Real time monitoring and analysis of events from multiple network security devices

US 8,056,130 B1
Filed: 04/04/2008
Issued: 11/08/2011
Est. Priority Date: 12/02/2002
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring security of a computer network, the computer network comprising network devices, the method comprising:

receiving security events generated by the network devices, wherein a security event generated by a network device is in a format used by the network device;

modifying the security events to normalize the security events to a common schema, wherein the common schema includes a category that represents an event name;

selecting one or more of the normalized security events according to a filter; and

cross-correlating the selected security events with a rule, wherein the cross-correlating is performed remotely from the normalizing.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security events generated by a number of network devices are gathered and normalized to produce normalized security events in a common schema. The normalized security events are cross-correlated according to rules to generate meta-events. The security events may be gathered remotely from a system at which the cross-correlating is performed. Any meta-events that are generated may be reported by generating alerts for display at one or more computer consoles, or by sending an e-mail message, a pager message, a telephone message, and/or a facsimile message to an operator or other individual. In addition to reporting the meta-events, the present system allows for taking other actions specified by the rules, for example executing scripts or other programs to reconfigure one or more of the network devices, and or to modify or update access lists, etc.

260 Citations

35 Claims

1. A method for monitoring security of a computer network, the computer network comprising network devices, the method comprising:
- receiving security events generated by the network devices, wherein a security event generated by a network device is in a format used by the network device;
  
  modifying the security events to normalize the security events to a common schema, wherein the common schema includes a category that represents an event name;
  
  selecting one or more of the normalized security events according to a filter; and
  
  cross-correlating the selected security events with a rule, wherein the cross-correlating is performed remotely from the normalizing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the security event generated by the network device originated in an event log that was generated by the network device.
  - 3. The method of claim 1, wherein the security event generated by the network device comprises information about operation of the network device.
  - 4. The method of claim 1, wherein the network device comprises one of a router, a firewall, a network intrusion detection system, an access control server, a virtual private network system, a database, an anti-virus product, a software application, an e-mail log, an operating system log, and an event log.
  - 5. The method of claim 1, further comprising determining when the rule is satisfied.
  - 6. The method of claim 5, further comprising responsive to the rule being satisfied, performing an action.
  - 7. The method of claim 6, wherein the action comprises generating a notification.
  - 8. The method of claim 7, wherein the notification comprises one of an e-mail message, a pager message, a telephone message, a facsimile message, and an alert to be displayed by a computer system.
  - 9. The method of claim 6, wherein the action comprises generating a meta-event.
  - 10. The method of claim 9, further comprising storing the meta-event in a database.
  - 11. The method of claim 1, further comprising storing the selected security events in a database.
  - 12. The method of claim 11, wherein the storing occurs after the cross-correlating.
  - 13. The method of claim 1, wherein normalizing a security event to a common schema comprises:
    - parsing the security event to extract event field values; and
      
      populating corresponding fields in the common schema with the extracted event field values.
  - 14. The method of claim 1, further comprising aggregating two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated.
  - 15. The method of claim 14, wherein the aggregating is performed remotely from the cross-correlating.
  - 16. The method of claim 1, further comprising transmitting the selected security events, wherein the transmitting occurs prior to the cross-correlating.
  - 17. The method of claim 16, wherein the transmitting occurs in batch mode.

18. A system for monitoring security of a computer network, the computer network comprising network components, the system comprising:
- one or more software agents, including a software agent configured to receive event information from one or more network components, wherein event information received from a network component is in a format used by the network component, and further configured to modify the event information to normalize the event information to a common schema and to filter the normalized event information, wherein the common schema includes a category that represents an event name; and
  
  a server-based manager configured to receive filtered event information from the one or more software agents and further configured to cross-correlate the filtered event information with a rule.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The system of claim 18, further comprising a database communicatively coupled to the manager, wherein the manager is further configured to store the filtered event information in the database.
  - 20. The system of claim 18, wherein the manager is further configured to determine when the rule is satisfied and to generate a notification responsive to the rule being satisfied.
  - 21. The system of claim 20, further comprising a console communicatively coupled to the manager, wherein the console is configured to receive from the manager the notification.
  - 22. The system of claim 21, wherein the rule was generated at the console and transmitted to the manager.
  - 23. The system of claim 20, further comprising a knowledge base comprising information regarding the notification.
  - 24. The system of claim 18, wherein the network components are heterogeneous.
  - 25. The system of claim 18, wherein the software agent is further configured to aggregate two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated.
  - 26. The system of claim 18, wherein the software agent is further configured to transmit the filtered event information to the manager.
  - 27. The system of claim 26, wherein the transmitting occurs in batch mode.

28. A non-transitory computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to monitor security of a computer network, the computer network comprising network devices, by cross-correlating events with a rule, an event having been received from a network device in a format used by the network device and modified to normalize the event to a common schema and the normalized event selected according to a filter, wherein the common schema includes a category that represents an event name.
- View Dependent Claims (29, 30, 31)
- - 29. The non-transitory computer readable medium of claim 28, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to perform an action responsive to the rule being satisfied.
  - 30. The non-transitory computer readable medium of claim 29, wherein the action comprises generating a notification.
  - 31. The non-transitory computer readable medium of claim 30, wherein the notification comprises one of an e-mail message, a pager message, a telephone message, a facsimile message, and an alert to be displayed by a computer system.

32. A non-transitory computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to receive event information from an associated network device, wherein the event information is in a format used by the associated network device, and to modify the event information to normalize the event information to a common schema, and to filter the normalized event information, wherein the common schema includes a category that represents an event name.
- View Dependent Claims (33, 34, 35)
- - 33. The non-transitory computer readable medium of claim 32, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to transmit filtered event information to a remote computer system.
  - 34. The non-transitory computer readable medium of claim 33, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to aggregate the filtered event information prior to transmission.
  - 35. The non-transitory computer readable medium of claim 33, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to transmit filtered event information in batch mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Njemanze, Hugh S., Kothari, Pravin S.
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US12/098,322
Time in Patent Office

1,313 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1425 Traffic logging, e.g. anoma...

Real time monitoring and analysis of events from multiple network security devices

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

260 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Real time monitoring and analysis of events from multiple network security devices

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

260 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links