Secure self-organizing and self-provisioning anomalous event detection systems

US 8,108,930 B2
Filed: 10/27/2006
Issued: 01/31/2012
Est. Priority Date: 03/10/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method comprising:

scanning a network, by a processor, for an instance of an anomalous event detection module, wherein the network includes one or more sub-networks;

creating the instance if no instance exists;

determining whether one or more additional instances need to be created based on a change in configuration of the network; and

automatically creating the one or more additional instances based on the determined change in configuration.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for providing managed security services is disclosed. A database, within a server or a pre-existing anomalous event detection system, stores a rule set specifying a security policy for a network associated with a customer. An anomalous detection event module is deployed within a premise of the customer and retrieves rule sets from the database. The anomalous detection event module monitors a sub-network of the network based on the rule sets. The anomalous event detection module is further configured to self-organize by examining components of the network and to monitor for anomalous events according to the examined components, and to self-provision by selectively creating another instance of the anomalous detection event module to monitor another sub-network of the network.

Citations

20 Claims

1. A computer-implemented method comprising:
- scanning a network, by a processor, for an instance of an anomalous event detection module, wherein the network includes one or more sub-networks;
  
  creating the instance if no instance exists;
  
  determining whether one or more additional instances need to be created based on a change in configuration of the network; and
  
  automatically creating the one or more additional instances based on the determined change in configuration.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, further comprising:
    - obtaining a rule set specifying a security policy for one of the sub-networks.
  - 3. A method according to claim 2, further comprising:
    - associating a digital certificate with the rule set to indicate that the rule set is from a particular source.
  - 4. A method according to claim 2, wherein the rule set is stored in a database that resides with a pre-existing anomalous event detection system within the network, the method further comprising:
    - establishing a secure communication session with the pre-existing anomalous event detection system to retrieve the rule set.
  - 5. A method according to claim 2, further comprising:
    - storing an anomalous event from one of the sub-networks;
      
      analyzing the anomalous event according to statistical predictive rules; and
      
      selectively creating a new rule in response to the analysis of the anomalous event.
  - 6. A method according to claim 5, further comprising:
    - inserting the new rule into the database to update the rule set, wherein the updated rule set is time-stamped to support retrieval of the latest modified rule set.
  - 7. A method according to claim 1, further comprising:
    - transmitting status information to a pre-existing anomalous event detection system within a cluster.
  - 8. A method according to claim 1, further comprising:
    - monitoring elements of the network, wherein events associated with the elements are tailored to the monitoring; and
      
      detecting an anomalous event using one of a signature-based scheme, and a heuristic scheme.

9. A system comprising:
- an anomalous event detection module configured to scan a network for an instance of itself, wherein the network includes one or more sub-networks, wherein the anomalous event detection module is further configured to create the instance if no instance exists, and to determine whether one or more additional instances need to be created based on a change in configuration of the network, the anomalous event detection module automatically creating the one or more additional instances based on the determined change in configuration.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A system according to claim 9, wherein the anomalous event detection module is further configured to obtain a rule set specifying a security policy for one of the sub-networks.
  - 11. A system according to claim 10, wherein the anomalous event detection module is further configured to associate a digital certificate with the rule set to indicate that the rule set is from a particular source.
  - 12. A system according to claim 10, wherein the anomalous event detection module is further configured to establish a secure communication session with a pre-existing anomalous event detection system to retrieve the rule set.
  - 13. A system according to claim 10, wherein the anomalous event detection module is further configured to store an anomalous event from one of the sub-networks, to analyze the anomalous event according to statistical predictive rules, and to selectively create a new rule in response to the analysis of the anomalous event.
  - 14. A system according to claim 13, wherein the anomalous event detection module is further configured to insert the new rule into the database to update the rule set, wherein the updated rule set is time-stamped to support retrieval of the latest modified rule set.
  - 15. A system according to claim 9, wherein the anomalous event detection module is further configured to transmit status information to a pre-existing anomalous event detection system within a cluster.
  - 16. A system according to claim 9, wherein the anomalous event detection module is further configured to monitor elements of the network, wherein events associated with the elements are tailored to the monitoring, the anomalous event detection module being further configured to detect an anomalous event using one of a signature-based scheme, and a heuristic scheme.

17. An apparatus comprising:
- a communication interface configured to scan a network for an instance of an anomalous event detection module, wherein the network includes one or more sub-networks; and
  
  a processor configured to create the instance if no instance exists, and to determine whether one or more additional instances need to be created based on a change in configuration of the network, wherein the one or more additional instances are automatically created based on the determined change in configuration.
- View Dependent Claims (18, 19, 20)
- - 18. An apparatus according to claim 17, wherein the communication interface is further configured to establish a secure communication session with a pre-existing anomalous event detection system to retrieve a rule set.
  - 19. An apparatus according to claim 18, wherein the processor is further configured to store an anomalous event from one of the sub-networks, to analyze the anomalous event according to statistical predictive rules, and to selectively create a new rule in response to the analysis of the anomalous event.
  - 20. An apparatus according to claim 17, wherein the processor is further configured to monitor elements of the network, wherein events associated with the elements are tailored to the monitoring, the processor being further configured to detect an anomalous event using one of a signature-based scheme, and a heuristic scheme.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Business Global LLC (Verizon Communications Inc.)
Inventors
Hoefelmeyer, Ralph Samuel, Wiederin, Shawn Edward, Phillips, Theresa Eileen
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US11/553,802
Publication Number

US 20070094729A1
Time in Patent Office

1,922 Days
Field of Search

726/23, 726/25, 709/224, 709/223
US Class Current

726/23
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Secure self-organizing and self-provisioning anomalous event detection systems

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure self-organizing and self-provisioning anomalous event detection systems

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links