SYSTEM AND METHOD FOR DETECTING REAL-TIME SECURITY THREATS IN A NETWORK DATACENTER

US 20110302652A1
Filed: 08/25/2010
Published: 12/08/2011
Est. Priority Date: 06/07/2010
Status: Abandoned Application

First Claim

Patent Images

1. A system for detecting real-time security threats in a network datacenter, comprising:

a configuration management database containing information describing every known service endpoint in an information technology datacenter, wherein the information in the configuration management database describing every known service endpoint represents a steady state for the information technology datacenter;

one or more listeners configured to observe traffic in the information technology datacenter in real-time, wherein the one or more listeners detect a network conversation initiating new activity in the information technology datacenter in real-time from the real-time traffic observed in the information technology datacenter; and

a correlation engine that analyzes the network conversation detected with the one or more listeners in real-time, wherein one or more processors cause the correlation engine to;

correlate the new activity initiated in the information technology datacenter with the information in the configuration management database representing the steady state for information technology datacenter, wherein the correlation engine correlates the new activity with the information in the configuration management database in real-time; and

generate a real-time security alert in response to determining that the new activity initiated in the information technology datacenter fails to correlate with any of the known service endpoints described in the configuration management database, wherein the real-time security alert indicates that the detected network conversation initiating the new activity falls out-of-scope from the steady state for the information technology datacenter.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method described herein may include a configuration management database that describes every known service endpoint in a network datacenter to represent a steady state for the datacenter. One or more listeners may then observe traffic in the datacenter in real-time to detect network conversations initiating new activity in the datacenter, which may be correlated, in real-time, with the information in the configuration management database representing the steady state for the datacenter. Thus, in response to the new activity failing to correlate with the known service endpoints, a real-time security alert may be generated to indicate that any network conversations initiating such activity fall out-of-scope from the steady state for the information technology datacenter.

122 Citations

20 Claims

1. A system for detecting real-time security threats in a network datacenter, comprising:
- a configuration management database containing information describing every known service endpoint in an information technology datacenter, wherein the information in the configuration management database describing every known service endpoint represents a steady state for the information technology datacenter;
  
  one or more listeners configured to observe traffic in the information technology datacenter in real-time, wherein the one or more listeners detect a network conversation initiating new activity in the information technology datacenter in real-time from the real-time traffic observed in the information technology datacenter; and
  
  a correlation engine that analyzes the network conversation detected with the one or more listeners in real-time, wherein one or more processors cause the correlation engine to;
  
  correlate the new activity initiated in the information technology datacenter with the information in the configuration management database representing the steady state for information technology datacenter, wherein the correlation engine correlates the new activity with the information in the configuration management database in real-time; and
  
  generate a real-time security alert in response to determining that the new activity initiated in the information technology datacenter fails to correlate with any of the known service endpoints described in the configuration management database, wherein the real-time security alert indicates that the detected network conversation initiating the new activity falls out-of-scope from the steady state for the information technology datacenter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the correlation engine determines that the new activity fails to correlate with the known service endpoints described in the configuration management database in response to determining that the new activity was initiated by a service that does not correlate with any of the known service endpoints.
  - 3. The system of claim 1, wherein the correlation engine determines that the new activity fails to correlate with the known service endpoints described in the configuration management database in response to correlating the new activity with one of the known service endpoints, and further in response to determining that the known service endpoint correlated with the new activity has not initiated any previous network conversations involving the new activity.
  - 4. The system of claim 1, wherein the one or more processors further cause the correlation engine to generate a report describing one or more flows in the network conversation that initiated the new activity in response to generating the real-time security alert.
  - 5. The system of claim 4, wherein the report identifies one or more of the known service endpoints potentially impacted by the out-of-scope network conversation.
  - 6. The system of claim 4, further comprising a security remediation event processor that receives the real-time security alert and the report describing the one or more flows in the network conversation from the correlation engine, wherein the security remediation event processor presents the report to one or more management entities in a workflow that coordinates remediation for the real-time security alert.
  - 7. The system of claim 6, wherein the one or more processors further cause the correlation engine to apply one or more heuristics or rules to the correlated network activity in real-time to determine whether the observed network conversation falls out-of-scope from the steady state for the information technology datacenter.
  - 8. The system of claim 7, wherein the security remediation event processor tunes the one or more heuristics or rules in response to the workflow successfully completing the remediation for the security alert.
  - 9. The system of claim 7, wherein the security remediation event processor updates the information in the configuration management database representing the steady state for the information technology datacenter in response to the workflow successfully completing the remediation for the security alert.
  - 10. The system of claim 1, wherein the one or more listeners include configurations to observe network conversations involving the known service endpoints, including the detected network conversation, in real-time.

11. A method for detecting real-time security threats in a network datacenter, comprising:
- populating a configuration management database with information describing every known service endpoint in an information technology datacenter, wherein the information in the configuration management database describing every known service endpoint represents a steady state for the information technology datacenter;
  
  observing traffic in the information technology datacenter in real-time with one or more listeners, wherein the one or more listeners detect a network conversation initiating new activity in the information technology datacenter in real-time from the real-time traffic observed in the information technology datacenter;
  
  correlating the new activity initiated in the information technology datacenter with the information in the configuration management database representing the steady state for the information technology datacenter, wherein a correlation engine correlates the new activity with the information in the configuration management database in real-time; and
  
  generating a real-time security alert in response to the correlation engine determining that the new activity initiated in the information technology datacenter fails to correlate with any of the known service endpoints described in the configuration management database, wherein the real-time security alert indicates that the detected network conversation initiating the new activity falls out-of-scope from the steady state for the information technology datacenter.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the correlation engine determines that the new activity fails to correlate with the known service endpoints described in the configuration management database in response to determining that the new activity was initiated by a service that does not correlate with any of the known service endpoints.
  - 13. The method of claim 11, wherein the correlation engine determines that the new activity fails to correlate with the known service endpoints described in the configuration management database in response to correlating the new activity with one of the known service endpoints, and further in response to determining that the known service endpoint correlated with the new activity has not initiated any previous network conversations involving the new activity.
  - 14. The method of claim 11, further comprising generating a report describing one or more flows in the network conversation that initiated the new activity in response to the correlation engine generating the real-time security alert.
  - 15. The method of claim 14, wherein the report identifies one or more of the known service endpoints potentially impacted by the out-of-scope network conversation.
  - 16. The method of claim 14, further comprising receiving the real-time security alert and the report describing the one or more flows in the network conversation at a security remediation event processor in communication with the correlation engine, wherein the security remediation event processor presents the report to one or more management entities in a workflow that coordinates remediation for the real-time security alert.
  - 17. The method of claim 16, further comprising applying one or more heuristics or rules to the correlated network activity in real-time to determine whether the observed network conversation falls out-of-scope from the steady state for the information technology datacenter.
  - 18. The method of claim 17, further comprising tuning the one or more heuristics or rules in response to the workflow successfully completing the remediation for the real-time security alert.
  - 19. The method of claim 17, further comprising updating the information in the configuration management database representing the steady state for the information technology datacenter in response to the workflow successfully completing the remediation for the real-time security alert.
  - 20. The method of claim 11, wherein the one or more listeners include configurations to observe network conversations involving the known service endpoints, including the detected network conversation, in real-time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Westerfeld, Kurt Andrew

Application Number

US12/868,475
Publication Number

US 20110302652A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 8/71 Version control security ar...

H04L 43/10 Active monitoring, e.g. hea...

SYSTEM AND METHOD FOR DETECTING REAL-TIME SECURITY THREATS IN A NETWORK DATACENTER

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETECTING REAL-TIME SECURITY THREATS IN A NETWORK DATACENTER

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links