
Method and system for managing computer security information

A security-information management technology for networked computer systems: it addresses the limited protection that conventional intrusion detection systems give against complex and distributed attacks, the short memory those detectors keep of past events, and the cost of complex analysis at network speeds, and it manages high-speed memory resources efficiently.

Inactive Publication Date: 2006-11-23
IBM CORP

AI Technical Summary

Benefits of technology

[0014] The present invention can solve the aforementioned problems by providing a computer security management system that can log, investigate, respond to, and track computer security incidents that can occur in a networked computer system. The invention can track suspicious computer activity or actual computer security threats. Actual security threats can include, but are not limited to, integrity attacks, confidentiality attacks, denial of service attacks, multi-stage attacks, or other similar attacks on computers or computer networks. The invention typically refers to suspicious computer activity descriptions obtained from data sources as real-time raw events and actual computer security threats as mature correlation events. The invention can comprise a method and system for managing security information collected from one or more data sources. More specifically, the present invention can comprise a fusion engine which “fuses” or assembles information from multiple data sources and analyzes this information in order to detect relationships between raw events that may indicate malicious behavior and to provide an organized presentation of information to one or more consoles without slowing down the processing performed by the data sources.
[0015] The multiple data sources can comprise sensors or detectors that monitor network traffic or individual computers or both. The sensors can comprise devices that may be referred to as intrusion detection systems (IDS). Because the present invention can be separate from IDS devices, it permits the IDS devices to operate efficiently and at high speeds when real-time processing of high volumes of data traffic is essential.
[0022] In addition to determining whether raw computer events are part of or form a mature correlation event or actual security threat, the fusion engine can also manage its high-speed memory resources very efficiently. For example, the fusion engine can employ memory management techniques that erase raw events, immature correlation events, and mature correlation events that have exceeded a predetermined time period, that have met predetermined conditions, or both. The high-speed memory resources can comprise RAM containing data that is categorized according to the classifications of the raw events and mature correlation events.
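The following is an added illustration of the fusion-engine behaviour described in paragraphs [0014], [0015] and [0022]; it is example code written for this page, not IBM's implementation or any code from the patent. It assumes a fixed three-stage attack pattern (port scan, exploit attempt, privilege escalation), a small "critical asset" set standing in for the patent's risk database, and constant time-to-live values; the sensor names, IP addresses and event kinds in the sample feed are constructed. Raw events from different sensors are fused on the (source, destination) pair, a correlation event matures once every stage has been seen in order, and `expire()` implements the time-based erasure of raw, immature and mature entries.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed thresholds and lookup data (not from the patent): a stand-in asset
# database used for ranking, and the per-stage base risk of a raw event.
CRITICAL_ASSETS = {"192.168.1.10"}
STAGE_RISK = {"port_scan": 2, "exploit_attempt": 6, "privilege_escalation": 9}
ATTACK_STAGES = ("port_scan", "exploit_attempt", "privilege_escalation")


@dataclass(frozen=True)
class RawEvent:
    """One real-time raw event as reported by a sensor (network IDS, host IDS, firewall)."""
    ts: float
    sensor: str
    kind: str
    src_ip: str
    dst_ip: str


@dataclass
class CorrelationEvent:
    """Raw events fused on (src_ip, dst_ip); immature until every stage is seen in order."""
    key: tuple[str, str]
    first_ts: float
    last_ts: float
    stage_ts: dict[str, float] = field(default_factory=dict)  # first sighting per stage
    raw_count: int = 0
    risk: int = 0
    matured_at: Optional[float] = None

    @property
    def mature(self) -> bool:
        return self.matured_at is not None


class FusionEngine:
    def __init__(self, raw_ttl: float = 300.0, immature_ttl: float = 1800.0,
                 mature_ttl: float = 600.0) -> None:
        self.raw_ttl, self.immature_ttl, self.mature_ttl = raw_ttl, immature_ttl, mature_ttl
        self.raw: list[RawEvent] = []
        self.correlations: dict[tuple[str, str], CorrelationEvent] = {}

    @staticmethod
    def rank_raw(ev: RawEvent) -> int:
        """Rank a raw event: base risk by classification, doubled for a critical target."""
        base = STAGE_RISK.get(ev.kind, 1)
        return base * 2 if ev.dst_ip in CRITICAL_ASSETS else base

    def ingest(self, ev: RawEvent) -> Optional[CorrelationEvent]:
        """Store the raw event and fuse it into its correlation event.

        Returns the correlation event only at the moment it matures, so the
        caller can forward just actual threats to a console.
        """
        self.raw.append(ev)
        if ev.kind not in ATTACK_STAGES:
            return None  # kept as raw history but not part of the attack pattern
        key = (ev.src_ip, ev.dst_ip)
        ce = self.correlations.get(key)
        if ce is None:
            ce = CorrelationEvent(key=key, first_ts=ev.ts, last_ts=ev.ts)
            self.correlations[key] = ce
        ce.last_ts = max(ce.last_ts, ev.ts)
        ce.raw_count += 1
        ce.risk += self.rank_raw(ev)
        ce.stage_ts.setdefault(ev.kind, ev.ts)
        if not ce.mature and self._stages_in_order(ce):
            ce.matured_at = ev.ts
            return ce
        return None

    @staticmethod
    def _stages_in_order(ce: CorrelationEvent) -> bool:
        ts = [ce.stage_ts.get(s) for s in ATTACK_STAGES]
        return None not in ts and all(a <= b for a, b in zip(ts, ts[1:]))

    def expire(self, now: float) -> tuple[int, int]:
        """Erase entries past their time-to-live; returns (raw kept, correlations kept)."""
        self.raw = [r for r in self.raw if now - r.ts <= self.raw_ttl]
        kept: dict[tuple[str, str], CorrelationEvent] = {}
        for key, ce in self.correlations.items():
            age = now - (ce.matured_at if ce.mature else ce.last_ts)
            if age <= (self.mature_ttl if ce.mature else self.immature_ttl):
                kept[key] = ce
        self.correlations = kept
        return len(self.raw), len(self.correlations)

    def mature_events(self) -> list[CorrelationEvent]:
        """Actual threats, highest risk first, for presentation on a console."""
        return sorted((c for c in self.correlations.values() if c.mature),
                      key=lambda c: -c.risk)


def run_demo() -> FusionEngine:
    """Constructed feed from two sensors: a scan, an exploit and a host-side escalation."""
    engine = FusionEngine()
    feed = [
        RawEvent(0.0, "net-ids", "port_scan", "10.0.0.5", "192.168.1.10"),
        RawEvent(5.0, "net-ids", "port_scan", "10.0.0.5", "192.168.1.11"),
        RawEvent(30.0, "firewall", "deny", "10.0.0.5", "192.168.1.11"),
        RawEvent(200.0, "net-ids", "exploit_attempt", "10.0.0.5", "192.168.1.10"),
        RawEvent(260.0, "host-ids", "privilege_escalation", "10.0.0.5", "192.168.1.10"),
    ]
    for ev in feed:
        engine.ingest(ev)
    return engine
```

The point to note is that the host IDS and network IDS each see only one part of the sequence; only the engine, holding the longer history, can join them into a mature event, and the separate time-to-live values keep that history bounded in RAM.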

Problems solved by technology

The nature of a distributed network, such as the internet, makes it vulnerable to attack.
However, this free exchange of information carries a price: many users will try to attack the networks and computers connected to the internet; many users will also try to invade other users' privacy and attempt to crack databases of sensitive information or intercept information as it travels across internet routes.
However, these conventional intrusion detection systems can typically have many problems and drawbacks.
Because of these high speeds, a detector of an intrusion detection system cannot perform complex analysis of the information that flows through the detector for obvious reasons.
That is, if a detector were to perform complex analysis of the information flowing through it, then such analysis would fail to keep up with the flow of information that passes through the detector.
In light of current network speeds and the corresponding volume of information that is generated as a result of the network speeds, many detectors of conventional intrusion detection systems can provide very limited protection against complex and more sophisticated computer attacks.
This limited protection can manifest itself when many false positives are generated by an intrusion detection system.
In other words, many conventional intrusion detection systems may generate false alarms based on communications between computers that do not comprise any threat or attacks.
In addition to false alarms, conventional intrusion detection systems are typically not equipped to handle complex analysis because of the limitations on current processing speeds.
For example, many conventional intrusion detection systems cannot execute central-processing-unit-intensive checks such as the well-known L0pht Crack password-auditing tool.
Conventional intrusion detection systems typically cannot employ the L0pht Crack method in any real-time analysis.
Another obstacle of conventional intrusion detection systems is that most intrusion detection systems have very limited or short term memory capacity.
In other words, long histories of data streams are seldom kept by the detectors in conventional intrusion detection systems.
Another problem of conventional intrusion detection systems is that the detectors of such systems typically only watch or observe a single environment.
Conventional detectors typically have a limited scope of awareness since they are designed to observe only portions of a network instead of the entire network as a whole.
Because conventional detectors typically monitor only portions of a network, they are unable to track more sophisticated computer attacks such as distributed attacks.
In addition to the inability to track more sophisticated computer attacks, many conventional intrusion detection systems do not permit active probing of an attacker or the target of a computer attack.
However, as mentioned above, most intrusion detection systems do not permit active probing since such probing could reveal the location of the detector.
And if the location of a detector is revealed, it sometimes may also become a target for a computer attack.


Embodiment Construction

[0043] The present invention may be embodied in program modules that run in a distributed computing environment. The present invention can comprise a computer security management system that can log, investigate, respond to, and track computer security incidents that can occur in a networked computer system. The present invention can comprise a fusion engine which “fuses” or assembles information from multiple data sources and analyzes this information in order to provide an organized, and sometimes ranked, presentation of information to one or more consoles. The fusion engine can classify raw real-time computer events while also ranking the real-time computer events based upon comparisons with one or more databases.

[0044] Illustrative Operating Environment

[0045] Although the illustrative embodiment will be generally described in the context of program modules running on a personal computer and a server, those skilled in the art will recognize that the present invention may be imple...


Abstract

A security management system includes a fusion engine which “fuses” or assembles information from multiple data sources and analyzes this information in order to detect relationships between raw events that may indicate malicious behavior and to provide an organized presentation of information to consoles without slowing down the processing performed by the data sources. The multiple data sources can comprise sensors or detectors that monitor network traffic or individual computers or both. The sensors can comprise devices that may be used in intrusion detection systems (IDS). The data sources can also comprise firewalls, audit systems, and other like security or IDS devices that monitor data traffic in real time. The present invention can identify relationships between one or more real-time, raw computer events as they are received in real time. The fusion engine can also assess and rank the risk of real-time raw events as well as mature correlation events.

Description

PRIORITY AND RELATED APPLICATIONS

[0001] The present application claims priority to provisional patent application entitled, “Intrusion Detection Fusion System of a Network Security System,” filed on Apr. 28, 2000 and assigned U.S. application Ser. No. 60 / 200,316. The present application is also related to non-provisional application entitled, “System and Method for Managing Security Events on a Network,” (Attorney Docket No. 05456-105005) filed on Apr. 27, 2001 and assigned U.S. application Ser. No. ______.

TECHNICAL FIELD

[0002] The present invention relates to computer systems and the security of such systems. More particularly, the present invention relates to a method and system for ranking individual security events according to risk and fusing or identifying relationships between two or more security events that may occur on or within a computer system. The invention can also identify relationships in other security related information.

BACKGROUND OF THE INVENTION

[0003] The n...


Application Information

IPC(8): G06F15/16; G06F12/14; G06F11/00; G06F17/00; G06F9/00; G06F12/16; G06F15/18; G08B23/00
CPC: G06F21/577; H04L63/1458; H04L63/1433; H04L41/0893; H04L41/0894
Inventors: FARLEY, TIMOTHY P.; HAMMER, JOHN M.; WILLIAMS, BRYAN DOUGLAS; BRASS, PHILIP CHARLES; YOUNG, GEORGE C.; MEZACK, DEREK JOHN
Owner: IBM CORP