Early warning system for network attacks

US 20030084349A1
Filed: 08/09/2002
Published: 05/01/2003
Est. Priority Date: 10/12/2001
Status: Abandoned Application

First Claim

Patent Images

23. A computer implemented method for analysis of network security events, the method comprising:

obtaining security event data that was initially gathered by at least one security device;

converting the security event data into common, vendor-independent security event types;

analyzing the security event data to determine a number of occurrences for at least one security event type and to identify linked series of security events within the security event data;

determining identification information for originating parties of at least one security event; and

preparing an alert describing results from the analyzing step for at least one security event.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security events based on network message traffic and other network security information are analyzed to identify validated security threats occurring on one or more networks. Alerts are prepared based on the results of the security analysis.

Citations

121 Claims

23. A computer implemented method for analysis of network security events, the method comprising:
- obtaining security event data that was initially gathered by at least one security device;
  
  converting the security event data into common, vendor-independent security event types;
  
  analyzing the security event data to determine a number of occurrences for at least one security event type and to identify linked series of security events within the security event data;
  
  determining identification information for originating parties of at least one security event; and
  
  preparing an alert describing results from the analyzing step for at least one security event.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 24. The method of claim 23, wherein the security event data comprises a listing of individual security events in vendor specific format.
  - 25. The method of claim 23, wherein the security event data comprises a listing of individual security events, wherein each security event comprises the source IP address of the event, the source port of the event, the destination IP address of the event, the destination port of the event, the protocol associated with the event, the event name, event specific packet data, and a timestamp for the event.
  - 26. The method of claim 23, wherein obtaining the security event data comprises extracting at least one security event from an output file of a security device.
  - 27. The method of claim 23, wherein obtaining the security event data comprises receiving the security event data from another processing unit via a network.
  - 28. The method of claim 23, wherein obtaining the security event data comprises receiving a data stream of security events from a security device.
  - 29. The method of claim 23, wherein the security device comprises an intrusion detection system.
  - 30. The method of claim 23, wherein the security device comprises a security firewall.
  - 31. The method of claim 23, wherein the security device source comprises a computer antivirus program.
  - 32. The method of claim 23, wherein the security device source comprises honeypot.
  - 33. The method of claim 23, wherein identifying the linked series of security events comprises detecting a pattern of security events independent of the sequence of occurrence of the security events.
  - 34. The method of claim 23, wherein identifying the linked series of security events comprises detecting a series of security events occurring in a specific sequence.
  - 35. The method of claim 23, wherein analyzing the security event data further comprises determining a variance in the number of occurrences for the at least one security event type relative to a baseline value.
  - 36. The method of claim 23, wherein obtaining the security event data further comprises associating the security event data with demographic and geographic information about the network providing the security event data.
  - 37. The method of claim 23, further comprising automatically notifying an originating party about participation of the originating party in a security event.
  - 38. The method of claim 23, wherein determining identification information for the originating parties comprises receiving the identification information from another processing unit via a network.
  - 39. The method of claim 23, wherein preparing an alert comprises generating a report based on an identified validated security threat.
  - 40. The method of claim 23, wherein preparing an alert comprises maintenance of a Threat Level.
  - 41. The method of claim 23, further comprising aggregating the obtained security event data with other previously obtained security event data prior to the step of performing a security event analysis.

42. A computer implemented method for identifying validated network security threats, the method comprising:
- obtaining security event data that was initially gathered by at least one security device;
  
  performing a security event analysis on the security event data to identify validated security threats; and
  
  preparing an alert based on the identified validated security threats.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 43. The method of claim 42, wherein the security event data comprises a listing of individual security events in vendor specific format.
  - 44. The method of claim 42, wherein the security event data comprises a listing of individual security events, wherein each security event comprises the source IP address of the event, the source port of the event, the destination IP address of the event, the destination port of the event, the protocol associated with the event, the event name, event specific packet data, and a timestamp for the event.
  - 45. The method of claim 42, wherein obtaining the security event data comprises extracting at least one security event from an output file of a security device.
  - 46. The method of claim 42, wherein obtaining the security event data comprises receiving the security event data from another processing unit via a network.
  - 47. The method of claim 42, wherein obtaining the security event data comprises receiving a data stream of security events from a security device.
  - 48. The method of claim 42, wherein the security device comprises an intrusion detection system.
  - 49. The method of claim 42, wherein the security device comprises a security firewall.
  - 50. The method of claim 42, wherein the security device comprises a computer antivirus program.
  - 51. The method of claim 42, wherein the security device comprises a honeypot.
  - 52. The method of claim 42, wherein performing a security event analysis comprises comparing the security event data to a list of validated security threats.
  - 53. The method of claim 42, wherein performing a security event analysis comprises identifying a linked series of security events.
  - 54. The method of claim 53, wherein identifying the linked series of security events comprises detecting a pattern of security events independent of the sequence of occurrence of the security events.
  - 55. The method of claim 53, wherein identifying the linked series of security events comprises detecting a series of security events occurring in a specific sequence.
  - 56. The method of claim 42, wherein performing a security event analysis comprises:
    - determining a number of occurrences of a security event type within a time period; and
      
      determining a variance in the number of occurrences relative to a baseline value.
  - 57. The method of claim 42, wherein obtaining the security event data further comprises associating the security event data with demographic and geographic information about the network providing the security event data.
  - 58. The method of claim 42, further comprising determining identification information for originating parties of at least one of the security events.
  - 59. The method of claim 58, wherein determining identification information for the originating parties comprises receiving the identification information from another processing unit via a network.
  - 60. The method of claim 42, wherein preparing an alert comprises generating a report based on an identified validated security threat.
  - 61. The method of claim 42, further comprising automatically notifying an originating party about participation of the originating party in a security event.
  - 62. The method of claim 42, further comprising aggregating the obtained security event data with other previously obtained security event data, prior to the step of performing a security event analysis.
  - 63. The method of claim 42, wherein obtaining the security event data comprises receiving a summary of security event data that was previously analyzed by another processing unit.
  - 64. The method of claim 42, wherein preparing an alert comprises maintenance of a Threat Level.

65. A computer implemented method for identifying network security incidents, the method comprising:
- obtaining security event data that was initially gathered by at least one security device;
  
  analyzing the security event data to determine a frequency of occurrence for at least one security event type and to identify linked series of security events within the security event data;
  
  comparing the analyzed security event data with a listing of validated security threats; and
  
  preparing an alert based on the results of the analyzing and comparing steps.

66. A computer system for the early detection of validated security threats, the computer system comprising:
- a software portion configured for obtaining security event data initially gathered by a plurality of security devices;
  
  a software portion configured for converting the security event data into common, vendor-independent security event types;
  
  a software portion configured for performing a security event analysis on the security event data to identify validated security threats; and
  
  a software portion configured for preparing an alert based on the identified validated security threats.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 67, 68, 69, 70, 71, 72, 73, 74)
- - 1. A computer implemented method for the early detection of validated security threats, the method comprising:
    - obtaining security event data initially gathered by a plurality of security devices;
      
      converting the security event data into common, vendor-independent security event types;
      
      performing a security event analysis on the security event data to identify validated security threats; and
      
      preparing an alert based on the identified validated security threats.
  - 2. The method of claim 1, wherein the security event data comprises a listing of individual security events in a vendor specific format.
  - 3. The method of claim 1, wherein the security event data comprises a listing of individual security events, wherein each security event comprises the source IP address of the event, the source port of the event, the destination IP address of the event, the destination port of the event, the protocol associated with the event, the event name, event specific packet data, and a timestamp for the event.
  - 4. The method of claim 1, wherein obtaining the security event data comprises extracting at least one security event from an output file of a security device.
  - 5. The method of claim 1, wherein obtaining the security event data comprises receiving the security event data from another processing unit via a network.
  - 6. The method of claim 1, wherein obtaining the security event data comprises receiving a data stream of security events from a security device.
  - 7. The method of claim 1, wherein at least one security device comprises an intrusion detection system.
  - 8. The method of claim 1, wherein at least one security device comprises a security firewall.
  - 9. The method of claim 1, wherein at least one security device source comprises a computer antivirus program.
  - 10. The method of claim 1, wherein at least one security device source comprises a honeypot.
  - 11. The method of claim 1, wherein performing a security event analysis comprises comparing security events to a list of validated security threats.
  - 12. The method of claim 1, wherein performing a security event analysis comprises identifying a linked series of security events.
  - 13. The method of claim 12, wherein identifying the linked series of security events comprises detecting a pattern of security events independent of the sequence of occurrence of the security events.
  - 14. The method of claim 12, wherein identifying the linked series of security events comprises detecting a series of security events occurring in a specific sequence.
  - 15. The method of claim 1, wherein performing a security event analysis comprises:
    - determining a number of occurrences of a security event type within a time period; and
      
      determining a variance in the number of occurrences relative to a baseline value.
  - 16. The method of claim 1, wherein obtaining the security event data further comprises associating the security event data with demographic and geographic information about the network providing the security event data.
  - 17. The method of claim 1, further comprising determining identification information for originating parties of at least one security event within the security event data.
  - 18. The method of claim 17, wherein determining identification information for the originating parties comprises receiving the identification information from another processing unit via a network.
  - 19. The method of claim 1, wherein preparing an alert comprises generating a report based on an identified validated security threat.
  - 20. The method of claim 1, wherein preparing an alert comprises maintenance of a Threat Level.
  - 21. The method of claim 1, further comprising aggregating the obtained security event data with other previously obtained security event data prior to the step of performing a security event analysis.
  - 22. The method of claim 1, further comprising automatically notifying an originating party about participation of the originating party in a security event.
  - 67. The computer system of claim 66, wherein the security event data comprises a listing of individual security events in a vendor specific format.
  - 68. The computer system of claim 66, wherein the software portion configured for performing a security event analysis comprises a software portion configured for identifying a linked series of security events.
  - 69. The computer system of claim 68, wherein the software portion configured for identifying the linked series of security events comprises a software portion configured for detecting a pattern of security events independent of the sequence of occurrence of the security events.
  - 70. The computer system of claim 66, wherein the software portion configured for performing a security event analysis comprises:
    - a software portion configured for determining a number of occurrences of a security event type within a time period; and
      
      a software portion configured for determining a variance in the number of occurrences relative to a baseline value.
  - 71. The computer system of claim 66, wherein the software portion configured for obtaining the security event data further comprises a software portion configured for associating the security event data with demographic and geographic information about the network providing the security event data.
  - 72. The computer system of claim 66, further comprising a software portion configured for determining identification information for originating parties of at least one security event within the security event data.
  - 73. The computer system of claim 66, wherein the software portion configured for preparing an alert comprises a software portion configured for generating a report based on an identified validated security threat.
  - 74. The computer system of claim 66, wherein the software portion configured for preparing an alert comprises a software portion configured for maintenance of a Threat Level.

69-1. The computer system of claim 68, wherein the software portion configured for identifying the linked series of security events comprises a software portion configured for detecting a series of security events occurring in a specific sequence.

75. A computer system for analysis of network security events, the computer system comprising:
- a software portion configured for obtaining security event data that was initially gathered by at least one security device;
  
  a software portion configured for analyzing the security event data to determine a number of occurrences for at least one security event type and to identify linked series of security events within the security event data;
  
  a software portion configured for determining identification information for originating parties of at least one security event; and
  
  a software portion configured for preparing an alert describing results from the analyzing step for at least one security event.
- View Dependent Claims (76, 77, 78, 79, 80, 81, 82, 83)
- - 76. The computer system of claim 75, wherein the software portion configured for obtaining the security event data comprises a software portion configured for receiving a data stream of security events from a security device.
  - 77. The computer system of claim 75, wherein the software portion configured for identifying the linked series of security events comprises a software portion configured for detecting a pattern of security events independent of the sequence of occurrence of the security events.
  - 78. The computer system of claim 75, wherein the software portion configured for identifying the linked series of security events comprises a software portion configured for detecting a series of security events occurring in a specific sequence.
  - 79. The computer system of claim 75, wherein the software portion configured for analyzing the security event data further comprises a software portion configured for determining a variance in the number of occurrences of the at least one security event type relative to a baseline value.
  - 80. The computer system of claim 75, wherein the software portion configured for obtaining the security event data further comprises a software portion configured for associating the security event data with demographic and geographic information about the network providing the security event data.
  - 81. The computer system of claim 75, wherein the software portion configured for preparing an alert comprises a software portion configured for generating a report based on an identified validated security threat.
  - 82. The computer system of claim 75, wherein the software portion configured for preparing an alert comprises a software portion configured for maintenance of a Threat Level.
  - 83. The computer system of claim 75, further comprising a software portion configured for aggregating the obtained security event data with other previously obtained security event data prior to the step of performing a security event analysis.

84. A computer system for the early detection of validated security threats, the computer system comprising:
- means for obtaining security event data initially gathered by a plurality of security devices;
  
  means for converting the security event data into common, vendor-independent security event types;
  
  means for performing a security event analysis on the security event data to identify validated security threats; and
  
  means for preparing an alert based on the identified validated security threats.
- View Dependent Claims (85, 86, 87, 88, 89, 90, 91, 92, 93)
- - 85. The computer system of claim 84, wherein the security event data comprises a listing of individual security events in a vendor specific format.
  - 86. The computer system of claim 84, wherein the means for performing a security event analysis comprises means for identifying a linked series of security events.
  - 87. The computer system of claim 86, wherein the means for identifying the linked series of security events comprises means for detecting a pattern of security events independent of the sequence of occurrence of the security events.
  - 88. The computer system of claim 86, wherein the means for identifying the linked series of security events comprises means for detecting a series of security events occurring in a specific sequence.
  - 89. The computer system of claim 84, wherein the means for performing a security event analysis comprises:
    - means for determining a number of occurrences of a security event type within a time period; and
      
      means for determining a variance in the number of occurrences relative to a baseline value.
  - 90. The computer system of claim 84, wherein the means for obtaining the security event data further comprises means for associating the security event data with demographic and geographic information about the network providing the security event data.
  - 91. The computer system of claim 84, further comprising means for determining identification information for originating parties of at least one security event within the security event data.
  - 92. The computer system of claim 84, wherein the means for preparing an alert comprises means for generating a report based on an identified validated security threat.
  - 93. The computer system of claim 84, wherein the means for preparing an alert comprises means for maintenance of a Threat Level.

94. A computer system for analysis of network security events, the computer system comprising:
- means for obtaining security event data that was initially gathered by at least one security device;
  
  means for analyzing the security event data to determine a number of occurrences for at least one security event type and to identify linked series of security events within the security event data;
  
  means for determining identification information for originating parties of at least one security event; and
  
  means for preparing an alert describing results from the analyzing step for at least one security event.
- View Dependent Claims (95, 96, 97, 98, 99, 100, 101, 102)
- - 95. The computer system of claim 94, wherein the means for obtaining the security event data comprises means for receiving a data stream of security events from a security device.
  - 96. The computer system of claim 94, wherein the means for identifying the linked series of security events comprises means for detecting a pattern of security events independent of the sequence of occurrence of the security events.
  - 97. The computer system of claim 94, wherein the means for identifying the linked series of security events comprises means for detecting a series of security events occurring in a specific sequence.
  - 98. The computer system of claim 94, wherein the means for analyzing the security event data further comprises means for determining a variance in the number of occurrences of the at least one security event type relative to a baseline value.
  - 99. The computer system of claim 94, wherein the means for obtaining the security event data further comprises means for associating the security event data with demographic and geographic information about the network providing the security event data.
  - 100. The computer system of claim 94, wherein the means for preparing an alert comprises means for generating a report based on an identified validated security threat.
  - 101. The computer system of claim 94, wherein the means for preparing an alert comprises means for maintenance of a Threat Level.
  - 102. The computer system of claim 94, further comprising means for aggregating the obtained security event data with other previously obtained security event data prior to the step of performing a security event analysis.

103. A computer program product for the early detection of validated security threats, the computer program product comprising:
- program code for obtaining security event data initially gathered by a plurality of security devices;
  
  program code for converting the security event data into common, vendor-independent security event types;
  
  program code for performing a security event analysis on the security event data to identify validated security threats; and
  
  program code for preparing an alert based on the identified validated security threats.
- View Dependent Claims (104, 105, 106, 107, 108, 109, 110, 111, 112)
- - 104. The computer program product of claim 103, wherein the security event data comprises a listing of individual security events in a vendor specific format.
  - 105. The computer program product of claim 103, wherein the program code for performing a security event analysis comprises program code for identifying a linked series of security events.
  - 106. The computer program product of claim 105, wherein the program code for identifying the linked series of security events comprises program code for detecting a pattern of security events independent of the sequence of occurrence of the security events.
  - 107. The computer program product of claim 105, wherein the program code for identifying the linked series of security events comprises program code for detecting a series of security events occurring in a specific sequence.
  - 108. The computer program product of claim 103, wherein the program code for performing a security event analysis comprises:
    - program code for determining a number of occurrences of a security event type within a time period; and
      
      program code for determining a variance in the number of occurrences relative to a baseline value.
  - 109. The computer program product of claim 103, wherein the program code for obtaining the security event data further comprises program code for associating the security event data with demographic and geographic information about the network providing the security event data.
  - 110. The computer program product of claim 103, further comprising program code for determining identification information for originating parties of at least one security event within the security event data.
  - 111. The computer program product of claim 103, wherein the program code for preparing an alert comprises program code for generating a report based on an identified validated security threat.
  - 112. The computer program product of claim 103, wherein the program code for preparing an alert comprises program code for maintenance of a Threat Level.

113. A computer program product for analysis of network security events, the computer program product comprising:
- program code for obtaining security event data that was initially gathered by at least one security device;
  
  program code for analyzing the security event data to determine a number of occurrences for at least one security event type and to identify linked series of security events within the security event data;
  
  program code for determining identification information for originating parties of at least one security event; and
  
  program code for preparing an alert describing results from the analyzing step for at least one security event.
- View Dependent Claims (114, 115, 116, 117, 118, 119, 120, 121)
- - 114. The computer program product of claim 113, wherein the program code for obtaining the security event data comprises program code for receiving a data stream of security events from a security device.
  - 115. The computer program product of claim 113, wherein the program code for identifying the linked series of security events comprises program code for detecting a pattern of security events independent of the sequence of occurrence of the security events.
  - 116. The computer program product of claim 113, wherein the program code for identifying the linked series of security events comprises program code for detecting a series of security events occurring in a specific sequence.
  - 117. The computer program product of claim 113, wherein the program code for analyzing the security event data further comprises program code for determining a variance in the number of occurrences of the at least one security event type relative to a baseline value.
  - 118. The computer program product of claim 113, wherein the program code for obtaining the security event data further comprises program code for associating the security event data with demographic and geographic information about the network providing the security event data.
  - 119. The computer program product of claim 113, wherein the program code for preparing an alert comprises program code for generating a report based on an identified validated security threat.
  - 120. The computer program product of claim 113, wherein the program code for preparing an alert comprises program code for maintenance of a Threat Level.
  - 121. The computer program product of claim 113, further comprising program code for aggregating the obtained security event data with other previously obtained security event data prior to the step of performing a security event analysis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
NortonLifeLock Inc.
Inventors
Huger, Alfred, Tomic, George, Levy, Elias, Friedrichs, Oliver

Application Number

US10/216,049
Publication Number

US 20030084349A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 41/0226   Mapping or translating mult...

H04L 63/1408   by monitoring network traff...

Early warning system for network attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

121 Claims

Specification

Solutions

Use Cases

Quick Links

Early warning system for network attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

121 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links