Mechanism to augment IPS/SIEM evidence information with process history snapshot and application window capture history
First Claim
1. A computer system to augment a plurality of intrusion prevention software (IPS) or Security Information and Event Management software (SIEM) evidence information, the computer system comprising:
- one or more processors, one or more memories, and program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors coupled to memory to execute to perform;
monitoring a plurality of processes associated with a computer system, wherein a length of time associated with the monitoring is determined according to an assigned weight associated with each process within the monitored plurality of processes, and wherein the assigned weight is pre-calculated and maintained in a table corresponding to a plurality of tracked processes;
detecting, by an intrusion prevention software (IPS) or a Security Information and Event Management software (SIEM), a plurality of processes within the monitored plurality of processes that have network activity;
in response to receiving an online notification of the detection of a plurality of processes within the monitored plurality of processes that have network activity by the IPS or SIEM, identifying the detected plurality of processes that have network activity;
capturing the identified plurality of processes that have network activity, wherein the capturing comprises routinely taking a system snapshot of the identified plurality of system processes, and collecting a plurality of sequenced screen capture images associated with the identified plurality of system processes to create a first video;
storing the identified captured plurality of processes that have network activity, wherein the storing the identified captured plurality of processes that have network activity comprises storing the captured plurality of system snapshots in a first cache, and wherein the captured plurality of system snapshots stored in the first cache are indexed by a time associated with when each snapshot within the plurality of system snapshots was taken;
monitoring a plurality of selected programs associated with an operating system of the computer system;
detecting, by the IPS or the SIEM, a plurality of selected programs within the monitored plurality of selected programs that have network activity;
in response to receiving an online notification of the detection of a plurality of selected programs within the monitored plurality of selected programs that have network activity by the IPS or SIEM, identifying the detected plurality of selected programs that have network activity;
capturing a plurality of screen capture images associated with the identified plurality of selected programs, wherein the capturing comprises collecting a plurality of sequenced screen capture images of processes associated with the identified plurality of selected programs to create a second video;
storing the captured plurality of system process activity, wherein the storing the captured plurality of system process activity comprises storing the captured plurality of screen capture images in a second cache, and wherein the captured plurality of screen capture images stored in the second cache are indexed according to a process ID;
in response to a request by the IPS or the SIEM, querying the first cache and the second cache, wherein the querying is based on a detected network attack;
retrieving the stored first video and the stored second video, wherein the retrieved stored first video and the retrieved stored second video contain a plurality of network activity captured immediately prior to the detected network attack;
attaching the retrieved first video and the retrieved second video together with a network packet capture dump and a plurality of IPS and SIEM events into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and
sending an electronic notification of the single BLOB to a management console associated with the computer system.
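The pipeline the claim describes (a weight-scaled monitoring window per process, a first cache of system snapshots indexed by capture time, a second cache of screen-capture frames indexed by process ID, a query over the interval immediately before the detected attack, and one BLOB bundling both histories with the packet capture and the IPS/SIEM events for the management console) as an added, runnable sketch. This is example code written for this page, not the patent's implementation: the weight table, the snapshot and frame records, the pcap bytes and the events are constructed inline, and the zip-archive BLOB layout, the 30-second base window, the "unknown process gets weight 1.0" rule and the hash-based console notification are assumptions of the example.

```python
"""Toy evidence-augmentation pipeline in the shape of the claim above.
Added example, not the patent's code: all inputs below are constructed."""
import hashlib
import io
import json
import struct
import zipfile
from bisect import bisect_left, bisect_right
from collections import defaultdict

BASE_WINDOW_S = 30                                          # assumed base history length
WEIGHT_TABLE = {"sshd": 4.0, "powershell.exe": 3.0, "browser": 1.0}  # assumed pre-calculated weights


def monitoring_window(proc_name, table=WEIGHT_TABLE, base=BASE_WINDOW_S):
    """Seconds of history retained for a process: the base length scaled by the
    process's pre-calculated weight; unknown processes get weight 1.0 (assumption)."""
    return int(base * table.get(proc_name, 1.0))


class TimeIndexedCache:
    """First cache: periodic system snapshots, indexed by the time they were taken."""
    def __init__(self):
        self._ts, self._items = [], []

    def put(self, ts, snapshot):
        i = bisect_right(self._ts, ts)           # keep timestamps sorted on insert
        self._ts.insert(i, ts)
        self._items.insert(i, snapshot)

    def window(self, start, end):
        """All snapshots with start <= ts <= end, in time order."""
        return self._items[bisect_left(self._ts, start):bisect_right(self._ts, end)]


class PidIndexedCache:
    """Second cache: sequenced screen-capture frames keyed by process ID."""
    def __init__(self):
        self._frames = defaultdict(list)

    def put(self, pid, ts, frame):
        self._frames[pid].append((ts, frame))

    def window(self, pid, start, end):
        """Frames of one process with start <= ts <= end, in capture order."""
        return [f for t, f in sorted(self._frames[pid]) if start <= t <= end]


def build_evidence_blob(attack_ts, pid, proc_name, snaps, frames, pcap, events):
    """Query both caches for the interval immediately before the attack and pack
    process history, window capture, pcap and events into a single BLOB
    (an in-memory zip archive; the layout is an assumption of this example)."""
    start = attack_ts - monitoring_window(proc_name)
    history = snaps.window(start, attack_ts)                 # the "first video"
    video = frames.window(pid, start, attack_ts)             # the "second video"
    manifest = {
        "attack_ts": attack_ts, "window": [start, attack_ts],
        "pid": pid, "process": proc_name,
        "snapshot_count": len(history), "frame_count": len(video),
        "event_count": len(events),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("process_history.jsonl", "\n".join(json.dumps(s) for s in history))
        z.writestr("window_capture.bin", b"".join(video))
        z.writestr("capture.pcap", pcap)
        z.writestr("ips_siem_events.json", json.dumps(events))
    return buf.getvalue(), manifest


def notify_console(blob):
    """What the management console is sent: a content hash it can use to fetch
    and verify the BLOB, plus its size (notification shape is an assumption)."""
    return {"blob_sha256": hashlib.sha256(blob).hexdigest(), "size": len(blob)}


def blob_members(blob):
    """Unpack a BLOB produced by build_evidence_blob into {name: bytes}."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return {n: z.read(n) for n in z.namelist()}


def demo():
    """Constructed scenario: sshd (pid 4242) is flagged at t=1000; its weight 4.0
    gives a 120 s look-back, so only records in [880, 1000] are attached."""
    snaps, frames = TimeIndexedCache(), PidIndexedCache()
    for ts in (850, 900, 950, 999, 1001):                    # periodic snapshots (constructed)
        snaps.put(ts, {"ts": ts, "pid": 4242, "name": "sshd", "conns": ts % 7})
    for ts in (870, 890, 995):                               # frames of the flagged process
        frames.put(4242, ts, b"FRAME%d" % ts)
    frames.put(7, 990, b"OTHER")                             # another process: must be excluded
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # empty pcap file header
    events = [{"src": "ips", "sig": "bruteforce"}, {"src": "siem", "rule": "auth-burst"}]
    blob, manifest = build_evidence_blob(1000, 4242, "sshd", snaps, frames, pcap, events)
    return blob, manifest, notify_console(blob)


if __name__ == "__main__":
    _, manifest, note = demo()
    print(json.dumps(manifest), note)
```

The two caches are deliberately keyed differently: the snapshot cache answers "what was the whole system doing in the seconds before the alert" (a time-range query), while the frame cache answers "what did this particular process show on screen" (a process-ID query that is then trimmed to the same time range), which is why both have to be queried to assemble the evidence bundle.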
1 Assignment
0 Petitions
Abstract
A method to augment a plurality of IPS or SIEM evidence information is provided. The method may include monitoring a plurality of processes associated with a computer system. The method may also include identifying a plurality of processes that have network activity. The method may further include capturing the identified plurality of processes that have network activity. The method may also include storing the identified captured plurality of processes that have network activity. The method may include monitoring a plurality of selected programs associated with an operating system of the computer system. The method may also include identifying a plurality of selected programs that have network activity. The method may further include capturing a plurality of screen capture images associated with the identified plurality of selected programs. The method may include storing, by the second component, the captured plurality of system process activity.
12 Citations
7 Claims
1. Independent claim 1 (text reproduced in full under First Claim above). View Dependent Claims (2, 3, 4)
5. A computer program product to augment a plurality of intrusion prevention software (IPS) or Security Information and Event Management software (SIEM) evidence information, the computer system comprising:
- one or more non-transitory computer-readable storage devices and program instructions stored on at least one of the one or more non-transitory tangible storage devices, the program instructions executable by a processor, the program instructions comprising;
program instructions to monitor, by a first component, a plurality of processes associated with a computer system, wherein a length of time associated with the monitoring is determined according to an assigned weight associated with each process within the monitored plurality of processes, and wherein the assigned weight is pre-calculated and maintained in a table corresponding to a plurality of tracked processes;
program instructions to detect, by an intrusion prevention software (IPS) or a Security Information and Event Management software (SIEM), a plurality of processes within the monitored plurality of processes that have network activity;
in response to receiving an online notification of the detection of a plurality of processes within the monitored plurality of processes that have network activity by the IPS or SIEM, program instructions to identify the detected plurality of processes that have network activity;
program instructions to capture the identified plurality of processes that have network activity, wherein the capturing comprises routinely taking a system snapshot of the identified plurality of system processes, and collecting a plurality of sequenced screen capture images associated with the identified plurality of system processes to create a first video;
program instructions to store the identified captured plurality of processes that have network activity, wherein the storing the identified captured plurality of processes that have network activity comprises storing the captured plurality of system snapshots in a first cache, and wherein the captured plurality of system snapshots stored in the first cache are indexed by a time associated with when each snapshot within the plurality of system snapshots was taken;
program instructions to monitor a plurality of selected programs associated with an operating system of the computer system;
program instructions to detect, by the IPS or the SIEM, a plurality of selected programs within the monitored plurality of selected programs that have network activity;
in response to receiving an online notification of the detection of a plurality of selected programs within the monitored plurality of selected programs that have network activity by the IPS or SIEM, program instructions to identify the detected plurality of selected programs that have network activity;
program instructions to capture a plurality of screen capture images associated with the identified plurality of selected programs, wherein the capturing comprises collecting a plurality of sequenced screen capture images of processes associated with the identified plurality of selected programs to create a second video;
program instructions to store the captured plurality of system process activity, wherein the storing the captured plurality of system process activity comprises storing the captured plurality of screen capture images in a second cache, and wherein the captured plurality of screen capture images stored in the second cache are indexed according to a process ID;
in response to a request by the IPS or the SIEM, program instructions to query the first cache and the second cache, wherein the querying is based on a detected network attack;
program instructions to retrieve the stored first video and the stored second video, wherein the retrieved stored first video and the retrieved stored second video contain a plurality of network activity captured immediately prior to the detected network attack;
program instructions to attach the retrieved first video and the retrieved second video together with a network packet capture dump and a plurality of IPS and SIEM events into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and
program instructions to send an electronic notification of the single BLOB to a management console associated with the computer system.
View Dependent Claims (6, 7)
Specification