US20170126727A1 - Integrated security system having threat visualization - Google Patents
- Publication number
- US20170126727A1 (application no. US14/983,927)
- Authority
- US
- United States
- Prior art keywords
- security
- threats
- threat
- management system
- administrator
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
Definitions
- the invention relates to computer networks, and, more particularly, to management and configuration techniques of network security devices.
- Data and technology stored in computer systems and networks are vulnerable to increasing levels of cyberthreats.
- Common types of network attacks include denial-of-service (DoS) attacks, spoofing attacks, packet eavesdropping or interception, and the like.
- administrators tasked to protect computer networks are increasingly burdened and ill-equipped to mitigate and resolve cyberthreats and network attacks efficiently and effectively.
- Currently, to respond to cyberthreats, administrators must take part in a manual, labor-intensive process of configuring policies or other protection systems in an attempt to block such threats.
- this disclosure describes an integrated security management system that provides centralized threat visualization and automated control of security devices distributed throughout a network.
- the security management system includes one or more processors, one or more computer-readable memories storing instructions that, when executed, implement a sophisticated user interface and visualization engine that generates and displays a live threat visualization of animated network threats in real-time or near real-time.
- the security management system includes a threat data aggregator that aggregates data on one or more threats from one or more security devices deployed within a security domain, e.g., an enterprise network.
- the security management system may also include a threat control module capable of displaying the one or more threats and configuring the security devices deployed within the network including, for example, deploying created or updated security policies in response to one or more detected network attacks.
- An administrator may, for example, interact with the graphical representation of threats rendered by the threat control module based on the data aggregated from the distributed security devices and, responsive to the interaction, the security management system may identify a relevant set of the security devices, automatically construct security policies having ordered rules within the policies for the identified set of security devices, and automatically communicate and install the policies in the identified set of security devices using a policy deployment engine of the underlying network management components of the integrated security management system.
- the security management system enables administrators to take direct actions, such as selectively blocking or allowing traffic and applications, while monitoring events from a graphical representation of threats.
- the administrator in an enterprise interacts with the graphical representation of threats rendered by the security management system to automatically invoke a policy/rule module of the security management system to configure and update security policies for the security devices deployed throughout the computer networks of the enterprise.
- FIG. 1 is a block diagram illustrating an example enterprise network having an integrated security management system as described herein.
- FIG. 2 is a block diagram illustrating an example integrated security management system, in one aspect of this disclosure.
- FIG. 3 is an example security device, which processes network flows to identify potential network threats, in one aspect of this disclosure.
- FIGS. 4A-4C illustrate example user interfaces generated by a security management system to present to an administrator a representation of the aggregated threat data, in various aspects of the disclosure.
- FIGS. 5A-5E illustrate example user interfaces generated by the security management system to present to an administrator representations of filtered event data associated with a threat, in various aspects of the disclosure.
- FIGS. 6A-6D illustrate example user interfaces generated by security management system by which an administrator may review and publish automatically created rules associated with security policies, in various aspects of the disclosure.
- FIG. 7 illustrates an example user interface generated by security management system by which an administrator may enable deployment and/or publication of the automatically created security policies, in one aspect of the disclosure.
- FIG. 8 illustrates an example user interface generated by security management system by which an administrator may view the job status of the published or updated security policies.
- FIG. 9 illustrates an example interface generated by security management system by which an administrator may view the source or destination details of the threat device, in one aspect of the disclosure.
- FIG. 10 is a flowchart showing an example operation of security management system.
- FIG. 11 shows a detailed example of a computing device that may be configured to implement some embodiments in accordance with the current disclosure.
- FIG. 1 is a block diagram illustrating an example enterprise network having an integrated security management system as described herein.
- enterprise network 2 includes an integrated security management system 10 and one or more security devices 5 deployed in a distributed manner throughout the network.
- The one or more security devices 5A-5C (collectively "security devices 5") of enterprise network 2 are interconnected via communication links that form a communication topology.
- security devices 5 monitor packet flows within network 2 and apply security services to those packet flows so as to protect computing resources (not shown) within the network, such as network servers, end user computers and infrastructure devices providing network connectivity.
- security devices 5 may perform deep packet inspection on the packet flows to detect patterns or anomalies within the packet flows that are indicative of threats, such as network attacks, viruses, malware and the like.
- security devices 5 typically apply policies that define criteria (e.g., header information, patterns, anomaly information) to be compared with the packet flows and take actions specified by the policies, such as dropping packet flows, logging packet flows or redirecting packet flows to packet analyzers for further analysis.
- Security devices 5 may include, for example, firewalls, intrusion detection systems (IDS) or intrusion detection and prevention (IDP) systems, or even high-end routers or service nodes configured to apply network security services to packet flows within network 2.
- Although described here in terms of packets, enterprise network 2 may transmit data as any other discrete data unit defined by another protocol, such as a cell defined by the Asynchronous Transfer Mode (ATM) protocol or a datagram defined by the User Datagram Protocol (UDP).
- Communication links interconnecting security devices 5 may be physical links (e.g., optical, copper, and the like) or wireless.
- Enterprise network 2 may be coupled to one or more additional private or public networks, e.g., the Internet (not shown).
- enterprise network 2 is shown coupled to public networks 4A-4C (collectively "public network 4") (e.g., the Internet) via communication links 7A-7C, respectively.
- Public network 4 may include, for example, one or more client computing devices.
- Public network 4 may provide access to web servers, application servers, public databases, media servers, end-user devices, and other types of network resource devices and content.
- Network devices in public network 4 may present a number of security threats to enterprise network 2 .
- devices in public network 4 may attempt to deliver worms, trojans, and/or viruses to one or more of security devices 5 .
- a hacker using a device in public network 4 may attempt to infiltrate enterprise network 2 to snoop, corrupt, destroy, or steal information stored by one or more security devices 5 .
- security management system 10 enables centralized management of security devices 5 by collecting and aggregating threat information from the security devices 5 and presenting a unified, real-time visualization of network threats present throughout enterprise network 2 .
- security management system 10 provides an integrated system that provides network administrators, e.g., administrator 12 , with a centralized, single point of control for managing security devices 5 in response to network threats.
- security management system 10 receives and aggregates data from security devices 5 in real-time as threats are detected and identified within a security domain, e.g., enterprise network 2 .
- Security management system 10 renders and maintains an animated representation of the identified threats based on the data aggregated from distributed security devices 5 .
- security management system 10 identifies a relevant set of security devices 5 , automatically constructs security policies having ordered rules within the policies for the identified set of security devices 5 , and automatically communicates and installs the policies in the identified set of security devices 5 using an underlying policy deployment engine integrated within security management system 10 .
- security management system 10 is illustrated as participating in configuration sessions 9A-9C (collectively "configuration sessions 9") with security devices 5 to communicate and install the policies in the identified set of security devices 5.
- security management system 10 enables administrators 12 to take direct actions, such as selectively blocking or allowing traffic and applications, while monitoring events from a representation of threats identified anywhere within network 2 .
- the administrator is able to interact with the representation of the threats as rendered by security management system 10 to automatically configure and update security policies of security devices 5 deployed throughout network 2 .
- security management system 10 and security devices 5 managed by security management system 10 may be centrally maintained by an IT group of the enterprise.
- Administrator 12 may interact with security management system 10 to remotely monitor and configure security devices 5 .
- administrator 12 may receive alerts from security management system 10 regarding security devices 5 , view live threat and configuration information data of security devices 5 , drill-down to filtered representations of filtered threat data, create or update security policies for security devices 5 , add new security devices to enterprise network 2 , remove existing security devices from enterprise network 2 , or otherwise manipulate the enterprise network 2 and security devices therein.
- the techniques of this invention are applicable to other network types, public and private, including LANs, VLANs, VPNs, and the like.
- Administrator 12 may use security management system 10 to configure security devices 5 with security policies, where each security policy represents a set of one or more ordered rules that specify certain operational characteristics that further the objectives of administrator 12 .
- A security policy, as an ordered set of rules, may specify for a security device 5 how incoming or outgoing Internet Protocol (IP) traffic is to be treated.
- Although described with respect to security policies and rules, the techniques of this disclosure may be applicable to other aspects of security devices, including modifying routing tables, or updating or reordering pre-existing security policies or rules.
- security devices 5 maintain data for a particular policy (e.g., security) as an ordered list of one or more rules that are each keyed to a unique identifier.
- Upon occurrence of a triggering event in one of the managed security devices 5, such as the receipt of a network packet, the security device 5 sequentially traverses the ordered list to determine the first policy rule in the list that applies to the triggering event data. If the security device finds an applicable policy rule, it executes the specified action (e.g., drop the packet, update a traffic log, redirect the packet for further analysis and inspection, or block or allow the packet).
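The first-match traversal described above means that the position at which an automatically constructed rule is inserted decides whether it ever fires. The following Python is an added example written for this page, not code from the patent or from any product it describes; the rule fields, the implicit default action and the packet dictionaries are assumptions made for the demonstration. It evaluates a packet against an ordered list, shows a block rule appended after a broader allow rule being shadowed, and places the rule ahead of the first overlapping rule with a different action so that it takes effect.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One entry of an ordered policy, keyed to a unique identifier.
    The field set is an assumption made for this example."""
    rule_id: str
    action: str                     # "block", "allow", "log" or "redirect"
    src: str = "0.0.0.0/0"          # source prefix to match
    dst: str = "0.0.0.0/0"          # destination prefix to match
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

    def overlaps(self, other: "Rule") -> bool:
        """True if some packet could match both rules, so their relative order matters."""
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and (None in (self.proto, other.proto) or self.proto == other.proto)
                and (None in (self.dport, other.dport) or self.dport == other.dport))


DEFAULT_ACTION = "block"   # assumption: implicit deny when no rule applies


def evaluate(policy: list, pkt: dict):
    """Traverse the ordered list; the first applicable rule decides the action."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return DEFAULT_ACTION, None


def first_conflict(policy: list, new_rule: Rule) -> Optional[str]:
    """Identifier of the first rule ahead of new_rule that overlaps it with a
    different action; such a rule takes precedence over new_rule."""
    for rule in policy:
        if rule.rule_id == new_rule.rule_id:
            break
        if rule.action != new_rule.action and rule.overlaps(new_rule):
            return rule.rule_id
    return None


def place_rule(policy: list, new_rule: Rule) -> list:
    """Return a new ordered list with new_rule inserted just before the first
    conflicting rule, or appended when nothing earlier could override it."""
    conflict = first_conflict(policy, new_rule)
    if conflict is None:
        return policy + [new_rule]
    idx = next(i for i, r in enumerate(policy) if r.rule_id == conflict)
    return policy[:idx] + [new_rule] + policy[idx:]


if __name__ == "__main__":
    # Committed policy: permit HTTPS from anywhere into the 10/8 server range.
    policy = [Rule("allow-https", "allow", dst="10.0.0.0/8", proto="tcp", dport=443)]
    # Constructed packet from an address the threat view flagged.
    pkt = {"src": "203.0.113.7", "dst": "10.1.2.3", "proto": "tcp", "dport": 443}
    block = Rule("block-203.0.113.7", "block", src="203.0.113.7/32")
    print("append :", evaluate(policy + [block], pkt))   # allow-https still wins
    placed = place_rule(policy, block)
    print("placed :", evaluate(placed, pkt))             # block rule now first
    print("order  :", [r.rule_id for r in placed])
```

The overlap test is deliberately conservative: it flags any earlier rule whose match set intersects the new one, not only rules that fully cover it, because partial shadowing is enough to let the flagged traffic through.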
- FIG. 2 is a block diagram illustrating an example integrated security management system 10 , in one aspect of this disclosure.
- security management system 10 provides a system and interface with which administrator 12 can view live or near-live threats, quickly assess a filtered representation of the threat data associated with a given threat for comprehensive analysis, and configure or modify security policies of security devices 5 in response to the threat.
- threat control module 17 of security management system 10 constructs and outputs an interface to enable administrator 12 to view live threats on, for instance, a grid, chart or map, to drill-down to various filtered representations of filtered threat data associated with the threats, to insert or configure new rules in a current or new policy for one or more of security devices 5 , to produce an updated policy for the security devices 5 , and to delete or change the ordering of existing rules.
- administrator 12 may direct security management system 10 to deploy the configuration to one or more of security devices 5 through a policy deployment engine 26 based on the new or updated policy.
- security management system 10 automatically modifies policies of security devices 5 as a response to, for example, the detection of threats.
- security management system 10 provides live threat visualization of enterprise-wide threats in real-time or near real-time and integrates automatic policy generation and deployment to security devices 5 in the visualization process, thereby providing a seamless user experience for monitoring and acting on threats in a centralized management system.
- security management system 10 integrates threat aggregation and visualization with an underlying device management system capable of centrally managing configuration information for network devices of network 2 , including security devices 5 .
- security management system 10 enables administrator 12 to view live network traffic information and quickly diagnose and prevent an attack, such as by seamlessly enabling administrator 12 to quickly block or temporarily block network traffic for a given set of users, applications, geographic regions, combinations thereof, etc.
- Security management system 10 may further enable administrator 12 to allow network traffic that is not a threat, but may otherwise have been blocked by conventional techniques.
- security management system 10 enables administrator(s) 12 to seamlessly update, e.g., construct and deploy, security policies to security devices 5 , such as to block or allow packet flows between particular source and destination addresses, block or allow only traffic from a source address, or block or allow only traffic to a destination IP address.
- security management system 10 may receive detailed analysis of packets from each of security devices 5 .
- Security devices 5, such as an IDS or IDP system, may analyze both client-to-server and server-to-client packet flows, process the packets to perform application classification that identifies the type of application and communication protocol associated with each packet flow (e.g., Skype, Yahoo Messenger, the BitTorrent peer-to-peer protocol), and perform detailed analysis of the packets, for example, to identify specific fields within the packets in the packet flows, as further described herein.
- security management system 10 includes a threat data aggregator 14 that executes on one or more processors of security management system 10 to aggregate the detailed analysis of the packets received from the one or more security devices 5 with respect to any threats detected within the network.
- Security management system 10 may aggregate the threat data with threat data aggregator 14 , and may store information describing each active packet flow present within the network traffic within a threat database 16 .
- Threat database 16 may store specifications of security devices 5 associated with each active packet flow, i.e., low-level information such as source and destination devices and ports associated with the packet flow.
- security device 5 may identify pairs of packet flows that collectively form a single communication session between a client and server. For example, IDS 200 (described below with respect to FIG. 3) may designate a communication session as a pair of packet flows in opposite directions that share at least some common network addresses, ports and protocol.
- security management system 10 may poll security devices 5 for traffic information if the security devices 5 do not provide system updates.
- administrator 12 may view the aggregated threat data collected from security devices 5 , aggregated by threat data aggregator 14 , and stored in threat database 16 , as shown in FIG. 2 , formatted, for example, as a list, a grid, a chart, or a map.
- Threat data aggregator 14 may aggregate IP traffic information and collect various related information associated with the threats such as threat name, count, start time, threat severity, source location, source IP address, destination location, destination IP address, device information, attack category, attack type, service, impact of threat, and action taken, in one aspect of the disclosure.
- Threat data aggregator 14 may further aggregate application usage data values such as traffic to and from an application, and user data such as bandwidth and sessions.
- Threat control module 17 of security management system 10 may further include a visualization module 18 to generate various filtered representations of the live aggregated threat data, such as in grid, chart, or map view. Visualization module 18 may also generate filtered representations of live aggregated threat data in the form of an application usage view or user usage view. Threat control module 17 may then present the generated graphical representation of aggregated data to an administrator 12 for interaction and configuration of security devices 5 .
- security management system 10 may also include a policy/rule module 20 that executes on one or more processors of security management system 10 , wherein the policy/rule module 20 may generate configuration information for security devices 5 based on configuration information automatically generated by security management system 10 or defined by administrator 12 and received from threat control module 17 .
- security management system 10 may store configuration parameters in a candidate policy database 22 for review and eventual publishing to committed policy database 24 , as will be discussed in greater detail herein.
- Security management system 10 may also include a policy deployment engine 26 that sends the updated configuration information of security policies to security devices 5 .
- the underlying policy deployment engine 26 of security management system 10 may use one or more network management protocols designed for managing configuration data within managed security devices 5, such as the Simple Network Management Protocol (SNMP) or the Network Configuration Protocol (NETCONF), or a derivative thereof such as the Juniper Device Management Interface, to manage the security policies within security devices 5.
- security management system 10 may establish configuration sessions 9 with one or more security devices 5 that allow security management system 10 to traverse and modify configuration information data within the identified security devices 5 .
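The path from aggregated threat data to a committed policy (threat data aggregator 14, policy/rule module 20, candidate policy database 22, committed policy database 24) is summarised above in prose. The Python below is an added example for this page, not code from the patent or from any Juniper product; the report fields, the severity ranking, the rule dictionaries and the in-memory stores are assumptions. It folds constructed per-device reports into one summary per threat and source, identifies the devices that reported the selected threat, stages a block rule ahead of each such device's committed rules as a candidate policy, and on publish returns only the devices whose committed policy changed, which is the set the deployment engine would open configuration sessions with.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample threat reports as this example assumes the security
# management clients of three devices would relay them (not captured data).
REPORTS = [
    {"device": "fw-5A", "threat": "HTTP:SQL-INJECTION", "severity": "high",
     "src": "203.0.113.7", "dst": "10.1.2.3", "start": 1700000000, "action": "logged"},
    {"device": "fw-5B", "threat": "HTTP:SQL-INJECTION", "severity": "medium",
     "src": "203.0.113.7", "dst": "10.2.0.9", "start": 1700000040, "action": "logged"},
    {"device": "fw-5A", "threat": "HTTP:SQL-INJECTION", "severity": "high",
     "src": "203.0.113.7", "dst": "10.1.2.3", "start": 1700000090, "action": "logged"},
    {"device": "fw-5C", "threat": "TCP:PORT-SCAN", "severity": "low",
     "src": "198.51.100.9", "dst": "10.3.0.1", "start": 1700000010, "action": "dropped"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ThreatSummary:
    """One row of the aggregated view: a threat name seen from one source address."""
    threat: str
    src: str
    count: int = 0
    first_seen: Optional[int] = None
    severity: str = "low"
    devices: set = field(default_factory=set)        # which devices reported it
    destinations: set = field(default_factory=set)   # which internal hosts were targeted


def aggregate(reports):
    """Threat data aggregator: fold per-device reports into one summary per (threat, source)."""
    summaries = {}
    for r in reports:
        key = (r["threat"], r["src"])
        s = summaries.setdefault(key, ThreatSummary(r["threat"], r["src"]))
        s.count += 1
        s.first_seen = r["start"] if s.first_seen is None else min(s.first_seen, r["start"])
        if SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[s.severity]:
            s.severity = r["severity"]
        s.devices.add(r["device"])
        s.destinations.add(r["dst"])
    return summaries


def build_candidate(summary, committed):
    """Policy/rule module: for every device that reported the threat, stage a policy
    with a block rule for the source placed ahead of the device's committed rules.
    The result is what the candidate store holds for the administrator to review."""
    block = {"id": f"block-{summary.src}", "action": "block", "src": summary.src, "dst": "any"}
    candidate = {}
    for device in sorted(summary.devices):
        existing = committed.get(device, [])
        if any(r["id"] == block["id"] for r in existing):
            continue  # this device already carries the rule; nothing to stage
        candidate[device] = [block] + existing
    return candidate


def publish(candidate, committed):
    """Administrator approval: copy candidate policies into the committed store and
    return the devices whose policy changed, i.e. the ones the deployment engine
    must open a configuration session with."""
    changed = set()
    for device, rules in candidate.items():
        if committed.get(device) != rules:
            committed[device] = rules
            changed.add(device)
    return changed


if __name__ == "__main__":
    summaries = aggregate(REPORTS)
    committed = {"fw-5A": [{"id": "allow-web", "action": "allow", "src": "any", "dst": "10.1.2.3"}],
                 "fw-5B": [], "fw-5C": []}
    # The administrator selects the SQL injection row in the threat view.
    selected = summaries[("HTTP:SQL-INJECTION", "203.0.113.7")]
    print(f"{selected.threat} from {selected.src}: count={selected.count} "
          f"severity={selected.severity} devices={sorted(selected.devices)}")
    staged = build_candidate(selected, committed)
    print("candidate policies:", staged)
    print("devices to deploy to:", sorted(publish(staged, committed)))
```

Publishing the same candidate twice yields an empty device set, so a re-run of the workflow does not re-push unchanged configuration to devices that are already protected.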
- FIG. 3 is an example intrusion detection system (IDS) 200, which represents an example implementation of any of security devices 5 of FIG. 1.
- IDS 200 processes network inbound and outbound packet flows entering and egressing network 2 and performs deep packet inspection on packet flows to identify potential network threats and communicates threat information as well as application identification and flow information to security management system 10 , in one aspect of this disclosure.
- IDS 200 receives policies and other configuration data from security management system 10 and applies those policies to packet flows within the network.
- IDS 200 includes a forwarding plane 222 that transparently monitors inbound network traffic 224 and forwards the network traffic as outbound network traffic 226 .
- forwarding plane 222 includes flow analysis module 225 , stateful inspection engine 228 , protocol decoders 230 , and forwarding component 231 .
- Security management client 244 provides a configuration interface 245 for communicating with security management system 10 in accordance with one or more device configuration protocols. For example, responsive to input from administrator 12 , security management system 10 may output communications to configuration interface 245 to update policies 247 , thereby controlling and configuring IDS 200 to monitor particular subnets of the enterprise network 2 and apply security policy rules received from security management system 10 . As another example, security management system 10 may provide and install policies 247 that specify attack definitions 233 , which, in some example approaches, security management client 244 relays to stateful inspection engine 228 . In one embodiment, attack definitions 233 may be compound attack definitions.
- security management system 10 may present a user interface by which administrator 12 may modify assumptions regarding packet flow characteristics, such as the highest priority packet flows for monitoring, port bindings for applications, or other features of determining a type of application and protocol associated with the packet flow.
- Security management client 244 may receive the aforementioned information via configuration interface 245 for storage within policies 247 and relays the information to the stateful inspection engine 228 for real-time application to packet flows.
- Flow analysis module 225 receives inbound traffic 224 and identifies individual network flows within the traffic. Each network flow represents a flow of packets in one direction within the network traffic and is identified by at least a source address, a destination address and a communication protocol. Flow analysis module 225 may utilize additional information to specify network flows, including source media access control (“MAC”) address, destination MAC address, source port, and destination port. Other examples may use other information to identify network flows, such as IP addresses, application sessions, and bandwidth usage.
- Flow analysis module 225 maintains flow data within flow table 235 that describes each active packet flow present within the network traffic.
- Flow table 235 specifies network elements associated with each active packet flow, i.e., low-level information such as source and destination devices and ports associated with the packet flow.
- flow table 235 may identify pairs of packet flows that collectively form a single communication session between a client and server. For example, flow table 235 may designate a communication session as a pair of packet flows in opposite directions that share at least some common network addresses, ports and protocol.
- stateful inspection engine 228 inspects both client-to-server packet flows as well as server-to-client packet flows in order to more accurately identify the type of application and underlying protocol for each communication session. This may assist when, for example, a malicious user attempts to spoof (i.e., mimic) one type of application and instead use another in an attempt to bypass an IDS. As an example, a malicious user may attempt to circumvent an IDS by spoofing an SMTP request when actually using the HTTP protocol. IDS 200 may determine from the response from the server that the original packet flow was just an attempt to bypass IDS 200 and may take appropriate action, such as dropping future packets associated with the packet flow and/or alerting the targeted device of the attack.
- IDS 200 may use a minimum data size of the reassembled TCP segments, in addition to the signature, in order to identify the types of applications. Certain applications may require a minimum amount of data, so IDS 200 may distinguish malicious packet flows by determining whether the packet flow contains enough data for the identified protocol. Moreover, IDS 200 may not necessarily recognize every application. In one example, when an application is unknown, IDS 200 may simply forward the packet flow. If IDS 200 cannot identify a given application, it may be because that application is not a typical target for a malicious packet flow. Other examples may take other actions for unidentified applications, however, such as discarding all packets that target unknown applications or applying a default signature to all packet flows associated with unknown application types. Other examples may also utilize other protocols, such as the User Datagram Protocol (UDP); IDS 200 accordingly may require a minimum data size of UDP segments in order to identify the application associated with the UDP segments.
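To make the flow table, session pairing and bidirectional application identification concrete, the Python below is an added example written for this page, not code from the patent or from any IDS product. The five-tuple flow key, the banner-style signatures, the minimum payload sizes and the packets are all constructed assumptions. It pairs opposite-direction flows into sessions with the first-seen direction as the client, classifies each direction only once enough data has arrived for the candidate protocol, and reports the case the text describes: a client that opens with an SMTP greeting while the server answers in HTTP.

```python
from collections import namedtuple

FlowKey = namedtuple("FlowKey", "src sport dst dport proto")

# Simplified application signatures and minimum payload sizes; assumptions for the
# demo, not a real signature set.
SIGNATURES = {
    "smtp": (b"HELO ", b"EHLO ", b"220 "),
    "http": (b"GET ", b"POST ", b"HEAD ", b"HTTP/1."),
}
MIN_BYTES = {"smtp": 6, "http": 16}

# Constructed packets (each in one direction); not captured traffic.
PACKETS = [
    # session 0: the client speaks SMTP but the server answers HTTP
    {"src": "203.0.113.7", "sport": 40001, "dst": "10.1.2.3", "dport": 25, "proto": "tcp",
     "payload": b"HELO evil.example\r\n"},
    {"src": "10.1.2.3", "sport": 25, "dst": "203.0.113.7", "dport": 40001, "proto": "tcp",
     "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    # session 1: ordinary HTTP in both directions
    {"src": "198.51.100.20", "sport": 51000, "dst": "10.1.2.3", "dport": 80, "proto": "tcp",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: 10.1.2.3\r\n\r\n"},
    {"src": "10.1.2.3", "sport": 80, "dst": "198.51.100.20", "dport": 51000, "proto": "tcp",
     "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"},
    # a flow with no reply yet: it stays unpaired in the flow table
    {"src": "198.51.100.9", "sport": 5555, "dst": "10.1.2.3", "dport": 8443, "proto": "tcp",
     "payload": b"\x16\x03\x01\x00\x05"},
]


def reverse(key):
    """Key of the opposite-direction flow of the same session."""
    return FlowKey(key.dst, key.dport, key.src, key.sport, key.proto)


def classify(payload: bytes):
    """Identify the application from its signature, but only once enough data
    has been seen for that protocol; None means unknown."""
    for app, prefixes in SIGNATURES.items():
        if payload.startswith(prefixes) and len(payload) >= MIN_BYTES[app]:
            return app
    return None


class FlowTable:
    def __init__(self):
        self.flows = {}      # FlowKey -> {"payload": bytes, "session": int or None}
        self.sessions = []   # index = session id, value = (client_key, server_key)

    def add(self, pkt):
        key = FlowKey(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = {"payload": b"", "session": None}
            rev = reverse(key)
            # The direction seen first is the client side of the session.
            if rev in self.flows and self.flows[rev]["session"] is None:
                sid = len(self.sessions)
                self.sessions.append((rev, key))
                self.flows[rev]["session"] = flow["session"] = sid
        flow["payload"] += pkt["payload"]
        return key

    def verdicts(self):
        """Per session: the identified application, or the cases the text calls out."""
        out = {}
        for sid, (client, server) in enumerate(self.sessions):
            c_app = classify(self.flows[client]["payload"])
            s_app = classify(self.flows[server]["payload"])
            if c_app is None:
                out[sid] = "unknown-forward"          # unrecognised application: forwarded
            elif s_app is not None and s_app != c_app:
                out[sid] = f"mismatch:{c_app}-request/{s_app}-response"  # spoofed protocol
            else:
                out[sid] = c_app
        return out


if __name__ == "__main__":
    table = FlowTable()
    for pkt in PACKETS:
        table.add(pkt)
    print(f"{len(table.flows)} flows, {len(table.sessions)} sessions")
    for sid, verdict in table.verdicts().items():
        print(f"session {sid}: {verdict}")
```

Because classification waits for the per-protocol minimum, a partial banner such as `GET /` is reported as unknown rather than as HTTP; the text's alternative policies for unknown applications (drop, or apply a default signature) would plug in at the `unknown-forward` branch.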
- For each packet flow, stateful inspection engine 228 buffers a copy of the packet flow and reassembles the buffered packet flow to form application-layer communications 232. For example, stateful inspection engine 228 may reconstruct TCP segments into application-layer communications 232, which represent protocol-specific messages.
- Protocol decoders 230 represent a set of one or more protocol-specific software modules. Each of protocol decoders 230 corresponds to a different communication protocol or service.
- Examples of communication protocols that may be supported by protocol decoders 230 include the HyperText Transfer Protocol (HTTP), the File Transfer Protocol (FTP), the Network News Transfer Protocol (NNTP), the Simple Mail Transfer Protocol (SMTP), Telnet, the Domain Name System (DNS), Gopher, Finger, the Post Office Protocol (POP), the Secure Sockets Layer (SSL) protocol, the Lightweight Directory Access Protocol (LDAP), Secure Shell (SSH), Server Message Block (SMB) and other protocols.
- Protocol decoders 230 analyze reassembled application-layer communications 232 and output transaction data 234 that identifies application-layer transactions.
- Transaction data 234 indicates when a series of related application-layer communications between two peer devices starts and ends.
- Stateful inspection engine 228 receives transaction data 234, application-layer elements 236 and protocol anomaly data 238 from protocol decoders 230. Stateful inspection engine 228 applies policies 247 (e.g., attack definitions 233 or other rules) to protocol-specific application-layer elements 236 and anomaly data 238 to detect and prevent network attacks and other security risks.
- When a security risk is detected, stateful inspection engine 228 outputs alert 240 to security management client 244 for logging and further analysis as threat data 249.
- Threat data 249 may, for example, include packet flow identification information from flow table 235 for those packet flows that have been identified as potential threats.
- Threat data 249 may also store, for each of the packet flows, application classification information provided by flow analysis module 225 that identifies the type of application-layer application associated with the packet flow.
- Threat data 249 may further include, for each of the packet flows, threat information from stateful inspection engine 228 that characterizes the particular type of threat, such as the identified pattern, anomalies or other qualities of the respective packet flow that triggered one or more policies for classifying the packet flow as a threat.
- Security management client 244 relays threat data 249 about the currently detected security risk(s) to security management system 10.
- Stateful inspection engine 228 may also take additional action, such as dropping the packets associated with the communication session, automatically closing the communication session or other action. If no security risk is detected for a given application-layer communication session, forwarding component 231 continues to forward the packet flows between the peers. Forwarding component 231 may, for example, maintain a routing table that stores routes in accordance with a topology of the enterprise network for use in forwarding the packet flows. Operation of IDP and IDS devices is further described in U.S. Pat. No. 9,106,693, entitled “ATTACK DETECTION AND PREVENTION USING GLOBAL DEVICE FINGERPRINTING”, the discussion of which is incorporated herein by reference.
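As an added illustration (not code from the patent) of the identification and inspection steps above, the following Python models signature matching gated by a per-application minimum data size, the choice of action for flows of unknown applications, and the threat data record produced when a policy fires; the signatures, minimum sizes, policy check and sample flows are all constructed for the example.

```python
# Added illustration, not code from the patent: identifying the application of a
# reassembled TCP flow by signature plus a per-application minimum data size,
# applying a policy to the application-layer data, and building the threat-data
# record for a flow that trips it. Signatures, sizes, policy and flows are
# constructed for the example.
import re
from dataclasses import dataclass

UNKNOWN = "unknown"

# (signature, minimum reassembled bytes) per application; constructed values.
APP_SIGNATURES = {
    "HTTP": (re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"), 32),
    "SMTP": (re.compile(rb"^220 [^\r\n]*\r\n"), 8),
    "SSH": (re.compile(rb"^SSH-2\.0-"), 8),
}

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    segments: list  # (sequence number, payload) pairs, possibly out of order

@dataclass
class ThreatRecord:
    flow_id: tuple      # packet flow identification information
    application: str    # application classification
    policy: str         # the policy that classified the flow as a threat
    detail: str         # the quality of the flow that triggered the policy
    action: str

def reassemble(segments):
    """Order TCP segments by sequence number and join their payloads."""
    return b"".join(payload for _, payload in sorted(segments))

def identify_application(data):
    """Return the application name, or UNKNOWN. A signature match only counts once
    the flow carries at least that application's minimum amount of data."""
    for name, (pattern, min_size) in APP_SIGNATURES.items():
        if len(data) >= min_size and pattern.match(data):
            return name
    return UNKNOWN

MAX_REQUEST_LINE = 64

def http_overlong_request_line(data):
    """Protocol-anomaly check: an HTTP request line longer than expected."""
    line = data.split(b"\r\n", 1)[0]
    if len(line) > MAX_REQUEST_LINE:
        return f"request line is {len(line)} bytes, limit {MAX_REQUEST_LINE}"
    return None

# Policies (attack definitions) keyed by application; constructed.
POLICIES = {"HTTP": [("http-overlong-request-line", http_overlong_request_line)]}

def inspect_flow(flow, unknown_action="forward"):
    """Return (action, ThreatRecord or None) for one flow.
    unknown_action is what to do with flows of an unidentified application:
    "forward" passes them untouched, "discard" drops all their packets."""
    data = reassemble(flow.segments)
    app = identify_application(data)
    flow_id = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
    if app == UNKNOWN:
        return unknown_action, None
    for policy_name, check in POLICIES.get(app, []):
        detail = check(data)
        if detail:
            return "drop", ThreatRecord(flow_id, app, policy_name, detail, "drop")
    return "forward", None

# Constructed flows using RFC 5737 documentation addresses.
NORMAL_HTTP = Flow("198.51.100.7", 40001, "192.0.2.10", 80,
                   [(26, b"Host: example.test\r\n\r\n"), (0, b"GET /index.html HTTP/1.1\r\n")])
SHORT_HTTP = Flow("198.51.100.7", 40002, "192.0.2.10", 80, [(0, b"GET / HTTP/1.1\r\n")])
LONG_HTTP = Flow("203.0.113.5", 40003, "192.0.2.10", 80,
                 [(0, b"GET /" + b"a" * 80 + b" HTTP/1.1\r\n")])
BINARY = Flow("203.0.113.8", 40004, "192.0.2.10", 8000, [(0, b"\x00\x01\x02\x03")])

if __name__ == "__main__":
    for f in (NORMAL_HTTP, SHORT_HTTP, LONG_HTTP, BINARY):
        print(f.dst_port, inspect_flow(f))
```

SHORT_HTTP matches the HTTP signature but carries fewer than the 32 bytes the constructed minimum requires, so it is classified as unknown and handled by unknown_action rather than inspected.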
- FIGS. 4A-4C illustrate example user interfaces generated by security management system 10 to present to an administrator 12 a representation of the aggregated threat data, in various aspects of the disclosure.
- Threat control module 17 of security management system 10 may present dynamic threat animations and present user interfaces that may serve to organize network events and associated threat data in a variety of graphical representations.
- FIG. 4A illustrates an example user interface generated by security management system 10 by which administrator 12 may view a live threat graphical representation of threats in a map view.
- Visualization module 18 may generate a graphical representation of a map 400 (here, a world map) associated with a security domain (e.g., an enterprise or service provider network) and display statistics such as a total threat count 401, total intrusion prevention system (IPS) events 402, total anti-virus (AV) events 403, total anti-spam events 404, total device authorizations 405 (e.g., successful and/or unsuccessful logins), top destination devices 406, top destination countries 407, top source devices 408, top source countries (not shown), and other information related to aggregated threats.
- Visualization module 18 may generate a live threat aggregated representation that includes one or more variable graphical indicators (e.g., color coding, variations in line thickness, size variations) associated with threats to represent varying magnitudes or categories of threats. For example, threats from security device 5A may be represented in one color, whereas threats from security device 5B may be represented in another; or threats with a greater volume may be represented in one color, whereas a lower volume may be represented by another color.
- Visualization module 18 may also generate a graphical representation of the aggregated threat data with lines connecting the source and destination IP addresses. The visual representation of the lines (e.g., thickness, color, etc.) may represent the magnitude of traffic (e.g., volume of traffic, number of attacks, etc.) between the source and destination IP addresses.
- FIG. 4B illustrates another example user interface generated by security management system 10 by which administrator 12 may view aggregate threat data of application usage, in one aspect of the disclosure.
- Threat data aggregator 14 may aggregate threat data for packet flows that have been identified as particular software applications by security devices 5, where the user interface provides a graphical indicator representative of usage associated with the different types of applications, such as the number of user sessions with an application and/or the bandwidth consumed by an application.
- Visualization module 18 may generate a graphical representation of the aggregate threat data associated with application usage, such as the example chart view in FIG. 4B.
- Visualization module 18 may generate a graphical representation of the aggregated threat data with graphical indicators 421 (e.g., variable sizing and/or color) that may represent the magnitude of application usage and/or severity of threat (e.g., bandwidth consumed by application usage, number of sessions, etc.).
- Threat control module 17 may then present the graphical representation of aggregated threat data that displays top sessions or bandwidth usage by application based on category (e.g., web 411, multimedia 412, messaging 413, social 414, and/or infrastructure 415).
- Threat control module 17 may further present an interface displaying top sessions or bandwidth usage by applications based on characteristic (e.g., loss of productivity 416, prone to misuse 417, can leak information 418, supports file transfer 419, and/or bandwidth consumed 420) and for configuration of security devices 5 in response to detecting a threat.
- FIG. 4B illustrates an example interface in chart view displaying threat data aggregated by application usage and grouped by risk.
- FIG. 4B illustrates an example chart displaying various applications and various graphical indicators 421.
- An application with a larger sized bubble may represent a higher number of sessions for that application.
- The bubble's color, such as red, orange, or yellow, may represent the severity of the threat.
- A drop-down menu 429 is used to select whether to group application icons by risk or by other parameters, while a device select drop-down menu 430 allows threat control module 17 to filter the display to show particular devices 5.
- Threat control module 17 may also present a user interface by which administrator 12 may select a response to automatically create security policies in accordance with affected security devices 5.
- FIG. 4C illustrates another example user interface generated by security management system 10 by which administrator 12 may view aggregate threat data based on user usage, in one aspect of the disclosure.
- Threat data aggregator 14 may aggregate threat data associated with a network user's application usage from security devices 5, such as the number of sessions with an application and/or the bandwidth consumed by a specific user.
- Visualization module 18 may generate a graphical representation of aggregate threat data associated with a specific user's application usage in the manner shown in either FIG. 4A or FIG. 4B above.
- Threat control module 17 may present a user interface overlaying the graphical representation of aggregated threat data that displays the usage of the top network users.
- FIG. 4C illustrates an example interface in grid view displaying threat data aggregated by network user usage.
- FIG. 4C illustrates an example grid displaying various network users and their top applications used.
- Visualization module 18 may further generate a graphical representation of network usage including information on top users 422, top applications 423, the names of users 424, total number of sessions 425, bandwidth consumed 426, and/or top application used 427.
- Threat control module 17 may also present a user interface (e.g., check box 428) by which administrator 12 may select a response to automatically create security policies in accordance with affected security devices 5.
- FIGS. 5A-5E illustrate example user interfaces generated by security management system 10 to present to an administrator 12 representations of filtered event data associated with threats, in various aspects of the disclosure.
- Visualization module 18 may generate various filtered representations of filtered threat data in various views, such as a grid, chart, and map view, based on a selection of user interface elements by an administrator 12.
- Threat control module 17 of security management system 10 may present administrator 12 a user interface to select specific user interface elements, such as data from a live-threat aggregated representation, to drill down to additional threat details displayed in a filtered representation of filtered threat data (overlaying the aggregated representation) generated by visualization module 18.
- Administrator 12 may select a country or other specified geographic location from a live threat map to view a grid of filtered data associated with threats, such as a threat name 501, count of threats 502, start time 503, severity of threat 504, source location 505, source IP address 506, destination location 507, destination IP address 508, category of threat 509, type of threat 510, service 511, impact 512, and threat action status 513 (e.g., allowed or blocked), as shown in FIG. 5A.
- The threat name 501 may include the name of the potential malicious activity, such as the virus name or malware name.
- The count 502 may include a counter signifying the number of times the threat has repeatedly occurred within security devices 5.
- The start time 503 may include the time and date of the threat.
- The severity 504 may include information on the level of severity of the threat and may be displayed as a graphical or numerical representation.
- The source location 505 may include information about the location from which the attack originates.
- The source location may further include finer points of granularity, such as the name of the organization associated with the source IP address, or countries, states, cities, or other specific locations associated with the source.
- The source IP address 506 may include the IP address of the computer system from which the suspected threat originated.
- The destination location 507 may include information about the location at which the attack occurs.
- The destination location may further include finer points of granularity, such as countries, states, cities, or other specific locations.
- The destination IP address 508 may include the Internet Protocol address of the computer system that was targeted by the suspected attack.
- The category 509 may include information about the malicious activity, including forms of malware (e.g., viruses, worms, Trojans).
- The attack type 510 may include information about the type of threat, such as signature or compound.
- The service 511 may include information on the protocol used by the attack, such as Hypertext Transfer Protocol (HTTP) or Internet Control Message Protocol (ICMP).
- The threat impact 512 may include the level of impact (e.g., high or low) the threat may have.
- The threat action status 513 may include information about whether the threat is allowed or blocked. In some graphical representations, users can filter threats by the above information. Threat control module 17 may also present a user interface for administrator 12 to select a response for automatically generating security policies to block or allow traffic of a selected threat in accordance with affected security devices 5.
- Visualization module 18 may also generate a filtered representation of aggregated threat data in chart view presenting filtered threat data associated with a selected user interface element, such as a geographic location, as shown in the example of FIG. 5B.
- The interface overlays a map view representation of threats.
- Visualization module 18 may generate a filtered representation of the aggregated threat data and filtered threat details in various charts of interest, such as source countries 521, source IP addresses 522, destination devices 523, incoming viruses/worms 524, incoming IPS attacks 525, devices with incoming DDoS attacks 526, or other threat details.
- Administrator 12 may select a country (e.g., United States) from the live threat aggregated representation to view filtered threat details associated with the selected country as a destination or as a source.
- Threat control module 17 may present a user interface, generated by visualization module 18, by which administrator 12 may view and further interact with the filtered threat details and select various filtered threat details for additional information, as shown in FIG. 5B.
- Threat control module 17 may also present a user interface by which administrator 12 may select a response for automatically generating security policies to block or allow traffic of a selection in the chart view in accordance with affected security devices 5.
- FIG. 5C illustrates another example user interface generated by security management system 10 that may present to administrator 12 a graphical representation in map view of filtered event data associated with geographically based threats, in one aspect of the disclosure.
- Visualization module 18 may generate a map representation of aggregated threat data and may also include filtered threat data associated with a location selected by administrator 12.
- Threat control module 17 may present administrator 12 an interface to view and further interact with additional filtered threat details and to selectively block or allow traffic or types of traffic associated with the approximate geographic location, as shown in FIG. 5C.
- Filtered threat details may include total events 531, allowed events 532, and blocked events 533 associated with a particular country.
- Threat data from either source IP addresses or destination IP addresses may be presented.
- A threat action response 560 allows the user to block traffic directly from the threat details interface.
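The aggregation and drill-down described for FIGS. 4A and 5A-5C, as an added example that is not code from the patent: constructed threat records are rolled up into the totals, top lists and per-link volumes of the map view, each link is given a variable graphical indicator, and the records are filtered by a selected country as source or destination. The records, field names and indicator thresholds are assumptions made for the example.

```python
# Added example, not code from the patent: building the live-threat aggregate the
# page describes (totals by event class, top countries and devices, per-link
# volumes with a variable graphical indicator) and the drill-down for a selected
# country. All threat records below are constructed; addresses are RFC 5737
# documentation ranges.
from collections import Counter

FIELDS = ("name", "count", "start_time", "severity", "src_country", "src_ip",
          "dst_country", "dst_ip", "category", "type", "service", "impact", "action")

RAW = [
    ("Trojan.Sample", 3, "2015-09-26T10:00Z", 4, "US", "198.51.100.7",
     "DE", "192.0.2.10", "AV", "signature", "HTTP", "high", "blocked"),
    ("App:TUN:TOR-1", 12, "2015-09-26T10:05Z", 2, "NL", "203.0.113.5",
     "US", "192.0.2.20", "IPS", "signature", "HTTP", "low", "allowed"),
    ("Worm.Sample", 1, "2015-09-26T10:07Z", 5, "US", "198.51.100.9",
     "US", "192.0.2.20", "AV", "compound", "SMB", "high", "blocked"),
    ("Spam.Sample", 20, "2015-09-26T10:09Z", 1, "CN", "203.0.113.77",
     "US", "192.0.2.30", "anti-spam", "signature", "SMTP", "low", "blocked"),
    ("ICMP.Flood.Sample", 7, "2015-09-26T10:12Z", 3, "DE", "203.0.113.8",
     "US", "192.0.2.10", "IPS", "signature", "ICMP", "high", "allowed"),
]
THREATS = [dict(zip(FIELDS, row)) for row in RAW]

def aggregate(threats):
    """Live-threat aggregate: total count, counts per event class (IPS, AV,
    anti-spam), top source/destination countries and devices, and the volume on
    each source-country -> destination-country link used to draw map lines."""
    agg = {"total_threats": 0, "events": Counter(), "top_source_countries": Counter(),
           "top_destination_countries": Counter(), "top_source_devices": Counter(),
           "top_destination_devices": Counter(), "links": Counter()}
    for t in threats:
        n = t["count"]
        agg["total_threats"] += n
        agg["events"][t["category"]] += n
        agg["top_source_countries"][t["src_country"]] += n
        agg["top_destination_countries"][t["dst_country"]] += n
        agg["top_source_devices"][t["src_ip"]] += n
        agg["top_destination_devices"][t["dst_ip"]] += n
        agg["links"][(t["src_country"], t["dst_country"])] += n
    return agg

def line_indicator(volume):
    """Variable graphical indicator for a map line: (color, thickness) by volume.
    The thresholds are constructed for the example."""
    if volume < 5:
        return "yellow", 1
    if volume < 15:
        return "orange", 2
    return "red", 3

def drill_down(threats, country, role="destination"):
    """Filtered view for a country selected on the map, as source or destination:
    total/allowed/blocked event counts plus the grid rows behind them."""
    key = "src_country" if role == "source" else "dst_country"
    rows = [t for t in threats if t[key] == country]
    allowed = sum(t["count"] for t in rows if t["action"] == "allowed")
    blocked = sum(t["count"] for t in rows if t["action"] == "blocked")
    return {"country": country, "role": role, "total_events": sum(t["count"] for t in rows),
            "allowed": allowed, "blocked": blocked, "rows": rows}

if __name__ == "__main__":
    summary = aggregate(THREATS)
    print("total threats:", summary["total_threats"], dict(summary["events"]))
    for (src, dst), volume in summary["links"].most_common():
        print(f"{src} -> {dst}: {volume} events, line {line_indicator(volume)}")
    view = drill_down(THREATS, "US")
    print(view["total_events"], view["allowed"], view["blocked"])
```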
- FIG. 5D illustrates another example user interface generated by security management system 10 that may present to administrator 12 a filtered representation of aggregated threat data relating to a selected application in chart view.
- Visualization module 18 may generate a filtered representation of filtered threat details associated with an application selected from the aggregated representation of threats.
- Threat control module 17 may present a user interface by which administrator 12 may select a user interface element, such as a particular application from the aggregated representation of live threats, to drill down to additional threat details associated with application usage, such as the number of sessions of an application in a particular amount of time 541, category of application 542 (e.g., web, multimedia, messaging, social, infrastructure), characteristic of threat 543 (e.g., loss of productivity, prone to misuse, can leak information, supports file transfer, bandwidth consumed), total bytes used in a particular amount of time 544, sub-category of application 545 (e.g., social networking), risk level 546, and/or top users of the application 547.
- Threat control module 17 may also present a user interface by which administrator 12 may select a response for automatically generating security policies to block or allow traffic from particular applications in accordance with affected security devices 5.
- A threat action response 560 allows the administrator to block traffic directly from the threat details interface.
- For a particular application, threat control module 17 displays icons reflecting parameters such as the number of sessions for that application or the bandwidth used by the application, and the administrator can block traffic associated with the application or rate limit the application.
- For a particular user, threat control module 17 displays icons reflecting parameters such as the number of sessions for that user or the bandwidth used by the user, and the administrator can block particular traffic for that user or rate limit the user.
- For a particular user or device, threat control module 17 displays icons reflecting parameters such as the number of sessions per application or the bandwidth per application used by that user or device, and the administrator can block traffic for specific applications for that user or device, or rate limit the user or device with regard to specific applications.
- FIG. 5E illustrates another example user interface generated by security management system 10 that may present to administrator 12 a filtered representation of filtered threat details relating to user usage of applications in grid view.
- Visualization module 18 may generate a filtered representation of filtered threat details associated with a selected network user.
- Threat control module 17 may present a user interface by which administrator 12 may select a user interface element, such as a particular user from the aggregated representation of live threats, to drill down to filtered threat details associated with a network user, such as user name 551, number of sessions by user 552, bandwidth consumed by user 553, user role 554, date and time of last session 555, and last seen IP 556.
- The interface of FIG. 5E may also include the top applications 557 used by the selected user over a period of time 558.
- Threat control module 17 may also present a user interface for administrator 12 to select a response for automatically generating security policies to block or allow traffic from a particular user in accordance with affected security devices 5.
- A threat action response 560 allows the administrator to block traffic directly from the user threat details interface.
- Security management system 10 may also present a user interface by which administrator 12 may interact with the aggregated representation of live threats and filtered threat details rendered by security management system 10 and, responsive to the interaction, the integrated security management system 10 may identify a relevant set of security devices 5, automatically construct for the security devices 5 updated policies having ordered rules within the policies using a policy/rule module 20, and automatically communicate and install the policies in the security devices 5 using a policy deployment engine 26 of the underlying security management system 10.
- Security management system 10 may provide, through threat control module 17, a system and an interface that administrator 12 may use to view live threats and to quickly assess filtered threat data associated with a threat for comprehensive analysis.
- Administrator 12 may direct security management system 10 to automatically create security policies for deployment to security devices 5 in response to the detected threat.
- Threat control module 17 of security management system 10 may present an interface to enable administrator 12 to insert new rules into a current policy of one of security devices 5, to configure an updated policy for the security device 5, and to delete or change the ordering of existing rules.
- Administrator 12 may select to view filtered threat details from the live threat aggregated representation.
- Security management system 10 may then present a user interface by which administrator 12 may automatically create security policies for affected security devices 5 based on the filtered threat details.
- For example, threat control module 17 may present a user interface by which administrator 12 may select the Threat Name 501, App:TUN:TOR-1, and may select a threat action response 560, such as to block traffic from or to the source IP address: to block both the traffic going to and from the source IP address, to block only the traffic coming from the source IP address, or to block only the traffic going to the source IP address, within any of the graphical representations of threats.
- Administrator 12 may select to block or allow traffic in response to detecting the specific threat from the graphical representation of threats.
- Administrator 12 may select a source IP address in a graphical representation in chart view (e.g., FIG. 5B) to view threat data associated with the selected source IP address (e.g., in an interface similar to FIG. 5A). Administrator 12 may further select a threat action response to block or allow traffic from the graphical representation in chart view, which will navigate administrator 12 to another user interface presented by threat control module 17 of security management system 10.
- Administrator 12 may select a country in a graphical representation in map view (e.g., FIG. 5C) to view threat data associated with the selected geographic location. Administrator 12 may further select a threat action response 560 to block or allow traffic directly from the graphical representation in map view, which will navigate administrator 12 to another user interface presented by threat control module 17 of security management system 10. In other examples, administrator 12 may select locations with finer granularity, such as states, cities, and other regions.
- Administrator 12 may select a particular application in a graphical representation in chart view displaying threat data aggregated by application usage to view additional details associated with the selected application (e.g., FIG. 5D). Administrator 12 may further select a threat action response 560 to block or allow traffic from the graphical representation in chart view, which will navigate administrator 12 to another user interface presented by threat control module 17 of security management system 10.
- Administrator 12 may select a particular network user in a graphical representation displaying threat data aggregated by application usage to view additional details associated with the selected network user (e.g., FIG. 5E). Administrator 12 may further select a threat action response 560 to block or allow traffic from the graphical representation, which will navigate administrator 12 to another user interface presented by threat control module 17 of security management system 10.
- FIGS. 6A-6C illustrate example user interfaces generated by security management system 10 by which administrator 12 may review and publish automatically created rules associated with security policies, in various aspects of the disclosure.
- The interfaces of FIGS. 6A-6C may overlay the representations of threats or filtered threat data.
- Security management system 10 may generate an interface by which administrator 12 may configure the automatically generated revised policies for blocking or allowing traffic, as shown in FIG. 6A.
- FIG. 6A illustrates an example user interface presented to administrator 12 to view and selectively deploy the automatically generated security policies, in one aspect of the disclosure. The user interface enables administrator 12 to selectively deploy any or all of the automatically generated policies for configuration of security devices 5.
- In the example of FIG. 6A, security management system 10 automatically generated revisions to the ordered set of rules within each of the security policies in response to selection of a threat action response 560, including modifying internal rules and the ordering of rules within the policies, to block traffic coming from and/or going to the source IP address(es), in one aspect of the disclosure.
- The example interface of FIG. 6A may provide a list of the automatically generated revised policies to select from.
- The user interface of FIG. 6A may provide administrator 12 information on created policies 601, the number of rules added 602, the number of devices 5 the policy is applied to 603, and the number of devices 5 with pending updates 604 related to policy changes.
- Pre-existing security policies and associated information of affected security devices 5 stored in committed database 26 may be retrieved and presented to administrator 12 for further review.
- The interface of FIG. 6A may also include information associated with affected devices that have invoked a policy within a previous duration of time (e.g., month, week, days, etc.).
- Threat control module 17 of security management system 10 may also, in response to selection of a particular policy, present an interface to configure policy rules associated with the selected threat, as shown in FIG. 6B.
- FIG. 6B illustrates an example user interface generated by the security management system 10 by which administrator 12 may view the particular rules automatically created for a given policy that was generated by the security management system 10, in one aspect of the disclosure.
- Administrator 12 may select a specific policy within the interface of FIG. 6A and may further create, edit, delete, or order one or more rules for a firewall policy, as shown in FIG. 6B.
- The automatically generated rules may suggest their placement within the generated security policy.
- The interface of FIG. 6B may present administrator 12 the option to designate or modify the order of rules 611, the name of rules 612, define whether the source zone 613 and/or destination zone 615 are trusted or untrusted, define the source address 614 and/or destination address 616 the rule applies to, define a service of rules 617, define rule options 618, or define the action of a rule within a security policy 619, such as to permit traffic or to deny traffic.
- For example, administrator 12 may use the interface of FIG. 6B, presented by threat control module 17, to specify “Rule 2” and “Rule 3” to have sequence numbers of 808 and 809, respectively, and to specify the action to deny IP traffic for Policy CCC.
- Security management system 10 may also include a policy/rule module 20 that executes on one or more processors of security management system 10, wherein the policy/rule module 20 may generate configuration information for security devices 5 based on configuration information automatically generated by security management system 10 or defined by administrator 12 and received from threat control module 17.
- Security management system 10 may store these configuration parameters in candidate policy database 22.
- Threat control module 17 of security management system 10 may also, in response to selection of a particular device, as shown in FIG. 6A, present an interface by which administrator 12 may view information on security devices 5 associated with the selected threat, as shown in FIG. 6C.
- FIG. 6C illustrates an example user interface generated by security management system 10 by which an administrator 12 may view security device details associated with devices affected by the automatically created security policies, in one aspect of the disclosure.
- Threat control module 17 may present an interface with security policies and device information stored in candidate policy database 22 and/or committed policy database 24.
- The interface of FIG. 6C may include a device name 621, domain 622, managed status 623, connection status 624, policy type 625, and delta configuration 626.
- The delta configuration may include access to a command-line interface (CLI) and/or extensible markup language (XML) configuration of devices.
- Threat control module 17 of security management system 10 may further, in response to selection of a delta configuration of a device, as shown in FIG. 6C, present an interface by which administrator 12 may view the CLI and/or XML configuration of the selected device, as shown in FIG. 6D.
- FIG. 7 illustrates an example user interface generated by security management system 10 by which an administrator 12 may enable deployment and/or publication of the automatically created security policies, in one aspect of the disclosure.
- Security management system 10 may include a candidate policy database 22 and a committed policy database 24 that interface with threat control module 17 and policy/rule module 20 of the security management system 10, as shown in FIG. 2.
- Threat control module 17 may present a user interface for administrator 12 to elect whether to update 702 (e.g., deploy), publish 704 (e.g., store for further review), or save 706 the automatically created security policies (either individually or as groups). In one example, an election to publish the automatically created security policies may store the security policies in candidate database 22 for further review.
- Publication of security policies may allow other administrators 12 to review, through a user interface generated by security management system 10, the automatically created security policies stored in candidate policy database 22 before deployment. After further review, the other administrators 12 may elect to update (e.g., deploy) the published security policies or to reconfigure the security policies.
- An election to update security policies may store the automatically created security policies in committed policy database 24, in one example.
- Administrator 12 may elect to update security policies presented by a user interface generated by security management system 10 (as shown in FIG. 7) to push the automatically created security policies to security devices 5, such as through SNMP or NETCONF protocols.
- Security management system 10 may include a policy deployment engine 26 that executes on one or more processors of system 10 to send updated configuration information of security policies to security devices 5.
- The interface of FIG. 7, generated by security management system 10, may also enable administrator 12 to define a specific date 708 or time 710 at which to update 702 or publish 704 the automatically created security policies.
- For example, threat control module 17 may present administrator 12 an interface to schedule an update for Sep. 27, 2015 at 5:15 am PST.
- Security management system 10 may store these updated security policies in candidate policy database 22 before Sep. 27, 2015 at 5:15 am PST.
- Security management system 10 may then store the updated security policies in committed policy database 24 when the policies are updated to security devices 5 on Sep. 27, 2015 at 5:15 am PST.
- Security management system 10 may further deploy the updated security policies stored within committed policy database 24 with policy deployment engine 26 to security devices 5.
- committed policy database 24 may be located in the security management system 10 .
- security management system 10 may communicate with an external committed policy database 24 .
- FIG. 8 illustrates an example user interface generated by security management system 10 by which administrator 12 may view the job status of the published or updated security policies.
- threat control module 17 of security management system 10 may present a user interface by which an administrator 12 may provide information from candidate policy database 22 and/or committed policy database 24 on the phase of configuration policy updates, such as statuses snapshot policy 801 , publish policy 802 , and update devices 803 .
- the interface of FIG. 8 generated by the security management system 10 may further display information including job type 804 , job ID 805 , job name 806 , user 807 , job status 808 , percent complete 809 , scheduled start time 810 , actual start time 811 , and end time 812 .
- the interface of FIG. 8 may also search for device publishing details 813 , including the name of the device, status of publication, services, and/or messages.
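The save/publish/update elections of FIG. 7 and the job status view of FIG. 8 describe a policy lifecycle with two stores: a published policy waits in the candidate store for review, and an updated policy reaches the committed store only once it has actually been pushed to the devices, which for a scheduled update happens at the scheduled time. The following Python sketch, added here as an illustration and not code from the patent or from any Juniper product, models that lifecycle. The class and field names (PolicyStore, Job, fake_deploy), the device names and the policy contents are assumptions of this example; the scheduled time reuses the page's Sep. 27, 2015 5:15 example as a naive datetime.

```python
"""Policy save/publish/update lifecycle with scheduled jobs (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional

# The page's example schedule (time zone dropped for simplicity) and two probe times.
SCHEDULED_AT = datetime(2015, 9, 27, 5, 15)
BEFORE = datetime(2015, 9, 27, 5, 0)
AFTER = datetime(2015, 9, 27, 6, 0)


@dataclass
class Policy:
    name: str
    rules: List[dict]            # ordered rules, each carrying a unique "id"
    devices: List[str]           # security devices the policy targets


@dataclass
class Job:
    """One row of the job status view: type, id, user, status, progress and times."""
    job_id: int
    job_type: str                # "publish" or "update"
    policy: str
    user: str
    status: str = "scheduled"    # scheduled -> in_progress -> success | failed
    percent_complete: int = 0
    scheduled_start: Optional[datetime] = None
    actual_start: Optional[datetime] = None
    end_time: Optional[datetime] = None
    device_details: Dict[str, str] = field(default_factory=dict)   # per-device publish result


class PolicyStore:
    """Saved, candidate (published) and committed (deployed) policy stores."""

    def __init__(self, deploy: Callable[[str, Policy], str]):
        self.saved: Dict[str, Policy] = {}
        self.candidate: Dict[str, Policy] = {}
        self.committed: Dict[str, Policy] = {}
        self.jobs: List[Job] = []
        self._deploy = deploy    # pushes one policy to one device; returns "ok" or an error text
        self._next_id = 1

    def save(self, policy: Policy) -> None:
        """Keep the policy for later without publishing or deploying it."""
        self.saved[policy.name] = policy

    def _new_job(self, job_type: str, policy: Policy, user: str, when: Optional[datetime]) -> Job:
        job = Job(self._next_id, job_type, policy.name, user, scheduled_start=when)
        self._next_id += 1
        self.jobs.append(job)
        return job

    def publish(self, policy: Policy, user: str) -> Job:
        """Place the policy in the candidate store so other administrators can review it."""
        self.candidate[policy.name] = policy
        job = self._new_job("publish", policy, user, None)
        job.status, job.percent_complete = "success", 100
        return job

    def update(self, policy: Policy, user: str, when: Optional[datetime] = None) -> Job:
        """Elect deployment: the policy waits in the candidate store until the scheduled
        time (immediately if none) and is committed only once pushed to the devices."""
        self.candidate[policy.name] = policy
        return self._new_job("update", policy, user, when)

    def run_due(self, now: datetime) -> List[Job]:
        """Execute every pending update whose scheduled start has arrived."""
        ran = []
        for job in self.jobs:
            if job.job_type != "update" or job.status != "scheduled":
                continue
            if job.scheduled_start is not None and job.scheduled_start > now:
                continue
            policy = self.candidate[job.policy]
            job.status, job.actual_start = "in_progress", now
            failures = 0
            for i, dev in enumerate(policy.devices, start=1):
                result = self._deploy(dev, policy)
                job.device_details[dev] = result
                failures += result != "ok"
                job.percent_complete = 100 * i // len(policy.devices)
            if failures == 0:                      # only a fully successful push is committed
                self.committed[policy.name] = policy
            job.status = "success" if failures == 0 else "failed"
            job.end_time = now
            ran.append(job)
        return ran


def fake_deploy(device: str, policy: Policy) -> str:
    """Stand-in for the deployment engine (constructed): one device is unreachable."""
    return "error: device unreachable" if device == "fw-offline" else "ok"


if __name__ == "__main__":
    store = PolicyStore(fake_deploy)
    policy = Policy("block-attacker", [{"id": 1, "src": "203.0.113.7", "action": "deny"}], ["fw-1", "fw-2"])
    store.update(policy, "admin", SCHEDULED_AT)
    print(store.run_due(BEFORE))                 # nothing due yet: still in the candidate store
    for job in store.run_due(SCHEDULED_AT):
        print(job.job_id, job.status, job.percent_complete, job.device_details)
```

The point worth noticing is that a partial failure leaves the policy in the candidate store and the job marked failed, so the committed store never claims a policy that some device does not actually enforce.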
- FIG. 9 illustrates an example interface generated by security management system 10 by which administrator 12 may view the source or destination details of the threat device, in one aspect of the disclosure.
- Threat control module 17 of security management system 10 may present a user interface presenting device information including source device details 901 and destination device details 902.
- The user interface may present device details including the device IP, device name, organization name, organization ID, physical address of the device (e.g., street address, city, state/province, postal code, country), registration date, updated date, and a reference link to more information about the device.
- FIG. 10 is a flowchart showing an example operation of security management system 10.
- Security devices 5 may initially analyze packet flows to identify applications and potential threat data (100).
- Security device 5 may proceed to communicate the potential threat data to security management system 10 (102).
- Security management system 10 may receive the communicated threat data from the security device 5 and aggregate the received data with threat data aggregator 14 (104).
- Security management system 10, through threat control module 17, may further construct and display the real-time or near real-time threats that have been aggregated by threat data aggregator 14 and stored in threat database 16, wherein the display may be a visualization generated by threat control module 17 in map, chart, grid view, or the like.
- Security management system 10 may further receive input from an administrator 12 to configure policies including the ordering of rules (108). For example, administrator 12 may configure policies directly from the display of real-time or near real-time threats and/or through various graphical representations of filtered event data associated with threats.
- Security management system 10 may automatically generate newly configured or updated security policies including ordered rules using policy/rule module 20 (110).
- Security management system 10 may further deploy the generated or updated policies to security device 5 through the policy deployment engine 26 (112).
- Security device 5 may then receive the deployed generated security policies from security management system 10 (114).
- Security device 5 may proceed to update the configuration data relating to the generated security policies from security management system 10 (116).
- Security device 5 may process traffic according to the updated security policies (118).
- FIG. 11 shows a detailed example of a computing device that may be configured to implement some embodiments in accordance with the current disclosure.
- Device 1100 may be a server, a workstation, a computing center, a cluster of servers or other example embodiments of a computing environment, centrally located or distributed, capable of executing the techniques described herein. Any or all of the devices may, for example, implement portions of the techniques described herein for a security management system.
- A computer 1100 includes a hardware-based processor 1110 that may be incorporated into security management system 10 to execute program instructions or software, causing the computer to perform various methods or tasks, such as performing the techniques described herein.
- Processor 1110 may be a general purpose processor, a digital signal processor (DSP), a core processor within an Application Specific Integrated Circuit (ASIC) and the like.
- Processor 1110 is coupled via bus 1120 to a memory 1130, which is used to store information such as program instructions and other data while the computer is in operation.
- A storage device 1140 such as a hard disk drive, nonvolatile memory, or other non-transient storage device stores information such as program instructions, data files of the multidimensional data and the reduced data set, and other information.
- Computer 1150 may provide an operating environment for execution of one or more virtual machines that, in turn, provide an execution environment for software for implementing the techniques described herein.
- The computer also includes various input-output elements 1150, including parallel or serial ports, USB, Firewire or IEEE 1394, Ethernet, and other such ports to connect the computer to external devices such as a keyboard, touchscreen, mouse, pointer or the like.
- Other input-output elements include wireless communication interfaces such as Bluetooth, Wi-Fi, and cellular data networks.
- The computer itself may be a traditional personal computer, a rack-mount or business computer or server, or any other type of computerized system.
- The computer in a further example may include fewer than all elements listed above, such as a thin client or mobile device having only some of the shown elements.
- The computer may be distributed among multiple computer systems, such as a distributed server that has many computers working together to provide various functions.
- The techniques described herein may be implemented in hardware, software, firmware, or any combination thereof.
- Various features described as modules, units or components may be implemented together in an integrated logic device or separately as discrete but interoperable logic devices or other hardware devices.
- Various features of electronic circuitry may be implemented as one or more integrated circuit devices, such as an integrated circuit chip or chipset.
- This disclosure may be directed to an apparatus such as a processor or an integrated circuit device, such as an integrated circuit chip or chipset.
- The techniques may be realized at least in part by a computer readable data storage medium comprising instructions that, when executed, cause one or more processors to perform one or more of the methods described above.
- The computer-readable data storage medium or device may store such instructions for execution by a processor. Any combination of one or more computer-readable medium(s) may be utilized.
- A computer-readable storage medium may form part of a computer program product, which may include packaging materials.
- A computer-readable storage medium may comprise a computer data storage medium such as random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), electrically erasable programmable read-only memory (EEPROM), flash memory, magnetic or optical data storage media, and the like.
- A computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. Additional examples of computer readable medium include computer-readable storage devices, computer-readable memory, and tangible computer-readable medium.
- An article of manufacture may comprise one or more computer-readable storage media.
- The computer-readable storage media may comprise non-transitory media.
- The term “non-transitory” may indicate that the storage medium is not embodied in a carrier wave or a propagated signal.
- A non-transitory storage medium may store data that can, over time, change (e.g., in RAM or cache).
- The code or instructions may be software and/or firmware executed by processing circuitry including one or more processors, such as one or more digital signal processors (DSPs), general purpose microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other equivalent integrated or discrete logic circuitry.
- Processors may refer to any of the foregoing structure or any other processing circuitry suitable for implementation of the techniques described herein.
- Functionality described in this disclosure may be provided within software modules or hardware modules.
Abstract
Description
- This application claims the benefit of India Patent Application 5944/CHE/2015, filed Nov. 3, 2015, the entire contents of which are hereby incorporated by reference.
- The invention relates to computer networks, and, more particularly, to management and configuration techniques of network security devices.
- Data and technology stored in computer systems and networks are vulnerable to increasing levels of cyberthreats. Common types of network attacks include Denial of Service (DOS) attacks, spoofing attacks, packet eavesdropping or interception, and the like. Because of the increasing sophistication of cyberthreats, administrators tasked to protect computer networks are increasingly burdened and ill-equipped to mitigate and resolve cyberthreats and network attacks efficiently and effectively. Currently, to respond to the cyberthreats, administrators must take part in a manual, labor-intensive process to configure policies or other protection systems in an attempt to block such threats.
- In general, this disclosure describes an integrated security management system that provides centralized threat visualization and automated control of security devices distributed throughout a network.
- For example, in one example implementation, the security management system includes one or more processors, one or more computer-readable memories storing instructions that, when executed, implement a sophisticated user interface and visualization engine that generates and displays a live threat visualization of animated network threats in real-time or near real-time. Moreover, the security management system includes a threat data aggregator that aggregates data on one or more threats from one or more security devices deployed within a security domain, e.g., an enterprise network. The security management system may also include a threat control module capable of displaying the one or more threats and configuring the security devices deployed within the network including, for example, deploying created or updated security policies in response to one or more detected network attacks. An administrator may, for example, interact with the graphical representation of threats rendered by the threat control module based on the data aggregated from the distributed security devices and, responsive to the interaction, the security management system may identify a relevant set of the security devices, automatically construct security policies having ordered rules within the policies for the identified set of security devices, and automatically communicate and install the policies in the identified set of security devices using a policy deployment engine of the underlying network management components of the integrated security management system.
- In this way, the security management system enables administrators to take direct actions, such as selectively blocking or allowing traffic and applications, while monitoring events from a graphical representation of threats. As such, the administrator in an enterprise interacts with the graphical representation of threats rendered by the security management system to automatically invoke a policy/rule module of the security management system to configure and update security policies for the security devices deployed throughout the computer networks of the enterprise.
- The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the invention will be apparent from the description and drawings, and from the claims.
- FIG. 1 is a block diagram illustrating an example enterprise network having an integrated security management system as described herein.
- FIG. 2 is a block diagram illustrating an example integrated security management system, in one aspect of this disclosure.
- FIG. 3 is an example security device, which processes network flows to identify potential network threats, in one aspect of this disclosure.
- FIGS. 4A-4C illustrate example user interfaces generated by a security management system to present to an administrator a representation of the aggregated threat data, in various aspects of the disclosure.
- FIGS. 5A-5E illustrate example user interfaces generated by the security management system to present to an administrator representations of filtered event data associated with a threat, in various aspects of the disclosure.
- FIGS. 6A-6D illustrate example user interfaces generated by security management system by which an administrator may review and publish automatically created rules associated with security policies, in various aspects of the disclosure.
- FIG. 7 illustrates an example user interface generated by security management system by which an administrator may enable deployment and/or publication of the automatically created security policies, in one aspect of the disclosure.
- FIG. 8 illustrates an example user interface generated by security management system by which an administrator may view the job status of the published or updated security policies.
- FIG. 9 illustrates an example interface generated by security management system by which an administrator may view the source or destination details of the threat device, in one aspect of the disclosure.
- FIG. 10 is a flowchart showing an example operation of security management system.
- FIG. 11 shows a detailed example of a computing device that may be configured to implement some embodiments in accordance with the current disclosure.
- FIG. 1 is a block diagram illustrating an example enterprise network having an integrated security management system as described herein. In the example of FIG. 1, enterprise network 2 includes an integrated security management system 10 and one or more security devices 5 deployed in a distributed manner throughout the network.
- The one or more security devices 5A-5C (collectively “security devices 5”) of enterprise network 2 are interconnected via communication links that form a communication topology. In general, security devices 5 monitor packet flows within network 2 and apply security services to those packet flows so as to protect computing resources (not shown) within the network, such as network servers, end user computers and infrastructure devices providing network connectivity. For example, security devices 5 may perform deep packet inspection on the packet flows to detect patterns or anomalies within the packet flows that are indicative of threats, such as network attacks, viruses, malware and the like. During this process, security devices 5 typically apply policies that define criteria (e.g., header information, patterns, anomaly information) to be compared with the packet flows and take actions specified by the policies, such as dropping packet flows, logging packet flows or redirecting packet flows to packet analyzers for further analysis. Security devices 5 may include, for example, firewalls or other intrusion detection systems (IDS) or intrusion prevention systems (IDP), or even high-end routers or service nodes configured to apply network security services to packet flows within network 2.
- While described in this disclosure as transmitting, conveying, or otherwise supporting packets, enterprise network 2 may transmit data according to any other discrete data unit defined by any other protocol, such as a cell defined by the Asynchronous Transfer Mode (ATM) protocol, or a datagram defined by the User Datagram Protocol (UDP). Communication links interconnecting security devices 5 may be physical links (e.g., optical, copper, and the like) or wireless. Enterprise network 2 may be coupled to one or more additional private or public networks, e.g., the Internet (not shown).
- In the example of FIG. 1, enterprise network 2 is shown coupled to public network 4A-4C (collectively “public network 4”) (e.g., the Internet) via communication links 7A-7C, respectively. Public network 4 may include, for example, one or more client computing devices. Public network 4 may provide access to web servers, application servers, public databases, media servers, end-user devices, and other types of network resource devices and content. Network devices in public network 4 may present a number of security threats to enterprise network 2. For example, devices in public network 4 may attempt to deliver worms, trojans, and/or viruses to one or more of security devices 5. As another example, a hacker using a device in public network 4 may attempt to infiltrate enterprise network 2 to snoop, corrupt, destroy, or steal information stored by one or more security devices 5.
- As described herein, security management system 10 enables centralized management of security devices 5 by collecting and aggregating threat information from the security devices 5 and presenting a unified, real-time visualization of network threats present throughout enterprise network 2. Moreover, security management system 10 provides an integrated system that provides network administrators, e.g., administrator 12, with a centralized, single point of control for managing security devices 5 in response to network threats.
- For example, security management system 10 receives and aggregates data from security devices 5 in real-time as threats are detected and identified within a security domain, e.g., enterprise network 2. Security management system 10 renders and maintains an animated representation of the identified threats based on the data aggregated from distributed security devices 5. Responsive to interaction from administrator 12, security management system 10 identifies a relevant set of security devices 5, automatically constructs security policies having ordered rules within the policies for the identified set of security devices 5, and automatically communicates and installs the policies in the identified set of security devices 5 using an underlying policy deployment engine integrated within security management system 10. In the example of FIG. 1, security management system 10 is illustrated as participating in configuration sessions 9A-9C (collectively “configuration sessions 9”) with security devices 5 to communicate and install the policies in the identified set of security devices 5.
- In this way, security management system 10 enables administrators 12 to take direct actions, such as selectively blocking or allowing traffic and applications, while monitoring events from a representation of threats identified anywhere within network 2. As such, the administrator is able to interact with the representation of the threats as rendered by security management system 10 to automatically configure and update security policies of security devices 5 deployed throughout network 2.
- In common practice, security management system 10 and security devices 5 managed by security management system 10 may be centrally maintained by an IT group of the enterprise. Administrator 12 may interact with security management system 10 to remotely monitor and configure security devices 5. For example, administrator 12 may receive alerts from security management system 10 regarding security devices 5, view live threat and configuration information data of security devices 5, drill down to filtered representations of filtered threat data, create or update security policies for security devices 5, add new security devices to enterprise network 2, remove existing security devices from enterprise network 2, or otherwise manipulate the enterprise network 2 and security devices therein. Although described with respect to an enterprise network, the techniques of this invention are applicable to other network types, public and private, including LANs, VLANs, VPNs, and the like.
- Administrator 12 may use security management system 10 to configure security devices 5 with security policies, where each security policy represents a set of one or more ordered rules that specify certain operational characteristics that further the objectives of administrator 12. For example, administrator 12 may, using policies with a collection of an ordered set of rules, specify for a security device 5 a particular security policy regarding security of incoming or outgoing Internet Protocol (IP) traffic. While described with respect to policies and rules, the techniques of this disclosure may be applicable to other aspects of security devices, including modifying routing tables, or other aspects involving updating or reordering pre-existing security policies or rules.
- In general, security devices 5 maintain data for a particular policy (e.g., security) as an ordered list of one or more rules that are each keyed to a unique identifier. Upon occurrence of a triggering event in one of the managed security devices 5, such as the receipt of a network packet, the security device 5 sequentially traverses the ordered list to determine the first policy rule in the list that applies to the triggering event data. If the security device finds an applicable policy rule, the security device proceeds to execute the specified action (e.g., drop the packet, update a traffic log, redirect the packet for further analysis and inspection, or block or allow the packet). Further example details of a centralized network management system capable of managing security devices and deploying policies thereto are described in U.S. Pat. No. 8,429,255, entitled “DETERMINING REORDER COMMANDS FOR REMOTE REORDERING OF POLICY RULES,” and U.S. Pat. No. 8,248,958, entitled “REMOTE VALIDATION OF NETWORK DEVICE CONFIGURATION USING A DEVICE MANAGEMENT PROTOCOL FOR REMOTE PACKET,” the contents of each of which are incorporated herein by reference. Further examples are described in the Network and Security Manager (NSM) application as described in Juniper Networks, “Juniper Networks Network and Security Manager Administration Guide Revision 2009.1,” August 2009, available at http://www.juniper.net/techpubs/software/management/security-manager/nsm2009_1/nsm-admin-guide.pdf, which is incorporated herein by reference in its entirety.
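Two consequences of the ordered, first-match rule list just described are easy to get wrong: a rule that is textually present can be shadowed by an earlier, broader rule that matches first, and a reorder has to be expressed in terms of rule identifiers rather than list positions if it is to be applied safely on a remote device. The Python below, added here as an illustration and not code from the patent or from any Juniper product, shows a first-match evaluator, an identifier-based reorder, and the kind of ordered deny rule the policy/rule module (steps 108 to 118 of FIG. 10) would construct for a threat, placing it ahead of any allow that would otherwise shadow it. Rule, Packet, the field names and the sample addresses (documentation ranges) are assumptions of this example.

```python
"""First-match ordered rule evaluation, reordering by id, and rule construction
for a threat (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    rule_id: int          # unique identifier the device keys the rule by
    src: str              # source IP or "any"
    dst: str              # destination IP or "any"
    service: str          # e.g. "tcp/443", or "any"
    action: str           # "allow", "deny", "log" or "redirect"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule applies when every field is either a wildcard or equal to the packet's."""
    pairs = ((rule.src, pkt.src), (rule.dst, pkt.dst), (rule.service, pkt.service))
    return all(want in (ANY, have) for want, have in pairs)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Traverse the ordered list; the first applicable rule decides (None if none applies)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def reorder(rules: List[Rule], rule_id: int, before_id: int) -> List[Rule]:
    """Move rule `rule_id` so it sits immediately before rule `before_id`.
    Both are identifiers, not positions, so the command means the same thing
    on the device even if its copy of the list has shifted."""
    by_id = {r.rule_id: r for r in rules}
    if rule_id not in by_id or before_id not in by_id:
        raise KeyError("unknown rule id")
    moved = by_id[rule_id]
    remaining = [r for r in rules if r.rule_id != rule_id]
    idx = next(i for i, r in enumerate(remaining) if r.rule_id == before_id)
    return remaining[:idx] + [moved] + remaining[idx:]


def rules_for_threat(rules: List[Rule], src: str, dst: str, service: str, next_id: int) -> List[Rule]:
    """Construct a deny rule for the threat's source/destination/service and return the
    new ordered list, moving the deny ahead of any earlier rule that would match first."""
    deny = Rule(next_id, src, dst, service, "deny")
    shadowing = first_match(rules, Packet(src, dst, service))
    if shadowing is None or shadowing.action == "deny":
        return rules + [deny]           # nothing earlier intercepts the flow: append
    return reorder(rules + [deny], deny.rule_id, shadowing.rule_id)


if __name__ == "__main__":
    # Constructed base policy: allow HTTPS to a web server, deny everything else.
    base = [Rule(1, ANY, "10.0.0.5", "tcp/443", "allow"), Rule(2, ANY, ANY, ANY, "deny")]
    pkt = Packet("203.0.113.7", "10.0.0.5", "tcp/443")
    print("before:", first_match(base, pkt).action)                      # allow
    updated = rules_for_threat(base, "203.0.113.7", "10.0.0.5", "tcp/443", 3)
    print("order:", [r.rule_id for r in updated])                        # [3, 1, 2]
    print("after:", first_match(updated, pkt).action)                    # deny
```

Appending the deny at the end of the list would have been a no-op for this flow, because rule 1 allows it first; checking for the shadowing rule before choosing the position is what makes the generated policy actually take effect.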
- FIG. 2 is a block diagram illustrating an example integrated security management system 10, in one aspect of this disclosure. As described herein, security management system 10 provides a system and interface with which administrator 12 views live or near-live threats, quickly assesses a filtered representation of filtered threat data associated with a given threat for comprehensive analysis, and configures or modifies various security policies of security devices 5 in response to the threat. In FIG. 2, for example, threat control module 17 of security management system 10 constructs and outputs an interface to enable administrator 12 to view live threats on, for instance, a grid, chart or map, to drill down to various filtered representations of filtered threat data associated with the threats, to insert or configure new rules in a current or new policy for one or more of security devices 5, to produce an updated policy for the security devices 5, and to delete or change the ordering of existing rules. In response to producing the new or updated policy, administrator 12 may direct security management system 10 to deploy the configuration to one or more of security devices 5 through a policy deployment engine 26 based on the new or updated policy. In some aspects, security management system 10 automatically modifies policies of security devices 5 as a response to, for example, the detection of threats.
- Unlike conventional systems, in some example implementations, security management system 10 provides live threat visualization of enterprise-wide threats in real-time or near real-time and integrates automatic policy generation and deployment to security devices 5 in the visualization process, thereby providing a seamless user experience for monitoring and acting on threats in a centralized management system. During a cyberattack, when speed to resolve and mitigate an attack may be critical, the centralized, enterprise-wide live threat visualization coupled with automated policy generation and deployment of security management system 10 may be advantageous. Security management system 10 integrates threat aggregation and visualization with an underlying device management system capable of centrally managing configuration information for network devices of network 2, including security devices 5. For example, various implementations and features of security management system 10 as described herein enable administrator 12 to view live network traffic information and quickly diagnose and prevent an attack, such as by seamlessly enabling administrator 12 to quickly block or temporarily block network traffic for a given set of users, applications, geographic regions, combinations thereof, etc. Security management system 10 may further enable administrator 12 to allow network traffic that is not a threat, but may otherwise have been blocked by conventional techniques. As such, security management system 10 enables administrator(s) 12 to seamlessly update, e.g., construct and deploy, security policies to security devices 5, such as to block or allow packet flows between particular source and destination addresses, block or allow only traffic from a source address, or block or allow only traffic to a destination IP address.
- In the example of FIG. 2, security management system 10 may receive detailed analysis of packets from each of security devices 5. In one example, security devices 5, such as an IDS or IDP system, may analyze both client-to-server and server-to-client packet flows, process the packets to perform application classification to identify the type of application and communication protocol associated with each packet flow (e.g., Skype, Yahoo Messenger, Bit Torrent peer-to-peer protocol), and perform detailed analysis of the packets, for example, to identify specific fields within the packets in the packet flows, as further described herein. In the example of FIG. 2, security management system 10 includes a threat data aggregator 14 that executes on one or more processors of security management system 10 to aggregate the detailed analysis of the packets received from the one or more security devices 5 with respect to any threats detected within the network.
- Security management system 10 may aggregate the threat data with threat data aggregator 14, and may store information describing each active packet flow present within the network traffic within a threat database 16. Threat database 16 may store specifications of security devices 5 associated with each active packet flow, i.e., low-level information such as source and destination devices and ports associated with the packet flow. In addition, security device 5 may identify pairs of packet flows that collectively form a single communication session between a client and server. For example, an IDS 200 may designate a communication session as a pair of packet flows in opposite directions for flows sharing at least some common network addresses, ports and protocol. In another example, security management system 10 may poll security devices 5 for traffic information if the security devices 5 do not provide system updates.
- In the example of FIG. 2, administrator 12 may view the aggregated threat data collected from security devices 5, aggregated by threat data aggregator 14, and stored in threat database 16, as shown in FIG. 2, formatted, for example, as a list, a grid, a chart, or a map. Threat data aggregator 14 may aggregate IP traffic information and collect various related information associated with the threats such as threat name, count, start time, threat severity, source location, source IP address, destination location, destination IP address, device information, attack category, attack type, service, impact of threat, and action taken, in one aspect of the disclosure. Threat data aggregator 14 may further aggregate application usage data values such as traffic to and from an application, and user data such as bandwidth and sessions.
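The two aggregation steps described above (steps 100 to 104 of FIG. 10 and the threat database paragraphs here) are pairing the two directions of a flow into one session and rolling detections up by threat name into the count, start time, severity, device and action fields the grid view lists. The Python below, added as an illustration and not code from the patent or from any Juniper product, does both over a handful of constructed device records. The record layout, the severity scale, the device names and the addresses (documentation ranges) are assumptions of this example; a real aggregator would read whatever format its security devices emit.

```python
"""Threat data aggregation over device reports (constructed example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Unidirectional flow records as security devices might report them (constructed sample).
FLOWS = [
    {"device": "fw-1", "proto": "tcp", "src": "203.0.113.7", "sport": 51514, "dst": "10.0.0.5", "dport": 443},
    {"device": "fw-1", "proto": "tcp", "src": "10.0.0.5", "sport": 443, "dst": "203.0.113.7", "dport": 51514},
    {"device": "fw-2", "proto": "tcp", "src": "198.51.100.9", "sport": 40000, "dst": "10.0.0.8", "dport": 22},
]

# One threat event per detection (constructed sample).
THREATS = [
    {"name": "SQL_INJECTION", "severity": "high", "start": "2015-09-27T05:10:00", "device": "fw-1",
     "src": "203.0.113.7", "dst": "10.0.0.5", "service": "tcp/443", "action": "drop"},
    {"name": "SQL_INJECTION", "severity": "critical", "start": "2015-09-27T05:12:30", "device": "fw-3",
     "src": "203.0.113.7", "dst": "10.0.0.6", "service": "tcp/443", "action": "log"},
    {"name": "SSH_BRUTE_FORCE", "severity": "medium", "start": "2015-09-27T05:11:00", "device": "fw-2",
     "src": "198.51.100.9", "dst": "10.0.0.8", "service": "tcp/22", "action": "drop"},
]


def session_key(flow: dict) -> Tuple:
    """Direction-independent key: protocol plus both endpoints in sorted order,
    so a flow and its reverse flow map to the same session."""
    endpoints = sorted([(flow["src"], flow["sport"]), (flow["dst"], flow["dport"])])
    return (flow["proto"], endpoints[0], endpoints[1])


def pair_flows(flows: List[dict]) -> Dict[Tuple, List[dict]]:
    """Group flows into sessions; a complete session holds two flows, one per direction."""
    sessions: Dict[Tuple, List[dict]] = defaultdict(list)
    for flow in flows:
        sessions[session_key(flow)].append(flow)
    return dict(sessions)


def aggregate_threats(events: List[dict]) -> Dict[str, dict]:
    """Roll detections up by threat name into the per-threat fields of the grid view."""
    agg: Dict[str, dict] = {}
    for e in events:
        row = agg.setdefault(e["name"], {
            "count": 0, "start_time": e["start"], "severity": e["severity"],
            "sources": set(), "destinations": set(), "devices": set(), "services": set(), "actions": set(),
        })
        row["count"] += 1
        row["start_time"] = min(row["start_time"], e["start"])   # ISO-8601 strings sort chronologically
        if SEVERITY_RANK[e["severity"]] > SEVERITY_RANK[row["severity"]]:
            row["severity"] = e["severity"]                       # keep the worst severity seen
        row["sources"].add(e["src"])
        row["destinations"].add(e["dst"])
        row["devices"].add(e["device"])
        row["services"].add(e["service"])
        row["actions"].add(e["action"])
    return agg


def grid_rows(agg: Dict[str, dict]) -> List[Tuple[str, str, int]]:
    """Order threats for display: highest severity first, then most frequent, then by name."""
    return sorted(((name, row["severity"], row["count"]) for name, row in agg.items()),
                  key=lambda r: (-SEVERITY_RANK[r[1]], -r[2], r[0]))


if __name__ == "__main__":
    for key, flows in pair_flows(FLOWS).items():
        print(key, "->", len(flows), "direction(s)")
    for row in grid_rows(aggregate_threats(THREATS)):
        print(row)
```

Note that the two SQL_INJECTION detections come from different devices with different actions (one dropped, one only logged); keeping the set of actions per threat is what lets the administrator see that a threat is only partially mitigated before deciding on a policy change.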
- Threat control module 17 of security management system 10 may further include a visualization module 18 to generate various filtered representations of the live aggregated threat data, such as in grid, chart, or map view. Visualization module 18 may also generate filtered representations of live aggregated threat data in the form of an application usage view or user usage view. Threat control module 17 may then present the generated graphical representation of aggregated data to an administrator 12 for interaction and configuration of security devices 5.
- As shown in FIG. 2, security management system 10 may also include a policy/rule module 20 that executes on one or more processors of security management system 10, wherein the policy/rule module 20 may generate configuration information for security devices 5 based on configuration information automatically generated by security management system 10 or defined by administrator 12 and received from threat control module 17. In response to policy/rule module 20 creating or modifying security policies, security management system 10 may store configuration parameters in a candidate policy database 22 for review and eventual publishing to committed policy database 24, as will be discussed in greater detail herein. Security management system 10 may also include a policy deployment engine 26 that sends the updated configuration information of security policies to security devices 5.
- In general, the underlying policy deployment engine 26 of security management system 10 may use one or more network management protocols designed for management of configuration information data within managed security devices 5, such as the Simple Network Management Protocol (SNMP) or the Network Configuration Protocol (NETCONF) or a derivative thereof, such as the Juniper Device Management Interface, to manage the security policies within security devices 5. Further details of the SNMP protocol can be found in Harrington et al., RFC 3411, “An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks,” Network Working Group, the Internet Engineering Task Force draft, December 2002, available at http://tools.ietf.org/html/rfc3411, the entire contents of which are incorporated herein by reference. NETCONF is described in R. Enns et al., RFC 4741: “NETCONF Configuration Protocol,” Network Working Group, the Internet Engineering Task Force draft, December 2006, available at http://tools.ietf.org/html/rfc4741, which is incorporated herein by reference in its entirety. Using the network management protocol, security management system 10 may establish configuration sessions 9 with one or more security devices 5 that allow security management system 10 to traverse and modify configuration information data within the identified security devices 5.
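To make the configuration session concrete, the Python below, added as an illustration and not code from the patent or from any Juniper product, builds the NETCONF `<edit-config>` request a policy deployment engine would send for one security policy and checks the device's `<rpc-reply>`. Only the NETCONF envelope (the `rpc`, `edit-config`, `target`, `test-option`, `ok` and `rpc-error` elements and the base namespace) follows RFC 4741; the `<security-policy>`/`<rule>` payload is a hypothetical device model invented for this example, and both replies are constructed, not captured from a device. The transport (SSH session, framing) is left out; a real engine would send the string and read the reply over it.

```python
"""NETCONF edit-config request and rpc-reply handling (constructed example)."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"   # NETCONF base namespace (RFC 4741)


def build_edit_config(message_id: int, policy_name: str, rules, target: str = "candidate") -> str:
    """Serialise an <edit-config> RPC carrying the policy as a hypothetical
    <security-policy> element; `target` is the device datastore to edit."""
    ET.register_namespace("nc", NC)
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}{target}")
    # Ask the device to validate the whole edit before applying any of it
    # (honoured by devices that advertise the :validate capability).
    ET.SubElement(edit, f"{{{NC}}}test-option").text = "test-then-set"
    config = ET.SubElement(edit, f"{{{NC}}}config")
    policy = ET.SubElement(config, "security-policy")        # hypothetical model, not a real schema
    ET.SubElement(policy, "name").text = policy_name
    for r in rules:                                           # rules keep their order in the document
        rule = ET.SubElement(policy, "rule")
        for key in ("id", "src", "dst", "service", "action"):
            ET.SubElement(rule, key).text = str(r[key])
    return ET.tostring(rpc, encoding="unicode")


def parse_reply(xml_text: str, expected_id: int):
    """Return ("ok", []) or ("error", [(error-tag, error-message), ...]); reject
    a reply whose message-id does not match the request we are waiting on."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NC}}}rpc-reply" or root.get("message-id") != str(expected_id):
        raise ValueError("reply does not match the outstanding request")
    if root.find(f"{{{NC}}}ok") is not None:
        return ("ok", [])
    errors = [(err.findtext(f"{{{NC}}}error-tag"), err.findtext(f"{{{NC}}}error-message"))
              for err in root.findall(f"{{{NC}}}rpc-error")]
    return ("error", errors)


# Constructed replies in the shape RFC 4741 defines (not captured from a device).
REPLY_OK = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">'
            '<ok/></rpc-reply>')
REPLY_ERR = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">'
             '<rpc-error><error-type>application</error-type><error-tag>invalid-value</error-tag>'
             '<error-severity>error</error-severity><error-message>bad action</error-message>'
             '</rpc-error></rpc-reply>')


if __name__ == "__main__":
    request = build_edit_config(1, "block-attacker",
                                [{"id": 3, "src": "203.0.113.7", "dst": "any", "service": "any", "action": "deny"}])
    print(request)
    print(parse_reply(REPLY_OK, 1))    # ('ok', [])
    print(parse_reply(REPLY_ERR, 1))   # ('error', [('invalid-value', 'bad action')])
```

Matching the reply's message-id to the request is the detail that matters operationally: an engine that treats any `<ok/>` on the session as confirmation of the latest push can mark a policy committed on the strength of an earlier, unrelated reply.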
- FIG. 3 is an example intrusion prevention system (IDS) 200, which represents an example implementation of any of security devices 5 of FIG. 1. As described below, IDS 200 processes inbound and outbound packet flows entering and egressing network 2, performs deep packet inspection on the packet flows to identify potential network threats, and communicates threat information as well as application identification and flow information to security management system 10, in one aspect of this disclosure. Moreover, as further described below, IDS 200 receives policies and other configuration data from security management system 10 and applies those policies to packet flows within the network.
- In the illustrated example, IDS 200 includes a forwarding plane 222 that transparently monitors inbound network traffic 224 and forwards the network traffic as outbound network traffic 226. In the example illustrated by FIG. 3, forwarding plane 222 includes flow analysis module 225, stateful inspection engine 228, protocol decoders 230, and forwarding component 231.
- Security management client 244 provides a configuration interface 245 for communicating with security management system 10 in accordance with one or more device configuration protocols. For example, responsive to input from administrator 12, security management system 10 may output communications to configuration interface 245 to update policies 247, thereby controlling and configuring IDS 200 to monitor particular subnets of the enterprise network 2 and apply security policy rules received from security management system 10. As another example, security management system 10 may provide and install policies 247 that specify attack definitions 233, which, in some example approaches, security management client 244 relays to stateful inspection engine 228. In one embodiment, attack definitions 233 may be compound attack definitions. Moreover, security management system 10 may present a user interface by which administrator 12 may modify assumptions regarding packet flow characteristics, such as the highest priority packet flows for monitoring, port bindings for applications, or other features used to determine the type of application and protocol associated with a packet flow. Security management client 244 may receive the aforementioned information via configuration interface 245 for storage within policies 247 and relay the information to stateful inspection engine 228 for real-time application to packet flows.
- Flow analysis module 225 receives inbound traffic 224 and identifies individual network flows within the traffic. Each network flow represents a flow of packets in one direction within the network traffic and is identified by at least a source address, a destination address and a communication protocol. Flow analysis module 225 may utilize additional information to specify network flows, including source media access control (“MAC”) address, destination MAC address, source port, and destination port. Other examples may use other information to identify network flows, such as IP addresses, application sessions, and bandwidth usage.
- Flow analysis module 225 maintains flow data within flow table 235 that describes each active packet flow present within the network traffic. Flow table 235 specifies network elements associated with each active packet flow, i.e., low-level information such as source and destination devices and ports associated with the packet flow. In addition, flow table 235 may identify pairs of packet flows that collectively form a single communication session between a client and server. For example, flow table 235 may designate a communication session as a pair of packet flows in opposite directions that share at least some common network addresses, ports and protocol.
- As described in further detail below, stateful inspection engine 228 inspects both client-to-server packet flows and server-to-client packet flows in order to more accurately identify the type of application and underlying protocol for each communication session. This may assist when, for example, a malicious user attempts to spoof (i.e., mimic) one type of application while actually using another in an attempt to bypass an IDS. As an example, a malicious user may attempt to circumvent an IDS by spoofing an SMTP request when actually using the HTTP protocol. IDS 200 may determine from the response from the server that the original packet flow was merely an attempt to bypass IDS 200 and may take appropriate action, such as dropping future packets associated with the packet flow and/or alerting the targeted device of the attack.
- In some example approaches, IDS 200 may use a minimum data size of the reassembled TCP segments, in addition to the signature, in order to identify the types of applications. Certain applications may require a minimum amount of data, so IDS 200 may distinguish malicious packet flows by determining whether the packet flow contains enough data for the identified protocol. Moreover, IDS 200 may not necessarily recognize every application. In one example, when an application is unknown, IDS 200 may simply forward the packet flow. If IDS 200 cannot identify a given application, it may be because that application is not a typical target for a malicious packet flow. Other examples may take other actions for unidentified applications, however, such as discarding all packets that target unknown applications or applying a default signature to all packet flows associated with unknown application types. Other examples may also utilize other protocols, such as the User Datagram Protocol (UDP); IDS 200 accordingly may require a minimum data size of UDP segments in order to identify the application associated with the UDP segments.
- For each packet flow, stateful inspection engine 228 buffers a copy of the packet flow and reassembles the buffered packet flow to form application-layer communications 232. For example, stateful inspection engine 228 may reconstruct TCP segments into application-layer communications 232, which represent protocol-specific messages.
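As an added example (not the patent's code) of the flow table and two-direction classification described above: a table keyed by the five-tuple pairs each one-direction flow with its reverse flow into a session, and the classifier withholds a verdict until the server side is seen, requires a minimum amount of reassembled data per protocol, and flags a session whose client-side signature disagrees with the server's reply (the SMTP-over-HTTP case above). The signature prefixes, minimum sizes and the "pending"/"spoofed"/"unknown" verdicts are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not the patent's code. One-direction flow key:
# (src_ip, dst_ip, protocol, src_port, dst_port).
FlowKey = Tuple[str, str, str, int, int]

# Constructed signature table (assumption): prefixes expected from the client side and
# the server side, plus the minimum reassembled data size needed before a verdict.
SIGNATURES = {
    "HTTP": {"client": (b"GET ", b"POST ", b"HEAD "), "server": (b"HTTP/1.",), "min_data": 16},
    "SMTP": {"client": (b"EHLO ", b"HELO "), "server": (b"220 ",), "min_data": 4},
}


@dataclass
class Flow:
    key: FlowKey
    data: bytes = b""   # reassembled payload, segments appended in order
    packets: int = 0


@dataclass
class Session:
    client: Flow                    # the direction seen first (the initiator)
    server: Optional[Flow] = None   # the reverse-direction flow, once seen


def reverse(key: FlowKey) -> FlowKey:
    src, dst, proto, sport, dport = key
    return (dst, src, proto, dport, sport)


class FlowTable:
    """Tracks active one-direction flows and pairs opposite directions into sessions."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}
        self.sessions: Dict[FlowKey, Session] = {}   # keyed by the client-side flow

    def add_packet(self, key: FlowKey, payload: bytes) -> Session:
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key)
            rev = reverse(key)
            if rev in self.sessions:      # reverse of a known client flow: the server side
                self.sessions[rev].server = flow
            else:                         # first direction seen: treat as the client side
                self.sessions[key] = Session(client=flow)
        flow.packets += 1
        flow.data += payload
        return self.session_of(key)

    def session_of(self, key: FlowKey) -> Session:
        return self.sessions.get(key) or self.sessions[reverse(key)]


def identify(data: bytes, side: str) -> Optional[str]:
    """Signature match for one direction; None if nothing matches or too little data was seen."""
    for app, sig in SIGNATURES.items():
        if data.startswith(sig[side]) and len(data) >= sig["min_data"]:
            return app
    return None


def classify(session: Session) -> str:
    """Verdict for a session: the agreed application, "unknown", "pending" while the
    server side is unseen, or "spoofed" when the client's claimed protocol and the
    server's reply disagree (the SMTP request answered over HTTP described above)."""
    if session.server is None or not session.server.data:
        return "pending"
    client_app = identify(session.client.data, "client")
    server_app = identify(session.server.data, "server")
    if client_app and server_app and client_app != server_app:
        return "spoofed"
    return client_app or server_app or "unknown"
```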
- Stateful inspection engine 228 invokes the appropriate one of protocol decoders 230 based on the identified type of application to analyze the application-layer communications 232. Protocol decoders 230 represent a set of one or more protocol-specific software modules. Each of protocol decoders 230 corresponds to a different communication protocol or service. Examples of communication protocols that may be supported by protocol decoders 230 include the HyperText Transfer Protocol (“HTTP”), the File Transfer Protocol (“FTP”), the Network News Transfer Protocol (“NNTP”), the Simple Mail Transfer Protocol (“SMTP”), Telnet, Domain Name System (“DNS”), Gopher, Finger, the Post Office Protocol (“POP”), the Secure Socket Layer (“SSL”) protocol, the Lightweight Directory Access Protocol (“LDAP”), Secure Shell (“SSH”), Server Message Block (“SMB”) and other protocols.
- Protocol decoders 230 analyze reassembled application-layer communications 232 and output transaction data 234 that identifies application-layer transactions. In particular, transaction data 234 indicates when a series of related application-layer communications between two peer devices starts and ends.
- Stateful inspection engine 228 receives transaction data 234, application-layer elements 236 and protocol anomaly data 238 from protocol decoders 230. Stateful inspection engine 228 applies policies 247 (e.g., attack definitions 233 or other rules) to protocol-specific application-layer elements 236 and anomaly data 238 to detect and prevent network attacks and other security risks.
- In the event a security risk is detected, stateful inspection engine 228 outputs alert 240 to security management client 244 for logging and further analysis as threat data 249. Threat data 249 may, for example, include packet flow identification information from flow table 235 for those packet flows that have been identified as potential threats. Moreover, threat data 249 may store, for each of the packet flows, application classification information provided by flow analysis module 225 that identifies the type of application-layer application associated with the packet flow. In addition, threat data 249 may include, for each of the packet flows, threat information from stateful inspection engine 228 that characterizes the particular type of threat, such as the identified pattern, anomalies or other qualities of the respective packet flow that triggered one or more policies for classifying the packet flow as a threat.
- Security management client 244 relays threat data 249 about the currently detected security risk(s) to security management system 10. In addition, stateful inspection engine 228 may take additional action, such as dropping the packets associated with the communication session, automatically closing the communication session, or other action. If no security risk is detected for a given application-layer communication session, forwarding component 231 continues to forward the packet flows between the peers. Forwarding component 231 may, for example, maintain a routing table that stores routes in accordance with a topology of the enterprise network for use in forwarding the packet flows. Operation of IDP and IDS devices is further described in U.S. Pat. No. 9,106,693, entitled “ATTACK DETECTION AND PREVENTION USING GLOBAL DEVICE FINGERPRINTING,” the discussion of which is incorporated herein by reference.
- FIGS. 4A-4C illustrate example user interfaces generated by security management system 10 to present to an administrator 12 a representation of the aggregated threat data, in various aspects of the disclosure. Threat control module 17 of security management system 10 may present dynamic threat animations and user interfaces that serve to organize network events and associated threat data in a variety of graphical representations.
- FIG. 4A illustrates an example user interface generated by security management system 10 by which administrator 12 may view a live graphical representation of threats in a map view. For example, visualization module 18 may generate a graphical representation of a map 400 (here, a world map) associated with a security domain (e.g., an enterprise or service provider network) and display statistics such as a total threat count 401, total intrusion prevention system (IPS) events 402, total anti-virus (AV) events 403, total anti-spam events 404, total device authorizations 405 (e.g., successful and/or unsuccessful logins), top destination devices 406, top destination countries 407, top source devices 408, top source countries (not shown), and other information related to aggregated threats. In one embodiment, visualization module 18 may generate a live aggregated representation of threats that includes one or more variable graphical indicators (e.g., color coding, variations in line thickness, size variations) associated with threats to represent varying magnitudes or categories of threats. For example, threats from security device 5A may be represented in one color, whereas threats from security device 5B may be represented in another; or threats with a greater volume may be represented in one color, whereas a lower volume may be represented by another color. In another approach, visualization module 18 may generate a graphical representation of the aggregated threat data with lines connecting the source and destination IP addresses. The visual representation of the lines (e.g., thickness, color, etc.) may represent the magnitude of traffic (e.g., volume of traffic, number of attacks, etc.) between the source and destination IP addresses.
- FIG. 4B illustrates another example user interface generated by security management system 10 by which administrator 12 may view aggregate threat data of application usage, in one aspect of the disclosure. In one example, threat data aggregator 14 may aggregate threat data for packet flows that have been identified as particular software applications by security devices 5, where the user interface provides a graphical indicator representative of usage associated with the different types of applications, such as the number of user sessions with an application and/or the bandwidth consumed by an application. Visualization module 18 may generate a graphical representation of the aggregate threat data associated with application usage, such as the example chart view in FIG. 4B. In another approach, visualization module 18 may generate a graphical representation of the aggregated threat data with graphical indicators 421 (e.g., variable sizing and/or color) that may represent the magnitude of application usage and/or severity of threat (e.g., bandwidth consumed from application usage, number of sessions, etc.). Threat control module 17 may then present the graphical representation of aggregated threat data that displays top sessions or bandwidth usage by application based on category (e.g., web 411, multimedia 412, messaging 413, social 414, and/or infrastructure 415). Threat control module 17 may further present an interface displaying top sessions or bandwidth usage by application based on characteristic (e.g., loss of productivity 416, prone to misuse 417, can leak information 418, supports file transfer 419, and/or bandwidth consumed 420) and for configuration of security devices 5 in response to detecting a threat.
- For example, FIG. 4B illustrates an example interface in chart view displaying threat data aggregated by application usage and grouped by risk. In particular, FIG. 4B illustrates an example chart displaying various applications and various graphical indicators 421. In FIG. 4B, for example, an application with a larger bubble may represent a higher number of sessions for that application. The bubble's color, such as red, orange, and yellow, may represent the severity of the threat. In some example approaches, a drop-down menu 429 is used to select whether to group application icons by risk or by other parameters, while a device select drop-down menu 430 allows threat control module 17 to filter the display to show particular devices 5. Threat control module 17 may also present a user interface by which administrator 12 may select a response to automatically create security policies in accordance with affected security devices 5.
- FIG. 4C illustrates another example user interface generated by security management system 10 by which administrator 12 may view aggregate threat data based on user usage, in one aspect of the disclosure. In one example, threat data aggregator 14 may aggregate threat data associated with a network user's application usage from security devices 5, such as the number of sessions with an application and/or the bandwidth consumed by a specific user. Visualization module 18 may generate a graphical representation of aggregate threat data associated with a specific user's application usage in the manner shown in either FIG. 4A or FIG. 4B above. In one example approach, threat control module 17 may present a user interface overlaying the graphical representation of aggregated threat data that displays the usage of the top network users.
- For example, FIG. 4C illustrates an example interface in grid view displaying threat data aggregated by network user usage. In particular, FIG. 4C illustrates an example grid displaying various network users and the top applications they use. In one approach, visualization module 18 may further generate a graphical representation of network usage including information on top users 422, top applications 423, the names of users 424, total number of sessions 425, bandwidth consumed 426, and/or top application used 427. Threat control module 17 may also present a user interface (e.g., check box 428) by which administrator 12 may select a response to automatically create security policies in accordance with affected security devices 5.
- FIGS. 5A-5E illustrate example user interfaces generated by security management system 10 to present to an administrator 12 representations of filtered event data associated with threats, in various aspects of the disclosure. Visualization module 18 may generate various filtered representations of filtered threat data in various views, such as grid, chart, and map views, based on a selection of user interface elements by an administrator 12. Threat control module 17 of security management system 10 may present administrator 12 a user interface to select specific user interface elements, such as data from a live-threat aggregated representation, to drill down to additional threat details displayed in a filtered representation of filtered threat data (overlaying the aggregated representation) generated by visualization module 18. For example, administrator 12 may select a country or other specified geographic location from a live threat map to view a grid of filtered data associated with threats, such as a threat name 501, count of threats 502, start time 503, severity of threat 504, source location 505, source IP address 506, destination location 507, destination IP address 508, category of threat 509, type of threat 510, service 511, impact 512, and threat action status 513 (e.g., allowed or blocked), as shown in FIG. 5A. The threat name 501 may include the name of the potential malicious activity, such as the virus name or malware name. The count 502 may include a counter signifying the number of times the threat has repeatedly occurred within security devices 5. The start time 503 may include time and date information of the threat. The severity 504 may include information on the level of severity of the threat and may be displayed as a graphical or numerical representation. The source location 505 may include information about the location from where the attack originates. The source location may further include finer points of granularity, such as the name of the organization associated with the source IP address, or countries, states, cities, or other specific locations associated with the source. The source IP address 506 may include the IP address of the computer system from which the suspected threat originated. The destination location 507 may include information about the location where the attack occurs. The destination location may further include finer points of granularity, such as countries, states, cities, or other specific locations. The destination IP address 508 may include the Internet Protocol address of the computer system that was targeted by the suspected attack. The category 509 may include information about the malicious activity, including forms of malware (e.g., viruses, worms, Trojans). The attack type 510 may include information about the type of threat, such as signature or compound. The service 511 may include information on the protocol used with the attack, including Hypertext Transfer Protocol (HTTP) or Internet Control Message Protocol (ICMP). The threat impact 512 may include the level of impact (e.g., high or low) the threat may have. The threat action status 513 may include information about whether the threat is allowed or blocked. In some graphical representations, users can filter threats with the above information. Threat control module 17 may also present a user interface for administrator 12 to select a response for automatically generating security policies to block or allow traffic of a selected threat in accordance with affected security devices 5.
- Visualization module 18 may also generate a filtered representation of aggregated threat data in chart view presenting filtered threat data associated with a selected user interface element, such as a geographic location, as shown in the example of FIG. 5B. In the example shown, the interface overlays a map view representation of threats. Upon the selection of a specific country, visualization module 18 may generate a filtered representation of the aggregated threat data and filtered threat details in various charts of interest, such as source countries 521, source IP addresses 522, destination devices 523, incoming viruses/worms 524, incoming IPS attacks 525, devices with incoming DDoS attacks 526, or other threat details. In one instance, administrator 12 may select a country (e.g., United States) from the live threat aggregated representation to view filtered threat details associated with the selected country as a destination or as a source. Threat control module 17 may present a user interface, generated by visualization module 18, by which administrator 12 may view and further interact with the filtered threat details and select various filtered threat details for additional information, as shown in FIG. 5B. Threat control module 17 may also present a user interface by which administrator 12 may select a response for automatically generating security policies to block or allow traffic of a selection in the chart view in accordance with affected security devices 5.
- FIG. 5C illustrates another example user interface generated by security management system 10 that may present to administrator 12 a graphical representation in map view of filtered event data associated with geographically based threats, in one aspect of the disclosure. Visualization module 18 may generate a map representation of aggregated threat data that may also include filtered threat data associated with a location selected by administrator 12. Threat control module 17 may present administrator 12 an interface to view and further interact with additional filtered threat details and to selectively block or allow traffic or types of traffic associated with the approximate geographic location, as shown in FIG. 5C. In one example of a filtered representation associated with the threats, filtered threat details may include total events 531, allowed events 532, and blocked events 533 associated with a particular country. In another example, threat data from either source IP addresses or destination IP addresses may be presented. A threat action response 560 allows the user to block traffic directly from the threat details interface.
- FIG. 5D illustrates another example user interface generated by security management system 10 that may present to administrator 12 a filtered representation of aggregated threat data relating to a selected application in chart view. In one example, visualization module 18 may generate a filtered representation of filtered threat details associated with an application selected from the aggregated representation of threats. Threat control module 17 may present a user interface by which administrator 12 may select a user interface element, such as a particular application from the aggregated representation of live threats, to drill down to additional threat details associated with application usage, such as number of sessions of an application in a particular amount of time 541, category of application 542 (e.g., web, multimedia, messaging, social, infrastructure), characteristic of threat 543 (e.g., loss of productivity, prone to misuse, can leak information, supports file transfer, bandwidth consumed), total bytes used in a particular amount of time 544, sub-category of application 545 (e.g., social networking), risk level 546, and/or top users of the application 547. Threat control module 17 may also present a user interface by which administrator 12 may select a response for automatically generating security policies to block or allow traffic from particular applications in accordance with affected security devices 5. In the example shown in FIG. 5D, a threat action response 560 allows the administrator to block traffic directly from the threat details interface.
- In one example approach, threat control module 17 displays icons reflecting parameters such as the number of sessions for a particular application or the bandwidth used by the application, and the administrator can block traffic associated with the application or rate limit the application.
- In another example approach, threat control module 17 displays icons reflecting parameters such as the number of sessions for a particular user or the bandwidth used by a user, and the administrator can block particular traffic for that user or rate limit the user.
- In yet another example approach, threat control module 17 displays icons reflecting parameters such as the number of sessions per application for a particular user or a particular device, or the bandwidth per application used by a user or a particular device, and the administrator can block traffic for specific applications for that user or device, or rate limit the user or device with regard to specific applications.
- FIG. 5E illustrates another example user interface generated by security management system 10 that may present to administrator 12 a filtered representation of filtered threat details relating to user usage of applications in grid view. In one example, visualization module 18 may generate a filtered representation of filtered threat details associated with a selected network user. Threat control module 17 may present a user interface by which administrator 12 may select a user interface element, such as a particular user from the aggregated representation of live threats, to drill down to filtered threat details associated with a network user, such as user name 551, number of sessions by user 552, bandwidth consumed by user 553, user role 554, date and time of last session 555, and last seen IP 556. In another example, the user interface of FIG. 5E may also include the top applications 557 used by the selected user over a period of time 558. Threat control module 17 may also present a user interface for administrator 12 to select a response for automatically generating security policies to block or allow traffic from a particular user in accordance with affected security devices 5. In the example shown in FIG. 5E, a threat action response 560 allows the administrator to block traffic directly from the user threat details interface.
- Security management system 10 may also present a user interface by which administrator 12 may interact with the aggregated representation of live threats and filtered threat details rendered by security management system 10 and, responsive to the interaction, the integrated security management system 10 may identify a relevant set of security devices 5, automatically construct for the security devices 5 updated policies having ordered rules within the policies using a policy/rule module 20, and automatically communicate and install the policies in the security devices 5 using a policy deployment engine 26 of the underlying security management system 10.
- As stated prior, security management system 10 may provide, through threat control module 17, a system and an interface that administrator 12 may use to view live threats and to quickly assess filtered threat data associated with a threat for comprehensive analysis. In response to the live threat, administrator 12 may direct security management system 10 to automatically create security policies for deployment to security devices 5 in response to the detected threat. For example, threat control module 17 of security management system 10 may present an interface to enable administrator 12 to insert new rules in a current policy of one of security devices 5, to configure an updated policy for the security device 5, and to delete or change the ordering of existing rules.
- In one instance, administrator 12 may select to view filtered threat details from the live threat aggregated representation. Security management system 10 may then present a user interface by which administrator 12 may automatically create security policies for affected security devices 5 based on the filtered threat details. For example, in FIG. 5A, threat control module 17 may present a user interface by which administrator 12 may select the Threat Name 501, App:TUN:TOR-1, and may select a threat action response 560, such as to block traffic from or to the source IP address: to block both the traffic going to and from the source IP address, to block only the traffic coming from the source IP address, or to block only the traffic going to the source IP address, within any of the graphical representations of threats. Administrator 12 may select to block or allow traffic in response to detecting the specific threat from the graphical representation of threats.
- In another example, administrator 12 may select a source IP address in a graphical representation in chart view (e.g., FIG. 5B) to view threat data associated with the selected source IP address (e.g., in an interface similar to FIG. 5A). Administrator 12 may further select a threat action response to block or allow traffic from the graphical representation in chart view, which will navigate administrator 12 to another user interface presented by threat control module 17 of security management system 10.
- In another example, administrator 12 may select a country in a graphical representation in map view (e.g., FIG. 5C) to view threat data associated with the selected geographic location. Administrator 12 may further select a threat action response 560 to block or allow traffic directly from the graphical representation in map view, which will navigate administrator 12 to another user interface presented by threat control module 17 of security management system 10. In other examples, administrator 12 may select locations with finer granularity, such as states, cities, and other regions.
- In another example, administrator 12 may select a particular application in a graphical representation in chart view displaying threat data aggregated by application usage to view additional details associated with the selected application (e.g., FIG. 5D). Administrator 12 may further select a threat action response 560 to block or allow traffic from the graphical representation in chart view, which will navigate administrator 12 to another user interface presented by threat control module 17 of security management system 10.
- In another example, administrator 12 may select a particular network user in a graphical representation displaying threat data aggregated by application usage to view additional details associated with the selected network user (e.g., FIG. 5E). Administrator 12 may further select a threat action response 560 to block or allow traffic from the graphical representation, which will navigate administrator 12 to another user interface presented by threat control module 17 of security management system 10.
- FIGS. 6A-6C illustrate example user interfaces generated by security management system 10 by which administrator 12 may review and publish automatically created rules associated with security policies, in various aspects of the disclosure. In one example, FIGS. 6A-6C may be an interface overlaying the representations of threats or filtered threat data. In response to selecting a threat action response 560 to block or allow traffic relating to a threat, security management system 10 may generate an interface by which administrator 12 may configure the automatically generated revised policies for blocking or allowing traffic, as shown in FIG. 6A. FIG. 6A illustrates an example user interface presented to administrator 12 to view and selectively deploy the automatically generated security policies, in one aspect of the disclosure. The user interface enables administrator 12 to selectively deploy any or all of the automatically generated policies for configuration of security devices 5. In this example, security management system 10 automatically generated revisions to the ordered set of rules within each of the security policies in response to selecting a threat action response 560, including modifying internal rules and the ordering of rules within the policies, to block traffic coming from and/or going to the source IP address(es), in one aspect of the disclosure.
- The example interface of FIG. 6A may provide a list of the automatically generated revised policies to select. In one example, the user interface of FIG. 6A may provide administrator 12 information on created policies 601, number of rules added 602, number of devices 5 the policy is applied to 603, and number of devices 5 with pending updates 604 related to policy changes. In another example, pre-existing security policies and associated information of affected security devices 5 stored in committed database 26 may be retrieved and presented to administrator 12 for further review. In another example, the interface of FIG. 6A may also include information associated with affected devices that have invoked a policy within a previous duration of time (e.g., month, week, days, etc.).
- Threat control module 17 of security management system 10 may also, in response to selection of a particular policy, present an interface to configure policy rules associated with the selected threat, as shown in FIG. 6B. FIG. 6B illustrates an example user interface generated by security management system 10 by which administrator 12 may view the particular rules automatically created for a given policy that was generated by security management system 10, in one aspect of the disclosure. For example, administrator 12 may select a specific policy within the interface of FIG. 6A and may further create, edit, delete, or order one or more rules for a firewall policy, as shown in FIG. 6B. In one example, automatically generated rules may suggest rule placement in the generated security policy. In another example, the interface of FIG. 6B may present administrator 12 the option to designate or modify the order of rules 611, the name of rules 612, define whether the source zone 613 and/or destination zone 615 is trusted or untrusted, define the source address 614 and/or destination address 616 the rule applies to, define a service of rules 617, define rule options 618, or define the action of a rule within a security policy 619, such as to permit traffic or to deny traffic. For instance, administrator 12 may use the interface of FIG. 6B, presented by threat control module 17, to specify “Rule 2” and “Rule 3” to have sequence numbers of 808 and 809, respectively, and to specify the action to deny IP traffic for Policy CCC.
- As shown in FIG. 2, security management system 10 may also include a policy/rule module 20 that executes on one or more processors of security management system 10, wherein policy/rule module 20 may generate configuration information for security devices 5 based on configuration information automatically generated by security management system 10 or defined by administrator 12 and received from threat control module 17. In response to policy/rule module 20 creating or modifying security policies, security management system 10 may store configuration parameters in candidate policy database 22.
- Threat control module 17 of security management system 10 may also, in response to selection of a particular device, as shown in FIG. 6A, present an interface by which administrator 12 may view information on security devices 5 associated with the selected threat, as shown in FIG. 6C. FIG. 6C illustrates an example user interface generated by security management system 10 by which administrator 12 may view security device details associated with devices affected by the automatically created security policies, in one aspect of the disclosure. Threat control module 17 may present an interface with security policies and device information stored in candidate policy database 22 and/or committed policy database 24. In one example, the interface of FIG. 6C may include a device name 621, domain 622, managed status 623, connection status 624, policy type 625, and delta configuration 626. The delta configuration may include access to a command-line interface (CLI) and/or extensible markup language (XML) configuration of devices. For instance, threat control module 17 of security management system 10 may further, in response to selection of the delta configuration of a device, as shown in FIG. 6C, present an interface by which administrator 12 may view the CLI and/or XML configuration of the selected device, as shown in FIG. 6D.
- FIG. 7 illustrates an example user interface generated by security management system 10 by which administrator 12 may enable deployment and/or publication of the automatically created security policies, in one aspect of the disclosure. Security management system 10 may include a candidate policy database 22 and a committed policy database 24 that interface with threat control module 17 and policy/rule module 20 of security management system 10, as shown in FIG. 2. Threat control module 17 may present a user interface for administrator 12 to elect whether to update 702 (e.g., deploy), publish 704 (e.g., store for further review), or save 706 the automatically created security policies (either individually or as groups). In one example, an election to publish the automatically created security policies may store the security policies in candidate policy database 22 for further review. Publication of security policies may allow other administrators 12 to review, through a user interface generated by security management system 10, the automatically created security policies stored in candidate policy database 22 before deployment. After further review, the other administrators 12 may elect to update (e.g., deploy) the published security policies or to reconfigure the security policies.
- An election to update security policies may store the automatically created security policies in committed policy database 24, in one example. Administrator 12 may elect to update security policies presented by the user interface generated by security management system 10 (as shown in FIG. 7) to push the automatically created security policies to security devices 5, such as through SNMP or NETCONF protocols. Security management system 10 may include a policy deployment engine 26 that executes on one or more processors of system 10 to send updated configuration information of security policies to security devices 5.
- The interface of FIG. 7 may also present a user interface generated by security management system 10 by which administrator 12 may define a specific date 708 or time 710 to update 702 or publish 704 the automatically created security policies. For example, threat control module 17 may present administrator 12 an interface to schedule an update for Sep. 27, 2015 at 5:15 am PST. Upon selection to update 702 the policies, security management system 10 may store these updated security policies to candidate policy database 22 before Sep. 27, 2015 at 5:15 am PST. Security management system 10 may then store the updated security policies in committed policy database 24 when the policies are updated to security devices 5 on Sep. 27, 2015 at 5:15 am PST. Security management system 10 may further deploy the updated security policies stored within committed policy database 24 with policy deployment engine 26 to security devices 5. In one example, committed policy database 24 may be located in security management system 10. In another example, security management system 10 may communicate with an external committed policy database 24.
- FIG. 8 illustrates an example user interface generated by security management system 10 by which administrator 12 may view the job status of the published or updated security policies. In one embodiment, threat control module 17 of security management system 10 may present a user interface that provides administrator 12 information from candidate policy database 22 and/or committed policy database 24 on the phase of configuration policy updates, such as the statuses snapshot policy 801, publish policy 802, and update devices 803. The interface of FIG. 8 generated by security management system 10 may further display information including job type 804, job ID 805, job name 806, user 807, job status 808, percent complete 809, scheduled start time 810, actual start time 811, and end time 812. In another example, the interface of FIG. 8 may also allow searching for device publishing details 813, including the name of the device, status of publication, services, and/or messages.
- FIG. 9 illustrates an example interface generated by security management system 10 by which administrator 12 may view the source or destination details of the threat device, in one aspect of the disclosure. In one example, threat control module 17 of security management system 10 may present a user interface presenting device information including source device details 901 and destination device details 902. The user interface may present device details including the device IP, device name, organization name, organization ID, physical address of the device (e.g., street address, city, state/province, postal code, country), registration date, updated date, and a reference link to more information about the device.
- FIG. 10 is a flowchart showing an example operation of security management system 10. As shown in FIG. 10, security devices 5 may initially analyze packet flows to identify applications and potential threat data (100). Security device 5 may proceed to communicate the potential threat data to security management system 10 (102). Security management system 10 may receive the communicated threat data from security device 5 and aggregate the received data with threat data aggregator 14 (104). Security management system 10, through threat control module 17, may further construct and display the real-time or near real-time threats that have been aggregated by threat data aggregator 14 and stored in threat database 16, wherein the display may be a visualization generated by threat control module 17 in map, chart, grid view, or the like. Security management system 10, through threat control module 17, may further receive input from administrator 12 to configure policies including the ordering of rules (108). For example, administrator 12 may configure policies directly from the display of real-time or near real-time threats and/or through various graphical representations of filtered event data associated with threats. Upon receiving the configuration input from administrator 12, security management system 10 may automatically generate newly configured or updated security policies including ordered rules using policy/rule module 20 (110). Security management system 10 may further deploy the generated or updated policies to security device 5 through policy deployment engine 26 (112). Security device 5 may then receive the deployed security policies from security management system 10 (114). Security device 5 may proceed to update its configuration data with the generated security policies from security management system 10 (116). Upon updating the configuration data with the security policies, security device 5 may process traffic according to the updated security policies (118).
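The FIG. 10 sequence (aggregate reported threat data, take the administrator's block decision, emit an ordered rule set, let the device evaluate traffic against it) and the FIG. 6B rule editor, with its sequence numbers, zones, addresses, services and actions, are shown end to end in the following Python. It is an added example written for this page, not code from the patent or from any product; the event records, device names, zones, addresses and the `min_severity` threshold are constructed assumptions. The point the description leaves implicit, and which the example makes explicit, is that a security device applies an ordered rule set first-match: a generated deny rule placed below a broader permit rule is shadowed and never fires, so the placement step of 108-110 is itself security-relevant and the example inserts the new rule above the first permit that would otherwise cover the source.

```python
"""Added example (not from the patent): threat aggregation (104), rule generation
with ordering (108-110) and first-match evaluation on the device (118).
All events, devices, zones and addresses are constructed."""
import ipaddress
import json
from dataclasses import dataclass, replace

# Constructed threat events as security devices (5) might report them (102).
RAW_EVENTS = """\
{"device": "fw-edge-1", "src": "203.0.113.7", "dst": "10.0.0.12", "threat": "SQLI", "severity": 8}
{"device": "fw-edge-1", "src": "203.0.113.7", "dst": "10.0.0.14", "threat": "SQLI", "severity": 8}
{"device": "fw-edge-2", "src": "198.51.100.9", "dst": "10.0.0.12", "threat": "PORT_SCAN", "severity": 3}
{"device": "fw-edge-2", "src": "203.0.113.7", "dst": "10.0.0.12", "threat": "SQLI", "severity": 7}
"""


def aggregate(raw):
    """Step 104: fold per-device events into one record per (source, threat),
    keeping the hit count, the reporting devices and the highest severity."""
    threats = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rec = threats.setdefault((ev["src"], ev["threat"]),
                                 {"count": 0, "devices": set(), "severity": 0})
        rec["count"] += 1
        rec["devices"].add(ev["device"])
        rec["severity"] = max(rec["severity"], ev["severity"])
    return threats


def covers(spec, ip):
    """True if an address field ("any" or a CIDR) includes the given address."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    """One row of the FIG. 6B editor: 611 seq, 612 name, 613/615 zones,
    614/616 addresses, 617 service, 619 action."""
    seq: int
    name: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str  # "permit" or "deny"

    def matches(self, flow):
        src_zone, dst_zone, src_ip, dst_ip, service = flow
        return (self.src_zone in ("any", src_zone) and self.dst_zone in ("any", dst_zone)
                and covers(self.src, src_ip) and covers(self.dst, dst_ip)
                and self.service in ("any", service))


def first_match(rules, flow):
    """Step 118 on the device: the first rule in sequence order decides;
    nothing matching means the implicit default deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(flow):
            return rule.action
    return "deny"


def generate_block_rules(policy, threats, min_severity=5):
    """Steps 108-110: for each aggregated threat at or above min_severity, add a
    deny rule for its source address and insert it ABOVE the first permit rule
    whose source field covers that address, so the new rule cannot be shadowed.
    Returns a renumbered copy; the stored policy is left untouched."""
    revised = [replace(r) for r in policy]
    for (src, threat), rec in sorted(threats.items()):
        if rec["severity"] < min_severity:
            continue
        block = Rule(0, f"block-{threat}-{src}", "any", "any", f"{src}/32", "any", "any", "deny")
        idx = next((i for i, r in enumerate(revised)
                    if r.action == "permit" and covers(r.src, src)), len(revised))
        revised.insert(idx, block)
    for i, rule in enumerate(revised):  # renumber the 611 column in steps of 10
        rule.seq = (i + 1) * 10
    return revised


# Constructed existing policy: an inbound web permit that would shadow any block
# rule appended after it.
POLICY = [
    Rule(10, "permit-dns-out", "trust", "untrust", "10.0.0.0/8", "any", "dns", "permit"),
    Rule(20, "permit-web-in", "untrust", "trust", "any", "10.0.0.0/8", "https", "permit"),
    Rule(30, "deny-all", "any", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    flow = ("untrust", "trust", "203.0.113.7", "10.0.0.12", "https")
    revised = generate_block_rules(POLICY, aggregate(RAW_EVENTS))
    print("before:", first_match(POLICY, flow), " after:", first_match(revised, flow))
    for r in revised:
        print(r.seq, r.name, r.src, "->", r.dst, r.service, r.action)
```

Running it shows the SQLI source permitted by the original policy and denied by the revised one, while the low-severity port scan source, below the threshold, is still permitted; the block rule takes sequence 20, between the outbound DNS permit and the inbound web permit. Appending the same rule at the end of the list instead would leave `first_match` returning `permit`, which is exactly the shadowing the ordering controls of FIG. 6B exist to prevent.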
- FIG. 11 shows a detailed example of a computing device that may be configured to implement some embodiments in accordance with the current disclosure. For example, device 1100 may be a server, a workstation, a computing center, a cluster of servers or other example embodiments of a computing environment, centrally located or distributed, capable of executing the techniques described herein. Any or all of the devices may, for example, implement portions of the techniques described herein for a security management system. In this example, a computer 1100 includes a hardware-based processor 1110 that may be incorporated into security management system 10 to execute program instructions or software, causing the computer to perform various methods or tasks, such as performing the techniques described herein.
- Processor 1110 may be a general purpose processor, a digital signal processor (DSP), a core processor within an Application Specific Integrated Circuit (ASIC) and the like. Processor 1110 is coupled via bus 1120 to a memory 1130, which is used to store information such as program instructions and other data while the computer is in operation. A storage device 1140, such as a hard disk drive, nonvolatile memory, or other non-transient storage device stores information such as program instructions, data files of the multidimensional data and the reduced data set, and other information. As another example, computer 1100 may provide an operating environment for execution of one or more virtual machines that, in turn, provide an execution environment for software for implementing the techniques described herein.
- The computer also includes various input-output elements 1150, including parallel or serial ports, USB, Firewire or IEEE 1394, Ethernet, and other such ports to connect the computer to external devices such as a keyboard, touchscreen, mouse, pointer or the like. Other input-output elements include wireless communication interfaces such as Bluetooth, Wi-Fi, and cellular data networks.
- The computer itself may be a traditional personal computer, a rack-mount or business computer or server, or any other type of computerized system. The computer in a further example may include fewer than all elements listed above, such as a thin client or mobile device having only some of the shown elements. In another example, the computer is distributed among multiple computer systems, such as a distributed server that has many computers working together to provide various functions.
- The techniques described herein may be implemented in hardware, software, firmware, or any combination thereof. Various features described as modules, units or components may be implemented together in an integrated logic device or separately as discrete but interoperable logic devices or other hardware devices. In some cases, various features of electronic circuitry may be implemented as one or more integrated circuit devices, such as an integrated circuit chip or chipset.
- If implemented in hardware, this disclosure may be directed to an apparatus such a processor or an integrated circuit device, such as an integrated circuit chip or chipset. Alternatively or additionally, if implemented in software or firmware, the techniques may be realized at least in part by a computer readable data storage medium comprising instructions that, when executed, cause one or more processors to perform one or more of the methods described above. For example, the computer-readable data storage medium or device may store such instructions for execution by a processor. Any combination of one or more computer-readable medium(s) may be utilized.
- A computer-readable storage medium (device) may form part of a computer program product, which may include packaging materials. A computer-readable storage medium (device) may comprise a computer data storage medium such as random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), electrically erasable programmable read-only memory (EEPROM), flash memory, magnetic or optical data storage media, and the like. In general, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. Additional examples of computer readable medium include computer-readable storage devices, computer-readable memory, and tangible computer-readable medium. In some examples, an article of manufacture may comprise one or more computer-readable storage media.
- In some examples, the computer-readable storage media may comprise non-transitory media. The term “non-transitory” may indicate that the storage medium is not embodied in a carrier wave or a propagated signal. In certain examples, a non-transitory storage medium may store data that can, over time, change (e.g., in RAM or cache).
- The code or instructions may be software and/or firmware executed by processing circuitry including one or more processors, such as one or more digital signal processors (DSPs), general purpose microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other equivalent integrated or discrete logic circuitry. Accordingly, the term “processor,” as used herein may refer to any of the foregoing structure or any other processing circuitry suitable for implementation of the techniques described herein. In addition, in some aspects, functionality described in this disclosure may be provided within software modules or hardware modules.
- Various examples of the invention have been described. These and other examples are within the scope of the following claims.
Claims (18)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610952348.XA CN106953837B (en) | 2015-11-03 | 2016-11-02 | Security management system and security management method |
EP16197173.4A EP3166281B1 (en) | 2015-11-03 | 2016-11-03 | Integrated security system having threat visualization |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IN5944CH2015 | 2015-11-03 | ||
IN5944/CHE/2015 | 2015-11-03 |
Publications (1)
Publication Number | Publication Date |
---|---|
US20170126727A1 true US20170126727A1 (en) | 2017-05-04 |
Family
ID=58634964
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/983,999 Active 2036-02-20 US10021115B2 (en) | 2015-11-03 | 2015-12-30 | Integrated security system having rule optimization |
US14/983,983 Active US10135841B2 (en) | 2015-11-03 | 2015-12-30 | Integrated security system having threat visualization and automated security device control |
US14/983,927 Abandoned US20170126727A1 (en) | 2015-11-03 | 2015-12-30 | Integrated security system having threat visualization |
US16/030,330 Active US10382451B2 (en) | 2015-11-03 | 2018-07-09 | Integrated security system having rule optimization |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/983,999 Active 2036-02-20 US10021115B2 (en) | 2015-11-03 | 2015-12-30 | Integrated security system having rule optimization |
US14/983,983 Active US10135841B2 (en) | 2015-11-03 | 2015-12-30 | Integrated security system having threat visualization and automated security device control |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/030,330 Active US10382451B2 (en) | 2015-11-03 | 2018-07-09 | Integrated security system having rule optimization |
Country Status (2)
Country | Link |
---|---|
US (4) | US10021115B2 (en) |
CN (3) | CN106941480B (en) |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170169219A1 (en) * | 2015-12-15 | 2017-06-15 | Yokogawa Electric Corporation | Control device, integrated industrial system, and control method thereof |
CN108009713A (en) * | 2017-11-27 | 2018-05-08 | 江苏安信息科技有限公司 | A kind of method of safety on line assessment |
CN108234447A (en) * | 2017-12-04 | 2018-06-29 | 北京交通大学 | A kind of safety regulation for heterogeneous networks security function manages system and method |
US10212186B2 (en) * | 2016-02-24 | 2019-02-19 | Verodin, Inc. | Systems and methods for attack simulation on a production network |
US10382451B2 (en) | 2015-11-03 | 2019-08-13 | Juniper Networks, Inc. | Integrated security system having rule optimization |
US10419473B1 (en) * | 2016-10-26 | 2019-09-17 | Wells Fargo Bank, N.A. | Situational awareness and perimeter protection orchestration |
CN110933049A (en) * | 2019-11-16 | 2020-03-27 | 杭州安恒信息技术股份有限公司 | Network illegal information monitoring method and system based on video capture |
US10630726B1 (en) | 2018-11-18 | 2020-04-21 | Bank Of America Corporation | Cybersecurity threat detection and mitigation system |
US10681068B1 (en) * | 2016-07-26 | 2020-06-09 | Christopher Galliano | System and method for analyzing data and using analyzed data to detect cyber threats and defend against cyber threats |
US10771506B1 (en) * | 2017-07-31 | 2020-09-08 | Juniper Networks, Inc. | Deployment of a security policy based on network topology and device capability |
US10819742B2 (en) | 2015-12-15 | 2020-10-27 | Yokogawa Electric Corporation | Integrated industrial system and control method thereof |
US10824676B2 (en) | 2018-11-29 | 2020-11-03 | Bank Of America Corporation | Hybrid graph and relational database architecture |
CN111988322A (en) * | 2020-08-24 | 2020-11-24 | 北京微步在线科技有限公司 | Attack event display system |
US10951641B2 (en) | 2018-06-06 | 2021-03-16 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11012472B2 (en) | 2018-12-05 | 2021-05-18 | International Business Machines Corporation | Security rule generation based on cognitive and industry analysis |
US11218360B2 (en) | 2019-12-09 | 2022-01-04 | Quest Automated Services, LLC | Automation system with edge computing |
US11258681B2 (en) * | 2016-12-16 | 2022-02-22 | Nicira, Inc. | Application assessment and visibility for micro-segmentation of a network deployment |
US11277436B1 (en) * | 2019-06-24 | 2022-03-15 | Ca, Inc. | Identifying and mitigating harm from malicious network connections by a container |
US11334626B1 (en) | 2020-11-02 | 2022-05-17 | Bank Of America Corporation | Hybrid graph and relational database architecture |
US11354325B2 (en) | 2018-10-25 | 2022-06-07 | Bank Of America Corporation | Methods and apparatus for a multi-graph search and merge engine |
CN114641968A (en) * | 2019-07-03 | 2022-06-17 | 向心网络公司 | Method and system for efficient network protection of mobile devices |
US11388175B2 (en) * | 2019-09-05 | 2022-07-12 | Cisco Technology, Inc. | Threat detection of application traffic flows |
US11588854B2 (en) | 2019-12-19 | 2023-02-21 | Vmware, Inc. | User interface for defining security groups |
US11709946B2 (en) | 2018-06-06 | 2023-07-25 | Reliaquest Holdings, Llc | Threat mitigation system and method |
Families Citing this family (125)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9860274B2 (en) | 2006-09-13 | 2018-01-02 | Sophos Limited | Policy management |
US9781004B2 (en) | 2014-10-16 | 2017-10-03 | Cisco Technology, Inc. | Discovering and grouping application endpoints in a network environment |
US9648036B2 (en) * | 2014-12-29 | 2017-05-09 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
WO2017180057A1 (en) * | 2016-04-11 | 2017-10-19 | Certis Cisco Security Pte Ltd | System and method for threat incidents corroboration in discrete temporal reference using 3d abstract modelling |
US11102238B2 (en) | 2016-04-22 | 2021-08-24 | Sophos Limited | Detecting triggering events for distributed denial of service attacks |
US10938781B2 (en) | 2016-04-22 | 2021-03-02 | Sophos Limited | Secure labeling of network flows |
US10986109B2 (en) | 2016-04-22 | 2021-04-20 | Sophos Limited | Local proxy detection |
US11277416B2 (en) | 2016-04-22 | 2022-03-15 | Sophos Limited | Labeling network flows according to source applications |
US11165797B2 (en) | 2016-04-22 | 2021-11-02 | Sophos Limited | Detecting endpoint compromise based on network usage history |
US20170359306A1 (en) | 2016-06-10 | 2017-12-14 | Sophos Limited | Network security |
US10411817B2 (en) * | 2016-07-22 | 2019-09-10 | Asustek Computer Inc. | Electronic device, operation method of electronic device, and non-transitory computer readable storage medium |
WO2018053337A1 (en) * | 2016-09-16 | 2018-03-22 | Oracle International Corporation | Dynamic policy injection and access visualization for threat detection |
US10382492B2 (en) | 2017-03-02 | 2019-08-13 | Draios Inc. | Automated service-oriented performance management |
US10623264B2 (en) | 2017-04-20 | 2020-04-14 | Cisco Technology, Inc. | Policy assurance for service chaining |
US10560328B2 (en) | 2017-04-20 | 2020-02-11 | Cisco Technology, Inc. | Static network policy analysis for networks |
US10826788B2 (en) | 2017-04-20 | 2020-11-03 | Cisco Technology, Inc. | Assurance of quality-of-service configurations in a network |
US10826925B2 (en) * | 2017-04-28 | 2020-11-03 | Honeywell International Inc. | Consolidated enterprise view of cybersecurity data from multiple sites |
US10958674B2 (en) * | 2017-04-30 | 2021-03-23 | Splunk Inc. | User interface for defining anomaly action rules in a network security system |
US11032307B2 (en) * | 2017-04-30 | 2021-06-08 | Splunk Inc. | User interface for defining custom threat rules in a network security system |
US10715552B2 (en) | 2017-04-30 | 2020-07-14 | Splunk Inc. | Enabling user definition of anomaly action rules in a network security system |
US10904289B2 (en) * | 2017-04-30 | 2021-01-26 | Splunk Inc. | Enabling user definition of custom threat rules in a network security system |
US10966091B1 (en) * | 2017-05-24 | 2021-03-30 | Jonathan Grier | Agile node isolation using packet level non-repudiation for mobile networks |
US10693738B2 (en) | 2017-05-31 | 2020-06-23 | Cisco Technology, Inc. | Generating device-level logical models for a network |
US10581694B2 (en) | 2017-05-31 | 2020-03-03 | Cisco Technology, Inc. | Generation of counter examples for network intent formal equivalence failures |
US10623271B2 (en) | 2017-05-31 | 2020-04-14 | Cisco Technology, Inc. | Intra-priority class ordering of rules corresponding to a model of network intents |
US10505816B2 (en) | 2017-05-31 | 2019-12-10 | Cisco Technology, Inc. | Semantic analysis to detect shadowing of rules in a model of network intents |
US10812318B2 (en) | 2017-05-31 | 2020-10-20 | Cisco Technology, Inc. | Associating network policy objects with specific faults corresponding to fault localizations in large-scale network deployment |
US10554483B2 (en) | 2017-05-31 | 2020-02-04 | Cisco Technology, Inc. | Network policy analysis for networks |
US10439875B2 (en) | 2017-05-31 | 2019-10-08 | Cisco Technology, Inc. | Identification of conflict rules in a network intent formal equivalence failure |
US20180351788A1 (en) | 2017-05-31 | 2018-12-06 | Cisco Technology, Inc. | Fault localization in large-scale network policy deployment |
US10904101B2 (en) | 2017-06-16 | 2021-01-26 | Cisco Technology, Inc. | Shim layer for extracting and prioritizing underlying rules for modeling network intents |
US11469986B2 (en) | 2017-06-16 | 2022-10-11 | Cisco Technology, Inc. | Controlled micro fault injection on a distributed appliance |
US10686669B2 (en) | 2017-06-16 | 2020-06-16 | Cisco Technology, Inc. | Collecting network models and node information from a network |
US10498608B2 (en) | 2017-06-16 | 2019-12-03 | Cisco Technology, Inc. | Topology explorer |
US10587621B2 (en) | 2017-06-16 | 2020-03-10 | Cisco Technology, Inc. | System and method for migrating to and maintaining a white-list network security model |
US10547715B2 (en) | 2017-06-16 | 2020-01-28 | Cisco Technology, Inc. | Event generation in response to network intent formal equivalence failures |
US11645131B2 (en) * | 2017-06-16 | 2023-05-09 | Cisco Technology, Inc. | Distributed fault code aggregation across application centric dimensions |
US10574513B2 (en) | 2017-06-16 | 2020-02-25 | Cisco Technology, Inc. | Handling controller and node failure scenarios during data collection |
US11150973B2 (en) | 2017-06-16 | 2021-10-19 | Cisco Technology, Inc. | Self diagnosing distributed appliance |
US10432467B2 (en) | 2017-06-19 | 2019-10-01 | Cisco Technology, Inc. | Network validation between the logical level and the hardware level of a network |
US10623259B2 (en) | 2017-06-19 | 2020-04-14 | Cisco Technology, Inc. | Validation of layer 1 interface in a network |
US11343150B2 (en) | 2017-06-19 | 2022-05-24 | Cisco Technology, Inc. | Validation of learned routes in a network |
US10528444B2 (en) | 2017-06-19 | 2020-01-07 | Cisco Technology, Inc. | Event generation in response to validation between logical level and hardware level |
US10218572B2 (en) | 2017-06-19 | 2019-02-26 | Cisco Technology, Inc. | Multiprotocol border gateway protocol routing validation |
US10333787B2 (en) | 2017-06-19 | 2019-06-25 | Cisco Technology, Inc. | Validation of L3OUT configuration for communications outside a network |
US10560355B2 (en) | 2017-06-19 | 2020-02-11 | Cisco Technology, Inc. | Static endpoint validation |
US10536337B2 (en) | 2017-06-19 | 2020-01-14 | Cisco Technology, Inc. | Validation of layer 2 interface and VLAN in a networked environment |
US10567229B2 (en) | 2017-06-19 | 2020-02-18 | Cisco Technology, Inc. | Validating endpoint configurations between nodes |
US10652102B2 (en) | 2017-06-19 | 2020-05-12 | Cisco Technology, Inc. | Network node memory utilization analysis |
US10700933B2 (en) | 2017-06-19 | 2020-06-30 | Cisco Technology, Inc. | Validating tunnel endpoint addresses in a network fabric |
US10567228B2 (en) | 2017-06-19 | 2020-02-18 | Cisco Technology, Inc. | Validation of cross logical groups in a network |
US10673702B2 (en) | 2017-06-19 | 2020-06-02 | Cisco Technology, Inc. | Validation of layer 3 using virtual routing forwarding containers in a network |
US11283680B2 (en) | 2017-06-19 | 2022-03-22 | Cisco Technology, Inc. | Identifying components for removal in a network configuration |
US10554493B2 (en) | 2017-06-19 | 2020-02-04 | Cisco Technology, Inc. | Identifying mismatches between a logical model and node implementation |
US10341184B2 (en) | 2017-06-19 | 2019-07-02 | Cisco Technology, Inc. | Validation of layer 3 bridge domain subnets in in a network |
US10505817B2 (en) | 2017-06-19 | 2019-12-10 | Cisco Technology, Inc. | Automatically determining an optimal amount of time for analyzing a distributed network environment |
US10547509B2 (en) | 2017-06-19 | 2020-01-28 | Cisco Technology, Inc. | Validation of a virtual port channel (VPC) endpoint in the network fabric |
US10812336B2 (en) | 2017-06-19 | 2020-10-20 | Cisco Technology, Inc. | Validation of bridge domain-L3out association for communication outside a network |
US10348564B2 (en) | 2017-06-19 | 2019-07-09 | Cisco Technology, Inc. | Validation of routing information base-forwarding information base equivalence in a network |
US10437641B2 (en) | 2017-06-19 | 2019-10-08 | Cisco Technology, Inc. | On-demand processing pipeline interleaved with temporal processing pipeline |
US10644946B2 (en) | 2017-06-19 | 2020-05-05 | Cisco Technology, Inc. | Detection of overlapping subnets in a network |
US10805160B2 (en) | 2017-06-19 | 2020-10-13 | Cisco Technology, Inc. | Endpoint bridge domain subnet validation |
US10411996B2 (en) | 2017-06-19 | 2019-09-10 | Cisco Technology, Inc. | Validation of routing information in a network fabric |
US10524130B2 (en) | 2017-07-13 | 2019-12-31 | Sophos Limited | Threat index based WLAN security and quality of service |
US10587456B2 (en) | 2017-09-12 | 2020-03-10 | Cisco Technology, Inc. | Event clustering for a network assurance platform |
US10997303B2 (en) | 2017-09-12 | 2021-05-04 | Sophos Limited | Managing untyped network traffic flows |
US10587484B2 (en) | 2017-09-12 | 2020-03-10 | Cisco Technology, Inc. | Anomaly detection and reporting in a network assurance appliance |
US10833922B2 (en) * | 2017-09-12 | 2020-11-10 | Synergex Group | Methods, systems, and media for adding IP addresses to firewalls |
US10917384B2 (en) * | 2017-09-12 | 2021-02-09 | Synergex Group | Methods, systems, and media for modifying firewalls based on dynamic IP addresses |
US10554477B2 (en) | 2017-09-13 | 2020-02-04 | Cisco Technology, Inc. | Network assurance event aggregator |
US10325109B2 (en) * | 2017-09-14 | 2019-06-18 | International Business Machines Corporation | Automatic and dynamic selection of cryptographic modules for different security contexts within a computer network |
US10333833B2 (en) | 2017-09-25 | 2019-06-25 | Cisco Technology, Inc. | Endpoint path assurance |
US11563753B2 (en) * | 2017-09-25 | 2023-01-24 | Rohde & Schwarz Gmbh & Co. Kg | Security surveillance system and security surveillance method |
US10706155B1 (en) * | 2017-09-28 | 2020-07-07 | Amazon Technologies, Inc. | Provision and execution of customized security assessments of resources in a computing environment |
US10643002B1 (en) | 2017-09-28 | 2020-05-05 | Amazon Technologies, Inc. | Provision and execution of customized security assessments of resources in a virtual computing environment |
US10635857B2 (en) * | 2017-09-29 | 2020-04-28 | Hewlett Packard Enterprise Development Lp | Card system framework |
US10599839B2 (en) * | 2017-09-29 | 2020-03-24 | Hewlett Packard Enterprise Development Lp | Security investigations using a card system framework |
US11003772B2 (en) * | 2017-10-19 | 2021-05-11 | AO Kaspersky Lab | System and method for adapting patterns of malicious program behavior from groups of computer systems |
CN107733914B (en) * | 2017-11-04 | 2020-11-10 | 公安部第三研究所 | Centralized management and control system for heterogeneous security mechanism |
US11102053B2 (en) | 2017-12-05 | 2021-08-24 | Cisco Technology, Inc. | Cross-domain assurance |
US10958622B2 (en) * | 2018-01-10 | 2021-03-23 | Cisco Technology, Inc. | Hierarchical security group identifiers |
US10873509B2 (en) | 2018-01-17 | 2020-12-22 | Cisco Technology, Inc. | Check-pointing ACI network state and re-execution from a check-pointed state |
US10572495B2 (en) | 2018-02-06 | 2020-02-25 | Cisco Technology Inc. | Network assurance database version compatibility |
US10740120B2 (en) * | 2018-04-20 | 2020-08-11 | Dell Products L.P. | Dynamic user interface update generation |
US10812315B2 (en) | 2018-06-07 | 2020-10-20 | Cisco Technology, Inc. | Cross-domain network assurance |
US10659298B1 (en) | 2018-06-27 | 2020-05-19 | Cisco Technology, Inc. | Epoch comparison for network events |
US11218508B2 (en) | 2018-06-27 | 2022-01-04 | Cisco Technology, Inc. | Assurance of security rules in a network |
US10911495B2 (en) | 2018-06-27 | 2021-02-02 | Cisco Technology, Inc. | Assurance of security rules in a network |
US11019027B2 (en) | 2018-06-27 | 2021-05-25 | Cisco Technology, Inc. | Address translation for external network appliance |
US11044273B2 (en) | 2018-06-27 | 2021-06-22 | Cisco Technology, Inc. | Assurance of security rules in a network |
US10904070B2 (en) | 2018-07-11 | 2021-01-26 | Cisco Technology, Inc. | Techniques and interfaces for troubleshooting datacenter networks |
CN109086379A (en) * | 2018-07-25 | 2018-12-25 | 北京航天云路有限公司 | Method and system for analyzing and visualizing high-dimensional transaction data |
US10826770B2 (en) | 2018-07-26 | 2020-11-03 | Cisco Technology, Inc. | Synthesis of models for networks using automated boolean learning |
US10616072B1 (en) | 2018-07-27 | 2020-04-07 | Cisco Technology, Inc. | Epoch data interface |
CN109165363A (en) * | 2018-08-27 | 2019-01-08 | 成都深思科技有限公司 | Configuration method for network data snapshots |
CN111262719B (en) * | 2018-12-03 | 2022-12-02 | 阿里巴巴集团控股有限公司 | Information display method, device and storage medium |
CN111030968A (en) * | 2019-01-24 | 2020-04-17 | 哈尔滨安天科技集团股份有限公司 | Detection method and device capable of customizing threat detection rule and storage medium |
US11159487B2 (en) | 2019-02-26 | 2021-10-26 | Juniper Networks, Inc. | Automatic configuration of perimeter firewalls based on security group information of SDN virtual firewalls |
CN109922090A (en) * | 2019-04-29 | 2019-06-21 | 杭州迪普科技股份有限公司 | Flow forwarding method, device, electronic equipment and machine readable storage medium |
US11245716B2 (en) | 2019-05-09 | 2022-02-08 | International Business Machines Corporation | Composing and applying security monitoring rules to a target environment |
US11558410B2 (en) * | 2019-05-29 | 2023-01-17 | Arbor Networks, Inc. | Measurement and analysis of traffic filtered by network infrastructure |
US11443263B2 (en) * | 2019-06-18 | 2022-09-13 | Heyhq, Inc. | Organizational risk management subscription service |
CN110266684B (en) * | 2019-06-19 | 2022-06-24 | 北京天融信网络安全技术有限公司 | Domain name system security protection method and device |
US11582191B2 (en) | 2019-07-03 | 2023-02-14 | Centripetal Networks, Inc. | Cyber protections of remote networks via selective policy enforcement at a central network |
CN110597146A (en) * | 2019-10-08 | 2019-12-20 | 六安市三鑫电器设备有限公司 | Integrated electric control cabinet and control method thereof |
US11283699B2 (en) | 2020-01-17 | 2022-03-22 | Vmware, Inc. | Practical overlay network latency measurement in datacenter |
US11805013B2 (en) * | 2020-01-29 | 2023-10-31 | Juniper Networks, Inc. | Prioritizing policy intent enforcement on network devices |
CN111404879A (en) * | 2020-02-26 | 2020-07-10 | 亚信科技(成都)有限公司 | Visualization method and device for network threats |
US20210306359A1 (en) * | 2020-03-28 | 2021-09-30 | Dell Products L.P. | Intelligent detection and prevention of anomalies in interface protocols |
CN113810344B (en) * | 2020-06-15 | 2023-07-18 | 中国电信股份有限公司 | Security orchestration system, device, method, and computer-readable storage medium |
CN112149127B (en) * | 2020-08-18 | 2024-03-19 | 杭州安恒信息技术股份有限公司 | Security policy configuration method, device, system, computer equipment and medium |
US11606694B2 (en) | 2020-10-08 | 2023-03-14 | Surendra Goel | System that provides cybersecurity in a home or office by interacting with internet of things devices and other devices |
US11336533B1 (en) | 2021-01-08 | 2022-05-17 | Vmware, Inc. | Network visualization of correlations between logical elements and associated physical elements |
US20220239676A1 (en) * | 2021-01-28 | 2022-07-28 | Cloudcover Ip, Llc | Cyber-safety threat detection system |
US11526617B2 (en) | 2021-03-24 | 2022-12-13 | Bank Of America Corporation | Information security system for identifying security threats in deployed software package |
US11556637B2 (en) | 2021-04-05 | 2023-01-17 | Bank Of America Corporation | Information security system and method for anomaly and security threat detection |
CN113098883B (en) * | 2021-04-13 | 2021-11-26 | 四川玖优创信息科技有限公司 | Blockchain and big-data based security protection method and blockchain service system |
US11483369B1 (en) * | 2021-06-07 | 2022-10-25 | Ciena Corporation | Managing confirmation criteria for requested operations in distributed microservice networks |
US11711278B2 (en) | 2021-07-24 | 2023-07-25 | Vmware, Inc. | Visualization of flow trace operation across multiple sites |
CN113596048B (en) * | 2021-08-04 | 2023-05-26 | 荆亮 | Firewall maintenance network method and device |
US11855862B2 (en) | 2021-09-17 | 2023-12-26 | Vmware, Inc. | Tagging packets for monitoring and analysis |
US20230224275A1 (en) * | 2022-01-12 | 2023-07-13 | Bank Of America Corporation | Preemptive threat detection for an information system |
CN114500396B (en) * | 2022-02-09 | 2024-04-16 | 江苏大学 | MFD chromatographic feature extraction method and system for distinguishing anonymous Tor application traffic |
WO2023154122A1 (en) * | 2022-02-10 | 2023-08-17 | Centripetal Networks, Inc. | Cyber protections of remote networks via selective policy enforcement at a central network |
US20240007368A1 (en) * | 2022-06-29 | 2024-01-04 | Vmware, Inc. | Visualization of data message traversal across services |
Citations (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6330562B1 (en) * | 1999-01-29 | 2001-12-11 | International Business Machines Corporation | System and method for managing security objects |
US20030055557A1 (en) * | 2001-09-20 | 2003-03-20 | International Business Machines Corporation | Method of calibrating a car alarm depending on the crime statistics of an area VIA intergration with road navigation display systems |
US20040049585A1 (en) * | 2000-04-14 | 2004-03-11 | Microsoft Corporation | SERVER SIDE CONFIGURATION OF CLIENT IPSec LIFETIME SECURITY PARAMETERS |
US20060028999A1 (en) * | 2004-03-28 | 2006-02-09 | Robert Iakobashvili | Flows based visualization of packet networks with network performance analysis, troubleshooting, optimization and network history backlog |
US20060140127A1 (en) * | 2004-12-29 | 2006-06-29 | Hee-Jo Lee | Apparatus for displaying network status |
US20060221077A1 (en) * | 2005-03-08 | 2006-10-05 | William Wright | System and method for large scale information analysis using data visualization techniques |
US20070044147A1 (en) * | 2005-08-17 | 2007-02-22 | Korea University Industry And Academy Collaboration Foundation | Apparatus and method for monitoring network using the parallel coordinate system |
US20070118909A1 (en) * | 2005-11-18 | 2007-05-24 | Nexthink Sa | Method for the detection and visualization of anomalous behaviors in a computer network |
US20070261099A1 (en) * | 2006-05-02 | 2007-11-08 | Broussard Scott J | Confidential content reporting system and method with electronic mail verification functionality |
US7506371B1 (en) * | 2004-01-22 | 2009-03-17 | Guardium, Inc. | System and methods for adaptive behavior based access control |
US7574603B2 (en) * | 2003-11-14 | 2009-08-11 | Microsoft Corporation | Method of negotiating security parameters and authenticating users interconnected to a network |
US20100150008A1 (en) * | 2007-03-08 | 2010-06-17 | Seon Gyoung Sohn | Apparatus and method for displaying state of network |
US7743414B2 (en) * | 2006-05-26 | 2010-06-22 | Novell, Inc. | System and method for executing a permissions recorder analyzer |
US20110238826A1 (en) * | 2008-12-08 | 2011-09-29 | Neuralitic Systems | Method and system for analysing a mobile operator data network |
US20110277034A1 (en) * | 2010-05-06 | 2011-11-10 | Tenable Network Security, Inc. | System and method for three-dimensional visualization of vulnerability and asset data |
US20110302295A1 (en) * | 2010-06-07 | 2011-12-08 | Novell, Inc. | System and method for modeling interdependencies in a network datacenter |
US20120069131A1 (en) * | 2010-05-28 | 2012-03-22 | Abelow Daniel H | Reality alternate |
US20120221589A1 (en) * | 2009-08-25 | 2012-08-30 | Yuval Shahar | Method and system for selecting, retrieving, visualizing and exploring time-oriented data in multiple subject records |
US20120278477A1 (en) * | 2009-04-08 | 2012-11-01 | The University Of North Carolina At Chapel Hill | Methods, systems, and computer program products for network server performance anomaly detection |
US20130030875A1 (en) * | 2011-07-29 | 2013-01-31 | Panasonic Corporation | System and method for site abnormality recording and notification |
US20130055342A1 (en) * | 2011-08-24 | 2013-02-28 | International Business Machines Corporation | Risk-based model for security policy management |
US20130097706A1 (en) * | 2011-09-16 | 2013-04-18 | Veracode, Inc. | Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security |
US20130174256A1 (en) * | 2011-12-29 | 2013-07-04 | Architecture Technology Corporation | Network defense system and framework for detecting and geolocating botnet cyber attacks |
US20130326578A1 (en) * | 2012-06-04 | 2013-12-05 | Nokia Corporation | Method and apparatus for determining privacy policy based on data and associated values |
US20140013432A1 (en) * | 2012-07-09 | 2014-01-09 | Electronics And Telecommunications Reseach Institute | Method and apparatus for visualizing network security state |
US20140075494A1 (en) * | 2012-09-12 | 2014-03-13 | Ca, Inc. | Managing security clusters in cloud computing environments using autonomous security risk negotiation agents |
US20140137241A1 (en) * | 2012-11-14 | 2014-05-15 | Click Security, Inc. | Automated security analytics platform with pluggable data collection and analysis modules |
US20140137242A1 (en) * | 2012-11-14 | 2014-05-15 | Click Security, Inc. | Automated security analytics platform with multi-level representation conversion for space efficiency and incremental persistence |
US8751424B1 (en) * | 2011-12-15 | 2014-06-10 | The Boeing Company | Secure information classification |
US20140181972A1 (en) * | 2012-04-18 | 2014-06-26 | Zimperium, Inc. | Preventive intrusion device and method for mobile devices |
US20140189861A1 (en) * | 2012-10-16 | 2014-07-03 | Bikram Kumar Gupta | System and method for correlating network information with subscriber information in a mobile network environment |
US20140215621A1 (en) * | 2013-01-25 | 2014-07-31 | REMTCS Inc. | System, method, and apparatus for providing network security |
US20140343732A1 (en) * | 2012-02-01 | 2014-11-20 | Abb Research Ltd. | Dynamic configuration of an industrial control system |
US20150026761A1 (en) * | 2009-01-28 | 2015-01-22 | Headwater Partners I Llc | Security, fraud detection, and fraud mitigation in device-assisted services systems |
US20150120959A1 (en) * | 2013-10-29 | 2015-04-30 | Solana Networks Inc. | Method and system for monitoring and analysis of network traffic flows |
US20150222667A1 (en) * | 2013-12-02 | 2015-08-06 | Alex Nayshtut | Protection system including security rule evaluation |
US9124622B1 (en) * | 2014-11-07 | 2015-09-01 | Area 1 Security, Inc. | Detecting computer security threats in electronic documents based on structure |
US20150269438A1 (en) * | 2014-03-18 | 2015-09-24 | Sri International | Real-time system for multi-modal 3d geospatial mapping, object recognition, scene annotation and analytics |
US9231769B1 (en) * | 2013-05-29 | 2016-01-05 | Symantec Corporation | Systems and methods for providing interfaces for creating transport layer security certificates |
US20160063387A1 (en) * | 2014-08-29 | 2016-03-03 | Verizon Patent And Licensing Inc. | Monitoring and detecting environmental events with user devices |
US20160080408A1 (en) * | 2014-09-15 | 2016-03-17 | Lookingglass Cyber Solutions | Apparatuses, methods and systems for a cyber security assessment mechanism |
US20160191466A1 (en) * | 2014-12-30 | 2016-06-30 | Fortinet, Inc. | Dynamically optimized security policy management |
US20160191558A1 (en) * | 2014-12-23 | 2016-06-30 | Bricata Llc | Accelerated threat mitigation system |
US20160205137A1 (en) * | 2013-09-30 | 2016-07-14 | Grant Babb | Visualization and analysis of complex security information |
US20160217187A1 (en) * | 2015-01-26 | 2016-07-28 | International Business Machines Corporation | Representing identity data relationships using graphs |
US20160226944A1 (en) * | 2015-01-29 | 2016-08-04 | Splunk Inc. | Facilitating custom content extraction from network packets |
US20160241584A1 (en) * | 2011-12-29 | 2016-08-18 | 21Ct, Inc. | Method and system for identifying a threatening network |
US20160301704A1 (en) * | 2015-04-09 | 2016-10-13 | Accenture Global Services Limited | Event correlation across heterogeneous operations |
US20170214694A1 (en) * | 2014-08-22 | 2017-07-27 | Nokia Technologies Oy | A Security and Trust Framework for Virtualized Networks |
Family Cites Families (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1535164B1 (en) | 2002-08-26 | 2012-01-04 | International Business Machines Corporation | Determining threat level associated with network activity |
GB0224187D0 (en) | 2002-10-17 | 2002-11-27 | Mitel Knowledge Corp | Interactive conflict resolution for personalised policy-based services |
US8176527B1 (en) | 2002-12-02 | 2012-05-08 | Hewlett-Packard Development Company, L. P. | Correlation engine with support for time-based rules |
US7305708B2 (en) | 2003-04-14 | 2007-12-04 | Sourcefire, Inc. | Methods and systems for intrusion detection |
US9118711B2 (en) * | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
WO2006105093A2 (en) | 2005-03-28 | 2006-10-05 | Wake Forest University | Methods, systems, and computer program products for network firewall policy optimization |
CN100463461C (en) * | 2005-05-10 | 2009-02-18 | 西安交通大学 | Active network security vulnerability detector |
US7908380B1 (en) * | 2006-04-24 | 2011-03-15 | Oracle America, Inc. | Method of session quota constraint enforcement |
US20080244691A1 (en) | 2007-03-30 | 2008-10-02 | Israel Hilerio | Dynamic threat vector update |
US8291495B1 (en) | 2007-08-08 | 2012-10-16 | Juniper Networks, Inc. | Identifying applications for intrusion detection systems |
US8490171B2 (en) | 2008-07-14 | 2013-07-16 | Tufin Software Technologies Ltd. | Method of configuring a security gateway and system thereof |
CN101557324B (en) * | 2008-12-17 | 2011-06-08 | 天津大学 | Real-time visual detection method for DDoS attack |
US8248958B1 (en) | 2009-12-09 | 2012-08-21 | Juniper Networks, Inc. | Remote validation of network device configuration using a device management protocol for remote packet injection |
US8429255B1 (en) | 2010-01-27 | 2013-04-23 | Juniper Networks, Inc. | Determining reorder commands for remote reordering of policy rules |
US8726376B2 (en) * | 2011-03-11 | 2014-05-13 | Openet Telecom Ltd. | Methods, systems and devices for the detection and prevention of malware within a network |
WO2012162419A2 (en) | 2011-05-24 | 2012-11-29 | Citrix Systems, Inc. | Systems and methods for analyzing network metrics |
US8839349B2 (en) * | 2011-10-18 | 2014-09-16 | Mcafee, Inc. | Integrating security policy and event management |
US8973147B2 (en) | 2011-12-29 | 2015-03-03 | Mcafee, Inc. | Geo-mapping system security events |
CN102624717B (en) * | 2012-03-02 | 2015-11-18 | 深信服网络科技(深圳)有限公司 | Method and device for automatically generating security policies based on vulnerability scanning |
US8826429B2 (en) | 2012-04-02 | 2014-09-02 | The Boeing Company | Information security management |
US9027077B1 (en) | 2012-04-30 | 2015-05-05 | Palo Alto Networks, Inc. | Deploying policy configuration across multiple security devices through hierarchical configuration templates |
KR101415850B1 (en) * | 2012-11-30 | 2014-07-09 | 한국전자통신연구원 | Apparatus and method for checking firewall policy |
WO2014128284A1 (en) * | 2013-02-22 | 2014-08-28 | Adaptive Mobile Limited | Dynamic traffic steering system and method in a network |
US9106693B2 (en) | 2013-03-15 | 2015-08-11 | Juniper Networks, Inc. | Attack detection and prevention using global device fingerprinting |
CN103152227A (en) * | 2013-03-26 | 2013-06-12 | 北京启明星辰信息技术股份有限公司 | Integrated real-time detection system and detection method coping with network threats and attacks |
US9270694B2 (en) * | 2013-05-21 | 2016-02-23 | Rapid7, Llc | Systems and methods for assessing security for a network of assets and providing recommendations |
CN104468161B (en) * | 2013-09-17 | 2018-05-22 | ***通信集团设计院有限公司 | Method and device for configuring differentiated firewall rule sets, and firewall |
CN103856371A (en) * | 2014-02-28 | 2014-06-11 | 中国人民解放军91655部队 | Security protection method for information systems |
US20160014159A1 (en) | 2014-07-10 | 2016-01-14 | Sven Schrecker | Separated security management |
US10581756B2 (en) * | 2014-09-09 | 2020-03-03 | Microsoft Technology Licensing, Llc | Nonintrusive dynamically-scalable network load generation |
US20160149948A1 (en) * | 2014-09-25 | 2016-05-26 | Cybersponse, Inc. | Automated Cyber Threat Mitigation Coordinator |
CN104993935B (en) * | 2015-07-01 | 2017-12-19 | 北京奇安信科技有限公司 | Network threat alerting method, device and system |
US10021115B2 (en) * | 2015-11-03 | 2018-07-10 | Juniper Networks, Inc. | Integrated security system having rule optimization |
2015
- 2015-12-30 US US14/983,999 patent/US10021115B2/en active Active
- 2015-12-30 US US14/983,983 patent/US10135841B2/en active Active
- 2015-12-30 US US14/983,927 patent/US20170126727A1/en not_active Abandoned
2016
- 2016-11-02 CN CN201610952228.XA patent/CN106941480B/en active Active
- 2016-11-02 CN CN201610952724.5A patent/CN107026835B/en active Active
- 2016-11-02 CN CN201610952348.XA patent/CN106953837B/en active Active
2018
- 2018-07-09 US US16/030,330 patent/US10382451B2/en active Active
Patent Citations (50)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6330562B1 (en) * | 1999-01-29 | 2001-12-11 | International Business Machines Corporation | System and method for managing security objects |
US20040049585A1 (en) * | 2000-04-14 | 2004-03-11 | Microsoft Corporation | SERVER SIDE CONFIGURATION OF CLIENT IPSec LIFETIME SECURITY PARAMETERS |
US20030055557A1 (en) * | 2001-09-20 | 2003-03-20 | International Business Machines Corporation | Method of calibrating a car alarm depending on the crime statistics of an area VIA intergration with road navigation display systems |
US7574603B2 (en) * | 2003-11-14 | 2009-08-11 | Microsoft Corporation | Method of negotiating security parameters and authenticating users interconnected to a network |
US7506371B1 (en) * | 2004-01-22 | 2009-03-17 | Guardium, Inc. | System and methods for adaptive behavior based access control |
US20060028999A1 (en) * | 2004-03-28 | 2006-02-09 | Robert Iakobashvili | Flows based visualization of packet networks with network performance analysis, troubleshooting, optimization and network history backlog |
US20060140127A1 (en) * | 2004-12-29 | 2006-06-29 | Hee-Jo Lee | Apparatus for displaying network status |
US20060221077A1 (en) * | 2005-03-08 | 2006-10-05 | William Wright | System and method for large scale information analysis using data visualization techniques |
US20070044147A1 (en) * | 2005-08-17 | 2007-02-22 | Korea University Industry And Academy Collaboration Foundation | Apparatus and method for monitoring network using the parallel coordinate system |
US20070118909A1 (en) * | 2005-11-18 | 2007-05-24 | Nexthink Sa | Method for the detection and visualization of anomalous behaviors in a computer network |
US20070261099A1 (en) * | 2006-05-02 | 2007-11-08 | Broussard Scott J | Confidential content reporting system and method with electronic mail verification functionality |
US7743414B2 (en) * | 2006-05-26 | 2010-06-22 | Novell, Inc. | System and method for executing a permissions recorder analyzer |
US20100150008A1 (en) * | 2007-03-08 | 2010-06-17 | Seon Gyoung Sohn | Apparatus and method for displaying state of network |
US20110238826A1 (en) * | 2008-12-08 | 2011-09-29 | Neuralitic Systems | Method and system for analysing a mobile operator data network |
US20150026761A1 (en) * | 2009-01-28 | 2015-01-22 | Headwater Partners I Llc | Security, fraud detection, and fraud mitigation in device-assisted services systems |
US20120278477A1 (en) * | 2009-04-08 | 2012-11-01 | The University Of North Carolina At Chapel Hill | Methods, systems, and computer program products for network server performance anomaly detection |
US20120221589A1 (en) * | 2009-08-25 | 2012-08-30 | Yuval Shahar | Method and system for selecting, retrieving, visualizing and exploring time-oriented data in multiple subject records |
US20110277034A1 (en) * | 2010-05-06 | 2011-11-10 | Tenable Network Security, Inc. | System and method for three-dimensional visualization of vulnerability and asset data |
US20120069131A1 (en) * | 2010-05-28 | 2012-03-22 | Abelow Daniel H | Reality alternate |
US20110302290A1 (en) * | 2010-06-07 | 2011-12-08 | Novell, Inc. | System and method for managing changes in a network datacenter |
US20110302295A1 (en) * | 2010-06-07 | 2011-12-08 | Novell, Inc. | System and method for modeling interdependencies in a network datacenter |
US20130030875A1 (en) * | 2011-07-29 | 2013-01-31 | Panasonic Corporation | System and method for site abnormality recording and notification |
US20130055342A1 (en) * | 2011-08-24 | 2013-02-28 | International Business Machines Corporation | Risk-based model for security policy management |
US20130097706A1 (en) * | 2011-09-16 | 2013-04-18 | Veracode, Inc. | Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security |
US8751424B1 (en) * | 2011-12-15 | 2014-06-10 | The Boeing Company | Secure information classification |
US20130174256A1 (en) * | 2011-12-29 | 2013-07-04 | Architecture Technology Corporation | Network defense system and framework for detecting and geolocating botnet cyber attacks |
US20160241584A1 (en) * | 2011-12-29 | 2016-08-18 | 21Ct, Inc. | Method and system for identifying a threatening network |
US20140343732A1 (en) * | 2012-02-01 | 2014-11-20 | Abb Research Ltd. | Dynamic configuration of an industrial control system |
US20140181972A1 (en) * | 2012-04-18 | 2014-06-26 | Zimperium, Inc. | Preventive intrusion device and method for mobile devices |
US20130326578A1 (en) * | 2012-06-04 | 2013-12-05 | Nokia Corporation | Method and apparatus for determining privacy policy based on data and associated values |
US20140013432A1 (en) * | 2012-07-09 | 2014-01-09 | Electronics And Telecommunications Reseach Institute | Method and apparatus for visualizing network security state |
US20140075494A1 (en) * | 2012-09-12 | 2014-03-13 | Ca, Inc. | Managing security clusters in cloud computing environments using autonomous security risk negotiation agents |
US20140189861A1 (en) * | 2012-10-16 | 2014-07-03 | Bikram Kumar Gupta | System and method for correlating network information with subscriber information in a mobile network environment |
US20140137241A1 (en) * | 2012-11-14 | 2014-05-15 | Click Security, Inc. | Automated security analytics platform with pluggable data collection and analysis modules |
US20140137242A1 (en) * | 2012-11-14 | 2014-05-15 | Click Security, Inc. | Automated security analytics platform with multi-level representation conversion for space efficiency and incremental persistence |
US20140215621A1 (en) * | 2013-01-25 | 2014-07-31 | REMTCS Inc. | System, method, and apparatus for providing network security |
US9231769B1 (en) * | 2013-05-29 | 2016-01-05 | Symantec Corporation | Systems and methods for providing interfaces for creating transport layer security certificates |
US20160205137A1 (en) * | 2013-09-30 | 2016-07-14 | Grant Babb | Visualization and analysis of complex security information |
US20150120959A1 (en) * | 2013-10-29 | 2015-04-30 | Solana Networks Inc. | Method and system for monitoring and analysis of network traffic flows |
US20150222667A1 (en) * | 2013-12-02 | 2015-08-06 | Alex Nayshtut | Protection system including security rule evaluation |
US20150269438A1 (en) * | 2014-03-18 | 2015-09-24 | Sri International | Real-time system for multi-modal 3d geospatial mapping, object recognition, scene annotation and analytics |
US20170214694A1 (en) * | 2014-08-22 | 2017-07-27 | Nokia Technologies Oy | A Security and Trust Framework for Virtualized Networks |
US20160063387A1 (en) * | 2014-08-29 | 2016-03-03 | Verizon Patent And Licensing Inc. | Monitoring and detecting environmental events with user devices |
US20160080408A1 (en) * | 2014-09-15 | 2016-03-17 | Lookingglass Cyber Solutions | Apparatuses, methods and systems for a cyber security assessment mechanism |
US9124622B1 (en) * | 2014-11-07 | 2015-09-01 | Area 1 Security, Inc. | Detecting computer security threats in electronic documents based on structure |
US20160191558A1 (en) * | 2014-12-23 | 2016-06-30 | Bricata Llc | Accelerated threat mitigation system |
US20160191466A1 (en) * | 2014-12-30 | 2016-06-30 | Fortinet, Inc. | Dynamically optimized security policy management |
US20160217187A1 (en) * | 2015-01-26 | 2016-07-28 | International Business Machines Corporation | Representing identity data relationships using graphs |
US20160226944A1 (en) * | 2015-01-29 | 2016-08-04 | Splunk Inc. | Facilitating custom content extraction from network packets |
US20160301704A1 (en) * | 2015-04-09 | 2016-10-13 | Accenture Global Services Limited | Event correlation across heterogeneous operations |
Cited By (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10382451B2 (en) | 2015-11-03 | 2019-08-13 | Juniper Networks, Inc. | Integrated security system having rule optimization |
US10956567B2 (en) * | 2015-12-15 | 2021-03-23 | Yokogawa Electric Corporation | Control device, integrated industrial system, and control method thereof |
US20170169219A1 (en) * | 2015-12-15 | 2017-06-15 | Yokogawa Electric Corporation | Control device, integrated industrial system, and control method thereof |
US10819742B2 (en) | 2015-12-15 | 2020-10-27 | Yokogawa Electric Corporation | Integrated industrial system and control method thereof |
US20190190944A1 (en) * | 2016-02-24 | 2019-06-20 | Verodin, Inc. | Systems and methods for attack simulation on a production network |
US10944779B2 (en) * | 2016-02-24 | 2021-03-09 | Fireeye, Inc. | Systems and methods for attack simulation on a production network |
US11706238B2 (en) | 2016-02-24 | 2023-07-18 | Google Llc | Systems and methods for attack simulation on a production network |
US10757131B2 (en) | 2016-02-24 | 2020-08-25 | Fireeye, Inc. | Systems and methods for attack simulation on a production network |
US11134095B2 (en) * | 2016-02-24 | 2021-09-28 | Fireeye, Inc. | Systems and methods for attack simulation on a production network |
US10212186B2 (en) * | 2016-02-24 | 2019-02-19 | Verodin, Inc. | Systems and methods for attack simulation on a production network |
US10681068B1 (en) * | 2016-07-26 | 2020-06-09 | Christopher Galliano | System and method for analyzing data and using analyzed data to detect cyber threats and defend against cyber threats |
US11677777B1 (en) | 2016-10-26 | 2023-06-13 | Wells Fargo Bank, N.A. | Situational awareness and perimeter protection orchestration |
US10419473B1 (en) * | 2016-10-26 | 2019-09-17 | Wells Fargo Bank, N.A. | Situational awareness and perimeter protection orchestration |
US11258681B2 (en) * | 2016-12-16 | 2022-02-22 | Nicira, Inc. | Application assessment and visibility for micro-segmentation of a network deployment |
US11750481B2 (en) | 2016-12-16 | 2023-09-05 | Nicira, Inc. | Application assessment and visibility for micro-segmentation of a network deployment |
US10771506B1 (en) * | 2017-07-31 | 2020-09-08 | Juniper Networks, Inc. | Deployment of a security policy based on network topology and device capability |
CN108009713A (en) * | 2017-11-27 | 2018-05-08 | 江苏安信息科技有限公司 | Online security assessment method |
CN108234447A (en) * | 2017-12-04 | 2018-06-29 | 北京交通大学 | Security rule management system and method for heterogeneous network security functions |
US11108798B2 (en) | 2018-06-06 | 2021-08-31 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11637847B2 (en) | 2018-06-06 | 2023-04-25 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11921864B2 (en) | 2018-06-06 | 2024-03-05 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11095673B2 (en) | 2018-06-06 | 2021-08-17 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US10951641B2 (en) | 2018-06-06 | 2021-03-16 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11709946B2 (en) | 2018-06-06 | 2023-07-25 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11687659B2 (en) | 2018-06-06 | 2023-06-27 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US10965703B2 (en) | 2018-06-06 | 2021-03-30 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11265338B2 (en) | 2018-06-06 | 2022-03-01 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11611577B2 (en) | 2018-06-06 | 2023-03-21 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11297080B2 (en) * | 2018-06-06 | 2022-04-05 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11323462B2 (en) | 2018-06-06 | 2022-05-03 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11588838B2 (en) | 2018-06-06 | 2023-02-21 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11528287B2 (en) | 2018-06-06 | 2022-12-13 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11363043B2 (en) | 2018-06-06 | 2022-06-14 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11374951B2 (en) | 2018-06-06 | 2022-06-28 | Reliaquest Holdings, Llc | Threat mitigation system and method |
US11354325B2 (en) | 2018-10-25 | 2022-06-07 | Bank Of America Corporation | Methods and apparatus for a multi-graph search and merge engine |
US10630726B1 (en) | 2018-11-18 | 2020-04-21 | Bank Of America Corporation | Cybersecurity threat detection and mitigation system |
US10862926B2 (en) | 2018-11-18 | 2020-12-08 | Bank Of America Corporation | Cybersecurity threat detection and mitigation system |
US10824676B2 (en) | 2018-11-29 | 2020-11-03 | Bank Of America Corporation | Hybrid graph and relational database architecture |
US11012472B2 (en) | 2018-12-05 | 2021-05-18 | International Business Machines Corporation | Security rule generation based on cognitive and industry analysis |
US11277436B1 (en) * | 2019-06-24 | 2022-03-15 | Ca, Inc. | Identifying and mitigating harm from malicious network connections by a container |
CN114641968A (en) * | 2019-07-03 | 2022-06-17 | Centripetal Networks, Inc. | Methods and systems for efficient cyber protections of mobile devices |
US11388175B2 (en) * | 2019-09-05 | 2022-07-12 | Cisco Technology, Inc. | Threat detection of application traffic flows |
CN110933049A (en) * | 2019-11-16 | 2020-03-27 | 杭州安恒信息技术股份有限公司 | Network illegal information monitoring method and system based on video capture |
US11218360B2 (en) | 2019-12-09 | 2022-01-04 | Quest Automated Services, LLC | Automation system with edge computing |
US11588854B2 (en) | 2019-12-19 | 2023-02-21 | Vmware, Inc. | User interface for defining security groups |
CN111988322A (en) * | 2020-08-24 | 2020-11-24 | 北京微步在线科技有限公司 | Attack event display system |
US11334626B1 (en) | 2020-11-02 | 2022-05-17 | Bank Of America Corporation | Hybrid graph and relational database architecture |
Also Published As
Publication number | Publication date |
---|---|
CN107026835B (en) | 2020-06-26 |
US10135841B2 (en) | 2018-11-20 |
US20180332055A1 (en) | 2018-11-15 |
CN106941480B (en) | 2020-06-26 |
CN106941480A (en) | 2017-07-11 |
CN107026835A (en) | 2017-08-08 |
US10021115B2 (en) | 2018-07-10 |
CN106953837B (en) | 2020-09-25 |
US20170126740A1 (en) | 2017-05-04 |
CN106953837A (en) | 2017-07-14 |
US10382451B2 (en) | 2019-08-13 |
US20170126728A1 (en) | 2017-05-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10382451B2 (en) | Integrated security system having rule optimization | |
US10728117B1 (en) | Systems and methods for improving digital user experience | |
US10938686B2 (en) | Systems and methods for analyzing digital user experience | |
US10892964B2 (en) | Systems and methods for monitoring digital user experience | |
US11063909B1 (en) | Methods and systems for efficient cyber protections of mobile devices | |
EP3699766A1 (en) | Systems and methods for monitoring, analyzing, and improving digital user experience | |
US9264301B1 (en) | High availability for software defined networks | |
EP3449600B1 (en) | A data driven intent based networking approach using a light weight distributed sdn controller for delivering intelligent consumer experiences | |
EP2930885B1 (en) | Incremental application of resources to network traffic flows based on heuristics and business policies | |
US11582191B2 (en) | Cyber protections of remote networks via selective policy enforcement at a central network | |
US20240022592A1 (en) | Visibility and scanning of a variety of entities | |
EP3166279B1 (en) | Integrated security system having rule optimization | |
EP3166281B1 (en) | Integrated security system having threat visualization | |
EP3166280B1 (en) | Integrated security system having threat visualization and automated security device control | |
Rania et al. | SDWAN with IDPS Efficient Network Solution | |
WO2023154122A1 (en) | Cyber protections of remote networks via selective policy enforcement at a central network | |
SOON et al. | NEXT GENERATION SD-WAN WITH IDPS | |
Christenson Colón | Unified Threat Management | |
Limmer | Efficient Network Monitoring for Attack Detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: JUNIPER NETWORKS, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BEAM, LISA M.;NESTEROFF, LYUBOV;CHAVEZ, RENE;AND OTHERS;SIGNING DATES FROM 20151218 TO 20151221;REEL/FRAME:037382/0653 |
| AS | Assignment | Owner name: JUNIPER NETWORKS, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SHIMUK, NATALIA L.;REEL/FRAME:037497/0392 Effective date: 20160113 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |