Processing security-relevant events using tagged trees
First Claim
1. A computing device comprising:
a processor; and
a memory coupled to the processor, the memory storing:
a tree object representing an execution chain of at least a first system component and a second system component of a plurality of system components, wherein the tree object comprises:
an indication of the first system component; and
an indication of the second system component;
a first data object representing the first system component;
a second data object representing the second system component; and
executable instructions;
wherein the executable instructions, when operated by the processor, cause the processor to perform operations including:
assigning, to both the first data object and the second data object, a first tag representing the tree object;
detecting a first event associated with the first system component;
in response to the first event, assigning, to the tree object, a second tag, wherein the second tag applies transitively to the data objects via the first tag;
detecting a second event subsequent to the first event and associated with the second system component; and
in response to the second event, performing a remedial action with respect to the first system component based at least in part on the second tag assigned to the tree object and the first tag assigned to the first data object.
Abstract
Devices described herein are configured to propagate tags among data objects representing system components. Such devices may detect an event associated with a plurality of system components. Based at least in part on detecting the event and on a configurable policy, the devices may propagate a tag that is assigned to a data object representing one of the plurality of system components to another data object representing another of the plurality of system components. One example of such a tag may be associated with a tree object that represents an execution chain of at least the system component represented by the data object and the other system component represented by the other data object. Another example of such a tag may be a user-specified tag of another entity that the entity associated with the devices subscribes to.
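The mechanism in the first claim and the abstract can be illustrated in Python. This is an added example, not code from the patent or its assignee; the class names, event names, policy tables and the "suspend" action are hypothetical, and remediating every other member of the tagged tree is a choice made for the example.

```python
from dataclasses import dataclass, field

# Hypothetical policy (not from the patent): events that tag a tree,
# and events that trigger remediation once the tree carries that tag.
TAGGING_EVENTS = {"unsigned_module_load": "suspicious"}
TRIGGER_EVENTS = {"outbound_connection"}

@dataclass
class Tree:
    tree_id: str
    members: list                      # indications of the system components
    tags: set = field(default_factory=set)

class TagStore:
    def __init__(self):
        self.trees = {}                # tree_id -> Tree
        self.obj_tags = {}             # component name -> tags on its data object

    def add_chain(self, tree_id, components):
        self.trees[tree_id] = Tree(tree_id, list(components))
        for name in components:        # first tag: a reference to the tree object
            self.obj_tags.setdefault(name, set()).add(("tree", tree_id))

    def trees_of(self, name):
        return [self.trees[t[1]] for t in sorted(self.obj_tags.get(name, ()), key=str)
                if isinstance(t, tuple) and t[0] == "tree"]

    def effective_tags(self, name):
        """Direct tags plus tags inherited transitively through tree tags."""
        direct = {t for t in self.obj_tags.get(name, ()) if isinstance(t, str)}
        return direct.union(*(tr.tags for tr in self.trees_of(name)))

    def handle(self, component, event):
        """Process one event; return the remedial actions it triggers."""
        actions = []
        for tree in self.trees_of(component):
            if event in TAGGING_EVENTS:            # second tag goes on the tree only
                tree.tags.add(TAGGING_EVENTS[event])
            elif event in TRIGGER_EVENTS and "suspicious" in tree.tags:
                actions += [("suspend", m) for m in tree.members
                            if m != component and ("tree", tree.tree_id) in self.obj_tags[m]]
        return actions

def demo():
    store = TagStore()
    store.add_chain("chain-1", ["parent.exe", "child.exe"])   # constructed sample data
    store.add_chain("chain-2", ["other.exe"])
    first = store.handle("parent.exe", "unsigned_module_load")
    second = store.handle("child.exe", "outbound_connection")
    return first, second, store.effective_tags("child.exe"), store.effective_tags("other.exe")
```

The second tag is written once, to the tree; `child.exe` and `parent.exe` pick it up only through their tree reference, which is why `other.exe` in a separate chain is unaffected.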
20 Claims
7. A computer-implemented method comprising:
performing the following operations:
creating, in a computer-readable memory, a first data object representing a first system component of a monitored computing device;
creating, in the computer-readable memory, a second data object representing a second system component of a monitored computing device;
creating, in the computer-readable memory, a tree object representing an execution chain, the tree object comprising:
an indication of the first system component; and
an indication of the second system component;
assigning, to both the first data object and the second data object, a first tag representing the tree object; and
subsequently, performing the following operations:
detecting a first event associated with the first system component;
in response to the first event, assigning, to the tree object, a second tag, wherein the second tag applies transitively to the first data object and the second data object via the first tag;
detecting a second event subsequent to the first event and associated with the second system component; and
in response to the second event, performing a remedial action with respect to the first system component based at least in part on the second tag.
16. A computer-implemented method, comprising:
performing the following operations:
receiving, via a network, information of a first system component and a second system component of a monitored computing device;
creating, in a computer-readable memory, a first data object representing the first system component and a second data object representing the second system component;
receiving, via the network, an indication of a first event associated with both the first system component and the second system component;
creating, in the computer-readable memory, a tree object representing the first event, the tree object comprising:
an indication of the first system component; and
an indication of the second system component; and
subsequently, performing the following operations:
assigning, to both the first data object and the second data object, a first tag representing the tree object;
receiving, via the network, an indication of a second event associated with the first system component;
in response to the second event, assigning, to the tree object, a second tag;
receiving, via the network, an indication of a third event subsequent to the second event and associated with the second system component; and
in response to the third event, performing a remedial action with respect to the first system component based at least in part on the second tag.
Specification