Security event management apparatus, systems, and methods

US 8,595,837 B2
Filed: 08/29/2011
Issued: 11/26/2013
Est. Priority Date: 08/29/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

an interface to receive multiple security event data streams from a plurality of hardware processing nodes, the multiple security event data streams comprising multiple security events;

a hierarchical classifier module coupled to a memory to store classification algorithms to operate on the multiple security events to provide a tree of domain-specific, categorized data streams according to arbitrary categories that are created using at least one of external knowledge or inbuilt intelligence, the arbitrary categories being dimensions;

andat least one processor to generate a hierarchy of statistical data streams from the dimensions, the statistical data streams being linked to a plurality of paths within the tree, the paths corresponding to different levels of classification.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus, systems, and methods may operate to receive multiple security event data streams from a plurality of hardware processing nodes, the multiple security event data streams comprising multiple security events. Additional operations may include extracting multiple security events from multiple security event data streams, and classifying the extracted multiple security events to form domain-specific, categorized data streams. A hierarchy of statistical data streams may then be generated from the domain-specific, categorized data streams. Additional apparatus, systems, and methods are disclosed.

20 Citations

View as Search Results

17 Claims

1. A system, comprising:
- an interface to receive multiple security event data streams from a plurality of hardware processing nodes, the multiple security event data streams comprising multiple security events;
  
  a hierarchical classifier module coupled to a memory to store classification algorithms to operate on the multiple security events to provide a tree of domain-specific, categorized data streams according to arbitrary categories that are created using at least one of external knowledge or inbuilt intelligence, the arbitrary categories being dimensions;
  
  andat least one processor to generate a hierarchy of statistical data streams from the dimensions, the statistical data streams being linked to a plurality of paths within the tree, the paths corresponding to different levels of classification.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, further comprising:
    - a graphical user interface (GUI) executed by a client node to receive the statistical data streams.
  - 3. The system of claim 1, wherein the hardware processing nodes comprise at least one of server nodes, client nodes, or storage nodes.
  - 4. The system of claim 1, wherein the at least one processor is housed together with at least one of the hardware processing nodes.
  - 5. The system of claim 1, wherein the hierarchical classifier module further comprises:
    - a contextual asset classifier having an output coupled to an input of an activity classifier.

6. A processor-implemented method to execute on one or more processors that perform the method, comprising:
- receiving multiple security event data streams from a plurality of hardware processing nodes, the multiple security event data streams comprising multiple security events;
  
  classifying the multiple security events to form a tree of domain-specific, categorized data streams according to arbitrary categories that are created using at least one of external knowledge or inbuilt intelligence, the arbitrary categories being dimensions; and
  
  generating a hierarchy of statistical data streams from the dimensions, including linking the statistical data streams to a plurality of paths within the tree, the paths corresponding to different levels of classification.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6, wherein the receiving further comprises:
    - receiving at least one of the security event data streams in response to accessing a log file stored on one of the hardware processing nodes.
  - 8. The method of claim 6, wherein the classifying further comprises:
    - classifying the multiple security events according to vulnerability categories associate with sources of the security event data streams.
  - 9. The method of claim 6, wherein the classifying further comprises:
    - classifying the multiple security events using a sequential hierarchy of classifier functions, wherein output from a first level of the classifier functions in the hierarchy provides input to a second level of the classifier functions in the hierarchy.
  - 10. The method of claim 6, further comprising:
    - receiving some of the multiple security event data streams while generating the hierarchy of the statistical data streams as part of a continuous reception and generation process.
  - 11. The method of claim 6, wherein the statistical data streams comprise multiple dimensions.

12. A processor-implemented method to execute on one or more processors that perform the method, comprising:
- extracting multiple security events from multiple security event data streams;
  
  classifying the extracted multiple security events to form a tree of domain-specific, categorized data streams according to arbitrary categories that are created using at least one of external knowledge or inbuilt intelligence, the arbitrary categories being dimensions; and
  
  generating a hierarchy of statistical data streams from the dimensions, including linking the statistical data streams to a plurality of paths within the tree, the paths corresponding to different levels of classification.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, further comprising:
    - transmitting at least some of the statistical data streams to a network interface in a client node coupled to a display.
  - 14. The method of claim 12, wherein using external knowledge the comprises:
    - accessing a database stored on a non-transitory storage medium; and
      
      receiving information as external knowledge from the database to provide context-aware classification of the extracted multiple security events.
  - 15. The method of claim 12, wherein the classifying uses a combination of classifier functions comprising a tree of multilevel, hierarchical classifiers.
  - 16. The method of claim 12, wherein the generating comprises:
    - generating the statistical data streams to include at least one of a volume-based stream or a frequency-based stream.
  - 17. The method of claim 12, wherein at least one of the extracting, the classifying, or the generating are accomplished using input/output aggregation pipelines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Antony, John Melvin, Apostolescu, Paul, Srinivasan, Pattabiraman, Adusumilli, Prathap
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/220,377
Publication Number

US 20130055385A1
Time in Patent Office

820 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/577 Assessing vulnerabilities a...

Security event management apparatus, systems, and methods

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Security event management apparatus, systems, and methods

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others