Intrusion event correlation with network discovery information
Abstract
A policy component comprises policy configuration information. The policy configuration information contains one or more rules, and each rule or group of rules can be associated with a set of response actions. As nodes on the monitored networks change, or intrusive actions are introduced on the networks, network change events or intrusion events are generated. The policy component correlates network change events and/or intrusion events with network map information. The network map contains, amongst other things, information on the network topology, services and network devices. When certain criteria are satisfied by the correlation, the system may issue a policy violation event, resulting in alerts or remediations.
21 Claims
1. A method for automatically and passively determining the characteristics of a network, comprising:
storing policy configuration information in a policy component, wherein the policy configuration information comprises one or more rules;
detecting an intrusion event, wherein the intrusion event comprises information including an associated device address;
storing a network map in memory, wherein the network map contains service and network topology information;
linking the intrusion event information to the network map information by way of the associated device address; and
correlating the intrusion event information with the network map information in order to answer queries associated with one or more of the rules in the policy component.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for automatically and passively determining the characteristics of a network, comprising:
a network map storage device, wherein the network map storage device contains device addresses, service and network topology information;
a policy component, operably in communications with the network map storage device, wherein the policy component receives an intrusion event and enforces one or more network configuration rules, and wherein the policy component accesses information in the network map storage device using the device address associated with the intrusion event to determine if information associated with the intrusion event matches network map information as part of evaluating one or more rules.
Dependent claims: 11, 12, 13, 14, 15.
16. A system for automatically and passively determining the characteristics of a network, comprising:
a means for storing a network map, wherein the network map storage device contains device addresses, service and network topology information;
a means for storing a policy component, operably in communications with the network map storing means, wherein the policy component storing means receives an intrusion event and enforces one or more network configuration rules;
wherein the policy component storing means accesses information in the network map storing means using the device address associated with the intrusion event to determine if information associated with the intrusion event matches network map information as part of evaluating one or more rules.
Dependent claims: 17, 18, 19, 20, 21.
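The abstract and independent claims 1 and 10 describe one pipeline: a network map is built passively from observed traffic, an intrusion event is linked to that map by the target's device address, and the policy component's rules are evaluated over the pair to decide on a response. The following is an added illustration of that pipeline, written for this page; it is not code from the patent or from any product implementing it. Every host, service and alert in it is constructed sample data, and the event fields `target_service` and `target_os` (the service and OS the matched signature actually exploits) are an assumption about what an intrusion event would carry. It also handles the two cases the claims imply but do not spell out: a target that is absent from the map, and an exploit that cannot apply to the host it was aimed at.

```python
"""Correlate IDS events and network-change events with a passive network map.

Added example, not the patent's or its assignee's code.  All hosts, services
and alerts are constructed; `target_service`/`target_os` on an event are an
assumed enrichment describing what the matched signature exploits.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    """One network-map entry, learned from observed traffic rather than scans."""
    address: str
    os: str = "unknown"
    services: dict = field(default_factory=dict)   # port -> service name


class NetworkMap:
    """Network map storage: device addresses with their services and OS."""

    def __init__(self):
        self.hosts = {}

    def observe(self, address, os_name=None, port=None, service=None):
        """Fold one passive observation into the map; return change events."""
        changes = []
        host = self.hosts.get(address)
        if host is None:
            host = self.hosts[address] = Host(address, os_name or "unknown")
            changes.append({"type": "new_host", "address": address})
        if os_name and host.os != os_name:
            host.os = os_name
        if port is not None and host.services.get(port) != service:
            host.services[port] = service
            changes.append({"type": "new_service", "address": address,
                            "port": port, "service": service})
        return changes

    def lookup(self, address):
        return self.hosts.get(address)


def _exploit_fits_host(ev, host):
    """True when the signature's target service and OS match what the host runs."""
    return (host is not None
            and host.services.get(ev["dst_port"]) == ev["target_service"]
            and ev["target_os"] in (None, host.os))


# Policy configuration (constructed): (rule name, predicate over the event and
# the host it was linked to, response action taken when the rule fires).
INTRUSION_RULES = [
    ("target-not-in-map", lambda ev, h: h is None, "alert:review-unknown-host"),
    ("exploit-fits-target", _exploit_fits_host, "alert:high-priority"),
    ("exploit-cannot-apply",
     lambda ev, h: h is not None and not _exploit_fits_host(ev, h),
     "log:deprioritised"),
]
ALLOWED_SERVICES = {"http", "https", "ssh", "smb"}      # assumed site policy
CHANGE_RULES = [
    ("unexpected-service",
     lambda ch, h: ch["type"] == "new_service" and ch["service"] not in ALLOWED_SERVICES,
     "alert:unauthorised-service"),
]


class PolicyComponent:
    """Links each event to the map by device address and evaluates the rules."""

    def __init__(self, network_map, intrusion_rules, change_rules):
        self.map, self.intrusion_rules, self.change_rules = network_map, intrusion_rules, change_rules

    def on_intrusion(self, ev):
        host = self.map.lookup(ev["dst"])            # the link: target device address
        return self._evaluate(self.intrusion_rules, ev, host)

    def on_change(self, change):
        return self._evaluate(self.change_rules, change, self.map.lookup(change["address"]))

    @staticmethod
    def _evaluate(rules, subject, host):
        """Return one policy violation per rule whose predicate is satisfied."""
        return [{"rule": name, "action": action} for name, when, action in rules if when(subject, host)]


SAMPLE_OBSERVATIONS = [          # constructed passive-discovery observations
    ("10.0.0.10", "Linux", 80, "http"), ("10.0.0.10", "Linux", 22, "ssh"),
    ("10.0.0.20", "Windows", 445, "smb"), ("10.0.0.20", "Windows", 23, "telnet"),
]
SAMPLE_EVENTS = [                # constructed IDS alerts with illustrative signature names
    {"signature": "IIS ISAPI overflow attempt", "dst": "10.0.0.10", "dst_port": 80,
     "target_service": "http", "target_os": "Windows"},
    {"signature": "SMB remote code execution attempt", "dst": "10.0.0.20", "dst_port": 445,
     "target_service": "smb", "target_os": "Windows"},
    {"signature": "SSH brute force", "dst": "10.0.0.99", "dst_port": 22,
     "target_service": "ssh", "target_os": None},
]


def run_sample():
    """Build the map from observations, then correlate; returns {subject: [actions]}."""
    nmap = NetworkMap()
    policy = PolicyComponent(nmap, INTRUSION_RULES, CHANGE_RULES)
    results = {}
    for addr, os_name, port, svc in SAMPLE_OBSERVATIONS:
        for change in nmap.observe(addr, os_name, port, svc):
            actions = [v["action"] for v in policy.on_change(change)]
            if actions:
                results[f"change:{addr}:{change.get('service', '-')}"] = actions
    for ev in SAMPLE_EVENTS:
        results[ev["signature"]] = [v["action"] for v in policy.on_intrusion(ev)]
    return results


if __name__ == "__main__":
    for subject, actions in run_sample().items():
        print(f"{subject:40s} -> {actions}")
```

Run as a script, the IIS alert against the Linux web server is deprioritised because the map says the exploit cannot apply, the SMB alert against the Windows host is escalated because service and OS both match, the SSH alert names an address the passive map has never seen and is routed for review, and the appearance of telnet on 10.0.0.20 is caught by the change rule without any intrusion event at all. The predicates are kept as plain callables so a rule can consult any map field; a real deployment would also have to decide how stale a map entry may be before the "cannot apply" rule is trusted to suppress an alert.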