Risk information output device, information output system, risk information output method, and recording medium
US-2024414180-A1 · Dec 12, 2024 · US
US9276946B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9276946-B2 |
| Application number | US-201414280311-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 16, 2014 |
| Priority date | Jul 31, 2013 |
| Publication date | Mar 1, 2016 |
| Grant date | Mar 1, 2016 |
Official abstract text for this publication.
A disclosed computer-implemented method includes receiving and indexing raw data. Indexing divides the raw data into time-stamped, searchable events that include information relating to computer or network security. The indexed data is stored in an indexed data store, and values are extracted from a field in the indexed data using a schema. The extracted field values are searched for the security information, and a group of security events is determined using that information; each security event includes a field value specified by a criterion. A graphical interface (GI) is presented that includes a summary of the group of security events, other summaries of security events, and a remove element associated with the summary. Input corresponding to an interaction with the remove element is received; interacting with the remove element causes the summary to be removed from the GI, and the GI is updated to remove it.
Opening claim text (preview).
What is claimed is:

1. A method, comprising: receiving raw data from one or more data sources; segmenting the raw data into a plurality of time-stamped, searchable events, wherein each event in the plurality of time-stamped, searchable events includes information relating to performance or security of an information technology system; creating an event group from the plurality of time-stamped, searchable events, each event in the event group matching criteria relating to one or more fields; determining an event group summary, the summary summarizing one or more fields of the events in the event group; causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary; based on user input in response to the display of the graphical user interface, placing a selected event group summary on a whitelist or a blacklist, wherein placing the selected event group summary on the whitelist removes the selected event group summary from the displayed plurality of event group summaries, and wherein placing the selected event group summary on the blacklist changes a visual appearance of the selected event group summary among the displayed plurality of event group summaries; wherein the method is performed by one or more computing devices.

2. The method as recited in claim 1, wherein each event in the plurality of events includes security-related information.

3. The method as recited in claim 1, wherein at least one event group summary of the displayed event group summaries includes domain activity information.

4. The method as recited in claim 1, further comprising: receiving log data; organizing the received log data into the plurality of events, wherein an event is comprised of at least a portion of one or more lines of data within the log data.

5. The method as recited in claim 1, wherein the criteria is evaluated using a late binding schema applied to at least a portion of the plurality of events.

6. The method as recited in claim 1, wherein each event of the plurality of events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.

7. The method as recited in claim 1, further comprising: in response to a user input, removing an event group summary from the whitelist and displaying the removed event group summary with the displayed plurality of event group summaries.

8. An apparatus, comprising: a subsystem, implemented at least partially in hardware, that receives raw data from one or more data sources; a subsystem, implemented at least partially in hardware, that segments the raw data into a plurality of time-stamped, searchable events, wherein each event in the plurality of time-stamped, searchable events includes information relating to performance or security of an information technology system; a subsystem, implemented at least partially in hardware, that creates an event group from the plurality of time-stamped, searchable events, each event in the event group matching criteria relating to one or more fields; a subsystem, implemented at least partially in hardware, that determines an event group summary, the summary summarizing one or more fields of the events in the event group; a subsystem, implemented at least partially in hardware, that causing display of a graphical user interface that displays a plurality of event group summaries including the event group summary; a list subsystem, implemented at least partially in hardware, that, based on user input in response to the display of the graphical user interface, places a selected event group summary on a whitelist or a blacklist, wherein when the list subsystem places the selected event group summary on the whitelist the list subsystem removes the selected event group summary from the displayed plurality of event group summaries, and wherein when the list subsystem places the selected event group summary on the blacklist the list subsystem changes a visual appearance of the selected event group summary among the displayed plurality of event group summaries.

9. The apparatus as recited in claim 8, wherein each event in the plurality of events includes security-related information.

10. The apparatus as recited in claim 8, wherein at least one event group summary of the displayed event group summaries includes domain activity information.

11. The apparatus as recited in claim 8, further comprising: a subsystem, implemented at least partially in hardware, that receives log data; a subsystem, implemented at least partially in hardware, that organizes the received log data into the plurality of events, wherein an event is comprised of at least a portion of one or more lines of data within the log data.

12. The apparatus as recited in claim 8, wherein the criteria is evaluated using a late binding schema applied to at least a portion of the plurality of events.

13. The apparatus as recited in claim 8, wherein each event of the plurality of events is associated with a time stamp, and wherein the event group summary encompasses events having time stamps within a specified time period.

14. The apparatus as recited in claim 8, further comprising: a subsystem, implemented at least partially in hardware, that, in response to a user input, removes an event group summary from the whitelist and displays the removed event group summary with the displayed plurality of event group summaries.

15. A non-transitory computer readable medium, storing software instructions, which when executed by one or more processors cause performance of: receiving raw data from one or more data sources; segmenting the raw data into a plurality of time-stamped, searchable events, wherein each event in the plurality of time-stamped, searchable events includes information relating to performance or security of an information technology system; creating an event group from the plurality of time-stamped, searchable events, each event in the event group matching criteria relating to one or more fields; determining an event group summary, the summary summarizing one or more fields of the events in the event group; causing display of a graphical user interface displaying a plurality of event group summaries including the event group summary; based on user input in response to the display of the graphical user interface, placing a selected event group summary on a whitelist or a blacklist, wherein placing the selected event group summary on the whitelist removes the selected event group summary from the displayed plurality of event group summaries, and wherein placing the selected event group summary on the blacklist changes a visual appearance of the selected event group summary among the displayed plurality of event group summaries.

16. The non-transitory computer readable medium as recited in claim 15, wherein each event in the plurality of events includes security-related information.

17. The non-transitory computer readable medium as recited in claim 15, wherein at least one event group summary of the displayed event group summaries includes domain activity information.

18. The non-transitory computer readable medium as recited in claim 15, further comprising: receiving log data; organizing the received log data into the plurality of events, wherein an event is comprised of at least a portion of one or more lines of data within the log data.

19. The non-transitory computer readable medium as recited in claim 15, wherein the criteria is ev
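The claims describe one pipeline in three statutory forms: segment raw data into time-stamped searchable events, evaluate field criteria with a late-binding schema (claims 5 and 12), bucket matching events into groups bounded by a time window (claims 6 and 13), summarise each group, and let the analyst whitelist a summary (hidden from the view, reversible per claims 7 and 14) or blacklist it (kept visible, rendered differently). The following is an added worked example written for this page; it is not code from the patent, its assignee or any product. The proxy-log format, the hosts, users and domains in `RAW_LOG`, the regexes in `SCHEMA`, and the helper names (`segment`, `extract`, `group_events`, `TriageView`) are all constructed assumptions chosen to make the claimed steps concrete.

```python
"""Event grouping with a late-binding schema plus whitelist/blacklist triage."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed proxy-log sample: hypothetical hosts, users and domains.
RAW_LOG = """\
2024-05-01T10:00:01Z host=ws-17 user=alice dst=updates.example-vendor.test action=allow
2024-05-01T10:00:09Z host=ws-22 user=bob dst=x7k2q.zz-lookalike.test action=allow
2024-05-01T10:00:15Z host=ws-22 user=bob dst=x7k2q.zz-lookalike.test action=allow
2024-05-01T10:00:30Z host=ws-03 user=carol dst=mail.example-corp.test action=allow
2024-05-01T10:00:41Z host=ws-22 user=bob dst=x7k2q.zz-lookalike.test action=block
2024-05-01T11:30:00Z host=ws-09 user=dave dst=mail.example-corp.test action=allow
"""

# Late-binding schema: extraction rules applied at search time, not at index time.
SCHEMA = {
    "dst": re.compile(r"\bdst=(\S+)"),
    "user": re.compile(r"\buser=(\S+)"),
    "action": re.compile(r"\baction=(\S+)"),
}


@dataclass
class Event:
    ts: datetime  # time stamp parsed from the raw line
    raw: str      # searchable raw text; fields are extracted from it later


def segment(raw: str) -> list[Event]:
    """One time-stamped, searchable event per line; only the leading ISO-8601 token is parsed."""
    def stamp(line: str) -> datetime:
        return datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return [Event(stamp(line), line) for line in filter(str.strip, raw.splitlines())]


def extract(event: Event, name: str) -> str | None:
    """Apply one schema rule to one event at search time."""
    m = SCHEMA[name].search(event.raw)
    return m.group(1) if m else None


@dataclass(frozen=True)
class GroupSummary:
    key: str               # grouping-field value shared by every event in the group
    count: int
    users: frozenset[str]  # distinct user values seen in the group
    blocked: int           # events in the group with action=block


def group_events(events, group_field, start, end, criteria=None) -> list[GroupSummary]:
    """Group events in [start, end) whose fields match `criteria` by `group_field` and summarise."""
    criteria = criteria or {}
    buckets: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if start <= e.ts < end and all(extract(e, f) == v for f, v in criteria.items()):
            key = extract(e, group_field)
            if key is not None:
                buckets[key].append(e)
    summaries = [
        GroupSummary(
            key=key,
            count=len(evs),
            users=frozenset(u for e in evs if (u := extract(e, "user")) is not None),
            blocked=sum(extract(e, "action") == "block" for e in evs),
        )
        for key, evs in buckets.items()
    ]
    return sorted(summaries, key=lambda s: (-s.count, s.key))


class TriageView:
    """Whitelisting hides a summary from the view; blacklisting keeps it visible but flagged."""

    def __init__(self) -> None:
        self.whitelist: set[str] = set()
        self.blacklist: set[str] = set()

    def whitelist_add(self, key: str) -> None:
        self.blacklist.discard(key)  # a key is never on both lists
        self.whitelist.add(key)

    def whitelist_remove(self, key: str) -> None:
        self.whitelist.discard(key)  # the summary reappears on the next render

    def blacklist_add(self, key: str) -> None:
        self.whitelist.discard(key)
        self.blacklist.add(key)

    def render(self, summaries: list[GroupSummary]) -> list[str]:
        rows = []
        for s in summaries:
            if s.key in self.whitelist:
                continue  # removed from the displayed summaries
            flag = "!!" if s.key in self.blacklist else "  "  # changed appearance
            rows.append(f"{flag} {s.key:30} n={s.count} users={len(s.users)} blocked={s.blocked}")
        return rows
```

Two points a practitioner would check in such a design. First, the schema is applied to the stored raw text rather than at ingest, so adding a field (or fixing a regex) changes future searches without re-indexing, but it also means the group criteria are only as good as the extraction rule; a regex that fails to match silently drops the event from every group. Second, the whitelist is a suppression control, not a safety one: a whitelisted domain disappears from the view, so the list itself should be reviewed and logged, and the un-whitelist path (claims 7 and 14) exists precisely so that suppression is reversible.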
CPC classification titles:

- for detecting or protecting against malicious traffic
- Vulnerability analysis
- Clustering or classification
- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- Test or assess a computer or a system