This invention relates in general to the field of computer systems, and more particularly to a system and method for consolidating and sorting event data.
Computer networks have become increasingly important tools for communicating public and private information between and within distributed locations. Many computer users are familiar with the Internet, which may be described as a large public computer network. Similarly, many computer users are familiar with private computer networks, such as company intranets, local area networks (LANs), and wide area networks (WANs). These more private computer networks generally limit network access on a user by user basis by funneling communicated data through dedicated lines and/or by controlling network access through passwords, encryption or other security measures.
One potential roadblock to reliable and secure network communication is posed by hackers or other unauthorized users disrupting or interfering with network resources. The danger posed by unauthorized access to a computer network can vary from simple embarrassment to substantial loss of resources. To help guard against these unwanted disruptions, several computer network managers have turned to network intrusion detection systems.
Network intrusion detection is a process that identifies and responds to misuse or policy violations on a network. By placing sensor devices at determined points on a network, network traffic is monitored and compared against patterns or xe2x80x9csignaturesxe2x80x9d that represent suspicious activity, misuse, or actual attacks. A sensor monitoring a network can send alerts to a director, to a security management system, and, under appropriate circumstances, to network equipment such as routers and firewalls.
Sensors included in some conventional intrusion detection systems will automatically and quickly respond in a user-defined manner, such as sending an alert. The sending of an alert may involve the creation of an event. In most cases, an event is a set of data elements that adheres to a known format and represents that something has occurred. In a network intrusion detection system, an event could indicate any number of occurrences. For example, an event may indicate that a program or computer has failed, that a computer""s configuration has changed, or that an unauthorized user is attempting to break into a computer on the network.
In practice, events are usually generated by computerized processes and are meant to be viewed and perhaps acted upon. Events may be generated in several different types of computer systems. For example, an event may be generated by and remain within a stand-alone computer or an event may be generated by an intrusion detection system sensor and communicated across a network.
In a typical network-based operation, for example, an intrusion detection system and its respective sensors may analyze network packet headers to make security decisions based on source, destination, and packet type. Intrusion detection systems may also analyze packet data to make decisions based on the actual data being transmitted. These systems tend to scale well for network protection because the number of actual workstations, servers or user systems on the network is not criticalxe2x80x94the amount of traffic is what matters.
Unfortunately, the volume of traffic and the number of events generated as a result of that traffic creates a number of challenges for conventional intrusion detection systems. For example, conventional intrusion detection systems, even those employing an event browser, have a difficult time providing a useable display of events. A conventional event browser, for example, may display events in a scrolling list. As the quantity of events presented on the scrolling list increases, the useability of the list tends to decrease. The display often includes too much information, and the information changes too quickly. In fact, in some cases, a scrolling list of events may scroll so quickly that events scroll off the xe2x80x9ctopxe2x80x9d of the screen before they can be read.
This scrolling problem and other problems associated with conventional solutions may be magnified by the fact that a detection system""s sensors can be placed around the globe and configured to report back to a central site. While this may enable an individual at the central site to support a large enterprise, the individual will likely be inundated with events.
In accordance with the present disclosure, a system and method for consolidating and sorting event data are disclosed that provide significant advantages over prior developed techniques. In addition to providing an effective tool for consolidating and sorting event data, the disclosed embodiments allow for the presentation of a more useable display of event data.
According to one aspect of the present disclosure, a system incorporating teachings of the present disclosure may include a computing platform communicatively coupled to a computer readable medium and a network. The computer readable medium may store an application that includes at least one node mapped into a tree. The at least one node may have a data element reference including a pointer to a data element that includes event data received via the network. In addition, the node may have a row indicator node count, a least child reference, a greatest child reference, a lesser sibling reference, a greatest sibling reference, a parent reference, and a status manager reference.
According to another aspect of the present disclosure, a method for consolidating and sorting event data may involve providing event data via a network to an event sorter. The event sorter may manage a tree that has a plurality of nodes representing earlier received event data. The method may also include creating a node having a data element reference with a pointer to a data element representing the provided event data and identifying a location within the tree in which to place the created node. In some embodiments, a method incorporating teachings of the present invention may also include placing the node at the identified location.
The disclosed system and method provide several technical advantages over conventional approaches. For example, the present invention may allow for consolidation of events into a viewable and expandable spreadsheet. As new events are reported, a system incorporating teachings of the present invention may present a spreadsheet to a user that updates in near real time.
In addition, the disclosed sorting scheme may allow for the presentation of event-related information including, for example, time of event, type of event, and severity of event, in a format that is more useable than formats available with conventional systems. For example, a system incorporating teachings of the present invention may help eliminate the scroll off problems associated with conventional systems.
Other technical advantages will be apparent to those of ordinary skill in the art in view of the following specification, claims, and drawings.