Comparing events from multiple network security devices

US 8,528,077 B1
Filed: 04/09/2004
Issued: 09/03/2013
Est. Priority Date: 04/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a set of events from a plurality of security devices;

dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;

comparing the plurality of event flows;

wherein the plurality of security devices comprises two or more identical security devices;

wherein the plurality of event flows comprises two or more event flows, one event flow corresponding with each identical security device; and

further comprising evaluating a perimeter defense device based on the comparison.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Events are received from a plurality of security devices (which may be similar or different devices, e.g., intrusion detection systems configured to monitor network traffic) and divided into a plurality of event flows. Comparing the event flows (e.g., using statistical correlation methods) then generates one or more meta-events. The received events may be divided into different event flows on the basis of the security device which generated the events. The meta-events may be generated by evaluating a perimeter defense device through comparison of the different event flows. In some cases, various ones of the security devices may be inside or outside a perimeter defined by the perimeter defense device.

Citations

20 Claims

1. A method comprising:
- receiving a set of events from a plurality of security devices;
  
  dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
  
  comparing the plurality of event flows;
  
  wherein the plurality of security devices comprises two or more identical security devices;
  
  wherein the plurality of event flows comprises two or more event flows, one event flow corresponding with each identical security device; and
  
  further comprising evaluating a perimeter defense device based on the comparison.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein at least one of the two or more identical security devices is outside a perimeter defined by the perimeter defense device, and at least another one of the two or more identical security devices is inside the perimeter defined by the perimeter defense device.
  - 3. The method of claim 2, wherein the two or more identical security devices comprise two or more identical intrusion detection systems.

4. A method comprising:
- receiving a set of events from a plurality of security devices;
  
  dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
  
  comparing the plurality of event flows;
  
  wherein the plurality of security devices comprises two or more identical security devices;
  
  wherein the plurality of event flows comprises two or more event flows, one event flow corresponding with each identical security device; and
  
  further comprising detecting that one of the identical security devices has been tampered with based on the comparison.
- View Dependent Claims (5)
- - 5. The method of claim 4, wherein the two or more identical security devices monitor identical network traffic.

6. A method comprising:
- receiving a set of events from a plurality of security devices;
  
  dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
  
  comparing the plurality of event flows;
  
  wherein the plurality of security devices comprises two or more heterogeneous security devices;
  
  wherein the plurality of event flows comprises two or more event flows, one event flow corresponding with each heterogeneous security device; and
  
  further comprising evaluating effectiveness of the two or more heterogeneous security devices based on the comparison.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, wherein the two or more heterogeneous security devices comprise two or more intrusion detection systems, each provided by a different vendor.
  - 8. The method of claim 6, wherein the two or more heterogeneous security devices comprise a network intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS).

9. A network security system comprising:
- a plurality of distributed agents to collect security events from a plurality of security devices;
  
  an agent manager to group the collected security events into an event flow;
  
  one or more filters to divide the event flow into a plurality of event sub-flows, wherein an event sub-flow represents a subset of the collected security events; and
  
  a comparison engine to compare the plurality of event sub-flows;
  
  wherein the plurality of security devices comprises a first security device situated outside of a perimeter defined by a perimeter defense device and a second security device situated inside the perimeter defined by the perimeter defense device;
  
  the one or more filters are configured to divide the event flow into two event sub-flows, one event sub-flow corresponding with each of the two security devices; and
  
  the comparison engine is configured to evaluate the perimeter defense device by comparing the two event sub-flows.
- View Dependent Claims (10)
- - 10. The network security system of claim 9, wherein the first and second security devices comprise two identical intrusion detection systems.

11. A network security system comprising:
- a plurality of distributed agents to collect security events from a plurality of security devices;
  
  an agent manager to group the collected security events into an event flow;
  
  one or more filters to divide the event flow into a plurality of event sub-flows, wherein an event sub-flow represents a subset of the collected security events; and
  
  a comparison engine to compare the plurality of event sub-flows;
  
  wherein the plurality of security devices comprises two identical network security devices configured to monitor identical network traffic;
  
  the one or more filters are configured to divide the event flow into two event sub-flows, one event sub-flow corresponding with each identical network security device; and
  
  the comparison engine is configured to detect whether one of the two identical network security devices has been tampered with by comparing the two event sub-flows.

12. A network security system comprising:
- a plurality of distributed agents to collect security events from a plurality of security devices;
  
  an agent manager to group the collected security events into an event flow;
  
  one or more filters to divide the event flow into a plurality of event sub-flows, wherein an event sub-flow represents a subset of the collected security events; and
  
  a comparison engine to compare the plurality of event sub-flows;
  
  the plurality of security devices comprises two heterogeneous security devices;
  
  the one or more filters are configured to divide the event flow into two event sub-flows, one event sub-flow corresponding with each of the heterogeneous security devices; and
  
  the comparison engine is configured to evaluate an effectiveness of the two heterogeneous network security devices by comparing the two event sub-flows.
- View Dependent Claims (13, 14)
- - 13. The network security system of claim 12, wherein the two heterogeneous security devices comprise two intrusion detection systems, each provided by a different vendor.
  - 14. The network security device of claim 12, wherein the two heterogeneous network security devices comprise a network intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS).

15. A non-transitory machine-readable medium having stored thereon data representing instruction that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a set of events from a plurality of network security devices;
  
  dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
  
  comparing the plurality of event flows;
  
  wherein the plurality of network security devices comprises two or more identical network security devices;
  
  the plurality of event flows comprises two or more event flows, one event flow corresponding with each identical network security device; and
  
  the operations further comprise evaluating a perimeter defense device based on the comparison.
- View Dependent Claims (16)
- - 16. The non-transitory machine-readable medium of claim 15, wherein at least one of the two or more identical network security devices is outside a perimeter defined by the perimeter defense device, and at least another one of the two or more identical network security devices is inside the perimeter defined by the perimeter defense device.

17. A non-transitory machine-readable medium having stored thereon data representing instruction that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a set of events from a plurality of network security devices;
  
  dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
  
  comparing the plurality of event flows;
  
  wherein the plurality of network security devices comprises two or more identical network security devices configured to monitor identical network traffic;
  
  the plurality of event flows comprises two or more event flows, one event flow corresponding with each identical network security device; and
  
  the operations further comprise detecting that one of the identical network security devices has been tampered with based on the comparison.

18. A non-transitory machine-readable medium having stored thereon data representing instruction that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a set of events from a plurality of network security devices;
  
  dividing the set of events into a plurality of event flows, wherein an event flow represents a subset of the set of events;
  
  comparing the plurality of event flows;
  
  wherein the plurality of network security devices comprises two or more heterogeneous network security devices;
  
  the plurality of event flows comprises two or more event flows, one event flow corresponding with each heterogeneous network security device; and
  
  the operations further comprise evaluating effectiveness of the two or more heterogeneous network security devices based on the comparison.
- View Dependent Claims (19, 20)
- - 19. The non-transitory machine-readable medium of claim 18, wherein the two or more heterogeneous network security devices comprise two or more intrusion network security devices, each provided by a different vendor.
  - 20. The non-transitory machine-readable medium of claim 18, wherein the two or more heterogeneous network security devices comprise a network intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Tidwell, Kenny, Dash, Debabrata
Primary Examiner(s)
Powers, William
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US10/821,459
Time in Patent Office

3,434 Days
Field of Search

713/201, 726/22
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 43/026   using flow identification

H04L 63/0209   Architectural arrangements,...

H04L 63/1408   by monitoring network traff...

Comparing events from multiple network security devices

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Comparing events from multiple network security devices

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links