Threat assessment orchestrator system and method

US 6,742,128 B1
Filed: 08/28/2002
Issued: 05/25/2004
Est. Priority Date: 08/28/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for assessing threats to a network utilizing a plurality of data sources, comprising:

collecting network data from a plurality of different network data sources;

aggregating the network data;

correlating the network data;

storing the aggregated and correlated network data;

assessing threats to a network utilizing the aggregated and correlated network data;

generating metadata utilizing the aggregated and correlated network data;

performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and

performing threat assessment predicting by;

generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling;

wherein a graphical user interface is included for;

displaying first network data collected from a first network data source utilizing a first window;

displaying second network data collected from a second network data source utilizing a second window; and

displaying third network data collected from a third network data source utilizing a third window;

where the first window, the second window, and the third window are utilized for assessing the threats to the network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided for assessing threats to a network utilizing a plurality of data sources. Initially, network data is collected from a plurality of different network data sources. Such data is then aggregated and correlated, after which it is stored. Threats to a network are then assessed utilizing the aggregated and correlated network data.

299 Citations

23 Claims

1. A method for assessing threats to a network utilizing a plurality of data sources, comprising:
- collecting network data from a plurality of different network data sources;
  
  aggregating the network data;
  
  correlating the network data;
  
  storing the aggregated and correlated network data;
  
  assessing threats to a network utilizing the aggregated and correlated network data;
  
  generating metadata utilizing the aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling;
  
  wherein a graphical user interface is included for;
  
  displaying first network data collected from a first network data source utilizing a first window;
  
  displaying second network data collected from a second network data source utilizing a second window; and
  
  displaying third network data collected from a third network data source utilizing a third window;
  
  where the first window, the second window, and the third window are utilized for assessing the threats to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, wherein the network data includes network performance data collected utilizing a network analyzer.
  - 3. The method as recited in claim 2, wherein the network performance data is selected from the group consisting of network utilization data, application response time data, and error rate data.
  - 4. The method as recited in claim 2, wherein the network performance data includes network utilization data, application response time data, and error rate data.
  - 5. The method as recited in claim 1, wherein the network data includes virus activity data collected utilizing an antivirus program.
  - 6. The method as recited in claim 1, wherein the network data includes network intrusion data collected utilizing a security program.
  - 7. The method as recited in claim 6, wherein the security program includes a plurality of agents and an event collector.

8. The method as recited in claim 1, wherein the network data includes network component data collected from a plurality of components of the network.

9. The method as recited in claim 1, wherein the network data includes threshold-based network data collected utilizing a baseline monitoring application.

10. The method as recited in claim 1, and further comprising identifying a plurality of rules.

11. The method as recited in claim 10, wherein the assessing is carried out based on the rules.

12. A computer program product for assessing threats to a network utilizing a plurality of data sources, comprising:
- computer code for collecting network data from a plurality of different network data sources;
  
  computer code for aggregating the network data;
  
  computer code for correlating the network data;
  
  computer code for storing the aggregated and correlated network data;
  
  computer code for assessing threats to a network utilizing the aggregated and correlated network data;
  
  computer code for generating metadata utilizing the aggregated and correlated network data;
  
  computer code for performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  computer code for performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling;
  
  wherein a graphical user interface is included for;
  
  displaying first network data collected from a first network data source utilizing a first window;
  
  displaying second network data collected from a second network data source utilizing a second window; and
  
  displaying third network data collected from a third network data source utilizing a third window;
  
  where the first window, the second window, and the third window are utilized for assessing the threats to the network.

13. A system for assessing threats to a network utilizing a plurality of data sources, comprising:
- a plurality of different network data sources for providing different types of network data;
  
  logic coupled to the network data sources for aggregating and correlating the network data;
  
  a database coupled to the logic for storing the aggregated and correlated network data; and
  
  a threat assessment orchestrator module coupled to the database for assessing threats to a network utilizing the aggregated and correlated network data by;
  
  generating metadata utilizing the aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling;
  
  wherein a graphical user interface is included for;
  
  displaying first network data collected from a first network data source utilizing a first window;
  
  displaying second network data collected from a second network data source utilizing a second window; and
  
  displaying third network data collected from a third network data source utilizing a third window;
  
  where the first window, the second window, and the third window are utilized for assessing the threats to the network.

14. A method for assessing threats to a network utilizing a plurality of data sources, comprising:
- collecting network data from a plurality of different network data sources including a network analyzer, an antivirus program, and an intrusion program;
  
  storing the network data;
  
  assessing threats to a network utilizing the network data from each of the different network data sources;
  
  generating metadata utilizing aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling.

15. A system for assessing threats to a network utilizing a plurality of data sources, comprising:
- means for collecting network data from a plurality of different network data sources including a network analyzer, an antivirus program, and an intrusion program;
  
  means for storing the network data;
  
  means for assessing threats to a network utilizing the network data from each of the different network data sources;
  
  means for generating metadata utilizing aggregated and correlated network data;
  
  means for performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  means for performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling.

16. A database system for assessing threats to a network utilizing a plurality of data sources, comprising:
- a database for collecting network data from each of a plurality of different network data sources including a network analyzer, an antivirus program, and a security program;
  
  wherein threats to a network are assessed utilizing the network data in the database by;
  
  generating metadata utilizing aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling.

17. A method for displaying threats to a network, comprising:
- collecting network data;
  
  comparing the network data against a plurality of profiles;
  
  graphically displaying differing degrees of correlation between the network data and the profiles;
  
  generating metadata utilizing aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling.

18. A graphical user interface for displaying threats to a network, comprising:
- a graph for graphically displaying differing degrees of correlation between network data and a plurality of profiles;
  
  wherein threats to a network are assessed by;
  
  generating metadata utilizing aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling.

19. A method for displaying threats to a network, comprising:
- displaying first network data collected from a first network data source utilizing a first window;
  
  displaying second network data collected from a second network data source utilizing a second window; and
  
  displaying third network data collected from a third network data source utilizing a third window;
  
  wherein the first window, the second window, and the third window are utilized for assessing threats to a network;
  
  wherein the network data sources are selected from the group consisting of a network analyzer, an antivirus program, and a security program;
  
  wherein threats to a network are assessed utilizing the network data in the database by;
  
  generating metadata utilizing aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling.

20. A system for displaying threats to a network, comprising:
- a first window for displaying first network data collected from a first network data source;
  
  a second window for displaying second network data collected from a second network data source; and
  
  a third window for displaying third network data collected from a third network data source;
  
  wherein the first window, the second window, and the third window are utilized for assessing threats to a network;
  
  wherein the network data sources are selected from the group consisting of a network analyzer, an antivirus program, and a security program;
  
  wherein the threats to the network are assessed utilizing the network data in the database by;
  
  generating metadata utilizing, aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling.

21. A method for assessing threats to a network, comprising:
- identifying profiles indicating a sequence of actions over time associated with threats, wherein the profiles are generated upon successfully comparing predetermined predictor indicators with network data during a prediction process;
  
  comparing network data against the profiles;
  
  assessing threats to a network based on the comparison;
  
  wherein the threats to the network are assessed utilizing the network data in the database by;
  
  generating metadata utilizing aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data and results of monitoring the network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling.

22. A method for assessing threats to a network utilizing a plurality of data sources, comprising:
- (a) collecting first network data utilizing a first network data source including a network analyzer, the first network data including network performance data selected from the group consisting of network utilization data, application response time data, and error rate data;
  
  (b) storing the first network data in a first database;
  
  (c) collecting second network data utilizing a second network data source including an antivirus program, the second network data including virus activity data;
  
  (d) storing the second network data in a second database;
  
  (e) collecting third network data utilizing a third network data source including a security program including a plurality of agents and an event collector, the third network data including network intrusion data;
  
  (f) storing the third network data in a third database;
  
  (g) collecting fourth network data utilizing a fourth network data source, the fourth network data including network component data associated with a plurality of components of the network;
  
  (h) storing the fourth network data in a fourth database;
  
  (i) aggregating and correlating the first network data, the second network data, the third network data, and the fourth network data;
  
  (j) storing the aggregated and correlated network data in a fifth database;
  
  (k) generating metadata utilizing the aggregated and correlated network data;
  
  (l) allowing direct access to the fifth database;
  
  (m) monitoring the network data based on adaptive thresholds utilizing a baseline monitoring application;
  
  (n) identifying a plurality of rules;
  
  (o) performing threat assessment profiling utilizing the aggregated and correlated network data and results of the monitoring based on the rules including;
  
  (i) comparing predetermined profiles with the aggregated and correlated network data and the results, and (ii) generating an alert upon successfully comparing the predetermined profiles with the aggregated and correlated network data and the results;
  
  (p) performing threat assessment predicting utilizing the aggregated and correlated network data and the results of the monitoring based on the rules including;
  
  (i) comparing predetermined indicators with the aggregated and correlated network data and the results, (ii) generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, and (iii) generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data and the results, the profile adapted for being used during the threat assessment profiling; and
  
  (q) generating alerts based on the threat assessment profiling and the threat assessment predicting.

23. A method for assessing threats to a network utilizing a plurality of data sources, comprising:
- collecting network data from a plurality of different network data sources;
  
  aggregating the network data;
  
  correlating the network data;
  
  storing the aggregated and correlated network data;
  
  generating metadata utilizing the aggregated and correlated network data;
  
  assessing threats to a network utilizing the aggregated and correlated network data;
  
  performing threat assessment profiling by generating an alert upon successfully comparing predetermined profiles with the aggregated and correlated network data; and
  
  performing threat assessment predicting by;
  
  generating an alert upon successfully comparing the predetermined indicators with the aggregated and correlated network data, and generating a profile upon successfully comparing the predetermined indicators with the aggregated and correlated network data, the profile adapted for being used during the threat assessment profiling.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Network Associates, Inc.
Inventors
Joiner, Herbert V.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
SONG, HOSUK

Application Number

US10/230,805
Time in Patent Office

636 Days
Field of Search

713/200, 713/201, 370/242, 370/245, 370/395.5, 370/395.51, 345/736, 345/473, 709/223, 709/224, 709/225, 709/229, 707/9-10, 707/100
US Class Current

726/25
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Threat assessment orchestrator system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

299 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Threat assessment orchestrator system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

299 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links