Method and apparatus for detecting a multi-stage event

US 9,836,600 B2
Filed: 03/31/2014
Issued: 12/05/2017
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. A multi-stage event detector device, comprising:

at least one processor and a memory operably coupled thereto, the at least one processor being configured to execute instructions stored in the memory to at least generate main and subprocesses, each main and sub-process being configured to generate and initiate one or more detection agents each of which is configured to be triggered by detecting the occurrence of a trigger event or series of events and to report back to its generating process or sub-process upon being so triggered, andwherein each generated process or sub-process is configured to respond to receipt of a report from a triggered detection agent by either (a) reporting a detection of a multi-stage event or part thereof to either a parent process or sub-process or to an overall software control module, or (b) generating and initiating a second detection agent or a second subprocess, wherein the generated process or sub-process that generated and initiated the second agent or second sub-process remains active, andwherein different processes and sub-processes are configured to operate in parallel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-stage event detector for monitoring a system, the multi-stage event detector including: a process generator operable to generate main and sub-processes, each main and sub-process being operable to generate and initiate a detection agent each of which is operable to be triggered by detecting the occurrence of a trigger event and to report back to its generating process or sub-process upon being so triggered. Each process or sub-process is operable to respond to receipt of a report from a triggered detection agent by reporting the detection of a multi-stage event to an overall controller.

24 Citations

19 Claims

1. A multi-stage event detector device, comprising:
- at least one processor and a memory operably coupled thereto, the at least one processor being configured to execute instructions stored in the memory to at least generate main and subprocesses, each main and sub-process being configured to generate and initiate one or more detection agents each of which is configured to be triggered by detecting the occurrence of a trigger event or series of events and to report back to its generating process or sub-process upon being so triggered, andwherein each generated process or sub-process is configured to respond to receipt of a report from a triggered detection agent by either (a) reporting a detection of a multi-stage event or part thereof to either a parent process or sub-process or to an overall software control module, or (b) generating and initiating a second detection agent or a second subprocess, wherein the generated process or sub-process that generated and initiated the second agent or second sub-process remains active, andwherein different processes and sub-processes are configured to operate in parallel.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The multi-stage event detector device according to claim 1, further comprising:
    - a store comprising conditions; and
      
      a user interface configured to enable a security expert user to input to the store values that are used to trigger event conditions used by the detection agents.
  - 3. The multi-stage event detector device according to claim 1, wherein the at least one processor is further configured to determine whether a multi-stage event is occurring before the entirety of the event has occurred or has been detected and, responsive to such a determination, notify a user.
  - 4. The multi-stage event detector device according to claim 1, wherein when a detection agent instantiated by a main process is triggered, as part of the trigger it identifies a distinguishing characteristic of the event and the trigger then causes the main process to instantiate a sub-process that generates a detection agent looking for a trigger indicating that a second stage of the pattern of the main process has been triggered, wherein the trigger condition includes an aspect that depends upon the distinguishing characteristic identified by the detection agent instantiated by the main process, to cause the multi-stage event detector device to be configured to distinguish between different multi-stage events of the same type occurring during overlapping periods of time but being distinguishable from one another by means of a distinguishing characteristic.
  - 5. The multi-stage event detector device according to claim 1, wherein each generated process and sub-process remains active until one of the following conditions occurs:
    - a final stage is reached, the respective generated process or sub-process is manually destroyed, and the respective generated process or sub-process is automatically destroyed by the multi-stage event detector device.
  - 6. The multi-stage event detector device according to claim 1, wherein each generated process and sub-process remains active until one of the following conditions occurs:
    - a final stage is reached, the respective generated process or sub-process is manually destroyed, and the respective generated process or sub-process is automatically destroyed upon a timeout.

7. A method of detecting the occurrence of a multi-stage event within a system being monitored, the method comprising:
- generating, using processing resources including at least one processor and a memory, main and sub-processes, each main and sub-process being configured to generate and initiate one or more detection agents each of which is configured to be triggered by detecting the occurrence of a trigger event or series of events and to report back to its generating process or sub-process upon being so triggered, and wherein each process or sub-process is configured to respond to receipt of a report from a triggered detection agent by either (a) reporting the detection of a multi-stage event or part thereof to either a parent process or sub-process or to an overall software control module, or (b) generating and initiating a second detection agent or a second sub-process, wherein the generated process or sub-process that generated and initiated the second agent or second sub-process remains active; and
  
  detecting, using the processing resources, the occurrence of a multi-stage event in dependence upon the triggering of one or more detection agents,wherein different processes and sub-processes are configured to operate in parallel.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method according to claim 7, further comprising storing to a data store input values, from a security expert user, that are used to trigger event conditions used by the detection agents.
  - 9. The method according to claim 7, further comprising notifying a user in response to a determination that a multi-stage event is occurring before the entirety of the event has occurred or has been detected.
  - 10. The method according to claim 7, wherein when a detection agent instantiated by a main process is triggered, as part of the trigger it identifies a distinguishing characteristic of the event and the trigger then causes the main process to instantiate a sub-process that generates a detection agent looking for a trigger indicating that a second stage of the pattern of the main process has been triggered, wherein the trigger condition includes an aspect that depends upon the distinguishing characteristic identified by the detection agent instantiated by the main process, in distinguishing between different multi-stage events of the same type occurring during overlapping periods of time but being distinguishable from one another by means of a distinguishing characteristic.
  - 11. The method according to claim 7, wherein each generated process and sub-process remains active until one of the following conditions occurs:
    - a final stage is reached, the respective generated process or sub-process is manually destroyed, and the respective generated process or sub-process is automatically destroyed by the multi-stage event detector device.
  - 12. The method according to claim 7, wherein each generated process and sub-process remains active until one of the following conditions occurs:
    - a final stage is reached, the respective generated process or sub-process is manually destroyed, and the respective generated process or sub-process is automatically destroyed upon a timeout.

13. A multi-stage event detector device, comprising:
- at least one processor and a memory operably coupled thereto, the at least one processor being configured to execute instructions stored in the memory to at least generate main and subprocesses, each main and sub-process being configured to generate and initiate one or more detection agents, each being configured to be triggered by detecting the occurrence of a trigger event or series of events and to report back to its generating process or sub-process upon being so triggered;
  
  wherein each generated process or sub-process is configured to perform both of, and selectively execute one of, responding to receipt of a report from a triggered detection agent by either (a) reporting a detection of a multi-stage event or part thereof to either (i) a parent process or sub-process or (ii) an overall software control module, and (b) generating and initiating a second detection agent or a second sub-process;
  
  wherein the generated process or sub-process that generated and initiated the second agent or second sub-process remains active,wherein at least one of the trigger events or series of events is associated with plural different attacks, and wherein different processes and sub-processes are configured to operate in parallel.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The multi-stage event detector device according to claim 13, further comprising a data store configured to store user-specified trigger event conditions received via a user interface.
  - 15. The multi-stage event detector device according to claim 13, wherein the at least one processor is further configured to determine whether a multi-stage event is occurring before the entirety of the event has occurred or has been detected and, responsive to such a determination, notify a user.
  - 16. The multi-stage event detector device according to claim 13, wherein the at least one processor is further configured to generate main and sub-processes which, in turn, are configured to generate and initiate one or more detection agents, each of which is further configured, when instantiated by a main process and subsequently triggered, to identify, as part of the trigger, a distinguishing characteristic of the event and then to cause the main process to instantiate a sub-process that generates a detection agent looking for a trigger indicating that a second stage of a pattern of the main process, which pattern comprises at least a first and a second stage, has been triggered, wherein the trigger condition includes an aspect that depends on the distinguishing characteristic identified by the detection agent instantiated by the main process, to cause the multi-stage event detector device to distinguish between different multi-stage events of the same type occurring during overlapping periods of time but being distinguishable from one another by means of a distinguishing characteristic.
  - 17. The multi-stage event detector device according to claim 13, wherein each generated process and sub-process remains active until one of the following conditions occurs:
    - a final stage is reached, the respective generated process or sub-process is manually destroyed, and the respective generated process or sub-process is automatically destroyed by the multi-stage event detector device.
  - 18. The multi-stage event detector device according to claim 13, wherein each generated process and sub-process remains active until one of the following conditions occurs:
    - a final stage is reached, the respective generated process or sub-process is manually destroyed, and the respective generated process or sub-process is automatically destroyed upon a timeout.

19. A non-transitory computer readable storage medium comprising instructions that, when executed by a processor of a computer, perform functionality comprising:
- generating main and sub-processes, each main and sub-process being configured to generate and initiate one or more detection agents each of which is configured to be triggered by detecting the occurrence of a trigger event or series of events and to report back to its generating process or sub-process upon being so triggered, and wherein each process or sub-process is configured to respond to receipt of a report from a triggered detection agent by either (a) reporting the detection of a multi-stage event or part thereof to either a parent process or subprocess or to an overall software control module, or (b) generating and initiating a second detection agent or a second sub-process, wherein the generated process or sub-process that generated and initiated the second agent or second sub-process remains active; and
  
  detecting the occurrence of a multi-stage event in dependence upon the triggering of one or more detection agents,wherein different processes and sub-processes are configured to operate in parallel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
Herwono, Ian, Cui, Zhan
Primary Examiner(s)
Lewis, Lisa
Assistant Examiner(s)
Bucknor, Olanrewaju

Application Number

US14/781,163
Publication Number

US 20160055334A1
Time in Patent Office

1,345 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Method and apparatus for detecting a multi-stage event

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting a multi-stage event

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links