Detection, remediation and inference rule development for multi-layer information technology ("it") structures
US-2017102997-A1 · Apr 13, 2017 · US
US2017031741A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2017031741-A1 |
| Application number | US-201514812823-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jul 29, 2015 |
| Priority date | Jul 29, 2015 |
| Publication date | Feb 2, 2017 |
| Grant date | — |
Official abstract text for this publication.
Systems and techniques for managing alert profiles, including creating the alert profiles and deactivating the alert profiles, are described. Auditing software executing on a central server may receive an event log from a software agent. The event log may identify activities associated with a network element in a computer system. The auditing software may include a classifier trained using machine learning. The auditing software may determine that the event log is indicative of an interesting activity, such as malicious activity. The auditing software may create an alert profile. The auditing software may assign a severity to the alert profile. The auditing software may determine whether the alert profile is relevant. The auditing software may deactivate the alert profile based on determining that the alert profile is not relevant.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method, comprising: receiving, from a software agent, an event log identifying one or more activities associated with a network element; determining, by a classifier trained using machine learning, that the event log is indicative of an interesting activity; creating, by the classifier, an alert profile based at least partly on the event log; determining, by the classifier, a severity of the alert profile based at least partly on the event log; associating, by the classifier, a time period with the alert profile based at least partly on the severity of the alert profile; and deactivating, by the classifier, the alert profile after the time period has expired.
2. The computer-implemented method of claim 1, wherein the network element comprises at least one of: a database hosting device; a user computing device; or a server device.
3. The computer-implemented method of claim 1, further comprising: determining that one or more conditions associated with the alert profile are satisfied; and performing one or more actions associated with the alert profile.
4. The computer-implemented method of claim 3, wherein the one or more actions include alerting a system administrator.
5. The computer-implemented method of claim 3, wherein the one or more actions include preventing the network element from performing additional activities or preventing access to the network element.
6. The computer-implemented method of claim 1, wherein deactivating, by the classifier, the alert profile after the time period has expired comprises: determining, after the time period has expired, that the alert profile is not relevant based on one or more additional event logs; and deactivating the alert profile based at least in part on determining that the alert profile is not relevant.
7. The computer-implemented method of claim 1, wherein associating, by the classifier, the time period with the alert profile based at least partly on the severity of the alert profile comprises: determining, by the classifier, a base time period; determining the time period by multiplying the base time period by the severity of the alert profile; and associating the time period with the alert profile.
8. One or more non-transitory computer-readable media storing instructions that include a classifier algorithm, the instructions executable by one or more processors to perform operations comprising: receiving an event log associated with a network element; determining that the event log is indicative of an interesting activity; creating an alert profile based at least partly on the event log; activating the alert profile; determining that one or more conditions associated with the alert profile are satisfied; performing one or more actions associated with the alert profile; and deactivating the alert profile based on determining that the alert profile is not relevant.
9. The one or more non-transitory computer-readable media of claim 8, wherein determining that the event log is indicative of the interesting activity comprises: determining that the event log is indicative of malicious activity.
10. The one or more non-transitory computer-readable media of claim 8, wherein determining that the event log is indicative of the interesting activity comprises: determining that the event log is indicative that a utilization of a network resource is at or above a predetermined threshold.
11. The one or more non-transitory computer-readable media of claim 8, wherein determining that the event log is indicative of the interesting activity comprises: determining that the event log is indicative that a utilization of a network resource is below a predetermined threshold.
12. The one or more non-transitory computer-readable media of claim 8, wherein determining that the one or more conditions associated with the alert profile are satisfied comprises: receiving one or more additional event logs; and determining that the one or more conditions associated with the alert profile are satisfied based at least partly on the one or more additional event logs.
13. The one or more non-transitory computer-readable media of claim 8, wherein determining that the alert profile is not relevant comprises: determining that a pre-determined period of time has elapsed after creating the alert profile.
14. A server, comprising: one or more processors; and one or more non-transitory computer-readable media storing instructions that are executable by the one or more processors to perform operations comprising: receiving a first event log identifying one or more events associated with a network element; determining that the first event log is indicative of an interesting activity; creating an alert profile based at least partly on the first event log; activating the alert profile; receiving at least a second event log; determining that one or more conditions associated with the alert profile are satisfied based on the first event log and the second event log; performing one or more actions associated with the alert profile based on determining that the one or more conditions associated with the alert profile are satisfied; and deactivating the alert profile based on determining that the alert profile is not relevant.
15. The server of claim 14, wherein determining that the first event log is indicative of an interesting activity comprises: determining that the first event log is indicative of malicious activity.
16. The server of claim 14, wherein the alert profile comprises the one or more conditions and the one or more actions.
17. The server of claim 14, wherein performing the one or more actions associated with the alert profile comprises: alerting a system administrator; and blocking traffic to and from the network element.
18. The server of claim 14, the operations further comprising: determining a time period to activate the alert profile; and associating the time period with the alert profile.
19. The server of claim 14, wherein determining that the alert profile is not relevant comprises: determining that the interesting activity has not occurred for at least a predetermined amount of time.
20. The server of claim 14, wherein determining that the alert profile is not relevant comprises: determining that an additional event log indicative of the interesting activity has not been received for at least a predetermined amount of time.
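As an added illustration, not code from the patent or its applicant, the following Python sketch walks through the alert-profile lifecycle the claims describe: a profile is created from a first event log, its time period is the base period multiplied by severity (claim 7), a further indicative log satisfies its conditions and triggers the administrator alert and traffic block (claims 12, 14, 17), and it is deactivated once the period expires (claim 1) or no further indicative log arrives for a quiet period (claim 20). The ML-trained classifier is replaced by a stand-in threshold rule, and the event-log dicts, the `failed_logins` field and the 60 s / 120 s periods are all constructed assumptions.

```python
from dataclasses import dataclass, field
# Stand-in for the claims' ML-trained classifier: a fixed rule over a constructed
# event-log dict. Returns (interesting, severity); severity 0 means not interesting.
def classify(event_log):
    failures = event_log.get("failed_logins", 0)
    if failures >= 20:
        return True, 3
    if failures >= 5:
        return True, 1
    return False, 0
@dataclass
class AlertProfile:
    element: str
    severity: int
    created_at: float
    time_period: float   # claim 7: base period multiplied by severity
    last_seen: float     # time of the last event log indicative of the activity
    active: bool = True
    actions_taken: list = field(default_factory=list)
    def expired(self, now):              # claim 1: deactivate after the time period
        return now - self.created_at >= self.time_period
    def stale(self, now, quiet_period):  # claim 20: no further indicative log received
        return now - self.last_seen >= quiet_period

class Auditor:
    def __init__(self, base_period=60, quiet_period=120):  # constructed defaults, seconds
        self.base_period = base_period
        self.quiet_period = quiet_period
        self.profiles = {}  # network element -> active AlertProfile

    def receive(self, event_log, now):
        element = event_log["element"]
        interesting, severity = classify(event_log)
        profile = self.profiles.get(element)
        if profile is None:
            if interesting:  # claims 1/8: create and activate a profile from the first log
                profile = AlertProfile(element, severity, now, self.base_period * severity, now)
                self.profiles[element] = profile
            return profile
        if interesting:  # claims 12/14/17: a further indicative log satisfies the conditions
            profile.last_seen = now
            profile.actions_taken.append(f"alert administrator; block traffic for {element}")
        return profile

    def sweep(self, now):  # deactivate expired profiles and those whose activity went quiet
        for element, profile in list(self.profiles.items()):
            if profile.expired(now) or profile.stale(now, self.quiet_period):
                profile.active = False
                del self.profiles[element]
```

Call `receive` for each incoming log with a timestamp and `sweep` periodically; the sweep is where the relevance test of claims 13, 19 and 20 runs.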
Root cause analysis, i.e. error or fault diagnosis (in a hardware test environment G06F11/22; in a software test environment G06F11/36) · CPC title
Storage of error reports, e.g. persistent data storage, storage using memory protection · CPC title
Physics · mapped topic
Means for error signaling, e.g. using interrupts, exception flags, dedicated error registers · CPC title
Error or fault detection not based on redundancy (power supply failures G06F1/30; network fault management H04L41/06) · CPC title