Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures

US 20050204404A1
Filed: 03/02/2005
Published: 09/15/2005
Est. Priority Date: 01/25/2001
Status: Active Grant

First Claim

Patent Images

1. A security system for a computer network, the network having a plurality of devices connected thereto, at least some of the devices generating event messages when the device is under an attack, each event message having an associated event, the security system comprising:

(a) a security subsystem connected to at least the devices in the network that generate an event message when under attack, the security subsystem including;

(i) a collection engine which collects the event messages from the devices, and (ii) an event analyzer which analyzes the event messages to determine if any of the associated events exceed any predetermined thresholds;

(b) a master security system which receives the associated events that exceed any predetermined thresholds; and

(c) a first communication medium connected between the security subsystem and the master security system, the master security system receiving the associated events through the first communication medium.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for verifying the integrity of devices on a target network. The apparatus has security subsystems and a master security system hierarchically connected to the security subsystems via a secure link. The target network includes various intrusion detection devices, which may be part of the security subsystem. Each intrusion detection device generates a plurality of event messages when an attack on the network is detected. The security subsystem collects these event messages, correlates, and analyzes them, and performs network scanning processes. If certain events warrant additional scrutiny, they are uploaded to the master security system for review.

92 Citations

View as Search Results

17 Claims

1. A security system for a computer network, the network having a plurality of devices connected thereto, at least some of the devices generating event messages when the device is under an attack, each event message having an associated event, the security system comprising:
- (a) a security subsystem connected to at least the devices in the network that generate an event message when under attack, the security subsystem including;
  
  (i) a collection engine which collects the event messages from the devices, and (ii) an event analyzer which analyzes the event messages to determine if any of the associated events exceed any predetermined thresholds;
  
  (b) a master security system which receives the associated events that exceed any predetermined thresholds; and
  
  (c) a first communication medium connected between the security subsystem and the master security system, the master security system receiving the associated events through the first communication medium.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1 wherein the master security system is located outside of the computer network.
  - 3. The system of claim 2 wherein the master security system does not respond to any instructions issued from the security subsystem, the connection manner of the first communication medium and the inability of the master security system to respond to any instructions issued from the security subsystem thereby preventing a takeover of the master security system as a result of an attack on the network.
  - 4. The system of claim 1 further comprising:
    - (d) a second communication medium connected between the master security system and the network which enables data communication from the master security system to the network for issuing instructions to network devices.
  - 5. The system of claim 4 wherein the instructions are issued if the first communication medium is severed or compromised.
  - 6. The system of claim 1 wherein the security subsystem further comprises:
    - (iii) a counteraction mechanism which causes selected countering events to occur regarding the network devices upon detection of selected events that exceed any predetermined thresholds.
  - 7. The system of claim 6 wherein the countering event includes restricting or disabling access to the network or a device in the network.
  - 8. The system of claim 1 further comprising:
    - (d) an enterprize event analyzer which performs event correlation to correlate event messages received from different devices in the network to one particular threat or security event.
  - 9. The system of claim 8 further comprising:
    - (d) a hierarchy of event analyzers that work in conjunction with each other to correlate event message to one particular threat or security, the hierarchy of event analyzers, including;
      
      (i) the first event analyzer, and (ii) a global event analyzer associated with the master security system.
  - 10. The system of claim 1 wherein the first communication medium is connected only to the security subsystem and to the master security system, and not to any of the network devices.
  - 11. The system of claim 1 wherein the master security system is hierarchically independent from the security subsystem.
  - 12. The system of claim 1 wherein the security subsystem is hierarchically subordinate to the master security system.
  - 13. The system of claim 1 wherein the first communication medium is a secure link defined by a virtual private network (VPN) tunnel.
  - 14. The system of claim 1 wherein the master security system further monitors whether the security subsystem responds to the master security system, the master security system taking action if no response is detected.
  - 15. The system of claim 1 wherein the master system further comprises a pseudo-attack generator which generates attacks on the network, the security subsystem detecting such attacks and sending expected replies to the master system when its integrity is intact, the master system detecting whether the expected replies are received in response to a pseudo-attack to determine whether the integrity of the subsystem has been compromised.

16. A security system for a computer network, the network having a plurality of devices connected thereto, at least some of the devices generating event messages when the device is under an attack, each event message having an associated event, the security system comprising:
- (a) a security subsystem connected to at least the devices in the network that generate an event message when under attack, the security subsystem including;
  
  (i) a collection engine which collects the event messages from the devices, and (ii) an event analyzer which combines all event messages from the devices determined to be related to the same attack into a single security ticket;
  
  (b) a master security system which receives the security tickets; and
  
  (c) a first communication medium connected between the security subsystem and the master security system, the master security system receiving the security tickets through the first communication medium.

17. A security system for a computer network, the network having a plurality of devices connected thereto, at least some of the devices generating event messages when the device is under an attack, each event message having an associated event, the security system comprising:
- (a) a security subsystem connected to at least the devices in the network that generate an event message when under attack, the security subsystem including;
  
  (i) a collection engine which collects the event messages from at least the devices in the network that generate an event message when under attack, and (ii) an enterprise event analyzer which performs event correlation to correlate event messages collected by the collection engine to one particular threat or security event;
  
  (b) a master security system which receives the correlated event messages; and
  
  (c) a first communication medium connected between the security subsystem and the master security system, the master security system receiving the correlated event messages through the first communication medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NTT Security (US) Inc. (Nippon Telegraph and Telephone Corporation)
Original Assignee
Solutionary, Inc (Nippon Telegraph and Telephone Corporation)
Inventors
Guilfoyle, Jeffrey, Mac Beaver, Edward, Hrabik, Michael

Granted Patent

US 7,370,359 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

92 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for verifying the integrity and security of computer networks and implementing counter measures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links