Method and Apparatus for Incremental Augmentation and Visual Indication of Event Context Information
Original Publication Date: 2004-Nov-25
Included in the Prior Art Database: 2004-Nov-25
Interactive event monitoring, and in particular the monitoring of events from multiple network security sensors (such as intrusion detection systems, IDS), is a challenging task for operators. Operators have to review many thousands of events per hour and identify those events that indicate a potential problem and require in-depth investigation. To best support this task, events would be augmented with "context information" such as the operating system of the involved machine and previously identified vulnerabilities. The context information should further indicate whether problems originating from a given source IP have been observed in the past (over an extended period of time, e.g. during the last 10 days). Providing such context information is time-consuming, as it involves searching through potentially large databases of known vulnerabilities and of prior traffic. Therefore, it is typically not possible to display such context information in real time. As operators need to react to urgent security events as quickly as possible, they cannot wait for this context information to become available. State-of-the-art consoles for online monitoring systems therefore perform only minimal pre-processing, and the supporting infrastructure does not perform any computation-intensive operations to augment event information.
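As an added example (not part of the disclosure), a Python sketch of the two-phase approach the title suggests: each event is displayed at once with a "pending" marker, and the slow context lookup (operating system, known vulnerabilities, alerts from the same source IP in the last 10 days) updates the marker when it completes. The asset inventory, alert history and IP addresses are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data, not from the original disclosure.
ASSETS = {  # destination IP -> operating system and previously identified vulnerabilities
    "10.0.0.5": {"os": "Linux 2.4", "vulns": ["VULN-A", "VULN-B"]},
}
HISTORY = {  # source IP -> timestamps of earlier alerts attributed to it
    "192.0.2.10": [datetime(2004, 11, 20), datetime(2004, 11, 3)],
}
LOOKBACK = timedelta(days=10)   # window for "known problems from this source"

@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    sig: str
    status: str = "pending"             # pending -> enriched
    context: dict = field(default_factory=dict)

def augment(event):
    """Slow path (stands in for database lookups): fill in OS, vulnerabilities, source history."""
    asset = ASSETS.get(event.dst, {})
    recent = [t for t in HISTORY.get(event.src, []) if event.ts - LOOKBACK <= t <= event.ts]
    event.context = {
        "dst_os": asset.get("os", "unknown"),
        "dst_vulns": asset.get("vulns", []),
        "src_prior_alerts": len(recent),
    }
    event.status = "enriched"
    return event

def indicator(event):
    """Visual marker: '?' while context is pending, '!' if context raises concern, '-' otherwise."""
    if event.status == "pending":
        return "?"
    if event.context["dst_vulns"] or event.context["src_prior_alerts"]:
        return "!"
    return "-"

def monitor(events):
    """Yield (indicator, event) twice per raw event: first at once, then once context arrives."""
    for event in events:
        yield indicator(event), event           # shown immediately, context still pending
        yield indicator(augment(event)), event  # display updated after the slow lookup
```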