System and method for interactive correlation rule design in a network security system

US 8,224,761 B1
Filed: 09/01/2005
Issued: 07/17/2012
Est. Priority Date: 09/01/2005
Status: Active Grant

First Claim

Patent Images

1. A method for generating correlation rules for events, comprising:

receiving event data for each of a plurality of events, the event data of a particular event comprising at least one attribute associated with that event;

displaying the event data for each of the plurality of events to an operator, the event data for the plurality of events having been processed according to one or more rules of a ruleset stored in a memory, the event data being displayed in a unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules;

receiving a selection made using the unified user interface of at least a portion of the plurality of events for which event data is displayed to the operator in the unified user interface;

generating at least one new rule that correlates the selected events, the at least one new rule generated based at least in part upon a pattern spread among the attributes associated with the selected events, the at least one new rule generated by at least one processor;

storing the at least one new rule and the selection of at least a portion of the events in the memory such that the at least one new rule is added to the ruleset stored in the memory; and

re-displaying, in the unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules, the event data to the operator such that the event data is correlated in accordance with the at least one new rule.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for generating correlation rules for events comprises receiving event data for each of a plurality of events, the event data of a particular event comprising at least one attribute associated with that event. The method continues by displaying the event data for each of the plurality of events to an operator. The method continues by receiving a selection of at least a portion of the events. The method continues by generating at least one rule that correlates the selected events based at least in part upon the attributes associated with the selected events. The method concludes by displaying the event data to the operator in accordance with the at least one rule.

140 Citations

View as Search Results

33 Claims

1. A method for generating correlation rules for events, comprising:
- receiving event data for each of a plurality of events, the event data of a particular event comprising at least one attribute associated with that event;
  
  displaying the event data for each of the plurality of events to an operator, the event data for the plurality of events having been processed according to one or more rules of a ruleset stored in a memory, the event data being displayed in a unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules;
  
  receiving a selection made using the unified user interface of at least a portion of the plurality of events for which event data is displayed to the operator in the unified user interface;
  
  generating at least one new rule that correlates the selected events, the at least one new rule generated based at least in part upon a pattern spread among the attributes associated with the selected events, the at least one new rule generated by at least one processor;
  
  storing the at least one new rule and the selection of at least a portion of the events in the memory such that the at least one new rule is added to the ruleset stored in the memory; and
  
  re-displaying, in the unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules, the event data to the operator such that the event data is correlated in accordance with the at least one new rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein:
    - the event data is received by one or more sensors; and
      
      at least a portion of the events comprise alerts generated in an intrusion detection system.
  - 3. The method of claim 1, wherein at least a portion of the events comprise alerts generated in a military information system.
  - 4. The method of claim 1, wherein the selection is made by the operator in response to the display of event data.
  - 5. The method of claim 1, wherein:
    - the plurality of events comprises a first event, a second event, and a third event;
      
      the selection comprises a selection of the first event and the third event; and
      
      the at least one processor generates the at least one new rule by at least identifying one or more attributes associated with the first event that are in common with one or more attributes associated with the third event.
  - 6. The method of claim 1, wherein the at least one new rule comprises a first new rule, and further comprising:
    - receiving a selection of additional events made by the operator; and
      
      generating a second new rule that correlates the initially selected events and the additionally selected events based at least in part upon the attributes associated with these events.
  - 7. The method of claim 6, wherein generating the second new rule comprises modifying the first new rule.
  - 8. The method of claim 1, wherein the at least one new rule comprises a first new rule, and further comprising:
    - receiving a deselection of events made by the operator; and
      
      generating a second new rule that correlates the initially selected events but not the deselected events based at least in part upon the attributes associated with these events.
  - 9. The method of claim 1, wherein the at least one new rule is a first new rule and further comprising:
    - requesting the operator to indicate whether the correlation of the event data in accordance with the first new rule is acceptable; and
      
      if the correlation is indicated to be unacceptable;
      
      requesting the operator to deselect at least one of the plurality of events; and
      
      generating a second new rule based at least in part on the at least one deselected event.

10. A system for generating correlation rules for events, comprising:
- at least one sensor that receives event data for each of a plurality of events, the event data of a particular event comprising at least one attribute associated with that event;
  
  at least one memory that stores a ruleset comprising a plurality of rules;
  
  at least one interface device that displays the event data for each of the plurality of events to an operator, the event data for the plurality of events having been processed according to one or more rules of the ruleset, and that receives a selection of at least a portion of the plurality of events for which event data is displayed to the operator, the interface comprising a unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules, the event data for each of the plurality of events being displayed to the operator using the unified user interface and the at least one selection being made using the unified user interface; and
  
  at least one processor that generates at least one new rule that correlates the selected events, the at least one new rule generated based at least in part upon a pattern spread among the attributes associated with the selected events, stores the at least one new rule and the selection of at least a portion of the events in the at least one memory such that the at least one new rule is added to the ruleset stored in the at least one memory, and redisplays, in the unified user interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules, the selected events to the operator such that the event data is correlated in accordance with the at least one new rule.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The system of claim 10, wherein the correlation is based on more than one type of attribute.
  - 12. The system of claim 10, wherein:
    - the at least one new rule is a first new rule;
      
      the at least one interface device requests the operator to indicate whether the correlation of the event data in accordance with the first new rule is acceptable; and
      
      if the correlation is indicated to be unacceptable;
      
      the at least one interface device requests the operator to deselect at least one of the plurality of events; and
      
      the at least one processor generates a second new rule based at least in part on the at least one deselected event.
  - 13. The system of claim 10, wherein at least a portion of the events comprise alerts generated in an intrusion detection system.
  - 14. The system of claim 10, wherein at least a portion of the events comprise alerts generated in a military information system.
  - 15. The system of claim 10, wherein the selection is made by the operator in response to the display of event data.
  - 16. The system of claim 10, wherein:
    - the plurality of events comprises a first event, a second event, and a third event;
      
      the selection comprises a selection of the first event and the third event; and
      
      the at least one processor generates the at least one new rule by at least identifying one or more attributes associated with the first event that are in common with one or more attributes associated with the third event.
  - 17. The system of claim 10, wherein:
    - the at least one new rule comprises a first rule;
      
      the processor receives a selection of additional events made by the operator; and
      
      the processor generates a second new rule that correlates the initially selected events and the additionally selected events based at least in part upon the attributes associated with these events.
  - 18. The system of claim 17, wherein the processor generates a second new rule by modifying the first new rule.
  - 19. The system of claim 10, wherein:
    - the at least one new rule comprises a first new rule;
      
      the processor receives a deselection of events made by the operator; and
      
      the processor generates a second new rule that correlates the initially selected events but not the deselected events based at least in part upon the attributes associated with these events.
  - 20. The system of claim 19, wherein the processor generates a second new rule by modifying the first new rule.

21. An apparatus for generating correlation rules for events, the apparatus comprising:
- at least one memory that stores a ruleset comprising a plurality of rules; and
  
  a correlation engine that;
  
  receives event data for each of a plurality of events, the event data of a particular event comprising a plurality of attributes associated with that event;
  
  displays the event data for each of the plurality of events to at least one operator, the event data for the plurality of events having been processed according to one or more rules of the ruleset, the event data being displayed in a unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules;
  
  receives from the at least one operator a selection made using the unified user interface of at least a portion of the plurality of events for which event data is displayed to the at least one operator in the unified user interface;
  
  generates at least one new rule that correlates the selected events, the at least one new rule generated based at least in part upon a pattern spread among the attributes associated with the selected events;
  
  stores the at least one new rule and the selection of at least a portion of the events in the at least one memory such that the at least one new rule is added to the ruleset stored in the at least one memory; and
  
  sends the event data to at least one graphical user interface in accordance with the at least one new rule such that the selected events are redisplayed, in the unified interface for displaying event data processed by rules in the ruleset and for creation of new correlation rules, to the at least one operator in such a way that the selected event data is correlated in accordance with the at least one new rule.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 22. The apparatus of claim 21, wherein at least a portion of the events comprise alerts generated in an intrusion detection system.
  - 23. The apparatus of claim 21, wherein at least a portion of the events comprise alerts generated in a military information system.
  - 24. The apparatus of claim 21, wherein:
    - the plurality of events comprises a first event, a second event, and a third event;
      
      the selection comprises a selection of the first event and the third event; and
      
      the correlation engine generates the at least one new rule by at least identifying one or more attributes associated with the first event that are in common with one or more attributes associated with the third event.
  - 25. The apparatus of claim 21, wherein the at least one new rule comprises a first new rule, and the correlation engine:
    - receives a selection of additional events made by the operator; and
      
      generates a second new rule that correlates the initially selected events and the additionally selected events based at least in part upon the attributes associated with these events.
  - 26. The apparatus of claim 25, wherein the correlation engine generates the second new rule by modifying the first new rule.
  - 27. The apparatus of claim 21, wherein the at least one new rule comprises a first new rule, and the correlation engine:
    - receives a deselection of events made by the operator; and
      
      generates a second new rule that correlates the initially selected events but not the deselected events based at least in part upon the attributes associated with these events.
  - 28. The apparatus of claim 27, wherein the correlation engine generates the second new rule by modifying the first new rule.
  - 29. The apparatus of claim 21, wherein:
    - at least one of the plurality of events is a data packet received at a network port, the at least one event associated with an attack; and
      
      in conjunction with detecting the attack, the correlation engine disables the network port.
  - 30. The apparatus of claim 21, wherein:
    - the at least one new rule is a first new rule; and
      
      the correlation engine generates a second new rule based at least in part on the selection stored in the memory.
  - 31. The apparatus of claim 21, wherein the plurality of attributes for each event comprises a source IP address, a destination IP address, a time, and a priority value.
  - 32. The apparatus of claim 21, wherein:
    - the correlation engine detects that the pattern spread among the attributes associated with the selected events is a particular IP address that is common among the selected events; and
      
      in response to detecting the pattern, the correlation engine designs the at least one new rule to generate one or more alerts for events associated with the particular IP address.
  - 33. The apparatus of claim 21, wherein:
    - the correlation engine detects that the pattern spread among the attributes associated with the selected events is based at least in part on times associated with the selected events; and
      
      in response to detecting the pattern, the correlation engine designs the at least one new rule to generate one or more alerts for events occurring between a first time and a second time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Rockwood, Troy Dean
Primary Examiner(s)
Gaffin, Jeffrey A
Assistant Examiner(s)
Buss, Benjamin

Application Number

US11/219,025
Time in Patent Office

2,511 Days
Field of Search

706/47, 706/911, 714/26, 709/223, 709/224, 716/26
US Class Current

706/47
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/1425 Traffic logging, e.g. anoma...

System and method for interactive correlation rule design in a network security system

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

140 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for interactive correlation rule design in a network security system

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

140 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links