Title: Method and System for Analysis of Security Events in a Managed Computer Network
Abstract: An event retrieval and analysis system compares counts of event data for a device to stored profile counts to determine if alerts should be triggered. Event data can be retrieved by a sensor. Rules for analyzing the event data can be retrieved based on the device. The event data is analyzed based on the rules to determine recordable events. Recordable events are organized into categories representing a type or severity of attack. Current event counts are calculated by summing the recordable events for each category. A normal profile is retrieved for the device and compared to the current event count. A percentage change trigger can be retrieved from a threshold matrix based on the current event count. The percentage increase of the current event count over the normal profile is calculated and compared to the percentage change trigger to determine if an alert is triggered by the analysis system.
Publication number: US2015381635(A1) Publication date: 2015.12.31
Application number: US201514850488 Filing date: 2015.09.10
Applicant: International Business Machines Corporation Inventors: Givental Gary Israel; Ngo HuyAnh Dinh; Suzio Michael John
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Independent claim: 1. A method for managing events, the method comprising: receiving, by one or more sensors of an event retrieval and analysis computer, a multiplicity of event data for a respective multiplicity of events corresponding to a device; adding, by the event retrieval and analysis computer, the multiplicity of event data to a queue for the device; determining, by the event retrieval and analysis computer, that the queue is not full and a predetermined amount of time has passed since a prior categorization of events represented by respective event data on the queue; responsive to determining that the queue is not full and a predetermined amount of time has passed since a prior categorization of events, based on the event data for each of the multiplicity of events, categorizing, by the event retrieval and analysis computer, each of the multiplicity of events as at least one of a worm signature event category that represents worm attacks against the device, a sweeps signature event category that represents sweep attacks against a network leading to the device, and a hot decodes signature event category that represents high priority signatures tracked by a user; and comparing, by the event retrieval and analysis computer, a total number of the events in each of the categories to a respective reference number, and responsive to any of the categories where the respective total number of the events exceeds the respective reference number by a predetermined amount, generating and issuing a notice.
Address: Armonk NY US
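The comparison the abstract and claim 1 describe (per-category event counts, a normal profile, and a percentage change trigger looked up from a threshold matrix by the current count), written out as an added example; this is not code from the patent or from IBM. The threshold matrix, normal profile, category names and sample events are all constructed for illustration.

```python
# Added example (not the patent's own code): the count-versus-profile comparison
# from the abstract, with a constructed threshold matrix, profile and event sample.
from collections import Counter

# Constructed threshold matrix: (lower bound on current count, required % increase).
# Low counts must jump a lot before alerting; high counts alert on a smaller change.
THRESHOLD_MATRIX = [(0, 300.0), (10, 150.0), (50, 75.0), (200, 30.0)]

# Constructed normal profile for one device: baseline count per category
# (categories follow claim 1: worm, sweeps, hot decodes).
NORMAL_PROFILE = {"worm": 4, "sweeps": 20, "hot_decodes": 1}

def percent_change_trigger(current_count, matrix=THRESHOLD_MATRIX):
    """Return the % change trigger of the highest matrix row whose bound <= count."""
    trigger = matrix[0][1]
    for lower_bound, pct in matrix:
        if current_count >= lower_bound:
            trigger = pct
    return trigger

def current_event_counts(recordable_events):
    """Sum recordable events per category; events are (category, signature) tuples."""
    return Counter(category for category, _sig in recordable_events)

def percent_increase(current, normal):
    """Percentage increase of the current count over the normal profile count.
    A zero baseline with any current activity is treated as an unbounded increase."""
    if normal == 0:
        return float("inf") if current > 0 else 0.0
    return (current - normal) / normal * 100.0

def evaluate_device(recordable_events, profile=NORMAL_PROFILE, matrix=THRESHOLD_MATRIX):
    """Return {category: (current, normal, increase_pct, trigger_pct)} for every
    category whose increase meets or exceeds the trigger from the threshold matrix."""
    counts = current_event_counts(recordable_events)
    alerts = {}
    for category in set(profile) | set(counts):
        current = counts.get(category, 0)
        normal = profile.get(category, 0)
        increase = percent_increase(current, normal)
        trigger = percent_change_trigger(current, matrix)
        if current > 0 and increase >= trigger:
            alerts[category] = (current, normal, increase, trigger)
    return alerts

# Constructed sample: a burst of worm signatures, sweeps near baseline, one hot decode.
SAMPLE_EVENTS = ([("worm", "sig-w1")] * 12 + [("sweeps", "sig-s1")] * 22
                 + [("hot_decodes", "sig-h1")])

if __name__ == "__main__":
    print(evaluate_device(SAMPLE_EVENTS))  # only "worm" trips its trigger
```

With this sample the worm count is 200% above its baseline against a 150% trigger, so only that category alerts; sweeps rose 10% against a 150% trigger and stays quiet.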