Scoring and interpreting change data through inference by correlating with change catalogs

US 8,996,684 B2
Filed: 12/08/2009
Issued: 03/31/2015
Est. Priority Date: 12/08/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a monitor server, change data associated with a plurality of changes captured on a target host, the target host providing the change data in response to detecting the plurality of changes, wherein the change data includes at least one rule change detected on the target host;

determining, by the monitor server, whether the at least one rule change is in compliance with one or more compliance policies, thereby generating test results;

analyzing, by the monitor server, the test results in order to group the change data into clusters; and

correlating, by the monitor server, the clusters with at least one change catalog that includes a plurality of expected rule violations in order to classify the clusters with at least one potential reason for the plurality of changes.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and articles for receiving, by a monitor server, change data associated with a change captured on a target host, are described herein. In various embodiments, the target host may have provided the change data in response to detecting the change, and the change data may include one or more rules, settings, and/or parameters. Further, in some embodiments, the monitor server may then group the change data into clusters and may correlate the clusters with a change catalog in order to provide a possible reason or cause for the cluster of changes. Once the change data have been classified as clusters, a report may be generated providing classification or categorization and cluster information for the various changes. In various embodiments, the generating may comprise generating a report to the target host and/or to an administrative user.

Citations

25 Claims

1. A method comprising:
- receiving, by a monitor server, change data associated with a plurality of changes captured on a target host, the target host providing the change data in response to detecting the plurality of changes, wherein the change data includes at least one rule change detected on the target host;
  
  determining, by the monitor server, whether the at least one rule change is in compliance with one or more compliance policies, thereby generating test results;
  
  analyzing, by the monitor server, the test results in order to group the change data into clusters; and
  
  correlating, by the monitor server, the clusters with at least one change catalog that includes a plurality of expected rule violations in order to classify the clusters with at least one potential reason for the plurality of changes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 20, 21)
- - 2. The method of claim 1, further comprising generating a report to the target host, an administrative user, or the target host and an administrative user, wherein the report relates to the correlation of the clusters.
  - 3. The method of claim 1, further comprising:
    - determining, by the monitor server, whether one or more rules, settings, or parameters violate least one of the compliance policies; and
      
      generating, by the monitor server, one or more test results based at least on the results of the determining.
  - 4. The method of claim 3, wherein each of the compliance policies includes one or more of a rule, a change name, one or more waivers from the policy, and an expression for evaluating element data of the change.
  - 5. The method of claim 3, further comprising filtering, by the monitor server, the received change data and conditionally performing the determining based on a result of the filtering.
  - 6. The method of claim 3, wherein the determining comprises evaluating an expression of at least one of the compliance policies against element data specified in the change data.
  - 7. The method of claim 3, further comprising:
    - analyzing, by the monitor server, the one or more test results in order to group the one or more test results into test result clusters; and
      
      correlating, by the monitor server, the test result clusters with the at least one change catalog in order to classify the test result clusters relating to at least one potential reason for the plurality of changes in order to categorize at least some of the test result clusters.
  - 8. The method of claim 7, further comprising generating a report to the target host or an administrative user, wherein the report relates to the correlation of the test result clusters.
  - 20. The method of claim 1, wherein the change catalog identifies expected changes that occur during an event, and wherein the method further comprises generating a report indicating that the change data corresponds to expected changes that occur during the event.
  - 21. The method of claim 20, wherein the event is a new software application being loaded onto the target host.

9. A monitor server comprising:
- a processor;
  
  a change database for storing change data associated with a plurality of changes captured on a target host, the target host providing the change data in response to detecting the plurality of changes, wherein the change data includes an identifier of a rule or a collection policy responsible for the captured change; and
  
  logic communicatively coupled to the change database and configured to be operated by the processor to;
  
  receive the change data;
  
  store the change data in the change database;
  
  analyze the change data in order to group the change data into clusters, wherein the plurality of changes is grouped with a respective cluster of the clusters; and
  
  correlate the clusters with one or more expected rule violations or collection policy changes stored in the at least one change catalog in order to classify the clusters with at least one potential reason for the plurality of changes.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 22, 23)
- - 10. The monitor server of claim 9, wherein the at least one change catalog is located within the change database.
  - 11. The monitor server of claim 9, wherein the logic is further configured to be operated by the processor to:
    - generate a report to the target host or an administrative user, wherein the report relates to the correlation of the clusters.
  - 12. The monitor server of claim 9, wherein the logic is further configured to be operated by the processor to:
    - determine whether the rule or agent collection policy violates one or more compliance policies; and
      
      generate one or more test results based at least on the results of the determining.
  - 13. The monitor server of claim 12, wherein the compliance policies ensure that the target host is in compliance with one or more standards.
  - 14. The monitor server of claim 12, wherein the logic is further configured to be operated by the processor to:
    - filter the received change data and conditionally perform the determining based on a result of the filtering.
  - 15. The monitor server of claim 12, wherein the logic is further configured to be operated by the processor to:
    - evaluate an expression of at least one of the compliance policies against element data specified in the change data.
  - 16. The monitor server of claim 12, wherein the logic is further configured to be operated by the processor to:
    - analyze the one or more test results in order to group the one or more test results into test result clusters; and
      
      correlate the test result clusters with at least one change catalog in order to classify the test result clusters relating to at least one potential reason for the plurality of changes in order to categorize at least some of the test result clusters.
  - 17. The monitor server of claim 16, wherein the logic is further configured to be operated by the processor to:
    - generate a report to the target host, an administrative user, or the target host and an administrative user, wherein the report relates to the correlation of the test result clusters.
  - 22. The monitor server of claim 9, wherein the change catalog identifies expected changes that occur during an event, and wherein the method further comprises generating a report indicating that the change data corresponds to expected changes that occur during the event.
  - 23. The monitor server of claim 22, wherein the event is a new software application being loaded onto the target host.

18. An article of manufacture comprising:
- a non-transitory storage medium; and
  
  a plurality of programming instructions stored on the storage medium and configured to program a monitor server to;
  
  receive change data associated with a plurality of changes captured on a target host, the target host providing the change data in response to detecting the plurality of changes, wherein the change data includes an identification of the rule or collection policy responsible for the capturing of the change data, and wherein the change data includes element data of an element of the target host for which at least one of the plurality of changes are detected;
  
  filter the received change data to conditionally determine whether element data meets one or more compliance policies, the determining comprising evaluating an expression of at least one of the compliance policies against at least a portion of the element data;
  
  analyze the filtered change data in order to group the change data into clusters; and
  
  correlate the clusters with at least one change catalog in order to classify the clusters with at least one potential reason for the plurality of changes.
- View Dependent Claims (19, 24, 25)
- - 19. The article of claim 18, wherein the plurality of programming instructions are configured to generate a report based at least on the results of the correlating by the monitor server.
  - 24. The article of claim 18, wherein the change catalog identifies expected changes that occur during an event, and wherein the method further comprises generating a report indicating that the change data corresponds to expected changes that occur during the event.
  - 25. The article of claim 24, wherein the event is a new software application being loaded onto the target host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Good, Tom, Kim, Gene, Whitlock, David
Primary Examiner(s)
Feild, Lynn
Assistant Examiner(s)
Emdadi, Keyvan

Application Number

US12/633,743
Publication Number

US 20110138039A1
Time in Patent Office

1,939 Days
Field of Search

709/224
US Class Current

709/224
CPC Class Codes

G06F 16/2358 Change logging, detection, ...

G06F 16/24573 using data annotations, e.g...

Scoring and interpreting change data through inference by correlating with change catalogs

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Scoring and interpreting change data through inference by correlating with change catalogs

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links