Comparing events from multiple network security devices
Abstract
Events are received from a plurality of security devices (which may be similar or different devices, e.g., intrusion detection systems configured to monitor network traffic) and divided into a plurality of event flows. Comparing the event flows (e.g., using statistical correlation methods) then generates one or more meta-events. The received events may be divided into different event flows on the basis of the security device which generated the events. The meta-events may be generated by evaluating a perimeter defense device through comparison of the different event flows. In some cases, various ones of the security devices may be inside or outside a perimeter defined by the perimeter defense device.
Claims (20)
1. A method comprising:
- receiving a set of events from a plurality of security devices;
- dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
- comparing the plurality of event flows;
- wherein the plurality of security devices comprises two or more identical security devices;
- wherein the plurality of event flows comprises two or more event flows, one event flow corresponding with each identical security device; and
- further comprising evaluating a perimeter defense device based on the comparison.
Dependent claims: 2, 3.

4. A method comprising:
- receiving a set of events from a plurality of security devices;
- dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
- comparing the plurality of event flows;
- wherein the plurality of security devices comprises two or more identical security devices;
- wherein the plurality of event flows comprises two or more event flows, one event flow corresponding with each identical security device; and
- further comprising detecting that one of the identical security devices has been tampered with based on the comparison.
Dependent claims: 5.

6. A method comprising:
- receiving a set of events from a plurality of security devices;
- dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
- comparing the plurality of event flows;
- wherein the plurality of security devices comprises two or more heterogeneous security devices;
- wherein the plurality of event flows comprises two or more event flows, one event flow corresponding with each heterogeneous security device; and
- further comprising evaluating effectiveness of the two or more heterogeneous security devices based on the comparison.
Dependent claims: 7, 8.

9. A network security system comprising:
- a plurality of distributed agents to collect security events from a plurality of security devices;
- an agent manager to group the collected security events into an event flow;
- one or more filters to divide the event flow into a plurality of event sub-flows, wherein an event sub-flow represents a subset of the collected security events; and
- a comparison engine to compare the plurality of event sub-flows;
- wherein the plurality of security devices comprises a first security device situated outside of a perimeter defined by a perimeter defense device and a second security device situated inside the perimeter defined by the perimeter defense device;
- the one or more filters are configured to divide the event flow into two event sub-flows, one event sub-flow corresponding with each of the two security devices; and
- the comparison engine is configured to evaluate the perimeter defense device by comparing the two event sub-flows.
Dependent claims: 10.

11. A network security system comprising:
- a plurality of distributed agents to collect security events from a plurality of security devices;
- an agent manager to group the collected security events into an event flow;
- one or more filters to divide the event flow into a plurality of event sub-flows, wherein an event sub-flow represents a subset of the collected security events; and
- a comparison engine to compare the plurality of event sub-flows;
- wherein the plurality of security devices comprises two identical network security devices configured to monitor identical network traffic;
- the one or more filters are configured to divide the event flow into two event sub-flows, one event sub-flow corresponding with each identical network security device; and
- the comparison engine is configured to detect whether one of the two identical network security devices has been tampered with by comparing the two event sub-flows.

12. A network security system comprising:
- a plurality of distributed agents to collect security events from a plurality of security devices;
- an agent manager to group the collected security events into an event flow;
- one or more filters to divide the event flow into a plurality of event sub-flows, wherein an event sub-flow represents a subset of the collected security events; and
- a comparison engine to compare the plurality of event sub-flows;
- the plurality of security devices comprises two heterogeneous security devices;
- the one or more filters are configured to divide the event flow into two event sub-flows, one event sub-flow corresponding with each of the heterogeneous security devices; and
- the comparison engine is configured to evaluate an effectiveness of the two heterogeneous network security devices by comparing the two event sub-flows.
Dependent claims: 13, 14.

15. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a set of events from a plurality of network security devices;
- dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
- comparing the plurality of event flows;
- wherein the plurality of network security devices comprises two or more identical network security devices;
- the plurality of event flows comprises two or more event flows, one event flow corresponding with each identical network security device; and
- the operations further comprise evaluating a perimeter defense device based on the comparison.
Dependent claims: 16.

17. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a set of events from a plurality of network security devices;
- dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
- comparing the plurality of event flows;
- wherein the plurality of network security devices comprises two or more identical network security devices configured to monitor identical network traffic;
- the plurality of event flows comprises two or more event flows, one event flow corresponding with each identical network security device; and
- the operations further comprise detecting that one of the identical network security devices has been tampered with based on the comparison.

18. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a set of events from a plurality of network security devices;
- dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
- comparing the plurality of event flows;
- wherein the plurality of network security devices comprises two or more heterogeneous network security devices;
- the plurality of event flows comprises two or more event flows, one event flow corresponding with each heterogeneous network security device; and
- the operations further comprise evaluating effectiveness of the two or more heterogeneous network security devices based on the comparison.
Dependent claims: 19, 20.

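As an added example (not part of the patent and not any vendor's product), a minimal Python comparison engine that follows the structure of the abstract and claims: events from several sensors are divided into one flow per device, an outside/inside sensor pair is compared to evaluate the perimeter defense device (claims 1, 9, 15), and an identical sensor pair watching the same traffic is compared to flag possible tampering (claims 4, 11, 17). Device names, signature names and event counts are constructed sample values.

```python
# Added example (not from the patent): toy comparison engine following the claims:
# collect events, divide them into one flow per device, compare the flows.
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    device: str     # security device that generated the event
    signature: str  # what the device detected (IDS rule name, constructed)

def divide_into_flows(events):
    """Split the received event set into one event flow per originating device."""
    flows = defaultdict(list)
    for ev in events:
        flows[ev.device].append(ev)
    return dict(flows)

def signature_counts(flow):
    return Counter(ev.signature for ev in flow)

def evaluate_perimeter(outside_flow, inside_flow):
    """Compare a sensor outside the perimeter device with one inside it: signatures
    seen only outside were stopped by the perimeter; seen on both sides, they passed."""
    out, ins = signature_counts(outside_flow), signature_counts(inside_flow)
    return {"blocked": set(out) - set(ins), "leaked": set(out) & set(ins)}

def detect_tamper(flow_a, flow_b, tolerance=0.0):
    """Two identical sensors on identical traffic should report identical signature
    histograms; a normalised divergence above the tolerance flags the pair as suspect."""
    a, b = signature_counts(flow_a), signature_counts(flow_b)
    diff = {s: a[s] - b[s] for s in set(a) | set(b) if a[s] != b[s]}
    total = sum((a | b).values())  # Counter union keeps the max count per key
    divergence = sum(abs(v) for v in diff.values()) / total if total else 0.0
    return divergence > tolerance, diff

# Constructed sample: one IDS outside a firewall ("ids-out"), one inside ("ids-in"),
# plus an identical pair ("ids-a"/"ids-b") watching the same mirrored traffic.
SAMPLE_EVENTS = [
    *(Event("ids-out", s) for s in ["SQLi", "SQLi", "PortScan", "PortScan", "WebShell"]),
    *(Event("ids-in", s) for s in ["SQLi", "SQLi"]),
    *(Event("ids-a", s) for s in ["SQLi", "SQLi", "PortScan"]),
    *(Event("ids-b", s) for s in ["SQLi", "SQLi"]),  # ids-b is silent on PortScan
]

def run_sample():
    flows = divide_into_flows(SAMPLE_EVENTS)
    return {"perimeter": evaluate_perimeter(flows["ids-out"], flows["ids-in"]),
            "tamper": detect_tamper(flows["ids-a"], flows["ids-b"])}
```

In the sample, the inside sensor sees SQLi but not PortScan or WebShell, so the perimeter is judged to have stopped the latter two, and the identical pair diverges on PortScan, which is what the tamper check reports.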
Specification