Method, apparatus, and program for associating related heterogeneous events in an event handler
    4.
    Granted invention patent
    Status: in force

    Publication (announcement) number: US07308689B2

    Publication (announcement) date: 2007-12-11

    Application number: US10324569

    Filing date: 2002-12-18

    IPC classification: G06F13/00

    Abstract: An event handler is provided that associates events from heterogeneous data sources. In a first phase, incoming events are translated to vectors of event attributes. Based on the data source, implicit information about the event and its attributes may be available. This information is used to normalize the information provided by the event. Normalization actions may include renaming the attributes, deriving new attributes from given attributes, and transforming attribute value ranges. In a second phase, a determination is made as to whether two or more events are considered to be associated based on the vectors. Different vectors of core attributes may be created in order to create associations with different semantics.

Presentation of Correlated Events as Situation Classes
    6.
    Invention patent application
    Status: in force

    Publication (announcement) number: US20070204343A1

    Publication (announcement) date: 2007-08-30

    Application number: US11743728

    Filing date: 2007-05-03

    IPC classification: G06F21/00

    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups (“situations”) are presented to a user or administrator.

Method of managing alerts issued by intrusion detection sensors of an information security system
    7.
    Invention patent application
    Status: in force

    Publication (announcement) number: US20070150579A1

    Publication (announcement) date: 2007-06-28

    Application number: US10583586

    Filing date: 2004-12-16

    CPC classification: H04L63/1425 H04L43/12

    Abstract: A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content. Each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) is associated with a description including a conjunction of valued attributes belonging to attribute domains. The valued attributes belonging to each attribute domain are organized into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures. The description of each of said alerts is completed with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts. The complete alerts are stored in a logic file system (21) to enable them to be consulted.

Generic method for detecting attack programs hidden in data chains
    8.
    Granted invention patent
    Status: lapsed

    Publication (announcement) number: US07891002B2

    Publication (announcement) date: 2011-02-15

    Application number: US10491851

    Filing date: 2002-09-20

    IPC classification: G06F12/14 G06F21/00 G08B23/00

    CPC classification: G06F21/563

    Abstract: This invention concerns a method for processing computer system input data including at least one detection step for a specific word INSTR present among said data. In the method according to the invention, the specific word to be detected represents an instruction necessary for the execution of a program present among said data. Because it focuses detection on the means necessary for the execution of an attack program, which thus reveal the presence of said program, the invention can be used to simply and effectively detect different types of attacks.

Method and System for Detecting Intrusions
    9.
    Invention patent application
    Status: pending (published)

    Publication (announcement) number: US20090138970A1

    Publication (announcement) date: 2009-05-28

    Application number: US11988492

    Filing date: 2006-07-06

    IPC classification: G06F21/00

    CPC classification: H04L63/14 H04L63/1408

    Abstract: A method of automatically detecting intrusions among events under surveillance. The method comprises comparing an event under surveillance to a set of patterns, each pattern being associated with a predetermined intrusion signature from a set of intrusion signatures, determining among said set of intrusion signatures a subset of intrusion signatures revealing a particular intrusion in said event under surveillance, and dynamically generating a new signature corresponding to said subset of intrusion signatures, said new signature being dedicated to recognizing said particular intrusion.

Suppression of False Alarms in Alarms Arising from Intrusion Detection Probes in a Monitored Information System
    10.
    Invention patent application
    Status: pending (published)

    Publication (announcement) number: US20080165000A1

    Publication (announcement) date: 2008-07-10

    Application number: US11579901

    Filing date: 2005-05-09

    IPC classification: G08B13/00

    Abstract: The invention relates to a system and a method of suppressing false alarms among alarms issued by intrusion detection sensors (13a, 13b, 13c) of a protected information system (1) including entities (9, 11a, 11b) generating attacks associated with the alarms and an alarm management system (15), the method comprising the following steps: using a false alarm suppression module (23) to define qualitative relationships between the entities (9, 11a, 11b) and a set of profiles; using the false alarm suppression module (23) to define nominative relationships between the set of profiles and a set of names of attacks which that set of profiles is recognized as generating; and using the false alarm suppression module (23) to qualify a given alarm as a false alarm if the entity (9, 11a, 11b) implicated in the given alarm has a profile recognized as generating the attack associated with that given alarm.