Correlation engine with support for time-based rules

US 8,176,527 B1
Filed: 12/02/2002
Issued: 05/08/2012
Est. Priority Date: 12/02/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a computer processor, a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;

identifying a first rule that indicates a threshold number of base events and a first time period;

determining how many base events include a time attribute that falls within the first time period;

determining whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;

when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, generating a first stage meta-event;

identifying a second rule that indicates a threshold number of first stage meta-events and a second time period;

when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, generating a second stage meta-event;

detecting additional second stage meta-events;

determining an amount of time that has passed since a most-recent second stage meta-event was detected; and

when a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, generating a third stage meta-event.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A rules engine with support for time-based rules is disclosed. A method performed by the rules engine, comprises receiving security events generated by a number of network devices. The security events are aggregated. One or more time-based rules are provided to a RETE engine. The aggregated security events are provided to the RETE engine at specific times associated with the time-based rules. The security events are cross-correlated with the one or more time-based rules; and one or more first stage meta-events are reported.

184 Citations

View as Search Results

22 Claims

1. A computer-implemented method, comprising:
- receiving, by a computer processor, a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;
  
  identifying a first rule that indicates a threshold number of base events and a first time period;
  
  determining how many base events include a time attribute that falls within the first time period;
  
  determining whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;
  
  when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, generating a first stage meta-event;
  
  identifying a second rule that indicates a threshold number of first stage meta-events and a second time period;
  
  when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, generating a second stage meta-event;
  
  detecting additional second stage meta-events;
  
  determining an amount of time that has passed since a most-recent second stage meta-event was detected; and
  
  when a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, generating a third stage meta-event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein the network component comprises an intrusion detection system.
  - 3. The method of claim 1, further comprising activating the first rule dynamically.
  - 4. The method of claim 1, further comprising detecting improper rule syntax.
  - 5. The method of claim 1, further comprising detecting a loop condition generated by the first rule.
  - 6. The method of claim 1, further comprising detecting rule feedback.
  - 7. The method of claim 1, further comprising performing an action specified by the first rule to notify an individual of the first-stage meta-event.
  - 8. The method of claim 1, further comprising aligning timelines of base events generated by different devices.
  - 17. The method of claim 1, further comprising filtering the plurality of base events based on a condition before determining how many base events include a time attribute that falls within the first time period.
  - 18. The method of claim 17, wherein filtering the plurality of base events based on the condition comprises discarding the base events that do not satisfy the condition.
  - 19. The method of claim 1, further comprising aggregating the plurality of base events before determining how many base events include a time attribute that falls within the first time period.
  - 20. The method of claim 1, wherein the plurality of base events was generated by one or more network devices.
  - 21. The method of claim 1, wherein detecting additional second stage meta-events comprises adjusting the second time period of the second rule.
  - 22. The method of claim 1, further comprising deactivating the first rule dynamically.

9. A system, comprising:
- hardware means for receiving a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;
  
  hardware means for identifying a first rule that indicates a threshold number of base events and a first time period;
  
  hardware means for determining how many base events include a time attribute that falls within the first time period;
  
  hardware means for determining whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;
  
  hardware means for generating, when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, a first stage meta-event;
  
  hardware means for identifying a second rule that indicates a threshold number of first stage meta-events and a second time period;
  
  hardware means for generating, when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, a second stage meta-event;
  
  hardware means for detecting additional second stage meta-events;
  
  hardware means for determining an amount of time that has passed since a most-recent second stage meta-event was detected; and
  
  hardware means for generating, when a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event.
- View Dependent Claims (10, 11, 12)
- - 10. The system of claim 9, further comprising means for activating and deactivating the first rule dynamically.
  - 11. The system of claim 9, further comprising means for performing an action specified by the first rule to notify an individual of the first stage meta-event.
  - 12. The system of claim 9, further comprising means for aligning timelines of base events from two or more heterogeneous security sources.

13. A computer readable non-transitory storage medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to:
- receive a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;
  
  identify a first rule that indicates a threshold number of base events and a first time period;
  
  determine how many base events include a time attribute that falls within the first time period;
  
  determine whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;
  
  generate, when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, a first stage meta-event;
  
  identify a second rule that indicates a threshold number of first stage meta-events and a second time period;
  
  generate, when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, a second stage meta-event;
  
  detect additional second stage meta-events;
  
  determine an amount of time that has passed since a most-recent second stage meta-event was detected; and
  
  generate, when a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event.
- View Dependent Claims (14, 15, 16)
- - 14. The computer readable non-transitory storage medium of claim 13, further having stored thereon computer-readable instructions, which when executed in the computer system, cause the computer system to activate and deactivate the first rule dynamically.
  - 15. The computer readable non-transitory storage medium of claim 13, further having stored thereon computer-readable instructions, which when executed in the computer system, cause the computer system to perform an action specified by the first rule to notify an individual of the first-stage meta-event.
  - 16. The computer readable non-transitory storage medium of claim 13, further having stored thereon computer-readable instructions, which when executed in the computer system, cause the computer system to align timelines of base events from two or more heterogeneous security sources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Njemanze, Hugh S., Kothari, Pravin S., Dash, Debabrata, Wang, Shijie
Primary Examiner(s)
Moorthy, Aravind
Assistant Examiner(s)
Pan, Joseph

Application Number

US10/308,767
Time in Patent Office

3,445 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 380/200, 380/201, 380/255, 380/277, 726/2, 726/22, 726 23- 25, 709223-224
US Class Current

726/2
CPC Class Codes

G06F 21/554 involving event detection a...

G06Q 10/06 Resources, workflows, human...

Correlation engine with support for time-based rules

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

184 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Correlation engine with support for time-based rules

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links