SYSTEMS AND METHODS FOR DISTRIBUTED RULE-BASED CORRELATION OF EVENTS

US 20140165200A1
Filed: 07/29/2011
Published: 06/12/2014
Est. Priority Date: 07/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method for distributed correlation of events, the method comprising:

receiving, at a computing device, a notification of a partial match of a distributed rule by an event of a first subset of events, wherein the notification comprises a set of properties of the event of the first subset of events;

evaluating the distributed rule using the set of properties of the event of the first subset of events and a set of properties of an event of a second subset of events;

determining a complete match of the rule based on the evaluation; and

generating a correlation event.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for distributed rule-based correlation of events are provided. A notification of a partial match of a distributed rule by an event of a first subset of events is received. The notification includes a set of properties of the event of the first subset of events. The distributed rule is evaluated using the set of properties of the event of the first subset of events and a set of properties of an event of a second subset of events. A complete match of the rule is determined based on the evaluation, and a correlation event is generated.

149 Citations

15 Claims

1. A method for distributed correlation of events, the method comprising:
- receiving, at a computing device, a notification of a partial match of a distributed rule by an event of a first subset of events, wherein the notification comprises a set of properties of the event of the first subset of events;
  
  evaluating the distributed rule using the set of properties of the event of the first subset of events and a set of properties of an event of a second subset of events;
  
  determining a complete match of the rule based on the evaluation; and
  
  generating a correlation event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving, at the computing device, the event of the second subset of events;
      
      evaluating the rule using a set of properties of the event of the second subset of events; and
      
      determining a partial match of the rule by the event of the second subset of events.
  - 3. The method of claim 1, wherein the event of the first subset of events is received at a second computing device, and wherein the notification of the partial match by the event of the first subset of events is generated by the second computing device.
  - 4. The method of claim 1, wherein the set of properties of the event of the first subset of events includes an event timestamp, an event identifier, a set of aggregation fields, and a set of join fields.
  - 5. The method of claim 1, wherein evaluating the distributed rule comprises:
    - aggregating the event of the first subset of events and the event of the second subset of events; and
      
      determining whether each set of conditions of the distributed rule are satisfied based on the aggregation.
  - 6. The method of claim 1, further comprising:
    - detecting, by the computing device, an update to a local copy of a data list; and
      
      synchronizing a master copy of the data list with the local copy.
  - 7. The method of claim 1, wherein data validation is performed on a local copy of a data list prior to evaluating a lookup request on the local copy.
  - 8. The method of claim 7, wherein the lookup request is batched until the local copy of the data list is validated.

9. A system for distributed correlation of events, the system comprising:
- a first processor of a first computer system and configured to;
  
  receive events of a first subset of events; and
  
  generate a notification of a partial match of a distributed rule by an event of the first subset of events, wherein the notification comprises a set of properties of the event of the first subset of events; and
  
  a second processor of a second computer system and configured to;
  
  receive events of a second subset of events;
  
  receive the notification;
  
  evaluate the distributed rule using the set of properties of the event of the first subset of events and a set of properties of an event of the second subset of events;
  
  determine a complete match of the rule based on the evaluation; and
  
  generate a correlation event.
- View Dependent Claims (10, 11, 12)
- - 10. The system of claim 9, wherein the set of properties of the event of the first subset of events includes an event timestamp, an event identifier, a set of aggregation fields, and a set of join fields.
  - 11. The system of claim 9, wherein the second processor is configured to evaluate the distributed rule by:
    - aggregating the event of the first subset of events and the event of the second subset of events; and
      
      determining whether each set of conditions of the distributed rule are satisfied based on the aggregation.
  - 12. The system of claim 9, wherein the second processor is configured to:
    - detect an update to a local copy of a data list; and
      
      synchronize a master copy of the data list with the local copy.

13. A non-transitory computer-readable medium storing a plurality of instructions to control a data processor to correlate events, the plurality of instructions comprising instructions that cause the data processor to:
- receive a notification of a partial match of a distributed rule by an event of a first subset of events, wherein the notification comprises a set of properties of the event of the first subset of events;
  
  evaluate the distributed rule using the set of properties of the event of the first subset of events and a set of properties of an event of a second subset of events;
  
  determine a complete match of the rule based on the evaluation; and
  
  generate a correlation event.
- View Dependent Claims (14, 15)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the instructions that cause the data processor to evaluate the distributed rule comprise instructions that cause the data processor to:
    - aggregate the event of the first subset of events and the event of the second subset of events; and
      
      determine whether each set of conditions of the distributed rule are satisfied based on the aggregation.
  - 15. The non-transitory computer-readable medium of claim 13, wherein the plurality of instructions further comprise instructions that cause the data processor to:
    - detect an update to a local copy of a data list; and
      
      synchronize a master copy of the data list with the local copy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
entIT Software LLC (Open Text Corporation)
Inventors
Singla, Anurag

Granted Patent

US 9,571,508 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06Q 10/10   Office automation; Time man...

H04L 63/1416   Event detection, e.g. attac...

SYSTEMS AND METHODS FOR DISTRIBUTED RULE-BASED CORRELATION OF EVENTS

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

149 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DISTRIBUTED RULE-BASED CORRELATION OF EVENTS

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links