Threat detection in a network security system
First Claim
1. A computer-implemented method performed by a manager module for determining whether a security event represents a threat to a network, the method comprising:
receiving the security event from an agent, the security event including an indication of a target asset;
determining a first set of one or more vulnerabilities exploited by the received security event;
determining a second set of one or more vulnerabilities exposed by the target asset; and
detecting a threat by determining a vulnerability common to the first set of vulnerabilities and the second set of vulnerabilities.
Abstract
A network security system is provided that receives information from various sensors and can analyze the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
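The abstract's detection step (signature to exploited vulnerabilities, target address to asset model to exposed vulnerabilities, then the intersection) as an added example in Python; this is not the patent's own code, and every signature id, address and vulnerability id is a constructed placeholder. It also handles the case the abstract leaves implicit: a target address the asset model does not know, which is reported as undecidable rather than as "no threat".

```python
"""Added example: intersection-based threat detection from the abstract.
Not the patent's code; all ids and addresses are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityEvent:
    """What an agent reports: the target address and the signature that fired."""
    target_address: str
    signature: str


@dataclass
class Manager:
    # event signature -> vulnerabilities that signature is known to exploit
    signature_vulns: dict[str, frozenset[str]]
    # asset address -> vulnerabilities the asset model says it exposes
    asset_model: dict[str, frozenset[str]]

    def exploited_by(self, event: SecurityEvent) -> frozenset[str]:
        # Unknown signature: nothing known to be exploited (empty set)
        return self.signature_vulns.get(event.signature, frozenset())

    def exposed_by(self, target_address: str) -> frozenset[str] | None:
        # None means "asset not in the model", distinct from "exposes nothing"
        return self.asset_model.get(target_address)

    def detect_threat(self, event: SecurityEvent) -> frozenset[str] | None:
        """Return the common vulnerabilities (a threat if non-empty),
        or None when the target asset is unmodelled and needs triage."""
        exposed = self.exposed_by(event.target_address)
        if exposed is None:
            return None
        return self.exploited_by(event) & exposed


# Constructed sample data: placeholder ids, not real signatures or CVEs
SAMPLE_MANAGER = Manager(
    signature_vulns={
        "SIG-SMB-OVERFLOW": frozenset({"VULN-SMB-1", "VULN-SMB-2"}),
        "SIG-HTTP-TRAVERSAL": frozenset({"VULN-WEB-7"}),
    },
    asset_model={
        "10.0.0.5": frozenset({"VULN-SMB-2", "VULN-SSH-3"}),
        "10.0.0.9": frozenset({"VULN-WEB-7"}),
        "10.0.0.12": frozenset(),
    },
)
```

An empty result means the event hit an asset that does not expose what the event exploits, which is exactly the noise the abstract's comparison is meant to filter out.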
29 Claims
1. A computer-implemented method performed by a manager module for determining whether a security event represents a threat to a network, the method comprising:
receiving the security event from an agent, the security event including an indication of a target asset;
determining a first set of one or more vulnerabilities exploited by the received security event;
determining a second set of one or more vulnerabilities exposed by the target asset; and
detecting a threat by determining a vulnerability common to the first set of vulnerabilities and the second set of vulnerabilities.
(Dependent claims: 2 to 15)
16. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor in a manager module, cause the processor to perform a method for determining whether a security event represents a threat to a network, the method comprising:
receiving the security event from an agent, the security event including an indication of a target asset;
determining a first set of one or more vulnerabilities exploited by the received security event;
determining a second set of one or more vulnerabilities exposed by the target asset; and
detecting a threat by determining a vulnerability common to the first set of vulnerabilities and the second set of vulnerabilities.
(Dependent claims: 18 to 23)
17. A system for determining whether a security event represents a threat to a network, the system comprising:
a machine-readable medium storing machine-readable instructions for performing a method, the method comprising:
receiving the security event from an agent, the security event including an indication of a target asset;
determining a first set of one or more vulnerabilities exploited by the received security event;
determining a second set of one or more vulnerabilities exposed by the target asset; and
detecting a threat by determining a vulnerability common to the first set of vulnerabilities and the second set of vulnerabilities; and
a processor configured to execute the machine-readable instructions stored by the machine-readable medium.
(Dependent claims: 24 to 29)