System and method for active data collection in a network security system
First Claim
1. A network security system, comprising:
   a plurality of sensors operable to receive first data associated with potential attacks on a network security system;
   a manager server coupled to at least one of the plurality of sensors and comprising a first processor, the manager server operable to:
      correlate at least a portion of the first data based on a correlation rule set to detect potential attacks on the system; and
      communicate a query comprising the first data and the correlated data, the correlated data being based at least in part on the correlation of at least a portion of the first data; and
   a data collection module coupled to the manager server and an archive database, the data collection module comprising a second processor, the data collection module operable to:
      receive the query from the manager server;
      generate at least one request for second data based upon the received query;
      communicate the at least one request to at least one source different from the plurality of sensors, wherein the at least one source is a server that translates IP addresses;
      correlate second data received from the server that translates IP addresses with at least a portion of the first data received by the plurality of sensors; and
      generate a relationship score indicating a likelihood that the first data is related to a previous potential attack based on the correlated second data and event history in the archive database;
   the first data associated with potential attacks on the network security system being communicated from the plurality of sensors to the manager server without passing through the data collection module.
11 Assignments
0 Petitions
Abstract
A network security system comprises a plurality of sensors, a manager server, and a data collection module. The plurality of sensors receive first data associated with potential attacks on the system. The manager server is coupled to at least one sensor and correlates at least a portion of the first data to detect potential attacks on the system. The data collection module is coupled to the manager server and generates at least one request for second data based upon at least one of the first data and the correlated data. The data collection module communicates the request to at least one source different from the plurality of sensors.
147 Citations
20 Claims
1. A network security system, comprising: (independent claim; full text as given under First Claim above)
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method for providing network security, comprising:
   receiving first data at a sensor, the first data associated with potential attacks on a network security system;
   correlating by a manager server at least a portion of the first data to detect potential attacks on the system based on a correlation rule set;
   communicating by the manager server a query comprising the first data and the correlated data, the correlated data being based at least in part on the correlation of at least a portion of the first data;
   receiving the query from the manager server at a data collection module;
   generating by the data collection module at least one request for second data based upon the received query;
   communicating by the data collection module the at least one request to at least one source different from the sensor, wherein the at least one source is a server that translates IP addresses;
   correlating the second data received from the server that translates IP addresses with at least a portion of the first data received by the plurality of sensors; and
   generating a relationship score indicating a likelihood that the first data is related to a previous potential attack based on the correlated second data and event history in the archive database;
   the first data associated with potential attacks on the network security system being communicated from the sensor to the manager server without passing through the data collection module.
   Dependent claims: 12, 13, 14, 15
16. A data collection module for use in a network security system, the data collection module comprising:
   one or more processors;
   a state module operable to:
      receive a query from a manager server, the query comprising a first data associated with potential attacks on a network security system received at a sensor and correlated data, the correlated data generated by the manager server from at least a portion of the first data based on a correlation rule set in order to detect potential attacks on the system; and
      maintain state information for a plurality of events, wherein at least one event is associated with potential attacks on a network security system;
   a data collection engine coupled to the state module and an archive database, the data collection module, for at least one event, operable to:
      communicate a request for data to a data source that translates IP addresses; and
      receive data from the data source that translates IP addresses in response to the request; and
   a correlation engine operable to correlate the received data from the data source that translates IP addresses with the state information to detect potential attacks on the system, and generate a relationship score indicating a likelihood that the first data is related to a previous potential attack based on the correlated received data and event history in the archive database;
   the first data associated with potential attacks on the network security system being communicated from the sensor to the manager server without passing through the data collection module.
   Dependent claims: 17, 18, 19, 20
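The data flow recited in the abstract and in claims 1, 11 and 16 (sensors deliver first data to the manager server; the manager correlates it under a rule set and sends a query carrying the first and correlated data to the data collection module; the module asks an address-translating source for second data, correlates it with the first data and the archive's event history, and emits a relationship score) is modelled below as an added Python example. It is not the patent's code or any product's implementation: the single correlation rule, the in-memory reverse-DNS table, the archive records and the integer scoring weights are all constructed for illustration.

```python
"""Model of the sensor -> manager server -> data collection module flow.
Added example, not the patent's code: rule, lookup table, archive and
scoring weights are constructed so the whole thing runs offline."""
from ipaddress import ip_address

# Constructed "first data": alerts as the sensors deliver them to the manager.
SENSOR_EVENTS = [
    {"sensor": "ids-1", "src_ip": "203.0.113.7", "dst_port": 22, "sig": "ssh-bruteforce"},
    {"sensor": "ids-2", "src_ip": "203.0.113.7", "dst_port": 445, "sig": "smb-scan"},
    {"sensor": "fw-1", "src_ip": "198.51.100.9", "dst_port": 80, "sig": "http-probe"},
]

# Constructed stand-in for "a server that translates IP addresses" (a reverse-DNS
# resolver): an in-memory PTR table instead of a network lookup.
RDNS_TABLE = {
    "203.0.113.7": "scan-07.badhost.example",
    "198.51.100.9": "cdn-edge-9.example.net",
}

# Constructed archive database: previously seen potential attacks.
ARCHIVE = [
    {"src_ip": "203.0.113.50", "host": "scan-03.badhost.example", "sig": "ssh-bruteforce"},
    {"src_ip": "192.0.2.14", "host": "scan-11.badhost.example", "sig": "smb-scan"},
    {"src_ip": "198.51.100.200", "host": "mail.example.org", "sig": "spam"},
]


def manager_correlate(events, min_sensors=2):
    """Manager server: apply one correlation rule (same source address seen by
    at least `min_sensors` distinct sensors) and, for each source that fires
    it, emit a query carrying both the first data and the correlated data."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src_ip"], []).append(e)
    queries = []
    for src, evs in by_src.items():
        sensors = sorted({e["sensor"] for e in evs})
        if len(sensors) >= min_sensors:
            queries.append({
                "src_ip": src,
                "first_data": evs,
                "correlated": {"rule": "multi-sensor-source", "sensors": sensors},
            })
    return queries


def reverse_dns(ip):
    """Second-data request to the address-translating source. The address is
    validated first: source fields in sensor data are attacker-influenced and
    must not reach a real resolver (or a shelled-out `dig`) unchecked.
    Returns None when the source has no PTR record."""
    ip_address(ip)  # raises ValueError on anything that is not an IP address
    return RDNS_TABLE.get(ip)


def parent_domain(host):
    """Last two labels of a hostname, e.g. 'scan-07.badhost.example' -> 'badhost.example'."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def relationship_score(query, host, archive):
    """Likelihood in [0, 1] that the first data relates to a previous potential
    attack in the archive. Weights (points out of 100) are this example's own:
    same source address 50, same parent domain via reverse DNS 30, plus 10 when
    an already-linked archive record also repeats one of the signatures."""
    sigs = {e["sig"] for e in query["first_data"]}
    points, evidence = 0, []
    for past in archive:
        link = 0
        if past["src_ip"] == query["src_ip"]:
            link, why = 50, f"same source as archived {past['src_ip']}"
        elif host and parent_domain(past["host"]) == parent_domain(host):
            link, why = 30, f"{host} shares domain with archived {past['host']}"
        if link and past["sig"] in sigs:
            link += 10
            why += f" and repeats signature {past['sig']}"
        if link:
            points += link
            evidence.append(why)
    return min(points, 100) / 100, evidence


def data_collection_module(queries, resolve=reverse_dns, archive=ARCHIVE):
    """Data collection module: consumes only the manager's queries (the sensors
    never hand first data to it directly), fetches second data per query,
    correlates it with the first data and the archive, and returns the score."""
    results = []
    for q in queries:
        host = resolve(q["src_ip"])  # None when unresolvable; scoring still runs
        score, evidence = relationship_score(q, host, archive)
        results.append({"src_ip": q["src_ip"], "host": host,
                        "score": score, "evidence": evidence})
    return results


if __name__ == "__main__":
    for r in data_collection_module(manager_correlate(SENSOR_EVENTS)):
        print(r["src_ip"], r["host"], r["score"], r["evidence"])
```

With the constructed input only 203.0.113.7 fires the rule (two sensors), its reverse lookup lands in the same parent domain as two archived scanners that also share its signatures, and the score comes out at 0.8. A source with no PTR record still gets scored from a direct address match in the archive, which is the failure mode worth keeping in mind: the second data enriches the decision but the module must not depend on it existing. The resolver's input validation is the other point a practitioner should carry over; the first data originates from the monitored network, so any field forwarded to an external lookup is untrusted.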
Specification