Security event data normalization

US 9,060,024 B2
Filed: 04/06/2009
Issued: 06/16/2015
Est. Priority Date: 06/08/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

registering, with at least one processor, a network security agent, the registering comprising determining a functional category of the network security agent, the functional category being associated with a numerical identifier;

receiving, with the at least one processor, a packet from the network security agent indicating a network event;

converting, with the at least one processor, the packet to a security event tag that numerically represents a broad classification of the event, the numerical identifier associated with the functional category of the network security agent that detected the event, and a category of the event; and

using the security event tag to represent the event in place of the packet.

View all claims

19 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Normalizing security event data from multiple different network agents. The data from the multiple different agents is categorized and tagged with a descriptor that includes information about the nature of the event. Multiple different events from multiple different devices can therefore be evaluated using a common format which is common for the multiple different devices from different vendors.

46 Citations

View as Search Results

14 Claims

1. A method, comprising:
- registering, with at least one processor, a network security agent, the registering comprising determining a functional category of the network security agent, the functional category being associated with a numerical identifier;
  
  receiving, with the at least one processor, a packet from the network security agent indicating a network event;
  
  converting, with the at least one processor, the packet to a security event tag that numerically represents a broad classification of the event, the numerical identifier associated with the functional category of the network security agent that detected the event, and a category of the event; and
  
  using the security event tag to represent the event in place of the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as in claim 1, further comprising determining, with the at least one processor, if the packet is from a registered device.
  - 3. A method as in claim 1, wherein the plurality of functional categories includes a firewall, a network intrusion system, a router, and a virtual private network.
  - 4. A method as in claim 1, wherein the security event tag has common fields for the same event from different network security agents.
  - 5. A method as in claim 1, wherein the security event tag represents at least an IP address, at least one port, and at least one signature identifier.
  - 6. A method as in claim 1, wherein the broad classification is uncategorized, unknown, normal, reconnaissance, malicious, compromised, or health/status.
  - 7. A method as in claim 1, wherein the category of the event is an intrusion detection system category.

8. A system, comprising:
- a port that receives a packet from a network security agent indicating a network event; and
  
  at least one processor constructed and arranged to;
  
  register the network security agent, the registering comprising determining a functional category of the network security agent, the functional category being associated with a numerical identifier, andconvert the packet to a security event tag that numerically represents a broad classification of the event, the numerical identifier associated with the functional category of the network security agent that detected the event, and a category of the event;
  
  wherein the security event tag represents the event in place of the packet.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A system as in claim 8, further comprising the network security agent.
  - 10. A system as in claim 8, wherein the plurality of functional categories includes a firewall, a network intrusion system, a router, and a virtual private network.
  - 11. A system as in claim 8, wherein the security event tag has common fields for the same event from different network security agents.
  - 12. A system as in claim 8, wherein the security event tag represents at least an IP address, at least one port, and at least one signature identifier.
  - 13. A system as in claim 8, wherein the broad classification is uncategorized, unknown, normal, reconnaissance, malicious, compromised, or health/status.
  - 14. A system as in claim 8, wherein the category of the event is an intrusion detection system category.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
LOG Storm Security, Inc.
Original Assignee
LOG Storm Security, Inc.
Inventors
Patel, Rajesh
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US12/418,815
Publication Number

US 20090276843A1
Time in Patent Office

2,262 Days
Field of Search

726/13, 726/1, 726/4, 726/5, 726/22, 726/23, 726/24, 726/25
US Class Current

1/1
CPC Class Codes

H04L 41/0226   Mapping or translating mult...

H04L 41/069   using logs of notifications...

H04L 43/00   Arrangements for monitoring...

H04L 63/20   for managing network securi...

H04L 67/565   Conversion or adaptation of...

Security event data normalization

First Claim

19 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Security event data normalization

First Claim

19 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others