Intrusion threat detection
First Claim
1. A method of monitoring for security information about an access system, comprising the steps of:
- detecting an access system event in said access system wherein:
  - the access system event is associated with a user having an identity profile maintained at said access system, said identity profile includes a plurality of attributes having attribute values; and
  - the access system event is associated with one or more event types;
- storing the access system event as an audit log entry in an audit log in a plurality of audit logs, wherein the audit log is associated with at least one of the one or more event types associated with the access system event;
- monitoring the audit log with an audit log sensor for events associated with at least one of the one or more event types associated with the access system event;
- accessing instructions for an event type associated with said access system event, wherein said instructions specify that a value of one or more attributes of said plurality of attributes in said identity profile is to be added to said audit log entry;
- accessing said identity profile for said user in response to said instructions;
- adding said value of one or more attributes of said plurality of attributes in said identity profile of said user to said audit log entry in accordance with said instructions; and
- storing said audit log entry including said one or more attribute values in an application server; and
- sending a set of log entries including the audit log entry to a security server.
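The pipeline of claim 1, written out as an added example (this is not code from the patent or from any product based on it). The event types, the attribute names in the per-event-type instructions, the two identity profiles and the sample events are all constructed for the illustration; the audit-log sensor, the application-server store and the security server are plain in-memory stand-ins.

```python
# Added example: an audit-log sensor with identity-profile enrichment, modelled
# on claim 1. Not code from the patent; event types, attribute names, profiles
# and sample events are constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed identity store: user -> identity profile. It deliberately holds a
# credential hash, which must never be copied into a forwarded log.
IDENTITY_PROFILES: Dict[str, Dict[str, str]] = {
    "alice": {"department": "finance", "role": "analyst",
              "email": "alice@example.test", "password_hash": "bcrypt-hash-placeholder"},
    "bob":   {"department": "it", "role": "admin",
              "email": "bob@example.test", "password_hash": "bcrypt-hash-placeholder"},
}

# The "instructions" of claim 1: for each event type, which profile attributes
# the sensor may add to the audit entry. They work as an allow-list, so nothing
# outside them (such as password_hash) reaches the security server.
ENRICHMENT_INSTRUCTIONS: Dict[str, List[str]] = {
    "auth_failure": ["department", "email"],
    "authz_denied": ["department", "role"],
}


@dataclass
class AccessEvent:
    user: str
    event_types: List[str]
    resource: str
    detail: str


@dataclass
class AuditLogs:
    """One audit log per event type (the claim's 'plurality of audit logs')."""
    logs: Dict[str, List[dict]] = field(default_factory=dict)

    def store(self, event: AccessEvent) -> None:
        # An event carrying several types is written to each matching log.
        for event_type in event.event_types:
            entry = {"user": event.user, "event_type": event_type,
                     "resource": event.resource, "detail": event.detail}
            self.logs.setdefault(event_type, []).append(entry)


class AuditLogSensor:
    """Watches selected audit logs, enriches entries from the identity profile
    per the instructions, and keeps the enriched copies in an application-server
    store until they are forwarded."""

    def __init__(self, watched_types, instructions, profiles):
        self.watched_types = list(watched_types)
        self.instructions = instructions
        self.profiles = profiles
        self.app_server_store: List[dict] = []

    def enrich(self, entry: dict) -> dict:
        profile = self.profiles.get(entry["user"], {})   # unknown user -> no attrs
        wanted = self.instructions.get(entry["event_type"], [])
        attrs = {name: profile[name] for name in wanted if name in profile}
        return {**entry, "identity_attributes": attrs}

    def scan(self, audit_logs: AuditLogs) -> List[dict]:
        enriched = []
        for event_type in self.watched_types:
            for entry in audit_logs.logs.get(event_type, []):
                enriched.append(self.enrich(entry))
        self.app_server_store.extend(enriched)
        return enriched


class SecurityServer:
    """Stand-in for the security server that receives the forwarded batch."""
    def __init__(self) -> None:
        self.received: List[dict] = []

    def receive(self, batch: List[dict]) -> int:
        self.received.extend(batch)
        return len(batch)


# Constructed sample events; carol has no identity profile at all.
SAMPLE_EVENTS = [
    AccessEvent("alice", ["auth_failure"], "/finance/report", "bad password"),
    AccessEvent("bob", ["authz_denied", "auth_success"], "/finance/admin", "rule denied"),
    AccessEvent("carol", ["auth_failure"], "/public/index", "unknown user"),
    AccessEvent("alice", ["auth_success"], "/finance/report", "ok"),
]


def run_pipeline(events, watched_types=("auth_failure", "authz_denied")) -> List[dict]:
    """Store events, run the sensor, forward the batch; return what the
    security server holds afterwards."""
    logs = AuditLogs()
    for event in events:
        logs.store(event)
    sensor = AuditLogSensor(watched_types, ENRICHMENT_INSTRUCTIONS, IDENTITY_PROFILES)
    server = SecurityServer()
    server.receive(sensor.scan(logs))
    return server.received


if __name__ == "__main__":
    for entry in run_pipeline(SAMPLE_EVENTS):
        print(entry)
```

The point to take from the instructions table is that it is an allow-list per event type: the sensor copies only the named attributes, so a profile field such as a credential hash never lands in the application-server store or on the security server, and an entry for a user with no profile simply carries an empty attribute set rather than failing the batch.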
5 Assignments
0 Petitions
Abstract
A system is disclosed that can be used to monitor for an attempted intrusion of an access system. The system detects an access system event in the access system and determines whether the access system event is of a type that is being monitored. If the access system event is of a type that is being monitored, the system reports information about the access system event. This information can be used by a rules engine or other process to determine if the access system event was part of an attempted intrusion of the access system.
142 Citations
43 Claims
1. Claim 1 is set out in full under First Claim above. Dependent claims: 2 to 20.
21. A method of security monitoring, comprising the steps of:
- detecting an access system event in an access system, said access system includes an access management system and an identity management system, said identity management system includes identity profiles for a plurality of users, said identity profiles include attributes and at least a subset of said attributes include attribute values, wherein at least one of said attribute values in an identity profile for a first user is used to determine whether said first user is permitted to access a resource associated with said access system, wherein the access system event is associated with one or more event types;
- storing the access system event as an audit log entry in an audit log in a plurality of audit logs, wherein the audit log is associated with at least one of the one or more event types associated with the access system event;
- monitoring the audit log with an audit log sensor for events associated with at least one of the one or more event types associated with the access system event;
- storing said audit log entry including said one or more attribute values in an application server; and
- sending a set of log entries including the audit log entry to a security server.
Dependent claims: 22 to 26.
27. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- receiving a request from a user for a resource;
- determining that said resource is protected by one or more access rules of an access system;
- determining whether said user is permitted to access said resource using said one or more access rules and an identity profile for said user maintained at said access system;
- logging an indication of whether said user is permitted to access said resource based on said one or more access rules and said identity profile;
- monitoring said logging to detect that an access system event has occurred, wherein the access system event is associated with one or more event types;
- storing the access system event as an audit log entry in an audit log in a plurality of audit logs, wherein the audit log is associated with at least one of the one or more event types associated with the access system event;
- monitoring the audit log with an audit log sensor for events associated with at least one of the one or more event types associated with the access system event;
- storing said audit log entry including said one or more attribute values in an application server; and
- sending a set of log entries including the audit log entry to a security server.
Dependent claims: 28 to 35.
36. An access system, comprising:
- a communication interface;
- one or more storage devices; and
- one or more processors in communication with said one or more storage devices and said communication interface, said one or more processors programmed to perform a method comprising the steps of:
  - receiving a request from a user for a resource;
  - determining a policy domain of said resource, said policy domain includes a set of one or more policies;
  - determining whether said resource is associated with a policy in said set of one or more policies;
  - if said resource is associated with a policy in said set of one or more policies, determining whether said user is permitted to access said resource using an access rule associated with said policy with which said resource is associated;
  - if said resource is not associated with a policy in said set of one or more policies, determining whether said user is permitted to access said resource using an access rule that is associated with said policy domain but not a policy in said set of one or more policies;
  - logging an indication of whether said user is permitted to access said resource based on said access rule associated with said policy of which said resource is associated or said access rule that is associated with said policy domain but not a policy of said set of one or more policies;
  - monitoring said logging to detect that an access system event has occurred, wherein the access system event is associated with one or more event types;
  - storing the access system event as an audit log entry in an audit log in a plurality of audit logs, wherein the audit log is associated with at least one of the one or more event types associated with the access system event;
  - monitoring the audit log with an audit log sensor for events associated with at least one of the one or more event types associated with the access system event;
  - storing said audit log entry including said one or more attribute values in an application server; and
  - sending a set of log entries including the audit log entry to a security server.
Dependent claims: 37 to 43.
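The policy-domain decision of claim 36, together with the logging and monitoring steps it shares with claim 27, as an added example (not code from the patent or any product). The domains, the glob-matched policies, the access rules written as predicates over identity-profile attributes, the user profiles and the sample requests are all constructed here; treating a resource that falls outside every domain as denied is this example's own fail-closed choice, not something the claim specifies.

```python
# Added example: policy-domain access decision (claim 36) with the decision
# logging and log monitoring steps of claims 27 and 36. Not the patent's code;
# domains, policies, rules, profiles and requests are constructed here.
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Profile = Dict[str, str]
AccessRule = Callable[[Profile], bool]   # decides from identity-profile attributes


@dataclass
class Policy:
    resource_pattern: str   # glob matched against the resource path
    rule: AccessRule


@dataclass
class PolicyDomain:
    prefix: str               # resources under this prefix belong to the domain
    default_rule: AccessRule  # applies when no policy in the domain matches
    policies: List[Policy] = field(default_factory=list)


@dataclass
class AccessSystem:
    domains: List[PolicyDomain]
    profiles: Dict[str, Profile]
    log: List[dict] = field(default_factory=list)   # the decision log

    def find_domain(self, resource: str) -> Optional[PolicyDomain]:
        matches = [d for d in self.domains if resource.startswith(d.prefix)]
        # Longest prefix wins so a nested domain overrides its parent.
        return max(matches, key=lambda d: len(d.prefix)) if matches else None

    def is_permitted(self, user: str, resource: str) -> bool:
        profile = self.profiles.get(user, {})
        domain = self.find_domain(resource)
        if domain is None:
            # Example's own choice: a resource outside every domain fails closed.
            permitted, source = False, "no-domain"
        else:
            policy = next((p for p in domain.policies
                           if fnmatch.fnmatch(resource, p.resource_pattern)), None)
            if policy is not None:
                permitted, source = policy.rule(profile), "policy:" + policy.resource_pattern
            else:
                permitted, source = domain.default_rule(profile), "domain-default:" + domain.prefix
        # Logging step: record the decision and which rule produced it.
        self.log.append({"user": user, "resource": resource,
                         "permitted": permitted, "rule_source": source})
        return permitted


def monitor_log(log: List[dict]) -> List[dict]:
    """Monitoring step: each denial becomes an access system event of type
    authz_denied, ready to be stored in the audit log for that type."""
    return [{**entry, "event_types": ["authz_denied"]}
            for entry in log if not entry["permitted"]]


# Constructed configuration and profiles.
FINANCE = PolicyDomain(
    prefix="/finance/",
    default_rule=lambda p: p.get("department") == "finance",
    policies=[Policy("/finance/admin/*", lambda p: p.get("role") == "admin")],
)
PUBLIC = PolicyDomain(prefix="/public/", default_rule=lambda p: True)
PROFILES = {
    "alice": {"department": "finance", "role": "analyst"},
    "bob": {"department": "it", "role": "admin"},
}


def build_system() -> AccessSystem:
    return AccessSystem(domains=[FINANCE, PUBLIC], profiles=PROFILES)


def run_requests(system: AccessSystem) -> List[dict]:
    """Drive constructed requests through the system; return the events the
    monitor raises from the decision log."""
    requests = [
        ("alice", "/finance/report"),             # domain default: finance -> allow
        ("alice", "/finance/admin/close-books"),  # policy: needs admin -> deny
        ("bob", "/finance/admin/close-books"),    # policy: admin -> allow
        ("bob", "/finance/report"),               # domain default: not finance -> deny
        ("carol", "/public/index"),               # public default -> allow
        ("alice", "/hr/payroll"),                 # no domain -> deny (fail closed)
    ]
    for user, resource in requests:
        system.is_permitted(user, resource)
    return monitor_log(system.log)


if __name__ == "__main__":
    for event in run_requests(build_system()):
        print(event)
```

Recording `rule_source` alongside the allow/deny bit is what makes the log useful downstream: an analyst reading the forwarded entries can tell a denial produced by a specific policy from one produced by the domain default, or from a request for a resource no domain covers, which is the difference between a misconfigured policy and someone probing paths that should not exist.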
Specification