Browse Prior Art Database

Visualization of Event Data Facilitating the Understanding of the Distribution of Co-Occurring Values Between two Event Dimensions Disclosure Number: IPCOM000029074D
Original Publication Date: 2004-Jun-15
Included in the Prior Art Database: 2004-Jun-15
Document File: 4 page(s) / 62K

Publishing Venue



The disclosed idea relates to an algorithm for event monitoring in which two attributes are used. It is proposed to use two event properties for grouping. The results are then used for visualization by iconic bitmaps.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 42% of the total text.

Page 1 of 4

Visualization of Event Data Facilitating the Understanding of the Distribution of Co-Occurring Values Between two Event Dimensions

Background and Problem solved

Persons analyzing or monitoring time-ordered multivariate data items ('events') in some cases need to identify
(1) which values (if any) in a primary even dimension are repeated frequently and
(2) the way these repeated values co-occur with values of a second (and possibly third) dimension Such a concrete need was identified with operators performing centralized monitoring of security events and alarms generated by a multiplicity of sensors such as intrusion detection systems. In some configurations these sensors generate a large number of 'false positive' events. That is events that are not actual indications of a threat of a new unintended network configuration. To determine whether an event (or set of events) can be classified as false positive operators have to inspect one or more of the different properties of the events under investigation. Examples of intrusion event properties include source-IP (internet address of the computer that originated the identified network traffic), target-IP (internet address of the computer the identified network traffic was sent to), and alarm type (classification of the identified network traffic). Typically operators in a centralized security operations center have to monitor a large number of sensors in parallel. While monitoring they switch between the event displays for different sensors and review the events of each sensor individually. The simplest strategy for choosing the next sensor to work on is to work sequentially through the list of sensors and start again from the top once the end of the list has been reached. The problem with this strategy is that emerging problems in a sensor might go unnoticed for a while until it is visited again during the regular turn. A number of methods can be used to improve this situation. A simple method is to mark sensors with a 'new event count' that allows operators to focus on the sensor with the most unreviewed events. However, the pure amount of new event information generated by a sensor does not necessarily correlate with the "interestingness" of the information and the urgency with which the events in a sensor should be dealt with. Trough research it was realized that the initial "interestingness" of a sensor is closely related to mainly two event properties: The event source-IP and the event-type. In particular operators are particularly interested in sensors with sets of events that originate from the same source IP, and are associated with a variety of alarm types, with events of "high severity" being more interesting than low severity events.

One method to satisfy this need is to dynamically group similar events, as described in US20030110398A1: Method, computer program element and a system for processing alarms triggered by a monitoring system, according to the two dimensions sourc...