Adaptive data collection for root-cause analysis and intrusion detection

US 8,413,247 B2
Filed: 03/14/2007
Issued: 04/02/2013
Est. Priority Date: 03/14/2007
Status: Active Grant

First Claim

Patent Images

1. A method for performing adaptive data collection in an endpoint of an enterprise security environment, the method comprising the steps of:

receiving a security assessment at a server that describes an object in the environment, the security assessment being a tentative assignment of security meaning to information relating to the object and further comprising a plurality of fields, at least one of the fields is a fidelity field that is arranged to express a degree of confidence an endpoint has in the security assessment, the security assessment being arranged to provide contextual meaning to the object and being defined with an estimated time interval over which the security assessment is valid;

switching from a first data collection mode to a second data collection mode in the server responsively to the received security assessment, the second data collection mode collecting a larger subset of available data in the environment than is collected while in the first data collection mode;

analyzing the collected larger subset of available data; and

rolling-back to the first data collection mode upon expiration of the estimated time interval.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Endpoints in an enterprise security environment are configured to adaptively switch from their normal data collection mode to a long-term, detailed data collection mode where advanced analyses are applied to the collected detailed data. Such adaptive data collection and analysis is triggered upon the receipt of a security assessment of a particular type, where a security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information (i.e., data in some context) that is collected about an object of interest. A specialized endpoint is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to detected security incidents in the environment. The specialized endpoint is arranged to perform various analyses and processes on historical security assessments.

233 Citations

20 Claims

1. A method for performing adaptive data collection in an endpoint of an enterprise security environment, the method comprising the steps of:
- receiving a security assessment at a server that describes an object in the environment, the security assessment being a tentative assignment of security meaning to information relating to the object and further comprising a plurality of fields, at least one of the fields is a fidelity field that is arranged to express a degree of confidence an endpoint has in the security assessment, the security assessment being arranged to provide contextual meaning to the object and being defined with an estimated time interval over which the security assessment is valid;
  
  switching from a first data collection mode to a second data collection mode in the server responsively to the received security assessment, the second data collection mode collecting a larger subset of available data in the environment than is collected while in the first data collection mode;
  
  analyzing the collected larger subset of available data; and
  
  rolling-back to the first data collection mode upon expiration of the estimated time interval.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 in which the first data collection mode is arranged for collecting summary data describing the object and the second data collection mode is arranged for collecting detailed data describing the object.
  - 3. The method of claim 2, wherein said analyzing the collected larger subset of available data comprises analyzing the collected detailed data by applying an algorithm or process, the algorithm or process being arranged for determining an occurrence of a security breach.
  - 4. The method of claim 3 including a further step of generating a security assessment in response to the analyzing the collected larger subset of available data.
  - 5. The method of claim 3 including a further step of rolling back to the first data collection mode in response to the analyzing the collected larger subset of available data.
  - 6. The method of claim 1 including a further step of persistently storing the collected subset in accordance with a retention policy.
  - 7. The method of claim 1 in which the object is one of host, user, destination, or enterprise.

8. An enterprise security management product configured to perform adaptive data collection in an endpoint of an enterprise security environment, the product comprising:
- an endpoint coupled to a security assessment channel, the endpoint including a server, the security assessment channel configured to receive a security assessment that describes an object in the environment, the security assessment being a tentative assignment of security meaning to information relating to the object and further comprising a plurality of fields, at least one of the fields is a fidelity field that is arranged to express a degree of confidence an endpoint has in the security assessment, the security assessment being arranged to provide contextual meaning to the object and being defined with an estimated time interval over which the security assessment is valid;
  
  the endpoint configured to switch from a first data collection mode to a second data collection mode responsively to the received security assessment, the second data collection mode collecting a larger subset of available data in the environment than is collected while in the first data collection mode;
  
  the endpoint configured to analyze the collected larger subset of available data; and
  
  the endpoint configured to roll-back to the first data collection mode upon expiration of the estimated time interval.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The product of claim 8, wherein the first data collection mode is configured to collect summary data describing the object and the second data collection mode is configured to collect detailed data describing the object.
  - 10. The product of claim 9, wherein the endpoint is configured to analyze the collected detailed data by applying an algorithm or process, the algorithm or process being arranged for determining an occurrence of a security breach.
  - 11. The product of claim 10, wherein the endpoint is configured to generate a security assessment in response to the analysis of the collected detailed data.
  - 12. The product of claim 10, wherein the endpoint is configured to roll back to the first data collection mode in response to the analysis of the collected detailed data.
  - 13. The product of claim 8, wherein the endpoint is configured to persistently store the collected subset in accordance with a retention policy.
  - 14. The product of claim 8, wherein the object is one of host, user, destination, or enterprise.

15. An endpoint, comprising:
- a computer coupled to a security assessment channel, the security assessment channel configured to receive a security assessment at a server that describes an object in the environment, the security assessment being a tentative assignment of security meaning to information relating to the object and further comprising a plurality of fields, at least one of the fields is a fidelity field that is arranged to express a degree of confidence an endpoint has in the security assessment, the security assessment being arranged to provide contextual meaning to the object and being defined with an estimated time interval over which the security assessment is valid;
  
  the computer configured to switch from a first data collection mode to a second data collection mode responsively to the received security assessment, the second data collection mode collecting a larger subset of available data in the environment than is collected while in the first data collection mode;
  
  the computer configured to analyze the collected larger subset of available data; and
  
  the computer configured to roll-back to the first data collection mode upon expiration of the estimated time interval.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The endpoint of claim 15, wherein the first data collection mode is arranged for collecting summary data describing the object and the second data collection mode is arranged for collecting detailed data describing the object.
  - 17. The endpoint of claim 15, where in the object is one of host, user, destination, or enterprise.
  - 18. The endpoint of claim 16, wherein the computer is configured to roll back to the first data collection mode in response to the analysis of the collected detailed data.
  - 19. The endpoint of claim 16, wherein the computer is configured to analyze the collected detailed data by applying an algorithm or process, the algorithm or process being arranged for determining an occurrence of a security breach.
  - 20. The endpoint of claim 16, wherein the computer is configured to generate a security assessment in response to the analysis of the collected detailed data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hudis, Efim, Helman, Yair, Malka, Joseph, Barash, Uri
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US11/717,978
Publication Number

US 20080229421A1
Time in Patent Office

2,211 Days
Field of Search

713/156, 726/25, 726/26, 709/223, 709/224
US Class Current

726/25
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1433 Vulnerability analysis

Adaptive data collection for root-cause analysis and intrusion detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

233 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive data collection for root-cause analysis and intrusion detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

233 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links