Generation of alerts in an event management system based upon risk

US 9,282,114 B1
Filed: 06/30/2011
Issued: 03/08/2016
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method for generating alerts by an event management device, comprising:

receiving, by the event management device, a request for access from a client device;

transmitting, by the event management device and in response to receiving the request, an authentication webpage to the client device, the authentication webpage including a beacon configured to execute on the client device when the webpage is displayed on the client device to retrieve a client device profile characteristic;

receiving, by the event management device, logon event information from an event device in response to a logon event associated between the event device and the client device, the logon event information including authentication input from the authentication webpage;

receiving, by the event management device, a risk assessment from a risk assessment device, the risk assessment based upon a web device profile characteristic associated with the logon event, the web device profile characteristic having been gathered by the beacon executing on the client device in the authentication webpage transmitted to the client device;

correlating, by the event management device, the logon event information and the risk assessment; and

in response to detecting the logon event as corresponding to an authentication attack, generating, by the event management device, an alert having an associated priority level based upon the risk assessment;

wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying click stream information associated with a web page accessed by the client device, andwherein the method further comprises;

receiving, by the event management device, in response to the request for access to an enterprise network access device from a client device, a first client geographical location based upon the web device profile characteristic associated with the logon event gathered by the beacon executing on the client device;

subsequently receiving, by the event management device, in response to a request for access to a website in the enterprise network, at least a second client geographical location based upon a second set of web device profile characteristics gathered by a second beacon executing on the device from which the request was received; and

in response to detecting a difference between the first and second geographical locations, generating, by the risk assessment device, a risk assessment based upon the difference.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments relate to the generation of alerts in an event management system based upon risk. When an event device associated with the event management system, presents a logon page to a client device, the event device includes a beacon as part of the page to monitor and collect web device profile characteristics related to the client device. In response to a logon attempt by the client device, an event management device receives a notification regarding logon attempt and a risk assessment associated with the web device profile characteristics of the client device. Based upon a correlation of the notification and the corresponding risk assessment, the event management device can generate an alert, such as a SIEM alert, and can include an indication of priority, whether relatively low or high, and/or a confidence factor, whether or not the alert can be suppressed as part of the alert.

87 Citations

View as Search Results

23 Claims

1. A method for generating alerts by an event management device, comprising:
- receiving, by the event management device, a request for access from a client device;
  
  transmitting, by the event management device and in response to receiving the request, an authentication webpage to the client device, the authentication webpage including a beacon configured to execute on the client device when the webpage is displayed on the client device to retrieve a client device profile characteristic;
  
  receiving, by the event management device, logon event information from an event device in response to a logon event associated between the event device and the client device, the logon event information including authentication input from the authentication webpage;
  
  receiving, by the event management device, a risk assessment from a risk assessment device, the risk assessment based upon a web device profile characteristic associated with the logon event, the web device profile characteristic having been gathered by the beacon executing on the client device in the authentication webpage transmitted to the client device;
  
  correlating, by the event management device, the logon event information and the risk assessment; and
  
  in response to detecting the logon event as corresponding to an authentication attack, generating, by the event management device, an alert having an associated priority level based upon the risk assessment;
  
  wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying click stream information associated with a web page accessed by the client device, andwherein the method further comprises;
  
  receiving, by the event management device, in response to the request for access to an enterprise network access device from a client device, a first client geographical location based upon the web device profile characteristic associated with the logon event gathered by the beacon executing on the client device;
  
  subsequently receiving, by the event management device, in response to a request for access to a website in the enterprise network, at least a second client geographical location based upon a second set of web device profile characteristics gathered by a second beacon executing on the device from which the request was received; and
  
  in response to detecting a difference between the first and second geographical locations, generating, by the risk assessment device, a risk assessment based upon the difference.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein generating the alert having the associated priority level comprises:
    - generating, by the event management device, an alert having a first priority level based upon correlating of the logon event information and the risk assessment when the risk assessment is indicative of a first risk level; and
      
      generating, by the event management device, an alert having a second priority level, the second priority level being lower than the first priority level, based upon correlating of the logon event information and the risk assessment when the risk assessment is indicative of a second risk level, the second risk level being lower than the first risk level.
  - 3. The method of claim 1, wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying a geographic location associated with the client device.
  - 4. The method of claim 1, wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying a change in geographic location of the client device between a first logon event associated with the client device and a second logon event associated with the client device.
  - 5. The method of claim 1, wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying a computer device asset associated with the client device.
  - 6. The method of claim 1, wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying compliance information associated with the client device.
  - 7. The method of claim 1, wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic retrieved by a beacon associated with a web page presented to the client device prior to the logon event.
  - 8. The method of claim 1, further comprising:
    - receiving, by the event management device, web device profile characteristic information from the risk assessment device in response to the logon event associated between the event device and the client device;
      
      comparing, by the event management device, the web device profile characteristic information to entries in an aggregate information database, the aggregate information database including an aggregate of web device profile characteristic information received over time; and
      
      in response to detecting a lack of correspondence between the web device profile characteristic information and the entries in the aggregate information database, generating, by the event management device, a report regarding the client device associated with the received web device profile characteristic information.
  - 9. The method of claim 8, wherein:
    - receiving web device profile characteristic information from the event device in response to the logon event associated between the event device and the client device comprises receiving, by the event management device, client device asset information from the risk assessment device in response to the logon event associated between the event device and the client device; and
      
      comparing the web device profile characteristic information to entries in the aggregate information database, comprises comparing, by the event management device, the client device asset information with entries in an aggregate asset information portion of the aggregate information database, the aggregate asset information collected over time.
  - 10. The method of claim 8, wherein:
    - receiving web device profile characteristic information from the event device in response to the logon event associated between the event device and the client device comprises receiving, by the event management device, client device compliance information from the risk assessment device in response to the logon event associated between the event device and the client device; and
      
      comparing the web device profile characteristic information to entries in the aggregate information database, comprises comparing, by the event management device, the client device compliance information with entries in an aggregate compliance information portion of the aggregate information database, the aggregate compliance information collected over time.
  - 11. The method of claim 1 wherein generating the alert having the associated priority level based upon the risk assessment includes:
    - providing, from the event management device to a security information and event management (SIEM) device, a SIEM alert which includes (i) a priority indicator identifying a level of priority within a predefined priority range, and (ii) a confidence factor indicating whether the SIEM device is permitted to suppress the SIEM alert, the SIEM alert operating as a notification of relative importance of the logon event to security risk of an enterprise network.
  - 12. The method of claim 11 wherein the SIEM alert is provided from the event management device to the SIEM device during a common window of time;
    - wherein the method further comprises providing, from the event management device to the SIEM device, other SIEM alerts which include respective priority indicators and confidence factors during the common window of time; and
      
      wherein the respective priority indicators of the other SIEM alerts and the priority indicator of the SIEM alert enable the SIEM device to prioritize, for the common window of time, the SIEM alert and the other SIEM alerts in accordance to relative importance to enable an administrator of the SIEM device to attend to potential enterprise network attacks in real time.
  - 13. The method of claim 1 wherein the web device profile characteristic having been gathered by the beacon executing on the client device includes at least one of geographical location, browser version, browser vulnerability, click stream values, client behavior, client device assets, and device compliance information.
  - 14. The method of claim 1, further comprising receiving first client device asset information, in response to the request for access to the enterprise network access device from the client device, and subsequently receiving second client device asset information, in response to the request for access to a website in the enterprise network from the client device, second set of web device profile characteristics gathered by a second beacon executing on the client device.
  - 15. The method of claim 14, further comprising:
    - generating, by the event management device, an alert having a first priority level based upon correlating of the logon event information and the risk assessment when the risk assessment is indicative of a first risk level;
      
      generating, by the event management device, an alert having a second priority level, the second priority level being lower than the first priority level, based upon correlating of the logon event information and the risk assessment when the risk assessment is indicative of a second risk level, the second risk level being lower than the first risk level;
      
      wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying a geographic location associated with the client device;
      
      wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying a change in geographic location of the client device between a first logon event associated with the client device and a second logon event associated with the client device;
      
      wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying a computer device asset associated with the client device;
      
      wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying compliance information associated with the client device; and
      
      wherein receiving the risk assessment from the risk assessment device comprises receiving, by the event management device, the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic retrieved by a beacon associated with a web page presented to the client device prior to the logon event.

16. An event management device, comprising:
- a communications interface;
  
  a controller disposed in electrical communication with the communications interface, the controller configured to;
  
  receive a request for access from a client device;
  
  transmit an authentication webpage to the client including a beacon to retrieve a client device profile characteristic;
  
  receive logon event information from an event device in response to a logon event associated between the event device and the client device, the logon event information including authentication input from the authentication webpage;
  
  receive a risk assessment from a risk assessment device, the risk assessment based upon a web device profile characteristic associated with the logon event, the web device profile characteristic having been gathered by the beacon executing on the client device in the authentication webpage transmitted to the client device;
  
  correlate the logon event information and the risk assessment; and
  
  in response to detecting the logon event as corresponding to an authentication attack, generate an alert having an associated priority level based upon the risk assessment;
  
  wherein when receiving the risk assessment from the risk assessment device the controller is configured to receive the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying click stream information associated with a web page accessed by the client device,wherein the controller is further configured to;
  
  receive, by the event management device, in response to the request for access to an enterprise network access device from a client device, a first client geographical location based upon the web device profile characteristic associated with the logon event gathered by the beacon executing on the client device;
  
  subsequently receive, by the event management device, in response to a request for access to a website in the enterprise network, at least a second client geographical location based upon a second set of web device profile characteristics gathered by a second beacon executing on the device from which the request was received; and
  
  in response to detecting a difference between the first and second geographical locations, generate, by the risk assessment device, a risk assessment based upon the difference.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The event management device of claim 16, wherein when generating the alert having the associated priority level, the controller is configured to:
    - generate an alert having a first priority level based upon correlation of the logon event information and the risk assessment when the risk assessment is indicative of a first risk level; and
      
      generate an alert having a second priority level, the second priority level being lower than the first priority level, based upon correlation of the logon event information and the risk assessment when the risk assessment is indicative of a second risk level, the second risk level being lower than the first risk level.
  - 18. The event management device of claim 16, wherein when receiving the risk assessment from the risk assessment device the controller is configured to receive the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying a geographic location associated with the client device.
  - 19. The event management device of claim 16, wherein when receiving the risk assessment from the risk assessment device the controller is configured to receive the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying a change in geographic location of the client device between a first logon event associated with the client device and a second logon event associated with the client device.
  - 20. The event management device of claim 16, wherein when receiving the risk assessment from the risk assessment device the controller is configured to receive the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic identifying a computer device asset associated with the client device.
  - 21. The event management device of claim 16, wherein when receiving the risk assessment from the risk assessment device the controller is configured to receive the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic configured as compliance information associated with the client device.
  - 22. The event management device of claim 16, wherein when receiving the risk assessment from the risk assessment device the controller is configured to receive the risk assessment based upon the web device profile characteristic associated with the logon event, the web device profile characteristic retrieved by a beacon associated with a web page presented to the client device prior to the logon event.

23. A computer program product having a non-transitory computer-readable medium including computer program logic encoded thereon that, when performed on a controller of an event management device causes the event management device to:
- receive a request for access from a client device;
  
  transmit, in response to receiving the request, an authentication webpage to the client device, the webpage including a beacon configured to execute on the client device when the webpage is displayed on the client device to retrieve a client device profile characteristic;
  
  receive logon event information in response to a logon event associated between the event device and the client device, the logon event information including authentication input from the authentication webpage;
  
  receive a risk assessment based upon a web device profile characteristic associated with the logon event, the web device profile characteristic having been gathered by the beacon executing on the client device in the authentication webpage transmitted to the client device;
  
  correlate the logon event information and the risk assessment; and
  
  in response to detecting the logon event as corresponding to an authentication attack, generate an alert having an associated priority level based upon the risk assessment;
  
  wherein receiving web device profile characteristic information from the event device in response to the logon event associated between the event device and the client device comprises receiving, by the event management device, click stream information from the risk assessment device in response to the logon event associated between the event device and the client device; and
  
  comparing the web device profile characteristic information to entries in the aggregate information database, comprises comparing, by the event management device, the client device click stream information with entries in a known click stream information portion of the aggregate information database,wherein the event management device is further caused to;
  
  receive, by the event management device, in response to the request for access to an enterprise network access device from a client device, a first client geographical location based upon the web device profile characteristic associated with the logon event gathered by the beacon executing on the client device;
  
  subsequently receive, by the event management device, in response to a request for access to a website in the enterprise network, at least a second client geographical location based upon a second set of web device profile characteristics gathered by a second beacon executing on the device from which the request was received; and
  
  in response to detecting a difference between the first and second geographical locations, generate, by the risk assessment device, a risk assessment based upon the difference.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Dotan, Yedidya, Friedman, Lawrence N., Zolfonoon, Riaz, Nair, Manoj
Primary Examiner(s)
Parsons, Theodore C

Application Number

US13/172,999
Time in Patent Office

1,713 Days
Field of Search

726/23, 726/25
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/107   wherein the security polici...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04W 12/67   Risk-dependent, e.g. select...

Generation of alerts in an event management system based upon risk

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Generation of alerts in an event management system based upon risk

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links