Patent Grant
8015604
The present invention relates to a network security system, and, in particular, to a network security system having a hierarchical architecture.
Computer networks and systems have become indispensable tools for modern business. Today terabits of information on virtually every subject imaginable are stored in and accessed across such networks by users throughout the world. Much of this information is, to some degree, confidential and its protection is required. Not surprisingly then, various network security monitor devices have been developed to help uncover attempts by unauthorized persons and/or devices to gain access to computer networks and the information stored therein.
Network security products largely include Intrusion Detection Systems (IDS's), which can be Network or Host based (NIDS and HIDS respectively). Other network security products include firewalls, router logs, and various other event reporting devices. Due to the size of their networks, many enterprises deploy hundreds, or thousands of these products thoughts their networks. Thus, network security personnel are bombarded alarms representing possible security threats. Most enterprises do not have the resources or the qualified personnel to individually attend to all of the received alarms.
Furthermore, many large organizations deploy these devices locally at each of their sites to distribute computational resources and to limit bandwidth use. Since security events generally concern local attacks, such division is generally helpful. However, localizing network security can have disadvantages, since not all available and relevant information is used during the threat analysis and decision making.
A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the security events. Each of the subsystems can report the correlated events to a global manager module coupled to the plurality of subsystems, and the global manager module can correlate the correlated events from each manager module.
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like reference numerals refer to similar elements and in which:
Described herein is a network security system having a hierarchical configuration.
Although the present system will be discussed with reference to various illustrated examples, these examples should not be read to limit the broader spirit and scope of the present invention. For example, the examples presented herein describe distributed agents, managers and various network devices, which are but one embodiment of the present invention. The general concepts and reach of the present invention are much broader and may extend to any computer-based or network-based security system.
Some portions of the detailed description that follows are presented in terms of algorithms and symbolic representations of operations on data within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the computer science arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like. It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise, it will be appreciated that throughout the description of the present invention, use of terms such as “processing”, “computing”, “calculating”, “determining”, “displaying” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
As indicated above, one embodiment of the present invention is instantiated in computer software, that is, computer readable instructions, which, when executed by one or more computer processors/systems, instruct the processors/systems to perform the designated actions. Such computer software may be resident in one or more computer readable media, such as hard drives, CD-ROMs, DVD-ROMs, read-only memory, read-write memory and so on. Such software may be distributed on one or more of these media, or may be made available for download across one or more computer networks (e.g., the Internet). Regardless of the format, the computer programming, rendering and processing techniques discussed herein are simply examples of the types of programming, rendering and processing techniques that may be used to implement aspects of the present invention. These examples should in no way limit the present invention, which is best understood with reference to the claims that follow this description.
Referring now to
In formal security terminology, an “event” is an actual physical occurrence—such as a packet traversing the network, or a file being deleted—and an “alarm” is a representation of the “event.” As used in this application, however, a security event 102 (or just “event”) refers to a representation of a physical phenomenon, thus being an “alarm” according to strict formal terminology. In this application, alarms are produced by a network security device associated with an agent 104—such as an HIDS, a NIDS, or a firewall—and a base event 102 refers to the output of the agent 104 after the agent 104 processed, e.g. aggregated, batched, or normalized, the alarms. Furthermore, an unprocessed alarm directly from a sensor device is also considered to be a “base event” for the purposes of this application.
A base event 102 can have various fields that contain information about the event 102. Several example events are described, for example, in the co-pending application entitled “Real Time Monitoring and Analysis of Events from Multiple Network Security Devices”, filed on Dec. 2, 2002, application Ser. No. 10/308,415 for inventors Hugh S. Njemanze and Pravin S. Kothari, and in the co-pending application Ser. No. 10/655,062 entitled “Threat Dection in a Network Security System”, filed on Sep. 3, 2003, for inventors Kenny Tidwell, Kumar Saurabh, Depurate Dash, Hugh S. Njemanze and Pravin S. Kothari, both applications incorporated herein fully by reference. The base events are then processed by the manager module 100. Such processing can include prioritisation performed by an event prioritizer module 106. Event prioritisation is described in more detail in Ser. No. 10/655,062.
Furthermore, event processing can include event correlation performed by an event correlator module 108 using various rules. Event correlation is described in detail in application Ser. No. 10/308,415. The output of the event correlator 108 is correlated events. A correlated event is a conclusion drawn from several base events based on the rules. For example, twenty failed logins followed by a successful login and twenty-one base events that can translate to one correlated event, namely “successful brute-force dictionary attack.” The manager module 100 can also include a notifier module 110 to send alert information to the system administrators. The notifier is also described in application Ser. No. 10/308,415.
Referring now to
Thus, agents 104 and local manager 100 are identical to their counterparts described with reference to
As described above, one output of the local manager is correlated events. In one embodiment described with reference to
The manager agent 210 can be implemented similarly or identically to agents 104. The tasks performed by the manager agent can also be similar or identical to agents 104, such as normalization, aggregation, batching, and other tasks described above and in the incorporated applications.
The filter 208 can be implemented using Boolean expressions. Its purpose is to select the correlated events to be delivered to the global manager module 200. For example, the filter 208 can be set to block out correlated events deemed only to have local significance. In other embodiments, bandwidth constraints between the global manager 200 and subsystem 202 may allow for only a relatively few correlated events to be sent, hence allowing only specifically requested types of correlated event through the filter.
For example, the global manager 200, through back-link 212, can program the filter 208 to provide all correlated events relating to some IP address of interest. In similar fashion, the global manager 200 can configure what it receives from each subsystem to anything the filters 208 can be programmed to, using back-links 212 to each subsystem. In other embodiments, the filter 208 can be programmed and configured locally at subsystem 202. In other embodiments in which all correlated events are provided to the global manager 200, the filter 208 can be omitted.
In one embodiment, the global manager 200, through back-channel 214, can request information from the local manager 100. For example, the global manager 200 may send a request to the local manager 100 for all base events that were correlated to produce a particular correlated event previously sent to the global manager 200.
Subsystem 204 and subsystem 206 can be similar or identical to subsystem 202 described above. Any number of subsystems can be similarly configured to feed correlated events to the global manager 200. In one embodiment, these base events are retrieved from local storage by the local manager 100, and are sent to the global manager 200 through back-channel 214 to avoid re-correlation of these base events.
The global manager module 200 receives the correlated events from the various subsystems. These correlated events can be referred to as local correlated events, since they are local to a specific subsystem. In one embodiment, the global manager 200 functions in a manner similar to the local managers 100, treating the local correlated events as base events. Thus, the global manager 200 can perform a correlation of the local correlated events to generate global correlated events.
An example is given with reference to
In this example, each local security network picked up an attempted unauthorized network access. This conclusion is a local correlated event 306 that may be based on various base events. When these local correlated events 306 are reported wirelessly to a command centre 308 housing the global manager module 200, the global manager 200 can correlate these local correlated events to determine the location of a hacker. This would be a global correlated event, since it uses correlated events from various local security networks.
In this example, finding the hacker would be difficult for a single vehicle with a local network security system, since each vehicle experiences many attacks. However, if all vehicles experience an attack on the same street corner, broader conclusions about the location of a specific attacker can be drawn.
Referring now to
Another embodiment of the present invention is now described with reference to
An example is given with reference to
As described with reference to
The global manager 200 can thus correlate all high-priority base events, not just the local ones. In this manner, the global correlation performed by the global manager 200 results in global correlated events that can concern a global attack. For example, an attacker trying to bring down the Phoenix network 608 may not be catastrophic, the same attacker trying to bring down multiple networks may be.
In another example, an attacker may have been detected by subsystem 610 to have performed reconnaissance—such as scanning for populated addresses and open ports—on the Phoenix network 608. If this attacker now attacks the Dallas network, the Dallas subsystem 610 is unaware of the heightened security risk. However, the global manager 200 will be able to inform the Dallas office 604 that an attack they thought to be low priority is being perpetrated by an attacker using information from a previous reconnaissance.
In other embodiments, each subsystem can be configured as a combination of
Thus, a hierarchically configured network security system, and event processing in such a system has been described. In the foregoing description, various specific intermediary values were given names, such as “local correlated events,” and various specific modules, such as the “manager agent,” have been described. However, these names are merely to describe and illustrate various aspects of the present invention, and in no way limit the scope of the present invention. Furthermore, various modules, such as the local manager module 100 and the global manager module 200 in
In the foregoing description, the various examples and embodiments were meant to be illustrative of the present invention and not restrictive in terms of their scope. Accordingly, the invention should be measured only in terms of the claims, which follow.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5557742 | Smaha et al. | Sep 1996 | A |
| 5717919 | Kodavalla et al. | Feb 1998 | A |
| 5850516 | Schneier | Dec 1998 | A |
| 5857190 | Brown | Jan 1999 | A |
| 5956404 | Schneier et al. | Sep 1999 | A |
| 5978475 | Schneier et al. | Nov 1999 | A |
| 6070244 | Orchier et al. | May 2000 | A |
| 6088804 | Hill et al. | Jul 2000 | A |
| 6134664 | Walker | Oct 2000 | A |
| 6192034 | Hsieh et al. | Feb 2001 | B1 |
| 6212633 | Levy et al. | Apr 2001 | B1 |
| 6226260 | McDysan | May 2001 | B1 |
| 6275942 | Bernhard et al. | Aug 2001 | B1 |
| 6279113 | Vaidya | Aug 2001 | B1 |
| 6321338 | Porras et al. | Nov 2001 | B1 |
| 6405318 | Rowland | Jun 2002 | B1 |
| 6408391 | Huff et al. | Jun 2002 | B1 |
| 6408404 | Ladwig | Jun 2002 | B1 |
| 6484203 | Porras et al. | Nov 2002 | B1 |
| 6542075 | Barker et al. | Apr 2003 | B2 |
| 6694362 | Secor et al. | Feb 2004 | B1 |
| 6704874 | Porras et al. | Mar 2004 | B1 |
| 6708212 | Porras et al. | Mar 2004 | B2 |
| 6711615 | Porras et al. | Mar 2004 | B2 |
| 6714513 | Joiner et al. | Mar 2004 | B1 |
| 6721713 | Guheen et al. | Apr 2004 | B1 |
| 6754705 | Joiner et al. | Jun 2004 | B2 |
| 6789117 | Joiner et al. | Sep 2004 | B1 |
| 6789202 | Ko et al. | Sep 2004 | B1 |
| 6839850 | Campbell et al. | Jan 2005 | B1 |
| 6892227 | Elwell et al. | May 2005 | B1 |
| 6928556 | Black et al. | Aug 2005 | B2 |
| 6941358 | Joiner et al. | Sep 2005 | B1 |
| 6957186 | Guheen et al. | Oct 2005 | B1 |
| 6957348 | Flowers et al. | Oct 2005 | B1 |
| 6966015 | Steinberg et al. | Nov 2005 | B2 |
| 6985920 | Bhattacharya et al. | Jan 2006 | B2 |
| 6988208 | Hrabik et al. | Jan 2006 | B2 |
| 6990591 | Pearson | Jan 2006 | B1 |
| 7007301 | Crosbie et al. | Feb 2006 | B2 |
| 7039953 | Black et al. | May 2006 | B2 |
| 7043727 | Bennett et al. | May 2006 | B2 |
| 7062783 | Joiner | Jun 2006 | B1 |
| 7065657 | Moran | Jun 2006 | B1 |
| 7073055 | Freed et al. | Jul 2006 | B1 |
| 7076803 | Bruton et al. | Jul 2006 | B2 |
| 7089428 | Farley et al. | Aug 2006 | B2 |
| 7103874 | McCollum et al. | Sep 2006 | B2 |
| 7127743 | Khanolkar et al. | Oct 2006 | B1 |
| 7154857 | Joiner et al. | Dec 2006 | B1 |
| 7159237 | Schneier et al. | Jan 2007 | B2 |
| 7171689 | Beavers | Jan 2007 | B2 |
| 7219239 | Njemanze et al. | May 2007 | B1 |
| 7222366 | Bruton et al. | May 2007 | B2 |
| 7260830 | Sugimoto | Aug 2007 | B2 |
| 7260844 | Tidwell et al. | Aug 2007 | B1 |
| 7278160 | Black et al. | Oct 2007 | B2 |
| 7308689 | Black et al. | Dec 2007 | B2 |
| 7333999 | Njemanze | Feb 2008 | B1 |
| 7376969 | Njemanze et al. | May 2008 | B1 |
| 7483972 | Bhattacharya et al. | Jan 2009 | B2 |
| 7644365 | Bhattacharya et al. | Jan 2010 | B2 |
| 20020019945 | Houston et al. | Feb 2002 | A1 |
| 20020069369 | Tremain | Jun 2002 | A1 |
| 20020087882 | Schneier et al. | Jul 2002 | A1 |
| 20020099958 | Hrabik et al. | Jul 2002 | A1 |
| 20020104014 | Zobel et al. | Aug 2002 | A1 |
| 20020147803 | Dodd et al. | Oct 2002 | A1 |
| 20020184532 | Hackenberger et al. | Dec 2002 | A1 |
| 20030023876 | Bardsley et al. | Jan 2003 | A1 |
| 20030084349 | Friedrichs et al. | May 2003 | A1 |
| 20030093514 | Valdes et al. | May 2003 | A1 |
| 20030093692 | Porras | May 2003 | A1 |
| 20030097588 | Fischman et al. | May 2003 | A1 |
| 20030101358 | Porras et al. | May 2003 | A1 |
| 20030145225 | Bruton et al. | Jul 2003 | A1 |
| 20030188189 | Desai et al. | Oct 2003 | A1 |
| 20030196123 | Rowland et al. | Oct 2003 | A1 |
| 20030221123 | Beavers | Nov 2003 | A1 |
| 20040010601 | Afergan et al. | Jan 2004 | A1 |
| 20040010718 | Porras et al. | Jan 2004 | A1 |
| 20040015718 | DeClouet | Jan 2004 | A1 |
| 20040024864 | Porras et al. | Feb 2004 | A1 |
| 20040034795 | Anderson et al. | Feb 2004 | A1 |
| 20040034800 | Singhal et al. | Feb 2004 | A1 |
| 20040044912 | Connary et al. | Mar 2004 | A1 |
| 20040073800 | Shah et al. | Apr 2004 | A1 |
| 20040088583 | Yoon et al. | May 2004 | A1 |
| 20040098623 | Scheidell | May 2004 | A1 |
| 20040123141 | Yadav | Jun 2004 | A1 |
| 20040221191 | Porras et al. | Nov 2004 | A1 |
| 20040260763 | Bhattacharya et al. | Dec 2004 | A1 |
| 20050027845 | Secor et al. | Feb 2005 | A1 |
| 20050060562 | Bhattacharya et al. | Mar 2005 | A1 |
| 20050204404 | Hrabik et al. | Sep 2005 | A1 |
| 20050235360 | Pearson | Oct 2005 | A1 |
| 20050251860 | Saurabh et al. | Nov 2005 | A1 |
| 20060069956 | Steinberg et al. | Mar 2006 | A1 |
| 20060095587 | Bhattacharya et al. | May 2006 | A1 |
| 20060212932 | Patrick et al. | Sep 2006 | A1 |
| 20070118905 | Morin et al. | May 2007 | A1 |
| 20070136437 | Shankar et al. | Jun 2007 | A1 |
| 20070150579 | Morin et al. | Jun 2007 | A1 |
| 20070162973 | Schneier et al. | Jul 2007 | A1 |
| 20070169038 | Shankar et al. | Jul 2007 | A1 |
| 20070234426 | Khanolkar et al. | Oct 2007 | A1 |
| 20070260931 | Aguilar-Macias et al. | Nov 2007 | A1 |
| 20080104046 | Singla et al. | May 2008 | A1 |
| 20080104276 | Lahoti et al. | May 2008 | A1 |
| 20080162592 | Huang et al. | Jul 2008 | A1 |
| 20080165000 | Morin et al. | Jul 2008 | A1 |
| 20100058165 | Bhattacharya et al. | Mar 2010 | A1 |
| Number | Date | Country |
|---|---|---|
| WO 0245315 | Jun 2002 | WO |
| WO 02060117 | Aug 2002 | WO |
| WO 02078262 | Oct 2002 | WO |
| WO 02101988 | Dec 2002 | WO |
| WO 03009531 | Jan 2003 | WO |
| WO 2004019186 | Mar 2004 | WO |
| WO 2005001655 | Jan 2005 | WO |
| WO 2005026900 | Mar 2005 | WO |
