
An Explorer-Like Hierarchical View to Process Intrusion Detection Events in Groups

IP.com Disclosure Number: IPCOM000022284D
Original Publication Date: 2004-Mar-04
Included in the Prior Art Database: 2004-Mar-04
Document File: 6 page(s) / 57K

Publishing Venue

IBM

Abstract

The disclosed view displays data in a hierarchical structure with the help of a tree component (like the traditional Explorer view). In addition, it allows the view to be "flattened", that is, to display all items contained in the subdirectories of the selected node, not only its direct children.

This is the abbreviated version, containing approximately 58% of the total text.


Main Idea

Disclosed is an Explorer-like hierarchical view to process intrusion detection events in groups. Imagine a hierarchical file system with the following directory structure and contents:

C:\VIEW
+---company1
|   +---sensor1
|   |       c1_s1_d1.txt
|   |       c1_s1_d2.txt
|   |       c1_s1_d3.txt
|   |
|   +---sensor2
|   |       c1_s2_d1.txt
|   |       c1_s2_d2.txt
|   |
|   \---sensor3
|           c1_s3_d1.txt
|
\---company2
    +---sensor1
    |       c2_s1_d1.txt
    |
    +---sensor2
    |       c2_s2_d1.txt
    |
    \---sensor3
            c2_s3_d1.txt

An Explorer view shows the following when node \view is selected (*):

+---------------------+----------------------------------+
| view*               |                                  |
| |                   | company1                         |
| +-- company1        | company2                         |
| |   |               |                                  |
| |   +-- sensor1     |                                  |
| |   |               |                                  |
| |   +-- sensor2     |                                  |
| |   |               |                                  |
| |   \-- sensor3     |                                  |
| |                   |                                  |
| \-- company2        |                                  |
|     |               |                                  |
|     +-- sensor1     |                                  |
|     |               |                                  |
|     +-- sensor2     |                                  |
|     |               |                                  |
|     \-- sensor3     |                                  |
|                     |                                  |
+---------------------+----------------------------------+

If node \view\company1 is selected (*), the view is like this:


+---------------------+----------------------------------+
| view                |                                  |
| |                   | sensor1                          |
| +-- company1*       | sensor2                          |
| |   |               | sensor3                          |
| |   +-- sensor1     |                                  |
| |   |               |                                  |
| |   +-- sensor2     |                                  |
| |   |               |                                  |
| |   \-- sensor3     |                                  |
| |                   |                                  |
| \-- company2        |                                  |
|     |               |                                  |
|     +-- sensor1     |                                  |
|     |               |                                  |
|     +-- sensor2     |                                  |
|     |               |                                  |
|     \-- sensor3     |                                  |
|                     |                                  |
+---------------------+----------------------------------+

The view shows the following if node \view\company1\sensor1 is selected (*).

+---------------------+----------------------------------+
| view                |                                  |
| |                   | c1_s1_d1.txt                     |
| +-- company1        | c1_s1_d2.txt                     |
| |   |               | c1_s1_d3.txt                     |
| |   +-- sensor1*    |                                  |
| |   |               |                                  |
| |   +-- sensor2     |                                  |
| |   |               |                                  |
| |   \-- sensor3     |                                  |
| |                   |                                  |
| \-- company2        |                                  |
|     |               |                                  |
|     +-- sensor1     |                                  |
|     |               |                                  |
|     +-- sensor2     |                                  |
|     |               |                                  |
|     \-- sensor3     |                                  |
|                     |                                  |
+---------------------+----------------------------------+

A slightly modified Explorer view is very useful for visualizing intrusion detection events: when a group node (a company or a sensor) is selected, the right pane lists every event beneath it rather than only its direct children.


The modified view shows the following if node \view\company1\sensor1 is selected (*).

+---------------------+----------------------------------+
| view                |                                  |
| |                   | c1_s1_d1.txt                     |
| +-- company1        | c1_s1_d2.txt                     |
| |   |               | c1_s1_d3.txt                     |
| |   +-- sensor1*    |                                  |
| |   |               |                                  |
| |   +-- sensor2     |                                  |
| |   |               |                                  |
| |   \-- sensor3     |                                  |
| |                   |                                  |
| \-- company2        |                                  |
|     |               |                                  |
|     +-- sensor1     |                                  |
|     |               |                                  |
|     +-- sensor2     |                                  |
|     |               |                                  |
|     \-- sensor3     |                                  |
|                     |                                  |
+---------------------+----------------------------------+

Note that for a node whose children are all events (a sensor) the picture is identical to the traditional Explorer view; the two views differ only for nodes that have subdirectories.

When selecting the node \view\company1 (*), the following is shown:

+---------------------+----------------------------------+
| view                |                                  |
| |                   | c1_s1_d1.txt                     |
| +-- company1*       | c1_s1_d2.txt                     |
| |   |               | c1_s1_d3.txt                     |
| |   +-- sensor1     | c1_s2_d1.txt                     |
| |   |               | c1_s2_d2.txt                     |
| |   +-- sensor2     | c1_s3_d1.txt                     |
| |   |               |                                  |
| |   \-- sensor3     |                                  |
| |                   |                                  |
| \-- company2        |                                  |
|     |               |                                  |
|     +-- sensor1     |                                  |
|     |               |                                  |
|     +-- sensor2     |...
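The flattened right pane of the modified view (the "flatten" option named in the abstract) is a recursive collection of the event leaves under the selected node, and its point is that the collected set can then be handled as one group. The following Python is an added example, not code from the IBM disclosure: it models the view in memory over the nine event files from the directory tree above, reproduces the traditional pane with list_direct() and the modified pane with list_flattened(), and shows the group operation with process_group(). The names Node, build_tree, find, process_group and the backslash-separated path syntax are this example's own assumptions; the disclosure does not name them.

```python
"""Added example (not from the IBM disclosure): an in-memory model of the
Explorer-like view.  list_direct() reproduces the traditional Explorer pane
(direct children of the selected node), list_flattened() the modified pane
(every event below the node), and process_group() acts on the flattened set
so a whole company's or sensor's events are handled as one group."""

from dataclasses import dataclass, field


@dataclass
class Node:
    """A tree node: a group (view, company, sensor) or an event (leaf)."""
    name: str
    is_event: bool = False
    handled: bool = False
    children: dict = field(default_factory=dict)  # child name -> Node


def build_tree(event_paths):
    """Build the hierarchy from backslash-separated event paths (see
    SAMPLE_EVENTS).  Intermediate parts become group nodes; the last part
    becomes an event node.  Dict insertion order keeps tree order."""
    root = Node("view")
    for path in event_paths:
        parts = path.split("\\")
        if parts[0] != root.name:
            raise ValueError(f"path must start with {root.name}: {path}")
        node = root
        for part in parts[1:-1]:
            node = node.children.setdefault(part, Node(part))
        node.children[parts[-1]] = Node(parts[-1], is_event=True)
    return root


def find(root, path):
    """Resolve a backslash-separated path to its node (KeyError if absent)."""
    node = root
    for part in path.split("\\")[1:]:
        node = node.children[part]
    return node


def list_direct(root, path):
    """Traditional Explorer right pane: names of the direct children only."""
    return [child.name for child in find(root, path).children.values()]


def list_flattened(root, path):
    """Modified right pane: every event below the selected node, in tree
    order.  Group nodes without events contribute nothing."""
    events = []

    def walk(node):
        if node.is_event:
            events.append(node.name)
        for child in node.children.values():
            walk(child)

    walk(find(root, path))
    return events


def process_group(root, path):
    """Mark every event below the node as handled; return how many were
    newly handled.  This is the 'process in groups' step the view supports:
    selecting company1 and acting once covers all of its sensors."""
    count = 0

    def walk(node):
        nonlocal count
        if node.is_event and not node.handled:
            node.handled = True
            count += 1
        for child in node.children.values():
            walk(child)

    walk(find(root, path))
    return count


# Constructed sample: the nine event files from the directory tree on this page.
SAMPLE_EVENTS = [
    r"view\company1\sensor1\c1_s1_d1.txt",
    r"view\company1\sensor1\c1_s1_d2.txt",
    r"view\company1\sensor1\c1_s1_d3.txt",
    r"view\company1\sensor2\c1_s2_d1.txt",
    r"view\company1\sensor2\c1_s2_d2.txt",
    r"view\company1\sensor3\c1_s3_d1.txt",
    r"view\company2\sensor1\c2_s1_d1.txt",
    r"view\company2\sensor2\c2_s2_d1.txt",
    r"view\company2\sensor3\c2_s3_d1.txt",
]


if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    print("direct   :", list_direct(tree, r"view\company1"))
    print("flattened:", list_flattened(tree, r"view\company1"))
    print("handled  :", process_group(tree, r"view\company1"))
```

Selecting view\company1 yields sensor1, sensor2, sensor3 from list_direct() but the six c1_* events from list_flattened(), which is exactly the difference between the two right panes drawn above; a second process_group() call on the same node returns 0 because every event under it is already handled.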