Method and system for displaying network security incidents

US 8,423,894 B2
Filed: 11/16/2009
Issued: 04/16/2013
Est. Priority Date: 09/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

causing display of a table comprising rows of data arranged in columns;

wherein data displayed in the table defines a set of network events that constitute a security incident;

wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;

wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;

wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;

wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;

wherein data displayed in the at least one row specifies a current logical or temporal relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;

wherein the table is editable by a user to specify a new current logical or temporal relationship between the subset of one or more network events of said set of network events displayed in one row of the at least one row in the table and a set of one or more network events defined by data displayed in another row in the table;

wherein the method is performed by one or more computing devices.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information of the network sessions and security incidents to a user of the system in an intuitive form. The user is able to not only learn the details of a possible network attack, but also creates new security event correlation rules intuitively, including drop rules for dropping a particular type of events.

95 Citations

View as Search Results

21 Claims

1. A method comprising:
- causing display of a table comprising rows of data arranged in columns;
  
  wherein data displayed in the table defines a set of network events that constitute a security incident;
  
  wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
  
  wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
  
  wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
  
  wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
  
  wherein data displayed in the at least one row specifies a current logical or temporal relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
  
  wherein the table is editable by a user to specify a new current logical or temporal relationship between the subset of one or more network events of said set of network events displayed in one row of the at least one row in the table and a set of one or more network events defined by data displayed in another row in the table;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the plurality of network event constraints further comprises a count constraint that specifies, as a necessary condition of the security incident, a minimum number of network events that must each satisfy all other constraints of the plurality of network event constraints.
  - 3. The method of claim 1, wherein the current logical or temporal relationship between the subset and the set of one or more network events defined by data displayed in the another row is a logical relationship.
  - 4. The method of claim 3, wherein the logical relationship is a logical OR relationship or a logical AND relationship.
  - 5. The method of claim 1, wherein the current logical or temporal relationship between the subset and the set of one or more network events defined by data displayed in the another row is a temporal relationship.
  - 6. The method of claim 5, wherein the temporal relationship specifies, as a necessary condition of the security incident, that at least one network event belonging to said subset must be detected before any network event belonging to the set of one or more network events defined by data displayed in the other row is detected.
  - 7. The method of claim 1, wherein at least one of the source network address constraint and the destination network address constraint is dependent on either a source network address constraint or a destination network address constraint specified by data displayed in another row of the table.

8. A computer memory storing instructions which, when executed by one or more processors, cause the one or more processors to performcausing display of a table comprising rows of data arranged in columns;
- wherein data displayed in the table defines a set of network events that constitute a security incident;
  
  wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
  
  wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
  
  wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
  
  wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
  
  wherein data displayed in the at least one row specifies a current logical or temporal relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
  
  wherein the table is editable by a user to specify a new current logical or temporal relationship between the subset of one or more network events of said set of network events displayed in one row of the at least one row in the table and a set of one or more network events defined by data displayed in another row in the table.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer memory of claim 8, wherein the plurality of network event constraints further comprises a count constraint that specifies, as a necessary condition of the security incident, a minimum number of network events that must each satisfy all other constraints of the plurality of network event constraints.
  - 10. The computer memory of claim 8, wherein the current logical or temporal relationship between the subset and the set of one or more network events defined by data displayed in the another row is a logical relationship.
  - 11. The computer memory of claim 10, wherein the logical relationship is a logical OR relationship or a logical AND relationship.
  - 12. The computer memory of claim 8, wherein the current logical or temporal relationship between the subset and the set of one or more network events defined by data displayed in the another row is a temporal relationship.
  - 13. The computer memory of claim 12, wherein the temporal relationship specifies, as a necessary condition of the security incident, that at least one network event belonging to said subset must be detected before any network event belonging to the set of one or more network events defined by data displayed in the other row is detected.
  - 14. The computer memory of claim 8, wherein at least one of the source network address constraint and the destination network address constraint is dependent on either a source network address constraint or a destination network address constraint specified by data displayed in another row of the table.

15. A graphical user interface on a display, comprising:
- a table comprising rows of data arranged in columns;
  
  wherein data displayed in the table defines a set of network events that constitute a security incident;
  
  wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
  
  wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
  
  wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
  
  wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
  
  wherein data displayed in the at least one row specifies a current logical or temporal relationship between the subset and a set of one or more network events defined by data displayed in another row in the table wherein the table is editable by a user to specify a new current logical or temporal relationship between the subset of one or more network events of said set of network events displayed in one row of the at least one row in the table and a set of one or more network events defined by data displayed in another row in the table.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The graphical user interface of claim 15, wherein the plurality of constraints further comprises a count constraint that specifies, as a necessary condition of the security incident, a minimum number of network events that must each satisfy all other constraints of the plurality of constraints.
  - 17. The graphical user interface of claim 15, wherein the current logical or temporal relationship between the subset and the set of one or more network events defined by data displayed in the another row is a logical relationship.
  - 18. The graphical user interface of claim 17, wherein the logical relationship is a logical OR relationship or a logical AND relationship.
  - 19. The graphical user interface of claim 15, wherein the current logical or temporal relationship between the subset and the set of one or more network events defined by data displayed in the another row is a temporal relationship.
  - 20. The graphical user interface of claim 19, wherein the temporal relationship specifies, as a necessary condition of the security incident, that at least one network event belonging to said subset must be detected before any network event belonging to the set of one or more network events defined by data displayed in the other row is detected.
  - 21. The graphical user interface of claim 15, wherein at least one of the source network address constraint and the destination network address constraint is dependent on either a source network address constraint or a destination network address constraint specified by data displayed in another row of the table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bhattacharya, Partha, Lee, Imin T., Joseph, Aji, Stevens, Eli, Naramreddy, Diwakar
Primary Examiner(s)
Bashore, William
Assistant Examiner(s)
TRAN, MYLINH T

Application Number

US12/619,519
Publication Number

US 20100058165A1
Time in Patent Office

1,247 Days
Field of Search

715/734, 715/736, 715/733
US Class Current

715/734
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Method and system for displaying network security incidents

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for displaying network security incidents

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links