Method and system for communicating data to and from network security devices

US 7,484,097 B2
Filed: 03/24/2003
Issued: 01/27/2009
Est. Priority Date: 04/04/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

an operations center establishing authentication information associated with a first computer network security device, wherein said first computer network security device is located within a first computer network and is configured to generate security log data for said first computer network;

said operations center receiving said security log data in data transmission from said first computer network security device, wherein said operations center is configured to monitor security of a plurality of computer networks, wherein said receiving said security log data comprises receiving a signature generated by said first computer network security device;

said operations center authenticating said data transmission using said authentication information, wherein said authenticating comprises determining whether a timestamp associated with said received signature has expired; and

said operations center analyzing said security log data to monitor security of said first computer network, wherein said analyzing comprises;

automatically performing one or more queries on the security log data to identify a plurality of sub-events indicative of malicious activity in said first computer network;

storing data representing the plurality of sub-events; and

automatically correlating two or more of the sub-events in order to identify one or more patterns indicative of malicious activity in said first computer network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for transmitting data from a computer network security device for monitoring at least one computer network node to an operations center for monitoring at least the computer network security device and to the computer network security device from the operations center in a managed computer network security system including at least the computer network security device and operations center, including establishing security information associated with the at least one computer network security device. The established security information is used to authenticate data transmissions from the computer network security device to the operations center. The established security information is used to authenticate data transmission to the computer network security device from the operations center.

55 Citations

View as Search Results

25 Claims

1. A method comprising:
- an operations center establishing authentication information associated with a first computer network security device, wherein said first computer network security device is located within a first computer network and is configured to generate security log data for said first computer network;
  
  said operations center receiving said security log data in data transmission from said first computer network security device, wherein said operations center is configured to monitor security of a plurality of computer networks, wherein said receiving said security log data comprises receiving a signature generated by said first computer network security device;
  
  said operations center authenticating said data transmission using said authentication information, wherein said authenticating comprises determining whether a timestamp associated with said received signature has expired; and
  
  said operations center analyzing said security log data to monitor security of said first computer network, wherein said analyzing comprises;
  
  automatically performing one or more queries on the security log data to identify a plurality of sub-events indicative of malicious activity in said first computer network;
  
  storing data representing the plurality of sub-events; and
  
  automatically correlating two or more of the sub-events in order to identify one or more patterns indicative of malicious activity in said first computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein said authentication information comprises an authentication key.
  - 3. The method of claim 1, wherein said authentication information comprises a public key of a public/private key pairing.
  - 4. The method of claim 1, wherein said establishing comprises generating a seed value.
  - 5. The method of claim 1, wherein said establishing comprises generating a pair of authentication keys.
  - 6. The method of claim 1, wherein establishing said authentication information comprises said operations center receiving and storing said authentication information prior to receiving said security log data.
  - 7. The method of claim 1, wherein said security log data received by said operations center is signed with a private key, wherein said authenticating said data transmission using said authentication information comprises authenticating said security log data using a public key corresponding to said private key.
  - 8. The method of claim 1, wherein said receiving said security log data comprises receiving a timestamp associated with said security log data, wherein authenticating said data transmission comprises determining whether said timestamp associated with said security log data has expired.
  - 9. The method of claim 1, wherein said authentication information comprises a key, wherein the method further comprises querying a database using said key.
  - 10. The method of claim 9, further comprising overwriting at least a portion of data in said database if said querying returns data indicative of said first computer network security device.
  - 11. The method of claim 9, further comprising adding data to said database using said key.
  - 12. The method of claim 11, wherein said adding data uses a received identification of said first computer network security device.
  - 13. The method of claim 1, wherein said authenticating said data transmission using said authentication information comprises querying a database for said authentication information.
  - 14. The method of claim 13, wherein said authenticating said data transmission using said authentication information comprises validating a received signature using said authentication information.
  - 15. The method of claim 1, further comprising storing said security log data in a database.
  - 16. The method of claim 1, wherein said authenticating said data transmission said authentication information further comprises querying a database for said authentication information.
  - 17. The method of claim 1,wherein the security log data indicates source and destination ports for network connections, wherein automatically performing the one or more queries on the security log data to identify the plurality of sub-events comprises automatically performing one or more queries to analyze the source and destination ports.
  - 18. The method of claim 1,wherein the security log data indicates sequences of network connection information, wherein automatically performing the one or more queries on the security log data to identify the plurality of sub-events comprises automatically performing one or more queries to analyze the sequences of network connection information.
  - 19. The method of claim 1,wherein the security log data indicates network connection attempts, wherein automatically performing the one or more queries on the security log data to identify the plurality of sub-events comprises automatically performing one or more queries to detect excessive network connection attempts.
  - 20. The method of claim 1, further comprising:
    - storing event data representing the one or more patterns.
  - 21. The method of claim 1, wherein the plurality of sub-events is a first plurality of sub-events, wherein the method further comprises:
    - said operations center receiving additional security log data from a second computer network security device located within a second computer network;
      
      said operations center analyzing the additional security log data to identify a second plurality of sub-events indicative of malicious activity in the second computer network; and
      
      said operations center automatically correlating one or more of the first plurality of sub-events indicative of malicious activity in the first computer network with one or more of the second plurality of sub-events indicative of malicious activity in the second computer network.
  - 22. The method of claim 1, wherein the plurality of sub-events is a first plurality of sub-events, wherein the method further comprises:
    - said operations center receiving additional security log data from a second computer network security device located within the first computer network;
      
      said operations center analyzing the additional security log data to identify a second plurality of sub-events indicative of malicious activity in the first computer network; and
      
      said operations center automatically correlating one or more of the first plurality of sub-events indicative of malicious activity in the first computer network with one or more of the second plurality of sub-events indicative of malicious activity in the first computer network.
  - 23. The method of claim 1, further comprising:
    - prior to analyzing the security log data, said operations center normalizing the security log data into a normalized format.

24. One or more computer-readable storage media storing program instructions that are computer executable to:
- store authentication information associated with a first computer network security device in a database in an operations center, wherein said first computer network security device is located within a first computer network and is configured generate security log data for said first computer network, and wherein said operations center is configured to monitor security of a plurality of computer networks;
  
  receive said security log data at the operations center in data transmission from said first computer network security device, including receiving a signature generated by said first computer network security device;
  
  authenticate said data transmission using said authentication information, including determining whether a timestamp associated with the received signature has expired; and
  
  analyze said security log data to monitor security of said first computer network, wherein said analyzing comprises;
  
  automatically performing one or more queries on the security log data to identify a plurality of sub-events indicative of malicious activity in said first computer network;
  
  storing data representing the plurality of sub-events; and
  
  automatically correlating one or more of the sub-events in order to identify one or more patterns indicative of malicious activity in said first computer network.

25. An operations center comprising:
- one or more processors;
  
  a memory storing program instructions that are executable by the one or more processors to;
  
  receive authentication information associated with a computer network security device, wherein said computer network security device is located within a first computer network and is configured to generate security log data for said first computer network, and wherein said operations center is configured to monitor security of a plurality of computer networks;
  
  receive said security log data in data transmission from said computer network security device, including receiving a signature generated by said computer network security device;
  
  authenticate said data transmission using said authentication information, including determining whether a timestamp associated with the received signature has expired; and
  
  analyze said security log data to monitor security of said first computer network, wherein said analyzing comprises;
  
  automatically performing one or more queries on the security log data to identify a plurality of sub-events indicative of malicious activity in said first computer network;
  
  storing data representing the plurality of sub-events; and
  
  automatically correlating one or more of the sub-events in order to identify one or more patterns indicative of malicious activity in said first computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Hirsh, Amir, Dejoras Mendoza, Kristine, Steiger, John Thomas, Schafrik, Robert Edward Jr.
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US10/395,803
Publication Number

US 20030217292A1
Time in Patent Office

2,136 Days
Field of Search

713/168, 713/176, 713/178, 726/2, 726/15, 726/18, 726/22, 726/26, 726/1, 709/223, 709/229
US Class Current

713/176
CPC Class Codes

H04L 63/126   the source of the received ...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Method and system for communicating data to and from network security devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for communicating data to and from network security devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links