Patents by Inventor Herve Debar

Herve Debar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10419474
    Abstract: A method of selecting, for at least one service of an information system and depending service(s), at least one countermeasure to be implemented against at least one cyber attack, the method includes: identifying elements of the service exposed to the cyber attack(s), calculating a risk mitigation level of each countermeasure with respect to the cyber attack(s), ranking the countermeasure(s) on the basis of a parameter which is at least a function of the risk mitigation level, simulating the impact of the countermeasure(s) on the service and the depending service(s), the countermeasure to be implemented being selected at least as a function of result of the simulation.
    Type: Grant
    Filed: November 10, 2015
    Date of Patent: September 17, 2019
    Assignee: INSTITUT MINES-TELECOM/TELECOM SUDPARIS
    Inventors: Gustavo Gonzalez Granadillo, Hervé Debar
  • Publication number: 20170324766
    Abstract: A method of selecting, for at least one service of an information system and depending service(s), at least one countermeasure to be implemented against at least one cyber attack, the method includes: identifying elements of the service exposed to the cyber attack(s), calculating a risk mitigation level of each countermeasure with respect to the cyber attack(s), ranking the countermeasure(s) on the basis of a parameter which is at least a function of the risk mitigation level, simulating the impact of the countermeasure(s) on the service and the depending service(s), the countermeasure to be implemented being selected at least as a function of result of the simulation.
    Type: Application
    Filed: November 10, 2015
    Publication date: November 9, 2017
    Applicant: INSTITUT MINES-TELECOM/TELECOM SUDPARIS
    Inventors: Gustavo GONZALEZ GRANADILLO, Hervé DEBAR
  • Patent number: 7891002
    Abstract: This invention concerns a method for processing computer system input data including at least one detection step for a specific word INSTR present among said data. In the method according to the invention, the specific word to be detected represents an instruction necessary for the execution of a program present among said data. Because it focuses detection on the means necessary for the execution of an attack program that thus reveal the presence of said program, the invention can be used to simply and effectively detect different types of attacks.
    Type: Grant
    Filed: September 20, 2002
    Date of Patent: February 15, 2011
    Assignee: France Telecom SA
    Inventors: Herve Debar, Dominique Assing, Benjamin Morin
  • Patent number: 7810157
    Abstract: A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content. Each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) is associated with a description including a conjunction of valued attributes belonging to attribute domains. The valued attributes belonging to each attribute domain are organized into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures. The description of each of said alerts is completed with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts. The complete alerts are stored in a logic file system (21) to enable them to be consulted.
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: October 5, 2010
    Assignee: France Telecom
    Inventors: Benjamin Morin, Hervé Debar
  • Patent number: 7571480
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: August 4, 2009
    Assignee: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison
  • Publication number: 20090138970
    Abstract: A method of automatically detecting intrusions among events under surveillance. The method comprises comparing an event under surveillance to a set of patterns, each pattern being associated with a predetermined intrusion signature from a set of intrusion signatures, determining among said set of intrusion signatures a subset of intrusion signatures revealing a particular intrusion in said event under surveillance, and dynamically generating a new signature corresponding to said subset of intrusion signatures, said new signature being dedicated to recognizing said particular intrusion.
    Type: Application
    Filed: July 6, 2006
    Publication date: May 28, 2009
    Applicant: FRANCE TELECOM
    Inventors: Elvis Tombini, Herve Debar
  • Patent number: 7506373
    Abstract: A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An). Attributes belonging to each attribute domain are organized into a hierarchical structure. For each alert issued by the intrusion detection sensors (11a, 11b, 11c), a trellis specific to that alert is constructed by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure. Each specific trellis is iteratively merged into a general trellis. Collated alerts in the general trellis are identified by selecting the alerts that are simultaneously the most pertinent and the most general. The collated alerts are supplied to an output unit (23) of an alert management system (13).
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: March 17, 2009
    Assignee: France Telecom
    Inventors: Benjamin Morin, Hervé Debar, Elvis Tombini
  • Publication number: 20080165000
    Abstract: The invention relates to a system and a method of suppressing false alarms among alarms issued by intrusion detection sensors (13a, 13b, 13c) of a protected information system (1) including entities (9, 11a, 11b) generating attacks associated with the alarms and an alarm management system (15), the method comprising the following steps: using a false alarm suppression module (23) to define qualitative relationships between the entities (9, 11a, 11b) and a set of profiles; using the false alarm suppression module (23) to define nominative relationships between the set of profiles and a set of names of attacks which that set of profiles is recognized as generating; and using the false alarm suppression module (23) to qualify a given alarm as a false alarm if the entity (9, 11a, 11b) implicated in the given alarm has a profile recognized as generating the attack associated with that given alarm.
    Type: Application
    Filed: May 9, 2005
    Publication date: July 10, 2008
    Applicant: FRANCE TELECOM
    Inventors: Benjamin Morin, Herve Debar
  • Patent number: 7308689
    Abstract: An event handler is provided that associates events from heterogeneous data sources. In a first phase, incoming events are translated to vectors of event attributes. Based on the data source, implicit information about the event and its attributes may be available. This information is used to normalize the information provided by the event. Normalization actions may include renaming the attributes, deriving new attributes from given attributes, and transforming attribute value ranges. In a second phase, a determination is made as to whether two or more events are considered to be associated based on the vectors. Different vectors of core attributes may be created in order to create associations with different semantics.
    Type: Grant
    Filed: December 18, 2002
    Date of Patent: December 11, 2007
    Assignee: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Patent number: 7278160
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
    Type: Grant
    Filed: August 16, 2001
    Date of Patent: October 2, 2007
    Assignee: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison
  • Publication number: 20070204343
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
    Type: Application
    Filed: May 3, 2007
    Publication date: August 30, 2007
    Inventors: Steven Black, Herve Debar, John Garrison
  • Publication number: 20070150579
    Abstract: A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content. Each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) is associated with a description including a conjunction of valued attributes belonging to attribute domains. The valued attributes belonging to each attribute domain are organized into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures. The description of each of said alerts is completed with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts. The complete alerts are stored in a logic file system (21) to enable them to be consulted.
    Type: Application
    Filed: December 16, 2004
    Publication date: June 28, 2007
    Inventors: Benjamin Morin, Herve Debar
  • Publication number: 20070118905
    Abstract: A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An). Attributes belonging to each attribute domain are organized into a hierarchical structure. For each alert issued by the intrusion detection sensors (11a, 11b, 11c), a trellis specific to that alert is constructed by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure. Each specific trellis is iteratively merged into a general trellis. Collated alerts in the general trellis are identified by selecting the alerts that are simultaneously the most pertinent and the most general. The collated alerts are supplied to an output unit (23) of an alert management system (13).
    Type: Application
    Filed: December 16, 2004
    Publication date: May 24, 2007
    Applicant: France Telecom
    Inventors: Benjamin Morin, Herve Debar, Elvis Tombini
  • Patent number: 7039953
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations” are established from groups whose severity exceeds a threshold value. These groups and situations are then propagated up a hierarchical arrangement of systems and further aggregated so as to provide summary information over a larger group of systems. This hierarchical scheme allows for scalability of the event correlation process across larger networks of systems.
    Type: Grant
    Filed: August 30, 2001
    Date of Patent: May 2, 2006
    Assignee: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Patent number: 6928556
    Abstract: A method, apparatus, and computer implemented instructions for handling a situation in a data processing system. In response to detecting a situation, an aging function is applied to the situation. Alerts regarding the situation based on the aging function are presented.
    Type: Grant
    Filed: August 30, 2001
    Date of Patent: August 9, 2005
    Assignee: International Business Machines Corporation
    Inventors: Steven C. Black, Herve Debar, John Michael Garrison, RoseAnne Swart
  • Publication number: 20050091528
    Abstract: This invention concerns a method for processing computer system input data including at least one detection step for a specific word INSTR present among said data. In the method according to the invention, the specific word to be detected represents an instruction necessary for the execution of a program present among said data. Because it focuses detection on the means necessary for the execution of an attack program that thus reveal the presence of said program, the invention can be used to simply and effectively detect different types of attacks.
    Type: Application
    Filed: September 20, 2002
    Publication date: April 28, 2005
    Inventors: Herve Debar, Dominique Assing, Benjamin Morin
  • Publication number: 20040123304
    Abstract: An event handler is provided that associates events from heterogeneous data sources. In a first phase, incoming events are translated to vectors of event attributes. Based on the data source, implicit information about the event and its attributes may be available. This information is used to normalize the information provided by the event. Normalization actions may include renaming the attributes, deriving new attributes from given attributes, and transforming attribute value ranges. In a second phase, a determination is made as to whether two or more events are considered to be associated based on the vectors. Different vectors of core attributes may be created in order to create associations with different semantics.
    Type: Application
    Filed: December 18, 2002
    Publication date: June 24, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Publication number: 20030051184
    Abstract: A method, apparatus, and computer implemented instructions for handling a situation in a data processing system. In response to detecting a situation, an aging function is applied to the situation. Alerts regarding the situation based on the aging function are presented.
    Type: Application
    Filed: August 30, 2001
    Publication date: March 13, 2003
    Applicant: International Business Machines Corporation
    Inventors: Steven C. Black, Herve Debar, John Michael Garrison, RoseAnne Swart
  • Publication number: 20030046582
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations” are established from groups whose severity exceeds a threshold value. These groups and situations are then propagated up a hierarchical arrangement of systems and further aggregated so as to provide summary information over a larger group of systems. This hierarchical scheme allows for scalability of the event correlation process across larger networks of systems.
    Type: Application
    Filed: August 30, 2001
    Publication date: March 6, 2003
    Applicant: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Publication number: 20030041264
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
    Type: Application
    Filed: August 16, 2001
    Publication date: February 27, 2003
    Applicant: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison