Correlation engine with support for time-based rules
First Claim
1. A computer-implemented method, comprising:
receiving, by a computer processor, a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;
identifying a first rule that indicates a threshold number of base events and a first time period;
determining how many base events include a time attribute that falls within the first time period;
determining whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;
when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, generating a first stage meta-event;
identifying a second rule that indicates a threshold number of first stage meta-events and a second time period;
when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, generating a second stage meta-event;
detecting additional second stage meta-events;
determining an amount of time that has passed since a most-recent second stage meta-event was detected; and
when a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, generating a third stage meta-event.
11 Assignments
0 Petitions
Abstract
A rules engine with support for time-based rules is disclosed. A method performed by the rules engine, comprises receiving security events generated by a number of network devices. The security events are aggregated. One or more time-based rules are provided to a RETE engine. The aggregated security events are provided to the RETE engine at specific times associated with the time-based rules. The security events are cross-correlated with the one or more time-based rules; and one or more first stage meta-events are reported.
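The three-stage method of claim 1 (restated in system and storage-medium form in claims 9 and 13) and the abstract's clock-driven evaluation of time-based rules, as an added worked example in Python. This is illustrative code written for this page, not the patentee's implementation, and it is a plain sliding-window engine rather than a RETE network. It reads the claim's "threshold does not exceed the count" as count >= threshold, treats each "time period" as a sliding window ending at the newest event (the claims do not say whether windows are sliding or fixed), and implements the third rule as a silence detector that fires once when no second stage meta-event has been seen for the threshold period. The sshd log format, the 10.0.0.5 source address and the thresholds (5 failures in 60 s, 3 bursts in 10 min, 30 min of silence) are constructed for the demonstration.

```python
"""Three-stage, time-based event correlation in the style of the claimed method.

Added illustration, not the patentee's code.  Thresholds, the sshd log format
and the host/address values are constructed for this example."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    stage: int         # 0 = base event from a log entry; 1, 2, 3 = meta-event stage
    time: datetime     # time attribute: when the network component wrote the entry
    detail: str


class CountWithinWindow:
    """Stage N -> N+1: fire when at least `threshold` inputs fall within `window`.

    Inputs must be fed in time-attribute order; the window is keyed on the
    source-generated time, not on receipt time."""

    def __init__(self, name: str, threshold: int, window: timedelta, out_stage: int):
        self.name, self.threshold, self.window, self.out_stage = name, threshold, window, out_stage
        self.times: Deque[datetime] = deque()

    def feed(self, ev: Event) -> Optional[Event]:
        self.times.append(ev.time)
        while ev.time - self.times[0] > self.window:   # evict inputs outside the window
            self.times.popleft()
        if len(self.times) >= self.threshold:          # "threshold does not exceed the count"
            self.times.clear()                         # each input counts toward one meta-event
            return Event(self.out_stage, ev.time, f"{self.name}: {self.threshold} within {self.window}")
        return None


class QuietAfterActivity:
    """Stage 2 -> 3: fire once when no stage-2 meta-event has arrived for `timeout`."""

    def __init__(self, name: str, timeout: timedelta):
        self.name, self.timeout = name, timeout
        self.last_seen: Optional[datetime] = None
        self.fired = False

    def observe(self, ev: Event) -> None:
        self.last_seen, self.fired = ev.time, False    # fresh activity re-arms the rule

    def check(self, now: datetime) -> Optional[Event]:
        if self.last_seen is None or self.fired or now - self.last_seen < self.timeout:
            return None
        self.fired = True
        return Event(3, now, f"{self.name}: no stage-2 activity for {self.timeout}")


class CorrelationEngine:
    def __init__(self) -> None:
        self.stage1 = CountWithinWindow("login burst", 5, timedelta(seconds=60), 1)
        self.stage2 = CountWithinWindow("sustained brute force", 3, timedelta(minutes=10), 2)
        self.stage3 = QuietAfterActivity("brute force stopped", timedelta(minutes=30))
        self.meta: List[Event] = []

    def ingest(self, ev: Event) -> None:
        m1 = self.stage1.feed(ev)
        if m1 is None:
            return
        self.meta.append(m1)
        m2 = self.stage2.feed(m1)
        if m2 is None:
            return
        self.meta.append(m2)
        self.stage3.observe(m2)

    def tick(self, now: datetime) -> None:
        """Clock-driven evaluation: the 'specific times' at which time-based rules run."""
        m3 = self.stage3.check(now)
        if m3 is not None:
            self.meta.append(m3)


def parse_line(line: str) -> Event:
    stamp, _, msg = line.partition(" ")
    return Event(0, datetime.fromisoformat(stamp), msg)


def constructed_log() -> List[str]:
    """Constructed sample: three bursts of five failed logins, four minutes apart, then silence."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    return [f"{(t0 + timedelta(minutes=4 * b, seconds=10 * i)).isoformat()} "
            f"sshd[4242]: Failed password for root from 10.0.0.5 port {50000 + 5 * b + i}"
            for b in range(3) for i in range(5)]


def run_demo() -> List[Tuple[int, str, str]]:
    eng = CorrelationEngine()
    for line in constructed_log():
        eng.ingest(parse_line(line))
    for now in (datetime(2024, 3, 1, 10, 20), datetime(2024, 3, 1, 10, 40), datetime(2024, 3, 1, 10, 50)):
        eng.tick(now)
    return [(e.stage, e.time.isoformat(timespec="minutes"), e.detail) for e in eng.meta]


if __name__ == "__main__":
    for stage, when, what in run_demo():
        print(f"stage {stage} @ {when}: {what}")
```

Two points a practitioner would check before relying on this pattern. First, the windows are keyed on the time attribute the network component wrote, so clock skew or delayed delivery from one source can place an event outside the window it belongs to; production engines either sort within a bounded reorder buffer or fall back to receipt time. Second, the stage-1 rule clears its buffer after firing, so every base event contributes to at most one burst; an attacker who keeps each burst below the threshold never produces a stage-1 meta-event at all, which is why a low-and-slow rule with a much longer window is normally run alongside.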
184 Citations
22 Claims
1. Independent method claim; the full text is given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20, 21, 22
9. A system, comprising:
hardware means for receiving a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;
hardware means for identifying a first rule that indicates a threshold number of base events and a first time period;
hardware means for determining how many base events include a time attribute that falls within the first time period;
hardware means for determining whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;
hardware means for generating, when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, a first stage meta-event;
hardware means for identifying a second rule that indicates a threshold number of first stage meta-events and a second time period;
hardware means for generating, when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, a second stage meta-event;
hardware means for detecting additional second stage meta-events;
hardware means for determining an amount of time that has passed since a most-recent second stage meta-event was detected; and
hardware means for generating, when a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event.
Dependent claims: 10, 11, 12
13. A computer readable non-transitory storage medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to:
receive a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;
identify a first rule that indicates a threshold number of base events and a first time period;
determine how many base events include a time attribute that falls within the first time period;
determine whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;
generate, when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, a first stage meta-event;
identify a second rule that indicates a threshold number of first stage meta-events and a second time period;
generate, when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, a second stage meta-event;
detect additional second stage meta-events;
determine an amount of time that has passed since a most-recent second stage meta-event was detected; and
generate, when a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event.
Dependent claims: 14, 15, 16