Real time monitoring and analysis of events from multiple network security devices

US 7,376,969 B1
Filed: 12/02/2002
Issued: 05/20/2008
Est. Priority Date: 12/02/2002
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring security of a computer network, the computer network comprising network devices, the method comprising:

gathering security events generated by the network devices, wherein a security event generated by a network device comprises information about operation of the network device and is in a format used by the network device;

modifying the security events to normalize the security events to a common schema, wherein the common schema includes a category that represents an event name;

aggregating two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated; and

cross-correlating the normalized security events and the aggregated event according to rules to generate a meta-event, wherein the cross-correlating is performed remotely from the normalizing and the aggregating.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security events generated by a number of network devices are gathered and normalized to produce normalized security events in a common schema. The normalized security events are cross-correlated according to rules to generate meta-events. The security events may be gathered remotely from a system at which the cross-correlating is performed. Any meta-events that are generated may be reported by generating alerts for display at one or more computer consoles, or by sending an e-mail message, a pager message, a telephone message, and/or a facsimile message to an operator or other individual. In addition to reporting the meta-events, the present system allows for taking other actions specified by the rules, for example executing scripts or other programs to reconfigure one or more of the network devices, and or to modify or update access lists, etc.

591 Citations

27 Claims

1. A method for monitoring security of a computer network, the computer network comprising network devices, the method comprising:
- gathering security events generated by the network devices, wherein a security event generated by a network device comprises information about operation of the network device and is in a format used by the network device;
  
  modifying the security events to normalize the security events to a common schema, wherein the common schema includes a category that represents an event name;
  
  aggregating two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated; and
  
  cross-correlating the normalized security events and the aggregated event according to rules to generate a meta-event, wherein the cross-correlating is performed remotely from the normalizing and the aggregating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the gathering of the security events is performed remotely from the cross-correlating of the normalized security events and the aggregated event with the rules.
  - 3. The method of claim 1, further comprising reporting the meta-event.
  - 4. The method of claim 3, wherein reporting comprises generating an alert for display at one or more consoles.
  - 5. The method of claim 1, further comprising taking an action specified by the rules to notify a selected individual of the meta-event.
  - 6. The method of claim 5, wherein notification is made through one or more of an e-mail message, a pager message, a telephone message, a facsimile message, and an alert displayed graphically at one or more computer systems.
  - 7. The method of claim 1, wherein the security events are gathered from one or more of routers, e-mail logs;
    - anti-virus products, firewalls, network intrusion detection systems, access control servers, virtual private network systems, operating system logs, databases, software applications and network device event logs.
  - 8. The method of claim 1, wherein normalizing the security events comprises parsing data reported by the network devices to extract event field values therefrom and populating corresponding fields in the common schema with the extracted event field values.
  - 9. The method of claim 1, further comprising filtering the security events prior to normalizing the security events to remove unwanted security events.
  - 10. The method of claim 1, wherein the normalized security events and the aggregated event are transmitted across a network prior to being cross-correlated with the rules.
  - 11. The method of claim 1, wherein the normalized security events and the aggregated event are stored in a database.
  - 12. The method of claim 11, wherein the normalized security events and the aggregated event are stored in the database after being cross-correlated with the rules.
  - 13. The method of claim 11, wherein the meta-event is stored in the database.

14. A system for monitoring security of a computer network, the computer network comprising network components, the system comprising:
- a number of software agents, a software agent configured to receive security event information from one or more associated network components, wherein security event information received from a network component comprises information about operation of the network component and is in a format used by the network component, and further configured to modify the security event information to normalize the security event information to a common schema, wherein the common schema includes a category that represents an event name, and further configured to aggregate two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated; and
  
  a server-based manager configured to receive normalized security event information reports and aggregated security event information reports from the agents and further configured to cross-correlate security event information reports from different ones of the agents according to one or more rules to produce a meta-event.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the manager is further configured to store the security event information reports from the agents in a database.
  - 16. The system of claim 15, wherein the manager is further configured to store the meta-event in the database.
  - 17. The system of claim 14, further comprising one or more consoles communicatively coupled to receive notification of the meta-event from the manager.
  - 18. The system of claim 17, wherein the rules are written at one or more of the consoles and provided to the manager.
  - 19. The system of claim 14, wherein the manager includes a knowledge base comprising information regarding the meta-event.
  - 20. The system of claim 14, wherein the network components are heterogeneous.

21. A computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to monitor security of a computer network, the computer network comprising network devices, by cross-correlating security events according to rules to generate a meta-event, a security event having been collected from a network device and modified to normalize the security event to a common schema, wherein the common schema includes a category that represents an event name, and aggregated into an aggregated event, wherein the aggregated event includes a number greater than 1 that represents how many normalized security events were aggregated, the security event comprising information about operation of the network device and being in a format used by the network device.
- View Dependent Claims (22, 23, 24)
- - 22. The computer readable medium of claim 21, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to report the meta-event.
  - 23. The computer readable medium of claim 22, wherein the meta-event is reported in one or more of the following ways:
    - as an e-mail message, a pager message, a telephone message, a facsimile message, and an alert displayed graphically at one or more computer workstations.
  - 24. The computer readable medium of claim 22 wherein the security events are collected from one or more of the following:
    - routers, e-mail logs, anti-virus products, firewalls, network intrusion detection systems, access control servers, virtual private network systems, and network device event logs.

25. A computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to collect security event information from an associated network device, wherein the security event information is in a format used by the associated network device, and to modify the security event information to normalize the security event information to a common schema, wherein the common schema includes a category that represents an event name, and to aggregate two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated.
- View Dependent Claims (26, 27)
- - 26. The computer readable medium of claim 25, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to filter the security event information prior to normalizing the security event information.
  - 27. The computer readable medium of claim 25, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to transmit normalized security event information and aggregated security event information to a remote computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Njemanze, Hugh S., Kothari, Pravin S.
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US10/308,415
Time in Patent Office

1,996 Days
Field of Search

726/1, 726/22, 726/23
US Class Current

726/22
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1425 Traffic logging, e.g. anoma...

Real time monitoring and analysis of events from multiple network security devices

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

591 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Real time monitoring and analysis of events from multiple network security devices

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

591 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links