1. META-EVENT GENERATION BASED ON TIME ATTRIBUTES
    Invention patent application (status: pending, published)

    Publication number: US20120260306A1

    Publication date: 2012-10-11

    Application number: US13443682

    Filing date: 2012-04-10

    IPC classification: G06F21/00

    CPC classification: G06F21/554 G06Q10/06

    Abstract: First stage meta-events are generated based on analyzing time attributes of base events received from a network component. Second stage meta-events are generated based on a number of the first stage meta-events that have a time attribute falling within a time period. An amount of time that has passed since a most-recent second stage meta-event was generated is determined, and if a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event is determined.


2. Method And Apparatus For Exercising And Debugging Correlations For Network System
    Invention patent application (status: granted, in force)

    Publication number: US20110145711A1

    Publication date: 2011-06-16

    Application number: US13031079

    Filing date: 2011-02-18

    CPC classification: G06F21/552

    Abstract: A selected time interval of previously stored events generated by a number of computer network devices are replayed and cross-correlated according to rules. Meta-events are generated when the events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested and/or debugged against actual event data).


3. Method and apparatus for exercising and debugging correlations for network system
    Granted invention patent (status: granted, in force)

    Publication number: US08560679B2

    Publication date: 2013-10-15

    Application number: US13031079

    Filing date: 2011-02-18

    IPC classification: G06F15/173 G06F9/00 G06F11/00

    CPC classification: G06F21/552

    Abstract: A selected time interval of previously stored events generated by a number of computer network devices are replayed and cross-correlated according to rules. Meta-events are generated when the events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested and/or debugged against actual event data).


4. Correlation engine with support for time-based rules
    Granted invention patent (status: granted, in force)

    Publication number: US08176527B1

    Publication date: 2012-05-08

    Application number: US10308767

    Filing date: 2002-12-02

    IPC classification: G06F7/04

    CPC classification: G06F21/554 G06Q10/06

    Abstract: A rules engine with support for time-based rules is disclosed. A method performed by the rules engine comprises receiving security events generated by a number of network devices. The security events are aggregated. One or more time-based rules are provided to a RETE engine. The aggregated security events are provided to the RETE engine at specific times associated with the time-based rules. The security events are cross-correlated with the one or more time-based rules, and one or more first stage meta-events are reported.


5. Method and apparatus for exercising and debugging correlations for network security system
    Granted invention patent (status: granted, in force)

    Publication number: US07899901B1

    Publication date: 2011-03-01

    Application number: US10308416

    Filing date: 2002-12-02

    IPC classification: G06F15/173 G06F9/00 G06F11/00

    CPC classification: G06F21/552

    Abstract: A selected time interval of previously stored security events generated by a number of computer network devices are replayed and cross-correlated according to rules defining security incidents. Meta-events are generated when the security events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the security events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true security event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested and/or debugged against actual security event data).


6. Threat detection in a network security system
    Granted invention patent (status: granted, in force)

    Publication number: US07260844B1

    Publication date: 2007-08-21

    Application number: US10655062

    Filing date: 2003-09-03

    IPC classification: G06F11/00

    Abstract: A network security system is provided that receives information from various sensors and can analyse the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.


7. Threat detection in a network security system
    Granted invention patent (status: granted, in force)

    Publication number: US07861299B1

    Publication date: 2010-12-28

    Application number: US11836251

    Filing date: 2007-08-09

    IPC classification: G06F11/00

    Abstract: A network security system is provided that receives information from various sensors and can analyze the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.


8. Hierarchical architecture in a network security system
    Granted invention patent (status: granted, in force)

    Publication number: US09027120B1

    Publication date: 2015-05-05

    Application number: US10683191

    Filing date: 2003-10-10

    IPC classification: G06F12/14 G06F21/60

    Abstract: A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect base security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the base security events. Each subsystem can also include a filter coupled to the manager module to select which base security events are to be processed further. The selected base security events are passed to a global manager module coupled to the plurality of subsystems that generates global correlated events by correlating the base security events selected for further processing by each filter of each subsystem.


9. Expression editor
    Granted invention patent (status: granted, in force)

    Publication number: US07333999B1

    Publication date: 2008-02-19

    Application number: US10698814

    Filing date: 2003-10-30

    Applicant: Hugh S. Njemanze

    Inventor: Hugh S. Njemanze

    IPC classification: G06F17/00

    CPC classification: G06F8/33 Y10S707/99943

    Abstract: A prefix expression tree showing an expression can be supplemented to also display the expression in infix notation. In one embodiment, the present invention includes displaying an expression capable of representation in infix and prefix notation in prefix expression tree format. In one embodiment, the expression includes a plurality of operators and operands, and the plurality of operands make up the leaves of the expression tree. In one embodiment, the present invention further includes inserting a plurality of infix operators corresponding with the plurality of operators into the prefix expression tree, wherein the plurality of operands and infix operators represent the expression in infix notation.
