System and method for consolidating and sorting event data

Data processing: generic control systems or specific application – Generic control system – apparatus or process – Plural processors

Reexamination Certificate

Details

C700S011000, C700S012000, C700S023000, C700S048000, C700S052000, C700S053000, C706S002000, C706S008000, C706S010000, C706S018000, C706S045000

active

06597957

ABSTRACT:

TECHNICAL FIELD OF THE INVENTION
This invention relates in general to the field of computer systems, and more particularly to a system and method for consolidating and sorting event data.
BACKGROUND OF THE INVENTION
Computer networks have become increasingly important tools for communicating public and private information between and within distributed locations. Many computer users are familiar with the Internet, which may be described as a large public computer network. Similarly, many computer users are familiar with private computer networks, such as company intranets, local area networks (LANs), and wide area networks (WANs). These more private computer networks generally limit network access on a user-by-user basis by funneling communicated data through dedicated lines and/or by controlling network access through passwords, encryption or other security measures.
One potential roadblock to reliable and secure network communication is posed by hackers or other unauthorized users disrupting or interfering with network resources. The danger posed by unauthorized access to a computer network can vary from simple embarrassment to substantial loss of resources. To help guard against these unwanted disruptions, several computer network managers have turned to network intrusion detection systems.
Network intrusion detection is a process that identifies and responds to misuse or policy violations on a network. By placing sensor devices at determined points on a network, network traffic is monitored and compared against patterns or “signatures” that represent suspicious activity, misuse, or actual attacks. A sensor monitoring a network can send alerts to a director, to a security management system, and, under appropriate circumstances, to network equipment such as routers and firewalls.
Sensors included in some conventional intrusion detection systems will automatically and quickly respond in a user-defined manner, such as sending an alert. The sending of an alert may involve the creation of an event. In most cases, an event is a set of data elements that adheres to a known format and represents that something has occurred. In a network intrusion detection system, an event could indicate any number of occurrences. For example, an event may indicate that a program or computer has failed, that a computer's configuration has changed, or that an unauthorized user is attempting to break into a computer on the network.
In practice, events are usually generated by computerized processes and are meant to be viewed and perhaps acted upon. Events may be generated in several different types of computer systems. For example, an event may be generated by and remain within a stand-alone computer or an event may be generated by an intrusion detection system sensor and communicated across a network.
In a typical network-based operation, for example, an intrusion detection system and its respective sensors may analyze network packet headers to make security decisions based on source, destination, and packet type. Intrusion detection systems may also analyze packet data to make decisions based on the actual data being transmitted. These systems tend to scale well for network protection because the number of actual workstations, servers or user systems on the network is not critical—the amount of traffic is what matters.
Unfortunately, the volume of traffic and the number of events generated as a result of that traffic create a number of challenges for conventional intrusion detection systems. For example, conventional intrusion detection systems, even those employing an event browser, have a difficult time providing a usable display of events. A conventional event browser, for example, may display events in a scrolling list. As the quantity of events presented on the scrolling list increases, the usability of the list tends to decrease. The display often includes too much information, and the information changes too quickly. In fact, in some cases, a scrolling list of events may scroll so quickly that events scroll off the “top” of the screen before they can be read.
This scrolling problem and other problems associated with conventional solutions may be magnified by the fact that a detection system's sensors can be placed around the globe and configured to report back to a central site. While this may enable an individual at the central site to support a large enterprise, the individual will likely be inundated with events.
SUMMARY OF THE INVENTION
In accordance with the present disclosure, a system and method for consolidating and sorting event data are disclosed that provide significant advantages over prior developed techniques. In addition to providing an effective tool for consolidating and sorting event data, the disclosed embodiments allow for the presentation of a more usable display of event data.
According to one aspect of the present disclosure, a system incorporating teachings of the present disclosure may include a computing platform communicatively coupled to a computer readable medium and a network. The computer readable medium may store an application that includes at least one node mapped into a tree. The at least one node may have a data element reference including a pointer to a data element that includes event data received via the network. In addition, the node may have a row indicator node count, a least child reference, a greatest child reference, a lesser sibling reference, a greatest sibling reference, a parent reference, and a status manager reference.
According to another aspect of the present disclosure, a method for consolidating and sorting event data may involve providing event data via a network to an event sorter. The event sorter may manage a tree that has a plurality of nodes representing earlier received event data. The method may also include creating a node having a data element reference with a pointer to a data element representing the provided event data and identifying a location within the tree in which to place the created node. In some embodiments, a method incorporating teachings of the present invention may also include placing the node at the identified location.
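The node structure and insertion method described above, as an added illustration that is not the patent's own code: each node carries the references the summary lists (a data element reference, a row indicator node count, least and greatest child references, lesser and greater sibling references, a parent reference, and a status field standing in for the status manager reference). The event fields, the two-level grouping key (event type, then source address), and the sample events are assumptions constructed for the example; the patent does not specify them.

```python
"""Added example (not the patent's code): a tree-based event sorter that
consolidates repeated events into per-node counts and keeps siblings sorted."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass
class Event:
    """One received event: the data element that a node points to (assumed shape)."""
    time: int
    kind: str
    source: str
    severity: int


@dataclass(eq=False)
class Node:
    key: str                                   # sort key at this level of the tree
    data: Optional[Event] = None               # data element reference (latest event)
    count: int = 0                             # row indicator node count
    least_child: Optional["Node"] = None
    greatest_child: Optional["Node"] = None
    lesser_sibling: Optional["Node"] = None
    greater_sibling: Optional["Node"] = None
    parent: Optional["Node"] = None
    status: str = "new"                        # stands in for the status manager reference

    def children(self) -> Iterator["Node"]:
        """Walk children from least to greatest along the sibling links."""
        n = self.least_child
        while n is not None:
            yield n
            n = n.greater_sibling


class EventSorter:
    """Tree keyed by event kind, then source; duplicates consolidate into counts."""

    def __init__(self) -> None:
        self.root = Node(key="")

    def _find_or_insert(self, parent: Node, key: str) -> Node:
        # Identify the location among the parent's children, then splice the
        # node in while keeping every sibling/child reference consistent.
        prev, cur = None, parent.least_child
        while cur is not None and cur.key < key:
            prev, cur = cur, cur.greater_sibling
        if cur is not None and cur.key == key:
            return cur                         # existing node: consolidate here
        node = Node(key=key, parent=parent, lesser_sibling=prev, greater_sibling=cur)
        if prev is None:
            parent.least_child = node
        else:
            prev.greater_sibling = node
        if cur is None:
            parent.greatest_child = node
        else:
            cur.lesser_sibling = node
        return node

    def add(self, ev: Event) -> Node:
        """Create/locate the node for an event and update counts up the path."""
        kind_node = self._find_or_insert(self.root, ev.kind)
        src_node = self._find_or_insert(kind_node, ev.source)
        for n in (kind_node, src_node):
            n.count += 1
            if n.data is None or ev.time >= n.data.time:
                n.data = ev                    # point at the most recent event
            n.status = "updated" if n.count > 1 else "new"
        return src_node

    def rows(self) -> List[Tuple[int, str, int, int, int]]:
        """Flatten the tree into expandable spreadsheet rows:
        (depth, key, consolidated count, latest time, severity of latest)."""
        out: List[Tuple[int, str, int, int, int]] = []

        def walk(node: Node, depth: int) -> None:
            for c in node.children():
                out.append((depth, c.key, c.count, c.data.time, c.data.severity))
                walk(c, depth + 1)

        walk(self.root, 0)
        return out


# Constructed sample events (not real sensor output).
SAMPLE_EVENTS = [
    Event(1, "port_scan", "10.0.0.5", 3),
    Event(2, "failed_login", "10.0.0.9", 2),
    Event(3, "port_scan", "10.0.0.5", 3),
    Event(4, "port_scan", "10.0.0.2", 3),
    Event(5, "failed_login", "10.0.0.9", 4),
]


def build_sorter(events=SAMPLE_EVENTS) -> EventSorter:
    sorter = EventSorter()
    for ev in events:
        sorter.add(ev)
    return sorter


if __name__ == "__main__":
    for depth, key, count, t, sev in build_sorter().rows():
        print("  " * depth + f"{key}  count={count}  last={t}  sev={sev}")
```

Because repeated events update an existing node's count rather than appending a line, the row set grows with the number of distinct keys rather than with raw event volume, which is what keeps the display from scrolling away under load.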
The disclosed system and method provide several technical advantages over conventional approaches. For example, the present invention may allow for consolidation of events into a viewable and expandable spreadsheet. As new events are reported, a system incorporating teachings of the present invention may present a spreadsheet to a user that updates in near real time.
In addition, the disclosed sorting scheme may allow for the presentation of event-related information including, for example, time of event, type of event, and severity of event, in a format that is more usable than formats available with conventional systems. For example, a system incorporating teachings of the present invention may help eliminate the scroll-off problems associated with conventional systems.
Other technical advantages will be apparent to those of ordinary skill in the art in view of the following specification, claims, and drawings.
