Threat detection in a network security system

US 7,861,299 B1
Filed: 08/09/2007
Issued: 12/28/2010
Est. Priority Date: 09/03/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method performed by a manager module for determining whether a security event represents a threat to a network, the method comprising:

receiving the security event from an agent, the security event including an indication of a target asset;

determining a first set of one or more vulnerabilities exploited by the received security event;

determining a second set of one or more vulnerabilities exposed by the target asset; and

detecting a threat by determining a vulnerability common to the first set of vulnerabilities and the second set of vulnerabilities.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system is provided that receives information from various sensors and can analyze the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.

Citations

29 Claims

1. A computer-implemented method performed by a manager module for determining whether a security event represents a threat to a network, the method comprising:
- receiving the security event from an agent, the security event including an indication of a target asset;
  
  determining a first set of one or more vulnerabilities exploited by the received security event;
  
  determining a second set of one or more vulnerabilities exposed by the target asset; and
  
  detecting a threat by determining a vulnerability common to the first set of vulnerabilities and the second set of vulnerabilities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - if no common vulnerability is shared by both the first set of vulnerabilities and the second set of vulnerabilities, determining that the security event does not represent the threat to the network.
  - 3. The method of claim 1, further comprising prioritizing the security event.
  - 4. The method of claim 3, wherein prioritizing the security event comprises determining a priority based on the security event.
  - 5. The method of claim 4, wherein determining the priority based on the security event comprises determining the priority based on an importance of the target asset.
  - 6. The method of claim 4, wherein determining the priority based on the security event comprises determining the priority based on a danger inherent in the security event.
  - 7. The method of claim 4, wherein determining the priority based on the security event comprises determining the priority based on a relevance of the security event.
  - 8. The method of claim 4, wherein determining the priority based on the security event comprises determining the priority based on a configuration of the target asset.
  - 9. The method of claim 1, wherein the indication of the target asset comprises an address associated with the target asset.
  - 10. The method of claim 9, wherein the address associated with the target asset comprises an Internet Protocol (IP) address.
  - 11. The method of claim 1, wherein the target asset comprises a network device.
  - 12. The method of claim 1, wherein determining the first set of vulnerabilities comprises determining the first set of vulnerabilities based on an event signature of the security event.
  - 13. The method of claim 1, wherein determining the first set of vulnerabilities comprises determining the first set of vulnerabilities based on a type of the security event.
  - 14. The method of claim 1, wherein determining the second set of vulnerabilities comprises determining the second set of vulnerabilities based on a model of the target asset.
  - 15. The method of claim 14, further comprising determining a priority based on a reliability of the model of the target asset.

16. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor in a manager module, cause the processor to perform a method for determining whether a security event represents a threat to a network, the method comprising:
- receiving the security event from an agent, the security event including an indication of a target asset;
  
  determining a first set of one or more vulnerabilities exploited by the received security event;
  
  determining a second set of one or more vulnerabilities exposed by the target asset; and
  
  detecting a threat by determining a vulnerability common to the first set of vulnerabilities and the second set of vulnerabilities.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The machine-readable medium of claim 16, wherein the method further comprises:
    - if no common vulnerability is shared by both the first set of vulnerabilities and the second set of vulnerabilities, determining that the security event does not represent the threat to the network.
  - 19. The machine-readable medium of claim 16, wherein the method further comprises determining a priority based on the security event.
  - 20. The machine-readable medium of claim 16, wherein the indication of the target asset comprises an address associated with the target asset.
  - 21. The machine-readable medium of claim 16, wherein determining the first set of vulnerabilities comprises determining the first set of vulnerabilities based on an event signature of the security event.
  - 22. The machine-readable medium of claim 16, wherein determining the first set of vulnerabilities comprises determining the first set of vulnerabilities based on a type of the security event.
  - 23. The machine-readable medium of claim 16, wherein determining the second set of vulnerabilities comprises determining the second set of vulnerabilities based on a model of the target asset.

17. A system for determining whether a security event represents a threat to a network, the system comprising:
- a machine-readable medium storing machine-readable instructions for performing a method, the method comprising;
  
  receiving the security event from an agent, the security event including an indication of a target asset;
  
  determining a first set of one or more vulnerabilities exploited by the received security event;
  
  determining a second set of one or more vulnerabilities exposed by the target asset; and
  
  detecting a threat by determining a vulnerability common to the first set of vulnerabilities and the second set of vulnerabilities; and
  
  a processor configured to execute the machine-readable instructions stored by the machine-readable medium.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The system of claim 17, wherein the method further comprises:
    - if no common vulnerability is shared by both the first set of vulnerabilities and the second set of vulnerabilities, determining that the security event does not represent the threat to the network.
  - 25. The system of claim 17, wherein the method further comprises determining a priority based on the security event.
  - 26. The system of claim 17, wherein the indication of the target asset comprises an address associated with the target asset.
  - 27. The system of claim 17, wherein determining the first set of vulnerabilities comprises determining the first set of vulnerabilities based on an event signature of the security event.
  - 28. The system of claim 17, wherein determining the first set of vulnerabilities comprises determining the first set of vulnerabilities based on a type of the security event.
  - 29. The system of claim 17, wherein determining the second set of vulnerabilities comprises determining the second set of vulnerabilities based on a model of the target asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Saurabh, Kumar, Dash, Debabrata, Njemanze, Hugh S., Kothari, Pravin S., Tidwell, Kenny C.
Primary Examiner(s)
Song; Hosuk

Application Number

US11/836,251
Time in Patent Office

1,237 Days
Field of Search

726 22- 26, 709223-225, 713/188
US Class Current

726/22
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Threat detection in a network security system

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Threat detection in a network security system

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links