Mechanism to augment IPS/SIEM evidence information with process history snapshot and application window capture history
First Claim
1. A computer program product comprising:
- one or more computer readable storage media and program instructions stored on the one or more computer readable storage media, the program instructions comprising:
program instructions to, responsive to detecting network activity on an operating system (OS) process actively operating on a computer system, identify the OS process;
program instructions to, responsive to identifying the OS process, capture one or more graphical representations of each graphical user interface (GUI) window of the OS process;
program instructions to calculate a weight for the OS process, wherein the weight for the OS process quantitatively indicates a risk level for network attacks on the OS process;
program instructions to store a first file including a sequence of the one or more graphical representations of each GUI window of the OS process;
program instructions to store a second file including the process activity of the OS process, wherein the first file and the second file are video files retrieved by an intrusion prevention software/security information and event management software (IPS/SIEM), and wherein the packet information is a packet capture dump and event information is IPS/SIEM event information, and wherein the program instructions to store the first file and the second file comprise:
program instructions to allocate a number of storage resources in a storage repository to store the first file, based on the calculated weight for the OS process whereby a first OS process having a greater calculated weight is allocated a greater number of storage resources in the storage repository to store the first file compared to a second OS process having a lesser calculated weight; and
program instructions to allocate a number of storage resources in the storage repository to store the second file, based on the calculated weight for the OS process, whereby the first OS process having the greater calculated weight is allocated a greater number of storage resources in the storage repository to store the second file compared to the second OS process having the lesser calculated weight;
program instructions to store a second file including the process activity of the OS process;
program instructions to, responsive to detecting a network attack, retrieve the first file and the second file;
program instructions to attach the first file and the second file together with packet information and event information into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and
program instructions to send an electronic notification of the single BLOB to a management console associated with the computer system.
Abstract
A method to augment a plurality of IPS or SIEM evidence information is provided. The method may include monitoring a plurality of processes associated with a computer system. The method may also include identifying a plurality of processes that have network activity. The method may further include capturing the identified plurality of processes that have network activity. The method may also include storing the identified captured plurality of processes that have network activity. The method may include monitoring a plurality of selected programs associated with an operating system of the computer system. The method may also include identifying a plurality of selected programs that have network activity. The method may further include capturing a plurality of screen capture images associated with the identified plurality of selected programs. The method may include storing, by the second component, the captured plurality of system process activity.
7 Claims
1. A computer program product comprising: (independent claim; its full text is reproduced above under First Claim). Dependent claims: 2, 3, 4.
5. A computer system comprising:
- one or more computer processors;
- one or more computer readable storage media;
- program instructions stored on the computer readable storage media for execution by at least one of the one or more processors, the program instructions comprising:
program instructions to, responsive to detecting network activity on an operating system (OS) process actively operating on a computer system, identify the OS process;
program instructions to, responsive to identifying the OS process, capture one or more graphical representations of each graphical user interface (GUI) window of the OS process;
program instructions to calculate a weight for the OS process, wherein the weight for the OS process quantitatively indicates a risk level for network attacks on the OS process;
program instructions to store a first file including a sequence of the one or more graphical representations of each GUI window of the OS process;
program instructions to store a second file including the process activity of the OS process, wherein the first file and the second file are video files retrieved by an intrusion prevention software/security information and event management software (IPS/SIEM), and wherein the packet information is a packet capture dump and event information is IPS/SIEM event information, and wherein the program instructions to store the first file and the second file comprise:
program instructions to allocate a number of storage resources in a storage repository to store the first file, based on the calculated weight for the OS process whereby a first OS process having a greater calculated weight is allocated a greater number of storage resources in the storage repository to store the first file compared to a second OS process having a lesser calculated weight; and
program instructions to allocate a number of storage resources in the storage repository to store the second file, based on the calculated weight for the OS process, whereby the first OS process having the greater calculated weight is allocated a greater number of storage resources in the storage repository to store the second file compared to the second OS process having the lesser calculated weight;
program instructions to, responsive to detecting a network attack, retrieve the first file and the second file, wherein the first file and the second file are video files retrieved by an intrusion prevention software/security information and event management software (IPS/SIEM), and wherein the packet information is a packet capture dump and event information is IPS/SIEM event information;
program instructions to attach the first file and the second file together with packet information and event information into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and
program instructions to send an electronic notification of the single BLOB to a management console associated with the computer system.
Dependent claims: 6, 7.
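Claims 1 and 5 describe the same pipeline: identify a process with network activity, capture its GUI windows, weight the process by attack risk, give heavier processes more storage for their window-capture and activity histories, and on an attack bundle both histories with the packet capture dump and the IPS/SIEM event into one BLOB that is reported to a console. The following Python is an added example that walks that pipeline end to end; it is not the patent's own code and not part of the original page. The risk-weight formula, the 16-slot storage budget, the BLOB container layout, the per-part SHA-256 hashes (which the claims do not mention, but without which a console cannot tell whether stored evidence was altered before bundling), and every process, window, capture and event value are assumptions constructed for illustration.

```python
# Added example, not the patent's code: weight formula, storage budget, BLOB
# layout, integrity hashes and all sample data are assumptions for illustration.
import hashlib
import json
import struct
from collections import deque
from dataclasses import dataclass


@dataclass
class OSProcess:
    pid: int
    name: str
    privileged: bool
    listening_ports: set
    remote_peers: set


def process_weight(p: OSProcess) -> int:
    """Hypothetical risk weight (the claims fix no formula): listeners count
    twice, distinct remote peers once, and privilege doubles the total."""
    return (1 + 2 * len(p.listening_ports) + len(p.remote_peers)) * (2 if p.privileged else 1)


def allocate_slots(weights: dict, budget: int) -> dict:
    """Split a fixed slot budget in proportion to weight, at least one slot each,
    so a heavier process keeps more history than a lighter one."""
    total = sum(weights.values())
    return {pid: max(1, budget * w // total) for pid, w in weights.items()}


class EvidenceStore:
    """Per-process bounded histories: 'first file' = GUI frame sequence,
    'second file' = process activity; the oldest entries are evicted first."""

    def __init__(self, slots: dict):
        self.frames = {pid: deque(maxlen=n) for pid, n in slots.items()}
        self.activity = {pid: deque(maxlen=n) for pid, n in slots.items()}

    def on_network_activity(self, p: OSProcess, event: str, windows: list):
        for title in windows:  # one frame per GUI window; placeholder bytes here
            self.frames[p.pid].append(f"frame:{p.name}:{title}".encode())
        self.activity[p.pid].append(f"{p.pid} {p.name} {event}".encode())

    def retrieve(self, pid: int):
        return b"\n".join(self.frames[pid]), b"\n".join(self.activity[pid])


def pack_blob(parts: dict) -> bytes:
    """Single BLOB: 4-byte length, JSON manifest (name, length, SHA-256 per
    part), then the bodies. The hashes are an addition beyond the claims so a
    console can detect evidence altered between storage and bundling."""
    manifest = json.dumps({"parts": [
        {"name": n, "len": len(b), "sha256": hashlib.sha256(b).hexdigest()}
        for n, b in parts.items()]}).encode()
    return struct.pack(">I", len(manifest)) + manifest + b"".join(parts.values())


def unpack_blob(blob: bytes) -> dict:
    """Inverse of pack_blob; raises ValueError when a part fails its hash."""
    mlen = struct.unpack(">I", blob[:4])[0]
    out, off = {}, 4 + mlen
    for e in json.loads(blob[4:off])["parts"]:
        body = blob[off:off + e["len"]]
        if hashlib.sha256(body).hexdigest() != e["sha256"]:
            raise ValueError(f"evidence part {e['name']} fails integrity check")
        out[e["name"]], off = body, off + e["len"]
    return out


def on_attack(store: EvidenceStore, p: OSProcess, pcap: bytes, siem_event: bytes):
    """Retrieve both files, attach them to the pcap dump and the IPS/SIEM event
    as one BLOB, and build the notification sent to the management console."""
    frames, activity = store.retrieve(p.pid)
    blob = pack_blob({"gui_frames": frames, "process_activity": activity,
                      "packet_capture": pcap, "siem_event": siem_event})
    return blob, {"pid": p.pid, "process": p.name, "blob_bytes": len(blob),
                  "blob_sha256": hashlib.sha256(blob).hexdigest()}


def run_demo() -> dict:
    # Constructed sample: an exposed privileged daemon and a low-risk editor.
    httpd = OSProcess(4242, "httpd", True, {80, 443}, {"203.0.113.5", "198.51.100.9"})
    notepad = OSProcess(5151, "notepad", False, set(), {"198.51.100.9"})
    weights = {p.pid: process_weight(p) for p in (httpd, notepad)}
    slots = allocate_slots(weights, budget=16)
    store = EvidenceStore(slots)
    for i in range(10):  # ten network events, two windows captured each time
        store.on_network_activity(httpd, f"accept 203.0.113.5:{50000 + i}",
                                  ["Server status", "Error log"])
    for i in range(3):
        store.on_network_activity(notepad, f"connect 198.51.100.9:443 #{i}", ["Untitled"])
    pcap = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20  # constructed pcap placeholder
    siem_event = json.dumps({"rule": "webshell upload", "pid": 4242}).encode()
    blob, notice = on_attack(store, httpd, pcap, siem_event)
    parts = unpack_blob(blob)
    return {"weights": weights, "slots": slots,
            "frames_kept": len(store.frames[httpd.pid]),
            "activity_kept": len(store.activity[httpd.pid]), "notice": notice,
            "roundtrip_ok": parts["packet_capture"] == pcap and parts["siem_event"] == siem_event}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In the constructed run the daemon weighs 14 and the editor 2, so of the 16 slots the daemon keeps 14 window frames while the editor keeps 2, which is the claimed property that a higher-weight process gets more storage for both files. Two things the claims leave open are worth settling before deploying anything like this: the window captures of a networked process are themselves sensitive (credentials and customer data are often on screen), so the repository and the BLOB need the same access control as the packet capture; and a hash in a manifest only detects tampering between storage and bundling, so for evidence that must survive a hostile host the manifest should also be signed or timestamped by the console rather than by the monitored machine.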
Specification