Threat detection in a network security system
First Claim
1. A method performed by a manager module of a network security system being used to monitor a network, the manager module collecting information from a plurality of distributed software agents that monitor network devices, the method comprising:
- receiving a security event from a software agent, the security event including at least a target address and an event signature generated by the software agent;
- determining a set of one or more vulnerabilities exploited by the received security event using the event signature;
- identifying a target asset within the network having the target address;
- accessing a model of the target asset to retrieve a set of one or more vulnerabilities exposed by the target asset; and
- detecting a threat by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
Abstract
A network security system is provided that receives information from various sensors and can analyse the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
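The abstract describes a correlation step that a manager module can implement as a set comparison: map the agent's event signature to the vulnerabilities it exploits, look up the target asset by address, pull the vulnerabilities that asset's model says it exposes, and report a threat only when the two sets intersect. The following is an added example written for this page, not code from the patent or from any product based on it; the signature names, vulnerability identifiers, addresses and asset inventory are all constructed placeholders, and the function and type names are this example's own.

```python
"""Signature-to-asset vulnerability correlation, as an added illustration of the
method in the abstract. All data below is constructed; vulnerability ids are
placeholders rather than real CVE or advisory identifiers."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityEvent:
    """Event as reported by an agent: at least a target address and a signature."""
    target_address: str
    signature: str
    source_address: str = "0.0.0.0"  # optional; not needed for the correlation


@dataclass(frozen=True)
class AssetModel:
    """One entry of the asset model database: the asset and what it exposes."""
    address: str
    hostname: str
    exposed: FrozenSet[str]


@dataclass(frozen=True)
class ThreatVerdict:
    is_threat: bool
    matched: FrozenSet[str]  # vulnerabilities both exploited by the event and exposed by the asset
    reason: str


# Constructed map: event signature -> vulnerabilities that signature exploits.
SIGNATURE_VULNS: Dict[str, FrozenSet[str]] = {
    "WEB-CGI formmail access": frozenset({"VULN-FORMMAIL-001"}),
    "SMB remote code execution attempt": frozenset({"VULN-SMB-RCE-001", "VULN-SMB-RCE-002"}),
    "ICMP ping sweep": frozenset(),  # reconnaissance only; exploits nothing
}

# Constructed asset model database keyed by target address.
ASSET_DB: Dict[str, AssetModel] = {
    "10.0.0.5": AssetModel("10.0.0.5", "www-legacy", frozenset({"VULN-FORMMAIL-001"})),
    "10.0.0.9": AssetModel("10.0.0.9", "fileserver", frozenset({"VULN-SMB-RCE-002"})),
    "10.0.0.12": AssetModel("10.0.0.12", "www-patched", frozenset()),
}


def vulnerabilities_exploited(signature: str,
                              signature_map: Dict[str, FrozenSet[str]] = SIGNATURE_VULNS) -> FrozenSet[str]:
    """Step 2: resolve the agent's signature to the set of exploited vulnerabilities."""
    return signature_map.get(signature, frozenset())


def identify_target_asset(address: str,
                          asset_db: Dict[str, AssetModel] = ASSET_DB) -> Optional[AssetModel]:
    """Step 3: find the asset in the model that owns the target address, if any."""
    return asset_db.get(address)


def detect_threat(event: SecurityEvent,
                  asset_db: Dict[str, AssetModel] = ASSET_DB,
                  signature_map: Dict[str, FrozenSet[str]] = SIGNATURE_VULNS) -> ThreatVerdict:
    """Steps 2-5: exploited set vs. exposed set; a non-empty intersection is a threat."""
    exploited = vulnerabilities_exploited(event.signature, signature_map)
    if not exploited:
        return ThreatVerdict(False, frozenset(), "signature maps to no known vulnerability")
    asset = identify_target_asset(event.target_address, asset_db)
    if asset is None:
        # No model to compare against. This example reports it as unassessed rather
        # than as a threat; a deployment may choose to alert on unmodelled targets.
        return ThreatVerdict(False, frozenset(), "target address not in asset model")
    matched = exploited & asset.exposed
    if matched:
        return ThreatVerdict(True, matched, f"{asset.hostname} exposes {sorted(matched)}")
    return ThreatVerdict(False, frozenset(),
                         f"{asset.hostname} exposes none of the exploited vulnerabilities")


def triage(events: List[SecurityEvent]) -> List[Tuple[SecurityEvent, ThreatVerdict]]:
    """Run the correlation over a batch of agent events (constructed sample below)."""
    return [(e, detect_threat(e)) for e in events]


if __name__ == "__main__":
    sample = [
        SecurityEvent("10.0.0.5", "WEB-CGI formmail access", "198.51.100.7"),   # real threat
        SecurityEvent("10.0.0.12", "WEB-CGI formmail access", "198.51.100.7"),  # same attack, patched host
        SecurityEvent("10.0.0.9", "SMB remote code execution attempt", "198.51.100.8"),
        SecurityEvent("10.0.0.99", "SMB remote code execution attempt", "198.51.100.8"),
        SecurityEvent("10.0.0.9", "ICMP ping sweep", "198.51.100.9"),
    ]
    for event, verdict in triage(sample):
        flag = "THREAT  " if verdict.is_threat else "no-alert"
        print(f"{flag} {event.target_address:<10} {event.signature:<36} {verdict.reason}")
```

The value of the comparison shows in the second sample event: the same signature against the patched host produces no alert, so the operator sees only events that can actually succeed against the targeted asset. The quality of the verdict depends entirely on the freshness of the asset model and of the signature-to-vulnerability map; a stale model suppresses real threats, so those two inputs deserve the same change control as the detection rules themselves.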
21 Claims
1. A method performed by a manager module of a network security system being used to monitor a network, the manager module collecting information from a plurality of distributed software agents that monitor network devices, the method comprising:
- receiving a security event from a software agent, the security event including at least a target address and an event signature generated by the software agent;
- determining a set of one or more vulnerabilities exploited by the received security event using the event signature;
- identifying a target asset within the network having the target address;
- accessing a model of the target asset to retrieve a set of one or more vulnerabilities exposed by the target asset; and
- detecting a threat by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A manager module configured to collect information from a plurality of distributed software agents that monitor network devices, the manager module comprising:
- an input collector to receive a security event from a software agent, the security event including at least a target address and an event signature generated by the software agent;
- a vulnerability mapper coupled to the input collector to determine a set of one or more vulnerabilities exploited by the received security event using the event signature;
- an asset model retriever coupled to the input collector to identify a target asset within the network having the target address, and to retrieve a set of one or more vulnerabilities exposed by the target asset from an asset model database; and
- a threat detector coupled to the asset model retriever and the vulnerability mapper to detect a threat by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
(Dependent claims: 9, 10, 11, 12, 13, 14)

15. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a security event, the security event including at least a target address and an event signature;
- determining a set of one or more vulnerabilities exploited by the received security event using the event signature;
- identifying a target asset within a network having the target address;
- accessing a model of the target asset to retrieve a set of one or more vulnerabilities exposed by the target asset; and
- detecting a threat by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
(Dependent claims: 16, 17, 18, 19, 20, 21)
Specification