System and method for active data collection in a network security system

US 8,572,733 B1
Filed: 07/06/2005
Issued: 10/29/2013
Est. Priority Date: 07/06/2005
Status: Active Grant

First Claim

Patent Images

1. A network security system, comprising:

a plurality of sensors operable to receive first data associated with potential attacks on a network security system;

a manager server coupled to at least one of the plurality of sensors and comprising a first processor, the manager server operable to;

correlate at least a portion of the first data based on a correlation rule set to detect potential attacks on the system; and

communicate a query comprising the first data and the correlated data, the correlated data being based at least in part on the correlation of at least a portion of the first data; and

a data collection module coupled to the manager server and an archive database, the data collection module comprising a second processor, the data collection module operable to;

receive the query from the manager server;

generate at least one request for second data based upon the received query;

communicate the at least one request to at least one source different from the plurality of sensors, wherein the at least one source is a server that translates IP addresses;

correlate second data received from the server that translates IP addresses with at least a portion of the first data received by the plurality of sensors; and

generate a relationship score indicating a likelihood that the first data is related to a previous potential attack based on the correlated second data and event history in the archive database;

the first data associated with potential attacks on the network security system being communicated from the plurality of sensors to the manager server without passing through the data collection module.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system comprises a plurality of sensors, a management server, and a data collection module. The plurality of sensors receive first data associated with potential attacks on the system. The manager server is coupled to at least one sensor and correlates at least a portion of the first data to detect potential attacks on the system. The data collection module is coupled to the manager server and generates at least one request for second data based upon at least one of the first data and the correlated data. The data collection module communicates the request to at least one source different from the plurality of sensors.

147 Citations

View as Search Results

20 Claims

1. A network security system, comprising:
- a plurality of sensors operable to receive first data associated with potential attacks on a network security system;
  
  a manager server coupled to at least one of the plurality of sensors and comprising a first processor, the manager server operable to;
  
  correlate at least a portion of the first data based on a correlation rule set to detect potential attacks on the system; and
  
  communicate a query comprising the first data and the correlated data, the correlated data being based at least in part on the correlation of at least a portion of the first data; and
  
  a data collection module coupled to the manager server and an archive database, the data collection module comprising a second processor, the data collection module operable to;
  
  receive the query from the manager server;
  
  generate at least one request for second data based upon the received query;
  
  communicate the at least one request to at least one source different from the plurality of sensors, wherein the at least one source is a server that translates IP addresses;
  
  correlate second data received from the server that translates IP addresses with at least a portion of the first data received by the plurality of sensors; and
  
  generate a relationship score indicating a likelihood that the first data is related to a previous potential attack based on the correlated second data and event history in the archive database;
  
  the first data associated with potential attacks on the network security system being communicated from the plurality of sensors to the manager server without passing through the data collection module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the at least one source is external to the network security system.
  - 3. The system of claim 1, wherein the at least one source is internal to the network security system.
  - 4. The system of claim 1, wherein the data collection module correlates at least a portion of the second data with the correlated portion of the first data.
  - 5. The system of claim 1, wherein the data collection module receives the second data in response to the at least one request and, in response, generates another request to at least one source different from the plurality of sensors.
  - 6. The system of claim 1, wherein the first data is passively gathered and the second data is actively requested.
  - 7. The system of claim 1, wherein the data collection module is integrated with at least one sensor or manager server.
  - 8. The system of claim 1, wherein the at least one source comprises:
    - a geographic location server that translates between IP addresses and geographic locations.
  - 9. The system of claim 1, wherein the at least one source comprises an internet directory server that translates between domain names and IP addresses.
  - 10. The system of claim 1, wherein the data collection module is further operable to communicate the at least one request to a security vulnerability device.

11. A method for providing network security, comprising:
- receiving first data at a sensor, the first data associated with potential attacks on a network security system;
  
  correlating by a manager server at least a portion of the first data to detect potential attacks on the system based on a correlation rule set;
  
  communicating by the manager server a query comprising the first data and the correlated data, the correlated data being based at least in part on the correlation of at least a portion of the first data;
  
  receiving the query from the manager server at a data collection module;
  
  generating by the data collection module at least one request for second data based upon the received query;
  
  communicating by the data collection module the at least one request to at least one source different from the sensor, wherein the at least one source is a server that translates IP addresses;
  
  correlating the second data received from the server that translates IP addresses with at least a portion of the first data received by the plurality of sensors; and
  
  generating a relationship score indicating a likelihood that the first data is related to a previous potential attack based on the correlated second data and event history in the archive database;
  
  the first data associated with potential attacks on the network security system being communicated from the sensor to the manager server without passing through the data collection module.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising correlating at least a portion of the second data with the correlated portion of the first data.
  - 13. The method of claim 11, further comprising:
    - receiving the second data in response to the at least one request; and
      
      in response to receiving the second data, generating another request to at least one source different from the sensor.
  - 14. The method of claim 11, wherein the first data is passively gathered and the second data is actively requested.
  - 15. The method of claim 11, wherein the at least one source comprises one of:
    - a geographic location server that translates between IP addresses and geographic locations; and
      
      an internet directory server that translates between domain names and IP addresses.

16. A data collection module for use in a network security system, the data collection module comprising:
- one or more processors;
  
  a state module operable to;
  
  receive a query from a manager server, the query comprising a first data associated with potential attacks on a network security system received at a sensor and correlated data, the correlated data generated by the manager server from at least a portion of the first data based on a correlation rule set in order to detect potential attacks on the system; and
  
  maintain state information for a plurality of events, wherein at least one event is associated with potential attacks on a network security system;
  
  a data collection engine coupled to the state module and an archive database, the data collection module, for at least one event, operable to;
  
  communicate a request for data to a data source that translates IP addresses; and
  
  receive data from the data source that translates IP addresses in response to the request; and
  
  a correlation engine operable to correlate the received data from the data source that translates IP addresses with the state information to detect potential attacks on the system, and generate a relationship score indicating a likelihood that the first data is related to a previous potential attack based on the correlated received data and event history in the archive database;
  
  the first data associated with potential attacks on the network security system being communicated from the sensor to the manager server without passing through the data collection module.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The data collection module of claim 16, wherein:
    - at least one event is associated with data received from a sensor; and
      
      the data source is different from the sensor.
  - 18. The data collection module of claim 16, wherein the data collection engine generates another request for data based at least in part upon the received data.
  - 19. The data collection module of claim 16, wherein the state information is associated with at least one of the following for each event:
    - data that has been requested;
      
      data that has been received in response to a request;
      
      data that is yet to be requested; and
      
      correlated data.
  - 20. The data collection module of claim 16, wherein the data source comprises one of:
    - a geographic location server that translates between IP addresses and geographic locations; and
      
      an internet directory server that translates between domain names and IP addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Rockwood, Troy Dean
Primary Examiner(s)
Hirl, Joseph P.
Assistant Examiner(s)
King, John B

Application Number

US11/176,436
Time in Patent Office

3,037 Days
Field of Search

726/22, 726/23, 726/25, 709/223, 709/224
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1433 Vulnerability analysis

System and method for active data collection in a network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for active data collection in a network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links