Hierarchical architecture in a network security system
First Claim
1. A network security system comprising:
a plurality of subsystems, each subsystem comprising:
a plurality of distributed software agents, each agent configured:
to collect a base security event from a monitor device; and
to transmit the base security event;
a local manager module coupled to the plurality of distributed software agents, configured:
to receive, from each agent, the base security event;
to generate one or more local correlated events by correlating the received base security events, wherein a local correlated event comprises a conclusion drawn from the received base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident; and
to transmit the one or more local correlated events; and
a filter coupled to the local manager module, configured:
to receive the one or more local correlated events;
to select local correlated events; and
to transmit the selected local correlated events; and
a global manager module coupled to the plurality of subsystems, comprising a processor configured:
to receive, from each subsystem, the selected local correlated events; and
to generate one or more global correlated events by correlating the received selected local correlated events, wherein a global correlated event comprises a second conclusion drawn from the received selected local correlated events according to a second rule, and wherein the second conclusion indicates that a plurality of the received selected local correlated events is associated with a second same security incident.
Abstract
A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect base security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the base security events. Each subsystem can also include a filter coupled to the manager module to select which base security events are to be processed further. The selected base security events are passed to a global manager module coupled to the plurality of subsystems that generates global correlated events by correlating the base security events selected for further processing by each filter of each subsystem.
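The abstract describes a three-stage pipeline: agents collect base events, a local manager at each site correlates them under a rule that ranks incidents by the target node's vulnerability, a filter selects what is worth forwarding, and a global manager correlates what arrives from all sites. The following is an added toy model of that pipeline, written for this page and not taken from the patent or any product implementing it. The concrete rules (a vulnerability inventory keyed by target address, a minimum of two events from one source against one target, and a cross-site match on source address as the second rule), the three threat-level names, and all sample events are assumptions constructed for illustration.

```python
"""Toy model of a hierarchical correlation pipeline: agents -> local manager -> filter -> global manager."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed vulnerability inventory (assumption): target node -> services it is known vulnerable on.
VULNERABILITIES = {
    "10.0.1.5": {"smb"},
    "10.0.2.9": {"http"},
    "10.0.2.10": set(),
}

# Assumed threat-level ordering used by the local rule and the filter.
THREAT_LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class BaseEvent:
    """What an agent collects from a monitor device (constructed fields)."""
    site: str
    source: str
    target: str
    service: str
    signature: str


@dataclass
class LocalCorrelatedEvent:
    site: str
    source: str
    target: str
    threat_level: str
    base_events: list


@dataclass
class GlobalCorrelatedEvent:
    source: str
    sites: list
    local_events: list


def threat_level(target, service):
    """Rule based on the target's vulnerability (assumption): an attempt against a service
    the target is actually vulnerable on is 'high', against a known host on another service
    'medium', and against a host not in the inventory 'low'."""
    if target not in VULNERABILITIES:
        return "low"
    return "high" if service in VULNERABILITIES[target] else "medium"


def local_manager(site, events, min_events=2):
    """Local correlation: base events from one source against one target at this site are
    concluded to belong to the same incident once at least `min_events` have been seen."""
    groups = defaultdict(list)
    for ev in events:
        if ev.site == site:
            groups[(ev.source, ev.target)].append(ev)
    correlated = []
    for (src, dst), evs in groups.items():
        if len(evs) < min_events:
            continue
        level = max((threat_level(dst, e.service) for e in evs), key=THREAT_LEVELS.index)
        correlated.append(LocalCorrelatedEvent(site, src, dst, level, evs))
    return correlated


def site_filter(local_events, minimum="medium"):
    """Filter: forward only local correlated events at or above a threat level."""
    floor = THREAT_LEVELS.index(minimum)
    return [e for e in local_events if THREAT_LEVELS.index(e.threat_level) >= floor]


def global_manager(selected):
    """Second rule (assumption): the same source appearing in forwarded events from more
    than one site is concluded to be one cross-site incident."""
    by_source = defaultdict(list)
    for e in selected:
        by_source[e.source].append(e)
    return [GlobalCorrelatedEvent(src, sorted({e.site for e in evs}), evs)
            for src, evs in by_source.items() if len({e.site for e in evs}) > 1]


def run_pipeline(events, sites):
    """Run every site's local manager and filter, then the global manager over the union."""
    selected = []
    for site in sites:
        selected.extend(site_filter(local_manager(site, events)))
    return global_manager(selected)


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    BaseEvent("site-a", "198.51.100.7", "10.0.1.5", "smb", "SMB exploit attempt"),
    BaseEvent("site-a", "198.51.100.7", "10.0.1.5", "smb", "SMB exploit attempt"),
    BaseEvent("site-a", "203.0.113.4", "10.0.2.10", "ssh", "failed login"),  # lone event: not correlated
    BaseEvent("site-b", "198.51.100.7", "10.0.2.9", "http", "path traversal"),
    BaseEvent("site-b", "198.51.100.7", "10.0.2.9", "http", "path traversal"),
    BaseEvent("site-b", "192.0.2.77", "10.0.2.9", "ssh", "failed login"),
    BaseEvent("site-b", "192.0.2.77", "10.0.2.9", "ssh", "failed login"),    # medium: forwarded, one site only
    BaseEvent("site-c", "192.0.2.77", "172.16.0.3", "ssh", "failed login"),
    BaseEvent("site-c", "192.0.2.77", "172.16.0.3", "ssh", "failed login"),  # low: dropped by the filter
]

if __name__ == "__main__":
    for g in run_pipeline(SAMPLE_EVENTS, ["site-a", "site-b", "site-c"]):
        print(g.source, g.sites, [e.threat_level for e in g.local_events])
```

With the sample input, only the source seen attacking vulnerable services at two different sites survives all three stages; the site-c activity against an uninventoried host is ranked low and never leaves its subsystem, which is the bandwidth and attention saving the filter stage is meant to deliver.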
20 Claims
1. As set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method comprising:
collecting base security events at a plurality of sites;
generating local correlated events at each site by correlating the base security events collected at each site, wherein a local correlated event comprises a conclusion drawn from the collected base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident;
selecting local correlated events from each site; and
a processor generating global correlated events by correlating the selected local correlated events, wherein a global correlated event comprises a second conclusion drawn from the selected local correlated events according to a second rule, and wherein the second conclusion indicates that a plurality of the selected local correlated events is associated with a second same security incident.
Dependent claims: 9, 10, 11, 12, 13.
14. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
collecting base security events at a plurality of sites;
generating local correlated events at each site by correlating the base security events collected at each site, wherein a local correlated event comprises a conclusion drawn from the collected base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident;
selecting local correlated events from each site; and
generating global correlated events by correlating the selected local correlated events, wherein a global correlated event comprises a second conclusion drawn from the selected local correlated events according to a second rule, and wherein the second conclusion indicates that a plurality of the selected local correlated events is associated with a second same security incident.
Dependent claims: 15, 16, 17, 18, 19.
20. A network security system comprising:
a plurality of subsystems, each subsystem comprising:
a plurality of distributed software agents, each agent configured:
to collect a base security event from a monitor device; and
to transmit the base security event;
a local manager module coupled to the plurality of distributed software agents, configured:
to receive, from each agent, the base security event;
to transmit the base security events;
to generate one or more local correlated events by correlating the received base security events, wherein a local correlated event comprises a conclusion drawn from the received base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident; and
to transmit the one or more local correlated events; and
a filter coupled to the local manager module, configured:
to receive the base security events;
to select base security events; and
to transmit the selected base security events; and
a global manager module coupled to the plurality of subsystems, comprising a processor configured:
to receive, from each subsystem, the one or more local correlated events;
to receive, from each subsystem, the selected base security events; and
to generate one or more global correlated events by correlating the one or more local correlated events and the received selected base security events.