Mechanism to augment IPS/SIEM evidence information with process history snapshot and application window capture history
First Claim
1. A method comprising:
- responsive to detecting network activity on an operating system (OS) process actively operating on a computer system, identifying, by the one or more computer processors, the OS process;
- responsive to identifying the OS process, capturing, by the one or more computer processors, one or more graphical representations of each graphical user interface (GUI) window of the OS process;
- responsive to identifying the OS process, recording, by the one or more computer processors, process activity of the OS process;
- calculating, by the one or more computer processors, a weight for the OS process, wherein the weight for the OS process quantitatively indicates a risk level for network attacks on the OS process;
- storing, by the one or more computer processors, a first file including a sequence of the one or more graphical representations of each GUI window of the OS process;
- storing, by the one or more computer processors, a second file including the process activity of the OS process, wherein the first file and the second file are video files retrieved by an intrusion prevention software/security information and event management software (IPS/SIEM), and wherein the packet information is a packet capture dump and event information is IPS/SIEM event information, and wherein the steps of storing the first file and the second file comprise:
  - allocating, by the one or more computer processors, a number of storage resources in a storage repository to store the first file, based on the calculated weight for the OS process, whereby a first OS process having a greater calculated weight is allocated a greater number of storage resources in the storage repository to store the first file compared to a second OS process having a lesser calculated weight; and
  - allocating, by the one or more computer processors, a number of storage resources in the storage repository to store the second file, based on the calculated weight for the OS process, whereby the first OS process having the greater calculated weight is allocated a greater number of storage resources in the storage repository to store the second file compared to the second OS process having the lesser calculated weight;
- responsive to detecting a network attack, retrieving, by the one or more computer processors, the first file and the second file;
- attaching, by the one or more computer processors, the first file and the second file together with packet information and event information into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and
- sending, by the one or more computer processors, an electronic notification of the single BLOB to a management console associated with the computer system.
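As an added illustration (not the patent's own code), the following Python models the two weight-based storage-allocation steps and the single-BLOB attachment step of claim 1. The process names, the weights, the largest-remainder split and the tag/length/payload container layout are assumptions; the claim states only that storage grows with the calculated risk weight and that the two files, the packet capture dump and the IPS/SIEM event information end up in one BLOB.

```python
# Added example (not from the patent): weight-based evidence storage allocation
# and single-BLOB packaging. Names, weights and container layout are assumptions.
import struct

def allocate_storage(weights: dict, total_slots: int) -> dict:
    """Split total_slots across monitored processes in proportion to their
    risk weight, so a heavier (riskier) process gets more evidence storage.
    Every process keeps at least one slot; leftover slots go to the entries
    with the largest fractional remainder (largest-remainder method)."""
    if not weights or total_slots < len(weights):
        raise ValueError("need at least one storage slot per process")
    if not any(weights.values()):            # all-zero weights: share equally
        weights = dict.fromkeys(weights, 1)
    spare, total_w = total_slots - len(weights), sum(weights.values())
    shares = {p: 1 + (w * spare) // total_w for p, w in weights.items()}
    leftover = total_slots - sum(shares.values())
    by_remainder = sorted(weights, reverse=True,
                          key=lambda p: ((weights[p] * spare) % total_w, weights[p]))
    for p in by_remainder[:leftover]:
        shares[p] += 1
    return shares

MAGIC = b"EVID"   # assumed container marker

def pack_blob(window_video: bytes, activity_video: bytes, pcap: bytes, event: bytes) -> bytes:
    """Attach the window-capture file, the process-activity file, the packet
    capture dump and the IPS/SIEM event record into one self-describing BLOB:
    MAGIC, entry count, then (tag length, tag, payload length, payload) entries."""
    entries = [(b"WIN", window_video), (b"ACT", activity_video),
               (b"PCAP", pcap), (b"EVT", event)]
    out = [MAGIC, struct.pack(">I", len(entries))]
    for tag, payload in entries:
        out.append(struct.pack(">B", len(tag)) + tag + struct.pack(">Q", len(payload)) + payload)
    return b"".join(out)

def unpack_blob(blob: bytes) -> dict:
    """Reverse pack_blob on the management-console side, rejecting truncated input."""
    if blob[:4] != MAGIC:
        raise ValueError("not an evidence BLOB")
    (count,) = struct.unpack(">I", blob[4:8])
    pos, parts = 8, {}
    for _ in range(count):
        tlen = blob[pos]; pos += 1
        tag = blob[pos:pos + tlen].decode("ascii"); pos += tlen
        (plen,) = struct.unpack(">Q", blob[pos:pos + 8]); pos += 8
        if pos + plen > len(blob):
            raise ValueError("truncated BLOB")
        parts[tag] = blob[pos:pos + plen]; pos += plen
    return parts
```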
Abstract
A method to augment a plurality of IPS or SIEM evidence information is provided. The method may include monitoring a plurality of processes associated with a computer system. The method may also include identifying a plurality of processes that have network activity. The method may further include capturing the identified plurality of processes that have network activity. The method may also include storing the identified captured plurality of processes that have network activity. The method may include monitoring a plurality of selected programs associated with an operating system of the computer system. The method may also include identifying a plurality of selected programs that have network activity. The method may further include capturing a plurality of screen capture images associated with the identified plurality of selected programs. The method may include storing, by the second component, the captured plurality of system process activity.
20 Citations
4 Claims