Hierarchical architecture in a network security system
    1.
    发明授权
    Hierarchical architecture in a network security system 有权
    网络安全系统中的层次结构

    公开(公告)号:US08015604B1

    公开(公告)日:2011-09-06

    申请号:US10683221

    申请日:2003-10-10

    IPC分类号: G06F11/00

    摘要: A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the security events. Each of the subsystems can report the correlated events to a global manager module coupled to the plurality of subsystems, and the global manager module can correlate the correlated events from each manager module.

    摘要翻译: 提供具有层次结构的网络安全系统。 在一个实施例中,本发明包括多个子系统,其中每个子系统包括被配置为从监控设备收集安全事件的多个分布式软件代理,以及耦合到多个分布式软件代理的本地管理器模块,以通过相关 安全事件。 每个子系统可以将相关事件报告给耦合到多个子系统的全局管理器模块,并且全局管理器模块可以将来自每个管理器模块的相关事件相关联。

    Hierarchical architecture in a network security system
    2.
    发明授权
    Hierarchical architecture in a network security system 有权
    网络安全系统中的层次结构

    公开(公告)号:US09027120B1

    公开(公告)日:2015-05-05

    申请号:US10683191

    申请日:2003-10-10

    IPC分类号: G06F12/14 G06F21/60

    摘要: A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect base security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the base security events. Each subsystem can also include a filter coupled to the manager module to select which base security events are to be processed further. The selected base security events are passed to a global manager module coupled to the plurality of subsystems that generates global correlated events by correlating the base security events selected for further processing by each filter of each subsystem.

    摘要翻译: 提供具有层次结构的网络安全系统。 在一个实施例中,本发明包括多个子系统,其中每个子系统包括配置成从监视器设备收集基本安全事件的多个分布式软件代理,以及耦合到多个分布式软件代理的本地管理器模块,以通过 关联基础安全事件。 每个子系统还可以包括耦合到管理器模块的过滤器,以选择要进一步处理哪些基本安全事件。 所选择的基本安全事件被传递到耦合到多个子系统的全局管理器模块,其通过将每个子系统的每个过滤器选择用于进一步处理的基本安全事件相关联来生成全局相关事件。

    Threat detection in a network security system
    3.
    发明授权
    Threat detection in a network security system 有权
    网络安全系统中的威胁检测

    公开(公告)号:US07260844B1

    公开(公告)日:2007-08-21

    申请号:US10655062

    申请日:2003-09-03

    IPC分类号: G06F11/00

    摘要: A network security system is provided that receives information from various sensors and can analyse the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.

    摘要翻译: 提供一种从各种传感器接收信息并且可以分析所接收的信息的网络安全系统。 在本发明的一个实施例中,这样的系统从软件代理接收安全事件。 所接收的安全事件包括由软件代理产生的目标地址和事件签名。 可以使用事件签名来确定接收的安全事件利用的一组漏洞,并且可以使用目标地址来识别网络内的目标资产。 通过访问目标资产的模型,可以检索目标资产公开的一组漏洞。 然后,可以通过将安全事件利用的一组漏洞与目标资产公开的一组漏洞进行比较来检测威胁。

    Network zone identification in a network security system
    4.
    发明授权
    Network zone identification in a network security system 有权
    网络安全系统中的网络区域识别

    公开(公告)号:US09100422B1

    公开(公告)日:2015-08-04

    申请号:US10974105

    申请日:2004-10-27

    IPC分类号: H04L29/06

    摘要: Different network segments can have overlapping address spaces. In one embodiment, the present invention includes a distributed agent of a security system receiving a security event from a network device monitored by the agent. In one embodiment, the agent normalizes the security event into an event schema including one or more zone fields. In one embodiment, the agent also determines one or more zones associated with the received security event, the one or more zones each describing a part of a network, and populates the one or more zone fields using the determined one or more zones.

    摘要翻译: 不同的网段可以具有重叠的地址空间。 在一个实施例中,本发明包括从代理监视的网络设备接收安全事件的安全系统的分布式代理。 在一个实施例中,代理将安全事件规范化为包括一个或多个区域字段的事件模式。 在一个实施例中,代理还确定与所接收的安全事件相关联的一个或多个区域,所述一个或多个区域每个描述网络的一部分,并且使用所确定的一个或多个区域来填充所述一个或多个区域域。

    Comparing events from multiple network security devices
    5.
    发明授权
    Comparing events from multiple network security devices 有权
    比较来自多个网络安全设备的事件

    公开(公告)号:US08528077B1

    公开(公告)日:2013-09-03

    申请号:US10821459

    申请日:2004-04-09

    IPC分类号: G06F11/00

    摘要: Events are received from a plurality of security devices (which may be similar or different devices, e.g., intrusion detection systems configured to monitor network traffic) and divided into a plurality of event flows. Comparing the event flows (e.g., using statistical correlation methods) then generates one or more meta-events. The received events may be divided into different event flows on the basis of the security device which generated the events. The meta-events may be generated by evaluating a perimeter defense device through comparison of the different event flows. In some cases, various ones of the security devices may be inside or outside a perimeter defined by the perimeter defense device.

    摘要翻译: 从多个安全设备(其可以是相似或不同的设备,例如被配置为监视网络业务的入侵检测系统)接收事件并被划分为多个事件流。 比较事件流(例如,使用统计相关方法)然后生成一个或多个元事件。 接收到的事件可以根据产生事件的安全设备划分成不同的事件流。 元事件可以通过比较不同事件流来评估周边防御设备来生成。 在一些情况下,各种安全装置可以在由周边防御装置限定的周边的内部或外部。

    Pattern discovery in a network security system
    7.
    发明授权
    Pattern discovery in a network security system 有权
    网络安全系统中的模式发现

    公开(公告)号:US07509677B2

    公开(公告)日:2009-03-24

    申请号:US10839613

    申请日:2004-05-04

    CPC分类号: H04L63/1416 G06F21/552

    摘要: Patterns can be discovered in security events collected by a network security system. In one embodiment, the present invention includes collecting and storing security events from a variety of monitor devices. In one embodiment, a subset of the stored security events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.

    摘要翻译: 可以在网络安全系统收集的安全事件中发现模式。 在一个实施例中,本发明包括收集和存储来自各种监视器装置的安全事件。 在一个实施例中,存储的安全事件的子集作为事件流被提供给管理器。 在一个实施例中,本发明还包括管理器发现事件流中的一个或多个先前未知的事件模式。

    Pattern Discovery in a Network System
    8.
    发明申请
    Pattern Discovery in a Network System 有权
    网络系统中的模式发现

    公开(公告)号:US20090064333A1

    公开(公告)日:2009-03-05

    申请号:US12243838

    申请日:2008-10-01

    IPC分类号: G06F21/00

    CPC分类号: H04L63/1416 G06F21/552

    摘要: Patterns can be discovered in events collected by a network system. In one embodiment, the present invention includes collecting and storing events from a variety of monitor devices. In one embodiment, a subset of the stored events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.

    摘要翻译: 可以在网络系统收集的事件中发现模式。 在一个实施例中,本发明包括收集和存储来自各种监视器装置的事件。 在一个实施例中,存储的事件的子集作为事件流被提供给管理器。 在一个实施例中,本发明还包括管理器发现事件流中的一个或多个先前未知的事件模式。

    Tracking Changing State Data to Assist in Computer Network Security
    9.
    发明申请
    Tracking Changing State Data to Assist in Computer Network Security 有权
    跟踪更改状态数据以协助计算机网络安全

    公开(公告)号:US20080104046A1

    公开(公告)日:2008-05-01

    申请号:US11923502

    申请日:2007-10-24

    IPC分类号: G06F17/30

    摘要: A session table includes one or more records, where each record represents a session. Session record information is stored in various fields, such as key fields, value fields, and timestamp fields. Session information is described as keys and values in order to support query/lookup operations. A session table is associated with a filter, which describes a set of keys that can be used for records in that table. A session table is populated using data contained in security information/events. Rules are created to identify events related to session information, extract the session information, and use the session information to modify a session table. A session table is partitioned so that the number of records in each session table partition is decreased. A session table is processed periodically so that active sessions are moved to the current partition.

    摘要翻译: 会话表包括一个或多个记录,其中每个记录表示会话。 会话记录信息存储在各种字段中,例如键字段,值字段和时间戳字段。 会话信息被描述为键和值以支持查询/查找操作。 会话表与过滤器相关联,过滤器描述了可用于该表中的记录的一组密钥。 使用安全信息/事件中包含的数据填充会话表。 创建规则以识别与会话信息相关的事件,提取会话信息,并使用会话信息来修改会话表。 会话表被分区,使得每个会话表分区中的记录数量减少。 周期性地处理会话表,以便将活动会话移动到当前分区。

    Pattern discovery in a network security system
    10.
    发明申请
    Pattern discovery in a network security system 有权
    网络安全系统中的模式发现

    公开(公告)号:US20050251860A1

    公开(公告)日:2005-11-10

    申请号:US10839613

    申请日:2004-05-04

    IPC分类号: G06F21/00 H04L9/00 H04L29/06

    CPC分类号: H04L63/1416 G06F21/552

    摘要: Patterns can be discovered in security events collected by a network security system. In one embodiment, the present invention includes collecting and storing security events from a variety of monitor devices. In one embodiment, a subset of the stored security events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.

    摘要翻译: 可以在网络安全系统收集的安全事件中发现模式。 在一个实施例中,本发明包括收集和存储来自各种监视器装置的安全事件。 在一个实施例中,存储的安全事件的子集作为事件流被提供给管理器。 在一个实施例中,本发明还包括管理器发现事件流中的一个或多个先前未知的事件模式。