Method and system for displaying network security incidents
Abstract
A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules, and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information of the network sessions and security incidents to a user of the system in an intuitive form. The user is able not only to learn the details of a possible network attack, but also to create new security event correlation rules intuitively, including drop rules for dropping a particular type of event.
95 Citations
21 Claims
1. A method comprising:
- causing display of a table comprising rows of data arranged in columns;
wherein data displayed in the table defines a set of network events that constitute a security incident;
wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
wherein data displayed in the at least one row specifies a current logical or temporal relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
wherein the table is editable by a user to specify a new current logical or temporal relationship between the subset of one or more network events of said set of network events displayed in one row of the at least one row in the table and a set of one or more network events defined by data displayed in another row in the table;
wherein the method is performed by one or more computing devices.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A computer memory storing instructions which, when executed by one or more processors, cause the one or more processors to perform:
- causing display of a table comprising rows of data arranged in columns;
wherein data displayed in the table defines a set of network events that constitute a security incident;
wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
wherein data displayed in the at least one row specifies a current logical or temporal relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
wherein the table is editable by a user to specify a new current logical or temporal relationship between the subset of one or more network events of said set of network events displayed in one row of the at least one row in the table and a set of one or more network events defined by data displayed in another row in the table.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A graphical user interface on a display, comprising:
- a table comprising rows of data arranged in columns;
wherein data displayed in the table defines a set of network events that constitute a security incident;
wherein data displayed in at least one row of the rows defines a subset of one or more network events of said set of network events;
wherein data displayed in the at least one row specifies a plurality of network event constraints that define the subset;
wherein the plurality of network event constraints comprises a source network address constraint, a destination network address constraint, and a network event type constraint;
wherein the table is editable by a user to specify one or more network event constraints of said plurality of network event constraints;
wherein data displayed in the at least one row specifies a current logical or temporal relationship between the subset and a set of one or more network events defined by data displayed in another row in the table;
wherein the table is editable by a user to specify a new current logical or temporal relationship between the subset of one or more network events of said set of network events displayed in one row of the at least one row in the table and a set of one or more network events defined by data displayed in another row in the table.
Dependent claims: 16, 17, 18, 19, 20, 21
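The abstract describes events being grouped into sessions, correlated against rules and reduced to incidents, with drop rules discarding a whole event type; the claims describe the rule table itself, where each row carries a source, destination and event-type constraint plus a logical or temporal relationship to another row, and the user may edit any of these. The Python below is an added illustration of that evaluation model written for this page; it is not the patent's or any product's code. The event schema, the session key (source, destination), the relationship vocabulary ("and" and "within" N seconds), the CIDR form of the address constraints and all sample events are assumptions constructed for the example.

```python
"""Toy incident-table correlator: an added illustration of the evaluation
model described in the abstract and claims, not the patent's own code.
Event fields, the relationship vocabulary and all sample data are assumed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Event:
    """One network event as the monitor collected it (constructed schema)."""
    ts: float   # seconds since epoch
    src: str    # source address
    dst: str    # destination address
    kind: str   # event type, e.g. "port_scan"

@dataclass
class Row:
    """One editable row of the incident table: three constraints and an
    optional relationship ("and" or "within" N seconds) to an earlier row."""
    src: str                        # CIDR or "*" (any)
    dst: str                        # CIDR or "*" (any)
    kind: str                       # exact event type or "*" (any)
    relation: Optional[str] = None  # None, "and" or "within"
    ref: Optional[int] = None       # index of the row the relation refers to
    window: float = 0.0             # seconds, used only by "within"

def addr_ok(constraint: str, addr: str) -> bool:
    """True when the address is unconstrained or inside the CIDR constraint."""
    return constraint == "*" or ip_address(addr) in ip_network(constraint, strict=False)

def row_matches(row: Row, ev: Event) -> bool:
    """Does an event satisfy the row's source, destination and type constraints?"""
    return (addr_ok(row.src, ev.src) and addr_ok(row.dst, ev.dst)
            and row.kind in ("*", ev.kind))

def apply_drop_rules(events, drop_rules):
    """Discard events matching any drop row before correlation runs."""
    return [e for e in events if not any(row_matches(r, e) for r in drop_rules)]

def group_sessions(events):
    """Group events by (src, dst); the session is the abstract's unit of correlation."""
    sessions = {}
    for e in events:
        sessions.setdefault((e.src, e.dst), []).append(e)
    return sessions

def correlate(table, events):
    """Evaluate the table over the events. Returns {row index: matching events}
    when every row is satisfied (an incident), else None. A relationship must
    refer to an earlier row, so one top-down pass is enough."""
    subsets = [[e for e in events if row_matches(r, e)] for r in table]
    for i, row in enumerate(table):
        if row.relation is None:
            continue
        if row.ref is None or row.ref >= i:
            raise ValueError(f"row {i}: relation must reference an earlier row")
        anchors = subsets[row.ref]
        if row.relation == "within":
            # temporal relationship: keep only events that occur 0..window
            # seconds after some event of the referenced row
            subsets[i] = [e for e in subsets[i]
                          if any(0.0 <= e.ts - a.ts <= row.window for a in anchors)]
        elif row.relation == "and":
            # logical relationship: this row counts only if the referenced row matched
            if not anchors:
                subsets[i] = []
        else:
            raise ValueError(f"row {i}: unknown relation {row.relation!r}")
    return {i: s for i, s in enumerate(subsets)} if all(subsets) else None

def edit_row(table, idx, **changes):
    """Model the user editing a constraint or relationship of one displayed row."""
    new = list(table)
    new[idx] = replace(table[idx], **changes)
    return new

# Constructed sample data: a scan followed by an exploit attempt from the same
# host, an unrelated exploit attempt, and ICMP noise that a drop rule removes.
EVENTS = [
    Event(100.0, "10.0.0.5", "192.168.1.10", "port_scan"),
    Event(103.0, "10.0.0.5", "192.168.1.10", "exploit_attempt"),
    Event(250.0, "10.0.0.7", "192.168.1.20", "exploit_attempt"),
    Event(300.0, "10.0.0.5", "192.168.1.10", "icmp_echo"),
]
TABLE = [
    Row("10.0.0.0/8", "192.168.1.0/24", "port_scan"),
    Row("10.0.0.0/8", "192.168.1.0/24", "exploit_attempt",
        relation="within", ref=0, window=30.0),
]
DROP_RULES = [Row("*", "*", "icmp_echo")]

if __name__ == "__main__":
    kept = apply_drop_rules(EVENTS, DROP_RULES)
    print("sessions:", sorted(group_sessions(kept)))
    print("incident:", correlate(TABLE, kept))
    # widening the temporal window of row 1 pulls the later exploit attempt in
    print("after edit:", correlate(edit_row(TABLE, 1, window=200.0), kept))
```

With the 30-second window only the exploit attempt three seconds after the scan lands in row 1; editing the window to 200 seconds also admits the attempt at 250 seconds, which is the kind of change the claims describe the user making directly in the table. Rows are evaluated top-down, so a relationship may only point at an earlier row; a production correlator would also need to bound how long sessions are retained, which this toy omits.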
Specification