Method and system for displaying network security incidents
Abstract
A network security monitor system groups a plurality of security events into network sessions, correlates the network sessions according to a set of predefined network security event correlation rules, and generates a security incident for each network session that satisfies one of the rules. The system then presents the network session and security incident information to a user in an intuitive form. The user is able not only to learn the details of a possible network attack but also to create new security event correlation rules intuitively, including drop rules for discarding a particular type of event.
31 Claims

1. A method of analyzing security events, comprising:
receiving and processing security events, including grouping the security events into network sessions, each session having an identified source and destination;
displaying a graph representing devices in a network, the devices including security devices and non-security devices, the displayed graph including a plurality of individual device symbols and a plurality of group device symbols, each individual device symbol representing a security device of the network and each group device symbol representing a group of non-security devices of the network; and
displaying in conjunction with the graph security incident information, including with respect to a group device symbol an incident volume indicator that indicates a number of network sessions whose source or destination is at any member of a group of non-security devices corresponding to the group device symbol.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method of defining a rule, the rule identifying instances of a security incident with respect to security events, the method comprising:
providing a table having a plurality of rows, each row defining a class of security events and defining a logical relationship to the class of security events of a subsequent row in the table, if any;
enabling user editing of the table to define one or more constraints in one or more rows of the table, the one or more constraints based upon a group of event parameters comprising a source address, a destination address, and an event type; and
enabling user editing of the table to specify the logical relationship of a user selected row of the table with respect to a subsequent row of the table, the specified logical relationship selected from a predefined set of Boolean relationships and timing relationships.
Dependent claims: 9, 10, 11, 12, 13.

14. A method of defining a query against a plurality of security events to detect a user-defined security event pattern, the method comprising:
collecting a plurality of security events, each event characterized by a set of event parameters including a source address, a destination address, and an event type;
providing a table having a plurality of rows, each row having a plurality of columns and defining a class of security events, one column specifying a logical relationship to the class of security events of a subsequent row in the table, if any, one column specifying a predefined event count of the class of security events;
enabling user editing of the table to define one or more constraints in one or more rows of the table, each of the one or more constraints correlating one or more columns of one row with one or more columns of another row in the table or correlating one or more columns of one row with a predefined set of parameters; and
enabling user editing of the table to specify the logical relationship of a user selected row of the table with respect to a subsequent row of the table, the specified logical relationship selected from a predefined set of Boolean relationships and timing relationships.
Dependent claim: 15.

16. A method of analyzing a stream of security events, comprising:
receiving and processing a stream of security events, including grouping the security events into a plurality of network sessions, each session having an identified source and destination and assigned a unique session identifier;
applying a plurality of predefined security event correlation rules to the plurality of network sessions in association with the processed security events;
for each of a subset of the predefined security event correlation rules, identifying network sessions from the plurality of network sessions in association with the processed security events, if any, that satisfy the rule;
displaying a graph representing devices in a network, the displayed graph including a plurality of individual device symbols and a plurality of group device symbols, each individual device symbol representing one security device of the network, and each group device symbol representing a group of non-security devices of the network; and
displaying in conjunction with the graph information associated with the identified network sessions, including with respect to each group device symbol a session volume indicator that indicates a number of identified network sessions whose source or destination is at a non-security device in a group of non-security devices corresponding to the group device symbol.

17. A method of analyzing a stream of security events, comprising:
receiving a stream of security events;
grouping the security events into a plurality of network sessions, each session having at least one security event and characterized by an identified source and destination;
applying a plurality of predefined security event correlation rules to the plurality of network sessions in association with the security events;
for each of a subset of the predefined security event correlation rules, identifying network sessions that satisfy the rule, if any;
displaying a graph representing devices in a network, the displayed graph including a plurality of individual device symbols and a plurality of group device symbols, each individual device symbol representing a security device of the network, and each group device symbol representing a group of non-security devices of the network; and
displaying in conjunction with the graph information associated with the identified network sessions, including with respect to each group device symbol a session volume indicator that indicates a number of identified network sessions whose source or destination is at a non-security device in a group of non-security devices corresponding to the group device symbol.

18. A network security events analysis system, comprising:
one or more central processing units for executing programs;
an interface for receiving security events; and
a network security event correlation engine executable by the one or more central processing units, the engine comprising:
instructions for receiving and processing security events, including grouping the security events into network sessions, each session having an identified source and destination;
instructions for displaying a graph representing devices in a network, the devices including security devices and non-security devices, the displayed graph including a plurality of individual device symbols and a plurality of group device symbols, each individual device symbol representing a security device of the network and each group device symbol representing a group of non-security devices of the network; and
instructions for displaying in conjunction with the graph security incident information, including with respect to a group device symbol an incident volume indicator that indicates a number of network sessions whose source or destination is at one member of a group of non-security devices corresponding to the group device symbol.
Dependent claims: 19, 20, 21, 22, 23, 24.

25. A computer program product for use in conjunction with a computer system, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
instructions for receiving and processing security events, including grouping the security events into network sessions, each session having an identified source and destination;
instructions for displaying a graph representing devices in a network, the devices including security devices and non-security devices, the displayed graph including a plurality of individual device symbols and a plurality of group device symbols, each individual device symbol representing a security device of the network and each group device symbol representing a group of non-security devices of the network; and
instructions for displaying in conjunction with the graph security incident information, including with respect to a group device symbol an incident volume indicator that indicates a number of network sessions whose source or destination is at one member of a group of non-security devices corresponding to the group device symbol.
Dependent claims: 26, 27, 28, 29, 30, 31.
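The independent claims above describe one pipeline: group events into (source, destination) sessions with unique identifiers (claims 1, 16, 17), evaluate table-form correlation rules whose rows are event classes joined by Boolean or timing relationships and event counts (claims 8 and 14), apply drop rules (abstract), and roll the resulting incident sessions up into a per-group-symbol incident volume indicator (claims 1, 18, 25). The following is an added example in Python, written for this page and not code from the patent or its assignee. The event fields, the dictionary layout of a rule row, the idle-gap session boundary, the semantics chosen for FOLLOWED_BY, the subnet-based device groups and the sample events are all assumptions made for illustration; the claims do not fix them.

```python
# Added example (not code from the patent or its assignee): a minimal model of the
# claimed pipeline. Event fields, the rule-table layout, the device groups and the
# sample events are assumptions chosen for illustration.
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

Event = namedtuple("Event", "ts src dst etype")   # one normalized security event

@dataclass
class Session:
    sid: int                                      # unique session identifier (claim 16)
    src: str
    dst: str
    events: list = field(default_factory=list)

def group_sessions(events, gap=timedelta(minutes=5)):
    """Group events by (source, destination); an idle gap longer than `gap` starts a new session."""
    sessions, open_by_pair = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        s = open_by_pair.get((ev.src, ev.dst))
        if s is None or ev.ts - s.events[-1].ts > gap:
            s = Session(len(sessions) + 1, ev.src, ev.dst)
            sessions.append(s)
            open_by_pair[(ev.src, ev.dst)] = s
        s.events.append(ev)
    return sessions

def in_class(ev, row):
    """Membership of an event in the class a rule row defines (event type plus CIDR constraints)."""
    if "etype" in row and ev.etype != row["etype"]:
        return False
    return all(ip_address(getattr(ev, c)) in ip_network(row[c]) for c in ("src", "dst") if c in row)

def session_matches(session, rule):
    """Evaluate a table-form rule (claims 8 and 14) against one session: each row is an event class
    with a minimum count, related to the next row by AND or by FOLLOWED_BY within a time window."""
    matched = []
    for row in rule["rows"]:
        evs = sorted((e for e in session.events if in_class(e, row)), key=lambda e: e.ts)
        if len(evs) < row.get("count", 1):
            return False
        matched.append(evs)
    for i, row in enumerate(rule["rows"][:-1]):
        if row.get("rel", "AND") == "FOLLOWED_BY":
            first_next = matched[i + 1][0].ts
            if matched[i][row.get("count", 1) - 1].ts >= first_next:  # required row-i events come first
                return False
            if "within" in row and first_next - matched[i][0].ts > row["within"]:
                return False
    return True

def correlate(events, rules):
    """Apply drop rules, group the rest into sessions, return the sessions and incidents per rule."""
    drops = [r["rows"][0] for r in rules if r.get("drop")]
    sessions = group_sessions([e for e in events if not any(in_class(e, d) for d in drops)])
    incidents = {}
    for r in rules:
        hits = [] if r.get("drop") else [s for s in sessions if session_matches(s, r)]
        if hits:
            incidents[r["name"]] = hits
    return sessions, incidents

def incident_volume(incidents, groups):
    """Indicator per group device symbol: distinct incident sessions with an endpoint in the group."""
    volume, seen = dict.fromkeys(groups, 0), set()
    for s in (s for hits in incidents.values() for s in hits):
        if s.sid not in seen:
            seen.add(s.sid)
            for name, cidr in groups.items():
                if ip_address(s.src) in ip_network(cidr) or ip_address(s.dst) in ip_network(cidr):
                    volume[name] += 1
    return volume

# Assumed topology: security devices get individual symbols; other hosts share one group symbol per subnet.
GROUPS = {"DMZ": "10.0.1.0/24", "LAN": "10.0.2.0/24"}

RULES = [
    {"name": "drop-monitor-pings", "drop": True,           # drop rule: ignore the monitor's probes
     "rows": [{"etype": "ICMP_ECHO", "src": "10.0.2.7/32"}]},
    {"name": "scan-then-exploit", "rows": [                # three scans, then an exploit on the DMZ
        {"etype": "PORTSCAN", "count": 3, "rel": "FOLLOWED_BY", "within": timedelta(minutes=10)},
        {"etype": "EXPLOIT", "dst": "10.0.1.0/24"}]},
]
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_EVENTS = [                                          # constructed sample input
    Event(T0, "203.0.113.9", "10.0.1.20", "PORTSCAN"),
    Event(T0 + timedelta(seconds=30), "10.0.2.7", "10.0.1.20", "ICMP_ECHO"),
    Event(T0 + timedelta(minutes=1), "203.0.113.9", "10.0.1.20", "PORTSCAN"),
    Event(T0 + timedelta(minutes=2), "203.0.113.9", "10.0.1.20", "PORTSCAN"),
    Event(T0 + timedelta(minutes=3), "10.0.2.5", "10.0.1.20", "PORTSCAN"),
    Event(T0 + timedelta(minutes=4), "203.0.113.9", "10.0.1.20", "EXPLOIT"),
    Event(T0 + timedelta(minutes=5), "203.0.113.9", "10.0.2.30", "EXPLOIT"),
]

def run_example():
    sessions, incidents = correlate(SAMPLE_EVENTS, RULES)
    return sessions, incidents, incident_volume(incidents, GROUPS)
```

On the constructed input, the monitor's ICMP probe is dropped before grouping, three sessions remain, only the scan-then-exploit session satisfies the rule, and the DMZ group symbol gets an incident volume of 1 while the LAN group gets 0 even though the attacker's lone exploit against a LAN host is a session: the indicator counts incident sessions, not all sessions. Two points the claims leave open and this model fixes by assumption are worth noting when reading them: the session boundary (here an idle gap on the address pair; a production system would also key on ports and protocol) and the precise meaning of a timing relationship between rows (here: the required number of row-i events precede the next row's first event, all inside the window).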
Specification