Advanced intelligence engine

US 9,576,243 B2
Filed: 09/13/2013
Issued: 02/21/2017
Est. Priority Date: 11/24/2010
Status: Active Grant

First Claim

Patent Images

1. A method for use in monitoring one or more platforms of one or more data systems, comprising:

receiving, at a processor, structured data generated by one or more platforms over at least one communications network;

first evaluating, by the processor engine using one of first and second rule blocks, at least some of the data;

first determining that a result of the first evaluating is a first of at least first and second outcomes, wherein the at least some of the data leading to the first outcome is identified by a time stamp that corresponds to a first time;

accessing, by the processor, a linking relationship object contained within at least one of the first and second rule blocks to determine a specified time period relative to the first time;

second evaluating, by the processor using the other of the first and second rule blocks, at least some of the data associated with one or more time stamps corresponding to a second time within the specified time period relative to the first time;

second determining, from the second evaluating, whether a result is one of at least first and second outcomes; and

analyzing the results of the first and second determining steps to determine an event of interest.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An advanced intelligence engine (AIE) for use in identifying what may be complex events or developments on one or more data platforms or networks from various types of structured or normalized data generated by one or more disparate data sources. The AIE may conduct one or more types of quantitative, correlative, behavioral and corroborative analyses to detect events from what may otherwise be considered unimportant or non-relevant information spanning one or more time periods. Events generated by the AIE may be passed to an event manager to determine whether further action is required such as reporting, remediation, and the like.

Citations

19 Claims

1. A method for use in monitoring one or more platforms of one or more data systems, comprising:
- receiving, at a processor, structured data generated by one or more platforms over at least one communications network;
  
  first evaluating, by the processor engine using one of first and second rule blocks, at least some of the data;
  
  first determining that a result of the first evaluating is a first of at least first and second outcomes, wherein the at least some of the data leading to the first outcome is identified by a time stamp that corresponds to a first time;
  
  accessing, by the processor, a linking relationship object contained within at least one of the first and second rule blocks to determine a specified time period relative to the first time;
  
  second evaluating, by the processor using the other of the first and second rule blocks, at least some of the data associated with one or more time stamps corresponding to a second time within the specified time period relative to the first time;
  
  second determining, from the second evaluating, whether a result is one of at least first and second outcomes; and
  
  analyzing the results of the first and second determining steps to determine an event of interest.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the specified relationship comprises the one or more second times occurring before the first time.
  - 3. The method of claim 1, wherein the specified relationship comprises the one or more second times occurring at the same time as or after the first time.
  - 4. The method of claim 1, wherein the first evaluating uses the second rule block and the second evaluating uses the first rule block.
  - 5. The method of claim 1, wherein the first evaluating uses the first rule block and the second evaluating uses the second rule block.
  - 6. The method of claim 1, wherein the second determining comprises second determining that the result is the first outcome, and wherein the method further comprises:
    - generating an event in response to the second determining comprising the first outcome.
  - 7. The method of claim 1, wherein the second determining comprises second determining that the result is the second outcome, and wherein the method further comprises after the second determining:
    - third evaluating, by the processor using the other of the first and second rule blocks, at least some of the data;
      
      third determining that a result of the third evaluating is a first of at least first and second outcomes, wherein the at least some of the data leading to the first outcome is identified by a time stamp that corresponds to a third time;
      
      fourth evaluating, by the processor using the one of the first and second rule block, at least some of the data associated with the time stamp corresponding to the first time having a specified relationship to the third time;
      
      fourth determining, from the fourth evaluating, whether a result is one of at least first and second outcomes, wherein the results are analyzed to determine an event of interest.
  - 8. The method of claim 7, wherein the fourth determining comprises fourth determining that the result is the first outcome, and wherein the method further comprises:
    - generating an event in response to the fourth determining comprising the first outcome.
  - 9. The method of claim 1, wherein the first evaluating comprises making a determination about a content of one or more fields of the at least some of the data, wherein the second evaluating comprises making a determination about a content of one or more fields of the at least some of the data, and wherein a content of one of the fields in the first evaluating matches a content of one of the fields in the second evaluating.
  - 10. The method of claim 9, wherein the second evaluating comprises:
    - utilizing the matching content as a key into an index structure of the at least some of the data to determine if the result is one of the first and second outcomes.

11. A system for use in monitoring one or more platforms of one or more data systems, comprising:
- a processor,a memory connected to the processor and comprising a set of computer readable instructions that are executable by the processor to;
  
  receive structured data generated by one or more platforms over at least one communications network;
  
  evaluate at least some of the received data with a first rule block to obtain a first result;
  
  determine that the first result is a first of at least first and second outcomes,wherein the at least some of the received data leading to the first outcome is identified by a time stamp that corresponds to a first time;
  
  access a linking relationship object to determine a specified time period relative to the first time;
  
  evaluate, with a second rule block, at least some of the received data associated with one or more time stamps that correspond to one or more second times within the specified time period relative to the first time to obtain a second result;
  
  determine that the second result is one of at least first and second outcomes; and
  
  analyze the results to determine an event interest.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, wherein the specified relationship comprises the one or more second times occurring before the first time.
  - 13. The system of claim 11, wherein the specified relationship comprises the one or more second times occurring at the same time as or after the first time.
  - 14. The system of claim 11, wherein the set of computer readable instructions determines that the second result is the first outcome, and wherein theset of computer readable instructions is executable by the processor to generate an event in response to the second rule block determining that the second result is the first outcome.
  - 15. The system of claim 11, wherein the set of computer readable instructions determines that the second result is the second outcome;
    - and wherein the set of computer readable instructions is executable by the processor to;
      
      evaluate at least some of the data to obtain a third result; and
      
      determine that the third result is a first of at least first and second outcomes, wherein the at least some of the data leading to the first outcome is identified by a time stamp that corresponds to a third time;
      
      evaluate at least some of the data associated with the time stamp corresponding to the first time having a specified relationship to the third time to obtain a fourth result; and
      
      determine whether the fourth result is one of at least first and second outcomes, wherein the results are analyzed to determine an event of interest.
  - 16. The system of claim 15, wherein the set of computer readable instructions determines that the fourth result is the first outcome, and wherein the set of computer readable instructions is executable by processor to generate an event in response to the first rule block determining that the fourth result is the first outcome.
  - 17. The system of claim 11, wherein the set of computer readable instructions evaluates the at least some of the data by making a determination about a content of one or more fields of the at least some of the data, wherein the set of computer readable instructions evaluates by making a determination about a content of one or more fields of the at least some of the data, and wherein a content of one of the fields evaluated by the first rule module matches a content of one the fields evaluated by the second rule module.
  - 18. The system of claim 17, wherein the set of computer readable instructions evaluates by utilizing the matching content as a key into an index structure of the at least some of the data to determine if the second result is one of the first and second outcomes.

19. A method for use in monitoring one or more platforms of one or more data systems, comprising:
- receiving, at a processor, structured data generated by one or more platforms over at least one communications network;
  
  first evaluating, by the processor using one of first and second rule blocks, at least some of the data;
  
  first determining that a result of the first evaluating is a first of at least first and second outcomes, wherein the at least some of the data leading to the first outcome is identified by a time stamp that corresponds to a first time;
  
  second evaluating, by the processor using the other of the first and second rule blocks, at least some of the data associated with a second time stamp corresponding to a second time;
  
  second determining, from the second evaluating, whether a result is one of at least first and second outcomes;
  
  receiving, by an event manager, results of the first and second evaluating;
  
  accessing, by the event manager, a linking relationship object that associates the first and second rule blocks to determine a specified time period;
  
  ascertaining, by the event manager, whether the first and second times are within the specified time period; and
  
  generating, by the event manager, an event in response to the ascertaining step.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Logrhythm Incorporated
Original Assignee
Logrhythm Incorporated
Inventors
Petersen, Chris, Villella, Phillip, Aisa, Brad
Primary Examiner(s)
Park, Jeong S

Application Number

US14/026,834
Publication Number

US 20140012796A1
Time in Patent Office

1,257 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/24575   using context

G06F 21/552   involving long-term monitor...

G06N 5/025   Extracting rules from data

H04L 41/069   using logs of notifications...

H04L 43/04   Processing captured monitor...

H04L 43/16   Threshold monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Advanced intelligence engine

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced intelligence engine

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links