Method and apparatus for exercising and debugging correlations for network security system

US 7,899,901 B1
Filed: 12/02/2002
Issued: 03/01/2011
Est. Priority Date: 12/02/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

a first device receiving security events, wherein one or more of the security events originated in an event log that was generated by a computer network device;

the first device normalizing the security events to a common event schema;

the first device transmitting the normalized security events to a second device;

the second device receiving the normalized security events and correlating the normalized security events according to a first rule defining a security incident;

the first device transmitting the normalized security events to a computer-readable storage medium;

the first device retrieving one or more of the normalized security events from the computer-readable storage medium;

the first device transmitting the retrieved normalized security events to the second device, wherein the transmission of the retrieved normalized security events to the second device is performed faster than the initial transmission of the normalized security events to the second device;

the second device receiving the retrieved normalized security events and correlating the retrieved normalized security events according to a second rule defining a security incident, wherein the second rule differs from the first rule; and

the second device generating a meta-event when the retrieved normalized security events satisfy a condition associated with the second rule.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A selected time interval of previously stored security events generated by a number of computer network devices are replayed and cross-correlated according to rules defining security incidents. Meta-events are generated when the security events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the security events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true security event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested and/or debugged against actual security event data).

123 Citations

View as Search Results

22 Claims

1. A method, comprising:
- a first device receiving security events, wherein one or more of the security events originated in an event log that was generated by a computer network device;
  
  the first device normalizing the security events to a common event schema;
  
  the first device transmitting the normalized security events to a second device;
  
  the second device receiving the normalized security events and correlating the normalized security events according to a first rule defining a security incident;
  
  the first device transmitting the normalized security events to a computer-readable storage medium;
  
  the first device retrieving one or more of the normalized security events from the computer-readable storage medium;
  
  the first device transmitting the retrieved normalized security events to the second device, wherein the transmission of the retrieved normalized security events to the second device is performed faster than the initial transmission of the normalized security events to the second device;
  
  the second device receiving the retrieved normalized security events and correlating the retrieved normalized security events according to a second rule defining a security incident, wherein the second rule differs from the first rule; and
  
  the second device generating a meta-event when the retrieved normalized security events satisfy a condition associated with the second rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising displaying the meta-event.
  - 3. The method of claim 1, wherein the meta-event represents an instance for which various ones or more of the retrieved normalized security events satisfy a condition associated with the second rule.
  - 4. The method of claim 1, wherein prior to being normalized, one or more of the security events was gathered from one or more of routers, e-mail logs, anti-virus products, firewalls, network intrusion detection systems, access control servers, virtual private network systems, network device event logs, and network device Syslogs.
  - 5. The method of claim 1, wherein the first device comprises a software agent that is associated with the computer network device.
  - 6. The method of claim 1, wherein the first device transmits the retrieved normalized security events in response to user selection.
  - 7. The method of claim 6, wherein the user selection is made through a graphical user interface having elements defining modes of re-transmission.
  - 8. The method of claim 7, wherein the modes of re-transmission include “
    - play”
      
      , “
      
      fast forward” and
      
      “
      
      reverse”
      
      .
  - 9. The method of claim 6, wherein the user selection is made through a pick list displayed via a graphical user interface.
  - 10. The method of claim 6, wherein the user selection indicates a time interval.
  - 11. The method of claim 1, further comprising applying the second rule to live security events reported by one or more computer network devices.

12. A system, comprising:
- a first device comprising a hardware processor configured to;
  
  receive security events, wherein one or more of the security events originated in an event log that was generated by a computer network device;
  
  normalize the security events to a common event schema;
  
  transmit the normalized security events to a second device;
  
  transmit the normalized security events to a computer-readable storage medium;
  
  retrieve one or more of the normalized security events from the computer-readable storage medium; and
  
  transmit the retrieved normalized security events to the second device, wherein the transmission of the retrieved normalized security events to the second device is performed faster than the initial transmission of the normalized security events to the second device; and
  
  the second device comprising a hardware processor configured to;
  
  receive the normalized security events and correlate the normalized security events according to a first rule defining a security incident;
  
  receive the retrieved normalized security events and correlate the retrieved normalized security events according to a second rule defining a security incident, wherein the second rule differs from the first rule; and
  
  generate a meta-event when the retrieved normalized security events satisfy a condition associated with the second rule.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the meta-event represents an instance for which various ones or more of the retrieved normalized security events satisfy a condition associated with the second rule.
  - 14. The system of claim 12, wherein prior to being normalized, one or more of the security events was gathered from one or more of routers, e-mail logs, anti-virus products, firewalls, network intrusion detection systems, access control servers, virtual private network systems, network device event logs, and network device Syslogs.
  - 15. The system of claim 12, wherein the first device comprises a software agent that is associated with the computer network device.
  - 16. The system of claim 12, wherein the hardware processor of the first device is further configured to transmit the retrieved normalized security events in response to user selection.
  - 17. The system of claim 16, wherein the user selection is made through a graphical user interface having elements defining modes of re-transmission.
  - 18. The system of claim 17, wherein the modes of re-transmission include “
    - play”
      
      , “
      
      fast forward” and
      
      “
      
      reverse”
      
      .
  - 19. The system of claim 16, wherein the user selection is made through a pick list displayed via a graphical user interface.
  - 20. The system of claim 16, wherein the user selection indicates a time interval.
  - 21. The system of claim 12, wherein the hardware processor of the second device is further configured to display the meta-event.
  - 22. The system of claim 12, wherein the hardware processor of the second device is further configured to apply the second rule to live security events reported by one or more computer network devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Wang, Shijie, Dash, Debabrata, Njemanze, Hugh S.
Primary Examiner(s)
Serrao; Ranodhi N

Application Number

US10/308,416
Time in Patent Office

3,011 Days
Field of Search

709/224, 709/223, 370/241, 370/242, 726/14, 726/22
US Class Current

709/224
CPC Class Codes

G06F 21/552 involving long-term monitor...

Method and apparatus for exercising and debugging correlations for network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

123 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for exercising and debugging correlations for network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links