System security event notification aggregation and non-repudiation

US 20060156398A1
Filed: 12/30/2004
Published: 07/13/2006
Est. Priority Date: 12/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an item of security information from a security agent monitoring a host network client;

receiving an additional item of security information from a security agent monitoring the host network client;

aggregating the items of security information into a combined alert message; and

transmitting the combined alert message to a security management console.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An aggregation agent may combine and correlate information generated by multiple on-host agents and/or information generated in response to multiple security events. The aggregation agent may transmit the combined information to a security console. The security console may check the identity of the aggregation agent to determine whether to accept the information.

Citations

24 Claims

1. A method comprising:
- receiving an item of security information from a security agent monitoring a host network client;
  
  receiving an additional item of security information from a security agent monitoring the host network client;
  
  aggregating the items of security information into a combined alert message; and
  
  transmitting the combined alert message to a security management console.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method according to claim 1, wherein aggregating the items of security information further comprises correlating the items of security information with each other to remove duplicate information.
  - 3. A method according to claim 2, wherein correlating the items of security information further comprises:
    - determining that the items of security information are received from the same security agent and relate to separate security events; and
      
      appending the items together into a single alert message.
  - 4. A method according to claim 2, wherein correlating the items of security information further comprises:
    - determining that the items of security information are related to the same security event and provide duplicated information; and
      
      placing only one of the items of security information into the combined alert message.
  - 5. A method according to claim 4, wherein determining that the items of security information are related to the same security event and provide duplicated information comprises determining that security information received from separate security agents monitoring the host network client relates to the same security event and provide duplicated information.
  - 6. A method according to claim 1, further comprising verifying the integrity of the security agent from which the item of security information are received.
  - 7. A method according to claim 6, wherein verifying the integrity of the security agent further comprises:
    - hashing executable code of the security agent; and
      
      determining if the result of the hashing matches an expected value.
  - 8. A method according to claim 6, wherein verifying the integrity of the security agent further comprises verifying keys received from a hardware security agent.
  - 9. A method according to claim 1, further comprising compressing the combined alert message.
  - 10. A method according to claim 1, wherein transmitting the alert message to the security management console further comprises presenting authentication to the security management console.
  - 11. A method according to claim 1, wherein the security management console comprises a central console that maps information from the combined alert message to a console to which the information applies.

12. An article of manufacture comprising a machine accessible medium having content to provide instructions to result in a machine performing operations including:
- receiving multiple security alerts indicating multiple security events on a host machine;
  
  aggregating the security alerts to generate a security message;
  
  signing the security message with a digital authentication; and
  
  transmitting the signed security message to a security management console.
- View Dependent Claims (13, 14, 15, 16)
- - 13. An article of manufacture according to claim 12, wherein the multiple security events comprise data generated by multiple different host-based security agents.
  - 14. An article of manufacture according to claim 12, wherein the content to provide instructions to result in the machine aggregating the security alerts further comprises the content to provide instructions to result in the machine correlating the multiple security events and aggregating the events based, at least in part, on the correlation.
  - 15. An article of manufacture according to claim 14, wherein the content to provide instructions to result in the machine correlating the multiple security events further comprises the content to provide instructions to result in the machine dropping security events having duplicate information as other security events.
  - 16. An article of manufacture according to claim 12, further comprising the content to provide instructions to result in the machine encrypting the security message.

17. An apparatus comprising:
- a receiver to receive alerts from multiple host security agents, each alert destined for a console corresponding to a respective host security agent;
  
  a transport agent coupled to the receiver to gather and cross-correlate the alerts, and prepare a single security alert message to indicate the alerts; and
  
  a transmitter coupled to the transport agent to transmit the security alert message to the consoles over a network.
- View Dependent Claims (18, 19, 20, 21)
- - 18. An apparatus according to claim 17, wherein the multiple host security agents comprise one or more of a host firewall, an intrusion detection system (IDS), and intrusion prevention system (IPS), antivirus software, or a security compliance agent.
  - 19. An apparatus according to claim 17, wherein cross-correlate the alerts comprises the transport agent to determine whether one or more alerts duplicates information indicated in another alert, and eliminating the duplicate alert(s).
  - 20. An apparatus according to claim 17, further comprising the transport agent to sign the single security alert message to authenticate the message to the consoles.
  - 21. An apparatus according to claim 17, further comprising the transmitter to dynamically change a configuration of a communication link with the consoles in response to a console indicating a different configuration of the communication link to the transport agent.

22. An apparatus comprising:
- a network interface circuit having an aggregation agent to join multiple security messages from a security monitor on a host machine into a single alert and sign the single alert, a receive path to receive the multiple security messages, and a transmitter coupled to a network to transmit the single alert to a network management server; and
  
  a twisted pair cable coupled to the network interface circuit to couple the network interface circuit to a network.
- View Dependent Claims (23, 24)
- - 23. An apparatus according to claim 22, wherein the aggregation agent to join multiple security messages further comprises the aggregation agent to correlate the multiple security messages.
  - 24. An apparatus according to claim 22, further comprising:
    - the aggregation agent to verify integrity of the security monitor; and
      
      a non-volatile storage coupled to the network interface circuit to store information relating to determining the integrity verification and authentication information for the network interface circuit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Morgan, Dennis M., Ross, Alan D.

Granted Patent

US 7,571,474 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/606   by securing the transmissio...

H04L 63/20   for managing network securi...

System security event notification aggregation and non-repudiation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System security event notification aggregation and non-repudiation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links