Hierarchical architecture in a network security system
First Claim
1. A network security system comprising:
- a plurality of subsystems, each subsystem comprising:
  - a plurality of distributed software agents, each agent configured:
    - to collect a security event from a monitor device; and
    - to transmit the security event;
  - a local manager module coupled to the plurality of distributed software agents, configured:
    - to receive, from each agent, the security event;
    - to generate one or more correlated events by correlating the received security events, wherein a correlated event comprises a conclusion drawn from the received security events; and
    - to transmit the one or more correlated events; and
  - a local manager agent coupled to the local manager module, configured:
    - to receive, from the local manager module, the one or more correlated events;
    - to process the one or more correlated events; and
    - to transmit the processed correlated events; and
- a global manager module coupled to the plurality of subsystems, each subsystem comprising a local network security system, the global manager module configured:
  - to receive, from each subsystem, the processed correlated events; and
  - to correlate the received processed correlated events.
Abstract
A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the security events. Each of the subsystems can report the correlated events to a global manager module coupled to the plurality of subsystems, and the global manager module can correlate the correlated events from each manager module.
16 Claims
1. A network security system comprising:
(Set out in full under First Claim above; dependent claims 2, 3, 4, 5, 6.)
7. A method for monitoring a plurality of local networks, the method comprising:
- for each local network:
  - collecting security events;
  - generating local correlated events by correlating the collected security events at a local network security system monitoring the local network, wherein a local correlated event comprises a conclusion drawn from the collected security events; and
  - processing the local correlated events;
- collecting, from each local network, the processed local correlated events; and
- generating global correlated events by correlating the collected processed local correlated events.
(Dependent claims 8, 9, 10, 11.)
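The two-tier pipeline described in the abstract and in the method of claim 7 (agents collect, a local manager correlates into a conclusion, a local manager agent processes and forwards, a global manager correlates across subsystems) can be seen end to end in the following added example. It is illustration code written for this page, not code from the patent or from any product; the correlation rules (five authentication failures from one source within 60 seconds at the local tier, the same conclusion about the same source from two or more subsystems at the global tier), the class names, the field names and the sample events are all assumptions made for the demonstration.

```python
"""Two-tier event correlation modelled on the hierarchical architecture in the
abstract and claims: agents -> local manager -> local manager agent -> global manager.
Sample events are constructed; thresholds, names and fields are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SecurityEvent:
    """Raw event as an agent collects it from a monitor device (constructed shape)."""
    ts: int        # seconds since epoch, constructed values
    device: str    # monitor device that reported the event
    src: str       # source address named in the event
    kind: str      # event type, e.g. "auth_failure"


@dataclass
class CorrelatedEvent:
    """Output of a manager: a conclusion plus the evidence it rests on."""
    conclusion: str
    src: str
    subsystem: str = ""
    evidence: list = field(default_factory=list)


class Agent:
    """Collects events from one monitor device and transmits them to the local manager."""
    def __init__(self, device, manager):
        self.device, self.manager = device, manager

    def collect(self, ts, src, kind):
        self.manager.receive(SecurityEvent(ts, self.device, src, kind))


class LocalManager:
    """Correlates the agents' events. Assumed rule: THRESHOLD auth failures from one
    source inside a WINDOW-second sliding window -> 'auth brute force suspected'."""
    THRESHOLD, WINDOW = 5, 60

    def __init__(self):
        self.events = []

    def receive(self, ev):
        self.events.append(ev)

    def correlate(self):
        by_src = defaultdict(list)
        for ev in sorted(self.events, key=lambda e: e.ts):
            if ev.kind == "auth_failure":
                by_src[ev.src].append(ev)
        out = []
        for src, evs in by_src.items():
            start = 0
            for end in range(len(evs)):
                # drop events that fall out of the window ending at evs[end]
                while evs[end].ts - evs[start].ts > self.WINDOW:
                    start += 1
                if end - start + 1 >= self.THRESHOLD:
                    out.append(CorrelatedEvent("auth brute force suspected", src,
                                               evidence=evs[start:end + 1]))
                    break  # one conclusion per source is enough for the global tier
        return out


class LocalManagerAgent:
    """Processes the local manager's correlated events before transmitting them:
    tags them with the subsystem name and replaces raw evidence with a count."""
    def __init__(self, subsystem, manager):
        self.subsystem, self.manager = subsystem, manager

    def process(self):
        return [CorrelatedEvent(c.conclusion, c.src, self.subsystem, evidence=[len(c.evidence)])
                for c in self.manager.correlate()]


class GlobalManager:
    """Correlates processed events from all subsystems. Assumed rule: the same source
    with the same conclusion in two or more subsystems -> 'multi-site campaign'."""
    def __init__(self):
        self.received = defaultdict(set)   # (src, conclusion) -> reporting subsystems

    def receive(self, events):
        for c in events:
            self.received[(c.src, c.conclusion)].add(c.subsystem)

    def correlate(self):
        return [CorrelatedEvent(f"multi-site campaign: {concl}", src, evidence=sorted(subs))
                for (src, concl), subs in self.received.items() if len(subs) >= 2]


def run_demo():
    """Runs two constructed subsystems through the pipeline; returns local and global results."""
    glob = GlobalManager()
    # constructed sample: 203.0.113.7 fails logins rapidly at both sites,
    # 198.51.100.9 fails only twice, five minutes apart, at one site
    sites = {
        "site-a": [(t, "fw-a", "203.0.113.7", "auth_failure") for t in range(0, 50, 10)]
                  + [(5, "fw-a", "198.51.100.9", "auth_failure"),
                     (300, "fw-a", "198.51.100.9", "auth_failure")],
        "site-b": [(t, "vpn-b", "203.0.113.7", "auth_failure") for t in range(1000, 1060, 12)],
    }
    local_results = {}
    for name, raw in sites.items():
        lm = LocalManager()
        agent = Agent(raw[0][1], lm)
        for ts, _device, src, kind in raw:
            agent.collect(ts, src, kind)
        processed = LocalManagerAgent(name, lm).process()
        local_results[name] = processed
        glob.receive(processed)
    return local_results, glob.correlate()


if __name__ == "__main__":
    local, global_events = run_demo()
    for site, evs in local.items():
        print(site, [(c.src, c.conclusion) for c in evs])
    print("global", [(c.src, c.conclusion, c.evidence) for c in global_events])
```

The point the example makes about the design is that the global tier never sees raw events: it receives only conclusions already drawn locally, so the 198.51.100.9 failures, which never reach the local threshold, never leave site-a, while the source seen brute-forcing at both sites is only recognisable as one campaign once the two subsystems' conclusions are correlated together.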
12. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- for each local network of a plurality of local networks:
  - collecting security events;
  - generating local correlated events by correlating the collected security events at a local network security system monitoring the local network, wherein a local correlated event comprises a conclusion drawn from the collected security events; and
  - processing the local correlated events;
- collecting, from each local network, the processed local correlated events; and
- generating global correlated events by correlating the collected processed local correlated events.
(Dependent claims 13, 14, 15, 16.)