Threat scoring system and method for intrusion detection security networks
    3.
    发明申请
    Threat scoring system and method for intrusion detection security networks 有权
    入侵检测安全网络的威胁评分系统和方法

    公开(公告)号:US20070169194A1

    公开(公告)日:2007-07-19

    申请号:US11321620

    申请日:2005-12-29

    IPC分类号: G06F12/14

    摘要: Embodiments of the invention provide a security expert system (SES) that automates intrusion detection analysis and threat discovery that can use fuzzy logic and forward-chaining inference engines to approximate human reasoning process. Embodiments of the SES can analyze incoming security events and generate a threat rating that indicates the likelihood of an event or a series of events being a threat. In one embodiment, the threat rating is determined based on an attacker rating, a target rating, a valid rating, and, optionally, a negative rating. In one embodiment, the threat rating may be affected by a validation flag. The SES can analyze the criticality of assets and calibrate/recalibrate the severity of an attack accordingly to allow for triage. The asset criticality can have a user-defined value. This ability allows the SES to protect and defend critical network resources in a discriminating and selective manner if necessary (e.g., many attacks).

    摘要翻译: 本发明的实施例提供一种安全专家系统(SES),其自动化可以使用模糊逻辑和前向链接推理机来近似人类推理过程的入侵检测分析和威胁发现。 SES的实施例可以分析传入的安全事件并产生威胁等级,其指示事件或一系列事件成为威胁的可能性。 在一个实施例中,威胁等级是基于攻击者等级,目标等级,有效等级以及可选地为负的等级来确定的。 在一个实施例中,威胁等级可能受到验证标志的影响。 SES可以分析资产的关键性,并相应地校准/重新校准攻击的严重性,以便进行分诊。 资产重要性可以具有用户定义的值。 这种能力允许SES以必要的方式(例如,许多攻击)以辨别和选择的方式来保护和保护关键网络资源。

    Systems and methods for correlating log messages into actionable security incidents and managing human responses
    4.
    发明授权
    Systems and methods for correlating log messages into actionable security incidents and managing human responses 有权
    将日志消息与可操作的安全事件相关联并管理人类响应的系统和方法

    公开(公告)号:US08156553B1

    公开(公告)日:2012-04-10

    申请号:US12171713

    申请日:2008-07-11

    IPC分类号: G06F11/00

    CPC分类号: G06Q10/06

    摘要: Systems and methods for correlating log messages into actionable incidents. Some embodiments implement a method which includes comparing a plurality of disparate log messages to a plurality of incident descriptions. The disparate log messages can be parsed. When the messages correlate with an incident description an incident case can be created. Workflow steps can be associated with the incident case and output along with the incident case. Additional disparate log messages can be compared to the incident expressions and, when additional messages correlate with the correlated incident description, the incident case can be adjusted. In some embodiments, the adjustment can include adding workflow steps to the incident case. Results of various workflow steps can be monitored and adjustments can be made accordingly. In some embodiments, the results can include out-of-bounds activities.

    摘要翻译: 将日志消息与可执行事件相关联的系统和方法。 一些实施例实现一种方法,其包括将多个不同的日志消息与多个事件描述进行比较。 可以解析不同的日志消息。 当消息与事件描述相关时,可以创建事件案例。 工作流程步骤可以与事件案例和输出以及事件案例相关联。 可以将额外的不同日志消息与事件表达式进行比较,并且当附加消息与相关事件描述相关时,可以调整事件情况。 在一些实施例中,调整可以包括向事件案例添加工作流步骤。 可以监控各种工作流步骤的结果,并进行相应的调整。 在一些实施例中,结果可以包括超出范围的活动。