Intelligent security engine and intelligent and integrated security system using the same

US 20040015719A1
Filed: 07/16/2002
Published: 01/22/2004
Est. Priority Date: 07/16/2002
Status: Abandoned Application

First Claim

Patent Images

1. An intelligent and integrated security system, comprising:

a firewall for interconnecting and controlling access between external and internal networks;

a plurality of security agents for monitoring a data flow and system calls over the internal network;

an intelligent security engine (ISE) for analyzing an alert message, a traffic information and an event information transferred from the plurality of security agents, to decide if there is an attack and to generate a signature through a learning process; and

a security policy manager (SPM) for managing and applying a security policy to each of the plurality of security agents based on a decision of the ISE.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall interconnects and controls access between external and internal networks, and a plurality of security agents monitor a data flow and system calls over the internal network. An intelligent security engine (ISE) is for analyzing an alert message, a traffic information and an event information transferred from the plurality of security agents to decide if there is an attack and to generate a signature through a learning process. A security policy manager (SPM) is for managing and applying a security policy to each of the plurality of security agents based on the decision of the ISE. The ISE performs a correlation analysis and a causation analysis on suspicious traffic and events and a detection message transferred from the plurality of security agents. Further, the ISE carries out a pattern analysis and generates a new detection pattern through a self-learning process.

Citations

32 Claims

1. An intelligent and integrated security system, comprising:
- a firewall for interconnecting and controlling access between external and internal networks;
  
  a plurality of security agents for monitoring a data flow and system calls over the internal network;
  
  an intelligent security engine (ISE) for analyzing an alert message, a traffic information and an event information transferred from the plurality of security agents, to decide if there is an attack and to generate a signature through a learning process; and
  
  a security policy manager (SPM) for managing and applying a security policy to each of the plurality of security agents based on a decision of the ISE.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The security system claimed in claim 1, wherein the ISE performs a correlation analysis and a causation analysis on a suspicious traffic, a suspicious event and a detection message transferred from the plurality of security agents.
  - 3. The security system claimed in claim 1, wherein the ISE comprises a pattern analysis module which performs a pattern analysis on all traffic and events transferred from the plurality of security agents.
  - 4. The security system claimed in claim 2, wherein the ISE comprises a pattern analysis module which performs a pattern analysis on all traffic and events transferred from the plurality of security agents, said pattern analysis module generating a new detection pattern based on the results of the correlation analysis and causation analysis, a session information and raw data.
  - 5. The security system claimed in claim 3 or 4, wherein the pattern analysis module comprises a pre-processor for data-transforming an audit produced from the plurality of security agents, a pattern analyzer for analyzing the transformed audit data and generating a new pattern and model, and a detector for detecting an intrusion based on the generated model.
  - 6. The security system claimed in claim 3 or 4, wherein the pattern analysis module performs an anomaly detection by using clustering with regard to network traffic and a misuse detection pattern generation by using an expert system.
  - 7. The security system claimed in claim 2, wherein the correlation analysis analyzes correlation among alerts transferred from the plurality of security agents, and examines a related system information, a network topology, and application information.
  - 8. The security system claimed in claim 2, wherein the causation analysis analyzes causes and results of events based on a scenario with respect to suspicious information transferred from the plurality of security agents.
  - 9. The security system claimed in claim 1, wherein the plurality of security agents include a network security agent (NSA) for analyzing a suspicious traffic and providing a network security function, and a host security agent (HSA) for reacting to threats associated with resources of a server within the network.
  - 10. The security system claimed in claim 1 or 9, wherein the plurality of agents include a firewall security agent (FSA) for adopting a security policy transferred from the SPM and causing the firewall to block traffic from an attacker.
  - 11. The security system claimed in claim 9, wherein the NSA and HSA perform a misuse detection to a known attack and transfer all the traffic and events to the ISE.
  - 12. The security system claimed in claim 11, wherein the misuse detection uses one of an expert system, a signature analysis, a state-transition analysis, Petri nets, a genetic algorithm, pattern matching, a stateful inspection and rule-based solution.
  - 13. The security system claimed in claim 12, wherein the pattern matching examines if an object to be compared is identical to a predetermined pattern.
  - 14. The security system claimed in claim 12, wherein the stateful inspection examines a session table in order to determine if a target host of an attack is actually damaged.
  - 15. The security system claimed in claim 3 or 4, wherein the anomaly detection performed by the ISE uses one of a profile-based detection, statistical measures, a rule-based solution, a neural network, a clustering-based anomaly detection and a solution employing a decision tree.
  - 16. The security system claimed in claim 3 or 4, wherein the ISE generates a new signature through a learning process when an attack determined by the anomaly detection of the pattern analysis module is an unknown attack.
  - 17. The security system claimed in claim 16, wherein the learning process is a clustering process which includes a step for matching reduced session information onto a three dimensional space.
  - 18. The security system claimed in claim 17, wherein the reduced session information includes a session duration time, a start time, a termination time, a number of packets received by a source, a number of packets received by a destination, and a status of a TCP flag upon termination.
  - 19. The security system claimed in claim 7, wherein the correlation analysis uses a clustering technique which groups events until an event group exceeds a threshold.

20. An intelligent and integrated security system comprising:
- a firewall for interconnecting and controlling access between external and internal networks;
  
  a network security agent (NSA) for analyzing a suspicious traffic so as to react to a threat related to a network security;
  
  a host security agent (HSA) for protecting resources of servers located within the network and analyzing a status and activity of the system;
  
  an intelligent security engine (ISE) for analyzing an alert message, a traffic information and an event information transferred from the NSA and HSA to decide if there is an attack and to generate a signature through a learning process;
  
  a security policy manager (SPM) for managing and applying a security policy to each of the plurality of security agents based on a decision of the ISE; and
  
  a firewall security agent (FSA) for adopting the security policy of the SPM and causing the firewall to block a traffic from an attacker, wherein the ISE carries out a correlation analysis and a causation analysis based on a suspicious traffic and event transferred from the NSA and HSA, and performs a pattern analysis on all the reduced forms of traffics and events delivered from the NSA and HSA.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The security system claimed in claim 20, wherein the pattern analysis performs an anomaly detection by using a decision tree.
  - 22. The security system claimed in claim 20, wherein the pattern analysis performs an anomaly detection by a clustering technique.
  - 23. The security system claimed in claim 20 or 22, wherein the pattern analysis carries out a misuse detection by using an expert system.
  - 24. The security system claimed in claim 20, further comprising a security center for verifying the new signature generated by the ISE.
  - 25. The security system claimed in claim 23, wherein the security center applies the verified signature to a remotely located FSA for a firewall that belongs to a remote external network.

26. An intelligent security engine comprising:
- means for receiving all reduced forms of traffic and events from a security agent and receiving a suspicious traffic and event from the security agent;
  
  means for performing a correlation analysis and a causation analysis on the suspicious traffic and event received by the receiving means;
  
  a pattern analysis module for analyzing patterns of all the reduced forms of traffic and events received by the receiving means;
  
  means for generating a new signature based on the results of the correlation analysis, the causation analysis and the pattern analysis;
  
  means for deciding if there is an attack based on the results of correlation analysis, the causation analysis and the pattern analysis; and
  
  means for transferring the decision and the new signature to a security policy manager.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. The intelligent security engine claimed in claim 26, further comprising a learning machine for inferring an event or traffic that is likely to occur.
  - 28. The intelligent security engine claimed in claim 27, wherein the learning machine matches a session information onto a three dimensional space and groups the session information into a cluster.
  - 29. The intelligent security engine claimed in claim 26, wherein the pattern analysis module comprises a pre-processor for data-transforming an audit produced from a plurality of the security agents, a pattern analyzer for analyzing the transformed audit data and generating a new pattern and model, and a detector for detecting an intrusion based on the generated model.
  - 30. The intelligent security engine claimed in claim 29, wherein the pattern analysis module performs an anomaly detection by using clustering with regard to network traffic and a misuse detection pattern generation by using an expert system.
  - 31. The intelligent security engine claimed in claim 26, wherein the correlation analysis analyzes correlation among alerts transferred from a plurality of the security agents, and examines a related system information, a network topology and application information.
  - 32. The intelligent security engine claimed in claim 26, wherein the causation analysis analyzes causes and results of events based on a scenario with respect to suspicious information transferred from a plurality of the security agents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cybertek Holdings, Inc. (Pyeong Ahn Trading, Inc.)
Original Assignee
Cybertek Holdings, Inc. (Pyeong Ahn Trading, Inc.)
Inventors
Lee, Dae-Hyung, Ryu, Du-Cheon, Kim, Sung-Chul

Application Number

US10/195,326
Publication Number

US 20040015719A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

Intelligent security engine and intelligent and integrated security system using the same

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Intelligent security engine and intelligent and integrated security system using the same

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links