Hierarchical architecture in a network security system

US 9,027,120 B1
Filed: 10/10/2003
Issued: 05/05/2015
Est. Priority Date: 10/10/2003
Status: Active Grant

First Claim

Patent Images

1. A network security system comprising:

a plurality of subsystems, each subsystem comprising;

a plurality of distributed software agents, each agent configured;

to collect a base security event from a monitor device; and

to transmit the base security event;

a local manager module coupled to the plurality of distributed software agents, configured;

to receive, from each agent, the base security event;

to generate one or more local correlated events by correlating the received base security events, wherein a local correlated event comprises a conclusion drawn from the received base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident; and

to transmit the one or more local correlated events; and

a filter coupled to the local manager module, configured;

to receive the one or more local correlated events;

to select local correlated events; and

to transmit the selected local correlated events; and

a global manager module coupled to the plurality of subsystems, comprising a processor configured;

to receive, from each subsystem, the selected local correlated events; and

to generate one or more global correlated events by correlating the received selected local correlated events, wherein a global correlated event comprises a second conclusion drawn from the received selected local correlated events according to a second rule, and wherein the second conclusion indicates that a plurality of the received selected local correlated events is associated with a second same security incident.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect base security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the base security events. Each subsystem can also include a filter coupled to the manager module to select which base security events are to be processed further. The selected base security events are passed to a global manager module coupled to the plurality of subsystems that generates global correlated events by correlating the base security events selected for further processing by each filter of each subsystem.

140 Citations

20 Claims

1. A network security system comprising:
- a plurality of subsystems, each subsystem comprising;
  
  a plurality of distributed software agents, each agent configured;
  
  to collect a base security event from a monitor device; and
  
  to transmit the base security event;
  
  a local manager module coupled to the plurality of distributed software agents, configured;
  
  to receive, from each agent, the base security event;
  
  to generate one or more local correlated events by correlating the received base security events, wherein a local correlated event comprises a conclusion drawn from the received base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident; and
  
  to transmit the one or more local correlated events; and
  
  a filter coupled to the local manager module, configured;
  
  to receive the one or more local correlated events;
  
  to select local correlated events; and
  
  to transmit the selected local correlated events; and
  
  a global manager module coupled to the plurality of subsystems, comprising a processor configured;
  
  to receive, from each subsystem, the selected local correlated events; and
  
  to generate one or more global correlated events by correlating the received selected local correlated events, wherein a global correlated event comprises a second conclusion drawn from the received selected local correlated events according to a second rule, and wherein the second conclusion indicates that a plurality of the received selected local correlated events is associated with a second same security incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network security system of claim 1, wherein the filter can be automatically programmed by the global manager module.
  - 3. The network security system of claim 1, wherein each subsystem further comprises a local manager agent coupled to the filter to collect the selected local correlated events.
  - 4. The network security system of claim 1, wherein each subsystem comprises a local network security system.
  - 5. The network security system of claim 4, wherein each local network security system monitors a network associated with a site.
  - 6. The network security system of claim 1, wherein the plurality of threat levels comprises more than two threat levels.
  - 7. The network security system of claim 1, wherein the plurality of threat levels comprises:
    - a first threat level comprising one or more of reconnaissance zone transfer, port scan, protocol and scanning;
      
      a second threat level comprising suspicious illegal outgoing traffic and unusual levels of alerts from the same host;
      
      a third threat level comprising attack overflow, IDS evasion, virus, and denial of service; and
      
      a fourth threat level comprising successful compromise of a backdoor, root compromise and covert channel exploit.

8. A method comprising:
- collecting base security events at a plurality of sites;
  
  generating local correlated events at each site by correlating the base security events collected at each site, wherein a local correlated event comprises a conclusion drawn from the collected base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident;
  
  selecting local correlated events from each site; and
  
  a processor generating global correlated events by correlating the selected local correlated events, wherein a global correlated event comprises a second conclusion drawn from the selected local correlated events according to a second rule, and wherein the second conclusion indicates that a plurality of the selected local correlated events is associated with a second same security incident.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, further comprising filtering the local correlated events at each site to determine which local correlated events to collect.
  - 10. The method of claim 8, wherein the collecting the base security events at each site is performed by a plurality of distributed software agents at each site.
  - 11. The method of claim 8, wherein the local correlated events are generated by a local network security system monitoring each site.
  - 12. The method of claim 11, wherein the collecting of base security events from each site is performed by a distributed software agent associated with each site.
  - 13. The method of claim 8, wherein the global correlated events are generated by a global manager module.

14. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor, causes the processor to perform operations comprising:
- collecting base security events at a plurality of sites;
  
  generating local correlated events at each site by correlating the base security events collected at each site, wherein a local correlated event comprises a conclusion drawn from the collected base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident;
  
  selecting local correlated events from each site; and
  
  generating global correlated events by correlating the selected local correlated events, wherein a global correlated event comprises a second conclusion drawn from the selected local correlated events according to a second rule, and wherein the second conclusion indicates that a plurality of the selected local correlated events is associated with a second same security incident.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory machine-readable medium of claim 14, wherein the instructions further cause the processor to perform operations comprising filtering the local correlated events at each site to determine which local correlated events to collect.
  - 16. The non-transitory machine-readable medium of claim 14, wherein the collecting the base security events at each site is performed by a plurality of distributed software agents at each site.
  - 17. The non-transitory machine-readable medium of claim 14, wherein the local correlated events are generated by a local network security system monitoring each site.
  - 18. The non-transitory machine-readable medium of claim 17, wherein the collecting of base security events from each site is performed by a distributed software agent associated with each site.
  - 19. The non-transitory machine-readable medium of claim 14, wherein the global correlated events are generated by a global manager module.

20. A network security system comprising:
- a plurality of subsystems, each subsystem comprising;
  
  a plurality of distributed software agents, each agent configured;
  
  to collect a base security event from a monitor device; and
  
  to transmit the base security event;
  
  a local manager module coupled to the plurality of distributed software agents, configured;
  
  to receive, from each agent, the base security event;
  
  to transmit the base security events;
  
  to generate one or more local correlated events by correlating the received base security events, wherein a local correlated event comprises a conclusion drawn from the received base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident; and
  
  to transmit the one or more local correlated events; and
  
  a filter coupled to the local manager module, configured;
  
  to receive the base security events;
  
  to select base security events; and
  
  to transmit the selected base security events; and
  
  a global manager module coupled to the plurality of subsystems, comprising a processor configured;
  
  to receive, from each subsystem, the one or more local correlated events;
  
  to receive, from each subsystem, the selected base security events; and
  
  to generate one or more global correlated events by correlating the one or more local correlated events and the received selected base security events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Tidwell, Kenny, Beedgen, Christian, Njemanze, Hugh S., Kothari, Pravin S.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US10/683,191
Time in Patent Office

4,225 Days
Field of Search

726/22, 726/23, 726/25
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/606   by securing the transmissio...

H04L 41/044   comprising hierarchical man...

H04L 41/046   comprising network manageme...

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/0631   using root cause analysis; ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Hierarchical architecture in a network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

140 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Hierarchical architecture in a network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

140 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others