442 results about "Event correlation" patented technology

Processing systems and methods receive events, such as a transaction to an account, and converts the events into messages. Each message then invokes one or more rules which are executed by a rules engine. The execution of these rules may invoke the execution of additional rules. After all rules have executed, the account associated with the event is updated, such as by projecting the account. The rules have their parameters defined in a repository so that the parameters can be easily changed without any need to recompile. The processing systems receive authorizations and other transactions and runs in real-time as transactions arrive. As a result, balances are updated continuously and accounts are read and updated only when there is activity. Hierarchy is user configurable, including multiple hierarchy to any depth. System operations are controlled by rules and their parameters and most modifications can be accomplished without access to source code.

A method and apparatus is disclosed for improving the security of computer networks by providing a means operating passively on the network for detecting, reporting and responding to intruders. The system is comprised of a plurality of intruder sensor client computers and associated event correlation engines. Resident in the memory of the client computer and operating in the background is a Tactical Internet Device Protection (TIDP) component consisting of a passive intruder detector and a security Management Information Base (MIB). The passive intruder detector component of the TIDP passively monitors operations performed on the client computer and emits a Simple Network Management Protocol (SNMP) trap to an event correlation engine when it identifies a suspected intruder. The event correlation engine, through the use of a behavior model loaded in its memory, determines whether the user's activities are innocent or those of a perspective intruder. When the event correlation engine is unable to classify a user based on a single trap message, it can request historical information from the security MIB, a database of the operating history of the client computer including a chronology of the illegal operations performed on the client. Once the event correlation engine determines that an intruder is located at an associated client workstation, it generates a status message and transmits the message to all of its subscribers, informing them of the presence and location of a suspected intruder.

Method and apparatus for situation-based management of natural and artificial systems using event correlation and a situation manager. Input is provided from multiple sources in the form of a collection of events. A first level of processing performs event correlation over the collection of events and infers new events and new qualities of events. A second level of processing manages situations based on the collection of events, where situations are recognized, maintained, and given a degree of confidence. Situations are periodically updated based on incoming events. The assertion of a situation may call for information from external sources, provide information for external sources, and provide control instructions to external sources. Given a current situation, past, and possible future situations are inferred. Additionally, a method and apparatus for bi-directional communication between the event correlator and situation manager.

A method of root cause analysis in a virtual machine environment includes receiving a plurality of events from a system monitoring the virtualized environment. The events may include alarms or alerts, such as alarms or alerts associated with a resource reaching or exceeding a threshold. The capacity manager consumes these events and performs event correlation to produce a set of correlated events. The capacity manager performs a root cause analysis on the set of correlated events to identify one or more root causes. The capacity manager further performs an impact analysis to determine how the root cause impacts the system, such as other virtual machines, hosts or resource in the virtual environment. Based on the root cause and impact analysis, the capacity manager makes one or more recommendations to address issues with or to improve the operations and/or performance of the virtualized environment.

Method and apparatus for service level management, wherein business processes are composed of services. A state of the service is defined by one or more service parameters, and the service parameters depend upon performance of network components that support the service, e.g., component parameters. The state of the service may depend, for example, on a collection of service parameter values for availability, reliability, security, integrity and response time. A service level agreement is a contract between a supplier and a customer that identifies services supported by a network, service parameters for the services, and service levels (e.g., acceptable levels) for each service parameter.

A method and system are disclosed for efficiently correlating network events within a data processing system and then transmitting messages to various network entities in response to an occurrence of a particular network event. According to the present invention, a network mediation service receives raw message streams from one or more external networks and passes the streams in real-time to the event notification service. The event notification service then passes the message to the message parsing service for processing. After the message has been parsed by the message parsing service, it is passed back to the event notification service which passes the message along an event channel to the network management service. The message is also passed to the event correlation service for event correlation. A knowledge-based database of message classes that define how to interpret the message text are used by the event correlation service to match correlation rule conditions to the observed events. After event correlation service processes the parsed event, it is passed to the network management service for resolution.

A computer implemented method on a computer readable media is provided for determining the source of a problem in a complex system of managed components based upon symptoms. The problem source identification process is split into different activities. Explicit configuration non-specific representations of types of managed components, their problems, symptoms and the relations along which the problems or symptoms propagate are created that can be manipulated by executable computer code. A data structure is produced for determining the source of a problem by combining one or more of the representations based on information of specific instances of managed components in the system. Computer code is then executed which uses the data structure to determine the source of the problem from one or more symptoms.

A computer system includes a symptoms database having symptoms that relate to problems, where each symptom includes an event correlation rule having corresponding predicates. To identify a root cause of a problem, collected events are correlated with symptoms based upon their associated event correlation rule(s). For each symptom at least partially matched to an event, visualization information is associated with corresponding events based upon the visualization attribute of the symptom, and textual information is associated with event based upon the recommendation of the symptom. Moreover, recommendations may be provided to an operator, such as based upon information associated with the symptom. The event and symptom data is analyzed by grouping events in the set of events based upon their associated visualization information and presenting the textual information associated with an operator-selected event.

The invention discloses a crossroad traffic event automatic detection system based on multi-source information fusion. The invention aims at urban crossroad traffic management, establishes audio-video traffic information acquisition, traffic information analytical processing and traffic event automatic alarming three subsystems. The invention mainly comprises: designing and realizing an acquisition subsystem of multi-source traffic information (traffic audio information, traffic video information, multi-angle video information, elevation angle video information); realizing a traffic parameter automatic extractive technique based on traffic audio and traffic video; realizing a traffic event (car crash, illegal parking, jam and retrograde motion) automatic detection technique based on the multi-source information fusion; and realizing a software system for traffic event report, traffic event associated video information transmission, and traffic control center display and processing, and forming an integrated crossroad traffic event automatic detection system.

A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules and generates a security incident for the network sessions that satisfy one of the network security event correlation rules. The system then presents the information of the network sessions and security incidents to a user of the system in an intuitive form. The user is able to not only learn the details of a possible network attack, but also creates new security event correlation rules intuitively, including drop rules for dropping a particular type of events.

The invention relates to a network attack scene generating method based on multi-source alarm logs. The network attack scene generating method includes the steps that firstly, the alarm logs generated by multiple network security protection devices are collected, effective alarm log data are extracted through preprocessing, and noise, redundancy or ineffective logs are removed; for the effective alarm logs acquired by one device, log format differences of different devices are shielded through single-source log aggregation and mapping, and attack event information is analyzed and extracted; attack events extracted from different sources are fused and analyzed, and network attack events with high credibility are generated; then through correlation analysis of the attack events, a network attack scene graph is generated, and the whole attack process of one attack operation is analyzed. Due to the fact that the multi-source logs are fused, the analyzed attack event information can more completely and more reliably depict attacks to which a network is subject, attack scenes are acquired through correlation analysis of the attack events, the intentions of attackers can be more clearly shown, and the security threat state of the network can be more clearly reflected.

A policy component comprises policy configuration information. The policy configuration information contains one or more rules. Each rule and group of rules can be associated with a set of response actions. As the nodes on the monitored networks change or intrusive actions are introduced on the networks, network change events or intrusion events are generated. The policy component correlates network change events and/or intrusions events with network map information. The network map contains information on the network topology, services and network devices, amongst other things. When certain criteria is satisfied based on the correlation, a policy violation event may be issued by the system resulting in alerts or remediations.

A method is provided for calibrating past position estimates from a positioning system that provides real-time position estimates of a mobile object. The method first stores the real-time position estimates, which as time goes by become past position estimates and naturally form a first past trajectory depicting the past movement of the mobile object. Subsequently, a calibrated past trajectory is determined, which includes calibrated past position estimates that correspond to the same time instances as the past positions in the first past trajectory. When real-time positions have low qualities, this method calibrates them at a later time by using (higher-quality) real-time positions both before and after them. Errors in the past positions are then corrected based on the calibrated past trajectory. When used with event detectors that indicate inventory transactions, this method can correct position errors associated with inventory events so as to improve the performance of inventory tracking.

A security monitoring system processes event messages related to computer network security in real time, evaluating inter-event constraints so as to identify combinations of events that are partial solutions to a predefined event correlation rule, and furthermore evaluating combinations of the partial solutions do determine if they together satisfy the predefined event correlation rule. A decision tree is formed based on the rule. Event messages are categorized into groups at leaf nodes of the tree in accordance with a plurality of intra-event constraints, and then the messages are correlated in accordance with a plurality of inter-event constraints at non-leaf nodes of the tree. When the inter-event constraint at a root node of the tree has been satisfied, a network attack alert is issued and protective actions may be taken.

Method and apparatus for situation-based management of natural and artificial systems using event correlation and a situation manager. Input is provided from multiple sources in the form of a collection of events. A first level of processing performs event correlation over the collection of events and infers new events and new qualities of events. A second level of processing manages situations based on the collection of events, where situations are recognized, maintained, and given a degree of confidence. Situations are periodically updated based on incoming events. The assertion of a situation may call for information from external sources, provide information for external sources, and provide control instructions to external sources. Given a current situation, past, and possible future situations are inferred. Additionally, a method and apparatus for bi-directional communication between the event correlator and situation manager.

A wake-and-go mechanism is provided for a data processing system. The wake-and-go mechanism recognizes a programming idiom, specialized instruction, operating system call, or application programming interface call that indicates that a thread is waiting for an event. The wake-and-go mechanism updates a wake-and-go array with a target address, expected data value, and comparison type associated with the event. The thread then goes to sleep until the event occurs. The wake-and-go array may be a content addressable memory (CAM). When a transaction appears on the symmetric multiprocessing (SMP) fabric that modifies the value at a target address in the CAM, logic associated with the CAM performs a comparison based on the data value being written, expected data value, and comparison type.

A system for pluggable event correlation may include an input manager that receives a plurality of events and converts the events into a format compatible with one or more of a plurality of correlation engines. The correlation engines may then evaluate the converted events using various rules and generate correlated events when the evaluated events trigger at least one of the rules. An action manager may execute remedial actions when the correlation engines generate the correlated events. Moreover, extensibility may be provided by enabling a user to define rules to be triggered when events occur in a predetermined pattern, and actions to be executed when a predetermined rule triggers a correlated event. Further, to plug a new correlation engine into the system, adapters may be deployed to handle input and output, while the user-defined rules may be validating according to semantic requirements of the new correlation engine.

A system and method for analyzing events from devices relating to network security, includes a device interface(s), for receiving events from devices. One or more processors, responsive to the event received pursuant to the device interfaces, evaluate the event in accordance with rules, wherein the rules define, inter alia, an operation the system is to take to evaluate the event and an action to be taken under specified conditions. Also, the processor can determine, responsive to the received event, whether the event is of interest, and if not, discarding the event. The processor can provide a correlation corresponding to the at least one event, for the rules.

Management of a customer's IT environment is facilitated by correlating events that occur within the environment, obtaining information relating to those events, and performing actions, such as environment tuning or recovery actions, based on the information. Discrete phases of processing are used to obtain the information and/or perform the actions. One or more of these discrete processing phases have tunable time intervals associated therewith. That is, at least one time interval is dynamically adjusted based on the runtime state of the environment.