Field
The present disclosure relates generally to analyzing events occurring in systems, such as computer network systems. More particularly, the present disclosure relates to apparatus and methods by which to identify event occurrences, such as intrusion attempts, that are significant, score the identified event occurrences with quantitative scores, and to efficiently store or cache the scores for multiple network systems, such as in a Managed Security Services Provider (MSSP) arrangement monitoring numerous client networks.
Background
Modern computer networks and systems are often times complex. Such systems typically are formed of a set of interacting or interdependent system components that together form and define the system. During system operation, many varied system events occur, both events internal to the system as well as external events that potentially affect and threaten operation of the system. A manager or operator of the system, in order fully to be aware of the system operation should be aware of system-related events, particularly events that might deleteriously affect operation of the system.
In a complex network or system, a large number of events, such as intrusion attempts, might occur daily. Logging of the occurrences of such events, when detected, permits subsequent review of the events by the system manager or operator. At the subsequent review, the system manager or operator is able to then take responsive action. Because of the potentially large number of event occurrences, the log of the event occurrences is potentially very lengthy, and review of the logged event occurrences might well be time-consuming. Furthermore, if a small number of significant event occurrences are interspersed amid a large number of insignificant event occurrences, a reviewer might not properly notice significant event-occurrence entries in the log.
While various mechanisms are available by which to provide for alerts to be generated to highlight selected event-occurrence entries, general review and analysis is still carried out in a conventional, sequential, and iterative manner. Accordingly, an improved manner by which to provide for review and analysis of system-event occurrences would be beneficial. Additionally, if an operator or system manager monitors multiple systems, the multiple log reviews, and redundancy of log entries of system-event occurrences across the multiple monitored systems, adds to the time and complexity of reviewing and analyzing system-event occurrences.
It is in light of the above problems that the presently disclosed methods and apparatus beneficially provide improved system operation and management, particularly for review and analysis of system events across multiple monitored systems or networks.