Real time monitoring and analysis of events from multiple network security devices
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th ed.): G06F-021/00; G06F-015/16
Application number: US-0308415 (2002-12-02)
Registration number: US-7376969 (2008-05-20)
Inventors: Njemanze, Hugh S.; Kothari, Pravin S.
Applicant: ArcSight, Inc.
Agent: Fenwick & West LLP
Citation information: cited by 262 patents; cites 29 patents
Abstract
Security events generated by a number of network devices are gathered and normalized to produce normalized security events in a common schema. The normalized security events are cross-correlated according to rules to generate meta-events. The security events may be gathered remotely from a system at which the cross-correlating is performed. Any meta-events that are generated may be reported by generating alerts for display at one or more computer consoles, or by sending an e-mail message, a pager message, a telephone message, and/or a facsimile message to an operator or other individual. In addition to reporting the meta-events, the present system allows for taking other actions specified by the rules, for example executing scripts or other programs to reconfigure one or more of the network devices, and or to modify or update access lists, etc.
Representative claims
What is claimed is:
1. A method for monitoring security of a computer network, the computer network comprising network devices, the method comprising: gathering security events generated by the network devices, wherein a security event generated by a network device comprises information about operation of the network device and is in a format used by the network device; modifying the security events to normalize the security events to a common schema, wherein the common schema includes a category that represents an event name; aggregating two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated; and cross-correlating the normalized security events and the aggregated event according to rules to generate a meta-event, wherein the cross-correlating is performed remotely from the normalizing and the aggregating.
2. The method of claim 1, wherein the gathering of the security events is performed remotely from the cross-correlating of the normalized security events and the aggregated event with the rules.
3. The method of claim 1, further comprising reporting the meta-event.
4. The method of claim 3, wherein reporting comprises generating an alert for display at one or more consoles.
5. The method of claim 1, further comprising taking an action specified by the rules to notify a selected individual of the meta-event.
6. The method of claim 5, wherein notification is made through one or more of an e-mail message, a pager message, a telephone message, a facsimile message, and an alert displayed graphically at one or more computer systems.
7. The method of claim 1, wherein the security events are gathered from one or more of routers, e-mail logs, anti-virus products, firewalls, network intrusion detection systems, access control servers, virtual private network systems, operating system logs, databases, software applications and network device event logs.
8. The method of claim 1, wherein normalizing the security events comprises parsing data reported by the network devices to extract event field values therefrom and populating corresponding fields in the common schema with the extracted event field values.
9. The method of claim 1, further comprising filtering the security events prior to normalizing the security events to remove unwanted security events.
10. The method of claim 1, wherein the normalized security events and the aggregated event are transmitted across a network prior to being cross-correlated with the rules.
11. The method of claim 1, wherein the normalized security events and the aggregated event are stored in a database.
12. The method of claim 11, wherein the normalized security events and the aggregated event are stored in the database after being cross-correlated with the rules.
13. The method of claim 11, wherein the meta-event is stored in the database.
14. A system for monitoring security of a computer network, the computer network comprising network components, the system comprising: a number of software agents, a software agent configured to receive security event information from one or more associated network components, wherein security event information received from a network component comprises information about operation of the network component and is in a format used by the network component, and further configured to modify the security event information to normalize the security event information to a common schema, wherein the common schema includes a category that represents an event name, and further configured to aggregate two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated; and a server-based manager configured to receive normalized security event information reports and aggregated security event information reports from the agents and further configured to cross-correlate security event information reports from different ones of the agents according to one or more rules to produce a meta-event.
15. The system of claim 14, wherein the manager is further configured to store the security event information reports from the agents in a database.
16. The system of claim 15, wherein the manager is further configured to store the meta-event in the database.
17. The system of claim 14, further comprising one or more consoles communicatively coupled to receive notification of the meta-event from the manager.
18. The system of claim 17, wherein the rules are written at one or more of the consoles and provided to the manager.
19. The system of claim 14, wherein the manager includes a knowledge base comprising information regarding the meta-event.
20. The system of claim 14, wherein the network components are heterogeneous.
21. A computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to monitor security of a computer network, the computer network comprising network devices, by cross-correlating security events according to rules to generate a meta-event, a security event having been collected from a network device and modified to normalize the security event to a common schema, wherein the common schema includes a category that represents an event name, and aggregated into an aggregated event, wherein the aggregated event includes a number greater than 1 that represents how many normalized security events were aggregated, the security event comprising information about operation of the network device and being in a format used by the network device.
22. The computer readable medium of claim 21, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to report the meta-event.
23. The computer readable medium of claim 22, wherein the meta-event is reported in one or more of the following ways: as an e-mail message, a pager message, a telephone message, a facsimile message, and an alert displayed graphically at one or more computer workstations.
24. The computer readable medium of claim 22, wherein the security events are collected from one or more of the following: routers, e-mail logs, anti-virus products, firewalls, network intrusion detection systems, access control servers, virtual private network systems, and network device event logs.
25. A computer readable medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to collect security event information from an associated network device, wherein the security event information is in a format used by the associated network device, and to modify the security event information to normalize the security event information to a common schema, wherein the common schema includes a category that represents an event name, and to aggregate two or more normalized security events into an aggregated event, wherein the aggregated event includes a number that represents how many normalized security events were aggregated.
26. The computer readable medium of claim 25, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to filter the security event information prior to normalizing the security event information.
27. The computer readable medium of claim 25, having stored thereon further computer-readable instructions, which when executed in the computer system, cause the computer system to transmit normalized security event information and aggregated security event information to a remote computer system.
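As an added example, not code from the patent or from ArcSight, the agent/manager split of claims 1 and 14 in Python: agents parse vendor-specific lines into a common schema with an event-name category (claim 8), drop unparseable lines (claim 9), aggregate identical events into one record carrying a count, and a manager cross-correlates reports from two different agents with a rule to produce a meta-event. The log lines, field names, agent ids and the correlation rule are all constructed for illustration.

```python
"""Toy agent/manager pipeline (added illustration, not the patent's code).
Log lines, schema field names and the rule below are constructed."""
import re
from collections import Counter

# Constructed raw output from two device types, each in its native format.
FIREWALL_LOG = [
    "fw1 DENY tcp 10.0.0.5:51000 -> 192.168.1.10:22",
    "fw1 DENY tcp 10.0.0.5:51001 -> 192.168.1.10:22",
    "fw1 DENY tcp 10.0.0.5:51002 -> 192.168.1.10:22",
    "fw1 ALLOW tcp 10.0.0.9:40000 -> 192.168.1.20:443",
]
IDS_LOG = ["alert: SSH brute force | src=10.0.0.5 dst=192.168.1.10 dport=22"]

FW_RE = re.compile(r"^(?P<dev>\S+) (?P<act>\w+) \w+ (?P<src>[\d.]+):\d+ -> "
                   r"(?P<dst>[\d.]+):(?P<dport>\d+)$")
IDS_RE = re.compile(r"^alert: (?P<sig>[^|]+?) \| src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

def normalize_firewall(line):
    """Parse one firewall line into the common schema; None if it does not parse."""
    m = FW_RE.match(line)
    if m is None:
        return None
    return {"event_name": "firewall_" + m["act"].lower(), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "device": m["dev"]}

def normalize_ids(line):
    """Parse one IDS alert into the same schema; the signature becomes the event name."""
    m = IDS_RE.match(line)
    if m is None:
        return None
    name = "ids_" + m["sig"].strip().lower().replace(" ", "_")
    return {"event_name": name, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "device": "ids1"}

def aggregate(events):
    """Collapse identical normalized events into one record carrying a count."""
    counts = Counter(tuple(sorted(e.items())) for e in events)
    return [dict(key, count=n) for key, n in counts.items()]

def run_agent(agent_id, lines, normalizer):
    """Agent side: normalize, filter out unparseable lines, aggregate, tag the origin."""
    normalized = [e for e in map(normalizer, lines) if e is not None]
    return [dict(e, agent=agent_id) for e in aggregate(normalized)]

def correlate(reports, min_denies=3):
    """Manager side. Constructed rule: at least min_denies firewall denies plus an
    IDS alert for the same src/dst pair, reported by two different agents."""
    denies = [r for r in reports if r["event_name"] == "firewall_deny"
              and r["count"] >= min_denies]
    alerts = [r for r in reports if r["event_name"].startswith("ids_")]
    return [{"meta_event": "corroborated_brute_force", "src": d["src"], "dst": d["dst"],
             "deny_count": d["count"], "evidence": [d["event_name"], a["event_name"]]}
            for d in denies for a in alerts
            if (d["src"], d["dst"]) == (a["src"], a["dst"]) and d["agent"] != a["agent"]]

def run_pipeline():
    """Two agents report to one manager; returns the generated meta-events."""
    reports = run_agent("agent-fw", FIREWALL_LOG, normalize_firewall)
    reports += run_agent("agent-ids", IDS_LOG, normalize_ids)
    return correlate(reports)

if __name__ == "__main__":
    for meta in run_pipeline():
        print(meta)
```

The count on the aggregated deny record is what lets the rule fire without the manager ever seeing the three raw lines, which is the bandwidth point behind aggregating at the agent.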