Mechanism to augment IPS/SIEM evidence information with process history snapshot and application window capture history

US 9,906,547 B2
Filed: 08/26/2016
Issued: 02/27/2018
Est. Priority Date: 03/19/2015
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising:

one or more computer readable storage media and program instructions stored on the one or more computer readable storage media, the program instructions comprising;

program instructions to, responsive to detecting network activity on an operating system (OS) process actively operating on a computer system, identify the OS process;

program instructions to, responsive to identifying the OS process, capture one or more graphical representations of each graphical user interface (GUI) window of the OS process;

program instructions to calculate a weight for the OS process, wherein the weight for the OS process quantitatively indicates a risk level for network attacks on the OS process;

program instructions to store a first file including a sequence of the one or more graphical representations of each GUI window of the OS process;

program instructions to store a second file including the process activity of the OS process, wherein the first file and the second file are video files retrieved by an intrusion prevention software/security information and event management software (IPS/SIEM), and wherein the packet information is a packet capture dump and event information is IPS/SIEM event information, and wherein the program instructions to store the first file and the second file comprise;

program instructions to allocate a number of storage resources in a storage repository to store the first file, based on the calculated weight for the OS process whereby a first OS process having a greater calculated weight is allocated a greater number of storage resources in the storage repository to store the first file compared to a second OS process having a lesser calculated weight; and

program instructions to allocate a number of storage resources in the storage repository to store the second file, based on the calculated weight for the OS process, whereby the first OS process having the greater calculated weight is allocated a greater number of storage resources in the storage repository to store the second file compared to the second OS process having the lesser calculated weight;

program instructions to store a second file including the process activity of the OS process;

program instructions to, responsive to detecting a network attack, retrieve the first file and the second file;

program instructions to attach the first file and the second file together with packet information and event information into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and

program instructions to send an electronic notification of the single BLOB to a management console associated with the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method to augment a plurality of IPS or SIEM evidence information is provided. The method may include monitoring a plurality of processes associated with a computer system. The method may also include identifying a plurality of processes that have network activity. The method may further include capturing the identified plurality of processes that have network activity. The method may also include storing the identified captured plurality of processes that have network activity. The method may include monitoring a plurality of selected programs associated with an operating system of the computer system. The method may also include identifying a plurality of selected programs that have network activity. The method may further include capturing a plurality of screen capture images associated with the identified plurality of selected programs. The method may include storing, by the second component the captured plurality of system process activity.

Citations

7 Claims

1. A computer program product comprising:
- one or more computer readable storage media and program instructions stored on the one or more computer readable storage media, the program instructions comprising;
  
  program instructions to, responsive to detecting network activity on an operating system (OS) process actively operating on a computer system, identify the OS process;
  
  program instructions to, responsive to identifying the OS process, capture one or more graphical representations of each graphical user interface (GUI) window of the OS process;
  
  program instructions to calculate a weight for the OS process, wherein the weight for the OS process quantitatively indicates a risk level for network attacks on the OS process;
  
  program instructions to store a first file including a sequence of the one or more graphical representations of each GUI window of the OS process;
  
  program instructions to store a second file including the process activity of the OS process, wherein the first file and the second file are video files retrieved by an intrusion prevention software/security information and event management software (IPS/SIEM), and wherein the packet information is a packet capture dump and event information is IPS/SIEM event information, and wherein the program instructions to store the first file and the second file comprise;
  
  program instructions to allocate a number of storage resources in a storage repository to store the first file, based on the calculated weight for the OS process whereby a first OS process having a greater calculated weight is allocated a greater number of storage resources in the storage repository to store the first file compared to a second OS process having a lesser calculated weight; and
  
  program instructions to allocate a number of storage resources in the storage repository to store the second file, based on the calculated weight for the OS process, whereby the first OS process having the greater calculated weight is allocated a greater number of storage resources in the storage repository to store the second file compared to the second OS process having the lesser calculated weight;
  
  program instructions to store a second file including the process activity of the OS process;
  
  program instructions to, responsive to detecting a network attack, retrieve the first file and the second file;
  
  program instructions to attach the first file and the second file together with packet information and event information into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and
  
  program instructions to send an electronic notification of the single BLOB to a management console associated with the computer system.
- View Dependent Claims (2, 3, 4)
- - 2. The computer program product of claim 1, wherein the one or more graphical representations of each GUI window of the OS process is a screen capture of each GUI window of the OS process, including one or more delta algorithms describing changes between each GUI window.
  - 3. The computer program product of claim 1, wherein the program instructions to calculate the weight for the OS process comprise:
    - program instructions to determine process parameters for the OS process, wherein one of the process parameters for the OS process indicates a number of network sockets opened for OS process; and
      
      program instructions to calculate the weight for the OS process based on the process parameters for the OS process.
  - 4. The computer program product of claim 3, wherein one of the process parameters of the OS process includes an indication whether the OS process receives a user input.

5. A computer system comprising:
- one or more computer processors;
  
  one or more computer readable storage media;
  
  program instructions stored on the computer readable storage media for execution by at least one of the one or more processors, the program instructions comprising;
  
  program instructions to, responsive to detecting network activity on an operating system (OS) process actively operating on a computer system, identify the OS process;
  
  program instructions to, responsive to identifying the OS process, capture one or more graphical representations of each graphical user interface (GUI) window of the OS process;
  
  program instructions to calculate a weight for the OS process, wherein the weight for the OS process quantitatively indicates a risk level for network attacks on the OS process;
  
  program instructions to store a first file including a sequence of the one or more graphical representations of each GUI window of the OS process;
  
  program instructions to store a second file including the process activity of the OS process, wherein the first file and the second file are video files retrieved by an intrusion prevention software/security information and event management software (IPS/SIEM), and wherein the packet information is a packet capture dump and event information is IPS/SIEM event information, and wherein the program instructions to store the first file and the second file comprise;
  
  program instructions to allocate a number of storage resources in a storage repository to store the first file, based on the calculated weight for the OS process whereby a first OS process having a greater calculated weight is allocated a greater number of storage resources in the storage repository to store the first file compared to a second OS process having a lesser calculated weight; and
  
  program instructions to allocate a number of storage resources in the storage repository to store the second file, based on the calculated weight for the OS process, whereby the first OS process having the greater calculated weight is allocated a greater number of storage resources in the storage repository to store the second file compared to the second OS process having the lesser calculated weight;
  
  program instructions to, responsive to detecting a network attack, retrieve the first file and the second file, wherein the first file and the second file are video files retrieved by an intrusion prevention software/security information and event management software (IPS/SIEM), and wherein the packet information is a packet capture dump and event information is IPS/SIEM event information;
  
  program instructions to attach the first file and the second file together with packet information and event information into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and
  
  program instructions to send an electronic notification of the single BLOB to a management console associated with the computer system.
- View Dependent Claims (6, 7)
- - 6. The computer system of claim 5, wherein the one or more graphical representations of each GUI window of the OS process is a screen capture of each GUI window of the OS process, including one or more delta algorithms describing changes between each GUI window.
  - 7. The computer system of claim 5, wherein the program instructions to calculate the weight for the OS process comprise:
    - program instructions to determine process parameters for the OS process, wherein one of the process parameters for the OS process indicates a number of network sockets opened for OS process; and
      
      program instructions to calculate the weight for the OS process based on the process parameters for the OS process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Lee, Chien Pang, Mahadevan, Hariharan
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
TAYLOR, SAKINAH W

Application Number

US15/248,012
Publication Number

US 20160364571A1
Time in Patent Office

550 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/71   Indexing; Data structures t...

G06F 16/951   Indexing; Web crawling tech...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 3/0487   using specific features pro...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Mechanism to augment IPS/SIEM evidence information with process history snapshot and application window capture history

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism to augment IPS/SIEM evidence information with process history snapshot and application window capture history

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links