system event as a severity level. If the system event matches the special attentions rule, then a greater of the greatest of the plurality of significance factors and the pre-assigned severity level is assigned to the system event as a severity level.

32 Citations

View as Search Results

24 Claims

1. A method for managing system events in a network, comprising:
- receiving, by a computer, a system event initiated by an initiating client associated with a user, wherein the system event comprises a plurality of data elements associated with respective ones of a plurality of system event attributes;
  
  evaluating the plurality of data elements of the system event against a security policy and determining that the system event fails to conform to the security policy for the user, wherein the security policy defines permitted actions for different users in accordance with the plurality of system event attributes;
  
  determining a greatest of a plurality of significance factors assigned to a plurality of data groups that are associated with the plurality of data elements of the system event;
  
  determining whether the system event matches a special attention rule in accordance with the plurality of data elements, wherein the special attention rule defines a prohibited action;
  
  if the system event does not match the special attention rule and the system event fails the security policy, assigning to the system event the greatest of the plurality of significance factors as a severity level; and
  
  if the system event matches the special attentions rule and the system event fails the security policy,comparing the greatest of the plurality of significance factors against a pre-assigned severity level that was pre-assigned to the special attention rule; and
  
  assigning to the system event a greater of the greatest of the plurality of significance factors and the pre-assigned severity level as a severity level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising normalizing the system event according to the plurality of system event attributes to generate a normalized system event.
  - 3. The method of claim 2, wherein said normalizing the system event according to the plurality of system event attributes comprises associating a first of the plurality of data elements to a data field corresponding to a first of the plurality of system event attributes of the normalized system event.
  - 4. The method of claim 3, wherein plurality of data elements comprises at least one of the identity of the initiating client and an identity of a recipient client that is acted upon by the system event.
  - 5. The method of claim 3 wherein the identity comprises one of:
    - an Internet Protocol address, a workstation name, an email address, and a fully-qualified host name.
  - 6. The method of claim 1 further comprising:
    - receiving a second system event initiated by a second initiating client associated with a second user, wherein the system event comprises a second plurality of data elements associated with respective ones of the plurality of system event attributes;
      
      comparing the second plurality of data elements of the system event to the security policy and determining that the second system event conforms to the security policy for the second user;
      
      determining a greatest of a second plurality of significance factors assigned to a second plurality of data groups that are associated with the second plurality of data elements of the second system event;
      
      computing a conforming severity level as the greatest of the second plurality of significance factors divided by a coefficient common to the second plurality of significance factors; and
      
      assigning to the second system event the conforming severity level as a severity level.
  - 7. The method of claim 1 further comprising generating a solution to the event based on the severity level.
  - 8. The method of claim 7 wherein the solution comprises generation of an immediate alert, an email message, an instant message, or a report.
  - 9. The method of claim 1 wherein the network is a distributed network.

10. A system for managing system events in a network, comprising:
- a processor;
  
  a storage media having a security policy stored therein, the security policy defining permitted actions for different users in accordance with a plurality of system event attributes; and
  
  a storage media encoded with program instructions executable by the processor, the program instructions to;
  
  receive a system event initiated by an initiating client associated with a user, the system event configured to act on a recipient client, wherein the system event comprises a plurality of data elements associated with respective ones of a plurality of system event attributes;
  
  evaluate the plurality of data elements of the system event against the security policy to determine whether the system event conforms to the security policy for the user;
  
  determine a greatest of a plurality of significance factors assigned to a plurality of data groups that are associated with the plurality of data elements of the system event;
  
  determine whether the system event matches a special attention rule in accordance with the plurality of data elements, wherein the special attention rule defines a prohibited action;
  
  if the system event does not match the special attention rule and the system event fails the security policy, assign to the system event the greatest of the plurality of significance factors as a severity level; and
  
  if the system event matches the special attentions rule and fails the security policy,compare the greatest of the plurality of significance factors against a pre-assigned severity level that was pre-assigned to the special attention rule; and
  
  assign to the system event a greater of the greatest of the plurality of significance factors and the pre-assigned severity level as a severity level for the system event.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The system of claim 10, wherein the storage media also has program instructions to normalize the system event according to the plurality of system event attributes to generate a normalized system event.
  - 12. The system of claim 10, wherein the program instructions to normalize the system event according to the plurality of system event attributes comprises program instructions to associate a first of the plurality of data elements to a data field corresponding to a first of the plurality of system event attributes of the normalized system event.
  - 13. The system of claim 12 wherein the plurality of data elements comprises at least one of identity of the initiating client and an identity of a recipient client that is acted upon by the system event.
  - 14. The system of claim 12 wherein the identity comprises one of:
    - a workstation name, an Internet Protocol address, an email address, and a fully-qualified host name.
  - 15. The system of claim 10, wherein the plurality of data elements comprise at least one of:
    - the identity of a user initiating the system event;
      
      the type of system event that was initiated;
      
      the time at which the system event occurred;
      
      the system or device on which the system event occurred; and
      
      the file, device, or setting that was accessed by the system event.
  - 16. The system of claim 10, wherein the storage media further has program instruction to:
    - compute a conforming severity level as the greatest of the plurality of significance factors divided by a coefficient common to the plurality of significance factors if the system event conforms to the security policy; and
      
      assign the conforming severity level as a severity level to the system event that conforms to the security policy.
  - 17. The system of claim 10 wherein a solution to the system event is generated based on the severity level.
  - 18. The system of claim 17 wherein the solution comprises generation of an immediate alert, an email message, an instant message, or a report.
  - 19. The system of claim 10 wherein the network is a distributed network.

20. A non-transitory computer-readable storage medium comprising program instructions executable to:
- receive a system event initiated by an initiating client associated with a user, wherein the system event comprises a plurality of data elements associated with respective ones of a plurality of system event attributes;
  
  evaluate the plurality of data elements of the system event against the security policy to determine whether the system event conforms to the security policy for the user;
  
  wherein the security policy defines permitted actions for different users in accordance with the plurality of system event attributes;
  
  determine a greatest of a plurality of significance factors assigned to a plurality of data groups that are associated with the plurality of data elements of the system event;
  
  determine whether the system event matches a special attention rule in accordance with the plurality of data elements, wherein the special attention rule defines a prohibited action;
  
  if the system event does not match the special attention rule and the system event fails the security policy, assign to the system event the greatest of the plurality of significance factors as a severity level; and
  
  if the system event matches the special attentions rule and fails the security policy,compare the greatest of the plurality of significance factors against a pre-assigned severity level that was pre-assigned to the special attention rule; and
  
  assign to the system event a greater of the greatest of the plurality of significance factors and the pre-assigned severity level as a severity level.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The non-transitory computer-readable storage medium of claim 20 further comprising program instructions to normalize the system event in accordance with the plurality of system event attributes for evaluation.
  - 22. The non-transitory computer-readable storage medium of claim 21, wherein the program instructions to normalize the system event in accordance with the plurality of system event attributes comprises program instructions to assign the plurality of data elements from the system event to respective ones of attribute fields that corresponds to the plurality of system event attributes.
  - 23. The non-transitory computer-readable storage medium of claim 22, wherein the plurality of system event attributes comprise at least two of a time attribute, an event type attribute, a platform attribute, a user source attribute, a machine origin attribute, a user recipient attribute, and a machine target attribute.
  - 24. The non-transitory computer-readable storage medium of claim 21, wherein the program instructions to normalize the system event further comprising program instructions to:
    - for each of the plurality of data elements,determine a set of data groups assigned to the one of the plurality system event attributes associated with the data element; and
      
      determine which data group of the set of data groups corresponds to the data element; and
      
      associate the corresponding one of the set of data groups to the data element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
van Oorschot, Johannes P. M., Vogel, Emil S. A., Nentjes, Ide W. H., Hillenaar, Arthur W., Snoeck, Eddy, Houtekamer, Gilles E.
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US10/455,940
Time in Patent Office

3,126 Days
Field of Search

726/25, 726/1, 726/3, 726/6
US Class Current

726/25
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/1416 Event detection, e.g. attac...

Management of computer security events across distributed systems

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Management of computer security events across distributed systems

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links