Hierarchical architecture in a network security system
First Claim
Patent Images
1. A network security system comprising:
- a plurality of subsystems, each subsystem comprising;
a plurality of distributed software agents, each agent configured;
to collect a security event from a monitor device; and
to transmit the security event;
a local manager module coupled to the plurality of distributed software agents, configured;
to receive, from each agent, the security event;
to generate one or more correlated events by correlating the received security events, wherein a correlated event comprises a conclusion drawn from the received security events; and
to transmit the one or more correlated events; and
a local manager agent coupled to the local manager module, configured;
to receive, from the local manager module, the one or more correlated events;
to process the one or more correlated events; and
to transmit the processed correlated events; and
a global manager module coupled to the plurality of subsystems, each subsystem comprising a local network security system, the global manager module configured;
to receive, from each subsystem, the processed correlated events; and
to correlate the received processed correlated events.
11 Assignments
0 Petitions
Accused Products
Abstract
A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the security events. Each of the subsystems can report the correlated events to a global manager module coupled to the plurality of subsystems, and the global manager module can correlate the correlated events from each manager module.
-
Citations
16 Claims
-
1. A network security system comprising:
-
a plurality of subsystems, each subsystem comprising; a plurality of distributed software agents, each agent configured; to collect a security event from a monitor device; and to transmit the security event; a local manager module coupled to the plurality of distributed software agents, configured; to receive, from each agent, the security event; to generate one or more correlated events by correlating the received security events, wherein a correlated event comprises a conclusion drawn from the received security events; and to transmit the one or more correlated events; and a local manager agent coupled to the local manager module, configured; to receive, from the local manager module, the one or more correlated events; to process the one or more correlated events; and to transmit the processed correlated events; and a global manager module coupled to the plurality of subsystems, each subsystem comprising a local network security system, the global manager module configured; to receive, from each subsystem, the processed correlated events; and to correlate the received processed correlated events. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A method for monitoring a plurality of local networks, the method comprising:
-
for each local network; collecting security events; generating local correlated events by correlating the collected security events at a local network security system monitoring the local network, wherein a local correlated event comprises a conclusion drawn from the collected security events; and processing the local correlated events; collecting, from each local network, the processed local correlated events; and generating global correlated events by correlating the collected processed local correlated events. - View Dependent Claims (8, 9, 10, 11)
-
-
12. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor, causes the processor to perform operations comprising:
-
for each local network of a plurality of local networks; collecting security events; generating local correlated events by correlating the collected security events at a local network security system monitoring the local network, wherein a local correlated event comprises a conclusion drawn from the collected security events; and processing the local correlated events; collecting, from each local network, the processed local correlated events; and generating global correlated events by correlating the collected processed local correlated events. - View Dependent Claims (13, 14, 15, 16)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeMicro Focus LLC (Open Text Corporation)
-
Original AssigneeArcsight Incorporated (HP Inc.)
-
InventorsKothari, Pravin S., Tidwell, Kenny, Beedgen, Christian, Njemanze, Hugh S.
-
Primary Examiner(s)Parthasarathy; Pramila
-
Application NumberUS10/683,221Time in Patent Office2,888 DaysField of Search726/23, 726/2, 726/22, 726/26US Class Current726/22CPC Class CodesH04L 41/046 comprising network manageme...H04L 41/0631 using root cause analysis; ...H04L 63/1416 Event detection, e.g. attac...H04L 63/1441 Countermeasures against mal...H04L 67/10 in which an application is ...H04L 67/12 specially adapted for propr...
