1. Technical Field
The present invention relates generally to an improved data processing system, and in particular to a method and apparatus for managing alerts. Still more particularly, the present invention provides a method, apparatus, and computer implemented instructions for managing alerts from identified situations relating to a series of security violations.
2. Description of Related Art
Much of the progress in computer technology in recent years has centered around inter-computer communication. In many cases, networks of small-scale computers have been used in place of mainframe computers. Sometimes, it is less expensive and more efficient for users to share data among single-user workstations and small-scale servers than it is to share computing time on a single mainframe computer.
Increases in connectivity between computers, especially through the Internet, the world's largest and most interconnected computer network, are not without costs. Increased connectivity brings with it an increased likelihood of a security breach or other malevolent activity. Put another way, the more accessible computers become, the more they will be accessed.
It is thus imperative for organizations that rely on networks of computers to have effective security violation detection systems in place to prevent and remedy security compromises. In particular, where many system events that might be categorized as suspicious take place, it is important to be able to sort through a large amount of event data to determine what is actually taking place. When system events are simply “dumped” to a human administrator or user, it is difficult for the human administrator to sort through and make sense of the voluminous data.
After a detection of an attempt of an unauthorized access or other suspicious activity has occurred, an alert of the situation is typically displayed for an operator to see and process. Typically, the situation is presented in a static manner as an alert or event with the alert remaining on the operator's console until the alert is either manually closed or a preset time period elapses causing the alert to be closed out. In a dynamic environment with a large amount of activity, this type of alert handling may easily lead to an overwhelming number of alerts being displayed in which the alerts being displayed are difficult to display in terms of timeliness and relative importance.
Therefore, it would be advantageous to have an improved method and apparatus for handling alerts of situations.