Patents by Inventor Hugh S. Njemanze

Hugh S. Njemanze has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9027120
    Abstract: A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect base security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the base security events. Each subsystem can also include a filter coupled to the manager module to select which base security events are to be processed further. The selected base security events are passed to a global manager module coupled to the plurality of subsystems that generates global correlated events by correlating the base security events selected for further processing by each filter of each subsystem.
    Type: Grant
    Filed: October 10, 2003
    Date of Patent: May 5, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Kenny Tidwell, Christian Beedgen, Hugh S. Njemanze, Pravin S. Kothari
  • Patent number: 8613083
    Abstract: In one embodiment, the present invention provides for receiving security events from a network device by a distributed software agent of a network security system, determining a priority of each received security event, and storing the security events in a plurality of prioritized event buffers based on the determined priorities for a period of time determined by a timer. Upon expiration of the timer, a batch of security events for transport to a security event manager of the network security system can be created by including security events in the batch in order of priority until the batch is full.
    Type: Grant
    Filed: April 25, 2007
    Date of Patent: December 17, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Hugh S. Njemanze, Hector Aguilar-Macias, Christian Friedrich Beedgen
  • Patent number: 8560679
    Abstract: A selected time interval of previously stored events generated by a number of computer network devices are replayed and cross-correlated according to rules. Meta-events are generated when the events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested and/or debugged against actual event data).
    Type: Grant
    Filed: February 18, 2011
    Date of Patent: October 15, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Hugh S. Njemanze, Debabrata Dash, Shijie Wang
  • Publication number: 20130081065
    Abstract: Mapping event data to a domain schema includes receiving (301) event data for an event, wherein the event data is arranged in a source schema of a data source providing the event data. A best fit domain schema is determined (302) from a plurality of domain schemas, wherein the domain schemas include different fields from the source schema. The event data in the source schema is mapped (303) to the best fit domain schema.
    Type: Application
    Filed: June 1, 2011
    Publication date: March 28, 2013
    Inventors: Dhiraj Sharan, Steve Chan, Christian Friedrich Beedgen, Hugh S. Njemanze
  • Patent number: 8365278
    Abstract: A user interface for a network security console associated with multiple network security devices is disclosed. A graphical user interface (GUI) for use with an intrusion detection system, comprises a radar display that is configured to simulate a stream of time-based events chronologically. In addition, one or more playback controls are configured to control the stream during simulation. In further embodiments, the radar display includes a slider configured to allow a user to jump to events that occurred at a user-defined time.
    Type: Grant
    Filed: September 10, 2009
    Date of Patent: January 29, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Hugh S. Njemanze, Rajesh P. Bhatt
  • Publication number: 20120260306
    Abstract: First stage meta-events are generated based on analyzing time attributes of base events received from a network component. Second stage meta-events are generated based on a number of the first stage meta-events that have a time attribute falling within a time period. An amount of time that has passed since a most-recent second stage meta-event was generated is determined, and if a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event is determined.
    Type: Application
    Filed: April 10, 2012
    Publication date: October 11, 2012
    Inventors: Hugh S. Njemanze, Pravin S. Kothari, Debabrata Dash, Shijie Wang
  • Patent number: 8230507
    Abstract: The present invention provides for the receipt of a request to modify a software agent's configuration at a server-based manager. A determination of the modifications to the software agent is made at the server-based manager. The requested modifications are then delivered to the software agent. The software agent interprets the requested modifications and implements them.
    Type: Grant
    Filed: June 1, 2010
    Date of Patent: July 24, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Hugh S. Njemanze, Hector Aguilar-Macias, Qiang Zeng, Christian Friedrich Beedgen
  • Patent number: 8230512
    Abstract: Clocks used by network security devices can be synchronized by a network security system. In one embodiment, the synchronization can include the network security system receiving a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock. Similarly, the network security system can receive a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock.
    Type: Grant
    Filed: June 26, 2009
    Date of Patent: July 24, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Hugh S. Njemanze
  • Patent number: 8176527
    Abstract: A rules engine with support for time-based rules is disclosed. A method performed by the rules engine, comprises receiving security events generated by a number of network devices. The security events are aggregated. One or more time-based rules are provided to a RETE engine. The aggregated security events are provided to the RETE engine at specific times associated with the time-based rules. The security events are cross-correlated with the one or more time-based rules; and one or more first stage meta-events are reported.
    Type: Grant
    Filed: December 2, 2002
    Date of Patent: May 8, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Hugh S. Njemanze, Pravin S. Kothari, Debabrata Dash, Shijie Wang
  • Patent number: 8056130
    Abstract: Security events generated by a number of network devices are gathered and normalized to produce normalized security events in a common schema. The normalized security events are cross-correlated according to rules to generate meta-events. The security events may be gathered remotely from a system at which the cross-correlating is performed. Any meta-events that are generated may be reported by generating alerts for display at one or more computer consoles, or by sending an e-mail message, a pager message, a telephone message, and/or a facsimile message to an operator or other individual. In addition to reporting the meta-events, the present system allows for taking other actions specified by the rules, for example executing scripts or other programs to reconfigure one or more of the network devices, and/or to modify or update access lists, etc.
    Type: Grant
    Filed: April 4, 2008
    Date of Patent: November 8, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Hugh S. Njemanze, Pravin S. Kothari
  • Patent number: 8015604
    Abstract: A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the security events. Each of the subsystems can report the correlated events to a global manager module coupled to the plurality of subsystems, and the global manager module can correlate the correlated events from each manager module.
    Type: Grant
    Filed: October 10, 2003
    Date of Patent: September 6, 2011
    Assignee: ArcSight Inc
    Inventors: Kenny Tidwell, Christian Beedgen, Hugh S. Njemanze, Pravin S. Kothari
  • Publication number: 20110145711
    Abstract: A selected time interval of previously stored events generated by a number of computer network devices are replayed and cross-correlated according to rules. Meta-events are generated when the events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested and/or debugged against actual event data).
    Type: Application
    Filed: February 18, 2011
    Publication date: June 16, 2011
    Inventors: Hugh S. Njemanze, Debabrata Dash, Shijie Wang
  • Publication number: 20110113048
    Abstract: A traditional structured data store is leveraged to provide the benefits of an unstructured full-text search system. A fixed number of “extended” columns is added to the traditional structured data store to form an “enhanced structured data store” (ESDS). The extended columns are independent of any regular columnar interpretation of the data and enable the data that they store to be searched using standard full-text query syntax/techniques that can be executed faster (as opposed to SQL syntax). In other words, the added columns act as a search index. A token is stored in an appropriate extended column based on that token's hash value. The hash value is determined using a hashing scheme, which operates based on the value of the token, rather than the meaning of the token. This enables subsequent searches to be expressed as full-text queries without degrading the ensuing search to a brute force scan.
    Type: Application
    Filed: November 9, 2010
    Publication date: May 12, 2011
    Inventor: Hugh S. Njemanze
  • Patent number: 7899901
    Abstract: A selected time interval of previously stored security events generated by a number of computer network devices are replayed and cross-correlated according to rules defining security incidents. Meta-events are generated when the security events satisfy conditions associated with one or more of the rules. The rules used during replay may differ from prior rules used at a time when the security events occurred within a computer network that included the computer network devices. In this way, new rules can be tested against true security event data streams to determine whether or not the rules should be used in a live environment (i.e., the efficacy of the rules can be tested and/or debugged against actual security event data).
    Type: Grant
    Filed: December 2, 2002
    Date of Patent: March 1, 2011
    Assignee: ArcSight, Inc.
    Inventors: Hugh S. Njemanze, Debabrata Dash, Shijie Wang
  • Patent number: 7861299
    Abstract: A network security system is provided that receives information from various sensors and can analyze the received information. In one embodiment of the present invention, such a system receives a security event from a software agent. The received security event includes a target address and an event signature, as generated by the software agent. The event signature can be used to determine a set of vulnerabilities exploited by the received security event, and the target address can be used to identify a target asset within the network. By accessing a model of the target asset, a set of vulnerabilities exposed by the target asset can be retrieved. Then, a threat can be detected by comparing the set of vulnerabilities exploited by the security event to the set of vulnerabilities exposed by the target asset.
    Type: Grant
    Filed: August 9, 2007
    Date of Patent: December 28, 2010
    Assignee: ArcSight, Inc.
    Inventors: Kenny C. Tidwell, Kumar Saurabh, Debabrata Dash, Hugh S. Njemanze, Pravin S. Kothari
  • Patent number: 7809131
    Abstract: Sensor device times can vary and may be set significantly wrong. In one embodiment, the present invention can adjust a sensor's time by receiving a raw security event from a sensor device, determining whether a timestamp included in the raw security event is within a timerange around a time known by the agent, determining whether a time offset is in a non-initialized state, and determining whether to adjust the timestamp by applying the time offset to the timestamp, the determination being based on whether the timestamp included in the security event is within the timerange around the time known by the agent and whether the time offset is in a non-initialized state.
    Type: Grant
    Filed: December 23, 2004
    Date of Patent: October 5, 2010
    Assignee: ArcSight, Inc.
    Inventors: Hugh S. Njemanze, Hector Aguilar-Macias
  • Patent number: 7788722
    Abstract: The present invention provides for the receipt of a request to modify a software agent's configuration at a server-based manager. A determination of the modifications to the software agent is made at the server-based manager. The requested modifications are then delivered to the software agent. The software agent interprets the requested modifications and implements them.
    Type: Grant
    Filed: December 2, 2002
    Date of Patent: August 31, 2010
    Assignee: ArcSight, Inc.
    Inventors: Hugh S. Njemanze, Hector Aguilar-Macias, Qiang Zeng, Christian Friedrich Beedgen
  • Patent number: 7650638
    Abstract: The present invention provides for the receipt of a heartbeat message transmitted from a software agent within a host machine to a server-based agent manager. The server-based agent manager analyzes the heartbeat message to determine the identity of the sending software agent. The server-based agent manager then determines what information is to be included in a response message to the software agent. The server-based agent manager prepares the response message to be sent to the software agent. The server-based agent manager transmits the response message to the software agent over a bi-directional communication link between the software agent and the server-based agent manager. The software agent receives the response message; deserializes the response message; reviews the instructions within the response message; and performs operations necessary to carry out the instructions delivered in the response message.
    Type: Grant
    Filed: December 2, 2002
    Date of Patent: January 19, 2010
    Assignee: ArcSight, Inc.
    Inventors: Hugh S. Njemanze, Hector Aguilar-Macias, Qiang Zeng, Christian Friedrich Beedgen, Pravin S. Kothari
  • Patent number: 7607169
    Abstract: A user interface for a network security console associated with multiple network security devices is disclosed. A graphical user interface (GUI) for use with an intrusion detection system, comprises a radar display that is configured to simulate a stream of time-based events chronologically. In addition, one or more playback controls are configured to control the stream during simulation. In further embodiments, the radar display includes a slider configured to allow a user to jump to events that occurred at a user-defined time.
    Type: Grant
    Filed: December 2, 2002
    Date of Patent: October 20, 2009
    Assignee: ArcSight, Inc.
    Inventors: Hugh S. Njemanze, Rajesh P. Bhatt
  • Patent number: 7565696
    Abstract: Clocks used by network security devices can be synchronized by a network security system. In one embodiment, the synchronization can include the network security system receiving a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock. Similarly, the network security system can receive a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock.
    Type: Grant
    Filed: December 10, 2003
    Date of Patent: July 21, 2009
    Assignee: ArcSight, Inc.
    Inventor: Hugh S. Njemanze