Method and system for creating a record for one or more computer security incidents

US 9,027,121 B2
Filed: 07/13/2007
Issued: 05/05/2015
Est. Priority Date: 10/10/2000
Status: Active Grant

First Claim

Patent Images

1. A computer program product for creating a record of one or more computer security incidents, said computer program product comprising:

a computer-readable, tangible storage device;

first program instructions to record information about a computer security incident and a date stamp or time stamp for the computer security incident, the computer security incident information identifying one or more attacks received from a network computer that occur prior to an actual computer security threat;

second program instructions, responsive to the computer security incident information, to classify the computer security incident and identify one or more computer security procedures corresponding to the classification, each of said computer security procedures comprising one or more steps for investigating or mitigating the computer security incident;

third program instructions to generate a display of said one or more computer security procedures;

fourth program instructions to receive a selection from a user of one of said computer security procedures and one or more steps of the selected computer security procedure to mitigate the one or more attacks; and

fifth program instructions to generate and output a record comprising the computer security incident information, results of execution of the selected one or more steps of the selected computer security procedure, an identity of the user who selected the computer security procedure, and the date stamp and time stamp for the computer security incident,wherein the fifth program instructions record the results of the executed computer security procedure with a digital signature to enable detection of any attempted modification of the record, whereby integrity of the record can be monitored, andwherein said first, second, third, fourth and fifth program instructions are stored on said computer-readable, tangible storage device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security management system can log, investigate, respond, and track computer security incidents that can occur in a networked computer system. In other words, the security management system can produce a security record of information related to the tracking of suspicious computer activity or actual computer security threats, such as denial of service attacks or other similar compromises to computers or computer networks. The security record can include, but is not limited to, date and times of computer security incidents, a name for a particular security incident, a security management system user, and a potential source of the computer security incident. The security record can be designed as a running log that saves or records all activity of a computer incident source as well as the activity of the security team responding to the computer incident source. To produce the security record, all data that relates to a computer incident and all data that relates to a computer incident response can be sent to a separate protected database, where data is protected by digital signature algorithms (DSAs).

264 Citations

19 Claims

1. A computer program product for creating a record of one or more computer security incidents, said computer program product comprising:
- a computer-readable, tangible storage device;
  
  first program instructions to record information about a computer security incident and a date stamp or time stamp for the computer security incident, the computer security incident information identifying one or more attacks received from a network computer that occur prior to an actual computer security threat;
  
  second program instructions, responsive to the computer security incident information, to classify the computer security incident and identify one or more computer security procedures corresponding to the classification, each of said computer security procedures comprising one or more steps for investigating or mitigating the computer security incident;
  
  third program instructions to generate a display of said one or more computer security procedures;
  
  fourth program instructions to receive a selection from a user of one of said computer security procedures and one or more steps of the selected computer security procedure to mitigate the one or more attacks; and
  
  fifth program instructions to generate and output a record comprising the computer security incident information, results of execution of the selected one or more steps of the selected computer security procedure, an identity of the user who selected the computer security procedure, and the date stamp and time stamp for the computer security incident,wherein the fifth program instructions record the results of the executed computer security procedure with a digital signature to enable detection of any attempted modification of the record, whereby integrity of the record can be monitored, andwherein said first, second, third, fourth and fifth program instructions are stored on said computer-readable, tangible storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer program product of claim 1, further comprising sixth program instructions to execute the selected one or more steps of the selected computer security, and wherein the sixth program instructions are stored on said computer-readable, tangible storage device.
  - 3. The computer program product of claim 1, further comprising sixth program instructions to automatically select a default computer security procedure, and wherein the sixth program instructions are stored on said computer-readable, tangible storage device.
  - 4. The computer program product of claim 2, wherein the results of execution of the selected one or more steps of the selected executed computer security procedure identify the executed one or more steps.
  - 5. The computer program product of claim 3, further comprising sixth program instructions to predict future actions of a source of the computer security incident based on a sequence of actions taken by the source, and wherein the sixth program instructions are stored on said computer-readable, tangible storage device.
  - 6. The computer program product of claim 5, wherein the sixth program instructions predict future actions of the source by determining whether the sequence of actions taken by the source matches a known sequence.
  - 7. The computer program product of claim 4, further comprising sixth program instructions to identify a computer capable of executing a step in the selected computer security procedure, and wherein the sixth program instructions are stored on said computer-readable, tangible storage device.

8. A computer program product for creating a record of one or more computer security incidents, said computer program product comprising:
- a computer-readable, tangible storage device;
  
  first program instructions to record information about a computer security incident and a date stamp or time stamp for the computer security incident, the computer security incident information identifying one or more attacks received from a network computer that occur prior to an actual computer security threat;
  
  second program instructions, responsive to the computer security incident information, to classify the computer security incident and identify one or more computer security procedures corresponding to the classification, each of said computer security procedures comprising one or more steps for investigating or mitigating the computer security incident;
  
  third program instructions to generate a display of said one or more computer security procedures;
  
  fourth program instructions to receive a selection from a user of one of said computer security procedures and one or more steps of the selected computer security procedure to mitigate the one or more attacks;
  
  fifth program instructions to identify a computer capable of executing a step in the selected computer security procedure; and
  
  sixth program instructions to generate and output a record comprising the computer security incident information, results of execution of the selected one or more steps of the selected computer security procedure, an identity of the user who selected the computer security procedure, and the date stamp and time stamp for the computer security incident,wherein the sixth program instructions record the results of the executed computer security procedure with a digital signature to enable detection of any attempted modification of the record, whereby integrity of the record can be monitored, andwherein said first, second, third, fourth, fifth, and sixth program instructions are stored on said computer-readable, tangible storage device.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer program product of claim 8, further comprising seventh program instructions to access a table comprising computer locations and step information;
    - and compare a step to be executed in a computer security procedure with computer locations listed in the table, and wherein the seventh program instructions are stored on said computer-readable, tangible storage device.
  - 10. The computer program product of claim 9, further comprising eighth program instructions to determine if a match exists between the step to be executed and the computer locations;
    - and if one or more matches exist, displaying the matching information or automatically selecting an appropriate location, and wherein the eighth program instructions are stored on said computer-readable, tangible storage device.
  - 11. The computer program product of claim 10, further comprising ninth program instructions to display a substitute computer location if a match does not exist, and wherein the ninth program instructions are stored on said computer-readable, tangible storage device.
  - 12. The computer program product of claim 9, wherein the table further comprises Internet address ranges, the program product further comprising eighth program instructions to compare an Internet address of a source of a computer security incident with the Internet address ranges of the table, and wherein the eighth program instructions are stored on said computer-readable, tangible storage device.
  - 13. The computer program product of claim 8, wherein the identified computer is strategically located relative to a source of a computer security incident.

14. A computer system for creating a record of one or more computer security incidents, said computer system comprising:
- a CPU, computer-readable memory, and a computer-readable, tangible storage device;
  
  first program instructions to record information about a computer security incident and a date stamp or time stamp for the computer security incident, the computer security incident information identifying one or more attacks received from a network computer that occur prior to an actual computer security threat;
  
  second program instructions, responsive to the computer security incident information, to classify the computer security incident and identify one or more computer security procedures corresponding to the classification, each of said computer security procedures comprising one or more steps for investigating or mitigating the computer security incident;
  
  third program instructions to generate a display of said one or more computer security procedures;
  
  fourth program instructions to receive a selection from a user of one of said computer security procedures and one or more steps of the selected computer security procedure to mitigate the one or more attacks; and
  
  fifth program instructions to generate and output a record comprising the computer security incident information, results of execution of the selected one or more steps of the selected computer security procedure, and the date stamp and time stamp for the computer security incidentwherein the fifth program instructions record the results of the executed computer security procedure with a digital signature to enable detection of any attempted modification of the record, whereby integrity of the record can be monitored, andwherein said first, second, third, fourth and fifth program instructions are stored on said computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.
- View Dependent Claims (15, 16, 17)
- - 15. The computer system of claim 14, further comprising sixth program instructions to identify a computer capable of executing a step in the selected computer security procedure, wherein the identified computer is strategically located relative to a source of a computer security incident, and wherein the sixth program instructions are stored on said computer-readable, tangible storage device.
  - 16. The computer system of claim 14, further comprising sixth program instructions to predict future actions of a source of the computer security incident based on a sequence of actions taken by the source, and wherein the sixth program instructions are stored on said computer-readable, tangible storage device.
  - 17. The computer system of claim 16, wherein the sixth program instructions predict future actions of the source by determining whether the sequence of actions taken by the source matches a known sequence.

18. A computer program product for creating a record of one or more computer security incidents, said computer program product comprising:
- a computer-readable, tangible storage device;
  
  first program instructions to record information about a computer security incident and a date stamp or time stamp for the computer security incident, the computer security incident information identifying one or more attacks received from a network computer that occur prior to an actual computer security threat;
  
  second program instructions, responsive to the computer security incident information, to classify the computer security incident and identify one or more computer security procedures corresponding to the classification, each of said computer security procedures comprising one or more steps for investigating or mitigating the computer security incident;
  
  third program instructions to generate a display of said one or more computer security procedures;
  
  fourth program instructions to receive a selection from a user of one of said computer security procedures and one or more steps of the selected computer security procedure to mitigate the one or more attacks;
  
  fifth program instructions to generate and output a record comprising the computer security incident information, results of execution of the selected one or more steps of the selected computer security procedure, an identity of the user who selected the computer security procedure, and the date stamp and time stamp for the computer security incident; and
  
  sixth program instructions to predict future actions of a source of the computer security incident based on a sequence of actions taken by the source, and wherein the sixth program instructions are stored on said computer-readable, tangible storage device,wherein said first, second, third, fourth, fifth, and sixth program instructions are stored on said computer-readable, tangible storage device.

19. A computer system for creating a record of one or more computer security incidents, said computer system comprising:
- a CPU, computer-readable memory, and a computer-readable, tangible storage device;
  
  first program instructions to record information about a computer security incident and a date stamp or time stamp for the computer security incident, the computer security incident information identifying one or more attacks received from a network computer that occur prior to an actual computer security threat;
  
  second program instructions, responsive to the computer security incident information, to classify the computer security incident and identify one or more computer security procedures corresponding to the classification, each of said computer security procedures comprising one or more steps for investigating or mitigating the computer security incident;
  
  third program instructions to generate a display of said one or more computer security procedures;
  
  fourth program instructions to receive a selection from a user of one of said computer security procedures and one or more steps of the selected computer security procedure to mitigate the one or more attacks;
  
  fifth program instructions to generate and output a record comprising the computer security incident information, results of execution of the selected one or more steps of the selected computer security procedure, and the date stamp and time stamp for the computer security incident; and
  
  sixth program instructions to predict future actions of a source of the computer security incident based on a sequence of actions taken by the source, and wherein the sixth program instructions are stored on said computer-readable, tangible storage device,wherein said first, second, third, fourth, fifth, and sixth program instructions are stored on said computer-readable, tangible storage device for execution by the CPU via the computer-readable memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Ge, Rixin, Hubbard, Charles, Hammer, John M., Burke, Charles D.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US11/777,489
Publication Number

US 20080016569A1
Time in Patent Office

2,853 Days
Field of Search

726/3, 726/5, 726/6, 726/13, 726/18, 726 22- 25, 709/201, 709/203, 709/223, 709/224, 709/250, 709/318, 711/202, 711/205, 711/207, 711/217, 713/167, 713/178, 713/154, 713/155, 707/687, 707/694, 707/705, 707/706, 707/732, 707/751, 707/752, 707/758, 380/202, 380/230, 380/234
US Class Current

726/22
CPC Class Codes

G06F 21/554 involving event detection a...

Method and system for creating a record for one or more computer security incidents

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

264 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Method and system for creating a record for one or more computer security incidents

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

264 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others