System and method for identifying infected networks and systems from unknown attacks
First Claim
1. A method of managing security on network infrastructure, comprising:
receiving, by a log collector configured on a processor of a network security monitor via a first computer network, a plurality of logs of a second computer network, the plurality of logs indicative of a status of the second computer network determined by a monitoring agent executing on the second computer network;
generating, by a log indexer configured on the network security monitor, indexed logs from the plurality of logs based on log format;
retrieving, by the network security monitor, a list of threat indicators from a database based on a schema from a plurality of threat indicators received from a plurality of heterogeneous repositories via the first computer network, the plurality of threat indicators including at least one of an internet protocol (IP) address, a malware code sample, a malicious code sample, or an intrusion prevention system (IPS) signature;
comparing, by a log correlation engine configured on the network security monitor, the list of threat indicators with the indexed logs; and
generating, by a report engine configured on the network security monitor, a report based on the comparing to identify a threat.
Abstract
Systems and methods of the present disclosure are directed to a network security monitor. The monitor can receive logs of a second computer network indicative of a status of the second computer network determined by a monitoring agent executing on the second computer network. The monitor can generate indexed logs from the logs based on log format. The monitor can retrieve a list of threat indicators from a database based on a schema from a plurality of threat indicators received from a plurality of heterogeneous repositories via the first computer network. The monitor can compare the list of threat indicators with the indexed logs. The monitor can generate a report based on the comparison to identify a threat.
20 Claims
1. A method of managing security on network infrastructure, comprising: (independent claim 1, recited in full above under First Claim; dependent claims 2 to 14)
15. A system for management of security on network infrastructure, comprising:
a network security monitor comprising a hardware processor and memory;
a log collector configured on the network security monitor to receive, via a first computer network, a plurality of logs of a second computer network, the plurality of logs indicative of a status of the second computer network determined by a monitoring agent executing on the second computer network;
a log indexer configured on the network security monitor to generate indexed logs from the plurality of logs based on types of threat indicators;
the network security monitor configured to retrieve a list of threat indicators from a database based on a schema from a plurality of threat indicators received from a plurality of heterogeneous repositories via the first computer network, the plurality of threat indicators including at least one of an internet protocol (IP) address, a malware code sample, a malicious code sample, or an intrusion prevention system (IPS) signature;
a log correlation engine configured with a heuristic technique on the network security monitor to perform a comparison of the list of threat indicators with the indexed logs; and
a report engine configured on the network security monitor to generate a report based on the comparison.
(dependent claims 16 to 20)
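Added illustration, not code from the patent or its assignee: a minimal Python rendering of the claimed pipeline (log indexer keyed by indicator type, an indicator list already normalized to one schema, a correlation engine, and a report engine) run over constructed sample logs in two formats. The log formats, field names, indicator values and feed names are assumptions for this example.

```python
import json
import re
from collections import defaultdict

# Constructed sample logs in two formats: a firewall-style text line and a JSON proxy record.
SAMPLE_LOGS = [
    '2024-01-01T10:00:00Z fw01 DENY src=10.0.0.5 dst=203.0.113.7 sig=IPS-1001',
    '{"ts": "2024-01-01T10:01:00Z", "client": "10.0.0.9", "server": "198.51.100.3", "sha256": "ab12"}',
    '2024-01-01T10:02:00Z fw01 ALLOW src=10.0.0.5 dst=192.0.2.1',
]

# Indicators as retrieved from a store, already mapped to one schema (type, value, source).
# All values and feed names are constructed placeholders, not real indicators.
THREAT_INDICATORS = [
    {"type": "ip", "value": "203.0.113.7", "source": "feed-A"},
    {"type": "ip", "value": "198.51.100.3", "source": "feed-B"},
    {"type": "ips_signature", "value": "IPS-1001", "source": "feed-A"},
    {"type": "hash", "value": "ab12", "source": "feed-C"},
]

FW_RE = re.compile(r'(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)(?: sig=(?P<sig>\S+))?')

def index_logs(lines):
    """Log indexer: parse each line by its format, then bucket extracted values by indicator type."""
    index = defaultdict(lambda: defaultdict(list))  # type -> value -> [line numbers]
    for n, line in enumerate(lines, 1):
        if line.startswith('{'):
            rec = json.loads(line)
            fields = {"ip": [rec.get("client"), rec.get("server")], "hash": [rec.get("sha256")]}
        else:
            m = FW_RE.match(line)
            if not m:
                continue  # unrecognised format: skipped rather than guessed
            fields = {"ip": [m["src"], m["dst"]], "ips_signature": [m["sig"]]}
        for itype, values in fields.items():
            for v in values:
                if v:
                    index[itype][v].append(n)
    return index

def correlate(index, indicators):
    """Correlation engine: exact match of each indicator against the index bucket for its type."""
    hits = []
    for ind in indicators:
        for n in index.get(ind["type"], {}).get(ind["value"], []):
            hits.append({"line": n, **ind})
    return sorted(hits, key=lambda h: (h["line"], h["type"]))

def report(hits):
    """Report engine: one entry per matched log line, listing the indicators that matched it."""
    by_line = defaultdict(list)
    for h in hits:
        by_line[h["line"]].append(f'{h["type"]}={h["value"]} ({h["source"]})')
    return {n: sorted(v) for n, v in by_line.items()}
```

Lines that match no indicator (the third sample line) produce no report entry, which is where a production system would start tuning for coverage of formats the indexer does not yet parse.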
Specification