HIERARCHICAL ARCHITECTURE IN A NETWORK SECURITY SYSTEM
The present invention relates to a network security system, and, in particular, to a network security system having a hierarchical architecture.
Computer networks and systems have become indispensable tools for modern business. Today terabits of information on virtually every subject imaginable are stored in and accessed across such networks by users throughout the world. Much of this information is, to some degree, confidential and its protection is required. Not surprisingly then, various network security monitor devices have been developed to help uncover attempts by unauthorized persons and/or devices to gain access to computer networks and the information stored therein.
Network security products largely include Intrusion Detection Systems (IDS's), which can be Network or Host based (NIDS and HIDS respectively). Other network security products include firewalls, router logs, and various other event reporting devices. Due to the size of their networks, many enterprises deploy hundreds, or thousands, of these products throughout their networks. Thus, network security personnel are bombarded with alarms representing possible security threats. Most enterprises do not have the resources or the qualified personnel to individually attend to all of the received alarms.
Furthermore, many large organizations deploy these devices locally at each of their sites to distribute computational resources and to limit bandwidth use. Since security events generally concern local attacks, such division is generally helpful. However, localizing network security can have disadvantages, since not all available and relevant information is used during the threat analysis and decision making.
A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the security events. Each of the subsystems can report the correlated events to a global manager module coupled to the plurality of subsystems, and the global manager module can correlate the correlated events from each manager module.
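As an added illustration of the two-tier flow just described (agents normalize monitor-device records, a local manager correlates them per site, and a global manager correlates the local managers' reports), the following example is not code from the patent: the record layout, sensor categories, rule thresholds, site names and sample records are all constructed for the example.

```python
"""Hierarchical event correlation: agents -> local managers -> global manager.

Added illustration of the architecture described in the text; not the
patent's own code. Record layout, sensor names, thresholds, site names and
sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityEvent:
    """Normalized event produced by an agent from a monitor device's raw output."""
    site: str
    sensor: str        # constructed categories: "nids", "firewall"
    src_ip: str
    dst_ip: str
    action: str        # e.g. "scan", "deny" (constructed)
    ts: int            # seconds, constructed clock


@dataclass
class CorrelatedEvent:
    """Output of a manager: several lower-level events tied to one source."""
    level: str                      # "local" or "global"
    site: str                       # site name, or "*" for cross-site
    src_ip: str
    reason: str
    members: list = field(default_factory=list)


class Agent:
    """Collects raw records from one monitor device and normalizes them."""

    def __init__(self, site: str, sensor: str):
        self.site, self.sensor = site, sensor

    def collect(self, raw_lines):
        events = []
        for line in raw_lines:
            # Constructed record layout: "<ts> <src> <dst> <action>"
            ts, src, dst, action = line.split()
            events.append(SecurityEvent(self.site, self.sensor, src, dst, action, int(ts)))
        return events


class LocalManager:
    """Correlates the security events collected by one site's agents."""

    def __init__(self, site, threshold=3, window=60):
        self.site, self.threshold, self.window = site, threshold, window

    def correlate(self, events):
        by_src = defaultdict(list)
        for e in sorted(events, key=lambda e: e.ts):
            by_src[e.src_ip].append(e)
        out = []
        for src, evs in by_src.items():
            # Constructed rule: one source touching >= threshold distinct
            # destinations within `window` seconds is reported upward.
            start = 0
            for end in range(len(evs)):
                while evs[end].ts - evs[start].ts > self.window:
                    start += 1
                span = evs[start:end + 1]
                if len({e.dst_ip for e in span}) >= self.threshold:
                    out.append(CorrelatedEvent("local", self.site, src,
                                               f"{len(span)} hosts touched", span))
                    break
        return out


class GlobalManager:
    """Correlates the correlated events reported by every local manager."""

    def correlate(self, reports, min_sites=2):
        by_src = defaultdict(list)
        for ce in reports:
            by_src[ce.src_ip].append(ce)
        out = []
        for src, ces in by_src.items():
            sites = {ce.site for ce in ces}
            # A source reported by several sites is only visible at this tier;
            # no single local manager holds the other sites' reports.
            if len(sites) >= min_sites:
                out.append(CorrelatedEvent("global", "*", src,
                                           f"seen at {sorted(sites)}", ces))
        return out


# Constructed sample input: two sites, each with a NIDS agent and a firewall agent.
SITE_A_NIDS = ["100 203.0.113.9 10.1.0.5 scan", "110 203.0.113.9 10.1.0.6 scan",
               "120 203.0.113.9 10.1.0.7 scan"]
SITE_A_FW = ["130 198.51.100.2 10.1.0.8 deny"]
SITE_B_NIDS = ["200 203.0.113.9 10.2.0.5 scan", "205 203.0.113.9 10.2.0.6 scan",
               "210 203.0.113.9 10.2.0.7 scan"]
SITE_B_FW = ["400 198.51.100.2 10.2.0.9 deny", "401 198.51.100.2 10.2.0.10 deny",
             "402 198.51.100.2 10.2.0.11 deny"]


def run_hierarchy():
    """Run both tiers and return (local_reports, global_reports)."""
    feeds = {"site-a": [("nids", SITE_A_NIDS), ("firewall", SITE_A_FW)],
             "site-b": [("nids", SITE_B_NIDS), ("firewall", SITE_B_FW)]}
    local_reports = []
    for site, sensors in feeds.items():
        events = []
        for sensor, lines in sensors:
            events += Agent(site, sensor).collect(lines)
        local_reports += LocalManager(site).correlate(events)
    return local_reports, GlobalManager().correlate(local_reports)


if __name__ == "__main__":
    local, glob = run_hierarchy()
    for ce in local + glob:
        print(ce.level, ce.site, ce.src_ip, ce.reason)
```

With the constructed input, each local manager reports the source that sweeps three hosts at its own site (three local reports in all), and only the global manager, holding both sites' reports, recognises that 203.0.113.9 was active at both; the single firewall deny at site-a never leaves that site because it did not meet the local rule, which is the bandwidth-saving trade-off the text describes.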
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like reference numerals refer to similar elements and in which:
FIG. 1 is a block diagram illustrating a standard configuration for implementing a network security system;
FIG. 2 is a block diagram illustrating a hierarchical configuration for implementing a network security system according to one embodiment of the present invention;
FIG. 3 is a block diagram illustrating an example environment in which one embodiment of the present invention may be implemented;
FIG. 4 is a block diagram illustrating additional detail of one embodiment of a subsystem according to the present invention;
FIG. 5 is a block diagram illustrating additional detail of another embodiment of a subsystem according to the present invention; and
FIG. 6 is a block diagram illustrating another example environment in which one embodiment of the present invention may be implemented.
Described herein is a network security system having a hierarchical configuration.
Although the present system will be discussed with reference to various illustrated examples, these examples should not be read to limit the broader spirit and scope of the present invention. For example, the examples presented herein describe distributed agents, managers and various network devices, which are but one embodiment of the present invention. The general concepts and reach of the present invention are much broader and may extend to any computer-based or network-based security system.
Some portions of the detailed description that follows are presented in terms of algorithms and symbolic representations of operations on data within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the computer science arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like. It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise, it will be appreciated that throughout the description of the present invention, use of terms such as "processing", "computing", "calculating", "determining", "displaying" or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
As indicated above, one embodiment of the present invention is instantiated in computer software, that is, computer readable instructions, which, when executed by one or more computer processors/systems, instruct the processors/systems to perform the designated actions. Such computer software may be resident in one or more computer readable media, such as hard drives, CD-ROMs, DVD-ROMs, read-only memory, read-write memory and so on. Such software may be distributed on one or more of these media, or may be made available for download across one or more computer networks (e.g., the Internet). Regardless of the format, the computer programming, rendering and processing techniques discussed herein are simply examples of the types of programming, rendering and processing techniques that may