MECHANISM TO AUGMENT IPS/SIEM EVIDENCE INFORMATION WITH PROCESS HISTORY SNAPSHOT AND APPLICATION WINDOW CAPTURE HISTORY

US 20170034202A1
Filed: 10/12/2016
Published: 02/02/2017
Est. Priority Date: 03/19/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

responsive to detecting network activity on an operating system (OS) process actively operating on a computer system, identifying, by the one or more computer processors, the OS process;

responsive to identifying the OS process, capturing, by the one or more computer processors, one or more graphical representations of each graphical user interface (GUI) window of the OS process;

responsive to identifying the OS process, recording, by the one or more computer processors, process activity of the OS process;

storing, by the one or more computer processors, a first file including a sequence of the one or more graphical representations of each GUI window of the OS process;

storing, by the one or more computer processors, a second file including the process activity of the OS process;

responsive to detecting a network attack, retrieving, by the one or more computer processors, the first file and the second file;

attaching, by the one or more computer processors, the first file and the second file together with packet information and event information into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and

sending, by the one or more computer processors, an electronic notification of the single BLOB to a management console associated with the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method to augment a plurality of IPS or SIEM evidence information is provided. The method may include monitoring a plurality of processes associated with a computer system. The method may also include identifying a plurality of processes that have network activity. The method may further include capturing the identified plurality of processes that have network activity. The method may also include storing the identified captured plurality of processes that have network activity. The method may include monitoring a plurality of selected programs associated with an operating system of the computer system. The method may also include identifying a plurality of selected programs that have network activity. The method may further include capturing a plurality of screen capture images associated with the identified plurality of selected programs. The method may include storing, by the second component the captured plurality of system process activity.

8 Citations

7 Claims

1. A method comprising:
- responsive to detecting network activity on an operating system (OS) process actively operating on a computer system, identifying, by the one or more computer processors, the OS process;
  
  responsive to identifying the OS process, capturing, by the one or more computer processors, one or more graphical representations of each graphical user interface (GUI) window of the OS process;
  
  responsive to identifying the OS process, recording, by the one or more computer processors, process activity of the OS process;
  
  storing, by the one or more computer processors, a first file including a sequence of the one or more graphical representations of each GUI window of the OS process;
  
  storing, by the one or more computer processors, a second file including the process activity of the OS process;
  
  responsive to detecting a network attack, retrieving, by the one or more computer processors, the first file and the second file;
  
  attaching, by the one or more computer processors, the first file and the second file together with packet information and event information into a single Binary Large OBject (BLOB), wherein the single BLOB is a collection of binary data stored as a single entity in a database management system; and
  
  sending, by the one or more computer processors, an electronic notification of the single BLOB to a management console associated with the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first file and the second file are video files retrieved by an intrusion prevention software/security information and event management software (IPS/SIEM), and wherein the packet information is a packet capture dump and event information is IPS/SIEM event information.
  - 3. The method of claim 1, wherein the one or more graphical representations of each GUI window of the OS process is a screen capture of each GUI window of the OS process, including one or more delta algorithms describing changes between each GUI window.
  - 4. The method of claim 1, further comprising:
    - calculating, by the one or more computer processors, a weight for the OS process, wherein the weight for the OS process quantitatively indicates a risk level for network attacks on the OS process.
  - 5. The method of claim 4, wherein the steps of storing the first file and the second file comprise:
    - allocating, by the one or more computer processors, a number of storage resources in a storage repository to store the first file, based on the calculated weight for the OS process whereby a first OS process having a greater calculated weight is allocated a greater number of storage resources in the storage repository to store the first file compared to a second OS process having a lesser calculated weight; and
      
      allocating, by the one or more computer processors, a number of storage resources in the storage repository to store the second file, based on the calculated weight for the OS process, whereby the first OS process having the greater calculated weight is allocated a greater number of storage resources in the storage repository to store the second file compared to the second OS process having the lesser calculated weight.
  - 6. The method of claim 4, wherein the step of calculating the weight for the OS process comprises:
    - determining, by the one or more computer processors, process parameters for the OS process, wherein one of the process parameters for the OS process indicates a number of network sockets opened for OS process; and
      
      calculating, by the one or more computer processors, the weight for the OS process based on the process parameters for the OS process.
  - 7. The method of claim 6, wherein one of the process parameters of the OS process includes an indication whether the OS process receives a user input.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Lee, Chien Pang, Mahadevan, Hariharan

Granted Patent

US 9,906,548 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/71   Indexing; Data structures t...

G06F 16/951   Indexing; Web crawling tech...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 3/0487   using specific features pro...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

MECHANISM TO AUGMENT IPS/SIEM EVIDENCE INFORMATION WITH PROCESS HISTORY SNAPSHOT AND APPLICATION WINDOW CAPTURE HISTORY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

MECHANISM TO AUGMENT IPS/SIEM EVIDENCE INFORMATION WITH PROCESS HISTORY SNAPSHOT AND APPLICATION WINDOW CAPTURE HISTORY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links