US20170104777A1 - Device Time Accumulation - Google Patents
Device Time Accumulation Download PDFInfo
- Publication number
- US20170104777A1 US20170104777A1 US14/971,192 US201514971192A US2017104777A1 US 20170104777 A1 US20170104777 A1 US 20170104777A1 US 201514971192 A US201514971192 A US 201514971192A US 2017104777 A1 US2017104777 A1 US 2017104777A1
- Authority
- US
- United States
- Prior art keywords
- events
- event
- time
- security
- computer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/04—Processing captured monitoring data, e.g. for logfile generation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/06—Generation of reports
- H04L43/067—Generation of reports using time frame reporting
Definitions
- the present invention relates in general to the field of computers and similar technologies, and in particular to software utilized in this field. Still more particularly, it relates to a method, system and computer-usable medium for performing a device time accumulation operation.
- SIEM security information and event management
- events can be accumulated within a monitored system but not provided for analysis until some later time. When this occurs, the time information used for analyzing the events, including time series graphs, may be skewed.
- a method, system and computer-usable medium are disclosed for performing a device time accumulation operation.
- a device time accumulation operation systems within a security intelligence platform which accumulate events within the IT environment associate an event ingest time with the event.
- the device time accumulation operation analyzes the ingest times as well as the emit time to take into account historical time data associated with the accumulated events.
- FIG. 1 depicts an exemplary client computer in which the present invention may be implemented.
- FIG. 2 is a simplified block diagram of a security intelligence platform.
- FIG. 3 is a generalized flowchart of the operation of a device time accumulation operation.
- a method, system and computer-usable medium are disclosed for performing a device time accumulation operation.
- a device time accumulation operation systems within a security intelligence platform which accumulate events within the IT environment associate an event ingest time with the event.
- the device time accumulation operation analyzes the ingest times as well as the emit time to take into account historical time data associated with the accumulated events.
- the present invention may be embodied as a method, system, or computer program product. Accordingly, embodiments of the invention may be implemented entirely in hardware, entirely in software (including firmware, resident software, micro-code, etc.) or in an embodiment combining software and hardware. These various embodiments may all generally be referred to herein as a “circuit,” “module,” or “system.” Furthermore, the present invention may take the form of a computer program product on a computer-usable storage medium having computer-usable program code embodied in the medium.
- the computer-usable or computer-readable medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, or a magnetic storage device.
- a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
- Computer program code for carrying out operations of the present invention may be written in an object oriented programming language such as Java, Smalltalk, C++ or the like. However, the computer program code for carrying out operations of the present invention may also be written in conventional procedural programming languages, such as the “C” programming language or similar programming languages.
- the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
- the remote computer may be connected to the user's computer through a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
- LAN local area network
- WAN wide area network
- Internet Service Provider for example, AT&T, MCI, Sprint, EarthLink, MSN, GTE, etc.
- Embodiments of the invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
- the computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- FIG. 1 is a block diagram of an exemplary client computer 102 in which the present invention may be utilized.
- Client computer 102 includes a processor unit 104 that is coupled to a system bus 106 .
- a video adapter 108 which controls a display 110 , is also coupled to system bus 106 .
- System bus 106 is coupled via a bus bridge 112 to an Input/Output (I/O) bus 114 .
- An I/O interface 116 is coupled to I/O bus 114 .
- I/O Input/Output
- the I/O interface 116 affords communication with various I/O devices, including a keyboard 118 , a mouse 120 , a Compact Disk-Read Only Memory (CD-ROM) drive 122 , a floppy disk drive 124 , and a flash drive memory 126 .
- the format of the ports connected to I/O interface 116 may be any known to those skilled in the art of computer architecture, including but not limited to Universal Serial Bus (USB) ports.
- USB Universal Serial Bus
- Client computer 102 is able to communicate with a service provider server 152 via a network 128 using a network interface 130 , which is coupled to system bus 106 .
- Network 128 may be an external network such as the Internet, or an internal network such as an Ethernet Network or a Virtual Private Network (VPN).
- client computer 102 is able to use the present invention to access service provider server 152 .
- VPN Virtual Private Network
- a hard drive interface 132 is also coupled to system bus 106 .
- Hard drive interface 132 interfaces with a hard drive 134 .
- hard drive 134 populates a system memory 136 , which is also coupled to system bus 106 .
- Data that populates system memory 136 includes the client computer's 102 operating system (OS) 138 and software programs 144 .
- OS operating system
- OS 138 includes a shell 140 for providing transparent user access to resources such as software programs 144 .
- shell 140 is a program that provides an interpreter and an interface between the user and the operating system. More specifically, shell 140 executes commands that are entered into a command line user interface or from a file.
- shell 140 (as it is called in UNIX®), also called a command processor in Windows®, is generally the highest level of the operating system software hierarchy and serves as a command interpreter.
- the shell provides a system prompt, interprets commands entered by keyboard, mouse, or other user input media, and sends the interpreted command(s) to the appropriate lower levels of the operating system (e.g., a kernel 142 ) for processing.
- shell 140 generally is a text-based, line-oriented user interface, the present invention can also support other user interface modes, such as graphical, voice, gestural, etc.
- OS 138 also includes kernel 142 , which includes lower levels of functionality for OS 138 , including essential services required by other parts of OS 138 and software programs 144 , including memory management, process and task management, disk management, and mouse and keyboard management.
- Software programs 144 may include a browser 146 and email client 148 .
- Browser 146 includes program modules and instructions enabling a World Wide Web (WWW) client (i.e., client computer 102 ) to send and receive network messages to the Internet using HyperText Transfer Protocol (HTTP) messaging, thus enabling communication with service provider server 152 .
- WWW World Wide Web
- HTTP HyperText Transfer Protocol
- software programs 144 may also include a device time accumulation system 150 .
- the device time accumulation system 150 includes code for implementing the processes described hereinbelow.
- client computer 102 is able to download the device time accumulation system 150 from a service provider server 152 .
- client computer 102 may include alternate memory storage devices such as magnetic cassettes, Digital Versatile Disks (DVDs), Bernoulli cartridges, and the like. These and other variations are intended to be within the spirit, scope and intent of the present invention.
- FIG. 2 shows a simplified block diagram of a security intelligence environment 200 which includes a security intelligence platform 210 in accordance with various aspects of the invention.
- the security intelligence platform 210 integrates security information and event management (STEM), log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified solution.
- STEM security information and event management
- the security intelligence platform 210 delivers threat detection, ease of use and lower total cost of ownership.
- the security intelligence platform 210 uses intelligence, integration and automation to deliver security and compliance functionality.
- the security intelligence platform 210 receives information from one or more of a plurality of data sources 220 and performs one or more of correlation operations, activity baselining and anomaly detection operations, offense identification operations and device time accumulation operations to provide an identification of a true offense 222 as well as identification of suspected intendents 224 .
- the security intelligence platform 210 includes one or more of an integrated family of modules that can help detect threats that otherwise would be missed.
- the family of modules can include a correlation module 230 for performing the correlation operations, an activity baselining and anomaly detection module 232 for performing the activity baselining and anomaly detection operations, an offence identification module 234 for performing the offence identification operation and a device time accumulation module 236 for performing a device time accumulation operation.
- the correlation operation includes one or more of logs/events analysis, flow analysis, IP reputation analysis and geographic location analysis.
- the activity baselining and anomaly detection operation includes one or more of user activity analysis, database activity analysis, application activity analysis and network activity analysis.
- the offense identification operation includes one or more of credibility analysis, severity analysis and relevance analysis.
- the plurality of data sources 220 can include one or more of security devices 240 , servers and mainframes 242 , network and virtual activity data sources 244 , data activity data sources 246 , application activity data sources 248 , configuration information data sources 250 , vulnerabilities and threats information data sources 252 as well as users and identities data sources 254 .
- the data sources 220 can also include an event accumulation module 256 into which events generated by any of the data sources are stored while awaiting forwarding to the security intelligence platform 210 .
- the security intelligence platform 210 helps detect and defend against threats by applying sophisticated analytics to the data received from the plurality of data sources. In doing so, the security intelligence platform 210 helps identify high-priority incidents that might otherwise get lost in the noise of the operation of a large scale information processing environment.
- the security intelligence platform 200 uses some or all of the integrated family of modules to solve a number of business issues including: consolidating data silos into one integrated solution; identifying insider theft and fraud; managing vulnerabilities, configurations, compliance and risks; conducting forensic investigations of incidents and offenses; and, addressing regulatory mandates.
- the security intelligence platform 210 provides a plurality of functions.
- the security intelligence platforms consolidates data silos from a plurality of data sources. More specifically, while a wealth of information exists within organizations operating large scale information processing systems such as log, network flow and business process data, this information is often held in discrete data silos.
- the security intelligence platform 210 converges network, security and operations views into a unified and flexible solution.
- the security intelligence platform breaks down the walls between silos by correlating logs with network flows and a multitude of other data, presenting virtually all relevant information on a single screen. Such a correlation helps enable superior threat detection and a much richer view of enterprise activity.
- the security intelligence platform performs an insider fraud detection operation. Some of the gravest threats to an organization can come from the inside the organization, yet organizations often lack the intelligence needed to detect malicious insiders or outside parties that have compromised user accounts. By combining user and application monitoring with application-layer network visibility, organizations can better detect meaningful deviations from normal activity, helping to stop an attack before it completes.
- the security intelligence platform 210 predicts and remediates risk and vulnerabilities.
- Security, network and infrastructure teams strive to manage risk by identifying vulnerabilities and prioritizing remediation before a breach occurs.
- the security intelligence platform 210 integrates risk, configuration and vulnerability management with STEM capabilities, including correlation and network flow analytics, to help provide better insight into critical vulnerabilities. As a result, organizations can remediate risks more effectively and efficiently.
- the security intelligence platform 210 can conduct forensics analysis.
- the security intelligence platform 210 includes integrated incident forensics helps IT security teams reduce the time spent investigating security incidents, and eliminates the need for specialized training.
- the security intelligence platform 210 expands security data searches to include full packet captures and digitally stored text, voice, and image documents.
- the security intelligence platform helps present clarity around what happened when, who was involved, and what data was accessed or transferred in a security incident. As a result, the security intelligence platform 210 helps remediate a network breach and can help prevent it from succeeding again.
- the security intelligence platform 210 addresses regulatory compliance mandates. Many organizations wrestle with passing compliance audits while having to perform data collection, monitoring and reporting with increasingly limited resources. To automate and simplify compliance tasks, the security intelligence platform 210 provides collection, correlation and reporting on compliance-related activity, backed by numerous out-of-the-box report templates.
- the security intelligence platform 210 leverages easier-to-use security analytics. More specifically, the security intelligence platform 210 provides a unified architecture for storing, correlating, querying and reporting on log, flow, vulnerability, and malevolent user and asset data. The security intelligence platform 210 combines sophisticated analytics with out-of-the-box rules, reports and dashboards. While the platform is powerful and scalable for large corporations and major government agencies, the platform is also intuitive and flexible enough for small and midsize organizations. Users benefit from potentially faster time to value, lower cost of ownership, greater agility, and enhanced protection against security and compliance risks.
- the security intelligence platform 210 provides advanced intelligence. More specifically, by analyzing more types of data and using more analytics techniques, the platform can often detect threats that might be missed by other solutions and help provide advanced network visibility.
- the security intelligence platform 210 also provides advanced integration. Because the security intelligence platform includes a common application platform, database and user interface, the platform delivers massive log management scale without compromising the real-time intelligence of SIEM and network behavior analytics. It provides a common solution for all searching, correlation, anomaly detection and reporting functions. A single, intuitive user interface provides seamless access to all log management, flow analysis, incident management, configuration management, risk and vulnerability management, incident forensics, dashboard and reporting functions.
- the security intelligence platform 210 also provides advanced automation. More specifically, the security intelligence platform 201 is simple to deploy and manage, offering extensive out-of-the-box integration modules and security intelligence content. By automating many asset discovery, data normalization and tuning functions, while providing out-of-the-box rules and reports, the security intelligence platform 210 is designed to reduce complexity of the operation of the platform.
- the device time accumulation operation begins at step 310 by monitoring the data sources 220 to determine whether an event has been generated by a system within the security intelligence environment 200 . Any of the data sources 220 may generate an event.
- the data sources 220 may include one or more of a firewall, a network switch, a user end point (e.g., some form of information processing system such as a portable information processing system or a desktop information processing system), a wireless access point and a physical security device (e.g., a badge reader).
- the event is stored within the event accumulation module 256 .
- an event emit time is associated with the event and is stored within the event accumulation module 256 with the event at step 325 .
- an event emit time corresponds to the time at which an associated event is generated by a data source.
- the device time accumulation operation 300 analyzes an accumulation status to determine whether to forward any accumulated events on to the security intelligence platform 210 . If the device time accumulation operation 300 determines based upon the accumulation status to not forward the accumulated events, then the operation returns to step 310 to await a next event. If the device time accumulation operation 300 determines based upon the accumulation status to forward the accumulated events, then the operation 300 forwards the accumulated events to the security intelligence platform 210 at step 340 .
- an event ingest time is associated with each forwarded event at step 345 .
- an ingest emit time corresponds to the time at which an associated event is forwarded to the security intelligence platform 210 .
- the device time accumulation module 236 then makes use of both the event ingest time as well as the event emit time to analyze the events to take into account historical data. More specifically, the device time accumulation module 236 can use time series graphs for analyzing the events taking into account the event ingest time associated with the event as well as the event emit time.
- the event ingest times and the event emit times are used to create accumulations of the data.
- the accumulations that are created are used for analytics or to populate time-series graphs for graphical representation of the data.
- the accumulations may be ordered by device time of by security analysis platform time. This information becomes especially important when the analysis takes into account accumulation of multiple events across a given amount of time. In this situation, the emit times can skew the time series graph analysis whereas including ingest times in the time series graph does not.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Environmental & Geological Engineering (AREA)
- Data Mining & Analysis (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
- Field of the Invention
- The present invention relates in general to the field of computers and similar technologies, and in particular to software utilized in this field. Still more particularly, it relates to a method, system and computer-usable medium for performing a device time accumulation operation.
- Description of the Related Art
- Organizations today are exposed to a greater volume and variety of attacks than in the past. Advanced attackers are clever and patient, leaving just a whisper of their presence. Accordingly, it is desirable to provide security functionality which helps to detect and defend against threats by applying sophisticated analytics to more types of data. It is also desirable to provide such security functionality which identifies high-priority incidents that might otherwise get lost in the noise of the overall operation of a large scale information processing environment.
- It is known to provide security functionality to IT environments via security intelligence platforms which integrate security information and event management (SIEM), log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified solution.
- In many known IT environments such as large scale security intelligence platforms, events can be accumulated within a monitored system but not provided for analysis until some later time. When this occurs, the time information used for analyzing the events, including time series graphs, may be skewed.
- A method, system and computer-usable medium are disclosed for performing a device time accumulation operation. With a device time accumulation operation systems within a security intelligence platform which accumulate events within the IT environment associate an event ingest time with the event. When the events are provided for analysis, the device time accumulation operation analyzes the ingest times as well as the emit time to take into account historical time data associated with the accumulated events.
- The present invention may be better understood, and its numerous objects, features and advantages made apparent to those skilled in the art by referencing the accompanying drawings. The use of the same reference number throughout the several figures designates a like or similar element.
-
FIG. 1 depicts an exemplary client computer in which the present invention may be implemented. -
FIG. 2 is a simplified block diagram of a security intelligence platform. -
FIG. 3 is a generalized flowchart of the operation of a device time accumulation operation. - A method, system and computer-usable medium are disclosed for performing a device time accumulation operation. With a device time accumulation operation systems within a security intelligence platform which accumulate events within the IT environment associate an event ingest time with the event. When the events are provided for analysis, the device time accumulation operation analyzes the ingest times as well as the emit time to take into account historical time data associated with the accumulated events.
- As will be appreciated by one skilled in the art, the present invention may be embodied as a method, system, or computer program product. Accordingly, embodiments of the invention may be implemented entirely in hardware, entirely in software (including firmware, resident software, micro-code, etc.) or in an embodiment combining software and hardware. These various embodiments may all generally be referred to herein as a “circuit,” “module,” or “system.” Furthermore, the present invention may take the form of a computer program product on a computer-usable storage medium having computer-usable program code embodied in the medium.
- Any suitable computer usable or computer readable medium may be utilized. The computer-usable or computer-readable medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, or a magnetic storage device. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
- Computer program code for carrying out operations of the present invention may be written in an object oriented programming language such as Java, Smalltalk, C++ or the like. However, the computer program code for carrying out operations of the present invention may also be written in conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
- Embodiments of the invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
- The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
-
FIG. 1 is a block diagram of anexemplary client computer 102 in which the present invention may be utilized.Client computer 102 includes aprocessor unit 104 that is coupled to a system bus 106. Avideo adapter 108, which controls adisplay 110, is also coupled to system bus 106. System bus 106 is coupled via abus bridge 112 to an Input/Output (I/O) bus 114. An I/O interface 116 is coupled to I/O bus 114. The I/O interface 116 affords communication with various I/O devices, including akeyboard 118, a mouse 120, a Compact Disk-Read Only Memory (CD-ROM)drive 122, afloppy disk drive 124, and aflash drive memory 126. The format of the ports connected to I/O interface 116 may be any known to those skilled in the art of computer architecture, including but not limited to Universal Serial Bus (USB) ports. -
Client computer 102 is able to communicate with aservice provider server 152 via anetwork 128 using anetwork interface 130, which is coupled to system bus 106.Network 128 may be an external network such as the Internet, or an internal network such as an Ethernet Network or a Virtual Private Network (VPN). Usingnetwork 128,client computer 102 is able to use the present invention to accessservice provider server 152. - A
hard drive interface 132 is also coupled to system bus 106.Hard drive interface 132 interfaces with ahard drive 134. In a preferred embodiment,hard drive 134 populates asystem memory 136, which is also coupled to system bus 106. Data that populatessystem memory 136 includes the client computer's 102 operating system (OS) 138 and software programs 144. - OS 138 includes a
shell 140 for providing transparent user access to resources such as software programs 144. Generally,shell 140 is a program that provides an interpreter and an interface between the user and the operating system. More specifically,shell 140 executes commands that are entered into a command line user interface or from a file. Thus, shell 140 (as it is called in UNIX®), also called a command processor in Windows®, is generally the highest level of the operating system software hierarchy and serves as a command interpreter. The shell provides a system prompt, interprets commands entered by keyboard, mouse, or other user input media, and sends the interpreted command(s) to the appropriate lower levels of the operating system (e.g., a kernel 142) for processing. Whileshell 140 generally is a text-based, line-oriented user interface, the present invention can also support other user interface modes, such as graphical, voice, gestural, etc. - As depicted, OS 138 also includes
kernel 142, which includes lower levels of functionality for OS 138, including essential services required by other parts of OS 138 and software programs 144, including memory management, process and task management, disk management, and mouse and keyboard management. Software programs 144 may include abrowser 146 andemail client 148.Browser 146 includes program modules and instructions enabling a World Wide Web (WWW) client (i.e., client computer 102) to send and receive network messages to the Internet using HyperText Transfer Protocol (HTTP) messaging, thus enabling communication withservice provider server 152. In various embodiments, software programs 144 may also include a devicetime accumulation system 150. In these and other embodiments, the devicetime accumulation system 150 includes code for implementing the processes described hereinbelow. In one embodiment,client computer 102 is able to download the devicetime accumulation system 150 from aservice provider server 152. - The hardware elements depicted in
client computer 102 are not intended to be exhaustive, but rather are representative to highlight components used by the present invention. For instance,client computer 102 may include alternate memory storage devices such as magnetic cassettes, Digital Versatile Disks (DVDs), Bernoulli cartridges, and the like. These and other variations are intended to be within the spirit, scope and intent of the present invention. -
FIG. 2 shows a simplified block diagram of asecurity intelligence environment 200 which includes asecurity intelligence platform 210 in accordance with various aspects of the invention. Thesecurity intelligence platform 210 integrates security information and event management (STEM), log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified solution. By using intelligence, integration and automation to provide 360-degree security insight, thesecurity intelligence platform 210 delivers threat detection, ease of use and lower total cost of ownership. Thesecurity intelligence platform 210 uses intelligence, integration and automation to deliver security and compliance functionality. - The
security intelligence platform 210 receives information from one or more of a plurality ofdata sources 220 and performs one or more of correlation operations, activity baselining and anomaly detection operations, offense identification operations and device time accumulation operations to provide an identification of atrue offense 222 as well as identification of suspectedintendents 224. In certain embodiments, thesecurity intelligence platform 210 includes one or more of an integrated family of modules that can help detect threats that otherwise would be missed. For example, in certain embodiments, the family of modules can include acorrelation module 230 for performing the correlation operations, an activity baselining andanomaly detection module 232 for performing the activity baselining and anomaly detection operations, anoffence identification module 234 for performing the offence identification operation and a devicetime accumulation module 236 for performing a device time accumulation operation. In various embodiments, the correlation operation includes one or more of logs/events analysis, flow analysis, IP reputation analysis and geographic location analysis. In various embodiments, the activity baselining and anomaly detection operation includes one or more of user activity analysis, database activity analysis, application activity analysis and network activity analysis. In various embodiments, the offense identification operation includes one or more of credibility analysis, severity analysis and relevance analysis. The plurality ofdata sources 220 can include one or more ofsecurity devices 240, servers andmainframes 242, network and virtualactivity data sources 244, dataactivity data sources 246, applicationactivity data sources 248, configurationinformation data sources 250, vulnerabilities and threatsinformation data sources 252 as well as users and identities data sources 254. Thedata sources 220 can also include anevent accumulation module 256 into which events generated by any of the data sources are stored while awaiting forwarding to thesecurity intelligence platform 210. - The
security intelligence platform 210 helps detect and defend against threats by applying sophisticated analytics to the data received from the plurality of data sources. In doing so, thesecurity intelligence platform 210 helps identify high-priority incidents that might otherwise get lost in the noise of the operation of a large scale information processing environment. Thesecurity intelligence platform 200 uses some or all of the integrated family of modules to solve a number of business issues including: consolidating data silos into one integrated solution; identifying insider theft and fraud; managing vulnerabilities, configurations, compliance and risks; conducting forensic investigations of incidents and offenses; and, addressing regulatory mandates. - In various embodiments, the
security intelligence platform 210 provides a plurality of functions. For example, in certain embodiments, the security intelligence platforms consolidates data silos from a plurality of data sources. More specifically, while a wealth of information exists within organizations operating large scale information processing systems such as log, network flow and business process data, this information is often held in discrete data silos. Thesecurity intelligence platform 210 converges network, security and operations views into a unified and flexible solution. The security intelligence platform breaks down the walls between silos by correlating logs with network flows and a multitude of other data, presenting virtually all relevant information on a single screen. Such a correlation helps enable superior threat detection and a much richer view of enterprise activity. - Additionally, in various embodiments, the security intelligence platform performs an insider fraud detection operation. Some of the gravest threats to an organization can come from the inside the organization, yet organizations often lack the intelligence needed to detect malicious insiders or outside parties that have compromised user accounts. By combining user and application monitoring with application-layer network visibility, organizations can better detect meaningful deviations from normal activity, helping to stop an attack before it completes.
- Additionally, in various embodiments, the
security intelligence platform 210 predicts and remediates risk and vulnerabilities. Security, network and infrastructure teams strive to manage risk by identifying vulnerabilities and prioritizing remediation before a breach occurs. Thesecurity intelligence platform 210 integrates risk, configuration and vulnerability management with STEM capabilities, including correlation and network flow analytics, to help provide better insight into critical vulnerabilities. As a result, organizations can remediate risks more effectively and efficiently. - Additionally, in various embodiments, the
security intelligence platform 210 can conduct forensics analysis. In certain embodiments, thesecurity intelligence platform 210 includes integrated incident forensics helps IT security teams reduce the time spent investigating security incidents, and eliminates the need for specialized training. Thesecurity intelligence platform 210 expands security data searches to include full packet captures and digitally stored text, voice, and image documents. The security intelligence platform helps present clarity around what happened when, who was involved, and what data was accessed or transferred in a security incident. As a result, thesecurity intelligence platform 210 helps remediate a network breach and can help prevent it from succeeding again. - Additionally, in various embodiments, the
security intelligence platform 210 addresses regulatory compliance mandates. Many organizations wrestle with passing compliance audits while having to perform data collection, monitoring and reporting with increasingly limited resources. To automate and simplify compliance tasks, thesecurity intelligence platform 210 provides collection, correlation and reporting on compliance-related activity, backed by numerous out-of-the-box report templates. - The
security intelligence platform 210 leverages easier-to-use security analytics. More specifically, thesecurity intelligence platform 210 provides a unified architecture for storing, correlating, querying and reporting on log, flow, vulnerability, and malevolent user and asset data. Thesecurity intelligence platform 210 combines sophisticated analytics with out-of-the-box rules, reports and dashboards. While the platform is powerful and scalable for large corporations and major government agencies, the platform is also intuitive and flexible enough for small and midsize organizations. Users benefit from potentially faster time to value, lower cost of ownership, greater agility, and enhanced protection against security and compliance risks. - The
security intelligence platform 210 provides advanced intelligence. More specifically, by analyzing more types of data and using more analytics techniques, the platform can often detect threats that might be missed by other solutions and help provide advanced network visibility. - The
security intelligence platform 210 also provides advanced integration. Because the security intelligence platform includes a common application platform, database and user interface, the platform delivers massive log management scale without compromising the real-time intelligence of SIEM and network behavior analytics. It provides a common solution for all searching, correlation, anomaly detection and reporting functions. A single, intuitive user interface provides seamless access to all log management, flow analysis, incident management, configuration management, risk and vulnerability management, incident forensics, dashboard and reporting functions. - The
security intelligence platform 210 also provides advanced automation. More specifically, the security intelligence platform 201 is simple to deploy and manage, offering extensive out-of-the-box integration modules and security intelligence content. By automating many asset discovery, data normalization and tuning functions, while providing out-of-the-box rules and reports, thesecurity intelligence platform 210 is designed to reduce complexity of the operation of the platform. - Referring to
FIG. 3 a flow chart of a device time accumulation operation 300 is shown. More specifically, the device time accumulation operation begins atstep 310 by monitoring thedata sources 220 to determine whether an event has been generated by a system within thesecurity intelligence environment 200. Any of thedata sources 220 may generate an event. In various embodiments, thedata sources 220 may include one or more of a firewall, a network switch, a user end point (e.g., some form of information processing system such as a portable information processing system or a desktop information processing system), a wireless access point and a physical security device (e.g., a badge reader). Next, atstep 320 when an event is generated, the event is stored within theevent accumulation module 256. When the event is stored within theevent accumulation module 256, an event emit time is associated with the event and is stored within theevent accumulation module 256 with the event atstep 325. For the purposes of this disclosure, an event emit time corresponds to the time at which an associated event is generated by a data source. - Next, at
step 330, the device time accumulation operation 300 analyzes an accumulation status to determine whether to forward any accumulated events on to thesecurity intelligence platform 210. If the device time accumulation operation 300 determines based upon the accumulation status to not forward the accumulated events, then the operation returns to step 310 to await a next event. If the device time accumulation operation 300 determines based upon the accumulation status to forward the accumulated events, then the operation 300 forwards the accumulated events to thesecurity intelligence platform 210 atstep 340. When the events are forwarded to thesecurity intelligence platform 210, an event ingest time is associated with each forwarded event atstep 345. For the purposes of this disclosure, an ingest emit time corresponds to the time at which an associated event is forwarded to thesecurity intelligence platform 210. - The device
time accumulation module 236 then makes use of both the event ingest time as well as the event emit time to analyze the events to take into account historical data. More specifically, the devicetime accumulation module 236 can use time series graphs for analyzing the events taking into account the event ingest time associated with the event as well as the event emit time. In various embodiments, the event ingest times and the event emit times are used to create accumulations of the data. The accumulations that are created are used for analytics or to populate time-series graphs for graphical representation of the data. In various embodiments, the accumulations may be ordered by device time of by security analysis platform time. This information becomes especially important when the analysis takes into account accumulation of multiple events across a given amount of time. In this situation, the emit times can skew the time series graph analysis whereas including ingest times in the time series graph does not. - Although the present invention has been described in detail, it should be understood that various changes, substitutions and alterations can be made hereto without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (7)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/971,192 US20170104777A1 (en) | 2015-10-13 | 2015-12-16 | Device Time Accumulation |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/881,732 US9853985B2 (en) | 2015-10-13 | 2015-10-13 | Device time accumulation |
US14/971,192 US20170104777A1 (en) | 2015-10-13 | 2015-12-16 | Device Time Accumulation |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/881,732 Continuation US9853985B2 (en) | 2015-10-13 | 2015-10-13 | Device time accumulation |
Publications (1)
Publication Number | Publication Date |
---|---|
US20170104777A1 true US20170104777A1 (en) | 2017-04-13 |
Family
ID=58500195
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/881,732 Expired - Fee Related US9853985B2 (en) | 2015-10-13 | 2015-10-13 | Device time accumulation |
US14/971,192 Abandoned US20170104777A1 (en) | 2015-10-13 | 2015-12-16 | Device Time Accumulation |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/881,732 Expired - Fee Related US9853985B2 (en) | 2015-10-13 | 2015-10-13 | Device time accumulation |
Country Status (1)
Country | Link |
---|---|
US (2) | US9853985B2 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190050585A1 (en) * | 2015-10-13 | 2019-02-14 | International Business Machines Corporation | Security Systems GUI Application Framework |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030023874A1 (en) * | 2001-07-16 | 2003-01-30 | Rudy Prokupets | System for integrating security and access for facilities and information systems |
US8438276B1 (en) * | 2004-08-31 | 2013-05-07 | Precise Software Solutions, Inc. | Method of monitoring network and application performance by analyzing web clients and web servers |
US20130291115A1 (en) * | 2012-04-30 | 2013-10-31 | General Electric Company | System and method for logging security events for an industrial control system |
US9122859B1 (en) * | 2008-12-30 | 2015-09-01 | Google Inc. | Browser based event information delivery mechanism using application resident on removable storage device |
US20150295779A1 (en) * | 2014-04-15 | 2015-10-15 | Splunk Inc. | Bidirectional linking of ephemeral event streams to creators of the ephemeral event streams |
US20150295778A1 (en) * | 2014-04-15 | 2015-10-15 | Splunk Inc. | Inline visualizations of metrics related to captured network data |
US20160127401A1 (en) * | 2014-10-30 | 2016-05-05 | Splunk Inc. | Capture triggers for capturing network data |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7930752B2 (en) * | 2005-11-18 | 2011-04-19 | Nexthink S.A. | Method for the detection and visualization of anomalous behaviors in a computer network |
EP2332065A4 (en) * | 2008-07-31 | 2011-09-07 | Juma Technology Corp | Publish and subscribe method for real-time event monitoring in a system for managing a plurality of disparate networks |
US20110191394A1 (en) * | 2010-01-29 | 2011-08-04 | Winteregg Joel | Method of processing log files in an information system, and log file processing system |
US9047464B2 (en) | 2011-04-11 | 2015-06-02 | NSS Lab Works LLC | Continuous monitoring of computer user and computer activities |
JP6192995B2 (en) * | 2013-06-04 | 2017-09-06 | 株式会社東芝 | COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND COMPUTER PROGRAM |
US8914323B1 (en) | 2014-04-10 | 2014-12-16 | Sqrrl Data, Inc. | Policy-based data-centric access control in a sorted, distributed key-value data store |
-
2015
- 2015-10-13 US US14/881,732 patent/US9853985B2/en not_active Expired - Fee Related
- 2015-12-16 US US14/971,192 patent/US20170104777A1/en not_active Abandoned
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030023874A1 (en) * | 2001-07-16 | 2003-01-30 | Rudy Prokupets | System for integrating security and access for facilities and information systems |
US8438276B1 (en) * | 2004-08-31 | 2013-05-07 | Precise Software Solutions, Inc. | Method of monitoring network and application performance by analyzing web clients and web servers |
US9122859B1 (en) * | 2008-12-30 | 2015-09-01 | Google Inc. | Browser based event information delivery mechanism using application resident on removable storage device |
US20130291115A1 (en) * | 2012-04-30 | 2013-10-31 | General Electric Company | System and method for logging security events for an industrial control system |
US20150295779A1 (en) * | 2014-04-15 | 2015-10-15 | Splunk Inc. | Bidirectional linking of ephemeral event streams to creators of the ephemeral event streams |
US20150295778A1 (en) * | 2014-04-15 | 2015-10-15 | Splunk Inc. | Inline visualizations of metrics related to captured network data |
US20160127401A1 (en) * | 2014-10-30 | 2016-05-05 | Splunk Inc. | Capture triggers for capturing network data |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190050585A1 (en) * | 2015-10-13 | 2019-02-14 | International Business Machines Corporation | Security Systems GUI Application Framework |
US10678933B2 (en) * | 2015-10-13 | 2020-06-09 | International Business Machines Corporation | Security systems GUI application framework |
Also Published As
Publication number | Publication date |
---|---|
US20170104769A1 (en) | 2017-04-13 |
US9853985B2 (en) | 2017-12-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Bhatt et al. | The operational role of security information and event management systems | |
US11012466B2 (en) | Computerized system and method for providing cybersecurity detection and response functionality | |
US11809457B2 (en) | Systems and methods for indexing and aggregating data records | |
US9607144B1 (en) | User activity modelling, monitoring, and reporting framework | |
Kim et al. | A study on cyber threat prediction based on intrusion detection event for APT attack detection | |
US10862906B2 (en) | Playbook based data collection to identify cyber security threats | |
US10614226B2 (en) | Machine learning statistical methods estimating software system's security analysis assessment or audit effort, cost and processing decisions | |
US8719942B2 (en) | System and method for prioritizing computers based on anti-malware events | |
US10678933B2 (en) | Security systems GUI application framework | |
CN111726357A (en) | Attack behavior detection method and device, computer equipment and storage medium | |
US20240111809A1 (en) | System event detection system and method | |
US20200067985A1 (en) | Systems and methods of interactive and intelligent cyber-security | |
US9853985B2 (en) | Device time accumulation | |
US20170083986A1 (en) | License Givebacks in a Rate-Based System | |
Meenakshi et al. | Literature survey on log-based anomaly detection framework in cloud | |
US11588843B1 (en) | Multi-level log analysis to detect software use anomalies | |
CN114844691A (en) | Data processing method and device, electronic equipment and storage medium | |
WO2023224760A1 (en) | Event-triggered forensics capture | |
Pandey et al. | Role of Lean Six Sigma 4.0 and Digital Forensic Tools in Cyber Investigation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DAVIS, GREGORY A.;DZNELADZE, IRAKLE;KEIRSTEAD, JASON D.;AND OTHERS;SIGNING DATES FROM 20150923 TO 20151013;REEL/FRAME:037306/0497 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STCV | Information on status: appeal procedure |
Free format text: NOTICE OF APPEAL FILED |
|
STCV | Information on status: appeal procedure |
Free format text: APPEAL BRIEF (OR SUPPLEMENTAL BRIEF) ENTERED AND FORWARDED TO EXAMINER |
|
STCV | Information on status: appeal procedure |
Free format text: EXAMINER'S ANSWER TO APPEAL BRIEF MAILED |
|
STCV | Information on status: appeal procedure |
Free format text: ON APPEAL -- AWAITING DECISION BY THE BOARD OF APPEALS |
|
STCV | Information on status: appeal procedure |
Free format text: BOARD OF APPEALS DECISION RENDERED |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION |