Real time monitoring and analysis of events from multiple network security devices
Abstract
Security events generated by a number of network devices are gathered and normalized to produce normalized security events in a common schema. The normalized security events are cross-correlated according to rules to generate meta-events. The security events may be gathered remotely from a system at which the cross-correlating is performed. Any meta-events that are generated may be reported by generating alerts for display at one or more computer consoles, or by sending an e-mail message, a pager message, a telephone message, and/or a facsimile message to an operator or other individual. In addition to reporting the meta-events, the present system allows for taking other actions specified by the rules, for example executing scripts or other programs to reconfigure one or more of the network devices, and or to modify or update access lists, etc.
27 Claims
1. A method for monitoring security of a computer network, the computer network comprising network devices, the method comprising:
gathering security events generated by the network devices, wherein a security event generated by a network device comprises information about operation of the network device and is in a format used by the network device;
modifying the security events to normalize the security events to a common schema, wherein the common schema includes a category that represents an event name;
aggregating two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated; and
cross-correlating the normalized security events and the aggregated event according to rules to generate a meta-event, wherein the cross-correlating is performed remotely from the normalizing and the aggregating.
(Dependent claims 2 through 13.)

14. A system for monitoring security of a computer network, the computer network comprising network components, the system comprising:
a number of software agents, a software agent configured to receive security event information from one or more associated network components, wherein security event information received from a network component comprises information about operation of the network component and is in a format used by the network component, and further configured to modify the security event information to normalize the security event information to a common schema, wherein the common schema includes a category that represents an event name, and further configured to aggregate two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated; and
a server-based manager configured to receive normalized security event information reports and aggregated security event information reports from the agents and further configured to cross-correlate security event information reports from different ones of the agents according to one or more rules to produce a meta-event.
(Dependent claims 15 through 20.)

21. A computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to monitor security of a computer network, the computer network comprising network devices, by cross-correlating security events according to rules to generate a meta-event, a security event having been collected from a network device and modified to normalize the security event to a common schema, wherein the common schema includes a category that represents an event name, and aggregated into an aggregated event, wherein the aggregated event includes a number greater than 1 that represents how many normalized security events were aggregated, the security event comprising information about operation of the network device and being in a format used by the network device.

25. A computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to collect security event information from an associated network device, wherein the security event information is in a format used by the associated network device, and to modify the security event information to normalize the security event information to a common schema, wherein the common schema includes a category that represents an event name, and to aggregate two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated.
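The agent/manager pipeline that the abstract and claims 1 and 14 describe (device-native events normalized to a common schema whose category is the event name, aggregated with a count, then cross-correlated by rules into a meta-event) is sketched below as an added illustration; it is not code from the patent or any product. The two device formats, the field names of the schema and the single correlation rule are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in two device-native formats (illustrative only).
RAW_EVENTS = [
    ("fw", "fw01 DENY TCP 10.0.0.5:40000 -> 10.0.1.8:22"),
    ("fw", "fw01 DENY TCP 10.0.0.5:40001 -> 10.0.1.8:23"),
    ("fw", "fw01 DENY TCP 10.0.0.5:40002 -> 10.0.1.8:80"),
    ("fw", "fw01 ALLOW TCP 10.0.0.9:50000 -> 10.0.1.8:443"),
    ("ids", "sensor=ids01 sig=PORT_SCAN src=10.0.0.5 dst=10.0.1.8"),
]
FW_RE = re.compile(r"(\S+) (DENY|ALLOW) \S+ (\S+):\d+ -> (\S+):\d+")

def normalize(device, raw):
    """Agent step: map a device-native record onto the common schema.
    The 'category' field carries the event name the claims refer to."""
    if device == "fw":
        host, action, src, dst = FW_RE.match(raw).groups()
        return {"device": host, "category": "Firewall " + action.title(), "src": src, "dst": dst, "count": 1}
    if device == "ids":
        kv = dict(pair.split("=", 1) for pair in raw.split())
        return {"device": kv["sensor"], "category": "IDS " + kv["sig"], "src": kv["src"], "dst": kv["dst"], "count": 1}
    raise ValueError("unknown device type: " + device)

def aggregate(events):
    """Agent step: collapse events sharing (category, src, dst) into one record
    whose 'count' states how many normalized events it stands for."""
    buckets = defaultdict(int)
    for e in events:
        buckets[(e["category"], e["src"], e["dst"])] += e["count"]
    return [{"category": c, "src": s, "dst": d, "count": n} for (c, s, d), n in buckets.items()]

def recon_rule(events):
    """One constructed correlation rule: repeated denies plus a scan signature
    from the same source, reported by different devices, yield a meta-event."""
    denies = {e["src"]: e["count"] for e in events if e["category"] == "Firewall Deny" and e["count"] >= 3}
    scans = {e["src"] for e in events if e["category"] == "IDS PORT_SCAN"}
    return [{"category": "Suspected reconnaissance", "src": s, "denied": denies[s]} for s in sorted(denies) if s in scans]

def correlate(events, rules):
    """Manager step (runs remotely from the agents): apply each rule across the
    normalized and aggregated reports received from all agents."""
    meta = []
    for rule in rules:
        meta.extend(rule(events))
    return meta

def run_pipeline(raw_events=RAW_EVENTS):
    normalized = [normalize(dev, raw) for dev, raw in raw_events]   # agent side
    return correlate(aggregate(normalized), [recon_rule])          # manager side

if __name__ == "__main__":
    print(run_pipeline())
```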
Specification