Mechanism to augment IPS/SIEM evidence information with process history snapshot and application window capture history

  • US 9,509,709 B2
  • Filed: 03/19/2015
  • Issued: 11/29/2016
  • Est. Priority Date: 03/19/2015
  • Status: Expired due to Fees
First Claim
1. A computer system to augment a plurality of intrusion prevention software (IPS) or Security Information and Event Management software (SIEM) evidence information, the computer system comprising:

  • one or more processors, one or more memories, and program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors coupled to memory to execute to perform;

    monitoring a plurality of processes associated with a computer system, wherein a length of time associated with the monitoring is determined according to an assigned weight associated with each process within the monitored plurality of processes, and wherein the assigned weight is pre-calculated and maintained in a table corresponding to a plurality of tracked processes;

    detecting, by an intrusion prevention software (IPS) or a Security Information and Event Management software (SIEM), a plurality of processes within the monitored plurality of processes that have network activity;

    in response to receiving an online notification of the detection of a plurality of processes within the monitored plurality of processes that have network activity by the IPS or SIEM, identifying the detected plurality of processes that have network activity;

    capturing the identified plurality of processes that have network activity, wherein the capturing comprises routinely taking a system snapshot of the identified plurality of system processes, and collecting a plurality of sequenced screen capture images associated with the identified plurality of system processes to create a first video;

    storing the identified captured plurality of processes that have network activity, wherein the storing the identified captured plurality of processes that have network activity comprises storing the captured plurality of system snapshots in a first cache, and wherein the captured plurality of system snapshots stored in the first cache are indexed by a time associated with when each snapshot within the plurality of system snapshots was taken;

    monitoring a plurality of selected programs associated with an operating system of the computer system;

    detecting, by the IPS or the SIEM, a plurality of selected programs within the monitored plurality of selected programs that have network activity;

    in response to receiving an online notification of the detection of a plurality of selected programs within the monitored plurality of selected programs that have network activity by the IPS or SIEM, identifying the detected plurality of selected programs that have network activity;

    capturing a plurality of screen capture images associated with the identified plurality of selected programs, wherein the capturing comprises collecting a plurality of sequenced screen capture images of processes associated with the identified plurality of selected programs to create a second video;

    storing the captured plurality of system process activity, wherein the storing the captured plurality of system process activity comprises storing the captured plurality of screen capture images in a second cache, and wherein the captured plurality of screen capture images stored in the second cache are indexed according to a process ID;

    in response to a request by the IPS or the SIEM, querying the first cache and the second cache, wherein the querying is based on a detected network attack;

    retrieving the stored first video and the stored second video, wherein the retrieved stored first video and the retrieved stored second video contain a plurality of network activity captured immediately prior to the detected network attack;

    attaching the retrieved first video and the retrieved second video together with a network packet capture dump and a plurality of IPS and SIEM events into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and

    sending an electronic notification of the single BLOB to a management console associated with the computer system.
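As an added illustration that is not the patent's own code, the following constructed Python model implements the storage and retrieval steps of claim 1: a first cache of system snapshots indexed by capture time, a second cache of screen frames indexed by process ID, retention windows taken from a pre-calculated per-process weight table, a query for captures taken immediately before a detected attack, and packaging of both "videos" with a packet capture and the IPS/SIEM events into a single BLOB. The weight table, the use of seconds as the weight unit, and the JSON-with-base64 BLOB layout are assumptions for the example.

```python
import base64
import json
from bisect import insort


class EvidenceStore:
    """Two-cache evidence store: system snapshots by time, screen frames by PID (constructed example)."""

    def __init__(self, weight_table, default_window=60):
        self.weights = dict(weight_table)  # assumed pre-calculated weight table: name -> seconds retained
        self.default_window = default_window
        self.snapshots = []                # first cache: (time, pid, name, bytes), kept sorted by time
        self.frames = {}                   # second cache: pid -> [(time, image bytes)]
        self.names = {}                    # pid -> process name, used to look up the weight

    def window_for(self, name):
        return self.weights.get(name, self.default_window)

    def add_snapshot(self, t, pid, name, data):
        self.names[pid] = name
        insort(self.snapshots, (t, pid, name, data))  # keeps the first cache time-ordered
        self.evict(t)

    def add_frame(self, t, pid, data):
        self.frames.setdefault(pid, []).append((t, data))
        self.evict(t)

    def evict(self, now):
        """Drop entries older than their process's weighted retention window."""
        self.snapshots = [s for s in self.snapshots if now - s[0] <= self.window_for(s[2])]
        for pid, fr in self.frames.items():
            w = self.window_for(self.names.get(pid))
            self.frames[pid] = [f for f in fr if now - f[0] <= w]

    def query(self, attack_time, pids):
        """Return the snapshot 'video' and the per-PID frame 'videos' captured before the attack."""
        first = [s for s in self.snapshots if s[0] < attack_time]
        second = {pid: [f for f in self.frames.get(pid, []) if f[0] < attack_time] for pid in pids}
        return first, second

    def build_blob(self, attack_time, pids, pcap, events):
        """Bundle both videos, the packet capture dump and the IPS/SIEM events into one BLOB (bytes)."""
        first, second = self.query(attack_time, pids)
        b64 = lambda b: base64.b64encode(b).decode()
        record = {
            "attack_time": attack_time,
            "snapshot_video": [{"t": t, "pid": p, "name": n, "data": b64(d)} for t, p, n, d in first],
            "screen_videos": {str(p): [{"t": t, "data": b64(d)} for t, d in fr] for p, fr in second.items()},
            "pcap": b64(pcap),
            "events": events,
        }
        return json.dumps(record, sort_keys=True).encode()
```

A process with a low weight (short window) is aged out of both caches quickly, so the BLOB sent to the management console only ever contains the evidence the weight table deems worth retaining.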
