[특허]Correlation engine with support for time-based rules

Correlation engine with support for time-based rules 원문보기

IPC분류정보
국가/구분	United States(US) Patent 등록
국제특허분류(IPC7판)	G06F-007/04
출원번호	US-0308767 (2002-12-02)
등록번호	US-8176527 (2012-05-08)
발명자 / 주소	Njemanze, Hugh S. Kothari, Pravin S. Dash, Debabrata Wang, Shijie
출원인 / 주소	Hewlett-Packard Development Company, L. P.
인용정보	피인용 횟수 : 32 인용 특허 : 51

초록 ▼

A rules engine with support for time-based rules is disclosed. A method performed by the rules engine, comprises receiving security events generated by a number of network devices. The security events are aggregated. One or more time-based rules are provided to a RETE engine. The aggregated security events are provided to the RETE engine at specific times associated with the time-based rules. The security events are cross-correlated with the one or more time-based rules; and one or more first stage meta-events are reported.

대표청구항 ▼

1. A computer-implemented method, comprising: receiving, by a computer processor, a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;identifying a first rule that indicates a threshold number of base events and a first time period;determining how many base events include a time attribute that falls within the first time period;determining whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, generating a first stage meta-event;identifying a second rule that indicates a threshold number of first stage meta-events and a second time period;when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, generating a second stage meta-event;detecting additional second stage meta-events;determining an amount of time that has passed since a most-recent second stage meta-event was detected; andwhen a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, generating a third stage meta-event. 2. The method of claim 1, wherein the network component comprises an intrusion detection system. 3. The method of claim 1, further comprising activating the first rule dynamically. 4. The method of claim 1, further comprising detecting improper rule syntax. 5. The method of claim 1, further comprising detecting a loop condition generated by the first rule. 6. The method of claim 1, further comprising detecting rule feedback. 7. The method of claim 1, further comprising performing an action specified by the first rule to notify an individual of the first-stage meta-event. 8. The method of claim 1, further comprising aligning timelines of base events generated by different devices. 9. A system, comprising: hardware means for receiving a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;hardware means for identifying a first rule that indicates a threshold number of base events and a first time period;hardware means for determining how many base events include a time attribute that falls within the first time period;hardware means for determining whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;hardware means for generating, when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, a first stage meta-event;hardware means for identifying a second rule that indicates a threshold number of first stage meta-events and a second time period;hardware means for generating, when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, a second stage meta-event;hardware means for detecting additional second stage meta-events;hardware means for determining an amount of time that has passed since a most-recent second stage meta-event was detected; andhardware means for generating, when a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event. 10. The system of claim 9, further comprising means for activating and deactivating the first rule dynamically. 11. The system of claim 9, further comprising means for performing an action specified by the first rule to notify an individual of the first stage meta-event. 12. The system of claim 9, further comprising means for aligning timelines of base events from two or more heterogeneous security sources. 13. A computer readable non-transitory storage medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to: receive a plurality of base events, wherein a base event originated in an event log entry that was generated by a network component, and wherein the base event includes a time attribute that indicates when the network component generated the event log entry;identify a first rule that indicates a threshold number of base events and a first time period;determine how many base events include a time attribute that falls within the first time period;determine whether the threshold number of base events exceeds the number of base events that include a time attribute that falls within the first time period;generate, when the threshold number of base events does not exceed the number of base events whose time attributes fall within the first time period, a first stage meta-event;identify a second rule that indicates a threshold number of first stage meta-events and a second time period;generate, when the threshold number of first stage meta-events does not exceed a number of first stage meta-events whose time attributes fall within the second time period, a second stage meta-event;detect additional second stage meta-events;determine an amount of time that has passed since a most-recent second stage meta-event was detected; andgenerate, when a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event. 14. The computer readable non-transitory storage medium of claim 13, further having stored thereon computer-readable instructions, which when executed in the computer system, cause the computer system to activate and deactivate the first rule dynamically. 15. The computer readable non-transitory storage medium of claim 13, further having stored thereon computer-readable instructions, which when executed in the computer system, cause the computer system to perform an action specified by the first rule to notify an individual of the first-stage meta-event. 16. The computer readable non-transitory storage medium of claim 13, further having stored thereon computer-readable instructions, which when executed in the computer system, cause the computer system to align timelines of base events from two or more heterogeneous security sources. 17. The method of claim 1, further comprising filtering the plurality of base events based on a condition before determining how many base events include a time attribute that falls within the first time period. 18. The method of claim 17, wherein filtering the plurality of base events based on the condition comprises discarding the base events that do not satisfy the condition. 19. The method of claim 1, further comprising aggregating the plurality of base events before determining how many base events include a time attribute that falls within the first time period. 20. The method of claim 1, wherein the plurality of base events was generated by one or more network devices. 21. The method of claim 1, wherein detecting additional second stage meta-events comprises adjusting the second time period of the second rule. 22. The method of claim 1, further comprising deactivating the first rule dynamically.

이 특허에 인용된 특허 (51)

Ko,Cheuk W., Automatically generating valid behavior specifications for intrusion detection.
상세보기
Underwood, Roy Aaron, Codes table framework design in an E-commerce architecture.
상세보기
Khanolkar,Rajeev; Azim,Ozakil; Asthana,Rishi; Ved,Niten; Hanrahan,Kevin; Ghildiyal,Amit; Pogaku,Shirisha; Amaratunge,Dhani; Samavenkata,K. V. Rao; Hamid,Aral Rarsh, Comprehensive security structure platform for network managers.
상세보기
Orchier Jonathan ; Soriano Raymond ; Salvaterra Louis ; Ardito Dario ; Byreddy Anil, Computer network security management system.
상세보기
Kodavalla Hanuma ; Joshi Ashok Madhukar ; Chatterjee Sumanta ; McCready Bruce, Database system with methods for appending data records by partitioning an object into multiple page chains.
상세보기
Valente, Luis Filipe Pereira; Cooper, Geoffrey Howard; Shaw, Robert Allen; Sherlock, Kieran Gerard, Declarative language for specifying a security policy.
상세보기
Schneier Bruce ; Kelsey John, Digital signature with auditing bits.
상세보기
Brock, Ashley Anderson; Kim, Nathaniel Wook; Lingafelt, Charles Steven, Dynamic intrusion detection for computer systems.
상세보기
Julie Lynn Huff ; Tracy Glenn Shelanskey ; Sheila Ann Jackson, Dynamic system defense for information warfare.
상세보기
Schneier Bruce ; Kelsey John M., Event auditing system.
상세보기
Perfit, Michael Adam; Buchanan, Darin L.; Samek, Scott J.; Butler, Timothy W.; Mancini, Elizabeth; Arena, Michael J.; Wise, Karen G.; Farrar, Michael B.; Uftring, Michael D.; Wilson, Theodore J.; Ant, Event manager for use in fraud detection.
상세보기
Njemanze,Hugh S., Expression editor.
상세보기
Black,Steven; Debar,Herve; Garrison,John Michael; Wespi,Andreas, Hierarchical correlation of intrusion detection events.
상세보기
Phillip Andrew Porras ; Alfonso Valdes, Hierarchical event monitoring and analysis.
상세보기
Godwin,Debbie Ann; Walters,Rodney Eldon, Host-based systematic attack detection tool.
상세보기
Bruton, III,David Aro; Jakubik,Patricia; LiVecchi,Patrick Michael; Overby, Jr.,Linwood Hugh, Integrated intrusion detection services.
상세보기
Bardsley,Jeffrey Scott; Brock,Ashley Anderson; Kim,Nathaniel Wook; Lingafelt,Charles Steven, Limiting the output of alerts generated by an intrusion detection sensor during a denial of service attack.
상세보기
Aviram Cohen ; Ishai Kedem, Management of orphan tracks.
상세보기
Grainger, Steven Phillip, Method and apparatus for an intruder detection reporting and response system.
상세보기
Schneier Bruce, Method and apparatus for analyzing information systems using stored tree database structures.
상세보기
Hrabik,Michael; Guilfoyle,Jeffrey; Mac Beaver,Edward, Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures.
상세보기
Black, Steven C.; Debar, Herve; Garrison, John Michael; Swart, RoseAnne, Method and apparatus in a data processing system for managing situations from correlated events.
상세보기
Campbell, Wayne A.; Walker, Jeffrey H., Method and system for detecting intrusion into and misuse of a data processing system.
상세보기
Smaha Stephen E. (Austin TX) Snapp Steven R. (Austin TX), Method and system for detecting intrusion into and misuse of a data processing system.
상세보기
Bhattacharya,Partha; Liao,Yu, Method and system for determining intra-session event correlation across network address translation devices.
상세보기
Bhattacharya, Partha; Lee, Imin; Joseph, Aji; Stevens, Eli; Naramreddy, Diwakar, Method and system for displaying network security incidents.
상세보기
Schneier,Bruce; Gross,Andrew H.; Callas,Jonathan D., Method and system for dynamic network intrusion monitoring, detection and response.
상세보기
Bennett,Andrew Jonathan; Franklin,David Richard; Stewart,Kristian Jon, Method and system for efficient distribution of network event data.
상세보기
Hideaki Taruguchi JP; Shigeo Tsunoda JP, Method and system for embedding electronic watermark information in main information.
상세보기
Farley,Timothy P.; Hammer,John M.; Williams,Bryan Douglas; Brass,Philip Charles; Young,George C.; Mezack,Derek John, Method and system for managing computer security information.
상세보기
Beardsley, Brent Cameron; Benhase, Michael Thomas; Martin, Douglas A.; Morton, Robert Louis; Todd, Kenneth Wayne, Method and system for managing meta data.
상세보기
Secor, Peter; Tokarsky, Tim; Perelman, Shoel, Method and system for network event impact analysis and correlation with network administrators, management policies and procedures.
상세보기
Steinberg, Louis A.; Wetstone, Evan R.; Belousov, Arkadiy; Deuel, John, Method and system for reducing false alarms in network fault management systems.
상세보기
Walker Jeffrey H., Method and system for reducing the volume of audit data and normalizing the audit data received from heterogeneous sources.
상세보기
Njemanze,Hugh S.; Aguilar Macias,Hector; Beedgen,Christian Friedrich, Method for batching events for transmission by software agent.
상세보기
Black,Steven; Debar,Herve; Garrison,John Michael; Wespi,Andreas, Method, apparatus, and program for associating related heterogeneous events in an event handler.
상세보기
Faigon Anat ; Kotmire Girish ; Raab Ilan ; Romero Robert Magnus, Network fault correlation.
상세보기
Bhattacharya,Partha; Lawrence,Jan Christian, Network security monitoring system.
상세보기
Porras Phillip A. ; Valdes Alfonso, Network surveillance.
상세보기
Porras, Phillip Andrew; Valdes, Alfonso, Network surveillance.
상세보기
Porras, Phillip Andrew; Valdes, Alfonso, Network surveillance.
상세보기
Porras, Phillip Andrew; Fong, Martin Wayne, Network-based alert management.
상세보기
Black,Steven; Debar,Herve; Garrison,John Michael, Presentation of correlated events as situation classes.
상세보기
Njemanze,Hugh S.; Kothari,Pravin S., Real time monitoring and analysis of events from multiple network security devices.
상세보기
Michael D. Ladwig, System and method for ensuring and managing situation awareness.
상세보기
Hsieh Francis ; Manring Brad, System and method for network integrity management.
상세보기
Barker, Geoffrey T.; Alexander, Bruce; Talley, Paul, System and method for providing configurable security monitoring utilizing an integrated information portal.
상세보기
Beavers,John B., System and method for tracking and filtering alerts in an enterprise and generating alert indications for analysis.
상세보기
Parish,Sandy; Goostree,Peter, System and method for tracking computer viruses.
상세보기
Bernhard Thomas ; Escamilla Terry ; Leddy William ; Letsinger Richard ; Marks Crosby ; Smaha Steven E. ; Snapp Steven R., System, method and computer program product for automatic response to computer system misuse using active response modules.
상세보기
Tidwell,Kenny; Saurabh,Kumar; Dash,Debabrata; Njemanze,Hugh S.; Kothari,Pravin S., Threat detection in a network security system.
상세보기

이 특허를 인용한 특허 (32)

Kalinichenko, Michael, Application of nested behavioral rules for anti-malware processing.
상세보기
Nakamura, Takatoshi; Sako, Yoichiro; Kawakami, Itaru; Takehara, Mitsuru; Abe, Yuichi, Chronology providing method, chronology providing apparatus, and recording medium containing chronology providing program.
상세보기
Vangala, Vipindeep, Diagnostic framework in computing systems.
상세보기
Boteler, Aaron; Norton, Marc, Digital filter correlation engine.
상세보기
Bu, Tian; Chen, Aiyou; Vander Wiel, Scott Alan; Woo, Thomas, Evaluation of a fast and robust worm detection algorithm.
상세보기
Hassanzadeh, Amin; Modi, Shimon; Mulchandani, Shaan; Negm, Walid, Event correlation across heterogeneous operations.
상세보기
Hassanzadeh, Amin; Modi, Shimon; Mulchandani, Shaan; Negm, Walid, Event correlation across heterogeneous operations.
상세보기
Hassanzadeh, Amin; Modi, Shimon; Mulchandani, Shaan; Negm, Walid, Event correlation across heterogeneous operations.
상세보기
Huang, Wei; Zhou, Yizheng; Yu, Bin; Tang, Wenting; Beedgen, Christian F., Generating row-based and column-based chunks.
상세보기
Kruse, William Frederick Hingle; Rangole, Ashish, Large-scale authorization data collection and aggregation.
상세보기
Lingafelt, Charles S.; Murray, James W.; Swantek, James T.; Worley, James S., Managing cyber attacks through change of network address.
상세보기
Boteler, Aaron; Norton, Marc, Method and apparatus for detecting SSH login attacks.
상세보기
Porras, Phillip Andrew; Zhang, Jian, Method and apparatus for generating highly predictive blacklists.
상세보기
Roll, Stuart L., Method and system for time-based correlation of events.
상세보기
Weiderman Sandahl, Göran; Gustafsson, Johan, Method, apparatus and computer program for analysing events in a computer system.
상세보기
Sporton, Simon; Sutherns, Timothy; Sauder, Oliver, Monitoring of signalling traffic.
상세보기
Karale, Sachin, Network security management.
상세보기
Solomon, Arnold Cory; Floyd, Gregory Ray, Notification system, method, and computer application based on decision rules for evaluating a plurality of utility meter conditions.
상세보기
Sinnema, Rémon, Risk-adaptive access control of an application action based on threat detection data.
상세보기
Patel, Rajesh, Security event data normalization.
상세보기
Kouznetsov, Oleg, Security information and event management.
상세보기
Kruse, William Frederick Hingle; Rangole, Ashish; Scharf, Jr., James E.; Zhao, Kai; Wierer, Jeffrey John, Self-learning access control policies.
상세보기
Fan Chiang, Shih-Wu, Surveillance system and surveillance method.
상세보기
Altman, Yuval; Keren, Assaf Yosef, System and method for automated configuration of intrusion detection systems.
상세보기
Zlatokrilov, Haim, System and method for identifying communication session participants based on traffic patterns.
상세보기
Yishay, Yitshak, System and method for keyword spotting using representative dictionary.
상세보기
Altman, Yuval; Kere, Assaf Yosef; Krupkin, Ido; Rozenblum, Pinhas, System and method for malware detection.
상세보기
Altman, Yuval; Keren, Assaf Yosef; Krupkin, Ido, System and method for malware detection learning.
상세보기
Altman, Yuval; Keren, Assaf Yosef; Krupkin, Ido, System and method for malware detection learning.
상세보기
Margolies, Jeffrey M.; Lippiatt, Keith Gregory; Krull, Joseph Eric, Systems and methods for detecting and investigating insider fraud.
상세보기
Allen, Andrew T.; Myers, Ken R.; Chan, John M.; Bomer, Michelle N.; Yackshaw, Catherine, Techniques for grammar rule composition and testing.
상세보기
Singla, Anurag; Saurabh, Kumar; Tidwell, Kenny C., Tracking changing state data to assist in computer network security.
상세보기

IPC	Description
A	생활필수품
A62	인명구조; 소방(사다리 E06C)
A62B	인명구조용의 기구, 장치 또는 방법(특히 의료용에 사용되는 밸브 A61M 39/00; 특히 물에서 쓰이는 인명구조 장치 또는 방법 B63C 9/00; 잠수장비 B63C 11/00; 특히 항공기에 쓰는 것, 예. 낙하산, 투출좌석 B64D; 특히 광산에서 쓰이는 구조장치 E21F 11/00)
A62B-1/08	.. 윈치 또는 풀리에 제동기구가 있는 것

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표IPC 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 공고번호, 공고일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표출원인, 출원인국적, 출원인주소, 발명자, 발명자E, 발명자코드, 발명자주소, 발명자 우편번호, 발명자국적, 대표IPC, IPC코드, 요약, 미국특허분류, 대리인주소, 대리인코드, 대리인(한글), 대리인(영문), 국제공개일자, 국제공개번호, 국제출원일자, 국제출원번호, 우선권, 우선권주장일, 우선권국가, 우선권출원번호, 원출원일자, 원출원번호, 지정국, Citing Patents, Cited Patents
저장형식	Text(ASCII format) Excel format PIAS분석(.xls)
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증

Correlation engine with support for time-based rules 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

이 특허에 인용된 특허 (51)

이 특허를 인용한 특허 (32)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트

연합인증

Correlation engine with support for time-based rules 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

전체(0) 논문(0) 특허(0) 보고서(0)

전체(0) 논문(0) 특허(0) 보고서(0)

이 특허에 인용된 특허 (51)

이 특허를 인용한 특허 (32)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트