Method and system for gathering and contextualizing multiple events to identify potential security incidents

US 9,948,678 B2
Filed: 10/27/2015
Issued: 04/17/2018
Est. Priority Date: 10/27/2015
Status: Active Grant

First Claim

Patent Images

1. A method of gathering and contextualizing multiple security events in a fault-tolerant server, comprising:

collecting a plurality of event logs generated by a plurality of disparate and unrelated event-generation components associated with the fault-tolerant server;

scanning a plurality of data items from the plurality of event logs within the fault-tolerant server and retrieving a plurality of platform-specific data related to the plurality of data items, the platform-specific data comprising user actions and attributes of one or more users and data items other than security events logged by a log generation application or agent running within the fault-tolerant server;

aggregating the plurality of event logs and the plurality of platform-specific data into a plurality of unassociated events data;

routing the plurality of unassociated events data to a security context engine;

contextualizing, by the security context engine, the plurality of unassociated events data to identify a previously unidentified incident pattern in real-time, generating threat assessment rules based on a security context, wherein contextualizing comprises;

parsing the plurality of unassociated events data in real-time to categorize information included within the plurality of unassociated events data into different category types to generate contextualized events data, and sending the contextualized events data to a database; and

applying, by an event profiler, a security context map in real-time to the contextualized events data to identify a security incident and sending the identified security incident to an analysis engine, wherein the security context map identifying relationships between one or more category types and a weighting factor for the one or more category types, wherein the security context map includes a set of relationships between security events data and platform-specific data comprising user actions and events other than security events logged by a log generation application or agent running within the fault-tolerant server;

evaluating, by the analysis engine, the identified security incident against one or more of the threat assessment rules in the database, by;

identifying the one or more threat assessment rules associated with the fault-tolerant server; and

comparing the identified security incident against each of the one or more threat assessment rules; and

generating a security notification if at least one of the one or more of the threat assessment rules indicates a security threat, based on the identified security incident.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for aggregating and correlating disparate and unrelated events to enable faster security event detection. A plurality of event logs generated by a number of disparate, unrelated, independent components of a fault-tolerant server and platform-specific data are contextualized through the use of a security context map, enabling unrelated events to be correlated to identify security incidents indicative of security threats. User- or system-generated rules may then be applied to the contextualized data to enable more sophisticated security breach identification.

25 Citations

View as Search Results

15 Claims

1. A method of gathering and contextualizing multiple security events in a fault-tolerant server, comprising:
- collecting a plurality of event logs generated by a plurality of disparate and unrelated event-generation components associated with the fault-tolerant server;
  
  scanning a plurality of data items from the plurality of event logs within the fault-tolerant server and retrieving a plurality of platform-specific data related to the plurality of data items, the platform-specific data comprising user actions and attributes of one or more users and data items other than security events logged by a log generation application or agent running within the fault-tolerant server;
  
  aggregating the plurality of event logs and the plurality of platform-specific data into a plurality of unassociated events data;
  
  routing the plurality of unassociated events data to a security context engine;
  
  contextualizing, by the security context engine, the plurality of unassociated events data to identify a previously unidentified incident pattern in real-time, generating threat assessment rules based on a security context, wherein contextualizing comprises;
  
  parsing the plurality of unassociated events data in real-time to categorize information included within the plurality of unassociated events data into different category types to generate contextualized events data, and sending the contextualized events data to a database; and
  
  applying, by an event profiler, a security context map in real-time to the contextualized events data to identify a security incident and sending the identified security incident to an analysis engine, wherein the security context map identifying relationships between one or more category types and a weighting factor for the one or more category types, wherein the security context map includes a set of relationships between security events data and platform-specific data comprising user actions and events other than security events logged by a log generation application or agent running within the fault-tolerant server;
  
  evaluating, by the analysis engine, the identified security incident against one or more of the threat assessment rules in the database, by;
  
  identifying the one or more threat assessment rules associated with the fault-tolerant server; and
  
  comparing the identified security incident against each of the one or more threat assessment rules; and
  
  generating a security notification if at least one of the one or more of the threat assessment rules indicates a security threat, based on the identified security incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the plurality of disparate and unrelated event-generation components of the fault-tolerant server comprising one or more of:
    - software applications running on the server;
      
      processing hardware;
      
      terminals connected to the fault-tolerant server;
      
      software agents running on the fault-tolerant server or other mission critical systems;
      
      operating systems, either running on the fault-tolerant system or on one or more peripheral terminals or systems connected therewith;
      
      other mission critical systems;
      
      or networking components.
  - 3. The method of claim 2, wherein the fault-tolerant server is a NonStop server, and the plurality of disparate and unrelated event-generation components of the fault-tolerant server further comprises one or more of:
    - XYGATE components;
      
      or a Safeguard subsystem.
  - 4. The method of claim 1, further comprising:
    - a service bus receiving the plurality of event logs and the plurality of platform-specific data.
  - 5. The method of claim 1, wherein identifying the one or more threat assessment rules comprising:
    - retrieving the identified one or more threat assessment rules stored within the database; and
      
      sending the retrieved one or more threat assessment rules to a rules engine.
  - 6. The method of claim 1, wherein identifying the one or more threat assessment rules comprising:
    - sending the unassociated events data to a security context generator, analyzing the plurality of event logs against the plurality of platform-specific data; and
      
      generating the threat assessment rules based on the analyzing.
  - 7. The method of claim 6, further comprising:
    - retrieving a set of security parameters associated with the fault-tolerant server from the database;
      
      analyzing the plurality of event logs against the plurality of platform-specific data and the set of security parameters; and
      
      generating a threat assessment rule based on the analyzing.
  - 8. The method of claim 6, further comprising storing the generated threat assessment rule in the database.
  - 9. The method of claim 1, wherein each threat assessment rule is associated with a threat value, and generating the security notification comprises generating a threat level indicator based on the threat value determined by the evaluation.
  - 10. The method of claim 1, wherein the retrieved platform-specific data comprises operational data concerning internal hardware of the fault-tolerant server.
  - 11. The method of claim 10, wherein the operational data comprises data concerning CPU usage or memory usage.
  - 12. The method of claim 1, wherein the retrieved platform-specific data comprises data regarding at least one of the following:
    - files, applications, processes, and databases.
  - 13. The method of claim 12, wherein the retrieved platform-specific data comprises data regarding at least one of the following:
    - a file format, data regarding an owner of a data item, a creation date, number of extents allocated, whether and when data was modified, and security associated with a data file.
  - 14. The method of claim 1, wherein the retrieved platform-specific data comprises data regarding at least one of the following:
    - when a user'"'"'s access rights or account expires, when a user'"'"'s password expires, how often a password must be changed within a system, and when a user'"'"'s account was created or modified.
  - 15. The method of claim 14, wherein the retrieved platform-specific data comprises data regarding when a user'"'"'s account was created or modified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XYPRO Technology Corporation
Original Assignee
XYPRO Technology Corporation
Inventors
Tcherchian, Stephen, Mabugat, Noel, Alonzo, Jorge, Burgess, Rayna, Uroff, Scott
Primary Examiner(s)
Thiaw, Catherine
Assistant Examiner(s)
An, Wayne

Application Number

US14/923,841
Publication Number

US 20170118245A1
Time in Patent Office

903 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Method and system for gathering and contextualizing multiple events to identify potential security incidents

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for gathering and contextualizing multiple events to identify potential security incidents

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links