CA2428192C - Network intelligence system - Google Patents
Network intelligence system Download PDFInfo
- Publication number
- CA2428192C CA2428192C CA2428192A CA2428192A CA2428192C CA 2428192 C CA2428192 C CA 2428192C CA 2428192 A CA2428192 A CA 2428192A CA 2428192 A CA2428192 A CA 2428192A CA 2428192 C CA2428192 C CA 2428192C
- Authority
- CA
- Canada
- Prior art keywords
- network
- information
- security
- networks
- master
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 230000008520 organization Effects 0.000 claims abstract description 6
- 206010020400 Hostility Diseases 0.000 claims abstract description 4
- 238000000034 method Methods 0.000 claims description 19
- VEMKTZHHVJILDY-UHFFFAOYSA-N resmethrin Chemical compound CC1(C)C(C=C(C)C)C1C(=O)OCC1=COC(CC=2C=CC=CC=2)=C1 VEMKTZHHVJILDY-UHFFFAOYSA-N 0.000 claims description 17
- 238000012550 audit Methods 0.000 claims description 5
- 238000001514 detection method Methods 0.000 claims description 4
- 230000035945 sensitivity Effects 0.000 claims description 3
- 230000002265 prevention Effects 0.000 claims 2
- 238000005067 remediation Methods 0.000 claims 2
- 230000000903 blocking effect Effects 0.000 claims 1
- 238000004891 communication Methods 0.000 description 8
- 230000000694 effects Effects 0.000 description 6
- 238000011161 development Methods 0.000 description 3
- 230000002159 abnormal effect Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000003203 everyday effect Effects 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 238000010223 real-time analysis Methods 0.000 description 1
- 239000000523 sample Substances 0.000 description 1
- 238000000682 scanning probe acoustic microscopy Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/04—Network management architectures or arrangements
- H04L41/046—Network management architectures or arrangements comprising network management agents or mobile agents therefor
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A network security system takes an active approach to network security. This is accomplished by providing intelligence about other networks. A master network intelligence database is established that uses a plurality of network information agents for gathering information about networks and providing the information to the master network intelligence database. A customer network security system is then able to secure the customer network in dependence upon information received from the master network intelligence. Security information includes at least one of hostility level on the Internet, collected from numerous sites; security event history; seam levels; hosted services; public wireless; organization type; organization associations; peer ISPs; bandwidth connection to the Internet; active security measures; number of users on the network; age of the network; inappropriate content served; industry; geographic placement; open proxy servers; and contact information.
Description
NET~VORI~ INTELLIGENCE SYSTEM
Field of the Invention The present invention relates to method and apparatus for network security and is particularly acquiring and using knowledge about networks.
Background of the Invention The rapid development of the Internet, World Wide Web and E-commerce has made it increasingly important to be able to monitor the traffic going into and coming out of a network in order to discover abnormal network traffic that may be an indication of attacks from hackers or misuse of network resources by users inside the network. A network of computers may be attacked by a hacker using Smurf, Denial of Services (DoS), or be abused by a rogue employee within the network, who may attack some other networks or download pornography.
Various network security software, such as firewalls, Intrusion Detection Systems (IDS), network monitors, and vulnerability assessment tools, have been developed to protect a network from abuse and hacking.
IDS systems are used to spot, alert, and stop intrusions. Typically running on dedicated computers hooked to the network, II)S systems actively monitor network traffic for suspicious activities. Statistics or rule-based artificial intelligence is used to detect abnormal activities.
Thus, IDS systems depend on the recognition of known attack patterns. For example, contents in the network traffic may be monitored to match the patterns in an IDS
system's databases.
The real-time analysis of the network traffic provides the capability to send instant notifications via e-mails, pager alerts, or other means. Based on a predefined security policy, some IDS systems can take defensive actions against intrusions, such as initiating the termination of network connections or changing the configuration of network devices (e.g., firewalls and routers). Since hacking activities and misuse of new patterns are under constant development, IDS systems are also under constant development.
Field of the Invention The present invention relates to method and apparatus for network security and is particularly acquiring and using knowledge about networks.
Background of the Invention The rapid development of the Internet, World Wide Web and E-commerce has made it increasingly important to be able to monitor the traffic going into and coming out of a network in order to discover abnormal network traffic that may be an indication of attacks from hackers or misuse of network resources by users inside the network. A network of computers may be attacked by a hacker using Smurf, Denial of Services (DoS), or be abused by a rogue employee within the network, who may attack some other networks or download pornography.
Various network security software, such as firewalls, Intrusion Detection Systems (IDS), network monitors, and vulnerability assessment tools, have been developed to protect a network from abuse and hacking.
IDS systems are used to spot, alert, and stop intrusions. Typically running on dedicated computers hooked to the network, II)S systems actively monitor network traffic for suspicious activities. Statistics or rule-based artificial intelligence is used to detect abnormal activities.
Thus, IDS systems depend on the recognition of known attack patterns. For example, contents in the network traffic may be monitored to match the patterns in an IDS
system's databases.
The real-time analysis of the network traffic provides the capability to send instant notifications via e-mails, pager alerts, or other means. Based on a predefined security policy, some IDS systems can take defensive actions against intrusions, such as initiating the termination of network connections or changing the configuration of network devices (e.g., firewalls and routers). Since hacking activities and misuse of new patterns are under constant development, IDS systems are also under constant development.
IDS systems have a number of weaknesses. IDS systems depend on the recognition of known attack patterns, sequences, or signatures. Currently known signatures of attacks are collected to write rules to detect and disable network activities with these signatures.
However, IDS systems cannot detect or stop the attacks of unknown signatures.
IDS systems have to be upgraded when the rules are updated to handle attacks of signatures that are only recently recognized.
A grave concern of network administrators is the exponential increase in attacks seen as the size and reach of the Internet increases with time. A consequence of this is that in the foreseeable future IDSs on networks will be overwhelmed by such attacks and will no longer be able to keep pace with mutating forms of attack.
All of the above issues and techniques and structures to address the issue arise for the anonymous nature of data communications. Unlike real. world interactions between people where an identity is exchanged fairly early in the conversation, in cyber space ones identity and hence ones reputation can hide behind a network address. T'o make matters worse, the Internet is stateless, that is it does not retain information about previous activity that would affect current activity. For example an end user could try to hack into a private network, send an e-mail to a fellow hacker about the attempt and then do on-line banking, without any of the previous activity affecting their access to the banking network.
Even on a larger scale, such as a network, there is no way on knowing whom you are dealing with other than relying on anecdotal information. As a consequence network administrators have to rely on tools to detect intrusion and misuse. The concern is that this kind of behavior will continue to increase to the point where current methods will be overwhelmed by the numbers of such incidents.
Summary of the Invention An object of the present invention is to provide an improved method and apparatus for network security.
However, IDS systems cannot detect or stop the attacks of unknown signatures.
IDS systems have to be upgraded when the rules are updated to handle attacks of signatures that are only recently recognized.
A grave concern of network administrators is the exponential increase in attacks seen as the size and reach of the Internet increases with time. A consequence of this is that in the foreseeable future IDSs on networks will be overwhelmed by such attacks and will no longer be able to keep pace with mutating forms of attack.
All of the above issues and techniques and structures to address the issue arise for the anonymous nature of data communications. Unlike real. world interactions between people where an identity is exchanged fairly early in the conversation, in cyber space ones identity and hence ones reputation can hide behind a network address. T'o make matters worse, the Internet is stateless, that is it does not retain information about previous activity that would affect current activity. For example an end user could try to hack into a private network, send an e-mail to a fellow hacker about the attempt and then do on-line banking, without any of the previous activity affecting their access to the banking network.
Even on a larger scale, such as a network, there is no way on knowing whom you are dealing with other than relying on anecdotal information. As a consequence network administrators have to rely on tools to detect intrusion and misuse. The concern is that this kind of behavior will continue to increase to the point where current methods will be overwhelmed by the numbers of such incidents.
Summary of the Invention An object of the present invention is to provide an improved method and apparatus for network security.
Security is really all about knowledge, which is something that security devices and networks clearly lack. Everyday, in the real world, we use our knowledge, and records of people, places, and things, to make decisions about them. We don't hire people based only on what they look like when they are standing at our door. We don't let people into the country without proper identification and records. The thought of doing so seems foolish, but it is exactly what security devices and networks do every day, for every communication that occurs. IDSs and firewalls have no other information available to them other then what the packet looks like, standing at the door.
Network and security devices have no way of knowing to whom they are talking on the other side, none at all. Am I talking to a network that is extremely hostile?
Known to be a hacker haven? Do they employ active security devices over there? Or are they just wide open... making it irrelevant if I try to secure info I send them? 1-~m I
violating my own security by talking to them? Do I need to be accepting email from sites known to be heavy seam I S domains, and are from far flung continents my company never communicates with anyways?
Is this a competitor of mine? If so, why are they requesting the info they are requesting. Even if they have firewalls and we are communicating securely, can I trust that they are who they say they are, since they are allowing public access to their wireless networks? What if some hacker parks outside their window? Why do I need to open my network to the risks associated with communicating with open university networks, or residential ISP networks?
How can I
prioritize traffic that comes from large enterprises, to ensure they get good service? How can I
stop my IDS from generating so many false positives, why can't it tell the difference between a possible security problem on a highly secured, trusted partner network of mine, and the same event from the University of XX~~°s student network, one of the most hostile networks in the world?
These questions, and many more, can be answered, with the present invention, a Network Intelligence Database. Every network in the world would have a record in the database, with a large number of properties. Some properties might be:
Hostility level on the Internet;
Security event history;
Spam levels;
Hosted services (web servers, email servers);
Public wireless;
Organization type: educational, enterprise, military;
Organization associations: owned by, partnered with whom;
Peer ISPs;
Bandwidth connection to the Internet;
Active security measures, firewalls, IDSs;
Number of users, employees, people on this network;
Age of the network;
Inappropriate content served (hate sites, porn, pirated software);
Industry: industrial, computers;
Geographic placement;
Open proxy servers; and Address, contact information.
Accordingly, system and method of the present invention establish respective reputations for networks and allow a given network to determine whether to communicate with a particular network in dependence upon its reputation.
In accordance with an aspect of the present invention there is provided a network security system for providing intelligence about other networks comprising: a master network intelligence database including a first communication interface; a plurality of network information agents for gathering information about networks and providing the information to the master network intelligence database via the communication interface; and a second communication interface for a customer network security system securing a network in dependence upon information from the master network intelligence database.
5 In accordance with another aspect of the present invention there is provided a network security system for providing intelligence about other networks comprising: a master network intelligence database including first and second communication interfaces; a plurality of network information agents for gathering information about networks and providing the information to the master network intelligence database via the first communication interface;
and a customer network security system for securing a network in dependence upon information received from the master network intelligence database via the second communication interface.
In accordance with a further aspect of 'the present invention there is provided a method of network security system providing intelligence about other networks comprising the steps of gathering information about networks; storing the information in a master network intelligence database; and securing a customer network in dependence upon information received from the master network intelligence database.
An advantage of the present invention is providing security based upon the reputation of networks.
Brief Description of the Drawings The present invention will be further understood from the following detailed description with reference to the drawings in which:
Fig. 1 illustrates apparatus for network security in accordance with an embodiment of the present invention;
Fig. 2 illustrates further detail of the apparatus of Fig. 1; and Fig. 3 illustrates operation of the apparatus of Fig. 1.
Detailed Description of the Preferred Embodiment Referring to Fig. 1 apparatus for network security in accordance with an embodiment of the present invention. The apparatus 10 includes a master network intelligence database (M-NID) 12, and a plurality of customer network intelligence databases (C-NID) 14. The Master NID resides at a location 16 offering the service, and customers 18 obtain a Customer NID 14, or C-NID, from the service provider 16. The Master NID 12 then feeds the customers' NID 14 updates as new data are collected. A Policy enforcer (PE) 20 layered on top of the C-NID 14 interfaces with services and devices on a customer company network 18. The PE
20 allows an administrator to take conceptual ideas of who he wants his network to talk to, not talk to, or how he wants to configure services, and turns them into the technical rules sets that the devices require.
In operation, the PE 20 talks to the C-NID 14, turns concepts into rules and feeds the rules to the NID device agents 40 installed on the customer network security devices.
The Master NID 12 includes information on networks through properties 22 of those networks and applies both a weighting system to those properties and time sensitivity (how things become less or more important over time).
The Customer NID (C-NID) 14 includes information on networks, receives real-time updates from the Master-NID 12 that include properties, a~zd has a mufti-user weighting system and time sensitivity. The C-N~ (Custom-NID) includes a real-time interface for receiving live remote updates from the Mater-NID. It also includes data mining and searching capability.
Refernng to Fig. 2, there is illustrated further detail of the apparatus of Fig. 1. The master NID 12 gathers information from a number of sources, for example human NID
information agents 30, automated NID information agents 32 and corporate partner information sources 34.
NID information agents are provided at the M-NID service provider, for example these could include:
1. Perimeter Security Agent --These are the agents from M-NID service provider that scour the Internet, looking for evidence of perimeter security measures in place at remote networks.
2. Newgroup/Forum Agent - performing linguistic analysis to glean information about the networks.
3. Search Engine Agent, for example a Google TM Agent.
Network and security devices have no way of knowing to whom they are talking on the other side, none at all. Am I talking to a network that is extremely hostile?
Known to be a hacker haven? Do they employ active security devices over there? Or are they just wide open... making it irrelevant if I try to secure info I send them? 1-~m I
violating my own security by talking to them? Do I need to be accepting email from sites known to be heavy seam I S domains, and are from far flung continents my company never communicates with anyways?
Is this a competitor of mine? If so, why are they requesting the info they are requesting. Even if they have firewalls and we are communicating securely, can I trust that they are who they say they are, since they are allowing public access to their wireless networks? What if some hacker parks outside their window? Why do I need to open my network to the risks associated with communicating with open university networks, or residential ISP networks?
How can I
prioritize traffic that comes from large enterprises, to ensure they get good service? How can I
stop my IDS from generating so many false positives, why can't it tell the difference between a possible security problem on a highly secured, trusted partner network of mine, and the same event from the University of XX~~°s student network, one of the most hostile networks in the world?
These questions, and many more, can be answered, with the present invention, a Network Intelligence Database. Every network in the world would have a record in the database, with a large number of properties. Some properties might be:
Hostility level on the Internet;
Security event history;
Spam levels;
Hosted services (web servers, email servers);
Public wireless;
Organization type: educational, enterprise, military;
Organization associations: owned by, partnered with whom;
Peer ISPs;
Bandwidth connection to the Internet;
Active security measures, firewalls, IDSs;
Number of users, employees, people on this network;
Age of the network;
Inappropriate content served (hate sites, porn, pirated software);
Industry: industrial, computers;
Geographic placement;
Open proxy servers; and Address, contact information.
Accordingly, system and method of the present invention establish respective reputations for networks and allow a given network to determine whether to communicate with a particular network in dependence upon its reputation.
In accordance with an aspect of the present invention there is provided a network security system for providing intelligence about other networks comprising: a master network intelligence database including a first communication interface; a plurality of network information agents for gathering information about networks and providing the information to the master network intelligence database via the communication interface; and a second communication interface for a customer network security system securing a network in dependence upon information from the master network intelligence database.
5 In accordance with another aspect of the present invention there is provided a network security system for providing intelligence about other networks comprising: a master network intelligence database including first and second communication interfaces; a plurality of network information agents for gathering information about networks and providing the information to the master network intelligence database via the first communication interface;
and a customer network security system for securing a network in dependence upon information received from the master network intelligence database via the second communication interface.
In accordance with a further aspect of 'the present invention there is provided a method of network security system providing intelligence about other networks comprising the steps of gathering information about networks; storing the information in a master network intelligence database; and securing a customer network in dependence upon information received from the master network intelligence database.
An advantage of the present invention is providing security based upon the reputation of networks.
Brief Description of the Drawings The present invention will be further understood from the following detailed description with reference to the drawings in which:
Fig. 1 illustrates apparatus for network security in accordance with an embodiment of the present invention;
Fig. 2 illustrates further detail of the apparatus of Fig. 1; and Fig. 3 illustrates operation of the apparatus of Fig. 1.
Detailed Description of the Preferred Embodiment Referring to Fig. 1 apparatus for network security in accordance with an embodiment of the present invention. The apparatus 10 includes a master network intelligence database (M-NID) 12, and a plurality of customer network intelligence databases (C-NID) 14. The Master NID resides at a location 16 offering the service, and customers 18 obtain a Customer NID 14, or C-NID, from the service provider 16. The Master NID 12 then feeds the customers' NID 14 updates as new data are collected. A Policy enforcer (PE) 20 layered on top of the C-NID 14 interfaces with services and devices on a customer company network 18. The PE
20 allows an administrator to take conceptual ideas of who he wants his network to talk to, not talk to, or how he wants to configure services, and turns them into the technical rules sets that the devices require.
In operation, the PE 20 talks to the C-NID 14, turns concepts into rules and feeds the rules to the NID device agents 40 installed on the customer network security devices.
The Master NID 12 includes information on networks through properties 22 of those networks and applies both a weighting system to those properties and time sensitivity (how things become less or more important over time).
The Customer NID (C-NID) 14 includes information on networks, receives real-time updates from the Master-NID 12 that include properties, a~zd has a mufti-user weighting system and time sensitivity. The C-N~ (Custom-NID) includes a real-time interface for receiving live remote updates from the Mater-NID. It also includes data mining and searching capability.
Refernng to Fig. 2, there is illustrated further detail of the apparatus of Fig. 1. The master NID 12 gathers information from a number of sources, for example human NID
information agents 30, automated NID information agents 32 and corporate partner information sources 34.
NID information agents are provided at the M-NID service provider, for example these could include:
1. Perimeter Security Agent --These are the agents from M-NID service provider that scour the Internet, looking for evidence of perimeter security measures in place at remote networks.
2. Newgroup/Forum Agent - performing linguistic analysis to glean information about the networks.
3. Search Engine Agent, for example a Google TM Agent.
4. Public Web agent, gleans information from public websites.
Referring to Fig. 3, there is illustrated operation of the apparatus of Fig.
1. At each customer network 18, the customer deploys NID device agents 40 on all of its network devices.
The Policy enforcer 20 takes concepts "lets not talk to anyone without a firewall if they have public wireless", and turns it into rule sets for the NID device agents 40. Agents are built for all devices to allow them to accept policies from the PE and bring intelligence to all devices on a network. Hence, PCs do not talk to hostile networks, nor accept traffic from SPAM
senders.
For example, there are N~ device agents for IDS 42, firewall 44, servers 46 (web, email), PCs 48 and routers 50. The PE tells IDS NID device agents how to reduce false positives and filter or enhance alerts from the IDS. The PE tells Firewall NID
device agents how block or modify traffic based on it's new knowledge of the remote networks.
In operation, the Master NID 12 resides at a location 16 offering the service, and customers 18 obtain a Customer NID 14, or C-NID, from the service provider 16.
The Master NID 12 then feeds the customers' NIDs 14 updates as new data are collected or changed.
The Policy enforcer PE 20 layered on top of the C-NID 14 interfaces with services 46 and devices 42, 44, 48, 50 on a customer company network 18 via the NID device agents. The PE 20 allows an administrator to take conceptual ideas of who he wants his network to talk to, not talk to, or how he wants to configure services, and turns them into the technical rules sets that the devices require via info from the C-N ID. For example, the statement "I don't see any need for accepting mail from any residential ISP outside North America, nor from Universities, or other sites that have a high spam rating°'. The Policy enforcer 20 then takes that concept, and with the help of the C-NTD 14, turns it into a rule set of matching networl~s, and feeds it to the NID device agent on the mail server 46. Other examples are: "Any network with a reasonably high hostility level, or doesn't employ active security devices should have a higher priority for my IDS alerts"; "I don't want any of my competitors, or associated parent companies or networks getting access to my in depth technology white papers°°.
The NID information agents are the autonomous agents that run on computers at the NID service provider. The NID information agents constantly probe information sources on the Internet and feed that information into the M-NID via a network connection to the central NID server. The NID information agents take a number of forms, but all of them share the fact that they feed information into the M-NID. The NID information agents may be content search information agents that read through newsgroups and glean information therefrom. Or, the NID information agents may be active probing information agents, which send packets to remote networks and glean information from the responses received to those packets.
NID device agents are agents that convert policy enforcer rules, which are in a generic format, into specific rules for the device in question. The Nm device agent resides on the customer's device, and communicates over the customer's network with the policy enforcer.
For example, if the policy enforcer 20 were asked to block Universities with the name'UABC' in the title, that existed in Canada, the policy enforcer 20 would turn that concept into a generic rule 'Block 123.456/16'. This generic rule is then fed to all the NID device agents the customer's network. For example a NID device agent on a LIhTUX box, which turns the genreric rule into a rule for the particular firewall technology on the LMX
box. rule.
An alternative to NID device agents, would be using a protocol standard that network devices adhere to, which then allows the devices to understand the rules from the policy enforcer, so they would not have a need for a NID device agent. For example, the NID service provider could publish an XML standard for to which devices where to adhere.
9~
Thus, an initial implementation of the network intelligence system would required NID
device agents so that the network devices would be able to understand what the policy enforcer is asking of them to do. I~owever, as new versions of the devices are shipped by companies they could make sure it adheres to a published XML (or other) standard, that the policy enforcer uses. Thus, no NID device agent is required on the device, because the device could talk directly to and receive rules directly from the policy enforcer.
The NID service provider 16 partners with security, intelligence, and network operations companies 34 around the world. Consequently, enterprise customers 18 may start to require certain prerequisites from the remote networks they communicate with. They may set in place enforced polices based on information in the master NID 12. For example:
~ Company A may no longer let you into their network unless you have an up-to-date security audit, of a certain level, from a trusted auditor.
~ Bank B may not allow online banking from networks without firewalls and other active security systems.
~ Government agency C blocks lOs of thousands of networks from accessing government sites and services in the US because those networks do not use anti-virus software.
~ Company D forces 100,000 desktop computers to avoid sites known to peddle copyrighted material to avoid backlash from RIGA (Recording Industry Association of America) Firms from all sorts of areas may partner 34 with the NID service provider 16 to have their unique information available in the Master NID 12, to be used by customers 18 via the PE
20. For example ~ Virus companies ~ Security companies ~ Business Intelligence Companies ~ Spam, mail companies ~ Wireless networking companies ~ Intelligence services, CIA
~ Security Audit companies ~ IDS, Firewall, Router vendors Another feature of the NID can be self registration. Some network administers will 5 want to register the information about their network in the M-NII7 to ensure that they get unimpeded access to other networks that have deployed) the NID. They will readily go to https://nid register. to enter in their corporate network information (such as if they have firewalls, size of network, security personnel contact info they could also have a third party verification of their claims via an external auditor (which strengthens the believability of the 10 claims). Self registering ensures that a network's info in the NID is correct. As the NID
grows, self registration becomes something that companies will want to do, to ensure that they get unimpeded access to larger networks with which they wish to communicate.
Embodiments of the present invention have the following advantages:
The Master NID 12 includes a registration system where networks can register their network, for example for a small fee. Registration then adds the network's information into the NID.
Verification of a network's claims upon registration can be done to ensure valid information and properties in the NID can reflect this. For example, the network claims to have firewalls, but this has not been verified.
By listing in the NID any security audit certificates the network may hold, other networks can be assured of the nature of the network with which they are communicating. The NII7 service provider partners with companies that secure networks.
Numerous modifications, variations and adaptations may be made to the particular embodiments of the present invention described above without departing from the scope of the invention as defined in the claims.
Referring to Fig. 3, there is illustrated operation of the apparatus of Fig.
1. At each customer network 18, the customer deploys NID device agents 40 on all of its network devices.
The Policy enforcer 20 takes concepts "lets not talk to anyone without a firewall if they have public wireless", and turns it into rule sets for the NID device agents 40. Agents are built for all devices to allow them to accept policies from the PE and bring intelligence to all devices on a network. Hence, PCs do not talk to hostile networks, nor accept traffic from SPAM
senders.
For example, there are N~ device agents for IDS 42, firewall 44, servers 46 (web, email), PCs 48 and routers 50. The PE tells IDS NID device agents how to reduce false positives and filter or enhance alerts from the IDS. The PE tells Firewall NID
device agents how block or modify traffic based on it's new knowledge of the remote networks.
In operation, the Master NID 12 resides at a location 16 offering the service, and customers 18 obtain a Customer NID 14, or C-NID, from the service provider 16.
The Master NID 12 then feeds the customers' NIDs 14 updates as new data are collected or changed.
The Policy enforcer PE 20 layered on top of the C-NID 14 interfaces with services 46 and devices 42, 44, 48, 50 on a customer company network 18 via the NID device agents. The PE 20 allows an administrator to take conceptual ideas of who he wants his network to talk to, not talk to, or how he wants to configure services, and turns them into the technical rules sets that the devices require via info from the C-N ID. For example, the statement "I don't see any need for accepting mail from any residential ISP outside North America, nor from Universities, or other sites that have a high spam rating°'. The Policy enforcer 20 then takes that concept, and with the help of the C-NTD 14, turns it into a rule set of matching networl~s, and feeds it to the NID device agent on the mail server 46. Other examples are: "Any network with a reasonably high hostility level, or doesn't employ active security devices should have a higher priority for my IDS alerts"; "I don't want any of my competitors, or associated parent companies or networks getting access to my in depth technology white papers°°.
The NID information agents are the autonomous agents that run on computers at the NID service provider. The NID information agents constantly probe information sources on the Internet and feed that information into the M-NID via a network connection to the central NID server. The NID information agents take a number of forms, but all of them share the fact that they feed information into the M-NID. The NID information agents may be content search information agents that read through newsgroups and glean information therefrom. Or, the NID information agents may be active probing information agents, which send packets to remote networks and glean information from the responses received to those packets.
NID device agents are agents that convert policy enforcer rules, which are in a generic format, into specific rules for the device in question. The Nm device agent resides on the customer's device, and communicates over the customer's network with the policy enforcer.
For example, if the policy enforcer 20 were asked to block Universities with the name'UABC' in the title, that existed in Canada, the policy enforcer 20 would turn that concept into a generic rule 'Block 123.456/16'. This generic rule is then fed to all the NID device agents the customer's network. For example a NID device agent on a LIhTUX box, which turns the genreric rule into a rule for the particular firewall technology on the LMX
box. rule.
An alternative to NID device agents, would be using a protocol standard that network devices adhere to, which then allows the devices to understand the rules from the policy enforcer, so they would not have a need for a NID device agent. For example, the NID service provider could publish an XML standard for to which devices where to adhere.
9~
Thus, an initial implementation of the network intelligence system would required NID
device agents so that the network devices would be able to understand what the policy enforcer is asking of them to do. I~owever, as new versions of the devices are shipped by companies they could make sure it adheres to a published XML (or other) standard, that the policy enforcer uses. Thus, no NID device agent is required on the device, because the device could talk directly to and receive rules directly from the policy enforcer.
The NID service provider 16 partners with security, intelligence, and network operations companies 34 around the world. Consequently, enterprise customers 18 may start to require certain prerequisites from the remote networks they communicate with. They may set in place enforced polices based on information in the master NID 12. For example:
~ Company A may no longer let you into their network unless you have an up-to-date security audit, of a certain level, from a trusted auditor.
~ Bank B may not allow online banking from networks without firewalls and other active security systems.
~ Government agency C blocks lOs of thousands of networks from accessing government sites and services in the US because those networks do not use anti-virus software.
~ Company D forces 100,000 desktop computers to avoid sites known to peddle copyrighted material to avoid backlash from RIGA (Recording Industry Association of America) Firms from all sorts of areas may partner 34 with the NID service provider 16 to have their unique information available in the Master NID 12, to be used by customers 18 via the PE
20. For example ~ Virus companies ~ Security companies ~ Business Intelligence Companies ~ Spam, mail companies ~ Wireless networking companies ~ Intelligence services, CIA
~ Security Audit companies ~ IDS, Firewall, Router vendors Another feature of the NID can be self registration. Some network administers will 5 want to register the information about their network in the M-NII7 to ensure that they get unimpeded access to other networks that have deployed) the NID. They will readily go to https://nid register. to enter in their corporate network information (such as if they have firewalls, size of network, security personnel contact info they could also have a third party verification of their claims via an external auditor (which strengthens the believability of the 10 claims). Self registering ensures that a network's info in the NID is correct. As the NID
grows, self registration becomes something that companies will want to do, to ensure that they get unimpeded access to larger networks with which they wish to communicate.
Embodiments of the present invention have the following advantages:
The Master NID 12 includes a registration system where networks can register their network, for example for a small fee. Registration then adds the network's information into the NID.
Verification of a network's claims upon registration can be done to ensure valid information and properties in the NID can reflect this. For example, the network claims to have firewalls, but this has not been verified.
By listing in the NID any security audit certificates the network may hold, other networks can be assured of the nature of the network with which they are communicating. The NII7 service provider partners with companies that secure networks.
Numerous modifications, variations and adaptations may be made to the particular embodiments of the present invention described above without departing from the scope of the invention as defined in the claims.
Claims (34)
1. A network security system comprising:
a master network intelligence database;
at least one network information agent gathering information about a plurality of networks and providing the information to the master network intelligence database a customer network security-system, the customer network security system comprising:
a customer network intelligence database updated with information from the master network intelligence database, the information from the master network intelligence database including verified network information of at least one other customer network registered at the master network intelligence database by the at least one customer network, the network information comprising network security detection, prevention and remediation capabilities of the at least one other customer network;
a policy enforcer generating generic security rules based at least in part on the information in the customer network intelligence database;
at least one device agent receiving the generic security rules from the policy enforcer and converting the generic security rules into device specific rules;
and at least one security device securing a customer network by blocking and allowing data packets to and from the customer network according to the device specific rules from the device agents.
a master network intelligence database;
at least one network information agent gathering information about a plurality of networks and providing the information to the master network intelligence database a customer network security-system, the customer network security system comprising:
a customer network intelligence database updated with information from the master network intelligence database, the information from the master network intelligence database including verified network information of at least one other customer network registered at the master network intelligence database by the at least one customer network, the network information comprising network security detection, prevention and remediation capabilities of the at least one other customer network;
a policy enforcer generating generic security rules based at least in part on the information in the customer network intelligence database;
at least one device agent receiving the generic security rules from the policy enforcer and converting the generic security rules into device specific rules;
and at least one security device securing a customer network by blocking and allowing data packets to and from the customer network according to the device specific rules from the device agents.
2. A network security system as claimed in claim 1 wherein the at least one network information agents includes human network information agents.
3. A network security system as claimed in claim 1 wherein the at least one network information agents includes automated network information agents.
4. A network security system as claimed in claim 1 wherein the at least one network information agents includes network information agents co-located with corporate partners.
5. A network security system as claimed in claim 1 wherein the information relates to security of the plurality of networks.
6. A network security system as claimed in claim 5 wherein the security information includes at least one of hostility level on the internet, collected from numerous sites; security event history; spam levels; hosted services; public wireless; organization type; organization associations; peer ISPs; bandwidth connection to the Internet; active security measures; number of users on the first plurality of networks; age of the-first plurality of networks; inappropriate content served; industry; geographic placement; open proxy servers; contact information; spoken language; current security audits; desktop security measures; time zone; and security personnel.
7. A network security system as claimed in claim 3 wherein the at least one network information agents includes means for probing information sources on the Internet and feeding that information into the master network intelligence database.
8. A network security system as claimed in claim 7 wherein the at least one network information agents comprises content search information agents for reading through newsgroups and gleaning information therefrom.
9. A network security system as claimed in claim 7 wherein the at least one network information agents comprises active probing information agents for sending packets to remote networks and gleaning information from the responses received to those packets.
10. A network security system as claimed in claim 7 wherein the master network intelligence database establishes the reputations for the plurality of networks in dependence upon information provided thereto.
11. A network security system as claimed in claim 1, wherein the customer network security system includes at least one network information agents for gathering information from the at least one device agent.
12. A network security system as claimed in claim 1, wherein the at least one device agents is a component of the at least one security device.
13. A network security system as claimed in claim 1, wherein the at least one security device comprises a firewall.
14. A network security system as claimed in claim 1, wherein the at least one security device comprises an intrusion detection system (IDS).
15. A network security system as claimed in claim 1, wherein the at least one security device comprises a router.
16. A network security system as claimed in claim 1, wherein the at least one security device comprises a personal computer (PC).
17. A network security system as claimed in claim 1, wherein the at least one security device comprises a virtual private network (VPN).
18. A network security system as claimed in claim 1, wherein the at least one device agent utilizes a protocol standard to understand the rules from the policy enforcer.
19. A network security system as claimed in claim 18 wherein the protocol standard is XML.
20. A network security system as claimed in claim 1, wherein the master network intelligence database establishes the reputations for a plurality of networks in dependence upon information provided thereto.
21. A method of network security system providing intelligence about other networks comprising the steps of:
receiving information about a plurality of networks from a master network intelligence database;
updating a customer network intelligence database disposed in a customer network security system with the information about the plurality of networks, the information about the plurality of networks including verified network information of at least one other customer network registered at the master network intelligence database by the at least one customer network, the network information comprising network security detection, prevention and remediation capabilities of the at least one other customer network;
generating, at a policy enforcer, generic security rules based at least in part on the information in the customer intelligence database; and transmitting the generic security rules from the policy enforcer to at least one device agent for converting the generic security rules into device specific rules instructing at least one security device to block and allow data packets to and from the customer network security system.
receiving information about a plurality of networks from a master network intelligence database;
updating a customer network intelligence database disposed in a customer network security system with the information about the plurality of networks, the information about the plurality of networks including verified network information of at least one other customer network registered at the master network intelligence database by the at least one customer network, the network information comprising network security detection, prevention and remediation capabilities of the at least one other customer network;
generating, at a policy enforcer, generic security rules based at least in part on the information in the customer intelligence database; and transmitting the generic security rules from the policy enforcer to at least one device agent for converting the generic security rules into device specific rules instructing at least one security device to block and allow data packets to and from the customer network security system.
22. A method of network security as claimed in claim 21, further comprising transmitting information from the at least one device agent to the master intelligence database.
23. A method of network security as claimed in claim 21 wherein the information stored in the master intelligence database is gathered by at least one network information agents.
24. A method of network security as claimed in claim 23 wherein the at least one network information agents includes human network information agents.
25. A method of network security as claimed in claim 23 wherein the at least one network information agents includes automated network information agents.
26. A method of network security as claimed in claim 23 wherein the at least one network information agents includes network information agents co-located with corporate partners.
27. A method of network security claimed in claim 21 wherein the information relates to security of networks.
28. A method of network security as claimed in claim 21, further comprising transmitting a subscription request to receive the subset of information from the master intelligence database.
29. A method of network security as claimed in claim 28 wherein transmitting a subscription request includes the step of selecting information having predetermined properties.
30. A method of network security as claimed in claim 21 further comprising publishing security audits at the master intelligence database.
31. A method of network security as claimed in claim 23, wherein gathering information includes allowing network administrators to register their network with the master intelligence database.
32. A method of network security as claimed in claim 31 wherein gathering information includes auditing any information provided by the network administrators.
33. A method of network security as claimed in claim 21, further comprising applying a time sensitivity parameter to the received information.
34. A network security system as claimed in claim 1, wherein the customer network is different then the plurality of networks having information included in the information used to update the master network intelligence database.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA2428192A CA2428192C (en) | 2003-05-08 | 2003-05-08 | Network intelligence system |
| PCT/CA2004/000693 WO2004100486A1 (en) | 2003-05-08 | 2004-05-10 | Network intelligence system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA2428192A CA2428192C (en) | 2003-05-08 | 2003-05-08 | Network intelligence system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2428192A1 CA2428192A1 (en) | 2004-11-08 |
| CA2428192C true CA2428192C (en) | 2013-07-02 |
Family
ID=33426199
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA2428192A Expired - Lifetime CA2428192C (en) | 2003-05-08 | 2003-05-08 | Network intelligence system |
Country Status (2)
| Country | Link |
|---|---|
| CA (1) | CA2428192C (en) |
| WO (1) | WO2004100486A1 (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA2644386A1 (en) * | 2006-03-03 | 2007-09-07 | Art Of Defence Gmbh | Distributed web application firewall |
| US8230505B1 (en) | 2006-08-11 | 2012-07-24 | Avaya Inc. | Method for cooperative intrusion prevention through collaborative inference |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1143664A3 (en) * | 1999-06-10 | 2003-11-26 | Alcatel Internetworking, Inc. | Object model for network policy management |
| JP2001243193A (en) * | 2000-02-28 | 2001-09-07 | Attention System Kk | Unauthorized access prevention system |
| US20030051026A1 (en) * | 2001-01-19 | 2003-03-13 | Carter Ernst B. | Network surveillance and security system |
| US20030084349A1 (en) * | 2001-10-12 | 2003-05-01 | Oliver Friedrichs | Early warning system for network attacks |
-
2003
- 2003-05-08 CA CA2428192A patent/CA2428192C/en not_active Expired - Lifetime
-
2004
- 2004-05-10 WO PCT/CA2004/000693 patent/WO2004100486A1/en active Application Filing
Also Published As
| Publication number | Publication date |
|---|---|
| CA2428192A1 (en) | 2004-11-08 |
| WO2004100486A1 (en) | 2004-11-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8024795B2 (en) | Network intelligence system | |
| Scarfone et al. | Guide to intrusion detection and prevention systems (idps) | |
| US8230505B1 (en) | Method for cooperative intrusion prevention through collaborative inference | |
| US8935742B2 (en) | Authentication in a globally distributed infrastructure for secure content management | |
| US20060026679A1 (en) | System and method of characterizing and managing electronic traffic | |
| US20070094729A1 (en) | Secure self-organizing and self-provisioning anomalous event detection systems | |
| US20040193943A1 (en) | Multiparameter network fault detection system using probabilistic and aggregation analysis | |
| Kim et al. | DSS for computer security incident response applying CBR and collaborative response | |
| Sangster et al. | Network endpoint assessment (NEA): Overview and requirements | |
| Vacas et al. | Detecting network threats using OSINT knowledge-based IDS | |
| Scarfone et al. | Sp 800-94. guide to intrusion detection and prevention systems (idps) | |
| Mohammed et al. | Automatic defense against zero-day polymorphic worms in communication networks | |
| Fry et al. | Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks | |
| Chanti et al. | A literature review on classification of phishing attacks | |
| US20230319070A1 (en) | Scored threat signature analysis | |
| CA2428192C (en) | Network intelligence system | |
| Deri et al. | Using cyberscore for network traffic monitoring | |
| Barrett et al. | CompTIA Security+ SY0-401 Exam Cram | |
| McMillan | CompTIA Cybersecurity Analyst (CySA+) Cert Guide | |
| Abusamrah et al. | Next-Generation Firewall, Deep Learning Endpoint Protection and Intelligent SIEM Integration | |
| Morthala | Building Firewall Application To Enhance The Cyber Security | |
| Mansoor et al. | An analysis of security systems for electronic information for establishing secure internet | |
| Chelladurai | Significance of Firewall and its Practicality In Corporate Environment | |
| WO2023187309A1 (en) | Scored threat signature analysis | |
| Saxena | Next Generation Intelligent Network Intrusion Prevention System |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKEX | Expiry |
Effective date: 20230508 |
|
| MKEX | Expiry |
Effective date: 20230508 |