WO2005060205A1 - Method of managing a set of alerts issued by intrusion detection probes of an information security system - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/12—Network monitoring probes
Definitions
- the invention relates to a method for managing a set of alerts from intrusion detection probes.
- the security of information systems requires the deployment of “IDS” intrusion detection systems comprising intrusion detection probes that issue alerts to alert management systems.
- Intrusion detection probes are active components of the intrusion detection system that analyze one or more data sources in search of events characteristic of an intrusive activity and issue alerts to alert management systems.
- An alert management system centralizes alerts from probes and optionally performs an analysis of all of these alerts.
- The intrusion detection probes generate a very large number of alerts, which can reach several thousand per day depending on the configurations and the environment. The excess of alerts can result from a combination of several phenomena. First, false alerts account for up to 90% of the total number of alerts. Then, the alerts are often too granular, that is to say that their semantic content is very poor.
- alerts are often redundant and recurrent.
- the excess of alerts makes them difficult to understand and manipulate by a human security operator.
- Upstream processing of alerts at the management system level is therefore necessary to facilitate the analysis work of the security operator.
- Current alert management systems consist in storing alerts in a relational database management system (RDBMS).
- The security operator can thus interrogate this RDBMS by submitting a request relating to the properties of the alerts.
- The RDBMS returns to the operator all the alerts whose description meets the request.
- the disadvantage of these systems is the fact that the alerts provided to the operator can be numerous and granular, which makes their analysis tedious.
- The invention aims to remedy these drawbacks and to provide a simple method of managing a set of alerts from intrusion detection probes that allows flexible, easy and quick consultation of this set of alerts.
- A method of managing a set of alerts from intrusion detection probes of an information security system comprising an alert management system, each alert being defined by an alert identifier and alert content, is characterized in that it comprises the following steps: associating with each of the alerts from the intrusion detection probes a description comprising a conjunction of a plurality of value attributes belonging to a plurality of attribute domains; organizing the value attributes belonging to each attribute domain into a taxonomic structure defining generalization relationships between said value attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures; completing the description of each of said alerts with the sets of values induced by the taxonomic structures from the value attributes of said alerts, to form complete alerts; and storing said complete alerts in a logical file system to allow consultation.
- storing complete alerts in a logical file system allows a security operator to consult the alert management system in an efficient, fast and flexible manner in order to obtain an accurate view of all of the alerts from intrusion detection probes.
- The consultation of complete alerts can be carried out by a succession of interrogations and/or navigations in said complete alerts, so that in response to a request the alert management system provides relevant value attributes making it possible to distinguish a subset of complete alerts among the set of complete alerts satisfying the request, in order to allow the refinement of said request.
- the relevant value attributes are in priority the most general with regard to the plurality of taxonomic structures.
- the alert management system in response to the request, also provides alert identifiers satisfying the request and the description of which cannot be refined with respect to said request.
- the alert identifier is a pair formed by an identifier of the intrusion detection probe which produces the alert and an alert serial number assigned by said probe.
- the content of each alert includes a text message provided by the corresponding intrusion detection probe.
- Each value attribute has an attribute identifier and an attribute value.
- each attribute identifier is associated with an attribute domain among the following domains: domain of the attack, domain of the identity of the attacker, domain of the identity of the victim and date range of the attack.
- The description of a given alert is supplemented by recovering, from the generalization relationships of the plurality of taxonomic structures and recursively, a set comprising the more general value attributes that are not already present in the description of another previously completed alert.
- The value attributes in a taxonomic structure are organized according to a directed acyclic graph.
- the invention also relates to a computer program designed to implement the above method, when it is executed by the alert management system.
- FIG. 1 is a very schematic view of an information security system comprising an alert management system according to the invention.
- FIG. 2 is a flowchart illustrating the steps of the method for managing a set of alerts, according to the invention
- FIG. 3A illustrates an example of documentation associated with signatures of attacks
- FIG. 3B very schematically shows a taxonomic structure associated with the example of FIG. 3A.
- FIG. 1 illustrates an example of an intrusion detection system 1 connected through a router 3 to an external network 5 and to an internal network 7a and 7b with a distributed architecture.
- The intrusion detection system 1 comprises several intrusion detection probes 11a, 11b, 11c and an alert management system 13.
- A first intrusion detection probe 11a monitors the alerts coming from the outside.
- A second probe 11b monitors a part of the internal network 7a comprising workstations 15.
- A third probe 11c monitors another part of the internal network 7b comprising servers 17 delivering information to the external network 5.
- The alert management system 13 includes a host 19 dedicated to processing alerts, a logical file system 21, and an output unit 23.
- the logical file system can be of the "LISFS" type proposed by Padioleau and Ridoux, in a conference (Usenix Annual Technical Conference 2003) entitled "A Logic File System".
- files are objects with associated descriptions, expressed in propositional logic.
- the description of a file is a combination of properties.
- the properties of the files are the directories of the file system, so that the path of a file is its description.
- a path is therefore a logical formula.
- a file system location contains all the files whose description satisfies the formula corresponding to the location path.
- specific commands allow you to navigate and manipulate the files and their descriptions.
- The probes 11a, 11b, 11c deployed in the intrusion detection system 1 send (arrows 26) their alerts 25 to the alert management system 13.
- FIG. 2 is a flowchart illustrating the steps of the method for managing a set O of alerts originating from intrusion detection probes according to the invention. Each alert o in this set O of alerts is defined by an alert identifier and alert content.
- An alert o ∈ O is defined by a unique alert identifier id(o) given by a pair (s, n), where s is the serial identifier of the intrusion detection probe that produced the alert and n is an alert serial number assigned by this probe to the alert o.
- The content m_o of the alert o includes a text message provided by the intrusion detection probe that produced the alert and which is intended for the security operator.
- Step E1 consists in associating with each of the alerts from the intrusion detection probes 11a, 11b, 11c a description d(o) comprising a conjunction of a plurality of value attributes {d_oj} belonging to a plurality (a set) of attribute domains {A}.
- A value attribute d_oj is a pair (a, v) comprising an attribute identifier a and an attribute value v.
- Each attribute identifier a is associated with an attribute domain A among the following domains: attack domain, attacker identity domain, victim identity domain and date domain of the attack.
- An attribute domain A is a discrete set equipped with a partial order relation, which defines the domain of the attribute value d_oj.
- Step E2 consists in organizing the value attributes d oi belonging to each attribute domain A into a taxonomic structure defining generalization (or specialization) relationships between these value attributes.
- There is one taxonomy per attribute domain.
- the plurality of attribute domains forms a plurality of taxonomic structures.
- The taxonomic structure of the value attributes is generically a directed acyclic graph.
- the taxonomic relationships are modeled by axioms.
- Step E3 consists in completing the description of each of the alerts from the intrusion detection probes 11a, 11b, 11c with the sets of values induced by the taxonomic structures from the value attributes of these initial alerts, to form full alerts.
- The value attributes of the alerts produced by the intrusion detection probes are the most specific values of the taxonomies.
- The alert management system 13 can, for example, complete the description of an alert by recovering, from the generalization relationships of the plurality of taxonomic structures and recursively, a set comprising more general value attributes that are not already present in the description of another previously completed alert.
- The description of a given alert is thus completed by a process that climbs a given taxonomy from a given value attribute. If the more general value attribute already exists in the description of another previously processed alert, the ascent stops; otherwise it is added to the description and the process is repeated from this added value attribute.
- step E4 of FIG. 2 consists of storing the alerts, which were completed in the previous step, in the logical file system 21 to allow consultation thereof.
- A "StoreAlert" algorithm describes the process for storing a new alert in a logical file system such as LISFS.
- The complete alert and its content are stored by a storage command "cp", which takes as parameters the content m_o of the alert, the description of the alert d_o1 ∧ … ∧ d_on, and the identifier id(o) of the alert.
- the storage of full alerts in the logical file system 21 allows their consultation by a succession of interrogations and / or browsing in all of the full alerts.
- the alert management system 13 provides relevant value attributes making it possible to distinguish a subset of full alerts from a set of full alerts satisfying the request in order to allow the refinement of this query.
- A request from the security operator is a logical formula f, which combines conjunctions ∧, disjunctions ∨ and negations ¬.
- The description d(o) of an alert o satisfies a request f if the request f is a logical consequence of the description d(o), written d(o) ⊨ f.
- The set A of relevant value attributes is the set of value attributes, taken from the attribute domains, such that for any relevant value attribute p of A, the set of full alerts satisfying the conjunction of the current request f with p is non-empty and strictly contained in the set of full alerts satisfying the current request f.
- Writing ext(f) for the set of full alerts whose description satisfies f, this set A of relevant value attributes, which make it possible to distinguish alerts from one another, can be defined as follows: A = { p : ∅ ⊂ ext(f ∧ p) ⊂ ext(f) }.
- The set A can be considered as a set of navigation links, by defining each relevant value attribute p as a navigation link.
- The security operator can thus refine the current request f by choosing a navigation link p ∈ A provided by the alert management system 13.
- The current request f of the security operator is thus transformed into the new request f ∧ p.
- The alert management system 13 provides, as a priority, the most general relevant value attributes with regard to the plurality of taxonomic structures.
- The set A_max of the most general relevant value attributes is then given by max(A), the set of relevant value attributes p of A that have no more general relevant value attribute in A.
- The alert management system also provides a set O of alert identifiers whose description satisfies the current request f and which cannot be refined, that is to say described more precisely, with respect to this request f.
- The set O of alert identifiers includes any alert identifier whose description satisfies the current request f and such that there is no relevant value attribute p for which the conjunction f ∧ p is satisfied by the description of this same alert. This set O can be defined as follows: O = { id(o) : d(o) ⊨ f and there is no p ∈ A such that d(o) ⊨ f ∧ p }.
- The domain of the value attribute "attack" consists of the identifiers of attack signatures contained in the alerts generated by the intrusion detection probes 11a, 11b, 11c.
- the domain of the attack value attribute also includes the vulnerabilities possibly exploited by an attack.
- the vulnerabilities are more abstract, that is to say more general, than attack identifiers.
- The other values used to qualify the attacks come from the keywords used to qualify the attacks in the documentation of the intrusion detection probes 11a, 11b, 11c.
- FIG. 3A illustrates an example of documentation associated with the signatures of attacks.
- Column 31 of table 33 contains integers designating the attack signatures.
- FIG. 3B shows a taxonomic structure 37 defining generalization relationships 39 between the value attributes contained in table 33. This taxonomic structure 37 is organized according to expert knowledge, using the keywords from the documentation of the signatures in table 33.
- the attack signatures 31 constitute the most specific value attributes.
- The domain of the value attribute "attacker" contains IP addresses. An external IP address can be generalized to the name of the organization owning the range of IP addresses to which the address belongs.
- The name of the organization corresponds to the "netname" field contained in the databases of IANA, the organization that manages the allocation of IP addresses.
- Internal IP addresses and private IP addresses (non-routable) can be generalized into local network identifiers defined by an administrator of the intrusion detection system 1.
- The names of organizations can be generalized to the value "ext" and the local network identifiers can be generalized to the value "int".
- the value attribute domain "victim" has IP addresses. These victims' IP addresses can be generalized to the address of the corresponding local network.
- These IP addresses can also be generalized into machine names, obtained by name resolution mechanisms. Machine names can be generalized into host “functions” (for example web server), defined by the site administrator.
- Machine names can be generalized into local network identifiers defined by the network administrator (for example DMZ).
- The value attribute domain "date" contains the timestamps of the alerts in the DD-MM-YYYY hh:mm:ss format.
- the dates are successively generalized in minutes, hour, day, and month in the year. These generalizations ultimately correspond to increasingly crude abstractions of the date of an attack.
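Steps E1 to E4 and the link-based navigation described above, on the attack, attacker, victim and date taxonomies given as examples, as an added Python model that is not the patent's own code: a dict stands in for the LISFS store, the "cp" command is simulated by store_alert(), requests are restricted to conjunctions of value attributes, and every alert, signature number and taxonomy value is constructed for the demonstration.

```python
from itertools import chain
# One taxonomy per attribute domain, as a parent map: (domain, value) -> more
# general values of the same domain. Constructed sample data; the victim
# taxonomy is a DAG (host:www has two parents, a host function and a network).
PARENTS = {
    ("attack", "sig:1"): {"cgi-scan"}, ("attack", "cgi-scan"): {"web-attack"},
    ("attack", "sig:2"): {"sql-injection"}, ("attack", "sql-injection"): {"web-attack"},
    ("attack", "sig:3"): {"ping-flood"}, ("attack", "ping-flood"): {"dos"},
    ("attacker", "203.0.113.5"): {"org:example-net"}, ("attacker", "org:example-net"): {"ext"},
    ("attacker", "198.51.100.9"): {"org:other-net"}, ("attacker", "org:other-net"): {"ext"},
    ("attacker", "10.0.0.7"): {"lan:office"}, ("attacker", "lan:office"): {"int"},
    ("victim", "192.0.2.10"): {"host:www"},
    ("victim", "host:www"): {"function:web-server", "net:dmz"},
    ("victim", "192.0.2.20"): {"host:mail"},
    ("victim", "host:mail"): {"function:mail-server", "net:dmz"},
}
# The date taxonomy is computed from the DD-MM-YYYY hh:mm:ss timestamp:
# second -> minute -> hour -> day -> month (string lengths 19, 16, 13, 10, 7).
DATE_CUTS = {19: 16, 16: 13, 13: 10}

def parents(attr):
    """One generalization step for a value attribute (domain, value)."""
    domain, value = attr
    if domain == "date":
        if len(value) in DATE_CUTS:
            return {("date", value[:DATE_CUTS[len(value)]])}
        return {("date", value[3:])} if len(value) == 10 else set()
    return {(domain, v) for v in PARENTS.get(attr, ())}

def complete(description):
    """Step E3: add every value the taxonomies induce (upward closure). The patent's
    variant stops at values already recorded for earlier alerts; same logical content."""
    done, todo = set(), list(description)
    while todo:
        a = todo.pop()
        if a not in done:
            done.add(a)
            todo.extend(parents(a))
    return frozenset(done)

def store_alert(store, ident, content, description):
    """Step E4, the "cp" command: file the full alert under its description,
    which in LISFS is its path; ident is the pair (probe id, serial number)."""
    store[ident] = (content, complete(description))

def ext(store, query):
    """Extension of a conjunctive request f: ids whose description entails f."""
    return {i for i, (_, d) in store.items() if query <= d}

def relevant(store, query):
    """Navigation links: p such that {} < ext(f & p) < ext(f) (strict subsets)."""
    base = ext(store, query)
    every = set(chain.from_iterable(d for _, d in store.values()))
    return {p for p in every if (sub := ext(store, query | {p})) and sub < base}

def most_general(store, query):
    """max(A): relevant links that have no more general relevant link."""
    rel = relevant(store, query)
    return {p for p in rel if not (complete({p}) - {p}) & rel}

def unrefinable(store, query):
    """Alert ids satisfying f that no relevant link can narrow any further."""
    rel = relevant(store, query)
    return {i for i in ext(store, query) if not store[i][1] & rel}

def build_sample_store():
    """Constructed alerts from probes 11a, 11b, 11c; content is the probe's message."""
    store = {}
    rows = [
        (("11a", 1), "CGI scan", "sig:1", "203.0.113.5", "192.0.2.10", "17-12-2003 10:15:32"),
        (("11a", 2), "SQL injection", "sig:2", "203.0.113.5", "192.0.2.10", "17-12-2003 10:15:40"),
        (("11b", 1), "ICMP flood", "sig:3", "10.0.0.7", "192.0.2.10", "17-12-2003 11:02:05"),
        (("11c", 1), "CGI scan", "sig:1", "198.51.100.9", "192.0.2.20", "18-12-2003 09:00:00"),
    ]
    for ident, msg, sig, src, dst, when in rows:
        # Step E1: the description is one value attribute per domain (step E2,
        # the taxonomies, is the PARENTS map and the date rule above).
        desc = {("attack", sig), ("attacker", src), ("victim", dst), ("date", when)}
        store_alert(store, ident, msg, desc)
    return store

if __name__ == "__main__":
    store, f = build_sample_store(), frozenset()
    for p in (("attack", "web-attack"), ("attacker", "org:example-net"), ("attack", "cgi-scan")):
        print(sorted(most_general(store, f)), sorted(unrefinable(store, f)))
        f = f | {p}  # the operator follows link p: f becomes f & p
    print("final unrefinable:", sorted(unrefinable(store, f)))
```

With the empty request the system offers only the eight top-level links (web-attack, dos, ext, int, the two host functions and the two days) rather than the forty-odd attributes in the store, and after three refinements alert ("11a", 1) is the single alert left that no link can split.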
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP04816392A EP1700453A1 (fr) | 2003-12-17 | 2004-12-16 | PROCEDE DE GESTION D’UN ENSEMBLE D’ALERTES ISSUES DE SONDES DE DETECTION D'INTRUSIONS D'UN SYSTEME DE SECURITE D'INFORMATIONS. |
US10/583,586 US7810157B2 (en) | 2003-12-17 | 2004-12-16 | Method of managing alerts issued by intrusion detection sensors of an information security system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0314833A FR2864282A1 (fr) | 2003-12-17 | 2003-12-17 | Procede de gestion d'un ensemble d'alertes issus de sondes de detection d'intrusions d'un systeme de securite d'informations. |
FR0314833 | 2003-12-17 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005060205A1 true WO2005060205A1 (fr) | 2005-06-30 |
Family
ID=34630264
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FR2004/003252 WO2005060205A1 (fr) | 2003-12-17 | 2004-12-16 | Procede de gestion d’un ensemble d’alertes issues de sondes de detection d’intrusions d’un systeme de securite d’informations. |
Country Status (4)
Country | Link |
---|---|
US (1) | US7810157B2 (fr) |
EP (1) | EP1700453A1 (fr) |
FR (1) | FR2864282A1 (fr) |
WO (1) | WO2005060205A1 (fr) |
Families Citing this family (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7788722B1 (en) | 2002-12-02 | 2010-08-31 | Arcsight, Inc. | Modular agent for network security intrusion detection system |
US7376969B1 (en) | 2002-12-02 | 2008-05-20 | Arcsight, Inc. | Real time monitoring and analysis of events from multiple network security devices |
US7899901B1 (en) | 2002-12-02 | 2011-03-01 | Arcsight, Inc. | Method and apparatus for exercising and debugging correlations for network security system |
US7219239B1 (en) | 2002-12-02 | 2007-05-15 | Arcsight, Inc. | Method for batching events for transmission by software agent |
US7607169B1 (en) | 2002-12-02 | 2009-10-20 | Arcsight, Inc. | User interface for network security console |
US8176527B1 (en) | 2002-12-02 | 2012-05-08 | Hewlett-Packard Development Company, L. P. | Correlation engine with support for time-based rules |
US7650638B1 (en) | 2002-12-02 | 2010-01-19 | Arcsight, Inc. | Network security monitoring system employing bi-directional communication |
US7260844B1 (en) | 2003-09-03 | 2007-08-21 | Arcsight, Inc. | Threat detection in a network security system |
US8015604B1 (en) | 2003-10-10 | 2011-09-06 | Arcsight Inc | Hierarchical architecture in a network security system |
US9027120B1 (en) | 2003-10-10 | 2015-05-05 | Hewlett-Packard Development Company, L.P. | Hierarchical architecture in a network security system |
US7565696B1 (en) | 2003-12-10 | 2009-07-21 | Arcsight, Inc. | Synchronizing network security devices within a network security system |
US8528077B1 (en) | 2004-04-09 | 2013-09-03 | Hewlett-Packard Development Company, L.P. | Comparing events from multiple network security devices |
US7509677B2 (en) | 2004-05-04 | 2009-03-24 | Arcsight, Inc. | Pattern discovery in a network security system |
US7644438B1 (en) | 2004-10-27 | 2010-01-05 | Arcsight, Inc. | Security event aggregation at software agent |
US9100422B1 (en) | 2004-10-27 | 2015-08-04 | Hewlett-Packard Development Company, L.P. | Network zone identification in a network security system |
US7809131B1 (en) | 2004-12-23 | 2010-10-05 | Arcsight, Inc. | Adjusting sensor time in a network security system |
US7647632B1 (en) | 2005-01-04 | 2010-01-12 | Arcsight, Inc. | Object reference in a system |
US8850565B2 (en) * | 2005-01-10 | 2014-09-30 | Hewlett-Packard Development Company, L.P. | System and method for coordinating network incident response activities |
US7844999B1 (en) | 2005-03-01 | 2010-11-30 | Arcsight, Inc. | Message parsing in a network security system |
FR2888440A1 (fr) * | 2005-07-08 | 2007-01-12 | France Telecom | Procede et systeme de detection d'intrusions |
CN101350745B (zh) * | 2008-08-15 | 2011-08-03 | 北京启明星辰信息技术股份有限公司 | 一种入侵检测方法及装置 |
US8566947B1 (en) * | 2008-11-18 | 2013-10-22 | Symantec Corporation | Method and apparatus for managing an alert level for notifying a user as to threats to a computer |
US9244713B1 (en) * | 2014-05-13 | 2016-01-26 | Nutanix, Inc. | Method and system for sorting and bucketizing alerts in a virtualization environment |
US10313396B2 (en) * | 2016-11-15 | 2019-06-04 | Cisco Technology, Inc. | Routing and/or forwarding information driven subscription against global security policy data |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0735477A1 (fr) * | 1995-03-31 | 1996-10-02 | Alcatel N.V. | Méthode et système de gestion de base de données d'erreur en temps réel |
EP1146689A2 (fr) * | 2000-04-12 | 2001-10-17 | Mitel Knowledge Corporation | Hiérarchie d'arbre et description des fichiers génerés |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6445774B1 (en) * | 1997-11-17 | 2002-09-03 | Mci Communications Corporation | System for automated workflow in a network management and operations system |
US6393386B1 (en) * | 1998-03-26 | 2002-05-21 | Visual Networks Technologies, Inc. | Dynamic modeling of complex networks and prediction of impacts of faults therein |
US6707795B1 (en) * | 1999-04-26 | 2004-03-16 | Nortel Networks Limited | Alarm correlation method and system |
US6647400B1 (en) * | 1999-08-30 | 2003-11-11 | Symantec Corporation | System and method for analyzing filesystems to detect intrusions |
US7203962B1 (en) * | 1999-08-30 | 2007-04-10 | Symantec Corporation | System and method for using timestamps to detect attacks |
US7159237B2 (en) * | 2000-03-16 | 2007-01-02 | Counterpane Internet Security, Inc. | Method and system for dynamic network intrusion monitoring, detection and response |
CA2313908A1 (fr) * | 2000-07-14 | 2002-01-14 | David B. Skillicorn | Detection d'intrusion dans des reseaux faisant appel a la decomposition en valeurs singulieres |
US6732153B1 (en) * | 2000-05-23 | 2004-05-04 | Verizon Laboratories Inc. | Unified message parser apparatus and system for real-time event correlation |
CA2417817C (fr) * | 2000-08-11 | 2007-11-06 | British Telecommunications Public Limited Company | Systeme et procede de detection d'evenements |
US7917393B2 (en) * | 2000-09-01 | 2011-03-29 | Sri International, Inc. | Probabilistic alert correlation |
GB0022485D0 (en) * | 2000-09-13 | 2000-11-01 | Apl Financial Services Oversea | Monitoring network activity |
US7379993B2 (en) * | 2001-09-13 | 2008-05-27 | Sri International | Prioritizing Bayes network alerts |
US7437762B2 (en) * | 2001-11-29 | 2008-10-14 | International Business Machines Corporation | Method, computer program element and a system for processing alarms triggered by a monitoring system |
US20030101260A1 (en) * | 2001-11-29 | 2003-05-29 | International Business Machines Corporation | Method, computer program element and system for processing alarms triggered by a monitoring system |
US6801940B1 (en) * | 2002-01-10 | 2004-10-05 | Networks Associates Technology, Inc. | Application performance monitoring expert |
US7026926B1 (en) * | 2002-08-15 | 2006-04-11 | Walker Iii Ethan A | System and method for wireless transmission of security alarms to selected groups |
EP1535164B1 (fr) * | 2002-08-26 | 2012-01-04 | International Business Machines Corporation | Determination du niveau de menace associe a l'activite d'un reseau |
KR100456634B1 (ko) * | 2002-10-31 | 2004-11-10 | 한국전자통신연구원 | 정책기반 침입 탐지 및 대응을 위한 경보 전달 장치 및 방법 |
US7712133B2 (en) * | 2003-06-20 | 2010-05-04 | Hewlett-Packard Development Company, L.P. | Integrated intrusion detection system and method |
US20050086529A1 (en) * | 2003-10-21 | 2005-04-21 | Yair Buchsbaum | Detection of misuse or abuse of data by authorized access to database |
- 2003
  - 2003-12-17 FR FR0314833A patent/FR2864282A1/fr not_active Withdrawn
- 2004
  - 2004-12-16 US US10/583,586 patent/US7810157B2/en not_active Expired - Fee Related
  - 2004-12-16 WO PCT/FR2004/003252 patent/WO2005060205A1/fr active Application Filing
  - 2004-12-16 EP EP04816392A patent/EP1700453A1/fr not_active Withdrawn
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0735477A1 (fr) * | 1995-03-31 | 1996-10-02 | Alcatel N.V. | Méthode et système de gestion de base de données d'erreur en temps réel |
EP1146689A2 (fr) * | 2000-04-12 | 2001-10-17 | Mitel Knowledge Corporation | Hiérarchie d'arbre et description des fichiers génerés |
Non-Patent Citations (3)
Title |
---|
DEBAR H ET AL: "A REVISED TAXONOMY FOR INTRUSION-DETECTION SYSTEMS", ANNALES DES TELECOMMUNICATIONS - ANNALS OF TELECOMMUNICATIONS, PRESSES POLYTECHNIQUES ET UNIVERSITAIRES ROMANDES, LAUSANNE, CH, vol. 55, no. 7/8, July 2000 (2000-07-01), pages 361 - 378, XP000954771, ISSN: 0003-4347 * |
ULF LINDQVIST AND ERLAND JONSSON: "How to Systematically Classify Computer Security Intrusions", PROCEEDINGS OF THE 21ST NATIONAL INFORMATION SYSTEMS SECURITY CONFERENCE, 4 May 1997 (1997-05-04) - 8 May 2003 (2003-05-08), OAKLAND, CALIFORNIA, pages 154 - 163, XP002291664, Retrieved from the Internet <URL:http://www.ce.chalmers.se/old/staff/ulfl/pubs/sp97ul.pdf> [retrieved on 20040809] * |
YOANN PADIOLEAU AND OLIVIER RIDOUX: "A Logic File System", PROCEEDINGS OF THE 2003 USENIX ANNUAL TECHNICAL CONFERENCE, 9 June 2003 (2003-06-09) - 14 June 2003 (2003-06-14), SAN ANTONIO, TEXAS, USA, XP002291663, Retrieved from the Internet <URL:http://www.usenix.org/events/usenix03/tech/full_papers/padioleau/padioleau.pdf> [retrieved on 20040809] * |
Also Published As
Publication number | Publication date |
---|---|
EP1700453A1 (fr) | 2006-09-13 |
US7810157B2 (en) | 2010-10-05 |
FR2864282A1 (fr) | 2005-06-24 |
US20070150579A1 (en) | 2007-06-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | WWE | Wipo information: entry into national phase | Ref document number: 2007150579, Country of ref document: US; Ref document number: 10583586, Country of ref document: US |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
 | WWE | Wipo information: entry into national phase | Ref document number: 2004816392, Country of ref document: EP |
 | WWP | Wipo information: published in national office | Ref document number: 2004816392, Country of ref document: EP |
 | WWP | Wipo information: published in national office | Ref document number: 10583586, Country of ref document: US |