Secure self-organizing and self-provisioning anomalous event detection systems

US 20040181664A1
Filed: 03/10/2003
Published: 09/16/2004
Est. Priority Date: 03/10/2003
Status: Active Grant

First Claim

Patent Images

1. A method for supporting managed security services, the method comprising:

scanning an enterprise network that includes a plurality of interconnected networks to locate a database storing a rule set specifying a security policy for the enterprise network;

accessing the database over a secure communication link to retrieve the rule set; and

monitoring one of the networks according to the retrieved rule set.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for providing managed security services is disclosed. A database, within a server or a pre-existing anomalous event detection system, stores a rule set specifying a security policy for a network associated with a customer. An anomalous detection event module is deployed within a premise of the customer and retrieves rule sets from the database. The anomalous detection event module monitors a sub-network of the network based on the rule sets. The anomalous event detection module is further configured to self-organize by examining components of the network and to monitor for anomalous events according to the examined components, and to self-provision by selectively creating another instance of the anomalous detection event module to monitor another sub-network of the network.

48 Citations

View as Search Results

29 Claims

1. A method for supporting managed security services, the method comprising:
- scanning an enterprise network that includes a plurality of interconnected networks to locate a database storing a rule set specifying a security policy for the enterprise network;
  
  accessing the database over a secure communication link to retrieve the rule set; and
  
  monitoring one of the networks according to the retrieved rule set.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1, further comprising:
    - associating a digital certificate with the rule set to indicate that the rule set is from a particular source.
  - 3. A method according to claim 1, wherein the database in the accessing step resides within one of a server maintained by a service provider and a pre-existing anomalous event detection system within the enterprise network, the method further comprising:
    - establishing a secure communication session with the server or the pre-existing anomalous event detection system to retrieve the rule set.
  - 4. A method according to claim 3, wherein the secure communication session in the establishing step is a Virtual Private Network (VPN) tunnel.
  - 5. A method according to claim 3, further comprising:
    - storing an anomalous event from the one network;
      
      analyzing the anomalous event according to statistical predictive rules; and
      
      selectively creating a new rule in response to the analysis of the anomalous event.
  - 6. A method according to claim 5, further comprising:
    - inserting the new rule into the database to update the rule set, wherein the updated rule set is time-stamped to support retrieval of the latest modified rule set.
  - 7. A method according to claim 1, further comprising:
    - transmitting status information to a pre-existing anomalous event detection system within a cluster, wherein the monitoring step is performed in conjunction with the pre-existing anomalous event detection system across the cluster.

8. A system for providing managed security services, the system comprising:
- a database configured to store a rule set specifying a security policy for a network associated with a customer; and
  
  an anomalous detection event module deployed within a premise of the customer and configured to retrieve the rule set from the database and to monitor a sub-network within the network based on the rule set, wherein the anomalous event detection module is further configured to self-organize by examining components of the network and to monitor for the anomalous event according to the examined components, and to self-provision by selectively creating another instance of the anomalous detection event module to monitor another sub-network of the network.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. A system according to claim 8, wherein the anomalous detection event module includes:
    - an intrusion detection engine configured to detect the anomalous event using one of a signature-based scheme, and a heuristic scheme.
  - 10. A system according to claim 8, wherein the anomalous detection event module includes:
    - a provisioning engine configured to establish a secure communication session for accessing the database to retrieve the rule set.
  - 11. A system according to claim 8, wherein the secure communication session is a Virtual Private Network (VPN) tunnel.
  - 12. A system according to claim 8, wherein the database resides within one of a server maintained external to the network, and the provisioning engine establishes the secure communication session to the server.
  - 13. A system according to claim 10, wherein the anomalous detection event module includes:
    - an event evaluator configured to analyze the anomalous event according to statistical predictive rules, wherein a new rule is selectively created in response to the analysis of the anomalous event.
  - 14. A system according to claim 13, wherein the new rule is inserted into the database to update the rule set, and the updated rule set is time-stamped to support retrieval of the latest modified rule set.
  - 15. A system according to claim 13, wherein the anomalous detection event module includes:
    - a certificate application configured to associate a digital certificate with the updated rule set to indicate that the updated rule set is from a particular source.

16. A computer-readable medium carrying one or more sequences of one or more instructions for supporting managed security services, the one or more sequences of one or more instructions including instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:
- scanning an enterprise network that includes a plurality of interconnected networks to locate a database storing a rule set specifying a security policy for the enterprise network;
  
  accessing the database over a secure communication link to retrieve the rule set; and
  
  monitoring one of the networks according to the retrieved rule set.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. A computer-readable medium according to claim 16, wherein the one or more processors further perform the step of:
    - associating a digital certificate with the rule set to indicate that the rule set is from a particular source.
  - 18. A computer-readable medium according to claim 16, wherein the database in the accessing step resides within one of a server maintained by a service provider and a pre-existing anomalous event detection system within the enterprise network, and the one or more processors further perform the steps of:
    - establishing a secure communication session with the server or the pre-existing anomalous event detection system to retrieve the rule set.
  - 19. A computer-readable medium according to claim 18, wherein the secure communication session in the establishing step is a Virtual Private Network (VPN) tunnel.
  - 20. A computer-readable medium according to claim 18, wherein the one or more processors further perform the steps of:
    - storing an anomalous event from the one network;
      
      analyzing the anomalous event according to statistical predictive rules; and
      
      selectively creating a new rule in response to the analysis of the anomalous event.
  - 21. A computer-readable medium according to claim 20, wherein the one or more processors further perform the step of:
    - inserting the new rule into the database to update the rule set, wherein the updated rule set is time-stamped to support retrieval of the latest modified rule set.
  - 22. A computer-readable medium according to claim 16, wherein the one or more processors further perform the step of:
    - transmitting status information to a pre-existing anomalous event detection system within a cluster, wherein the monitoring step is performed in conjunction with the pre-existing anomalous event detection system across the cluster.

23. A network apparatus for supporting managed security services, the apparatus comprising:
- means for scanning an enterprise network that includes a plurality of interconnected networks to locate a database storing a rule set specifying a security policy for the enterprise network;
  
  means for accessing the database over a secure communication link to retrieve the rule set; and
  
  means for monitoring one of the networks according to the retrieved rule set.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. An apparatus according to claim 23, further comprising:
    - means for associating a digital certificate with the rule set to indicate that the rule set is from a particular source.
  - 25. An apparatus according to claim 23, wherein the database resides within one of a server maintained by a service provider, the apparatus further comprising:
    - means for establishing a secure communication session with the server to retrieve the rule set.
  - 26. An apparatus according to claim 25, wherein the secure communication session is a Virtual Private Network (VPN) tunnel.
  - 27. An apparatus according to claim 25, further comprising:
    - means for storing an anomalous event from the one network;
      
      means for analyzing the anomalous event according to statistical predictive rules; and
      
      means for selectively creating a new rule in response to the analysis of the anomalous event.
  - 28. An apparatus according to claim 27, further comprising:
    - means for inserting the new rule into the database to update the rule set, wherein the updated rule set is time-stamped to support retrieval of the latest modified rule set.
  - 29. An apparatus according to claim 27, further comprising:
    - means for transmitting status information to a pre-existing anomalous event detection system within a cluster, wherein the monitoring step is performed in conjunction with the pre-existing anomalous event detection system across the cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Business Global LLC (Verizon Communications Inc.)
Inventors
Hoefelmeyer, Ralph Samuel, Phillips, Theresa E., Wiederin, Shawn Edward

Granted Patent

US 7,150,044 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/157
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Secure self-organizing and self-provisioning anomalous event detection systems

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Secure self-organizing and self-provisioning anomalous event detection systems

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links