公开(公告)号：US20120260306A1

公开(公告)日：2012-10-11

申请号：US13443682

申请日：2012-04-10

申请人： Hugh S. Njemanze ,  Pravin S. Kothari ,  Debabrata Dash ,  Shijie Wang

发明人： Hugh S. Njemanze ,  Pravin S. Kothari ,  Debabrata Dash ,  Shijie Wang

IPC分类号： G06F21/00

CPC分类号： G06F21/554 ,  G06Q10/06

摘要： First stage meta-events are generated based on analyzing time attributes of base events received from a network component. Second stage meta-events are generated based on a number of the first stage meta-events that have a time attribute falling within a time period. An amount of time that has passed since a most-recent second stage meta-event was generated is determined, and if a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event is determined.

摘要翻译： 基于从网络组件接收的基本事件的时间属性分析，生成第一阶段元事件。 基于具有落在时间段内的时间属性的第一级元事件的数量来生成第二级元事件。 确定从最近的第二阶段元事件生成以来已经过去的时间量，并且如果阈值时间段不超过从检测到最近的第二阶段元事件以来已经过去的时间量 ，确定第三阶段元事件。

公开(公告)号：US08176527B1

公开(公告)日：2012-05-08

申请号：US10308767

申请日：2002-12-02

申请人： Hugh S. Njemanze ,  Pravin S. Kothari ,  Debabrata Dash ,  Shijie Wang

发明人： Hugh S. Njemanze ,  Pravin S. Kothari ,  Debabrata Dash ,  Shijie Wang

IPC分类号： G06F7/04

CPC分类号： G06F21/554 ,  G06Q10/06

摘要： A rules engine with support for time-based rules is disclosed. A method performed by the rules engine, comprises receiving security events generated by a number of network devices. The security events are aggregated. One or more time-based rules are provided to a RETE engine. The aggregated security events are provided to the RETE engine at specific times associated with the time-based rules. The security events are cross-correlated with the one or more time-based rules; and one or more first stage meta-events are reported.

摘要翻译： 公布了支持基于时间的规则的规则引擎。 由规则引擎执行的方法包括接收由多个网络设备产生的安全事件。 安全事件被聚合。 一个或多个基于时间的规则提供给RETE引擎。 聚合的安全事件在与时间规则相关联的特定时间提供给RETE引擎。 安全事件与一个或多个基于时间的规则相互关联; 并报告一个或多个第一阶段元事件。

公开(公告)号：US07260844B1

公开(公告)日：2007-08-21

申请号：US10655062

申请日：2003-09-03

申请人： Kenny Tidwell ,  Kumar Saurabh ,  Debabrata Dash ,  Hugh S. Njemanze ,  Pravin S. Kothari

发明人： Kenny Tidwell ,  Kumar Saurabh ,  Debabrata Dash ,  Hugh S. Njemanze ,  Pravin S. Kothari

IPC分类号： G06F11/00

CPC分类号： H04L63/1433 ,  G06F21/577 ,  H04L63/1425

摘要： A network security system is provided that receives information from various sensors and can analyse the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.

摘要翻译： 提供一种从各种传感器接收信息并且可以分析所接收的信息的网络安全系统。 在本发明的一个实施例中，这样的系统从软件代理接收安全事件。 所接收的安全事件包括由软件代理产生的目标地址和事件签名。 可以使用事件签名来确定接收的安全事件利用的一组漏洞，并且可以使用目标地址来识别网络内的目标资产。 通过访问目标资产的模型，可以检索目标资产公开的一组漏洞。 然后，可以通过将安全事件利用的一组漏洞与目标资产公开的一组漏洞进行比较来检测威胁。

公开(公告)号：US07861299B1

公开(公告)日：2010-12-28

申请号：US11836251

申请日：2007-08-09

申请人： Kenny C. Tidwell ,  Kumar Saurabh ,  Debabrata Dash ,  Hugh S. Njemanze ,  Pravin S. Kothari

发明人： Kenny C. Tidwell ,  Kumar Saurabh ,  Debabrata Dash ,  Hugh S. Njemanze ,  Pravin S. Kothari

IPC分类号： G06F11/00

CPC分类号： H04L63/1433 ,  G06F21/577 ,  H04L63/1425

摘要： A network security system is provided that receives information from various sensors and can analyze the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.

摘要翻译： 提供一种从各种传感器接收信息并且可以分析所接收的信息的网络安全系统。 在本发明的一个实施例中，这样的系统从软件代理接收安全事件。 所接收的安全事件包括由软件代理产生的目标地址和事件签名。 事件签名可用于确定接收到的安全事件利用的一组漏洞，并且目标地址可用于标识网络内的目标资产。 通过访问目标资产的模型，可以检索目标资产公开的一组漏洞。 然后，可以通过将安全事件利用的一组漏洞与目标资产公开的一组漏洞进行比较来检测威胁。

公开(公告)号：US20110145711A1

公开(公告)日：2011-06-16

申请号：US13031079

申请日：2011-02-18

申请人： Hugh S. Njemanze ,  Debabrata Dash ,  Shijie Wang

发明人： Hugh S. Njemanze ,  Debabrata Dash ,  Shijie Wang

IPC分类号： G06F15/177 ,  G06F15/173 ,  G06F3/048

CPC分类号： G06F21/552

摘要： A selected time interval of previously stored events generated by a number of computer network devices are replayed and cross-correlated according to rules. Meta-events are generated when the events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested an tor debugged against actual event data).

摘要翻译： 由多个计算机网络设备产生的先前存储的事件的选定时间间隔根据规则被重放和交叉相关。 当事件满足与一个或多个规则相关联的条件时，生成元事件。 在播放期间使用的规则可能与在计算机网络中包含计算机网络设备的事件发生时所使用的先前规则不同。 以这种方式，可以针对真实事件数据流来测试新规则，以确定在活动环境中是否应该使用规则（即，可以针对实际事件数据来调试规则的功效）。

公开(公告)号：US08560679B2

公开(公告)日：2013-10-15

申请号：US13031079

申请日：2011-02-18

申请人： Hugh S. Njemanze ,  Debabrata Dash ,  Shijie Wang

发明人： Hugh S. Njemanze ,  Debabrata Dash ,  Shijie Wang

IPC分类号： G06F15/173 ,  G06F9/00 ,  G06F11/00

CPC分类号： G06F21/552

摘要： A selected time interval of previously stored events generated by a number of computer network devices are replayed and cross-correlated according to rules. Meta-events are generated when the events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested and/or debugged against actual event data).

摘要翻译： 由多个计算机网络设备产生的先前存储的事件的选定时间间隔根据规则被重放和交叉相关。 当事件满足与一个或多个规则相关联的条件时，生成元事件。 在播放期间使用的规则可能与在计算机网络中包含计算机网络设备的事件发生时所使用的先前规则不同。 以这种方式，可以针对真实事件数据流来测试新的规则，以确定在活的环境中是否应该使用规则（即，规则的功效可以针对实际事件数据进行测试和/或调试）。

公开(公告)号：US07899901B1

公开(公告)日：2011-03-01

申请号：US10308416

申请日：2002-12-02

申请人： Hugh S. Njemanze ,  Debabrata Dash ,  Shijie Wang

发明人： Hugh S. Njemanze ,  Debabrata Dash ,  Shijie Wang

IPC分类号： G06F15/173 ,  G06F9/00 ,  G06F11/00

CPC分类号： G06F21/552

摘要： A selected time interval of previously stored security events generated by a number of computer network devices are replayed and cross-correlated according to rules defining security incidents. Meta-events are generated when the security events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the security events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true security event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested and/or debugged against actual security event data).

摘要翻译： 由许多计算机网络设备产生的先前存储的安全事件的选定时间间隔根据定义安全事件的规则被重播和交叉相关。 当安全事件满足与一个或多个规则相关联的条件时，生成元事件。 在播放期间使用的规则可能与在包括计算机网络设备的计算机网络中发生安全事件时使用的先前规则不同。 以这种方式，可以针对真实的安全事件数据流来测试新的规则，以确定是否应该在活动环境中使用规则（即，可以针对实际安全事件数据来测试和/或调试规则的功能） 。

公开(公告)号：US09027120B1

公开(公告)日：2015-05-05

申请号：US10683191

申请日：2003-10-10

申请人： Kenny Tidwell ,  Christian Beedgen ,  Hugh S. Njemanze ,  Pravin S. Kothari

发明人： Kenny Tidwell ,  Christian Beedgen ,  Hugh S. Njemanze ,  Pravin S. Kothari

IPC分类号： G06F12/14 ,  G06F21/60

CPC分类号： G06F21/606 ,  G06F21/552 ,  H04L41/044 ,  H04L41/046 ,  H04L41/0604 ,  H04L41/0631 ,  H04L63/1416 ,  H04L63/20

摘要： A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect base security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the base security events. Each subsystem can also include a filter coupled to the manager module to select which base security events are to be processed further. The selected base security events are passed to a global manager module coupled to the plurality of subsystems that generates global correlated events by correlating the base security events selected for further processing by each filter of each subsystem.

摘要翻译： 提供具有层次结构的网络安全系统。 在一个实施例中，本发明包括多个子系统，其中每个子系统包括配置成从监视器设备收集基本安全事件的多个分布式软件代理，以及耦合到多个分布式软件代理的本地管理器模块，以通过 关联基础安全事件。 每个子系统还可以包括耦合到管理器模块的过滤器，以选择要进一步处理哪些基本安全事件。 所选择的基本安全事件被传递到耦合到多个子系统的全局管理器模块，其通过将每个子系统的每个过滤器选择用于进一步处理的基本安全事件相关联来生成全局相关事件。

公开(公告)号：US07376969B1

公开(公告)日：2008-05-20

申请号：US10308415

申请日：2002-12-02

申请人： Hugh S. Njemanze ,  Pravin S. Kothari

发明人： Hugh S. Njemanze ,  Pravin S. Kothari

IPC分类号： G06F21/00 ,  G06F15/16

CPC分类号： H04L63/1425 ,  G06F21/55

摘要： Security events generated by a number of network devices are gathered and normalized to produce normalized security events in a common schema. The normalized security events are cross-correlated according to rules to generate meta-events. The security events may be gathered remotely from a system at which the cross-correlating is performed. Any meta-events that are generated may be reported by generating alerts for display at one or more computer consoles, or by sending an e-mail message, a pager message, a telephone message, and/or a facsimile message to an operator or other individual. In addition to reporting the meta-events, the present system allows for taking other actions specified by the rules, for example executing scripts or other programs to reconfigure one or more of the network devices, and or to modify or update access lists, etc.

摘要翻译： 收集并归一化由多个网络设备生成的安全事件，以在公共模式中生成归一化的安全事件。 归一化的安全事件根据规则进行交叉相关，以生成元事件。 可以从执行交叉相关的系统远程收集安全事件。 生成的任何元事件可以通过生成用于在一个或多个计算机控制台上显示的警报来报告，或者通过向操作者或其他人发送电子邮件消息，寻呼机消息，电话消息和/或传真消息来报告 个人。 除了报告元事件之外，本系统允许采取规则指定的其他动作，例如执行脚本或其他程序来重新配置一个或多个网络设备，以及修改或更新访问列表等。

公开(公告)号：US08015604B1

公开(公告)日：2011-09-06

申请号：US10683221

申请日：2003-10-10

申请人： Kenny Tidwell ,  Christian Beedgen ,  Hugh S. Njemanze ,  Pravin S. Kothari

发明人： Kenny Tidwell ,  Christian Beedgen ,  Hugh S. Njemanze ,  Pravin S. Kothari

IPC分类号： G06F11/00

CPC分类号： H04L41/0631 ,  H04L41/046 ,  H04L63/1416 ,  H04L63/1441 ,  H04L67/10 ,  H04L67/12

摘要： A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the security events. Each of the subsystems can report the correlated events to a global manager module coupled to the plurality of subsystems, and the global manager module can correlate the correlated events from each manager module.

摘要翻译： 提供具有层次结构的网络安全系统。 在一个实施例中，本发明包括多个子系统，其中每个子系统包括被配置为从监控设备收集安全事件的多个分布式软件代理，以及耦合到多个分布式软件代理的本地管理器模块，以通过相关 安全事件。 每个子系统可以将相关事件报告给耦合到多个子系统的全局管理器模块，并且全局管理器模块可以将来自每个管理器模块的相关事件相关联。