Threat detection in a network security system

US 7,260,844 B1
Filed: 09/03/2003
Issued: 08/21/2007
Est. Priority Date: 09/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method performed by a manager module of a network security system being used to monitor a network, the manager module collecting information from a plurality of distributed software agents that monitor network devices, the method comprising:

receiving a security event from a software agent, the security event including at least a target address and an event signature generated by the software agent;

determining a set of one or more vulnerabilities exploited by the received security event using the event signature;

identifying a target asset within the network having the target address;

accessing a model of the target asset to retrieve a set of one or more vulnerabilities exposed by the target asset; and

detecting a threat by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system is provided that receives information from various sensors and can analyse the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.

193 Citations

21 Claims

1. A method performed by a manager module of a network security system being used to monitor a network, the manager module collecting information from a plurality of distributed software agents that monitor network devices, the method comprising:
- receiving a security event from a software agent, the security event including at least a target address and an event signature generated by the software agent;
  
  determining a set of one or more vulnerabilities exploited by the received security event using the event signature;
  
  identifying a target asset within the network having the target address;
  
  accessing a model of the target asset to retrieve a set of one or more vulnerabilities exposed by the target asset; and
  
  detecting a threat by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising prioritizing the detected threat.
  - 3. The method of claim 2, wherein prioritizing the detected threat comprises evaluating the reliability of the model of the target asset.
  - 4. The method of claim 2, wherein prioritizing the detected threat comprises evaluating the relevance of the security event based on the operation of the target asset.
  - 5. The method of claim 2, wherein prioritizing the detected threat comprises evaluating the danger inherent in the security event.
  - 6. The method of claim 2, wherein prioritizing the detected threat comprises evaluating the importance of the target asset.
  - 7. The method of claim 1, wherein determining the set of one or more vulnerabilities exploited by the received security event comprises mapping each exploited vulnerability to related vulnerabilities according to other vulnerability organizational schemes.

8. A manager module configured to collecting information from a plurality of distributed software agents that monitor network devices, the manager module comprising:
- an input collector to receive a security event from a software agent, the security event including at least a target address and an event signature generated by the software agent;
  
  a vulnerability mapper coupled to the input collector to determine a set of one or more vulnerabilities exploited by the received security event using the event signature;
  
  a asset model retriever coupled to the input collector to identify a target asset within the network having the target address, and to retrieve a set of one or more vulnerabilities exposed by the target asset from an asset model database; and
  
  a threat detector coupled to the asset model retriever and the vulnerability mapper to detect a threat by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The manager module of claim 8, further comprising a threat prioritizer to prioritize the detected threat.
  - 10. The manager module of claim 9, wherein the threat prioritizer prioritizes the detected threat by evaluating the reliability of the model of the target asset.
  - 11. The manager module of claim 9, wherein the threat prioritizer prioritizes the detected threat by evaluating the relevance of the security event based on the operation of the target asset.
  - 12. The manager module of claim 9, wherein the threat prioritizer prioritizes the detected threat by evaluating the danger inherent in the security event.
  - 13. The manager module of claim 9, wherein the threat prioritizer prioritizes the detected threat by evaluating the importance of the target asset.
  - 14. The manager module of claim 8, wherein the vulnerability mapper determines the set of one or more vulnerabilities exploited by the received security event by mapping each vulnerability to related vulnerabilities according to other vulnerability organizational schemes.

15. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a security event, the security event including at least a target address and an event signature;
  
  determining a set of one or more vulnerabilities exploited by the received security event using the event signature;
  
  identifying a target asset within a network having the target address;
  
  accessing a model of the target asset to retrieve a set of one or more vulnerabilities exposed by the target asset; and
  
  detecting a threat by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The machine-readable medium of claim 15, wherein the instructions further cause the processor to perform operation comprising prioritizing the detected threat.
  - 17. The machine-readable medium of claim 16, wherein prioritizing the detected threat comprises evaluating the reliability of the model of the target asset.
  - 18. The machine-readable medium of claim 16, wherein prioritizing the detected threat comprises evaluating the relevance of the security event based on the operation of the target asset within the network.
  - 19. The machine-readable medium of claim 16, wherein prioritizing the detected threat comprises evaluating the danger inherent in the security event.
  - 20. The machine-readable medium of claim 16, wherein prioritizing the detected threat comprises evaluating the importance of the target asset.
  - 21. The machine-readable medium of claim 15, wherein determining the set of one or more vulnerabilities exploited by the received security event comprises mapping each exploited vulnerability to related vulnerabilities according to other vulnerability organizational schemes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Dash, Debabrata, Njemanze, Hugh S., Kothari, Pravin S., Tidwell, Kenny, Saurabh, Kumar
Primary Examiner(s)
Song; Hosuk

Application Number

US10/655,062
Time in Patent Office

1,448 Days
Field of Search

726 22- 26, 709223-225, 713/188
US Class Current

726/22
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Threat detection in a network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

193 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Threat detection in a network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

193 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others