Method and System for Managing Computer Security Information

US 20020078381A1
Filed: 04/27/2001
Published: 06/20/2002
Est. Priority Date: 04/28/2000
Status: Active Grant

First Claim

Patent Images

1. A method for managing security information comprising the steps of:

receiving raw events from one or more data sources;

classifying the raw events;

storing the raw events;

assigning a ranking to each raw event;

identifying relationships between two or more raw events;

in response to identifying any relationships between two or more raw events, generating a mature correlation event message; and

displaying one or more mature correlation event messages on a console that describe relationships between raw events.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Abstract of Disclosure

A security management system includes a fusion engine which "fuses" or assembles information from multiple data sources and analyzes this information in order to detect relationships between raw events that may indicate malicious behavior and to provide an organized presentation of information to consoles without slowing down the processing performed by the data sources. The multiple data sources can comprise sensors or detectors that monitor network traffic or individual computers or both. The sensors can comprise devices that may be used in intrusion detection systems (IDS). The data sources can also comprise firewalls, audit systems, and other like security or IDS devices that monitor data traffic in real-time. The present invention can identify relationships between one or more real-time, raw computer events as they are received in real-time. The fusion engine can also assess and rank the risk of real-time raw events as well as mature correlation events.

404 Citations

41 Claims

1. A method for managing security information comprising the steps of:
- receiving raw events from one or more data sources;
  
  classifying the raw events;
  
  storing the raw events;
  
  assigning a ranking to each raw event;
  
  identifying relationships between two or more raw events;
  
  in response to identifying any relationships between two or more raw events, generating a mature correlation event message; and
  
  displaying one or more mature correlation event messages on a console that describe relationships between raw events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 38)
- - 2. The method of claim 1, wherein each raw event comprises suspicious computer activity detected by one of an automated system and human observation.
  - 3. The method of claim 1, wherein the step of receiving raw events from one or more data sources further comprises the step of receiving real-time raw events from one of intrusion detection system, a detector within an intrusion detection system, and a firewall.
  - 4. The method of claim 1, wherein the step of receiving raw events from one or more data sources further comprises the step of receiving raw events from one of a file and database.
  - 5. The method of claim 1, wherein the step of classifying the raw events further comprises the steps of:
6. The method of claim 1, wherein the step of assigning a ranking to each raw event further comprises the steps of:
- comparing parameters of each raw event with information in a database; and
  
  assigning additional parameters to each raw event relating to the environment of the raw event.
7. The method of claim 6, wherein the additional parameters comprise one of a priority status, a vulnerability status, a historical frequency value, a source zone value, a destination zone value, a detector zone value, and a priority change reason text string.
8. The method of claim 1, wherein the step of assigning a ranking to each raw event further comprises the steps of:
- identifying a priority status parameter of a raw event;
  
  comparing each raw event to information contained in a context database;
  
  changing the priority status parameter of a respective raw event if a match occurs in response to the comparison step; and
  
  leaving the priority status in tact if a match does not occur in response to the comparison step.
9. The method of claim 1, wherein the step of identifying relationships between two or more raw events further comprises the steps of:
- associating each raw event with one or more rules that correspond with a type parameter of the raw event; and
  
  applying each rule to its associated group of raw events; and
  
  determining if a computer attack or security breach has occurred based upon successful application of a rule.
10. The method of claim 1, wherein the step of storing raw events further comprises the step of storing each raw event in a high speed memory device comprising random access memory (RAM).
11. The method of claim 1, further comprising the step of determining the intent of a computer attack based upon the type of mature correlation event generated.
12. The method of claim 1, further comprising the steps of:
- creating a memory management list;
  
  identifying a time stamp for each raw event; and
  
  adding each raw event to the memory management list.
13. The method of claim 1, further comprising the step of creating a raw event tracking index that identifies one or more software components that are monitoring one or more raw events.
38. A computer readable medium having computer-executable instructions for performing the steps recited in claim 1.

14. A method for determining relationships between two or more computer events, comprising the steps of:
- receiving a plurality of raw events having a first set of parameters;
  
  creating raw event storage areas based upon information received from a raw event classification database;
  
  storing each event in an event storage area based upon an event type parameter;
  
  comparing each raw event to data contained in a context database;
  
  adjusting a priority parameter or leaving the priority parameter in tact for each raw event in response to the comparison to the context database;
  
  associating each raw event with one or more correlation events ;
  
  applying one or more rules to each event based upon the correlation event associations; and
  
  generating a mature correlation event message in response to each successful application of a rule.
- View Dependent Claims (15, 16, 17, 39)
- - 15. The method of claim 14, wherein each raw event comprises suspicious computer activity detected by one of an automated system and human observation.
  - 16. The method of claim 14, wherein the context database comprises any one of vulnerability values, computer event frequency values, source and destination zone values, and detector zone values.
  - 17. The method of claim 14, wherein the raw event classification database comprises tables that include information that categorizes raw events based on any one of the following:
    - how an activity indicated by a raw event may impact one or more target computers, how many target computers may be affected by an activity indicated by a raw event, and how activities indicated by respective raw events gain access to one or more target computers.
  - 39. A computer readable medium having computer-executable instructions for performing the steps recited in claim 14.

18. A security management system comprising:
- a plurality of data sources;
  
  an event collector linked to the plurality of data sources;
  
  a fusion engine linked to the event collector, said fusion engine identifying relationships between two or more raw events generated by the data sources; and
  
  a console linked to the event collector for displaying any output generated by the fusion engine.
- View Dependent Claims (19, 20, 21)
- - 19. The security management system of claim 18, further comprising a detector, the detector running in a kernel mode of a computer and the fusion engine running in a user mode of the computer.
  - 20. The security management system of claim 18, further comprising a detector chip, and the fusion engine comprising software running on a computer.
  - 21. The security management system of claim 18, further comprising a detector board, and the fusion engine comprising software running on a computer.

22. A fusion engine comprising:
- a controller;
  
  an event reader for receiving raw events;
  
  a classifier linked to the event reader for classifying the received raw events;
  
  a raw event classification database linked to the classifier;
  
  a context based risk-adjustment processor linked to the classifier, for adjusting priorities of raw events;
  
  a context database linked to the context based risk-adjustment processor; and
  
  a rule database, for determining if relationships exist between two or more events.
- View Dependent Claims (23, 24, 25)
- - 23. The fusion engine of claim 22, further comprising an event reporter, a mature event list, a memory management list, and a raw event tracking index .
  - 24. The fusion engine of claim 22, wherein the context database comprises any one of vulnerability values, computer event frequency values, source and destination zone values, and detector zone values.
  - 25. The fusion engine of claim 22, wherein the raw event classification database comprises tables that include information that categorizes raw events based on any one of the following:
    - how an activity indicated by a raw event may impact one or more target computers, how many target computers may be affected by an activity indicated by a raw event, and how activities indicated by respective raw events gain access to one or more target computers.

26. A method for managing security information comprising the steps of:
- receiving a raw event having a first ranking from one or more data sources;
  
  classifying the raw event;
  
  storing the raw event; and
  
  assigning a second ranking to the raw event, whereby the second ranking assesses risks of the raw event based upon a context of the raw event.
- View Dependent Claims (27, 28, 29, 30, 40)
- - 27. The method of claim 26, wherein the first ranking comprises one or more relative values measuring potential risk or damage that is associated with an activity indicated by the raw event.
  - 28. The method of claim 26, wherein the step of assigning a second ranking to each raw event further comprises the steps of:
29. The method of claim 28, wherein the additional parameters comprise at least one of a priority status, a vulnerability status, a historical frequency value, a source zone value, a destination zone value, a detector zone value, and a priority change reason text string.
30. The method of claim 26, wherein the step of assigning a second ranking to each raw event further comprises the steps of:
- identifying a priority status parameter of a raw event;
  
  comparing each raw event to information contained in a context database;
  
  changing the priority status parameter of a respective raw event if a match occurs in response to the comparison step; and
  
  leaving the priority status in tact if a match does not occur in response to the comparison step.
40. A computer readable medium having computer-executable instructions for performing the steps recited in claim 26.

31. A method for managing security information comprising the steps of:
- receiving raw events from one or more data sources;
  
  classifying the raw events;
  
  grouping two or more raw events into a high level correlation event;
  
  in response to grouping the two or more raw events, generating a mature correlation event message; and
  
  displaying one or more mature correlation event messages on a console that describe relationships between raw events, whereby a number of events displayed on the console can be substantially minimized.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 41)
- - 32. The method of claim 31, wherein each raw event comprises suspicious computer activity detected by one of an automated system and human observation.
  - 33. The method of claim 31, wherein the step of receiving raw events from one or more data sources further comprises the step of receiving real-time raw events from one of intrusion detection system, a detector within an intrusion detection system, and a firewall.
  - 34. The method of claim 31, wherein the step of receiving raw events from one or more data sources further comprises the step of receiving raw events from one of a file and database.
  - 35. The method of claim 31, wherein the step of classifying the raw events further comprises the steps of:
36. The method of claim 31, wherein the step of classifying comprises the step of categorizing a raw event based on any one of the following:
- how an activity indicated by a raw event may impact one or more target computers, how many target computers may be affected by an activity indicated by a raw event, and how activities indicated by respective raw events gain access to one or more target computers.
37. The method of claim 31, wherein the step of grouping two or more raw events further comprises the step of determining a time at which a respective raw event occurred relative to another raw event.
41. A computer readable medium having computer-executable instructions for performing the steps recited in claim 31.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Internet Security Systems Incorporated (International Business Machines Corporation)
Inventors
Williams, Bryan Douglas, Mezack, Derek John, Brass, Philip Charles, Farley, Timothy P., Young, George C., Hammer, John M.

Granted Patent

US 7,089,428 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2151   Time stamp

H04L 41/065   involving logical or physic...

H04L 41/0686   Additional information in t...

H04L 41/28   Restricting access to netwo...

H04L 43/00   Arrangements for monitoring...

H04L 43/16   Threshold monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Method and System for Managing Computer Security Information

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

404 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Managing Computer Security Information

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

404 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links