Scalable network security with fast response protocol
First Claim
1. An apparatus comprising instructions stored on non-transitory, tangible, computer-readable storage, the instructions when executed to cause at least one computer of a first network to:
receive a query from a query source, the query specifying an indicator of a possible network security threat;
access a local database and process content of the local database to identify whether the local database contains data corresponding to the possible network security threat;
determine a threat level associated with the possible network security threat;
if threat level is not greater than a threshold, update the local database by transmitting a query from the at least one computer of the first network to at least one other computer via a wide area network (WAN), obtaining results from the at least one other computer, updating the threat level associated with the possible network security threat dependent on the results, and storing the updated threat level in the local database in association with the possible network security threat;
if the threat level is greater than the threshold, transmit a response to the query source responsive to data in the local database corresponding to the possible network security threat without regard to whether at least one other computer possesses additional data regarding the at least one network security threat; and
transmit, dependent on at least one of the threat level determined by the at least one computer of the first network or the updated threat level, a remedial measure to the query source to counteract the possible network security threat in a manner to cause a machine of the query source to automatically instantiate a policy to counteract the possible network security threat.
5 Assignments
0 Petitions
Abstract
This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction. A network security provider using this infrastructure can provide hosted or managed boundary security to a diverse set of clients, each on a customized basis.
53 Citations
20 Claims
1. (Claim 1 is reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method of processing security event data, implemented on at least one computer of a first network, the method comprising:
receiving a query from a query source, the query specifying an indicator of a possible network security threat;
accessing a local database and processing content of the local database to identify whether the local database contains data corresponding to the possible network security threat;
determining a threat level associated with the possible network security threat;
if the threat level is not greater than a threshold, transmitting a query from the at least one computer of the first network to at least one other computer via a wide area network (WAN), obtaining results from the at least one other computer, updating the threat level associated with the possible network security threat dependent on the results, and storing the updated threat level in the local database in association with the possible network security threat to thereby update the threat level in the local database; and
if the threat level is greater than the threshold, transmitting a response to the query source responsive to data in the local database corresponding to the possible network security threat without regard to whether the at least one other computer possesses additional data regarding the at least one network security threat;
transmitting, dependent on at least one of the threat level determined by the at least one computer of the first network or the updated threat level, a remedial measure to the query source to counteract the possible network security threat;
wherein transmitting the remedial measure is performed in a manner to cause a machine of the query source to automatically instantiate a policy to counteract the possible network security threat.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
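The query-handling flow that claims 1 and 11 describe (local lookup, threshold gate, WAN fallback with write-back, remedial measure), as an added Python example that is not part of the patent or of any product built on it. The 0-100 scale, the threshold of 70, the remote database contents and the "block" policy string are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed values: the claim states a threshold but gives no scale; a 0-100
# scale and a threshold of 70 are constructed for this example.
THRESHOLD = 70

# Constructed stand-in for "at least one other computer" reachable over the WAN.
REMOTE_THREAT_DB = {"198.51.100.7": 95, "evil.example": 40}


@dataclass
class QueryResult:
    indicator: str
    threat_level: int
    source: str            # "local" (fast path) or "wan" (local record updated)
    remedial_measure: str  # policy the query source should instantiate, or ""


class LocalResponder:
    """First-network computer: local database plus a WAN fallback used only
    when the locally known threat level is not above the threshold."""

    def __init__(self, local_db=None):
        self.local_db = dict(local_db or {})   # indicator -> threat level
        self.wan_queries = 0                   # lets a caller verify the fast path skipped the WAN

    def wan_query(self, indicator):
        # In a deployment this would be a request to another computer over the WAN.
        self.wan_queries += 1
        return REMOTE_THREAT_DB.get(indicator, 0)

    def remedial_measure(self, level, indicator):
        # The remedial measure depends on the (possibly updated) threat level;
        # the policy string is a constructed placeholder.
        return f"block {indicator}" if level > THRESHOLD else ""

    def handle_query(self, indicator):
        level = self.local_db.get(indicator, 0)
        if level > THRESHOLD:
            # Fast path: respond from local data regardless of what other
            # computers might additionally know about this indicator.
            return QueryResult(indicator, level, "local", self.remedial_measure(level, indicator))
        # Not decisive locally: consult other computers, update and store the level
        # so the next query for this indicator can take the fast path.
        level = max(level, self.wan_query(indicator))
        self.local_db[indicator] = level
        return QueryResult(indicator, level, "wan", self.remedial_measure(level, indicator))
```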