US20080209033A1 - Event monitoring and management - Google Patents

Event monitoring and management Download PDF

Info

Publication number
US20080209033A1
US20080209033A1 US11/807,699 US80769907A US2008209033A1 US 20080209033 A1 US20080209033 A1 US 20080209033A1 US 80769907 A US80769907 A US 80769907A US 2008209033 A1 US2008209033 A1 US 2008209033A1
Authority
US
United States
Prior art keywords
reporting
agent
report
level
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US11/807,699
Other versions
US7779119B2 (en
US20100064039A9 (en
Inventor
Andrew Ginter
Kegan Kawano
Tom Hutchinson
Rui Manuel Martins Lopes
Erik P. Hope
Brad McMillan
Adam Muegge
Andy G. Mah
Brett Jensen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US11/807,699 priority Critical patent/US7779119B2/en
Publication of US20080209033A1 publication Critical patent/US20080209033A1/en
Publication of US20100064039A9 publication Critical patent/US20100064039A9/en
Application granted granted Critical
Publication of US7779119B2 publication Critical patent/US7779119B2/en
Adjusted expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101Auditing as a secondary aspect
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113Multi-level security, e.g. mandatory access control
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119Authenticating web pages, e.g. with suspicious links

Definitions

  • This application generally relates to a network, and more particularly to event monitoring and management therein.
  • Computer systems may be used in performing a variety of different tasks.
  • an industrial network of computer systems and components may be used in controlling and/or monitoring industrial systems.
  • Such industrial systems can be used in connection with manufacturing, power generation, energy distribution, waste handling, transportation, telecommunications, water treatment, and the like.
  • the industrial network may be connected and accessible via other networks, both directly and indirectly, including a corporate network and the Internet.
  • the industrial network may thus be susceptible to both internal and external cyber-attacks. As a preventive measure from external cyber-attacks, firewalls or other security measures may be taken to separate the industrial network from other networks.
  • an infected laptop can bypass the firewall by connecting to the industrial network using a modem, direct connection, or by a virtual private network (VPN). The laptop may then introduce worms or other forms of malicious code into the industrial network.
  • VPN virtual private network
  • a method for controlling connectivity in a network comprising: receiving one or more inputs; determining a threat level indicator in accordance with said one or more inputs; and selecting, for use in said network, a firewall configuration in accordance with said threat level indicator.
  • the firewall configuration may be selected from a plurality of firewall configurations each associated with a different threat level indicator.
  • a first firewall configuration associated with a first threat level indicator may provide for more restrictive connectivity of said network than a second firewall configuration associated with a second threat level indicator when said first threat level indicator is a higher threat level than said second threat level indicator.
  • a firewall configuration associated with a highest threat level indicator may provide for disconnecting said network from all other less-trusted networks. The disconnecting may include physically disconnecting said network from other networks.
  • the network may be reconnected to said less trusted networks when a current threat level is a level other than said highest threat level indicator.
  • the method may also include automatically loading said firewall configuration as a current firewall configuration in use in said network.
  • the one or more inputs may include at least one of: a manual input, a metric about a system in said network, a metric about said network, a derived value determined using a plurality of weighted metrics including one metric about said network, a derived value determined using a plurality of metrics, and an external source from said network. If the manual input is specified, the manual input may determine the threat level indicator overriding all other indicators.
  • the plurality of weighted metrics may include a metric about at least one of: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a high level of privileges.
  • the high level of privileges may correspond to one of: administrator privileges and root user privileges.
  • the selecting additionally may select one or more of the following: an antivirus configuration, an intrusion prevention configuration, and an intrusion detection configuration.
  • a computer program product for controlling connectivity in a network comprising code that: receives one or more inputs; determines a threat level indicator in accordance with said one or more inputs; and selects, for use in said network, a firewall configuration in accordance with said threat level indicator.
  • the firewall configuration may be selected from a plurality of firewall configurations each associated with a different threat level indicator.
  • a first firewall configuration associated with a first threat level indicator may provide for more restrictive connectivity of said network than a second firewall configuration associated with a second threat level indicator when said first threat level indicator is a higher threat level than said second threat level indicator.
  • a firewall configuration associated with a highest threat level indicator may provide for disconnecting said network from all other less-trusted networks.
  • the code that disconnects may include physically disconnecting said network from other networks.
  • the network may be reconnected to said less trusted networks when a current threat level is a level other than said highest threat level indicator.
  • the computer program product may also include code that automatically loads said firewall configuration as a current firewall configuration in use in said network.
  • the one or more inputs may include at least one of: a manual input, a metric about a system in said network, a metric about said network, a derived value determined using a plurality of weighted metrics including one metric about said network, a derived value determined using a plurality of metrics, and an external source from said network. If the manual input is specified, the manual input may determine the threat level indicator overriding all other indicators.
  • the plurality of weighted metrics may include a metric about at least one of: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a high level of privileges.
  • the high level of privileges may correspond to one of: administrator privileges and root user privileges.
  • the code that selects may additionally selects one or more of the following: an antivirus configuration, an intrusion prevention configuration, and an intrusion detection configuration.
  • a method of event reporting by an agent comprising: receiving data; determining if said data indicates a first occurrence of an event of interest associated with a metric since a previous periodic reporting; reporting said first occurrence of an event if said determining determines said data indicates said first occurrence; and reporting a summary including said metric in a periodic report at a first point in time.
  • the reporting of said first occurrence and said reporting of said summary may be performed without a request for a report.
  • Data for said reporting of said first occurrence and said reporting of said summary may be performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection.
  • the reporting of said first occurrence and said summary may also include: opening a communication connection; sending data to said reporting destination; and closing said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection.
  • the communication connection may be a TCP or UDP socket.
  • the periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.
  • the selected set of one or more metrics may be a first level of reporting information and said periodic report may include a second level of reporting information used to perform one at least one of the following: determine a cause of a problem, and take a corrective action to a problem.
  • the reporting of said first occurrence and said summary may include transmitting messages from said agent to a reporting destination, each of said messages being a fixed maximum size.
  • a time interval at which said periodic report is sent by said agent and data included in each of said messages may be determined in accordance with at least one of: resources available on a computer system and a network in which said agent is included.
  • the agent may execute on a first computer system and reports data to another computer system.
  • the method may also include: monitoring a log file; and extracting said second level of reporting information from said log file, wherein said log file includes log information about a computer system upon which said agent is executing.
  • the agent may transmit an XML communication to said reporting destination using said communication connection.
  • a threshold may be specified for an amount of data that said agent can report in a fixed reporting interval, said threshold being equal to or greater than a fixed maximum size for each summary report sent by said agent.
  • a report sent for any of said reporting may include an encrypted checksum preventing modifications of said report while said report is being communicated from an agent to a receiver in a network.
  • the reporting may be performed by an agent that sends a report, said report including one of: a timestamp which increases with time duration, and a sequence number which increases with time duration, used by a receiver of said report.
  • the receiver may use said one of said timestamp or said sequence number in authenticating a report received by said receiver as being sent by said agent, said receiver processing received reports having said one of a timestamp or sequence number which is greater than another one of a timestamp or sequence number associated with a last report received from said agent.
  • the second level of reporting information may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  • a method of event reporting by an agent comprising: receiving data; determining if said data corresponds to an event of interest associated with at least one security metric; and sending a report to a reporting destination, said report including said at least one security metric for a fixed time interval, wherein said report is sent from said agent communicating data at an application level to said reporting destination using a one-way communication connection.
  • the agent may only sends data on said one-way communication connection to said reporting destination without reading any communication from said communication connection.
  • the report may include at least one performance metric in accordance with said data received.
  • a method of event reporting by an agent comprising: receiving data; determining if said data indicates a security event of interest; and reporting a summary including information on a plurality of occurrences of said security event of interest occurring within a fixed time interval, said summary being sent at a predetermined time interval.
  • the reporting of the summary may be performed without a request for a report.
  • the reporting of said summary may be performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection.
  • the reporting of said summary may further include: opening a communication connection; sending data to a said reporting destination; and closing said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection.
  • the communication connection may be a TCP or UDP socket.
  • the agent may transmit an XML communication to said reporting destination using said communication connection.
  • the reporting of said summary may include transmitting periodic messages from said agent to a reporting destination, each of said message having a fixed maximum size.
  • a computer program product for event reporting by an agent comprising code that: receives data; determines if said data indicates a first occurrence of an event of interest associated with a metric since a previous periodic reporting; reports said first occurrence of an event if said code that determines that said data indicates said first occurrence; and reports a summary including said metric in a periodic report at a first point in time.
  • the code that reports said first occurrence and said code that reports said summary may be performed without a request for a report.
  • Data for the code that reports said first occurrence and said code that reports said summary may be performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection.
  • At least one of said code that reports said first occurrence and said code that reports said summary may further comprise code that: opens a communication connection; sends data to said reporting destination; and closes said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection.
  • the communication connection may be a TCP or UDP socket.
  • the periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.
  • the selected set of one or more metrics may be a first level of reporting information and said periodic report may include a second level of reporting information used to perform one at least one of the following: determine a cause of a problem, and take a corrective action to a problem.
  • the code that reports said first occurrence and said code that reports said summary may include code that transmits messages from said agent to a reporting destination, each of said messages being a fixed maximum size.
  • a time interval at which said periodic report is sent by said agent and data included in each of said messages may be determined in accordance with at least one of: resources available on a computer system and a network in which said agent is included.
  • the agent may execute on a first computer system and reports data to another computer system.
  • the computer program product may further comprise code that: monitors a log file; and extracts said second level of reporting information from said log file, wherein said log file includes log information about a computer system upon which said agent is executing.
  • the agent may transmit an XML communication to said reporting destination using said communication connection.
  • a threshold may be specified for an amount of data that said agent can report in a fixed reporting interval, said threshold being equal to or greater than a fixed maximum size for each summary report sent by said agent.
  • a report sent for any of said code that reports may use an encrypted checksum preventing modifications of said report while said report is being communicated from an agent to a receiver in a network.
  • the code that reports may be performed by an agent that sends a report, said report including one of: a timestamp which increases with time duration, and a sequence number which increases with time duration, used by a receiver of said report.
  • the receiver may use said one of said timestamp or said sequence number in authenticating a report received by said receiver as being sent by said agent, said receiver processing received reports having said one of a timestamp or sequence number which is greater than another one of a timestamp or sequence number associated with a last report received from said agent.
  • the second level of reporting information may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  • a computer program product for event reporting by an agent comprising code that: receives data; determines if said data corresponds to an event of interest associated with at least one security metric; and sends a report to a reporting destination, said report including said at least one security metric for a fixed time interval, wherein said report is sent from said agent communicating data at an application level to said reporting destination using a one-way communication connection.
  • the agent may only send data on said one-way communication connection to said reporting destination without reading any communication from said communication connection.
  • the report may include at least one performance metric in accordance with said data received.
  • a computer program product for event reporting by an agent comprising code that: receives data; determines if said data indicates a security event of interest; and reports a summary including information on a plurality of occurrences of said security event of interest occurring within a fixed time interval, said summary being sent at a predetermined time interval.
  • the code that reports said summary is performed without a request for a report.
  • Data for said code that reports said summary may be performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection.
  • the code that reports said summary may further comprises code that: opens a communication connection; sends data to a said reporting destination; and closes said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection.
  • the communication connection may be a TCP or UDP socket.
  • the agent that transmits an XML communication to said reporting destination may use said communication connection.
  • the code that reports said summary may include code that transmits periodic messages from said agent to a reporting destination, each of said message having a fixed maximum size.
  • a method of event notification comprising: receiving a first report of a condition; sending a first notification message about said first report of said condition; sending a second notification message about said condition at a first notification interval; receiving subsequent reports at fixed time intervals; sending a subsequent notification message at a second notification interval if said condition is still ongoing during said second notification interval, wherein said second notification interval has a length which is a multiple of said first notification interval.
  • the first report may be sent from a reporting agent on a first computer system reporting about one of: said first computer system and a network including said first computer system, and said notification messages are sent from a notification server on a second computer system.
  • Notification messages may be sent to a notification point at successive notification intervals wherein each of said successive notification intervals increases approximately exponentially with respect to an immediately prior notification interval.
  • the condition may be associated with an alarm condition and an alarm condition may be set when a current level of a metric is not in accordance with a predetermined threshold value.
  • Each of said notification messages may include a first level of information about said condition and a second level of information used to perform at least one of the following: determine a cause of said condition, and take a corrective action for said condition.
  • An option may be included in a reporting agent to enable and disable reporting of said second level of information to a notification server from said agent sending said first report.
  • An option may be used to enable and disable condition notification messages including said second level of information.
  • An alarm condition may be associated with a first level alarm and an alarm state of said first level may be maintained when a current level of a metric is in accordance with said predetermined threshold value until an acknowledgement of said alarm state at said first level is received by said notification server.
  • the alarm condition may transition to a second level alarm when said current level is not in accordance with said predetermined threshold and another threshold associated with a second level, and said second level alarm is maintained when a current level of a metric is in accordance with one of: said predetermined threshold and said other threshold until acknowledgement of said second level alarm is received by said notification server.
  • Reports may be sent from a reporting agent executing on a computer system in an industrial network to an appliance included in said industrial network and each of said reports includes events occurring within said industrial network.
  • An alarm condition may be determined in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
  • a method of event notification comprising: receiving a first report of a condition at a reporting destination; and sending a notification message from said reporting destination to a notification destination, said notification message including a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
  • the summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  • the summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
  • the summary may identify a portion of a type of attack represents with respect to all attacks in said fixed time interval.
  • a notification threshold may be determined using an alarm condition in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
  • the notification message may include a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
  • the summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  • the summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
  • the summary may identify a portion of a type of attack represents with respect to all attacks in said fixed time interval.
  • a computer program product for event notification comprising code that: receives a first report of a condition; sends a first notification message about said first report of said condition; sends a second notification message about said condition at a first notification interval; receives subsequent reports at fixed time intervals; and sends a subsequent notification message at a second notification interval if said condition is still ongoing during said second notification interval, wherein said second notification interval has a length which is a multiple of said first notification interval.
  • the first report may be sent from a reporting agent on a first computer system reporting about one of: said first computer system and a network including said first computer system, and said notification messages are sent from a notification server on a second computer system.
  • Notification messages may be sent to a notification point at successive notification intervals wherein each of said successive notification intervals increases approximately exponentially with respect to an immediately prior notification interval.
  • the condition may be associated with an alarm condition and an alarm condition is set when a current level of a metric is not in accordance with a predetermined threshold value.
  • Each of the notification messages may include a first, level of information about said condition and a second level of information used to perform at least one of the following: determine a cause of said condition, and take a corrective action for said condition.
  • An option may be included in a reporting agent to enable and disable reporting of said second level of information to a notification server from said agent sending said first report.
  • An option may be used to enable and disable condition notification messages including said second level of information.
  • An alarm condition may be associated with a first level alarm and an alarm state of said first level is maintained when a current level of a metric is in accordance with said predetermined threshold value until an acknowledgement of said alarm state at said first level is received by said notification server.
  • the alarm condition may transition to a second level alarm when said current level is not in accordance with said predetermined threshold and another threshold associated with a second level, and said second level alarm may be maintained when a current level of a metric is in accordance with one of: said predetermined threshold and said other threshold until acknowledgement of said second level alarm is received by said notification server.
  • Reports may be sent from a reporting agent executing on a computer system in an industrial network to an appliance included in said industrial network and each of said reports includes events occurring within said industrial network.
  • An alarm condition may be determined in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
  • a computer program product for event notification comprising code that: receives a first report of a condition at a reporting destination; and sends a notification message from said reporting destination to a notification destination, said notification message including a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
  • the summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  • the summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
  • the summary may identify a portion of a type of attack represents with respect to all attacks in said fixed time interval.
  • a computer program product for event notification comprising code that: receives report of a potential cyber-attack condition at fixed time intervals; and sends a notification message about said conditions when said conditions exceed a notification threshold.
  • a notification threshold may be determined using an alarm condition in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
  • the notification message may include a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
  • the summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  • the summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
  • the summary may identify a portion of a type of attack represents with respect to all attacks in said fixed time interval.
  • a method for monitoring an industrial network comprising: reporting first data about a first computer system by a first agent executing on said first computer system in said industrial network, said first computer system performing at least one of: monitoring or controlling a physical process of said industrial network, said first data including information about software used in connection with said physical process.
  • the method may also include reporting second data about communications on a connection between said industrial network and another network by a second agent executing on a second computer system.
  • the second data reported by said second agent may be included in an appliance to which said first data is sent.
  • the first agent may report on at least one of: critical file monitoring, log file for said first computer system, hardware and operating system of said first computer system, password and login, a specific application executing on said computer system wherein said application is in accordance with a particular industrial application of said industrial network.
  • a plurality of agents may execute on said first computer system monitoring said first computer system.
  • the plurality of agents may include a master agent and other agents performing a predetermined set of monitoring tasks, said master agent controlling execution of said other agents.
  • the plurality of agents may report data at predetermined intervals to one of: an appliance and said second computer system.
  • the method may also include performing, by at least one of said plurality of agents: obtaining data from a data source; parsing said data; performing pattern matching on said parsed data to determine events of interest; recording any events of interest; reporting any events of interest in accordance with occurrences of selected events in a time interval; creating a message including said summary at predetermined time intervals; and encrypting at least one of: said message and a checksum of said message.
  • the first data may include at least one of the following metrics: a number of open listen connections and a number of abnormal process terminations. When a number of open listen connections falls below a first level, an event corresponding to a component failure may be determined.
  • an event corresponding to a new component or unauthorized component may be determined.
  • the second agent may report on network activity in accordance with a set of rules, said rules including at least one rule indicating that events in a business network are flagged as suspicious in said industrial network.
  • the events may include at least one of: an event associated with a web browser, and an event associated with e-mail.
  • the second agent may report on an address binding of a physical device identifier to a network address if the physical device identifier of a component was not previously known, or said network address in the address binding is a reassignment of said network address within a predetermined time period since said network address was last included in an address binding.
  • the second agent may report second data about a firewall, and said second data may include at least one of: a change to a saved firewall configuration corresponding to a predetermined threat level, a change to a current set of firewall configuration rules currently controlling operations between said industrial network and said other network.
  • Log files associated with said firewall may be stored remotely at a location on said second computer system with log files for said second computer system activity.
  • the second data may include at least one threat assessment from a source external to said industrial network.
  • the second data may include at least one of: a threat level indicator from a corporate network connected to said industrial network, a threat level indicator from a public network source, and a threat level indicator that is manually input.
  • the method may also include: receiving at least said first data by a receiver; authenticating said first data as being sent by said first agent; and processing, in response to said authenticating, said first data by said receiver.
  • the authenticating may include at least one of: verifying use of said first agent's encryption key, and checking validity of a message checksum, and using a timestamp or sequence number to detect invalid reports received by said receiver as being sent from said first agent.
  • the reporting may be performed in accordance with a threshold size indicates an amount of data that said first agent is permitted to transmit in a fixed periodic reporting interval.
  • a computer program product for monitoring an industrial network comprising code that: reports first data about a first computer system by a first agent executing on said first computer system in said industrial network, said first computer system performing at least one of: monitoring or controlling a physical process of said industrial network, said first data including information about software used in connection with said physical process.
  • the computer program product may also include code that reports second data about communications on a connection between said industrial network and another network by a second agent executing on a second computer system. The second data reported by said second agent may be included in an appliance to which said first data is sent.
  • the first agent may report on at least one of: critical file monitoring, log file for said first computer system, hardware and operating system of said first computer system, password and login, a specific application executing on said computer system wherein said application is in accordance with a particular industrial application of said industrial network.
  • a plurality of agents may execute on said first computer system monitoring said first computer system.
  • the plurality of agents may include a master agent and other agents performing a predetermined set of monitoring tasks, said master agent controlling execution of said other agents.
  • the plurality of agents may report data at predetermined intervals to one of: an appliance and said second computer system.
  • the computer program product may also include code for performing, by at least one of said plurality of agents: obtaining data from a data source; parsing said data; performing pattern matching on said parsed data to determine events of interest; recording any events of interest; reporting any events of interest in accordance with occurrences of selected events in a time interval; creating a message including said summary at predetermined time intervals; and encrypting at least one of: said message and a checksum of said message.
  • the first data may include at least one of the following metrics: a number of open listen connections and a number of abnormal process terminations. When a number of open listen connections falls below a first level, an event corresponding to a component failure may be determined.
  • an event corresponding to a new component or unauthorized component may be determined.
  • the second agent may report on network activity in accordance with a set of rules, said rules including at least one rule indicating that events in a business network are flagged as suspicious in said industrial network.
  • the events may include at least one of: an event associated with a web browser, and an event associated with e-mail.
  • the second agent may report on an address binding of a physical device identifier to a network address if the physical device identifier of a component was not previously known, or said network address in the address binding is a reassignment of said network address within a predetermined time period since said network address was last included in an address binding.
  • the second agent may report second data about a firewall, and said second data includes at least one of: a change to a saved firewall configuration corresponding to a predetermined threat level, a change to a current set of firewall configuration rules currently controlling operations between said industrial network and said other network.
  • Log files associated with said firewall may be stored remotely at a location on said second computer system with log files for said second computer system activity.
  • the second data may include at least one threat assessment from a source external to said industrial network.
  • the second data may include at least one of: a threat level indicator from a corporate network connected to said industrial network, a threat level indicator from a public network source, and a threat level indicator that is manually input.
  • the computer program product may also include code that: receives at least said first data by a receiver; authenticates said first data as being sent by said first agent; and processes, in response to said code that authenticates, said first data by said receiver.
  • the code that authenticates may include at least one of: code that verifies use of said first agent's encryption key and checks validity of a message checksum, and code that uses a timestamp or sequence number to detect invalid reports received by said receiver as being sent from said first agent.
  • the code that reports may use a threshold size indicating an amount of data that said first agent is permitted to transmit in a fixed periodic reporting interval.
  • a method for detecting undesirable messages in a network comprising: receiving a message in said network; determining if said message is undesirable in accordance with at least one rule defining an acceptable message in said network; and reporting said message as undesirable if said message is not determined to be in accordance with said at least one rule.
  • the method may also include: defining another rule for use in said determining if an additional message type is determined to be acceptable in said network.
  • the computer program product may also include code that: defines another rule for use in said determining if an additional message type is determined to be acceptable in said network.
  • a method for performing periodic filesystem integrity checks comprising: receiving two or more sets of filesystem entries, each set representing a grouping of one or more filesystem entries; selecting a zero or more entries from each set; and performing integrity checking for each selected entry from each set during a reporting period.
  • Each of said two or more sets may correspond to a predetermined classification level. If a first classification level is more important than a second classification level, said first classification level may include less entries than said second classification level. A number of entries from each set may be determined in accordance with a level of importance associated with said set.
  • a computer program product for performing periodic filesystem integrity checks comprising code that: receives two or more sets of filesystem entries, each set representing a grouping of one or more filesystem entries; selects a zero or more entries from each set; and performs integrity checking for each selected entry from each set during a reporting period.
  • Each of said two or more sets may correspond to a predetermined classification level. If a first classification level is more important than a second classification level, said first classification level may include less entries than said second classification level. A number of entries from each set may be determined in accordance with a level of importance associated with said set.
  • FIG. 1 is an example of an embodiment of a system described herein;
  • FIG. 2 is an example of an embodiment of components that may be included in a corporate network of the system of FIG. 1 ;
  • FIG. 3 is a more detailed example of an embodiment of components that may be included in an industrial network of the system of FIG. 1 ;
  • FIG. 4 is a more detailed example of an embodiment of components that may be included in the watch server of FIG. 3 ;
  • FIG. 4A is a more detailed example of an embodiment of the threat thermostat controller
  • FIG. 5 is an example of the different types of agents that may be included in an embodiment on systems from FIG. 3 ;
  • FIG. 6 is an example of an embodiment of an architecture of each of the agents from FIG. 5 ;
  • FIG. 7 is a flowchart of steps of one embodiment for control flow within an agent
  • FIG. 8 is an example of an embodiment of the real time database and alarm engine (RTAP) of FIG. 4 ;
  • FIG. 9 is an example of a representation of a database schema used by an embodiment of RTAP.
  • FIG. 9A is an example of representing an alarm function within an attribute with the database schema of FIG. 9 ;
  • FIGS. 10-11 are examples of embodiments of an alarm state table that may be used by RTAP;
  • FIG. 12 is an example of a state transition diagram representing the states and transitions in the alarm state table of FIG. 11 ;
  • FIG. 13-14 are examples of user interface displays that may be used in an embodiment of the system of FIG. 1 .
  • the system 10 may be part of an infrastructure used in connection with, for example, manufacturing, power generation, energy distribution, waste handling, transportation, telecommunications, water treatment, and the like.
  • a corporate network 12 connected through a hub, switch, router and/or firewall 16 to an industrial network 14 .
  • the corporate network 12 may be connected to one or more external networks such as the Internet 20 through a firewall 18 and/or other devices.
  • Also connected to the corporate network 12 either directly or via the firewall 18 , may be a mail server 30 , a web server 32 and/or any one or more other hardware and/or software components.
  • the system 10 of FIG. 1 includes a firewall 18 and may also include one or more other firewalls or security measures
  • the corporate network as well as the industrial network may be susceptible to cyber attacks and other types of security threats, both malicious and accidental.
  • different computer systems that may be included within an embodiment of the industrial network 14 must operate in accordance with an extremely high rate of failsafe performance due to the critical applications and tasks that the industrial network may be used in connection with. In other words, there is a very low tolerance for failure of components included in the industrial network 14 . Loss of control and failure within the industrial network 14 may result in much more catastrophic conditions than a failure that may occur within the corporate network 12 .
  • a catastrophic failure within the corporate network 12 may force a back-up retrieval of information.
  • failure may result in a catastrophic loss in terms of both human and economic dimensions.
  • external threats such as may be encountered from an external hacker coming through the Internet 20 to access the industrial network 14 may only account for part of the security threats.
  • a large number of cyber attacks and other threats may come from within the system 10 itself such as, for example, within the corporate network 12 or from within the industrial network 14 .
  • a disgruntled employee may attempt to perform a malicious attack from within the industrial network 14 as well as within the corporate network 12 in an attempt to cause operation failure of one or more components of the industrial network 14 .
  • someone may connect to the industrial network or the corporate network 12 using a laptop that might be infected, for example, with a form of malicious codes such as a Trojan, a virus, a worm, and the like.
  • This malicious code may be introduced within the system 10 on the corporate network 12 or within the industrial network 14 independent of the firewall 18 and/or firewall 16 functioning. Such types of internal threats may not be caught or prevented by the firewall or other security measures developed for preventing primarily external threats.
  • an embodiment of the system 10 may ideally include and utilize other techniques in connection with controlling, supervising, and securing operation of the components within the system 10 in a failsafe manner.
  • the corporate network 12 may include components generally used in office and corporate activities such as, for example, systems used by individuals in performing accounting functions, and other administrative tasks.
  • the web server 32 may be used, for example, in servicing requests made to a website associated with the corporate network 12 .
  • Incoming e-mail from the internet 20 to the corporate network 12 may be handled by the e-mail server 30 .
  • an embodiment of the system 10 may include other components than as described herein in accordance with a particular functionality of each embodiment.
  • the corporate network 12 may be connected to the industrial network 14 through the hub, switch, router, or firewall 16 . It should be noted that the corporate network 12 may be connected to the industrial network 14 by one or more of the foregoing mentioned in connection with element 16 .
  • the element 16 in FIG. 1 may represent a layering or hierarchical arrangement of hardware and/or software used in connecting the corporate network 12 to the industrial network 14 .
  • the different arrangements of 16 included in an embodiment may vary in accordance with a desired degree of security in accordance with the particular use of the components within the industrial network 14 .
  • the Watch server 50 may be characterized as performing a variety of different monitoring, detection, and notification tasks in connection with the industrial network 14 and connection to the corporate network.
  • the Watch server 50 is described in more detail elsewhere herein.
  • Components included in an embodiment of the system 10 may be connected to each other and to external systems and components using any one or more different types of communication medium(s).
  • the communication mediums may be any one of a variety of networks or other type of communication connections as known to those skilled in the art.
  • the communication medium may be a network connection, bus, and/or other type of data link, such as a hardwire or other connections known in the art.
  • the communication medium may be the Internet, an intranet, network or other non-network connection(s) which facilitate access of data and communication between the different components.
  • an embodiment may also include as element 16 other types of connectivity-based hardware and/or software as known to those of ordinary skill in the art to connect the two networks, the corporate network 12 and the industrial network 14 .
  • the element 16 may also be a dial-up modem connection, a connection for wireless access points, and the like.
  • the different components included in the system 10 of FIG. 1 may all be located at the same physical site, may be located at different physical locations, or some combination thereof.
  • the physical location of one or more of the components may dictate the type of communication medium that may be used in providing connections between the different components.
  • some or all of the connections by which the different components may be connected through a communication medium may pass through other communication devices and/or switching equipment that may exist, such as a phone line, a repeater, a multiplexer, or even a satellite.
  • FIG. 2 shown is an example of an embodiment of components that may be included within a corporate network 12 .
  • user systems 40 a - 40 b Included in this embodiment 12 of FIG. 2 are user systems 40 a - 40 b , and a hub, switch, firewall, or WAN router 42 .
  • the component 42 may be used in connecting this particular corporate network to one or more other corporate networks, to the firewall 18 , and also to any other components included in 16 previously described in connection with FIG. 1 .
  • Each of the user systems 40 a - 40 b may include any one of a variety of different types of computer systems and components.
  • the processors may be any one of a variety of commercially available single or multi-processor systems such as, for example, an Intel-based processor, an IBM mainframe, or other type of processor able to support the incoming traffic and tasks in accordance with each particular embodiment and application.
  • Each of the different components, such as the hub, switch, firewall, and/or router 42 may be any one of a variety of different components which are commercially available and may also be of a proprietary design.
  • Each of the user systems 40 a - 40 b may include one or more data storage devices varying in number and type in accordance with each particular system.
  • a data storage device may include a single device, such as a disk drive, as well as a plurality of devices in a more complex configuration, such as with a storage area network (SAN), and the like.
  • Data may be stored, for example, on magnetic, optical, silicon-based, or non-silicon-based media.
  • the particular arrangement and configuration may vary in accordance with the parameters and requirements associated with each embodiment and system.
  • Each of the user systems 40 a - 40 b may also include one or more I/O devices such as, for example, a keyboard, a mouse, a display device such as a monitor, and the like.
  • I/O devices such as, for example, a keyboard, a mouse, a display device such as a monitor, and the like.
  • Each of these components within a computer system may communicate via any one or more of a variety of different communication connections in accordance with the particular components included therein.
  • a corporate network may include other components besides user systems such as, for example, a network printer available for use by each user system.
  • the industrial network 14 in one embodiment may be a process LAN 102 , a control network 104 , an I/O network 106 , one or more other I/O networks 124 a and 124 b , and a Watch server 50 .
  • the industrial network 14 may be connected to the corporate network 12 by the hub, switch, router, or firewall 16 .
  • the industrial network 14 may include other components than as described herein as well as multiple instances of components described herein.
  • component 16 may be an integrated security appliance such as, for example, the Fortinet Fortigate appliance.
  • the process LAN 102 may be characterized as performing tasks in connection with data management, integration, display, and the like.
  • the control network 104 may be used in connection with controlling the one or more devices within the I/O network 106 as well as one or more other I/O networks 124 a and 124 b .
  • the Watch server 50 may be characterized as performing a variety of different monitoring, detection, and notification tasks in connection with the industrial network 14 and connection to the corporate network.
  • the Watch server 50 and other components included within an embodiment of 14 described in more detail in the following paragraphs may be used in connection with the operation of the industrial network 14 in order to provide for proper operation of the industrial network 14 and component 16 and security threat management.
  • the process LAN 102 of FIG. 3 includes a switch or hub 110 a connected to component 16 and one or more other components within the process LAN 102 .
  • Components included in this example of the process LAN 102 are a historian 114 and an application server 116 .
  • the historian 114 may be used, for example, in storing a history of the different monitoring data that may be gathered by other components included within the network 14 .
  • the historian 114 may serve as a data archive for the different types of data gathered over time within the network 14 .
  • the application server 116 may be used to execute an application that performs, for example, process optimization using sensor and other data.
  • the application server 116 may communicate results to the SCADA server for use in controlling the operations of the network 14 .
  • the SCADA (Supervisory Control and Data Acquisition) server 118 may be used in remotely monitoring and controlling different components within the control network 104 and the I/O network 106 .
  • the SCADA server included in FIG. 2 generally refers to a control system, such as a distributed control system (DCS).
  • DCS distributed control system
  • the SCADA server 118 may also be responsible for controlling and monitoring components included in other I/O networks 124 a and 124 a .
  • the SCADA server 118 may issue one or more commands to the controller 122 in connection with controlling the devices 130 a - 130 n within the I/O network 106 .
  • the SCADA server 118 may similarly be used in connection with controlling and monitoring other components within the I/O networks 124 a and 124 b .
  • a SCADA server may be used as part of a large system for remotely monitoring and controlling, for example, different types of energy production, distribution and transmission facilities, transportation systems, and the like.
  • the SCADA server 118 may be used in connection with controlling and remotely or locally monitoring what may be characterized as components over possibly a large geographically distributed area.
  • the SCADA server may rely on, for example, communication links such as radio, satellite, and telephone lines in connection with communicating with I/O networks 124 a and 124 b as well as I/O network 106 .
  • the particular configuration may vary in accordance with each particular application and embodiment.
  • the workstation 120 may include a human machine interface (HMI), such as a graphical user interface (GUI).
  • HMI human machine interface
  • GUI graphical user interface
  • the workstation 120 may be used, for example, in connection with obtaining different sensor readings, such as temperature, pressure, and the like, from the devices 130 a - 130 n in the I/O network 106 , and displaying these readings on the GUI of the workstation 120 .
  • the workstation 120 may also be used in connection with accepting one or more user inputs in response, for example, to viewing particular values for different sensor readings.
  • the workstation 120 may be used in connection with an application monitoring a transportation system. An operator may use the GUI of workstation 120 to view certain selected statistics or information about the system. The selections may be made using the GUI of the workstation 120 .
  • Other inputs from the workstation 120 may serve as instructions for controlling and monitoring the operation of different devices and components within the industrial network 14 and one or more I/O networks.
  • the transportation system may be used in dispatching
  • the SCADA server 118 may also be used in connection with performing data acquisition of different values obtained by the device sensors 130 a - 130 n in performing its monitoring and/or controlling operations.
  • the data may be communicated to the SCADA server 118 as well as the workstation 120 .
  • the SCADA server 118 may monitor flow rates and other values obtained from one or more of the different sensors and may produce an alert to an operator in connection with detection of a dangerous condition.
  • the dangerous condition or detection may result in an alarm being generated on the workstation 120 , for example, such as may be displayed to a user via the GUI.
  • the SCADA server 118 monitors the physical processing within the industrial network and I/O network(s).
  • the server 118 may, for example, raise alerts to an operator at the workstation 120 when there is a problem detected with the physical plant that may require attention.
  • the controller 122 may be used in connection with issuing commands to control the different devices, such as 130 a - 130 n , as well converting sensor signal data, for example, into a digital signal from analog data that may be gathered from a particular device.
  • An embodiment may also have a controller 122 perform other functionality than as described herein.
  • the Watch server 50 may be used in connection with monitoring, detecting, and when appropriate, notifying a user in accordance with particular conditions detected.
  • the Watch server 50 may include a Watch module which is included in an appliance.
  • the Watch server 50 may also be installed as a software module on a conventional computer system with a commercially available operating system, such as Windows or LINUX, or a hardened operating system, such as SE LINUX.
  • the Watch server 50 may be, for example, a rack mount server-class computer having hardware component redundancy and swappable components.
  • the appliance or conventional computer system may be executing, for example, SE LINUX on an IBM X-series server that monitors the logs and performance of the industrial network 14 . The foregoing may used in connection with monitoring, detecting and notifying a human and/or controlling computer system or other components where appropriate.
  • the Watch server 50 may be used in raising alerts detected in connection with the SCADA system, associated networks, and computer processors.
  • the tasks related to monitoring the computers and networks of FIG. 3 are performed by the Watch server 50 .
  • the tasks related to the physical plant processing, sensor data gathering, and the like for controlling and monitoring the operation of the particular industrial application(s) are performed by the SCADA server 118 .
  • each of the agents 132 a - 132 d may refer to one or more different agents executing on a computer system to perform data gathering about that computer system.
  • the agents 132 a - 132 d report information about the system upon which they are executing to another system, such as the Watch server 50 .
  • the different types of agents that may be included in an embodiment, as well as a particular architecture of each of the agents, are described in more detail elsewhere herein.
  • other data gathering components may include an SNMP component, such as 112 a - 112 c , which also interact and report data to the Watch server 50 .
  • Each of the SNMP components may be used in gathering data about the different network devices upon which the SNMP component resides.
  • these SNMP components 112 a - 122 c may vary in accordance with each particular type of device and may also be supplied by the particular device vendor.
  • the Watch server 50 may periodically poll each of the SNMP components 112 a - 112 c for data.
  • the Watch server 50 may be executing the SE LINUX (Security Enhanced LINUX) operating system.
  • SE LINUX Security Enhanced LINUX
  • other operating systems may be used in connection with the techniques described herein, the SE LINUX operating system may be preferred in an embodiment of the Watch server 50 for at least some of the reasons that will now be described.
  • some operating systems may be characterized as based on a concept of discretionary access control (DAC) which provides two categories of a user.
  • a first category of user may be an administrator for example that has full access to all system resources and a second category of user may be an ordinary user who has full access to the applications and files needed for a job.
  • DAC discretionary access control
  • Examples of operating systems based on the DAC model include for example, a Windows-based operating system.
  • DAC operating systems do not enforce a system-wide security policy.
  • Protective measures are under the control of each of the individual users.
  • a program run by a user may inherit all the permissions of that user and is free to modify any file that that user has access to.
  • a more highly secure computer system may include an operating system based on mandatory access control (MAC).
  • MAC provides a means for a central administrator to apply system wide access policies that are enforced by the operating system. It provides individual security domains that are isolated from each other unless explicit access privileges are specified.
  • the MAC concept provides for a more finely-grained access control to programs, system resources, and files in comparison to the two level DAC system.
  • MAC supports a wide variety of categories of users and confines damage, for example, that flawed or malicious applications may cause to an individual domain. With this difference in security philosophy, MAC may be characterized as representing a best available alternative in order to protect critical systems from both internal and external cyber attacks.
  • One such operating system that is based on the MAC concept or model is the SE LINUX operating system.
  • the SE LINUX operating system is available, for example, at http://ww.nsa.gov/selinux.
  • the components included in the industrial network 14 of FIG. 3 may be used in connection with providing a real time security event monitoring system.
  • the different agents 132 a - 132 d included in the industrial network 14 may be installed on the different computer systems included in the industrial network 14 and may report, for example, on machine health, changes in security log files, application status, and the like. This information gathered by each of the agents 132 a - 132 d and SNMP components 112 a - 112 c may be communicated to the Watch server 50 . This information may be stored in a real-time database also included on the Watch server 50 .
  • Watch server 50 may also run a network intrusion detection system (NEDS), and has the ability to monitor network equipment, such as switches, routers, and firewalls, via the SNMP components included in various network devices shown in the illustration 100 .
  • NEDS network intrusion detection system
  • the agents 132 a - 132 d described herein may be characterized as intelligent agents designed to run and report data while minimizing the use of system and network resources.
  • a control network 104 may have a relatively low amount of network bandwidth. Accordingly, when deploying a monitoring device, such as an agent 132 a - 132 d within such a control system, there may be inadequate bandwidth available for reporting the data from each agent. The lower bandwidth of a control network is typical, for example, of older legacy systems upon which the various agents may be deployed. Agents within an embodiment of the network 14 may be designed to minimize the amount of CPU usage, memory usage, and bandwidth consumed in connection with performing the various data gathering and reporting tasks regarding the industrial network 14 .
  • agents may be written in any one or more of a variety of different programming languages such as PERL, C, Java, and the like. Generally, agents may gather different types of information by executing system commands, reading a data file, and the like on the particular system upon which the agents are executing. It should be noted that the agents also consume resources in a bounded manner minimizing the variance of consumption over time. This is described elsewhere herein in more detail.
  • Agents 132 a - 132 d may format the information into any one of a variety of different message formats, such as XML, and then report this data to the Watch server 50 .
  • the agents 132 a - 132 d may communicate the data to the Watch server 50 over TCP/IP by opening a socket communication channel just long enough to send the relevant data at particularly selected points in time.
  • the agents 132 a - 132 d operate at the application level in communicating information to the Watch server 50 .
  • the Watch server 50 does not send an application level acknowledgement to such received data. Additionally, the agents never read from the communication channel but rather only send data out on this communication channel as a security measure. It should be noted that although the embodiment described herein uses TCP, the techniques described herein may be used in an embodiment with UDP or another type of connectionless communication.
  • the agents that may be included in a system 10 of FIG. 1 may be generally characterized as 2 different classes of monitoring agents.
  • a first class of agent may be used in monitoring control systems upon which the agent actually executes. Agents in this first class are those included in the industrial network 14 of FIG. 3 , such as agents 132 a - 132 d .
  • a second class of agent that may be included in an embodiment is described elsewhere herein in connection with, for example, the Watch server 50 . Agents of this second class may be used in monitoring input from third party equipment or applications or other activity about a system other than the system upon which the agent is executing. As described in more detail elsewhere herein, different types of agents of either class may be used in an embodiment to gather the different types of data.
  • the various activities performed by the agents described herein may be used in connection with monitoring and reporting, for example, on cyber-security incidents as well as the performance of different system devices such as, for example, the different computer systems for CPU load, space and memory usage, power supply voltage, and the like.
  • a cyber-security threat is a cyber-security threat as described herein
  • the techniques and systems described herein may be used in connection with monitoring security threats that are of different types. For example, control system damage may be caused, for example, by a faulty power supply, faulty performance of other components, and the like.
  • the various agents deployed within an embodiment of the system 10 of FIG. 1 may be used in detecting both malicious as well as accidental threats to the industrial network 14 . It may also be useful to correlate performance information with security information when assessing the likelihood of system compromise as a result of an attack on one or more systems.
  • agents 132 a - 132 d may also be used in monitoring a controller 122 , devices 130 a - 130 n , and the like as needed and possible in accordance with each embodiment.
  • Agents may be used on components having a computer processor capable of performing the tasks described herein and meeting predefined resource limitations that may vary with each embodiment. For example, agents may be executed on “smart” controllers, such as 122 , if the controller has a processor able to execute code that performs the agent functionality.
  • each of 113 a , 113 b , and 113 c may refer to one or more connections and may vary in accordance with the particular component connected to the Watch server 50 by each connection.
  • component 16 may be a hub, switch, router or firewall. If component 16 is a switch, element 113 a may refer to two communication connections between 16 and the Watch server 50 where one of the connections is connected to the spanning port of the switch and is used for the monitoring operations for network intrusion detection by the Watch server 50 . In an embodiment in which the component is a hub, a single connection may be used. The foregoing also applies to connections 113 b and 113 c and, respectively, components 110 a and 110 b.
  • Watch server 50 in one embodiment may include a threat agent 200 , an SNMP Watch agent 202 , an SNMP Guard Agent 203 , a NIDS agent 204 , an ARPWatch agent 206 , and a Guard log agent 209 .
  • Data 201 produced by the agents executing in the industrial network may be received by the Watch server.
  • the Watch server 50 itself may be monitored using one or more agents 208 of the first class. Data from these agents is referenced as 208 in FIG. 4 .
  • Each of 200 , 201 , 202 , 203 , 204 , 206 , 208 and 209 communicates with the receiver 210 to store data in RTAP (real-time database and alarm engine) 212 .
  • the Watch server 50 may also include a web server 214 , a notification server 216 , a threat thermostat controller 218 and one or more firewall settings 220 .
  • the agents included in the Watch server 50 are of the second class of agent described elsewhere herein in which the agents included in the Watch server gather or report information about one or more systems other than that system upon which the agent is executing. It should be noted that this class of agent is in contrast, for example, to the agents 132 a - 132 d previously described in connection with FIG. 3 which are executed on a computer system and report information to the Watch server 50 about the particular computer system upon which the agent is executing.
  • the agents included within the Watch server 50 may be used in gathering data from one or more sources.
  • the second class of agents may be written in any one or more programming languages.
  • the threat agent 200 receives threat assessments from one or more sources which are external to the industrial network 14 .
  • the inputs to the component 200 may include, for example, a threat assessment level or alert produced by the corporate network, a security or threat level produced by the US government, such as the Homeland Security Threat level, an input published on a private site on the Internet, and the like.
  • Data from agents of both classes executing within the industrial network 14 of FIG. 3 communicate data to the receiver 210 as input source 201 . It should be noted that any one or more of the metrics described herein may be reported by any of the agents in connection with a periodic reporting interval, as well as in accordance with the occurrence of certain thresholds or events being detected.
  • the SNMP Watch agent 202 periodically polls the different devices including hubs, switches, and routers having a vendor supplied SNMP component, such as 112 a and 112 b .
  • the Watch server performs this periodic polling and communicates with each of the SNMP components 112 a - 112 b to obtain information regarding the particular component or network device.
  • SNMP Components such as 112 a , report data to agent 202 such as, for example, metrics related to the activity level on switches and the like being monitored.
  • the SNMP Guard agent 203 periodically polls the firewall(s) for data.
  • the component 203 works with the Fortinet Fortigate series of firewalls. The particular firewall(s) supported and utilized may vary in accordance with each embodiment.
  • the components 202 and 203 use the SNMP protocol to request the information set forth below from network switches, firewalls, and other network equipment.
  • the following metrics may be reported by 203 at the end of each periodic reporting interval. It should be noted that the units in an embodiment may vary from what is specified herein. Also, not all metrics may be available and tracked by all devices:
  • Configuration Information from the device that describes the device. This may include, for example, the name of the vendor, the model number, the firmware version, and any other software or ruleset versions that the device supports and may be relevant to an understanding of the behavior of the device.
  • Communications Status An indication as to whether the device's SNMP component responded to the previous and/or current SNMP requests for information.
  • Per-interface incoming and outgoing network traffic in kilobytes, for a reporting interval.
  • % CPU Load The percentage of CPU Utilization in the reporting interval.
  • % Disk space For devices with disks, like some firewalls, report the percentage used for every filesystem or partition.
  • % Memory Used Report the fraction of physical memory in use.
  • Open Session Count a count of open communications sessions.
  • VPN Tunnel count a count of the number of machines and/or users connected through a firewall device using an IPSEC, SSL or other Virtual Private Network (VPN) technology. For each such connection, also report the source IP address, and if available:
  • Administrative User Count A count of how many “root” or other administrative users are logged into the device and so are capable of changing the configuration of the device. For each such user, when the information is available via SNMP, report the user name, source IP address and any other information that might help to identify who is logged in.
  • the agent 202 may report at periodic intervals uptime, total incoming and outgoing network traffic, and information regarding the particular operating system, version number and the like.
  • the NIDS agent 204 monitors the process and control LAN communications by scanning messages or copies of messages passing through LANS, hubs, and switches. It should be noted that referring back to FIG. 3 , a dedicated connection between a Watch server and these components may be used in connection with performing NIDS monitoring.
  • the NIDS Agent 204 receives data and determines metrics, for example, such as a message count, network intrusion alerts raised, and the like.
  • the NIDS agent 204 may be used in connection with monitoring both the process LAN and the control LAN communications. As an input to the NIDS agent 204 , data may come from the NIDS component 204 a .
  • Data from LANs, hubs and switches may be input to the NIDS component 204 a and used in connection with detection of network intrusions.
  • a library of signatures that may be used in connection with detecting different types of network intrusions.
  • the NIDS agent 204 may be used in performing real time traffic analysis and packet logging of control networks.
  • the NIDS component 204 a may also be used in connection with performing protocol analysis, content searching and matching, and may be used to detect a variety of attacks and different types of probes including, for example, buffer overflows, stealth port scans, CGI attacks, SMB probes, fingerprinting attempts and the like.
  • the NIDS agent 204 may also be used in connection with monitoring an existing third party network intrusion detection system installed on a control network.
  • the NIDS component 204 a is implemented using SNORT technology.
  • SNORT is described, for example, at www.snort.org, and may be used in connection with monitoring network traffic, for example, by monitoring and analyzing all messages on the network, such as through one of the connections connected into a spanning port of a switch used in an embodiment of FIG. 3 .
  • SNORT reports data on any messages exchanged between any two ports.
  • SNORT uses a pattern matching engine which searches one or more messages for known patterns.
  • the known patterns are associated with known viruses, worms, and the like.
  • a message packet may include a particular bit pattern indicative of a known worm.
  • the NIDS agent may be implemented using both customized and/or conventional NIDS engines.
  • the SNORT open source NIDS engine may be used with the entire SNORT NIDS rules set.
  • An embodiment may also use other NIDS technologies such as, for example, the Fortinet Fortigate NIDS system with the Fortinet Fortigate rules set.
  • An embodiment may also use more than one NIDS system. Specific rules may be disabled or made more specific at particular sites if normal background traffic at the site is found to generate an unacceptable number of false positive alerts as a result of enacting particular rules. This may vary in accordance with each embodiment.
  • An embodiment may connect one or more NIDS engines to the hubs and other components of the industrial network.
  • the NIDS engines may be connected to the spanning ports on the switches as described elsewhere herein. If spanning ports are not available, it may be preferable to connect the NIDS engines to monitor the traffic between the industrial network 14 and the corporate network 12 , using an Ethernet tap, hub, or other technique as known to those of ordinary skill in the art.
  • customized signatures may be used in addition to those that may be supplied with the NIDS technology such as publicly available at the Snort.org website. These additional signatures may identify network traffic that would be “normal” on a business network, but is not associated with normal activity within an industrial network. These may include, for example, signatures identifying one or more of the following: telnet login traffic; ftp file transfer traffic; web browsing through normal and encrypted connections; reading email through POP3, IMAP and Exchange protocols; sending email through SMTP and Exchange protocols; and using any of the instant messaging products, such as those from Microsoft, Yahoo, and America Online.
  • the foregoing may be considered normal traffic on a business network, such as the corporate network 12 , but not within a dedicated-purpose network like the industrial network 14 . It should be noted that plant operators within the network 14 may have access to email and other such facilities, but such access may be gained using workstation computers that, while they may sit physically beside critical equipment, may actually be connected to the corporate network and not to the industrial network.
  • the following additional NIDS signatures may be used to report all attempts to communicate with well-known UDP and TCP ports having support which is turned off on correctly-hardened Solaris machines running the Foxboro IA industrial control system software:
  • Port number application or service 7 ECHO) 9 (DISCARD) 13 (DAYTIME) 19 (CHARGEN) 21 (FTP) 23 (TELNET) 25 (SMTP) 79 (FINGER) 512 (REXEC) 513 (RLOGIN) 514 (RSH) 540 (UUCP) 1497 (RFX-LM)
  • ECHO 9 (DISCARD) 13 (DAYTIME) 19 (CHARGEN) 21 (FTP) 23 (TELNET) 25 (SMTP) 79
  • FINGER 512
  • REXEC REXEC
  • RLOGIN RLOGIN
  • RCH RLOGIN
  • UUCP UUCP
  • An embodiment may also include additional signatures representative of traffic that should not be present on an industrial network.
  • the signatures below may be used, for example, to monitor and report on ports used for TCP and/or UDP to identify uses that may be characteristic and typical within the corporate or other business network, but are not desirable for use within an industrial network. This may include, for example, using particular applications and services such as Microsoft's NetMeeting, AOL and other Instant Messaging services, and the like.
  • Port number application or service 80 (HTTP) 443 (HTTPS) 143 (IMAP) 993 (IMAPS) 110 (POP3) 995 (POP3S) 989 (FTPS-DATA) 990 (FTPS) 992 (TELNETS) 389 (LDAP-NETMEETING) 552 (ULS-NETMEETING) 1503 (T.120-NETMEETING) 1720 (H.323-NETMEETING) 1731 (MSICCP-NETMEETING) 1590 (AOL-AOL_IMESSENGER) 194 (IRC)
  • customized signatures may be used in an inclusionary manner.
  • Exclusionary NIDS signatures such as those illustrated above, typically identify and report upon abnormal or undesirable messages detected on the network being monitored. As additional undesirable, abnormal or atypical messages are identified, new and corresponding NIDS signatures are developed for use in the embodiment.
  • An embodiment may use inclusionary NIDS signatures to identify messages that are part of the network's normal, or desirable operating state and report upon any message not identified as such.
  • New inclusionary NIDS signatures are developed in such an embodiment whenever a type of message is determined to be within the normal or acceptable behavior of a given network. In an embodiment using the inclusionary signatures, no additional signatures are needed to identify new undesirable or abnormal messages.
  • Inclusionary signatures therefore incur lower signature update costs than do exclusionary signatures on networks whose normal or desirable network or message traffic patterns change infrequently. On such networks, it can be argued that inclusionary signatures may provide greater security, because they are immediately able to identify new abnormal or undesirable messages, without waiting for exclusionary signatures to be identified, developed or installed.
  • the NIDS agent 204 may have a reporting interval every 10 seconds.
  • the password age agent 310 described elsewhere herein, may have a reporting interval of every hour.
  • the other agents may have a reporting interval of once every minute which may vary in accordance with the resources within each embodiment and computer systems therein.
  • the ARPWatch agent 206 may detect one or more events of interest in connection with the ARP (address resolution protocol) messages monitored.
  • ARP may be used with the internet protocol (IP) and other protocols as described in RFC 826 at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc0826.html.
  • IP internet protocol
  • the ARPWatch 206 a is based on open source software, as described in ftp://ftp.ee.lbl.gov/arpwatch.tar.gz, with additional functionality described herein to minimize false positives.
  • ARP may be used in performing IP address resolution and binding to a device address.
  • the ARPWatch 206 a may, for example, look for any new devices, such as computers, detected on a network.
  • the ARPWatch 206 a may monitor the industrial network 14 for the introduction of new types of devices and log information regarding these new devices.
  • the ARPWatch agent 206 may use information on new devices provided by 206 a and report information to RTAP in a fashion similar to that used with the NIDS agent using SNORT based technology.
  • a laptop computer may be turned on and connected for a short time period to a network by a wireless connection.
  • a network address is associated with the laptop while in the network. This may be done by binding an IP address to the device address unique to the particular laptop.
  • IP addresses When first introduced into the network, there is no known IP address for the laptop. In connection with assigning an IP address to this new laptop, one or more messages may be monitored in the network to detect this event of introducing a new device in the network causing a new binding of an IP address to the unique address of the laptop.
  • the IP addresses associated with the device may be assigned on a visitor or temporary basis, such as with the laptop. Thus, IP addresses may be reused such that a same IP address may be bound to different devices at different points in time.
  • a customized version of ARPWatch may raise an alert if the device address of the computer was not previously known or active. An alert may also be raised if the device address was assigned to some other IP address or the IP address had some other device address assigned to it within a prior time period, for example, such as 15-20 minutes. Within an embodiment, the prior time period may vary. It should be noted that the prior time period may be long enough to be confident that the device to which the other IP address was assigned is no longer connected to the network.
  • Such activity may be a sign of, for example, ARP spoofing or ARP poisoning.
  • ARP spoofing occurs when a forged ARP reply message is sent to an original ARP request, and/or forged ARP requests are sent.
  • the forger associates a known IP address with an incorrect device address, often the forger's own device address.
  • receiving the forged ARP messages causes a reassignment of the known IP address to the address of the forger's device, in one or more other devices on the network. This can also cause the network's own table of address bindings to be updated or poisoned with the forged binding.
  • the time period described above may be used to minimize the false positives as may be generated when using the standard open source ARPWatch in IP-address-poor DHCP environments.
  • the agent 206 in one embodiment uses a version of ARPWatch that issues fewer messages than the conventional open source version for ARP frames containing invalid IP addresses that do not fall within the local network mask.
  • the conventional open source ARPwatch logs a message for every ARP frame containing an invalid IP address resulting in up to 100 messages per minute for a given invalid IP address detection.
  • the ARPWatch 206 a in one embodiment keeps track of the invalid addresses detected and reports invalid IP/device address binding for as long as the ARPWatch 206 a is running.
  • the RTAP 212 may also track changed IP addresses reported by the ARPWatch 206 a via the ARPWatch agent 206 , and the web server 214 may then present a list of these to the network administrator for approval such that these addresses are no longer considered as “new.”
  • An embodiment may also provide functionality for approving new and/or changed IP/device address bindings, and/or provide functionality for individually approving new IP addresses and/or new and/or changed IP/device address bindings as well as approving the entire list presented at once. Once the foregoing new device address/IP bindings are approved, the number of “new” network devices drops to zero and any RTAP alert that may be outstanding against that count is reset to a normal condition or state.
  • agents of the first class described elsewhere herein may be executing on the Watch server monitoring the health, performance, and security of the Watch server.
  • the data from these agents 208 is sent to the receiver 210 to report data about the Watch server 50 .
  • the particular types of this first class of agent are described elsewhere herein, for example, in connection with FIGS. 5 and 6 .
  • An embodiment may include any number of these types of agents of the first class to report data about the Watch server 50 .
  • the Guard log agent 209 monitors log files of the Watch server 50 and also the firewall log files of one or more firewalls being monitored, such as an embodiment including a firewall as component 16 of FIG. 3 .
  • an option may be set on the Fortinet Fortigate firewall to automatically transmit all firewall log information to the Watch server 50 .
  • the received firewall log information may be included as part of the system logging for the Watch server 50 .
  • the system log files of the Watch server may be segregated into different physical files of the file system.
  • the firewall log files may be included in a separate physical file in the Watch Server's log file area.
  • the Guard log agent 209 may also obtain additional information from the firewall using SSH (Secure SHell).
  • the agent 209 using SSH (Secure SHell), remotely logs into a machine via a shell.
  • SSH Secure SHell
  • SSH may be characterized as similar in functionality to telnet, however unlike telnet, all data exchanged is encrypted.
  • the agent 209 may download a copy of the firewall rules and other configuration information currently in use in a firewall using SSH.
  • Other embodiments may use other secure command and communications technologies such as, for example, IPSEC, sftp, HTTPS, SSL, and the like.
  • the agent 209 may have a master set of firewall configuration information which it expects to be currently in use. The downloaded copy of firewall configuration information currently in use may be compared to the master set to determine any differences. In the event that any differences are detected, an alert may be raised and signaled by RTAP 212 .
  • the following metrics may be reported by the Guard log agent 209 in connection with the firewall log files every reporting interval:
  • firewall violations Report the total number of firewall violations messages detected in the reporting interval. On platforms that distinguish different kinds of violation messages, report those counts separately.
  • ipchains which, as known to those of ordinary skill in the art, is available on some versions of Linux to set up, maintain and inspect the IP firewall rules in the Linux kernel. Ipchains provides for distinguishing “dropped” packets from “rejected” packets, and these counts may be reported out separately.
  • the summary information may include, for example, one or more IP addresses identified as the source for most of the messages, what percentage of the messages are associated with each IP address, one or more IP addresses that are the target in a majority of the messages, and what percentage of messages are associated with each target address.
  • Network IDS intrusion detection system
  • IPS intrusion prevention system
  • Summary reporting information for each class of intrusion attempt Report the most common source IP address, destination IP address and attack type and the percentage of total attempts in that class of attempt that had that most common source IP, destination IP or attack type.
  • Firewall configuration change This is described above in which the agent 209 may report a boolean value indicating whether any aspect of the industrial network firewall configuration has changed at the end of the reporting interval.
  • the agent 209 agent uses firewall-specified technologies (eg: ssh or tftp) to download the currently active firewall configuration to the server 50 . If the configuration downloaded at the end of one reporting interval differs from the configuration downloaded at the end of the previous reporting interval, the agent 209 reports a one, otherwise if the downloaded configuration differs from the saved firewall settings for the current threat level, the agent 209 reports a one, otherwise if any of the saved firewall settings for any threat level have changed in the reporting interval, the agent reports a one, otherwise it reports a zero.
  • firewall-specified technologies eg: ssh or tftp
  • the agent 209 also reports a one-line summary of what area of the firewall configuration has changed, such as, for example, the saved settings, the downloaded configuration, and the like, with further detail as to what part of the configuration changed, such as, for example, the firewall rules, the number of active ports, address translation rule, and the like. If the configuration has changed, the alert may remain in the elevated alarm state until an authorized administrator, for example, updates the saved configuration data (firewall configuration set) on the Watch server 50 as the new master set of configuration data.
  • firewall configuration change metric allows for automatic tracking and determination of when there has been such a change.
  • RTAP 212 may generate an alert condition. This condition may continue to be tracked as long as the configuration is non-standard until the configuration is restored to a firewall configuration known to be safe.
  • Threat thermostat configuration change Reports the number of saved firewall configurations corresponding to threat thermostat threat levels that have changed in the reporting interval.
  • the agent 209 keeps a copy of the saved firewall configurations corresponding to the different threat levels.
  • the agent 209 compares the copies to the current firewall configurations corresponding to the different threat levels and reports if a particular pairing of firewall rule sets with an associated threat level has changed, or if there has been a change to any one of the rules sets. If there have been any changes, then after reporting, the agent 209 replaces its set of saved firewall configurations with the modified firewall configurations. For every configuration that changed in a reporting period, the agent 209 also reports a one-line summary of what has changed in the configuration.
  • the “other activity” metric is a count of “unusual” messages detected in the master log file during the reporting interval.
  • a set of messages may be defined as unusual using a default and/or user specified set. For example, unusual messages to be included in this metric may be filtered using regular expressions. Any line of the log file that is not counted as some other metric is a candidate for “other activity.” These “other activity” candidate lines are compared to each of the saved regular expressions and discarded if there is a match with any expression. Otherwise, the candidate log entry is counted as an incident of “unusual activity”. When all the log entries generated during the reporting interval are processed, the “unusual” count is reported as the value of the “other activity” metric.
  • the receiver 210 is used to interface with RTAP 212 .
  • use of facilities in RTAP 212 is in accordance with a predefined interface or API (application programming interface).
  • One of the functions of the receiver 210 is to convert the agent protocol data received into a format in accordance with a known RTAP API in order to populate the database of RTAP 212 .
  • the receiver 210 may perform agent authentication of messages received. For example, in one embodiment, a private unique key may be used by each device or processor sending a message to the Watch server 50 . The receiver 210 knows these private keys and uses these to authenticate the received messages as being from one of the expected devices.
  • the receiver 210 records the IP address reporting every metric and rejects new values reported for a metric from any IP address but the last address to report legitimately to the metric.
  • Other embodiments may use other encryption techniques and accordingly may use different techniques in authenticating received messages.
  • the notification server 216 and/or the web server 214 may be used in connection with providing incident notification.
  • a user may specify an e-mail address or other destination for receiving different types of alert notifications that may be produced.
  • the notification in the event of an alert may be sent, for example, to a PDA, pager, cell phone, and the like upon the occurrence of an event determined by the Watch server.
  • Such an event may include, for example, reported data reaching predetermined alarm or other thresholds, detection of a cyber-attack, detection of a component failure within the industrial network requiring immediate repair, and the like.
  • the notification server 216 may also send a message to a direct phone connection, such as to a phone number, rather than an e-mail address.
  • the web server 214 may be used in connection with displaying information and/or accepting input from a user in connection with any one of a variety of different tasks in this embodiment.
  • Other embodiments may use conventional command line, Windows, client/server or other user interfaces known to those of ordinary skill in the art.
  • the web server 214 through a web browser, may be used in displaying a security metric set-up page allowing for customization of security conditions, and definitions used for recording and alarming.
  • a user may specify limit values or thresholds associated with different warnings or alarms. When such thresholds have been reached, a notification message may be sent to one or more specified devices or addresses.
  • the web server 214 in connection with a browser may be used, for example, in connection with displaying different types of information regarding a security status, details of selected metrics, and the like.
  • the different agents may be configured and monitored.
  • the web server 214 may be any one of a variety of different types of web servers known to those of ordinary skill in the art such as, for example, a TOMCAT web server.
  • the web server 214 may be used in connection with obtaining input and/or output using a GUI with a web browser for display, browsing, and the like.
  • the web server 214 and a browser may be used for local access to appliance data as well as remote access to appliance data, such as the RTAP 212 data.
  • the web server 214 may be used in connection with displaying pages to a console in response to a user selection, in response to a detected alert or alarm, obtaining settings for different threshold and alarm levels such as may be used in connection with notifications, and the like.
  • the web server 214 may also be used in connection with communicating information to a device such as a pager in the event of a notification when a particular designated threshold for example of an alarm level has been reached.
  • RTAP 212 may provide for collection, management, visualization and integration of a variety of different automated operations. Data may be collected and reported to the Watch server and stored in RTAP 212 , the Watch server's database. As described elsewhere herein, RTAP 212 may be used in connection with performing security monitoring and providing for appropriate notification in accordance with different events that may be monitored. RTAP may raise alerts, for example, in the event that predetermined threshold conditions or events occur in accordance with the data store maintained by RTAP 212 . One embodiment of RTAP is described in following paragraphs in more detail.
  • RTAP 212 may be implemented using a commercially available real time control system, such as Verano's RTAP product, or the Foxboro Intelligent Automation (IA) product or other SCADA or DCS system. In other words, a conventional control system may be used not to control a physical process, but to monitor the security activity of an industrial network and connections. RTAP 212 may also be implemented using customized software that uses a relational database. As will be appreciated by one of ordinary skill in the art, other embodiments may use other components.
  • a commercially available real time control system such as Verano's RTAP product, or the Foxboro Intelligent Automation (IA) product or other SCADA or DCS system.
  • IA Foxboro Intelligent Automation
  • SCADA Foxboro Intelligent Automation
  • each of the different agents may report data to RTAP 212 through use of the receiver 210 .
  • RTAP 212 may then store the data, process the data, and perform event detection and notification in accordance with predefined alarm levels and thresholds such as may be obtained from user selection or other defined levels. For example, as described above, a user may make selections in accordance with various alarm or alert levels using a browser with a GUI. These particular values specify a threshold that may be stored and used by RTAP 212 . As RTAP 212 receives data reported from the different agents, RTAP 212 may process the data in accordance with the threshold(s) previously specified.
  • the RTAP 212 may signal an alert or alarm, and provide for a notification message to be sent on one or more devices using the web server 214 and/or notification server 206 . It should be noted that the various designated location or device to which notification messages are to be sent may also be specified through the same GUI by which the threshold levels are specified.
  • the threat thermostat controller 218 may be used in generating a response signal in accordance with one or more types of security-threat inputs.
  • the threat thermostat controller 218 may use as inputs any one or more raw or derived parameters from the RTAP 212 , other inputs that may be external to the Watch server, and the like.
  • the threat thermostat controller 218 selects one or more of the firewall settings from 220 which controls access between the corporate network 12 and the industrial network 14 as well as access to the industrial network 14 from other possible connections.
  • the threat thermostat controller 218 may use one of three different firewall settings from 220 in accordance with one or more inputs.
  • Each of the firewall settings included in 220 may correspond to one of three different threat levels.
  • the firewall rule settings corresponding to this condition may allow all traffic between the corporate network 12 and the industrial network 14 as well as other connections into the industrial network 14 to occur.
  • a second different set of firewall settings may be selected from 220 . These firewall settings may allow, for example, access to the industrial network 14 from one or more particular designated users or systems only within the corporate network 12 .
  • a high threat level is determined by the threat thermostat controller 218 , all traffic between the corporate network 12 and industrial network 14 may be denied as well as any other type of connection external into the industrial network 14 .
  • a determination for example, an embodiment may completely isolate the industrial network 14 from any type of outside computer connection.
  • Actions taken in response to a threat level indicator produced by the threat thermostat controller 218 may include physically disconnecting the industrial network 14 from all other external connections, for example, in the event of a highest threat level. This may be performed by using a set of corresponding firewall rules disallowing such connections. Additionally, a physical response may be taken to ensure isolation of one or more critical networks such as, for example, disconnecting a switch or other network device from its power supply. This may be done in a manual or automated fashion such as using a control system to implement RTAP 212 . Similarly, a mechanism may be used to reconnect the critical network as appropriate.
  • the corresponding firewall settings from 220 may allow data to be exchanged between the industrial network and less trusted networks in predefined ways and also allow authorized users on less trusted networks to remotely log into computers on a critical network, such as the industrial network.
  • the second set of firewall rule settings from 220 may be used which provide for a more restrictive flow of communication with a critical network such as the industrial network 14 .
  • a critical network such as the industrial network 14 .
  • corporate may notify the industrial network that a particular virus is circulating on the corporate network 12 , that a Homeland Security alert status has increased, and the like.
  • the second set of rules may be selected and allow critical data only to be exchanged with less trusted networks and also disable remote log in capabilities.
  • each threat level may be a text file with a series of commands that define a particular firewall configuration including firewall rule sets, what network ports are enabled and disabled, address translation rules, and the like. All of this information may be included in each of the text files associated with each of the different threat levels.
  • One of the inputs to the threat thermostat controller 218 may include, for example, a security level as published by the Homeland Security, an assessment or threat level as produced by a corporate department, and/or another source of a threat level that may be gathered from information such as available on the Internet through a government agency or other type of private organization and reported by the threat agent 200 .
  • These assessments may be weighted and combined by the threat thermostat controller 218 to automatically determine a threat level causing a particular set of firewall settings to be utilized.
  • a particular weighting factor may be associated with each of multiple inputs to 218 making the determination of a specific indicator or threat level.
  • the particular firewall settings included in each of the sets of 220 may include a particular set of firewall rules, address translations, addresses to and from which particular communications may or may not be allowed, intrusion detection and prevention signatures, antivirus signatures, and the like.
  • Inputs to the threat thermostat controller may also include, for example, one or more raw metrics as provided from RTAP, and/or one or more derived parameters based on data from RTAP and/or from other sources.
  • the threat thermostat controller may generate a signal causing data to be displayed on a monitor connected to the Watch server 50 such as through a console as well as to send one or more notification messages to previously designated destinations.
  • the threat thermostat control level may be displayed on a GUI.
  • an alert may be generated when there is any type of a change in a firewall rule set or threat level either in an upward or a downward threat level direction.
  • An embodiment may provide for a manual setting of a threat thermostat level used in the selection of the firewall settings, and the like. This manual setting may be in addition to, or as an alternative to, automated processing that may be performed by the threat thermostat controller 218 in determining a threat level. Additionally, an embodiment may include one or more user inputs in the automatic determination of a threat level by the threat thermostat controller 218 . It should be noted that in one embodiment, once the threat level has risen out of the lowest level, only human intervention may lower the thermostat or threat level.
  • an embodiment may vary the particular access associated with each of the different threat levels. Although three or five threat levels and associated rule sets are described herein, an embodiment may include any number, more or less, of threat levels for use in accordance with a particular application and embodiment.
  • alerts may be generated using one or more derived or calculated values in accordance with the raw data gathered by the agents.
  • RTAP 212 may implement the database portion of RTAP 212 as an object oriented database.
  • RTAP 212 may include a calculation engine and an alarm engine in one embodiment.
  • the calculation engine may be used to perform revised data calculations using a spreadsheet-like data flow process.
  • the alarm engine may determine an alarm function or level using a state table. Details of RTAP 212 are described elsewhere herein in more detail.
  • any one or more hardware configurations may be used in connection with the components of FIGS. 3 and 4 .
  • the particular hardware configuration may vary with each embodiment. For example, it may be preferred to have all the components of FIGS. 3 and 4 executing on a single computer system in a rack-mount arrangement to minimize the impact on the physical layout of a plant or other location being monitored. There may be instances where physical location and layout of a system being monitored require use of extra hardware in a particular configuration.
  • NIDS and ARPWatch may be monitoring the activity of 3 different switches in an industrial network using the spanning ports of each switch. Each of the 3 switches may be located in physical locations not in close proximity to one another or another computer system hosting the components of the Watch server 50 .
  • Two switches may be located in different control rooms and one switch may be located in a server room.
  • One hardware configuration is to have the computer system upon which the Watch server components execute monitor the one switch in the server room.
  • Two additional processors may be used in which each processor hosts agents monitoring execution of one of the remaining two switches.
  • the two additional processors are each located in physical proximity near a switch being monitored in the control rooms.
  • the two additional processors are capable of supporting execution of the agents (such as the NIDS agent 204 and ARPWatch Agent 206 ) and any software (such as NIDS 204 a , ARPwatch 206 a ) used by the agents.
  • These processors are connected to, and communicate with, the computer system upon which the Watch server components execute.
  • the hardware and/or software configurations used may vary in accordance with each embodiment and particular criteria thereof.
  • the receiver 210 of the Watch server 50 may track the last time a report was received by each agent (class 1 and class 2). In the event that the component 210 determines that an agent has not reported to the receiver 210 within some predetermined time period, such as within 150% of its expected periodic reporting interval, an alert is raised by sending a notification to one of the notification devices. Such an alert may indicate failure of an agent and/or machine and/or tampering with the watch system and/or with agents. Alerts may also be raised if agents report too frequently, indicating that someone may be trying to mask an attack or otherwise interfere with agent operation.
  • Alerts may also be raised if agent reports are incorrectly authenticated, for example, if they are incorrectly encrypted, have an incorrect checksum, contain an incorrect timestamp or sequence number, are from an incorrect IP address, are of incorrect size, or are flagged as being destined for an IP address other than the address on which the receiver 210 is listening.
  • components 202 , 203 and 209 may preferably send encrypted communications where possible to other components besides the receiver 210 . Whether encryption is used may vary with the functionality of the components communicating. An embodiment may use, for example, V3.0 or greater of the SNMP protocol with the components 202 and 203 in order to obtain support for encryption. Component 209 may also use encryption when communicating with the firewall.
  • FIG. 4A shown is an example 400 of an embodiment of a threat thermostat controller 218 in more detail.
  • the example 400 illustrates in further detail the one or more inputs that may be used in connection with a threat thermostat controller 218 as described previously in connection with the Watch server 50 of FIG. 4 .
  • An embodiment of the threat thermostat controller 218 may automatically determine a firewall rule set and threat indicator 410 in accordance with one or more inputs 402 , 406 and/or 408 and 220 .
  • Inputs 402 , 404 , 406 and 408 may be characterized as selection input which provides for selection of one of the firewall settings from 220 .
  • Inputs 402 may come from external data sources with respect to the industrial network 14 .
  • the external data may include, for example, an indicator from a corporate network, one or more inputs from an internet site such as in connection with a Homeland Security alert, a threat indicator generated by another commercial or private vendor, and the like. This external data may come from network connections, or other type of remote log in connections with respect to the industrial network 14 .
  • Other types of input may include one or more RTAP inputs 404 .
  • the RTAP inputs 404 may be raw data inputs as gathered by agents and stored within the RTAP 212 database, particular threshold levels, and the like.
  • RTAP inputs 404 may also include a resultant value or indicator that is generated by processing performed by RTAP in accordance with one or more of RTAP data values.
  • An RTAP indicator included as an RTAP input 404 to the threat thermostat controller 218 may be, for example, an indicator as to whether a particular threshold level for one or more metrics is exceeded.
  • the input to the threat thermostat controller 218 may also include one or more derived parameters 406 .
  • the derived parameters 406 may be based on one or more raw data values as gathered by the agents and stored in RTAP. These derived values may be stored within RTAP or determined by another source or module.
  • Another input to threat thermostat controller 218 may be one or more manual inputs 408 .
  • the manual input or inputs 408 may include, for example, one or more values that have been selectively input by an operator such as through GUI or configuration file. These values may include a metric that may be manually input rather than being received from an external source in an automated fashion.
  • the outputs of the threat thermostat controller 218 include a firewall rule set and threat indicator 410 .
  • the firewall rule set and other settings may be communicated, for example, to a firewall as a new set of rules to be used for subsequent communications and controlling access to one or more critical networks.
  • a new set of firewall rules may be remotely loaded from the Watch server location 220 to the firewall using SSH (described elsewhere herein) and/or any of a variety of secure communications mechanisms known to those of ordinary skill in the art such as, for example, IPSEC, HTTPS, SSL, and the like.
  • the threat indicator that may be produced by a threat thermostat controller 218 may, also serve as an input to RTAP 212 and may be used, for example, in connection with generating one or more notifications through use of the web server and/or notification server as described elsewhere herein when a particular threat indicator level has increased or decreased, a firewall rule setting selection has been modified and the like. Additionally, data recording for the threat level, date, time, and the like may be recorded in RTAP 212 .
  • the threat thermostat controller 218 may also produce an output signal 411 used in connection with automatically controlling the operation of a connecting/disconnecting the industrial network from the corporate network in accordance with the threat indicator. For example, the signal 411 may be input to RTAP, a control system, switch or other hardware and/or software used to control the power supply enabling connection between the industrial network and corporate network as described elsewhere herein.
  • manual inputs may be used.
  • a single manual input may be used in one embodiment, for example, in selection of a threat indicator causing the threat thermostat controller 218 to make a selection of a particular firewall setting.
  • Another embodiment may provide for use of a combination of automated and/or manual techniques where the automated technique may be used to produce a threat indicator unless a manual input is specified.
  • the manual input or inputs may serve as an override of all of the other inputs in connection with selecting a particular firewall rule set from 220 and generating a threat indicator.
  • Such a manual override may be provided as an option in connection with a mode setting of a threat thermostat controller 218 . If the override setting which may be a boolean value is set to on or true, the manual input will act as an override for all other inputs and an automated technique for producing a threat indicator. In the event that override is set to off, the manual input may not be considered at all, or may also be considered along with other inputs in connection with an automated technique used by the threat thermostat controller.
  • an example 300 of the different types of agents of the first class of agent that may be utilized in an embodiment of the industrial network 14 .
  • the agents 300 may be included and executed on each of the computer systems in the industrial network 14 as indicated by the agents 132 a - 132 d .
  • the different agent types included in 300 are those types of agents that may execute on a system and report information about that system to the Watch server 50 .
  • an embodiment may include the particular agent types of 300
  • an embodiment may include different types of agents and a different number of agents than as described herein in accordance with the particular application and embodiment and may vary for each computer system included in the industrial network 14 .
  • a master agent 302 is responsible for control of the other agents included in the computer system.
  • the master agent 302 is responsible for starting and monitoring each of the other agents and to ensure that the other agents are executing.
  • the master agent 302 is responsible for restarting that particular agent.
  • the master agent 302 may also perform other tasks, such as, for example scheduling different agents to ran at different periods of time, and the like.
  • the critical file monitoring agent 304 may be used in connection with monitoring specified data files.
  • data files that may be monitored by agent 304 may include, for example, operating system files, executable files, database files, or other particular data file that may be of importance in connection with a particular application being performed within the industrial network 14 .
  • the agent 304 may monitor one or more specified data and/or executable files.
  • the agent 304 may detect particular file operations such as file deletion, creation, modification, and changes to permission, check sum errors, and the like. Agent 304 , and others, gather information and may report this information at various time intervals or in accordance with particular events to the Watch server 50 .
  • the log agent 306 may be used in monitoring a system log file for a particular computer system.
  • the log monitoring agent 306 may look for particular strings in connection with system activity such as, for example, “BOOT”, or other strings in connection with events that might occur within the computer system.
  • the log agent 306 searches the log file for predetermined strings of interest, and may store in memory the string found as well as one or more corresponding metrics such as, for example, the number of occurrences of a string.
  • the log agent 306 may count occurrences of a BOOT string and report the count in a single message which may be sent to the Watch server or appliance.
  • the sending of a single communication to the Watch server may be performed as an alternative, for example, to sending a message reporting the occurrence of each string or event.
  • Techniques such as these provide for efficient and bounded use of resources within the industrial network 14 resulting in reduced bandwidth and CPU and memory usage consumed by the agents.
  • the agent 306 may report the following metrics at periodic intervals:
  • Login failures Report the number of “failed login” messages in the system log in the reporting interval.
  • the format of these messages may vary in accordance with software platform, such as operating system and version and login server, such as for example, ssh, telnet, rlogin, and the like. Reported with this metric may be the names of the top three accounts reporting login failures in a reporting interval, and what percentage of the total number of failure reports is associated with each of these three accounts.
  • Password change failures Report the number of “failed password change attempt” messages in the system log in the reporting interval. Some of these failures may be the result of an authorized user trying to change his/her own password. This metric may indicate false positives such as these in addition to indicating a brute force password attack by an unauthorized user. Reported with this metric may be the top three accounts reporting failed password attempts in a reporting interval and a corresponding percentage of failed attempts associated with each account.
  • Network ARPwatch Using the modified version of ARPwatch described elsewhere herein, this metric reports the number of unapproved IP/device address bindings currently on the network. The ARPwatch metric also reports the first three ARPwatch log messages detected in each reporting interval, and if the metric is non-zero in an interval, reports the top three IP addresses and device addresses responsible for those messages.
  • Host IDS audit violations Report the total number of IDS and failure audit messages detected in the reporting interval.
  • the IDS classifies the messages report a count for each classification—eg: critical, warning.
  • This metric may be extended to report a summary of all the messages detected for each kind of message in the reporting interval as well, including, where process information is available, the top three processes responsible for the messages and the percentage of total messages associated with each process and/or, where file information is available, the top three files that are reported as the targets of audited file manipulations, and what percentage of all the IDS messages each file was mentioned in.
  • Host IDS antivirus alerts for host IDS systems that monitor and report on viruses detected on control system hardware. Note that while some computers in the industrial network may not execute antivirus software for performance, compatibility, or other reasons, other computers within the industrial network may utilize antivirus software. An embodiment of this agent may also report the first three such messages detected in a reporting interval.
  • the agent 306 may also include metrics related to the following:
  • Web page authentication failures web page permission violations, total web page failures, firewall violations (described herein in more detail), and tape backup failures. This last metric may be useful in connection with notifying administrators, for example, in the event that security history or other information is no longer being backed up on a tape or other backup device.
  • Windows event logs Report the number of Windows “Error,” “Warning,” “Informational,” “Success Audit,” and “Failure Audit,” log entries detected in the reporting interval.
  • the agent also reports the first 256 characters of text for the first three such log entries discovered for every type of log in every reporting interval.
  • the hardware and operating system agent 308 may be used in connection with gathering and reporting information in connection with the operating system and hardware. For example, through execution of a status commands or others that may be available in an embodiment, information may be produced using one or more operating system utilities or calls. As an output of the command, data may be produced which is parsed by the hardware operating system agent 308 for the particular statistics or metrics of interest. In one embodiment the hardware operating system agent 308 may use one or more status commands, for example, to obtain information about CPU load, disk space, memory usage, uptime, when the last reboot has occurred, hardware and software information such as related to version numbers, and the like.
  • the hardware operating system agent 308 may parse the output of different status commands and send a single report to the Watch server at different points in time rather than report multiple messages to the Watch server. For example, the agent 308 may combine information from multiple status commands and send a single communication to the Watch server or appliance 50 at particular time periods or in accordance with particular events.
  • the following metrics may be reported by agent 308 at periodic intervals:
  • Counts of interprocess communications resources used System V message counts and segment counts for any message queues used by the control system. If the system is becoming congested such as, for example, messages requests are backing up because the system does not have the resources to process them fast enough, or because of a failure of some component of the system that is supposed to be processing them, an alarm may be raised when any message queue's message or segment count exceeds a preset limit.
  • Operating System type This is a constant value reported to assist in auto-configuration of the Watch server. For example, when an administrator is searching for a particular machine when using the GUI on the Watch server, that person may become confused by the many machines whose information is available via the GUI. Operating system type, version number, and the like, may be used in identifying a particular machine through the GUI.
  • metric reports not just the count of logins, but for the first N logins, such as 20 for example, report where the user is logged in from, such as the machine's console, or the IP address, or host name of some other machine the user is logged in from.
  • the foregoing metrics may be determined on a Unix-based system. Other systems may provide similar ways to obtain the same or equivalent information. Note that below as known to those of ordinary skill in the art, “tty” is a UNIX-specific reference to a UNIX device that manages RS232 terminal connections:
  • the number of current users may be determined in a Unix-based system by remove from the “who” list (from 1) any user whose identifier is not associated with any active process identified in 3).
  • an embodiment may also search the /etc/passwd file for each user “who” reports. Any user with a numeric user ID of 0 is in fact running as root and is reported as such. Since a single user logged in on the console may have many terminal windows open and “who” reports each as a separate login, it may be desirable to report the foregoing as a single user.
  • CPU Load On a Windows-based system, report the % CPU used in the reporting interval. On UNIX systems, report the CPU load average for the interval. The load average is the average number of processes competing for the CPU. Note that on a Windows system, if some process is spinning in a tight loop, the machine reports 100% CPU usage. This metric may be characterized as a rather blunt reporting instrument since it gives no idea of how much “other” work the machine is accomplishing over and above the process that is currently looping. On a UNIX system in a similar state, a report may indicate, for example, a load average of 1.5. The process in a loop accounts for 1 load unit (it was always wanting the CPU).
  • the additional 0.5 indicates that over and above the executing process, 1 ⁇ 2 of the time some other process wanted the CPU for execution purposes: Additionally, the top three process names consuming CPU in a reporting interval may be reported along with what portion (such as a fraction or percentage) of the CPU used in the interval was used by each of these top three processes.
  • % Disk space for every disk partition or volume, report the % used for each. It should be noted that RTAP may be configured to alert when the percentage of this metric is not in accordance with an absolute threshold.
  • % Swap space Report the % used for swap space. An alert may be generated when that metric increases to an absolute threshold. Additionally, in each reporting interval, the top three processes using memory and/or swap space may be reported and what % of the available resource each of these processes consumes.
  • % Memory Used Report the fraction of physical memory used. It should be noted that some operating systems report swap and memory as one metric and so the % swap space metric may be the metric reported. In that case % swap space combines memory used and swap used into one total and reports the fraction of that total in use.
  • Hardware such as LM
  • Sensors and Disk Status (such as SMART)—Report metrics from sensors on different computer components, such as the CPU.
  • the values reported on different platforms may differ in accordance with the different hardware and/or software and/or monitoring circuits. Examples of the metrics that may be reported by one or more sensors may include CPU temperature, case temperature, fan speed for any of several fans, power supply working/failed status in machines with multiple power supplies, soft hard disk failures, etc. These sensors can provide early warning of impending hardware failure of critical industrial control computer components.
  • SMART refers to the Self Monitoring Analysis and Reporting Technology as described, for example, at http://smartmontools.sourceforge.net.
  • LM refers to, for example, “LM-78” and “LM-75” hardware monitoring functionality that is standard in some vendor chipsets and is described, for example, at http://secure.netroedge.com/ ⁇ lm78.
  • Network Traffic Report total incoming and total outgoing traffic for every network interface on the computer.
  • An abnormal increase in such traffic can mean either that the machine is under attack, that the machine has been compromised and is being used to attack another machine, that the machine has been compromised and is being used for some purpose other than it was intended for, or that there has been some sort of malfunction of the control system on the machine.
  • Open listen sockets Reports a count of open listen sockets on the computer. Listen sockets are almost always associated with long-running server processes, and the count of such processes and sockets almost always changes very predictably on control system computers. For example, the count of such sockets may fall within a very small range having little variance. When the count moves out of this range, an alert may be generated. When the listen socket count falls out of the bottom of the range, it may be an indication that some server component of the operating system or of the control system itself has failed, causing the associated listen socket to close. When the listen socket count rises out of the top of the normal range, it may indicate that some server component has been added to the system.
  • This may be, for example, a new control system component, a debugging or other tool that it may or may not be wise to deploy on a production control system, or a component installed by an intruder or authorized user seeking to gain unauthorized access to the system in the future.
  • the password age agent 310 may be used in monitoring the status of different passwords and accounts. Such activity may include password aging.
  • the particular metrics that may be gathered by the agent 310 may relate to the security of the computer system being monitored as a security measure to detect hackers trying to log in to the system.
  • the agent 310 may report the following at periodic intervals:
  • Max password age Once an hour, a maximum password age metric may be reported that measures the age of every password on every account on the system. Included in this reported metric may be the age of the oldest password on the system, and, for each of the first 100 users on the system, the user name and age of that user's password. This metric may be useful when raising alerts when passwords become too old. Some sites have a policy of changing passwords regularly, eg: at minimum every 180 days. Because user names and password ages can serve to help identify vulnerable accounts on a computer system, these information may be separately encrypted when the primary communication channel for the agent report is not already encrypted.
  • the application specific agent 312 may be customized, for example, to monitor specific application parameters that may vary with a particular embodiment and/or application executing in the industrial network 14 .
  • the application specific agent 312 is an agent that may be built and specified by a particular operator of the industrial network.
  • the agent 312 may report information about the particular application at periodic intervals including any of the following metrics:
  • Abnormal process terminations A count of control system processes that have terminated unexpectedly or with an improper exit/termination status. The names of a number of such processes which failed in the reporting period may also be reported. These names occupy a fixed maximum size/communications budget, and mean that the next level of detail is available in the Web GUI. It should be noted that this metric may include reporting information regarding the first processes in time to terminate unexpectedly rather than the last processes in time to terminate unexpectedly since the last processes may have terminated as a result of the earliest failed processes. For example, a later terminated process (unexpectedly terminated) may have terminated execution as a result of being unable to communicate with an earlier terminated process (unexpectedly terminated). Also included with this metric when non-zero are the names or other identifiers of the processes that failed most frequently, and what percentage of the total number of failures is associated with each.
  • Installed software Reports a count of software packages installed, uninstalled and/or updated in the last reporting period. This information comes from whatever sources are available on the computer such as, for example, one or more log files that are appended to when software is installed, uninstalled or updated, and one or more system databases of installed software that are updated when software is installed, uninstalled or updated.
  • Another type of application specific agent 312 may be a control system software agent with knowledge of the expected behavior of a specific control system such as, for example, a Foxboro IA system, a Wonderware InSQL server, or a Verano RTAP server (such as the RTAP component 312 ), and the like. Such agents may report some metrics already described herein such as:
  • Installed software When the control system software itself has new components installed, or installed components updated or removed.
  • Process terminations either terminations reported as abnormal by the control system software application itself, or processes no longer active that the agent “knows” should be active because a correctly functioning Foxboro or RTAP or other system should have such processes active to run correctly.
  • Open listen sockets The number of open listen sockets. An embodiment may report and monitor the number of open listen sockets that are managed by the control system and are expected to be open for the correct operation of the control system. Note that the number of open listen sockets refers to an embodiment that may use, for example, UDP or TCP. This metric may be more generally characterized as the number of communication endpoints or communication channels open on a server machine upon which the server is listening for client requests.
  • Control system shutdown Reports all controlled and uncontrolled shutdowns of the control systems application. In the case of an unexpected shutdown of the entire computer running the control system, where there may not have been an opportunity to report the shutdown before the computer itself shuts down, the shutdown may be reported when the computer and the agent restart.
  • An embodiment may also include other types of agents not illustrated in 300 . Some of these may be optionally included in accordance with the amount of resources available as well as the particular task being performed by a system being monitored.
  • an embodiment may also include a type of agent of the first class reporting on file system integrity characteristics, such as changes in file checksum values, permissions, types, and the like. Execution of such an agent may be too CPU and/or disk I/O intensive to scan entire filesystems, or to determine checksums for large number of files in a system, so this agent may be selectively included in particular embodiments.
  • the file system integrity agent may report the following metric at periodic intervals:
  • Integrity failures For IDS that monitor and report on file integrity, report the total number of integrity failure messages detected in the reporting interval. For systems that report different kinds of, or priorities of, integrity failures, an embodiment may report the total integrity failures in each classification. For each classification of failure, also report the first three integrity failure log messages or events detected in the reporting interval and a count of the remaining messages not reported. Integrity failures may be discovered by the agent itself, or the agent may monitor the results of conventional integrity checking tools such as Tripwire or may invoke installation integrity checking tools such as fverify. For more information on Tripwire, see http://www.tripwire.org. For more information on fverify, see: http://h30097.www3.hp.com/docs/base doc/DOCUMENTATION/V51 HTML/MAN/INDEXES/IN DEX_F.HTM
  • an embodiment may pace filesystem integrity checking such that only a small number of files are checked in a given reporting interval to reduce and/or limit the CPU and disk I/O impact of such checking.
  • Such an embodiment may, for example, also classify files into two or more levels of importance, and may scan some number of files from each level of importance in each reporting interval. This way, when the lowest level of importance has many more files in it than the highest level of importance, more important files will tend to be checked more frequently than less important files, while still controlling the resource impact of the scanning.
  • an embodiment may issue an alert using RTAP when any one of more of the metrics, reported as a count or value rather than a boolean, described herein is not in accordance with an absolute threshold.
  • the Watch server may be characterized as an appliance that is a passive listening device where data flow is into the appliance.
  • a process may be executed which expects a periodic report from the agents 132 a - 132 d as well as a report from the agents 132 a - 132 d when a particular event occurs. If there is no report from a particular agent 132 a - 132 d within a predefined time period, the Watch appliance may detect this and consider the agent on a particular system as down or unavailable.
  • an alarm or alert may be raised. Raising an alarm or alert may cause output to be displayed, for example, on a console of a notification device.
  • the different types of agents provide for gathering data that relates to the health, performance, and security of an industrial network. This information is reported to the Watch appliance or server 50 that uses the health, performance and security data in connection with security threat monitoring, detection, and determination.
  • Each of the agents may open up its own communication connection, such as a socket, to send data to the Watch server.
  • An embodiment may alternatively use a different design and interaction of the different types of agents than as illustrated in 300 .
  • each agent may be implemented as a separate process.
  • a single process may be used performing the processing of all the different types of agents illustrated in FIG. 5 and all data may be communicated to the Watch server over a single communication connection maintained by this single process.
  • An embodiment may use another configuration to perform the necessary tasks for data gathering described herein.
  • an embodiment may include the master agent with any one or more of the different types of agents for use with a system being monitored.
  • the master agent is necessary to control the operation of one or more of the other types of the first class.
  • FIG. 6 shown is an example 350 of the architecture of each of the agents of the first and second classes described herein. It should be noted that the architecture 350 may vary in a particular embodiment or with a particular class of agent. The particular illustration of FIG. 6 is only an example and should not be construed as a limitation of the techniques described herein.
  • An agent data source 352 is input to an input data parser 354 .
  • the particular data source 352 may vary in accordance with the particular type of agent.
  • the agent data source may be a system log file.
  • the agent data source may be the output of one or more status commands.
  • the one or more data sources 352 are input to the data parser 354 for parsing.
  • the particular tokens which are parsed by 354 may be passed to the pattern matching module 356 or the metric aggregator and analyzer 358 . It should be noted that there are times when the parsed data may be included in a message and does not require use of pattern matching.
  • the pattern matching module 356 searches the data stream produced by 354 for those one or more strings or items of interest.
  • the pattern matching module 356 may report any matches to the metric aggregator and analyzer 358 .
  • the component 358 keeps track of summary of the different strings as well as counts of each particular string that have occurred over a time period as well as performs processing in connection with immediate notification.
  • an agent may report data to the Watch server 50 at periodic reporting intervals. Additionally, the agent may also report certain events upon immediate detection by the agent. This is described elsewhere herein in more detail.
  • the metric aggregator and analyzer 358 also controls the flow of data between the different components and is also responsible for compressing the messages to minimize the bandwidth function.
  • the metric aggregator and analyzer 358 may send data to the XML data rendering module 362 to form the message.
  • the XML data rendering module 362 puts the information to be sent to the Watch server 50 in the form of an XML message in this particular embodiment. Subsequently, component 362 communicates this XML message to the message authentication and encryption module 360 for encryption prior to sending the XML message to the Watch server or appliance.
  • a timestamp and agent host name or identifier may be included in a message body or text.
  • the authentication processing on the Watch server 50 such as may be performed by the receiver 210 , may require that the timestamp values always increase and otherwise reject duplicate or out of date messages.
  • an encryption technique may be used which utilizes a key, such as a shared secret key, and the entire message may be encrypted with this key.
  • the shared secret key provides the message authentication information.
  • An embodiment may also use other well-known techniques such as, for example, the MD5 cryptographic checksum and encrypt the checksum of the entire message.
  • the authentication processing performed within the Watch server 50 may vary in accordance with the techniques used by the agents.
  • an agent may encrypt the checksum of the message and not the message itself.
  • the agent may encrypt the message.
  • the different types of data reported by the types of first class of agents illustrated in FIG. 5 relate to the health, performance, and security of a critical network, such as the industrial network 14 .
  • This data as reported to the Watch server 50 enables the Watch server 50 to generate signals or alerts in accordance with the health, performance, and security of the critical network.
  • the RTAP 212 of the Watch server may be characterized as a global aggregator and monitor of the different types of data reported to a central point, the Watch server 50 .
  • the agents 132 a - 132 d (of the first class described elsewhere herein) as well as the second class of agents that communicate data to the Watch server 50 may be characterized as distributed monitoring agents. In one embodiment, these agents may raise alerts or send reports to the Watch server in summary format in accordance with predefined time periods, or in accordance with the detection of certain events in order to conserve the bandwidth within the industrial network 14 . In existing systems, agents may report every occurrence of a particular event, such as a suspicious activity, and may result in the consumption of excessive bandwidth when a system is under attack. An agent, such as one of the first class executing in the industrial network 14 , may report attack summaries at fixed intervals to conserve network resources.
  • an agent 132 a - 132 d may report the occurrence of a first suspicious event and then report a summary at the end of a reporting period.
  • reports may be sent from an agent at predetermined time intervals.
  • the agents may send messages upon the detection or occurrence of certain conditions or events.
  • the agents (first class and second class when communicating with the receiver 210 ) included in an embodiment may be designed in accordance with particular criteria. As described in connection with the above embodiment, the agents are “one-way” communication agents at the application level for increased security so that operation of an agent, such as on a component in the industrial network 14 , minimizes added vulnerability to a network attack.
  • the agents communicate with the Watch server by opening a TCP connection, sending an XML document over the connection, and closing the connection after the XML communication is sent. The agents do not read commands or requests for information from this connection from the Watch server.
  • a computer hosting an agent does receive and process messages from the Watch server.
  • the processing performed by such a host to an agent are limited to processing steps at lower network levels.
  • this processing may include the TCP-level connection setup, teardown and data acknowledgement messages performed at levels lower than the application level. Any vulnerabilities existing at these lower levels exist independent of whether the agents described herein are utilized. In other words, use of the agents described herein does not introduce any additional vulnerabilities into monitored and networked control system equipment.
  • the agents in particular the first class of agents described herein, may be characterized as bandwidth limited agents designed to consume a fixed portion of available network resources.
  • Conventional security agents tend to report every anomalous event upon the occurrence of the event consuming potentially unbounded communication resources under denial-of-service attacks.
  • Conventional agents may regard every security event as important and make a best-effort attempt to communicate every such event to their management console. Agents that consume an excessive amount of a limited network communications resource risk causing the entire system to malfunction, triggering safety relays and other mechanisms to initiate an emergency shutdown of the industrial process.
  • the agents described herein are designed to transmit small fixed-size messages at fixed intervals, thus consuming a bounded portion of available communications resources, even under denial-of-service attack conditions.
  • the first class of agents herein gather information, produce condition reports and event summaries, and report those conditions and summaries at fixed intervals.
  • the reports may include: statistics in accordance with the particular first class agent type, such as, for example, resource usage statistics like % CPU used, CPU load factors, % memory used, % file system used, I/O bus utilization, network bandwidth utilization, number of logged in users, and the like.
  • the report may also identify the top N, such as, for example, two or three, consumers of one or more resources.
  • the consumers may be identified by, for example, process names, directories, source IP addresses, and the like, and may identify, when appropriate, what portion of a resource each is consuming.
  • the report may also include other information that may vary with agent type and class such as, for example, counts of log messages and other events, like login failures, network intrusion attempts, firewall violations, and the like detected in the reporting interval that match some criterion or search expression; representative samples of the complete event description or log message for the events counted in the reporting interval, and a short statistical summary of the events, such as what host or IP address hosted the most attacks and what percentage of attacks overall were hosted by a particular computer, which host was most attacked and what percentage of attacks were targeted at a particular host, what user account was most used in connection with launching an attack and what portion of attacks are targeted at a particular user account.
  • a reporting threshold for an agent may be specified indicating a maximum amount of data the agent is allowed to transmit during one of the reporting intervals.
  • the reporting threshold may specify, for example, a number of bytes that is equal to or greater than a size of a summary report sent at the reporting interval. For a given reporting interval or period, an agent's reporting budget may be the reporting threshold.
  • the agent may also report one or more other messages as needed besides the summary in accordance with the specified reporting threshold. Prior to sending a report, the agent makes a determination as to whether it is allowed to send a next report by determining if the total amount of data reported by an agent would exceed the reporting threshold by sending the next report. If the threshold is exceeded, the agent does not send the report.
  • the agents described herein are also designed to limit the amount of processing time and storage (disk and memory) consumed.
  • Conventional intrusion detection and performance monitoring agents are known for the negative performance and storage impact on the system being monitored.
  • SNMP components for example, have been known to consume all of the memory on a host of the SNMP component.
  • AntiVirus scanners may impair the performance of the machines they are monitoring by up to 30-40% depending on the particular processor. The foregoing may not be acceptable in connection with legacy systems, such as may be encountered in industrial networks.
  • Industrial control applications respond to inputs from the industrial process within very short time windows due their real-time processing nature. Furthermore, such systems render information about the process to operators in a timely manner.
  • Anti-virus solutions may not generally be deployed on control system hardware, such as in the industrial network 14 described herein, because the anti-virus processing may impair the operation of a system sometimes causing system failure.
  • the agents described herein are designed to minimize the resource impact on the system being monitored. Expensive metrics, like filesystem checksums, are gathered over a very long period of time, or for only the most security-critical components so that the impact of the data gathering on the system being monitored is within a small fixed budget. For example, in one embodiment, 1-3% of all of a machine's resources can be allotted to the monitoring agents executing thereon.
  • An embodiment of RTAP 212 may use an event reporting technique referred to as the exponentially decreasing attack reporting.
  • an e-mail or other notification message is sent indicating that a particular metric has gone into alert state. If the “current value” of the metric, for example, returns to the “normal” range, a notification message may also be sent regarding this transition.
  • the foregoing may cause a large burst of notification messages to be sent to an administrator and important information may be overlooked due to the volume of notification messages received in a short time interval. For example, in the event that the alert or alarm condition exists for some time period, an initial set of notification messages may be sent when an attacker succeeds in compromising one machine.
  • Reported by agents on that machine in the industrial network may be high memory and network usage as a consequence of being compromised and an illicit web server started.
  • usage levels return to normal, another set of notification messages may be sent.
  • An administrator with access to a web browser could log into the Watch web user interface and see that metrics on a particular host were still in an alert state, but email notification may also be used by administrators who do not have such access.
  • an embodiment may use the “exponentially decreasing notifications” technique which reports the initial alert. Instead of staying silent until the next alert state change, additional alert notices are sent while the metric stays in an alert state.
  • the frequency with which these additional alert notices are sent may vary in accordance with the length of time an alarm condition or state persists. In an embodiment, this frequency may decrease exponentially, or approximately exponentially.
  • the following alert or alarm notification messages may be sent upon the first detection of an alarm or alert condition, and at the end of a first defined reporting interval. At this point, there may be additional summary information that may be optionally sent to the user with the notification message. This is described in more detail herein using the enhanced email notification described elsewhere herein. Subsequently, a notification message is sent at increasing intervals while the condition persists. These time intervals may be user specified as well as defined using one or more default values that may vary with an embodiment. For example, in one embodiment, an initial reporting interval of an alarm condition may be every minute.
  • notification messages may sent at time intervals so that a current reporting interval is approximately 10 times longer than the previous reporting time interval.
  • the second notification message may be sent after 10 minutes and include any additional information such as may be available using the enhanced e-mail reporting described elsewhere herein.
  • the third notification message may be sent at about 11 ⁇ 2 hours later, and so on.
  • the reporting interval may reach a maximum of, for example, 12 hours so that if an alarm or alert state persists, notification messages with enhanced reporting (such as enhanced e-mail) may be sent every 12 hours until the alert condition clears, or the user otherwise removes themselves from the notification list.
  • persistent alert conditions that may otherwise be lost in a burst of notification messages may remind the administrator that there is a persistent problem condition, and provide the administrator with current summary information so that the administrator can see if the nature of the attack or compromise is changing over time.
  • the bandwidth of the network may be more wisely utilized for the duration of the attack as well.
  • the foregoing exponentially decreasing notification reporting may be performed by the notification server 216 of FIG. 4 .
  • the alarm or alert conditions may be produced using the calculation as described elsewhere herein causing the notification server to be notified.
  • the foregoing may be performed by the notification server to reduce the number of times that a notification message is sent.
  • an embodiment may use different techniques in connection with when agents report to the Watch server 50 .
  • One design concern as described elsewhere herein, is minimizing the amount of network bandwidth used for reporting due to the possible bandwidth limitation of the industrial network.
  • the log agent 306 may report the first detection of a log message that causes the metric to increment as soon as the log message is detected. Subsequently, the agent does not report any additional information to the Watch server about the metric until the end of the reporting interval, when the agent 306 then reports the total count for the metric in the reporting interval. Using the foregoing, immediate notification may be achieved upon the occurrence of the metric increase and then an update received at the next reporting interval.
  • the foregoing immediate notification may be used with metrics determined using log files.
  • An embodiment may also use other agent types to report other metrics that may be readily determined on an event basis such as, for example, a line being added to a log file, a file descriptor becoming readable, or a command executing.
  • An embodiment may use a combination of the foregoing immediate notification and periodic interval reporting.
  • the foregoing immediate notification may be performed in accordance with user selected and/or default specified conditions. This may vary with each embodiment.
  • the metric aggregator and analyzer 358 may perform processing steps in connection with the immediate reporting and also periodic interval reporting to the Watch server 50 .
  • FIG. 7 shown is a flowchart 450 of processing steps describing the control flow previously described in connection with 350 of FIG. 6 .
  • the processing steps of 450 may be performed in an embodiment by each of the agents of the first and second classes when processing the one or more input data sources.
  • a determination is made as to whether input data has been received by the agent. If not, control continues to wait at step 452 until input data has been received.
  • the input data may be received in accordance with the agent performing a particular task such as executing a command producing input, waiting for input on a communications channel, reading a data file, and the like, in accordance with one or more predefined criteria.
  • the one or more predefined criteria may include performing a particular task at predefined intervals, when a particular data file reaches a certain level of capacity in accordance with a number of operations, and the like.
  • the particular criteria which causes the input data to be received by the agent may vary in accordance with each embodiment.
  • control proceeds to step 454 where the input data is read and then parsed at step 454 .
  • step 455 a determination is made as to whether pattern matching is needed. If not, control proceeds to step 460 . It should be noted that pattern matching may not be needed, for example, if no selective filtering of the parsed input source is needed when all metrics from a source are reported.
  • step 456 pattern matching is performed.
  • step 458 a determination is made as to whether the input data has any one or more matches in accordance with predefined string values indicating events of interest. If not, no strings of interest are located and control returns to step 452 . Otherwise, control proceeds to step 460 where data may be recorded for the one or more metrics derived from the parsed input source. For example, a particular metric and its value may be stored and recorded, for example, in the memory of a computer system upon which the agent is executing.
  • step 462 a determination is made as to whether any messages reporting data to the Watch server are to be sent. As described herein, an agent may report data at periodic intervals when summary information is reported.
  • An embodiment may also provide for immediate reporting the first time a designated metric increases in value such as may be the case, for example, at the beginning of an attack or an attempted attack. This processing may be performed, for example, by the metric aggregator and analyzer 358 . If no message is to be sent to the Watch server 50 , control proceeds to step 452 to a obtain additional data. Otherwise, control proceeds to step 464 where the message to be sent to the Watch server is prepared in accordance with a message protocol and/or encryption technique that may be used in an embodiment. As described herein, for example, a message being sent to the Watch server is sent in an XML or other format and an encryption technique described elsewhere herein may also be used. Control then proceeds to step 466 where the message is sent to the Watch server. Control then returns to step 452 to wait for additional input data to be received by the agent.
  • FIG. 8 shown is an example of an embodiment 212 of components that may be included in RTAP.
  • RTAP scheduler 502 includes a calculation engine 510 .
  • the database server 508 may output data, such as the metrics gathered by the agents described herein, to one or more devices 514 which may be stored, for example, on data storage devices such as disks.
  • a memory resident portion of the database 512 used to store designated portions of the data in memory in order to increase efficiency by reducing the amount of time it takes to retrieve data.
  • An embodiment may therefore designate one or more portions of the database to be stored in a memory resident portion 512 .
  • the RTAP scheduler 502 schedules and coordinates the different processes within the RTAP component 212 .
  • the RTAP scheduler may perform various process management tasks such as, for example, ensuring that other processes in 212 are executing, scheduling different processing for execution, and the like.
  • the alarm server 504 may be used in connection with interfacing to one or more other components described elsewhere herein for notification purposes.
  • the alarm server 504 may interface with the notification server 216 and the threat thermostat controller of the Watch server 50 .
  • the alarm server 504 may be signaled in the event of a detection of a particular alert or alarm condition by the database server 508 and may accordingly interact with components external to RTAP 212 .
  • the Java server 506 may characterized as a bi-directional server communicating with the web server 32 of FIG.
  • the Java server 506 may interface with the web server 32 as needed for notification, message sending, and other communications with RTAP 212 .
  • the Java server 506 may also output one or more inputs to the threat thermostat controller 218 , and also receive input from the receiver 210 to store data gathered by agents.
  • the database server 508 may be used in connection with storing data either on a data storage device, such as a disk 514 , as well as the one or more memory resident portions of the database, as may be included within memory 512 .
  • the memory resident portion 512 may be implemented, for example, as a shared memory segment.
  • the data stored in 512 and/or 514 may be an object-oriented database. Prior to use, objects of the database may be designated for inclusion in the memory resident portion 512 .
  • write operations of the database are made to the database server using the calculation engine 510 .
  • Read operations may be performed by having another RTAP component perform the processing rather than reading the data through the use of the database server 508 .
  • the RTAP component such as the Java server, processing a read request for data first consults the memory resident portion 512 and may obtain the one or more other portions of data from disk storage 514 as needed. All write operations in this embodiment are processed through the database server 508 and the calculation engine 510 is used to determine revised data values having dependencies on a modified data value being written.
  • the database server 508 uses an alarm state table 520 in this embodiment to determine alarm conditions in accordance with modified data values stored in the database.
  • the component 520 may be included in the disk or memory resident portion of the database in an embodiment depending on how the database is configured.
  • the shared memory segments of portion 512 may be stored at various time intervals to disk or other non-volatile storage as a back up. Such a time interval may be, for example, every 30 seconds or another time interval selected in accordance with the particular tolerance for data loss in the event that data included in the memory resident portion of the database 512 is lost, for example, in connection with a power or memory failure.
  • a synchronization technique between readers and writers to the database may be omitted. Data attributes and/or objects which are being written may be synchronized to prevent reading incomplete values. However, the data that is read may also not include all of the recently data reported. Write operations may be synchronized by the database server 508 . Thus, the database within RTAP may operate without the additional overhead of using some synchronization techniques.
  • the database objects may be represented using a tree-like structure.
  • FIG. 9 shown is an example of an embodiment 600 of one representation of a database tree or schema that may include the objects of the object oriented database of RTAP.
  • at level 0 is a root of the tree 600 .
  • a security object node and an object template node are children of the root located at level 1.
  • the security object is referred to as the parent node with respect to all of the related metrics and other data stored within RTAP.
  • the object templates may include one or more nodes that correspond to the different templates for each of the different object types. For example, in this embodiment there is a metric name object type, a category name object type, and a host name object type.
  • a category name may refer to a particular category of metrics. For example, one category may be login information having associate metrics such as number of failed password attempts, and the like.
  • Each of the different metrics associated with a particular category is a child node of a category node corresponding to that particular category.
  • the failed password attempts may be one metric stored in a metric object which is a child node with respect to the category name object for login information.
  • This 3-level tree of objects is only one possible embodiment of a database of metrics.
  • Other embodiments that may also be implemented by one of ordinary skill in the art may include, for example: conventional relational database representations of metrics, as well as other tree structures for object-tree representations of metrics, such as metric objects as children of host objects without intervening category objects, multiple levels of category objects providing additional metric grouping information, and multiple levels of objects above the level of host objects, providing groupings for hosts, such as functional or geographic host groupings.
  • a particular metric may be referred to by including the name of all of the intervening objects in the path between the root and the particular node of interest.
  • one child node of the support data object is an alarm class object.
  • the children of the alarm class object correspond to the different types of alarm classes.
  • a child node, such as 608 includes the alarm state table for that class.
  • the number of states in an alarm class specifies the number of bins or alarm levels.
  • An embodiment may include other alarm classes than as shown herein.
  • a host object may be created, for example, the first time a new agent reports to the Watch server.
  • a new host may be determined by the receiver 210 of FIG. 4 .
  • On first notification of a new agent an alert or alarm condition is raised.
  • a notification message may be sent.
  • a user or administrator may be presented with a list of one or more new agents and a selection may be made to authorize or reject each new agent.
  • data from the agent may be processed by the receiver 210 . Otherwise, data from an unauthorized/unapproved agent is rejected. Note that the data from the agent is not stored or queued for later processing after approval since this may cause an overflow condition.
  • An agent reports one or more metrics or other data to the receiver 210 which, upon successful authentication of the message, may perform a write operation to the database of RTAP.
  • the RTAP database server 508 then writes the values to the objects and executes or runs the calculation engine in order to propagate all other values dependent on this new value written to the database.
  • a particular metric such as the number of failed password attempts, may be referenced as a metric attribute.
  • the first metric attribute may be the number of failed password attempts as a raw value.
  • a second metric attribute may be the raw value used in a mathematical representation to calculate a percentage.
  • a revised percentage is determined as a revised second attribute value.
  • the calculation engine 510 has a built-in alarm function which uses values from the alarm state table 520 to determine if a revised data value triggers an alarm condition. After writing a new data value to the database, the calculation engine determines revised data values as described above in accordance with data dependencies. Once the revised data values have been determined, alarm state table 520 may be consulted to determine if any of the revised values now trigger a new or revised alarm condition. In the event that the calculation engine determines that an alarm condition has been detected, a message is sent from the database server 508 to the alarm server 504 which subsequently sends a message to the one or more notification servers.
  • an alarm state vector or alarm instance may be defined for an attribute of a metric object. In determining a value for this attribute, the alarm function described above may be invoked.
  • the attribute 1 622 has an associated alarm instance 624 and an alarm function whose result is assigned as the value of the attribute 1 622 .
  • the alarm instance 624 includes one or more subvalues 628 a - 628 c that may be used by the alarm function.
  • the subvalues include a current alarm state 628 a , a current acknowledged state (Ack state) 628 b , and a sequence number 628 c . It should be noted that other information may be included as one or more subvalues than as described herein in this example. Use of these subvalues 628 a - 628 c is described in more detail in following paragraphs.
  • the subvalues may be included in a vector or other data structure.
  • the alarm function may have a defined API of the following format:
  • Alarm (alarmclass, value, limits, other data . . . )
  • the limits in the above refer to the alarm limits vector, as described elsewhere herein.
  • the alarm limits vector may include one or more levels associated with the different thresholds.
  • Each level in the alarm limits vector above refers to an alarm level or threshold that may be associated with varying degrees of alarm conditions or severity levels such as, for example, warning, high, and the like.
  • Each of these levels may be stored within another attribute, such as attribute 2 of FIG. 9A and may have a default value as specified in the original template. These values may be changed in an embodiment, for example, through a user specifying or selecting a new threshold level.
  • the alarmclass may be used to specify a particular class of alarm (such as 2-, 3-, or 5-state) in order to determine the proper alarm class from the tree 600 to obtain the corresponding alarm state table for a particular alarm class.
  • state tables as may be used in connection with alarm states, are known to those of ordinary skill in the art and may include one or more rows of input. Each row may specify a next state and action(s) based on a current state and given input(s).
  • the built in alarm function of the calculation engine may determine, in accordance with the revised data values, whether a predefined level associated with an alarm condition has been exceeded.
  • the predefined levels may be default or user-specified alarm thresholds.
  • the RTAP component 212 may be characterized as described herein in one embodiment as an environment which is a set of cooperating processes that share a common communications infrastructure. In one embodiment, these processes may communicate using SysV UNIX messaging techniques, semaphores, shared messages, and the like. As known to those of ordinary skill in the art, an embodiment using SysV messaging techniques may experience problems due to insufficient memory allocated for message use, such as with RTAP communications. Messages that may be communicated between processes within RTAP, as well as between RTAP and other components, may use a prioritization scheme in which low priority activities involving message sending are suspended when the amount of memory in a message pool falls below a designated threshold. This particular designated threshold may vary in accordance with each particular embodiment.
  • a portion of the memory for message use such as 80% may be designated as a maximum threshold for use in connection with requests.
  • any new requests are blocked until conditions allow this threshold not to be exceeded.
  • message responses are processed.
  • the foregoing may be used to avoid a deadlock condition by blocking, a request in the event that the threshold portion of the message pool is consumed for use in connection with requests.
  • the foregoing special message management functionality may be included in one or more routines or functions of an API layer used by the different RTAP components when performing any messaging operation or function. These routines in the API layer may then invoke the underlying messaging routines that may be included in the operating system.
  • An embodiment may utilize what is referred to herein as “latching alerts” where a particular alarm level does not decrease until an acknowledgment of the current alarm state has been received.
  • An acknowledgment may be made, for example, by an operator through a GUI.
  • An embodiment may define an alarm state table 520 such that an alarm or an alert state may be raised or remain the same until an acknowledgement of the alarm or alert state has been received. Until an acknowledgment is received, the alarm state table does not provide for reducing the alarm or alert state.
  • the foregoing latching alerts may be performed in connection with one or more of those metrics associated with an alert or an alarm state.
  • the latching alerts may be used in an embodiment in connection with particular indicators or classes. Other classes of metrics, such as those associated with performance indicators, may not be subject to the latching condition. This may vary in accordance with each embodiment.
  • FIG. 10 shown is an example of an embodiment of the alarm state table 520 that may be used in connection with implementing latching alerts.
  • a line of information corresponding to a current level or state.
  • Each line of information includes a current level or state, an acknowledgment, and input value or range, a next level or state, and an associated action.
  • a normal level is associated with a level one indicator for a range of input values between 0 and 100, inclusively.
  • An alarm condition is associated with a second level for a range of input values between 101 and 200, inclusively.
  • a third alarm level is associated with an input range of values from 201 to 300, inclusively.
  • Line 652 indicates that the current level or state of normal level one is maintained as long as the input is between the range of 0 and 100.
  • Line 654 indicates that when the current level is normal (level 1) and a current input value is between the range of 101 to 200, level 2 is the next designated level or alarm condition. The action designates that an alarm condition is generated. In connection with line 652 and 654 , it is not relevant whether an acknowledgment has been received because an acknowledgment does not apply in this example in connection with a normal alarm or level condition.
  • line 656 when the system is in the second level of alarm and the input value drops down to the normal range between 0 and 100, but an acknowledgement of the alarm condition has not yet been received with respect to the level 2 alarm condition, the system remains in the level 2 state of alarm.
  • the different ranges or values specified in connection with the third column of 520 may be associated with threshold values or ranges.
  • the thresholds may be specified using default values as well as in accordance with one or more user selected values or ranges. It should also be noted that although the table 520 shows specific numeric values for the ranges in the input column, these alarm range thresholds may be parameterized to use the input values (i.e., alarm LEVELs) of the alarm function described elsewhere herein.
  • FIG. 11 shown is an example of another embodiment of an alarm state table 700 and an alarm limits vector 200 .
  • the elements of vector 200 identified in the lower left corner may be passed as input parameters when invoking the alarm function described herein specifying the LEVELs or thresholds for the different alarm states as described above.
  • the table 700 represents a 3-state alarm (normal, warning, and alert) with 2 thresholds ( 100 and 200 ) forming three partitions or ranges (0-99, 100-199, 200 and greater).
  • Each row of the table 700 corresponds to a state and includes:
  • the portion 702 of this example includes the transition functions (beginning with & in this example) used in determining state transitions from one row of the table to another.
  • Other embodiments of 700 may include information other than as described herein. State transitions occur as a result of evaluating transition functions. It should be noted that if a column name contains a space character (such as between RANGE and LEVEL in 712 ), the transition function name ends at the space character such that the remaining text (LEVEL) following the transition function (RANGE) is a modifier to the function, telling the function how to interpret the values in the column.
  • the alarm system determines the new state for an alarm by repeatedly evaluating transition functions in the context of the alarm state table for the alarm.
  • the transition functions are evaluated in the order in which they appear from left to right as columns in the state table.
  • Each transition function may take optional input parameters such as, for example, the current alarm state, values from the alarm state table and other optional values as arguments.
  • the transition function returns a new state in accordance with the input parameters.
  • Each function is evaluated repeatedly, until the new state returned is the same as indicated by the state value in 704 for a particular row, or until a transition that would loop is detected. Evaluation then proceeds to the transition function indicated by the next column moving from left to right.
  • &ACK &RANGE
  • &RANGE takes an alarm limit vector like the one illustrated in FIG. 11 , lower left corner 720 , as an example, as well as the following and other possible suffixes in column names:
  • Range 0 values less than 100
  • Range 1 values from 100 to 199
  • Range 2 value 200 or more.
  • a fourth range is implied for values less than zero (0).
  • values in this fourth implied range correspond to an error state and are not further described in connection with this example.
  • the &ACK function is a transition function that returns the current state (as indicated by column 704 ) when the alarm has not yet been acknowledged, otherwise returns the new state as indicated in column 714 when the alarm has been acknowledged.
  • the current alarm state 628 a and the ack state 628 b may be used in determining the current state of the alarm and its corresponding row in the alarm state table.
  • the sequence number 628 c may be used in connection with race conditions that may be associated with alarm conditions and acknowledgments thereof.
  • a unique sequence number is associated with each alarm state that caused a notification message to be sent to a user. Each such message contains a copy of that sequence number for the state causing the message to be sent.
  • a unique sequence number may be generated for each alarm condition associated with a single invocation of the alarm function.
  • the single invocation of the alarm function may result in transitioning from a current input state to an output state, and may also transition through one or more other intermediate states to arrive at the output state.
  • a unique sequence number is not associated with the one or more intermediate states. Rather, a first unique sequence number is associated with the current input state and a second unique sequence number is associated with the output state.
  • a first alarm condition notification message having a first sequence number may be sent to a user and indicated on a user interface display.
  • a second alarm condition indicating a greater severity that the first alarm condition and having a second sequence number, may be determined during the same time period in which a user's acknowledgement of only the first alarm condition is received and processed.
  • the user's acknowledgment is processed in accordance with the particular sequence number associated with the alarm condition being acknowledged.
  • the acknowledgement indicates an acknowledgement of the first alarm condition, but not the second.
  • the acknowledgment may also result in acknowledgement of the second alarm condition depending on whether the acknowledgement is processed before or after the second alarm condition is determined.
  • FIG. 12 shown is a state transition diagram 800 illustrating the state transitions associated with the functions 702 of alarm state table 700 .
  • each state is represented as a node.
  • the arrows between the nodes represent the transitions possible between the different states in accordance with the information in 702 of table 700 . Note that the diagram does not indicate transitions causing a same state or a transition to a state A from a same state A.
  • the alarm function is invoked including parameters indicating that the current state or initial state is Alert Unacked (6) with a metric value of 250.
  • a human user or other agent acknowledges the alarm, causing the alarm state to be re-evaluated.
  • Examining the row of table 700 for state 6, the &ACK function is evaluated with a state (6) as the current state. Since the alarm is now acknowledged, &ACK returns (5) as indicated in the &ACK column of row 6 of the table as the new state. As a result, the new state of the alarm becomes Alert Acked (5).
  • &ACK is re-evaluated for state 5 using row 5 of the table 700 . Since the alarm has been acknowledged, the &ACK function returns a 5 as the new state. Since the new state matches the current state, the evaluation of the &ACK function is complete and evaluation proceeds with the next transition function in state 5.
  • the next transition function is &RANGE. Recall that the metric value for which evaluation is being performed is 250. &RANGE uses the limits vector as described above, and determines that the current metric value of 250 is greater than the first limit of 200 classifying the current metric value as being within the highest range of 2 (greater than 200).
  • the state table in FIG. 11 illustrates an alarm that, if a metric associated with the alarm assumes a value corresponding to a lower alarm state while the alarm is latched at a higher state, and the alarm is acknowledged, the alarm transitions into the lower alarm state with an unacknowledged status. If the alarm is in a high-severity acknowledged state, and the underlying metric changes to reflect a lower-severity state, the alarm also changes to a lower-severity unacknowledged state.
  • Comparable alarm tables can be constructed that preserve the latter behavior of the alarm while altering the former behavior to transition into an acknowledged state, rather than an unacknowledged state. Such transition tables however, may be characterized as more complex than the example described herein and may include additional states than as illustrated in FIG. 11 .
  • the table 700 of FIG. 11 models an “analog” or “floating point” metric. Comparable state tables can be constructed for digital metrics, boolean and other kinds of metrics.
  • an embodiment of the alarm state table may utilize values to implement hysteresis for one or more of the ranges.
  • Hysteresis may be characterized as a behavior in which a metric value may transition from a first state into a second state in accordance with a first threshold value, and transition from the second state to the first state in accordance with a second threshold value that differs from the first threshold value.
  • Such threshold values may be used in connection with a metric that may assume values at different points in time which hover near a boundary or range threshold. The use of the two different thresholds may be used in order to reduce constantly changing states for metric values hovering near a boundary condition.
  • a range threshold may be 100.
  • the range threshold may be used to cause a transition from a first state to a second state (from 99-101). However, it may be undesirable to have an alarm state change associated with changes from 101 to 99 especially if the metric value may hover around the boundary of 100.
  • An embodiment may determine that once the first threshold is reached causing a transition from a first range under 100 to a second range of 100 or more, a value of 95 or less is needed to cause a transition from the second back to the first range using 95 as the second threshold value.
  • state tables as described herein may be modified to include the foregoing use of multiple thresholds to account for hysteresis conditions.
  • the XML messages or documents sent by the agents to the receiver may include data corresponding to objects and the tree-like structure as illustrated in FIG. 9 .
  • the XML document may include data represented as:
  • host name name of host sending the report category name name of a group of metrics metric name name of a metric value metric value attr1 other attribute/value . . .
  • an embodiment may use other formats, such as an alternative to XML, and protocols than as described herein for communications between agents and other components.
  • Attributes that may be associated with a metric include “value” and “units.” Other kinds of metrics have other attributes.
  • the “Operating System Type” metric may have corresponding attributes unique to every platform. The attributes may include, for example, a version number, machine ID or other information that may be useful on that platform, but not exist on any other platform.
  • data from the RTAP database may be combined using the calculation engine and elements from the tree-structure object oriented database to produce one or more inputs to the threat thermostat controller 218 previously described herein.
  • the calculation engine as described above may process a data-flow language with a syntax and operation similar to a spreadsheet.
  • a calculation engine expression may be defined as expressions attached to data attributes of objects in the database. When the calculation engine processes an object, all of the expressions in the object are evaluated and become the new values of the attributes to which they are attached. This evaluation process is repeated to reevaluate all objects dependent on changed values.
  • Expressions in an embodiment may reference other attributes using a relative pathname syntax based on the Apple Macintosh filesystem naming conventions. For example,
  • E 1 , E 2 , E 3 , E 4 , and E 5 there may be 5 external threat thermostat values communicated by the threat agent 200 and stored in the RTAP database called E 1 , E 2 , E 3 , E 4 , and E 5 .
  • An input to 218 may be determined as a weighted average of the foregoing five values.
  • the threat agent 200 may monitor or poll the external data sources and write the threat thermostat level indicators to the five “E” external points.
  • these five (5) points may be defined as child objects of a parent object representing the combined weighted average in an expression. The value of this expression may be assigned to the parent object having the following expression:
  • the “.indicator” operator obtains the value of the identified attribute referenced.
  • external indicator 2 is determined to be three times as valuable or relevant as the other indicators.
  • the calculation engine calculates the tree of other points having expressions referencing the contents of any of the attributes of a changed point. The engine is executed to evaluate the expressions on all of those objects, similar to that of a spreadsheet.
  • An embodiment may use any one or more known techniques in evaluating the expressions in an optimal order.
  • an approach may be taken with respect to combining inputs with respect to the different metrics as may be reported by the different agents.
  • a resulting combination may be expressed as a derived parameter used, for example, in connection with generating an alarm or alert condition, as an input to the threat thermostat 218 , and the like.
  • a derived value or signal indicating an attack may be produced by examining one of more of the following: one or more metrics from the NIDS agent, the ARPWatch agent, IPS, the number of bad logins and root user count exceeding some predetermined normal threshold tuned for that particular system.
  • the secondary information may include a resource usage alert on some machine that occurs simultaneous with, or very shortly after, a reliable indication of an attack on that machine, or on the network at large using the initial set of conditions.
  • An embodiment may, for example, generate an alarm condition or produce an input to the threat thermostat 218 based on the foregoing.
  • An alarm condition may be generated in connection with a yes or true attack indicator value based on the first set of one or more conditions. Once this has occurred, another subsequent alert or alarm condition may also be generated based on the occurrence of one or more of the second set of conditions occurring with the first set of conditions, or within a predetermined time interval thereof, for the network, or one or more of the same computers.
  • resource usage metrics may not be used as first level attack indicators or used without also examining other indicators.
  • Resource usage may be characterized as a symptom of potential machine compromise rather than an attack on the machine.
  • Usage metrics may be “noisy” causing false positive indicators of an attack if examined in isolation. However, if such an alert occurs in connection with resource usage simultaneously with, or very shortly after, another reliable “attack” indicator (as in the initial or first set of indicators above), the resource usage metric's credibility increases. Accordingly, the resource usage metrics may be consulted in combination with, or after the occurrence of, other attack indicators to determine, for example, if any one or more particular computers have been compromised.
  • an embodiment may define a derived parameter using an equation or formula that takes into account security metrics and combines them with one or more resource metrics.
  • a derived parameter may be used, for example, in connection with producing an input to the threat thermostat controller.
  • Such a derived parameter may be produced using the weighting technique described above.
  • An embodiment may include a form of enhanced reporting or notification as made by the Watch server to a user upon the detection of an alarm condition.
  • metrics and associated information may be reported by an agent.
  • the values of the metrics may be one or more factors used in determining an alarm condition.
  • the values of the metrics used to detect and report the occurrence of an alarm condition may be characterized as a first level of alarm or event notification information.
  • additional information that may have been gathered by the agent may also be useful in proceeding to take a corrective action or further diagnosing a problem associated with the alarm condition. This additional information that may be used in further diagnosing the problem or taking corrective action may be characterized as a second level of information.
  • An embodiment may provide an option for enabling/disabling notifications of alarm conditions to include this additional information.
  • the additional information may be reported by the agents to the Watch server for optional incorporation into notification messages.
  • An enable/disable option may also be associated with agents gathering the data. Whether an embodiment includes this feature or uses it for selective metrics may vary with each embodiment and its resource limits such as, for example, of the industrial network.
  • the cost and feasibility of obtaining the second level of information may be balanced with the benefits to be gained in taking corrective actions using the second level of information from an alert message rather than obtaining the information some other way. For example, if a second level of information is not included in an alert notification, an administrator may use a user interface connected to the Watch server 50 to gain the additional information.
  • the particular additional information included in the second level of enhanced notification may vary with each metric. It may include additional information to assist in determining a problem source such as a user account, IP or other address, particular component(s) or process(es) consuming a resource and the associated percentage(s), and the like. Some of this second level of information is described above with associated metrics.
  • the enhanced notification feature may be optionally enabled for use with one or more metrics of the SNMP Guard agent 203 and the Guard log agent 209 described herein. For example, the agent 203 may report the following additional information with each of the metrics for enabled enhanced reporting:
  • corrective action includes determining the reason for the communication failure. A message such as the component is not responding, its IP address and the time of the failure may help.
  • Login failures Identify the most frequent type of connection, such as a VPN, remote dial-in, or other connection, a percentage of the failures on this connection, one or more of the user IDs associated with the top number of failures and the percentage and originating IP address or other communication channel associated with each user ID.
  • Open session count identifies the number of open communication sessions between any two points. Additional information may include two or more IP addresses, host names, and the like, identified as being included as a connection endpoint.
  • Agent 209 may include the following additional enhanced reporting or notification information for the following metrics:
  • Threat thermostat change An embodiment may indicate an alarm condition when a change occurs to the threat thermostat setting.
  • the change may be the result of a manual change, an automated change in accordance with the functionality included in an embodiment. Additional detail for enhanced reporting may include what user made the change, what was the status changed to/from, the frequency that such changes have been made within a reporting period, identify the uses that most frequently changed the setting and what percentage of the time each user changed the setting.
  • NIDS and IPS reports An address or other identifying source of the most frequent alerted NIDS/IPS conditions, an associated percentage of these conditions attributed to a particular source, information about the type of attack, and the target of the attack (what machine by host name, IP address and the like).
  • Antivirus events The metric may identify a total number of antivirus events. Additional information may include a break down by type of event within a reporting period to identify what viruses (virus signatures) have been removed from a communication streams with an associated frequency or percentage, what source and/or destinations (such as source and destination networks) appeared most frequently for each type, and a frequency or percentage associated with each of the source and destinations.
  • Additional information may include the text of the first one or more messages of this type detected.
  • the example 900 may be displayed, for example, using a web browser to view alarm incident reports resulting from notification messages sent in accordance with alarm conditions determined.
  • the example 900 may be used to view and acknowledge one or more of the alarm conditions in an embodiment.
  • this display of 900 may be viewed when tab 902 for incidents is selected from one of multiple user interface tabs. Each tab may be selected in connection with different viewing and/or processing.
  • the tab 902 may flash if a new alarm condition is detected from that which is displayed in 900 at a point in time to a user.
  • this embodiment may not automatically update the display 900 with additional information for alert conditions detected since the user selected tab 902 . Rather, this embodiment flashes coloring on tab 902 to indicate such additional alert conditions detected while the user is in the process of using an instance of display 900 .
  • the inventors believe that the flashing tab is less disruptive of user concentration during alarm burst conditions than other notification techniques such as, for example, redrawing the display 900 with updated alarm information as available.
  • the display 900 may indicate in column 906 (labeled “A”) whether a particular condition indicated by a line of displayed data has been acknowledged.
  • An incident or alarm condition associated with a line of displayed data in 900 may be acknowledged, as by selecting the exclamation point icon to the left of a particular line of data, selecting the option 908 to acknowledge all displayed incidents, or some other option that may be provided in an, embodiment.
  • the status in 906 for each incident may be updated in accordance with user acknowledgement. For example, 904 indicates that the associated incident has not been acknowledged (e.g., exclamation point notation in column 906 ).
  • the two incidents as indicated by 910 have been acknowledged (e.g., no exclamation point notation in column 906 ).
  • the example 1000 may be displayed when the monitor tab 1020 is selected to view a metric tree.
  • the information displayed in 1000 is that information included in a portion of 600 —the subtree formed with the security object as its root including all child nodes.
  • the display 1000 shows an aggregate view of the different metrics and associated alarm conditions.
  • the display 1000 reflects the hierarchical representation in the subtree by showing a nesting of hosts (Guard and Watch), categories for each host (such as Intrusion attempts, Resource Usage, and the like), and metrics (such as CPU Usage, Memory Usage and Sessions) associated within each category (such as Resource Usage).
  • these metrics may be defined as leaf nodes having a parent node (category name) defined as Resource Usage.
  • the level indicator may indicate a color or other designation associated uniquely with each alarm state within an embodiment. For example, in one embodiment, the indicator may be green when the metric level is in the normal range, yellow when the metric level is in the warning range, and red when in the highest severity range.
  • the elements in 1000 representing the parent node of one or more other nodes may have a color or other designation corresponding to the aggregate condition of all the child nodes.
  • the indicator for Resource Usage may represent an aggregate of each of the indicators associated with metrics for CPU Usage, Memory Usage, and Sessions.
  • the aggregate indicator of a parent node may be determined to be the maximum indicator value of its one or more child nodes. For example, a parent node indicator, such as 1006 , is yellow if any one or more of its child node indicators, such as 1008 , are yellow but none are red.
  • the user may select to view a graph of a particular metric in the right portion of 1000 by selecting an option in the left portion of 1000 as indicated by selection 1010 .
  • the graph portion is not immediately updated in response to a user selection. Rather, the graph may be updated when the web page is refreshed in accordance with the one or more selections made at that point in time.
  • the icon or indicator displayed for Watch 1002 has a different shape than other machines, such as the Guard machine or host. The different shape makes it easier for users to find the Watch server in the list of hosts since many of the important network monitoring metrics are found in the Watch server branch of the metric tree.
  • the foregoing 900 and 1000 are examples of user interface displays that may be included in an embodiment and displayed, such as using a web browser on the web server 214 of FIG. 4 .
  • Other embodiments may user other interface displays than as described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Alarm Systems (AREA)

Abstract

Described are techniques used in monitoring the performance, security and health of a system used in an industrial application. Agents included in the industrial network report data to an appliance or server. The appliance stores the data and determines when an alarm condition has occurred. Notifications are sent upon detecting an alarm condition. The alarm thresholds may be user defined. A threat thermostat controller determines a threat level used to control the connectivity of a network used in the industrial application.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application is based on U.S. Provisional Patent Application No. 60/477,088, filed on Jun. 9, 2003, Attorney Docket No. VRS-00160, which is incorporated by reference herein.
  • BACKGROUND
  • 1. Technical Field
  • This application generally relates to a network, and more particularly to event monitoring and management therein.
  • 2. Description of Related Art
  • Computer systems may be used in performing a variety of different tasks. For example, an industrial network of computer systems and components may be used in controlling and/or monitoring industrial systems. Such industrial systems can be used in connection with manufacturing, power generation, energy distribution, waste handling, transportation, telecommunications, water treatment, and the like. The industrial network may be connected and accessible via other networks, both directly and indirectly, including a corporate network and the Internet. The industrial network may thus be susceptible to both internal and external cyber-attacks. As a preventive measure from external cyber-attacks, firewalls or other security measures may be taken to separate the industrial network from other networks. However, the industrial network is still vulnerable since such security measures are not foolproof in the prevention of external attacks by viruses, worms, Trojans and other forms of malicious code as well as computer hacking, intrusions, insider attacks, errors, and omissions that may occur. Additionally, an infected laptop, for example, can bypass the firewall by connecting to the industrial network using a modem, direct connection, or by a virtual private network (VPN). The laptop may then introduce worms or other forms of malicious code into the industrial network. It should be noted that an industrial network may be susceptible to other types of security threats besides those related to the computer systems and network.
  • Thus, it may be desirable to monitor events of the industrial network and accordingly raise alerts. It may be desirable that such monitoring and reporting be performed efficiently minimizing the resources of the industrial network consumed. It may further be desirable to have the industrial network perform a threat assessment and respond in accordance with the threat assessment. In performing the assessment, it may also be desirable to take into account a wide variety of conditions relating to performance, health and security information about the industrial network, such as may be obtained using the monitoring data, as well as other factors reflecting conditions external to the industrial network.
  • SUMMARY OF THE INVENTION
  • In accordance with one aspect of the invention is a method for controlling connectivity in a network comprising: receiving one or more inputs; determining a threat level indicator in accordance with said one or more inputs; and selecting, for use in said network, a firewall configuration in accordance with said threat level indicator. The firewall configuration may be selected from a plurality of firewall configurations each associated with a different threat level indicator. A first firewall configuration associated with a first threat level indicator may provide for more restrictive connectivity of said network than a second firewall configuration associated with a second threat level indicator when said first threat level indicator is a higher threat level than said second threat level indicator. A firewall configuration associated with a highest threat level indicator may provide for disconnecting said network from all other less-trusted networks. The disconnecting may include physically disconnecting said network from other networks. The network may be reconnected to said less trusted networks when a current threat level is a level other than said highest threat level indicator. The method may also include automatically loading said firewall configuration as a current firewall configuration in use in said network. The one or more inputs may include at least one of: a manual input, a metric about a system in said network, a metric about said network, a derived value determined using a plurality of weighted metrics including one metric about said network, a derived value determined using a plurality of metrics, and an external source from said network. If the manual input is specified, the manual input may determine the threat level indicator overriding all other indicators. The plurality of weighted metrics may include a metric about at least one of: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a high level of privileges. The high level of privileges may correspond to one of: administrator privileges and root user privileges. The selecting additionally may select one or more of the following: an antivirus configuration, an intrusion prevention configuration, and an intrusion detection configuration.
  • In accordance with another aspect of the invention is a computer program product for controlling connectivity in a network comprising code that: receives one or more inputs; determines a threat level indicator in accordance with said one or more inputs; and selects, for use in said network, a firewall configuration in accordance with said threat level indicator. The firewall configuration may be selected from a plurality of firewall configurations each associated with a different threat level indicator. A first firewall configuration associated with a first threat level indicator may provide for more restrictive connectivity of said network than a second firewall configuration associated with a second threat level indicator when said first threat level indicator is a higher threat level than said second threat level indicator. A firewall configuration associated with a highest threat level indicator may provide for disconnecting said network from all other less-trusted networks. The code that disconnects may include physically disconnecting said network from other networks. The network may be reconnected to said less trusted networks when a current threat level is a level other than said highest threat level indicator. The computer program product may also include code that automatically loads said firewall configuration as a current firewall configuration in use in said network. The one or more inputs may include at least one of: a manual input, a metric about a system in said network, a metric about said network, a derived value determined using a plurality of weighted metrics including one metric about said network, a derived value determined using a plurality of metrics, and an external source from said network. If the manual input is specified, the manual input may determine the threat level indicator overriding all other indicators. The plurality of weighted metrics may include a metric about at least one of: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a high level of privileges. The high level of privileges may correspond to one of: administrator privileges and root user privileges. The code that selects may additionally selects one or more of the following: an antivirus configuration, an intrusion prevention configuration, and an intrusion detection configuration.
  • In accordance with another aspect of the invention is a method of event reporting by an agent comprising: receiving data; determining if said data indicates a first occurrence of an event of interest associated with a metric since a previous periodic reporting; reporting said first occurrence of an event if said determining determines said data indicates said first occurrence; and reporting a summary including said metric in a periodic report at a first point in time. The reporting of said first occurrence and said reporting of said summary may be performed without a request for a report. Data for said reporting of said first occurrence and said reporting of said summary may be performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection. The reporting of said first occurrence and said summary may also include: opening a communication connection; sending data to said reporting destination; and closing said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection. The communication connection may be a TCP or UDP socket. The periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination. The selected set of one or more metrics may be a first level of reporting information and said periodic report may include a second level of reporting information used to perform one at least one of the following: determine a cause of a problem, and take a corrective action to a problem. The reporting of said first occurrence and said summary may include transmitting messages from said agent to a reporting destination, each of said messages being a fixed maximum size. A time interval at which said periodic report is sent by said agent and data included in each of said messages may be determined in accordance with at least one of: resources available on a computer system and a network in which said agent is included. The agent may execute on a first computer system and reports data to another computer system. The method may also include: monitoring a log file; and extracting said second level of reporting information from said log file, wherein said log file includes log information about a computer system upon which said agent is executing. The agent may transmit an XML communication to said reporting destination using said communication connection. A threshold may be specified for an amount of data that said agent can report in a fixed reporting interval, said threshold being equal to or greater than a fixed maximum size for each summary report sent by said agent. A report sent for any of said reporting may include an encrypted checksum preventing modifications of said report while said report is being communicated from an agent to a receiver in a network. The reporting may be performed by an agent that sends a report, said report including one of: a timestamp which increases with time duration, and a sequence number which increases with time duration, used by a receiver of said report. The receiver may use said one of said timestamp or said sequence number in authenticating a report received by said receiver as being sent by said agent, said receiver processing received reports having said one of a timestamp or sequence number which is greater than another one of a timestamp or sequence number associated with a last report received from said agent. The second level of reporting information may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  • In accordance with another aspect of the invention is a method of event reporting by an agent comprising: receiving data; determining if said data corresponds to an event of interest associated with at least one security metric; and sending a report to a reporting destination, said report including said at least one security metric for a fixed time interval, wherein said report is sent from said agent communicating data at an application level to said reporting destination using a one-way communication connection. The agent may only sends data on said one-way communication connection to said reporting destination without reading any communication from said communication connection. The report may include at least one performance metric in accordance with said data received.
  • In accordance with another aspect of the invention is a method of event reporting by an agent comprising: receiving data; determining if said data indicates a security event of interest; and reporting a summary including information on a plurality of occurrences of said security event of interest occurring within a fixed time interval, said summary being sent at a predetermined time interval. The reporting of the summary may be performed without a request for a report. The reporting of said summary may be performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection. The reporting of said summary may further include: opening a communication connection; sending data to a said reporting destination; and closing said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection. The communication connection may be a TCP or UDP socket. The agent may transmit an XML communication to said reporting destination using said communication connection. The reporting of said summary may include transmitting periodic messages from said agent to a reporting destination, each of said message having a fixed maximum size.
  • In accordance with another aspect of the invention is a computer program product for event reporting by an agent comprising code that: receives data; determines if said data indicates a first occurrence of an event of interest associated with a metric since a previous periodic reporting; reports said first occurrence of an event if said code that determines that said data indicates said first occurrence; and reports a summary including said metric in a periodic report at a first point in time. The code that reports said first occurrence and said code that reports said summary may be performed without a request for a report. Data for the code that reports said first occurrence and said code that reports said summary may be performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection. At least one of said code that reports said first occurrence and said code that reports said summary may further comprise code that: opens a communication connection; sends data to said reporting destination; and closes said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection. The communication connection may be a TCP or UDP socket. The periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination. The selected set of one or more metrics may be a first level of reporting information and said periodic report may include a second level of reporting information used to perform one at least one of the following: determine a cause of a problem, and take a corrective action to a problem. The code that reports said first occurrence and said code that reports said summary may include code that transmits messages from said agent to a reporting destination, each of said messages being a fixed maximum size. A time interval at which said periodic report is sent by said agent and data included in each of said messages may be determined in accordance with at least one of: resources available on a computer system and a network in which said agent is included. The agent may execute on a first computer system and reports data to another computer system. The computer program product may further comprise code that: monitors a log file; and extracts said second level of reporting information from said log file, wherein said log file includes log information about a computer system upon which said agent is executing. The agent may transmit an XML communication to said reporting destination using said communication connection. A threshold may be specified for an amount of data that said agent can report in a fixed reporting interval, said threshold being equal to or greater than a fixed maximum size for each summary report sent by said agent. A report sent for any of said code that reports may use an encrypted checksum preventing modifications of said report while said report is being communicated from an agent to a receiver in a network. The code that reports may be performed by an agent that sends a report, said report including one of: a timestamp which increases with time duration, and a sequence number which increases with time duration, used by a receiver of said report. The receiver may use said one of said timestamp or said sequence number in authenticating a report received by said receiver as being sent by said agent, said receiver processing received reports having said one of a timestamp or sequence number which is greater than another one of a timestamp or sequence number associated with a last report received from said agent. The second level of reporting information may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
  • In accordance with another aspect of the invention is a computer program product for event reporting by an agent comprising code that: receives data; determines if said data corresponds to an event of interest associated with at least one security metric; and sends a report to a reporting destination, said report including said at least one security metric for a fixed time interval, wherein said report is sent from said agent communicating data at an application level to said reporting destination using a one-way communication connection. The agent may only send data on said one-way communication connection to said reporting destination without reading any communication from said communication connection. The report may include at least one performance metric in accordance with said data received.
  • In accordance with another aspect of the invention is a computer program product for event reporting by an agent comprising code that: receives data; determines if said data indicates a security event of interest; and reports a summary including information on a plurality of occurrences of said security event of interest occurring within a fixed time interval, said summary being sent at a predetermined time interval. The code that reports said summary is performed without a request for a report. Data for said code that reports said summary may be performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection. The code that reports said summary may further comprises code that: opens a communication connection; sends data to a said reporting destination; and closes said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection. The communication connection may be a TCP or UDP socket. The agent that transmits an XML communication to said reporting destination may use said communication connection. The code that reports said summary may include code that transmits periodic messages from said agent to a reporting destination, each of said message having a fixed maximum size.
  • In accordance with another aspect of the invention is a method of event notification comprising: receiving a first report of a condition; sending a first notification message about said first report of said condition; sending a second notification message about said condition at a first notification interval; receiving subsequent reports at fixed time intervals; sending a subsequent notification message at a second notification interval if said condition is still ongoing during said second notification interval, wherein said second notification interval has a length which is a multiple of said first notification interval. The first report may be sent from a reporting agent on a first computer system reporting about one of: said first computer system and a network including said first computer system, and said notification messages are sent from a notification server on a second computer system. Notification messages may be sent to a notification point at successive notification intervals wherein each of said successive notification intervals increases approximately exponentially with respect to an immediately prior notification interval. The condition may be associated with an alarm condition and an alarm condition may be set when a current level of a metric is not in accordance with a predetermined threshold value. Each of said notification messages may include a first level of information about said condition and a second level of information used to perform at least one of the following: determine a cause of said condition, and take a corrective action for said condition. An option may be included in a reporting agent to enable and disable reporting of said second level of information to a notification server from said agent sending said first report. An option may be used to enable and disable condition notification messages including said second level of information. An alarm condition may be associated with a first level alarm and an alarm state of said first level may be maintained when a current level of a metric is in accordance with said predetermined threshold value until an acknowledgement of said alarm state at said first level is received by said notification server. The alarm condition may transition to a second level alarm when said current level is not in accordance with said predetermined threshold and another threshold associated with a second level, and said second level alarm is maintained when a current level of a metric is in accordance with one of: said predetermined threshold and said other threshold until acknowledgement of said second level alarm is received by said notification server. Reports may be sent from a reporting agent executing on a computer system in an industrial network to an appliance included in said industrial network and each of said reports includes events occurring within said industrial network. An alarm condition may be determined in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
  • In accordance with another aspect of the invention is a method of event notification comprising: receiving a first report of a condition at a reporting destination; and sending a notification message from said reporting destination to a notification destination, said notification message including a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target. The summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack. The summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack. The summary may identify a portion of a type of attack represents with respect to all attacks in said fixed time interval.
  • In accordance with another aspect of the invention is a method of event notification comprising: receiving report of a potential cyber-attack condition at fixed time intervals; and sending a notification message about said conditions when said conditions exceed a notification threshold. A notification threshold may be determined using an alarm condition in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account. The notification message may include a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target. The summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack. The summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack. The summary may identify a portion of a type of attack represents with respect to all attacks in said fixed time interval.
  • In accordance with another aspect of the invention is a computer program product for event notification comprising code that: receives a first report of a condition; sends a first notification message about said first report of said condition; sends a second notification message about said condition at a first notification interval; receives subsequent reports at fixed time intervals; and sends a subsequent notification message at a second notification interval if said condition is still ongoing during said second notification interval, wherein said second notification interval has a length which is a multiple of said first notification interval. The first report may be sent from a reporting agent on a first computer system reporting about one of: said first computer system and a network including said first computer system, and said notification messages are sent from a notification server on a second computer system. Notification messages may be sent to a notification point at successive notification intervals wherein each of said successive notification intervals increases approximately exponentially with respect to an immediately prior notification interval. The condition may be associated with an alarm condition and an alarm condition is set when a current level of a metric is not in accordance with a predetermined threshold value. Each of the notification messages may include a first, level of information about said condition and a second level of information used to perform at least one of the following: determine a cause of said condition, and take a corrective action for said condition. An option may be included in a reporting agent to enable and disable reporting of said second level of information to a notification server from said agent sending said first report. An option may be used to enable and disable condition notification messages including said second level of information. An alarm condition may be associated with a first level alarm and an alarm state of said first level is maintained when a current level of a metric is in accordance with said predetermined threshold value until an acknowledgement of said alarm state at said first level is received by said notification server. The alarm condition may transition to a second level alarm when said current level is not in accordance with said predetermined threshold and another threshold associated with a second level, and said second level alarm may be maintained when a current level of a metric is in accordance with one of: said predetermined threshold and said other threshold until acknowledgement of said second level alarm is received by said notification server. Reports may be sent from a reporting agent executing on a computer system in an industrial network to an appliance included in said industrial network and each of said reports includes events occurring within said industrial network. An alarm condition may be determined in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
  • In accordance with another aspect of the invention is a computer program product for event notification comprising code that: receives a first report of a condition at a reporting destination; and sends a notification message from said reporting destination to a notification destination, said notification message including a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target. The summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack. The summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack. The summary may identify a portion of a type of attack represents with respect to all attacks in said fixed time interval.
  • In accordance with another aspect of the invention is a computer program product for event notification comprising code that: receives report of a potential cyber-attack condition at fixed time intervals; and sends a notification message about said conditions when said conditions exceed a notification threshold. A notification threshold may be determined using an alarm condition in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account. The notification message may include a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target. The summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack. The summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack. The summary may identify a portion of a type of attack represents with respect to all attacks in said fixed time interval.
  • In accordance with another aspect of the invention is a method for monitoring an industrial network comprising: reporting first data about a first computer system by a first agent executing on said first computer system in said industrial network, said first computer system performing at least one of: monitoring or controlling a physical process of said industrial network, said first data including information about software used in connection with said physical process. The method may also include reporting second data about communications on a connection between said industrial network and another network by a second agent executing on a second computer system. The second data reported by said second agent may be included in an appliance to which said first data is sent. The first agent may report on at least one of: critical file monitoring, log file for said first computer system, hardware and operating system of said first computer system, password and login, a specific application executing on said computer system wherein said application is in accordance with a particular industrial application of said industrial network. A plurality of agents may execute on said first computer system monitoring said first computer system. The plurality of agents may include a master agent and other agents performing a predetermined set of monitoring tasks, said master agent controlling execution of said other agents. The plurality of agents may report data at predetermined intervals to one of: an appliance and said second computer system. The method may also include performing, by at least one of said plurality of agents: obtaining data from a data source; parsing said data; performing pattern matching on said parsed data to determine events of interest; recording any events of interest; reporting any events of interest in accordance with occurrences of selected events in a time interval; creating a message including said summary at predetermined time intervals; and encrypting at least one of: said message and a checksum of said message. The first data may include at least one of the following metrics: a number of open listen connections and a number of abnormal process terminations. When a number of open listen connections falls below a first level, an event corresponding to a component failure may be determined. When a number of open listen connections is above a second level, an event corresponding to a new component or unauthorized component may be determined. The second agent may report on network activity in accordance with a set of rules, said rules including at least one rule indicating that events in a business network are flagged as suspicious in said industrial network. The events may include at least one of: an event associated with a web browser, and an event associated with e-mail. The second agent may report on an address binding of a physical device identifier to a network address if the physical device identifier of a component was not previously known, or said network address in the address binding is a reassignment of said network address within a predetermined time period since said network address was last included in an address binding. The second agent may report second data about a firewall, and said second data may include at least one of: a change to a saved firewall configuration corresponding to a predetermined threat level, a change to a current set of firewall configuration rules currently controlling operations between said industrial network and said other network. Log files associated with said firewall may be stored remotely at a location on said second computer system with log files for said second computer system activity. The second data may include at least one threat assessment from a source external to said industrial network. The second data may include at least one of: a threat level indicator from a corporate network connected to said industrial network, a threat level indicator from a public network source, and a threat level indicator that is manually input. The method may also include: receiving at least said first data by a receiver; authenticating said first data as being sent by said first agent; and processing, in response to said authenticating, said first data by said receiver. The authenticating may include at least one of: verifying use of said first agent's encryption key, and checking validity of a message checksum, and using a timestamp or sequence number to detect invalid reports received by said receiver as being sent from said first agent. The reporting may be performed in accordance with a threshold size indicates an amount of data that said first agent is permitted to transmit in a fixed periodic reporting interval.
  • In accordance with another aspect of the invention is a computer program product for monitoring an industrial network comprising code that: reports first data about a first computer system by a first agent executing on said first computer system in said industrial network, said first computer system performing at least one of: monitoring or controlling a physical process of said industrial network, said first data including information about software used in connection with said physical process. The computer program product may also include code that reports second data about communications on a connection between said industrial network and another network by a second agent executing on a second computer system. The second data reported by said second agent may be included in an appliance to which said first data is sent. The first agent may report on at least one of: critical file monitoring, log file for said first computer system, hardware and operating system of said first computer system, password and login, a specific application executing on said computer system wherein said application is in accordance with a particular industrial application of said industrial network. A plurality of agents may execute on said first computer system monitoring said first computer system. The plurality of agents may include a master agent and other agents performing a predetermined set of monitoring tasks, said master agent controlling execution of said other agents. The plurality of agents may report data at predetermined intervals to one of: an appliance and said second computer system. The computer program product may also include code for performing, by at least one of said plurality of agents: obtaining data from a data source; parsing said data; performing pattern matching on said parsed data to determine events of interest; recording any events of interest; reporting any events of interest in accordance with occurrences of selected events in a time interval; creating a message including said summary at predetermined time intervals; and encrypting at least one of: said message and a checksum of said message. The first data may include at least one of the following metrics: a number of open listen connections and a number of abnormal process terminations. When a number of open listen connections falls below a first level, an event corresponding to a component failure may be determined. When a number of open listen connections is above a second level, an event corresponding to a new component or unauthorized component may be determined. The second agent may report on network activity in accordance with a set of rules, said rules including at least one rule indicating that events in a business network are flagged as suspicious in said industrial network. The events may include at least one of: an event associated with a web browser, and an event associated with e-mail. The second agent may report on an address binding of a physical device identifier to a network address if the physical device identifier of a component was not previously known, or said network address in the address binding is a reassignment of said network address within a predetermined time period since said network address was last included in an address binding. The second agent may report second data about a firewall, and said second data includes at least one of: a change to a saved firewall configuration corresponding to a predetermined threat level, a change to a current set of firewall configuration rules currently controlling operations between said industrial network and said other network. Log files associated with said firewall may be stored remotely at a location on said second computer system with log files for said second computer system activity. The second data may include at least one threat assessment from a source external to said industrial network. The second data may include at least one of: a threat level indicator from a corporate network connected to said industrial network, a threat level indicator from a public network source, and a threat level indicator that is manually input. The computer program product may also include code that: receives at least said first data by a receiver; authenticates said first data as being sent by said first agent; and processes, in response to said code that authenticates, said first data by said receiver. The code that authenticates may include at least one of: code that verifies use of said first agent's encryption key and checks validity of a message checksum, and code that uses a timestamp or sequence number to detect invalid reports received by said receiver as being sent from said first agent. The code that reports may use a threshold size indicating an amount of data that said first agent is permitted to transmit in a fixed periodic reporting interval.
  • In accordance with another aspect of the invention is a method for detecting undesirable messages in a network comprising: receiving a message in said network; determining if said message is undesirable in accordance with at least one rule defining an acceptable message in said network; and reporting said message as undesirable if said message is not determined to be in accordance with said at least one rule. The method may also include: defining another rule for use in said determining if an additional message type is determined to be acceptable in said network.
  • In accordance with another aspect of the invention is a computer program product for detecting undesirable messages in a network comprising code that: receives a message in said network; determines if said message is undesirable in accordance with at least one rule defining an acceptable message in said network; and reports said message as undesirable if said message is not determined to be in accordance with said at least one rule. The computer program product may also include code that: defines another rule for use in said determining if an additional message type is determined to be acceptable in said network.
  • In accordance with another aspect of the invention is a method for performing periodic filesystem integrity checks comprising: receiving two or more sets of filesystem entries, each set representing a grouping of one or more filesystem entries; selecting a zero or more entries from each set; and performing integrity checking for each selected entry from each set during a reporting period. Each of said two or more sets may correspond to a predetermined classification level. If a first classification level is more important than a second classification level, said first classification level may include less entries than said second classification level. A number of entries from each set may be determined in accordance with a level of importance associated with said set.
  • In accordance with another aspect of the invention is a computer program product for performing periodic filesystem integrity checks comprising code that: receives two or more sets of filesystem entries, each set representing a grouping of one or more filesystem entries; selects a zero or more entries from each set; and performs integrity checking for each selected entry from each set during a reporting period. Each of said two or more sets may correspond to a predetermined classification level. If a first classification level is more important than a second classification level, said first classification level may include less entries than said second classification level. A number of entries from each set may be determined in accordance with a level of importance associated with said set.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Features and advantages of the present invention will become more apparent from the following detailed description of exemplary embodiments thereof taken in conjunction with the accompanying drawings in which:
  • FIG. 1 is an example of an embodiment of a system described herein;
  • FIG. 2 is an example of an embodiment of components that may be included in a corporate network of the system of FIG. 1;
  • FIG. 3 is a more detailed example of an embodiment of components that may be included in an industrial network of the system of FIG. 1;
  • FIG. 4 is a more detailed example of an embodiment of components that may be included in the watch server of FIG. 3;
  • FIG. 4A is a more detailed example of an embodiment of the threat thermostat controller;
  • FIG. 5 is an example of the different types of agents that may be included in an embodiment on systems from FIG. 3;
  • FIG. 6 is an example of an embodiment of an architecture of each of the agents from FIG. 5;
  • FIG. 7 is a flowchart of steps of one embodiment for control flow within an agent;
  • FIG. 8 is an example of an embodiment of the real time database and alarm engine (RTAP) of FIG. 4;
  • FIG. 9 is an example of a representation of a database schema used by an embodiment of RTAP;
  • FIG. 9A is an example of representing an alarm function within an attribute with the database schema of FIG. 9;
  • FIGS. 10-11 are examples of embodiments of an alarm state table that may be used by RTAP;
  • FIG. 12 is an example of a state transition diagram representing the states and transitions in the alarm state table of FIG. 11; and
  • FIG. 13-14 are examples of user interface displays that may be used in an embodiment of the system of FIG. 1.
  • DETAILED DESCRIPTION OF EMBODIMENT(S)
  • Referring now to FIG. 1, shown is an example of an embodiment 10 of the system that may be used in connection with techniques described herein. The system 10 may be part of an infrastructure used in connection with, for example, manufacturing, power generation, energy distribution, waste handling, transportation, telecommunications, water treatment, and the like. Included in the system 10 is a corporate network 12 connected through a hub, switch, router and/or firewall 16 to an industrial network 14. The corporate network 12 may be connected to one or more external networks such as the Internet 20 through a firewall 18 and/or other devices. Also connected to the corporate network 12, either directly or via the firewall 18, may be a mail server 30, a web server 32 and/or any one or more other hardware and/or software components.
  • It should be noted that although the system 10 of FIG. 1 includes a firewall 18 and may also include one or more other firewalls or security measures, the corporate network as well as the industrial network may be susceptible to cyber attacks and other types of security threats, both malicious and accidental. As will be described in following paragraphs, different computer systems that may be included within an embodiment of the industrial network 14 must operate in accordance with an extremely high rate of failsafe performance due to the critical applications and tasks that the industrial network may be used in connection with. In other words, there is a very low tolerance for failure of components included in the industrial network 14. Loss of control and failure within the industrial network 14 may result in much more catastrophic conditions than a failure that may occur within the corporate network 12. For example, a catastrophic failure within the corporate network 12 may force a back-up retrieval of information. However, in the event that the industrial network 14 is being used in connection with supplying power or controlling a system such as train switching, failure may result in a catastrophic loss in terms of both human and economic dimensions.
  • In connection with the system 10, it should also be noted that external threats such as may be encountered from an external hacker coming through the Internet 20 to access the industrial network 14 may only account for part of the security threats. A large number of cyber attacks and other threats may come from within the system 10 itself such as, for example, within the corporate network 12 or from within the industrial network 14. For example, a disgruntled employee may attempt to perform a malicious attack from within the industrial network 14 as well as within the corporate network 12 in an attempt to cause operation failure of one or more components of the industrial network 14. As another example, someone may connect to the industrial network or the corporate network 12 using a laptop that might be infected, for example, with a form of malicious codes such as a Trojan, a virus, a worm, and the like. This malicious code may be introduced within the system 10 on the corporate network 12 or within the industrial network 14 independent of the firewall 18 and/or firewall 16 functioning. Such types of internal threats may not be caught or prevented by the firewall or other security measures developed for preventing primarily external threats. Thus, an embodiment of the system 10 may ideally include and utilize other techniques in connection with controlling, supervising, and securing operation of the components within the system 10 in a failsafe manner.
  • The corporate network 12 may include components generally used in office and corporate activities such as, for example, systems used by individuals in performing accounting functions, and other administrative tasks. The web server 32 may be used, for example, in servicing requests made to a website associated with the corporate network 12. Incoming e-mail from the internet 20 to the corporate network 12 may be handled by the e-mail server 30. It should be noted that an embodiment of the system 10 may include other components than as described herein in accordance with a particular functionality of each embodiment.
  • The corporate network 12 may be connected to the industrial network 14 through the hub, switch, router, or firewall 16. It should be noted that the corporate network 12 may be connected to the industrial network 14 by one or more of the foregoing mentioned in connection with element 16. In other words, the element 16 in FIG. 1 may represent a layering or hierarchical arrangement of hardware and/or software used in connecting the corporate network 12 to the industrial network 14. The different arrangements of 16 included in an embodiment may vary in accordance with a desired degree of security in accordance with the particular use of the components within the industrial network 14.
  • Included in the industrial network 14 in this embodiment is a Watch server 50. The Watch server 50 may be characterized as performing a variety of different monitoring, detection, and notification tasks in connection with the industrial network 14 and connection to the corporate network. The Watch server 50 is described in more detail elsewhere herein.
  • Components included in an embodiment of the system 10 may be connected to each other and to external systems and components using any one or more different types of communication medium(s). The communication mediums may be any one of a variety of networks or other type of communication connections as known to those skilled in the art. The communication medium may be a network connection, bus, and/or other type of data link, such as a hardwire or other connections known in the art. For example, the communication medium may be the Internet, an intranet, network or other non-network connection(s) which facilitate access of data and communication between the different components.
  • It should be noted that an embodiment may also include as element 16 other types of connectivity-based hardware and/or software as known to those of ordinary skill in the art to connect the two networks, the corporate network 12 and the industrial network 14. For example, the element 16 may also be a dial-up modem connection, a connection for wireless access points, and the like.
  • The different components included in the system 10 of FIG. 1 may all be located at the same physical site, may be located at different physical locations, or some combination thereof. The physical location of one or more of the components may dictate the type of communication medium that may be used in providing connections between the different components. For example, some or all of the connections by which the different components may be connected through a communication medium may pass through other communication devices and/or switching equipment that may exist, such as a phone line, a repeater, a multiplexer, or even a satellite.
  • Referring now to FIG. 2, shown is an example of an embodiment of components that may be included within a corporate network 12. Included in this embodiment 12 of FIG. 2 are user systems 40 a-40 b, and a hub, switch, firewall, or WAN router 42. The component 42 may be used in connecting this particular corporate network to one or more other corporate networks, to the firewall 18, and also to any other components included in 16 previously described in connection with FIG. 1.
  • Each of the user systems 40 a-40 b may include any one of a variety of different types of computer systems and components. Generally, in connection with computer systems included within the corporate network 12 as well as in connection with other components described herein, the processors may be any one of a variety of commercially available single or multi-processor systems such as, for example, an Intel-based processor, an IBM mainframe, or other type of processor able to support the incoming traffic and tasks in accordance with each particular embodiment and application. Each of the different components, such as the hub, switch, firewall, and/or router 42, may be any one of a variety of different components which are commercially available and may also be of a proprietary design.
  • Each of the user systems 40 a-40 b may include one or more data storage devices varying in number and type in accordance with each particular system. For example, a data storage device may include a single device, such as a disk drive, as well as a plurality of devices in a more complex configuration, such as with a storage area network (SAN), and the like. Data may be stored, for example, on magnetic, optical, silicon-based, or non-silicon-based media. The particular arrangement and configuration may vary in accordance with the parameters and requirements associated with each embodiment and system.
  • Each of the user systems 40 a-40 b, as well as other computer systems described in following paragraphs, may also include one or more I/O devices such as, for example, a keyboard, a mouse, a display device such as a monitor, and the like. Each of these components within a computer system may communicate via any one or more of a variety of different communication connections in accordance with the particular components included therein.
  • It should be noted that a corporate network may include other components besides user systems such as, for example, a network printer available for use by each user system.
  • Referring now to FIG. 3, shown is a more detailed example of an embodiment 100 of components previously described in connection with the system 10 of FIG. 1. Included in the industrial network 14 in one embodiment may be a process LAN 102, a control network 104, an I/O network 106, one or more other I/ O networks 124 a and 124 b, and a Watch server 50. In this example, the industrial network 14 may be connected to the corporate network 12 by the hub, switch, router, or firewall 16. It should be noted that the industrial network 14 may include other components than as described herein as well as multiple instances of components described herein. In one embodiment, component 16 may be an integrated security appliance such as, for example, the Fortinet Fortigate appliance.
  • The process LAN 102 may be characterized as performing tasks in connection with data management, integration, display, and the like. The control network 104 may be used in connection with controlling the one or more devices within the I/O network 106 as well as one or more other I/ O networks 124 a and 124 b. The Watch server 50 may be characterized as performing a variety of different monitoring, detection, and notification tasks in connection with the industrial network 14 and connection to the corporate network. The Watch server 50 and other components included within an embodiment of 14 described in more detail in the following paragraphs may be used in connection with the operation of the industrial network 14 in order to provide for proper operation of the industrial network 14 and component 16 and security threat management.
  • The process LAN 102 of FIG. 3 includes a switch or hub 110 a connected to component 16 and one or more other components within the process LAN 102. Components included in this example of the process LAN 102 are a historian 114 and an application server 116. The historian 114 may be used, for example, in storing a history of the different monitoring data that may be gathered by other components included within the network 14. The historian 114, for example, may serve as a data archive for the different types of data gathered over time within the network 14. The application server 116 may be used to execute an application that performs, for example, process optimization using sensor and other data. The application server 116 may communicate results to the SCADA server for use in controlling the operations of the network 14.
  • The SCADA (Supervisory Control and Data Acquisition) server 118 may be used in remotely monitoring and controlling different components within the control network 104 and the I/O network 106. Note also that the SCADA server included in FIG. 2 generally refers to a control system, such as a distributed control system (DCS). Additionally, the SCADA server 118 may also be responsible for controlling and monitoring components included in other I/ O networks 124 a and 124 a. For example, the SCADA server 118 may issue one or more commands to the controller 122 in connection with controlling the devices 130 a-130 n within the I/O network 106. The SCADA server 118 may similarly be used in connection with controlling and monitoring other components within the I/ O networks 124 a and 124 b. As known to those of ordinary skill in the art, a SCADA server may be used as part of a large system for remotely monitoring and controlling, for example, different types of energy production, distribution and transmission facilities, transportation systems, and the like. Generally, the SCADA server 118 may be used in connection with controlling and remotely or locally monitoring what may be characterized as components over possibly a large geographically distributed area. The SCADA server may rely on, for example, communication links such as radio, satellite, and telephone lines in connection with communicating with I/ O networks 124 a and 124 b as well as I/O network 106. The particular configuration may vary in accordance with each particular application and embodiment.
  • The workstation 120 may include a human machine interface (HMI), such as a graphical user interface (GUI). The workstation 120 may be used, for example, in connection with obtaining different sensor readings, such as temperature, pressure, and the like, from the devices 130 a-130 n in the I/O network 106, and displaying these readings on the GUI of the workstation 120. The workstation 120 may also be used in connection with accepting one or more user inputs in response, for example, to viewing particular values for different sensor readings. For example, the workstation 120 may be used in connection with an application monitoring a transportation system. An operator may use the GUI of workstation 120 to view certain selected statistics or information about the system. The selections may be made using the GUI of the workstation 120. Other inputs from the workstation 120 may serve as instructions for controlling and monitoring the operation of different devices and components within the industrial network 14 and one or more I/O networks. For example, the transportation system may be used in dispatching and monitoring one or more trains.
  • The SCADA server 118 may also be used in connection with performing data acquisition of different values obtained by the device sensors 130 a-130 n in performing its monitoring and/or controlling operations. The data may be communicated to the SCADA server 118 as well as the workstation 120. The SCADA server 118, for example, may monitor flow rates and other values obtained from one or more of the different sensors and may produce an alert to an operator in connection with detection of a dangerous condition. The dangerous condition or detection may result in an alarm being generated on the workstation 120, for example, such as may be displayed to a user via the GUI. The SCADA server 118 monitors the physical processing within the industrial network and I/O network(s). The server 118 may, for example, raise alerts to an operator at the workstation 120 when there is a problem detected with the physical plant that may require attention.
  • The controller 122 may be used in connection with issuing commands to control the different devices, such as 130 a-130 n, as well converting sensor signal data, for example, into a digital signal from analog data that may be gathered from a particular device. An embodiment may also have a controller 122 perform other functionality than as described herein.
  • The Watch server 50 may be used in connection with monitoring, detecting, and when appropriate, notifying a user in accordance with particular conditions detected. The Watch server 50 may include a Watch module which is included in an appliance. The Watch server 50 may also be installed as a software module on a conventional computer system with a commercially available operating system, such as Windows or LINUX, or a hardened operating system, such as SE LINUX. In one embodiment, the Watch server 50 may be, for example, a rack mount server-class computer having hardware component redundancy and swappable components. The appliance or conventional computer system may be executing, for example, SE LINUX on an IBM X-series server that monitors the logs and performance of the industrial network 14. The foregoing may used in connection with monitoring, detecting and notifying a human and/or controlling computer system or other components where appropriate.
  • It should be noted that the Watch server 50 may be used in raising alerts detected in connection with the SCADA system, associated networks, and computer processors. In other words, the tasks related to monitoring the computers and networks of FIG. 3 are performed by the Watch server 50. In contrast, as known to those of ordinary skill in the art, the tasks related to the physical plant processing, sensor data gathering, and the like for controlling and monitoring the operation of the particular industrial application(s) are performed by the SCADA server 118.
  • Included in an embodiment of the network 14 are one or more agents 132 a-132 d that may be used in collecting data which is reported to the Watch server 50. It should be noted that each of the agents 132 a-132 d may refer to one or more different agents executing on a computer system to perform data gathering about that computer system. The agents 132 a-132 d report information about the system upon which they are executing to another system, such as the Watch server 50. The different types of agents that may be included in an embodiment, as well as a particular architecture of each of the agents, are described in more detail elsewhere herein. In addition to each of the agents reporting information to the Watch server 50, other data gathering components may include an SNMP component, such as 112 a-112 c, which also interact and report data to the Watch server 50. Each of the SNMP components may be used in gathering data about the different network devices upon which the SNMP component resides. As known to those of ordinary skill in the art, these SNMP components 112 a-122 c may vary in accordance with each particular type of device and may also be supplied by the particular device vendor. In one embodiment, the Watch server 50 may periodically poll each of the SNMP components 112 a-112 c for data.
  • In one embodiment of the industrial network 14 as described above, the Watch server 50 may be executing the SE LINUX (Security Enhanced LINUX) operating system. Although other operating systems may be used in connection with the techniques described herein, the SE LINUX operating system may be preferred in an embodiment of the Watch server 50 for at least some of the reasons that will now be described. As known to those of ordinary skill in the art, some operating systems may be characterized as based on a concept of discretionary access control (DAC) which provides two categories of a user. A first category of user may be an administrator for example that has full access to all system resources and a second category of user may be an ordinary user who has full access to the applications and files needed for a job. Examples of operating systems based on the DAC model include for example, a Windows-based operating system. DAC operating systems do not enforce a system-wide security policy. Protective measures are under the control of each of the individual users. A program run by a user, for example, may inherit all the permissions of that user and is free to modify any file that that user has access to. A more highly secure computer system may include an operating system based on mandatory access control (MAC). MAC provides a means for a central administrator to apply system wide access policies that are enforced by the operating system. It provides individual security domains that are isolated from each other unless explicit access privileges are specified. The MAC concept provides for a more finely-grained access control to programs, system resources, and files in comparison to the two level DAC system. MAC supports a wide variety of categories of users and confines damage, for example, that flawed or malicious applications may cause to an individual domain. With this difference in security philosophy, MAC may be characterized as representing a best available alternative in order to protect critical systems from both internal and external cyber attacks. One such operating system that is based on the MAC concept or model is the SE LINUX operating system. The SE LINUX operating system is available, for example, at http://ww.nsa.gov/selinux.
  • The components included in the industrial network 14 of FIG. 3, such as the agents 132 a-132 d, SNMP components 112 a-112 c, and the Watch server 50, may be used in connection with providing a real time security event monitoring system. The different agents 132 a-132 d included in the industrial network 14 may be installed on the different computer systems included in the industrial network 14 and may report, for example, on machine health, changes in security log files, application status, and the like. This information gathered by each of the agents 132 a-132 d and SNMP components 112 a-112 c may be communicated to the Watch server 50. This information may be stored in a real-time database also included on the Watch server 50. From the Watch server 50, alarm limits may be set, alerts may be generated, incident reports may be created, and trends may also be displayed. Watch server 50 may also run a network intrusion detection system (NEDS), and has the ability to monitor network equipment, such as switches, routers, and firewalls, via the SNMP components included in various network devices shown in the illustration 100.
  • The agents 132 a-132 d described herein may be characterized as intelligent agents designed to run and report data while minimizing the use of system and network resources. A control network 104 may have a relatively low amount of network bandwidth. Accordingly, when deploying a monitoring device, such as an agent 132 a-132 d within such a control system, there may be inadequate bandwidth available for reporting the data from each agent. The lower bandwidth of a control network is typical, for example, of older legacy systems upon which the various agents may be deployed. Agents within an embodiment of the network 14 may be designed to minimize the amount of CPU usage, memory usage, and bandwidth consumed in connection with performing the various data gathering and reporting tasks regarding the industrial network 14. In one embodiment, agents may be written in any one or more of a variety of different programming languages such as PERL, C, Java, and the like. Generally, agents may gather different types of information by executing system commands, reading a data file, and the like on the particular system upon which the agents are executing. It should be noted that the agents also consume resources in a bounded manner minimizing the variance of consumption over time. This is described elsewhere herein in more detail.
  • Agents 132 a-132 d may format the information into any one of a variety of different message formats, such as XML, and then report this data to the Watch server 50. In one embodiment, the agents 132 a-132 d may communicate the data to the Watch server 50 over TCP/IP by opening a socket communication channel just long enough to send the relevant data at particularly selected points in time. In one embodiment, the agents 132 a-132 d operate at the application level in communicating information to the Watch server 50. The Watch server 50 does not send an application level acknowledgement to such received data. Additionally, the agents never read from the communication channel but rather only send data out on this communication channel as a security measure. It should be noted that although the embodiment described herein uses TCP, the techniques described herein may be used in an embodiment with UDP or another type of connectionless communication.
  • As described in the following paragraphs, the agents that may be included in a system 10 of FIG. 1 may be generally characterized as 2 different classes of monitoring agents. A first class of agent may be used in monitoring control systems upon which the agent actually executes. Agents in this first class are those included in the industrial network 14 of FIG. 3, such as agents 132 a-132 d. A second class of agent that may be included in an embodiment is described elsewhere herein in connection with, for example, the Watch server 50. Agents of this second class may be used in monitoring input from third party equipment or applications or other activity about a system other than the system upon which the agent is executing. As described in more detail elsewhere herein, different types of agents of either class may be used in an embodiment to gather the different types of data.
  • It should be noted that the various activities performed by the agents described herein may be used in connection with monitoring and reporting, for example, on cyber-security incidents as well as the performance of different system devices such as, for example, the different computer systems for CPU load, space and memory usage, power supply voltage, and the like. Although one particular type of security threat is a cyber-security threat as described herein, it should be noted that the techniques and systems described herein may be used in connection with monitoring security threats that are of different types. For example, control system damage may be caused, for example, by a faulty power supply, faulty performance of other components, and the like. The various agents deployed within an embodiment of the system 10 of FIG. 1 may be used in detecting both malicious as well as accidental threats to the industrial network 14. It may also be useful to correlate performance information with security information when assessing the likelihood of system compromise as a result of an attack on one or more systems.
  • Although the agents 132 a-132 d are illustrated in connection with particular components included in FIG. 3, agents 132 a-132 d may also be used in monitoring a controller 122, devices 130 a-130 n, and the like as needed and possible in accordance with each embodiment. Agents may be used on components having a computer processor capable of performing the tasks described herein and meeting predefined resource limitations that may vary with each embodiment. For example, agents may be executed on “smart” controllers, such as 122, if the controller has a processor able to execute code that performs the agent functionality. There may also be a connection from the controller 122 to the Watch server 50 to communicate the agent gathered data to the Watch server 50.
  • In FIG. 3, it should be noted that each of 113 a, 113 b, and 113 c may refer to one or more connections and may vary in accordance with the particular component connected to the Watch server 50 by each connection. For example, component 16 may be a hub, switch, router or firewall. If component 16 is a switch, element 113 a may refer to two communication connections between 16 and the Watch server 50 where one of the connections is connected to the spanning port of the switch and is used for the monitoring operations for network intrusion detection by the Watch server 50. In an embodiment in which the component is a hub, a single connection may be used. The foregoing also applies to connections 113 b and 113 c and, respectively, components 110 a and 110 b.
  • Referring now to FIG. 4, shown is an example of an embodiment of components that may be included in a Watch server 50. Watch server 50 in one embodiment may include a threat agent 200, an SNMP Watch agent 202, an SNMP Guard Agent 203, a NIDS agent 204, an ARPWatch agent 206, and a Guard log agent 209. Data 201 produced by the agents executing in the industrial network may be received by the Watch server. The Watch server 50 itself may be monitored using one or more agents 208 of the first class. Data from these agents is referenced as 208 in FIG. 4. Each of 200, 201, 202, 203, 204, 206, 208 and 209 communicates with the receiver 210 to store data in RTAP (real-time database and alarm engine) 212. The Watch server 50 may also include a web server 214, a notification server 216, a threat thermostat controller 218 and one or more firewall settings 220.
  • The agents included in the Watch server 50, with the exception of the agents reporting data 208, are of the second class of agent described elsewhere herein in which the agents included in the Watch server gather or report information about one or more systems other than that system upon which the agent is executing. It should be noted that this class of agent is in contrast, for example, to the agents 132 a-132 d previously described in connection with FIG. 3 which are executed on a computer system and report information to the Watch server 50 about the particular computer system upon which the agent is executing. The agents included within the Watch server 50 may be used in gathering data from one or more sources. As described in connection with the agents of the first class of agent, the second class of agents may be written in any one or more programming languages.
  • The threat agent 200 receives threat assessments from one or more sources which are external to the industrial network 14. The inputs to the component 200 may include, for example, a threat assessment level or alert produced by the corporate network, a security or threat level produced by the US government, such as the Homeland Security Threat level, an input published on a private site on the Internet, and the like.
  • Data from agents of both classes executing within the industrial network 14 of FIG. 3 communicate data to the receiver 210 as input source 201. It should be noted that any one or more of the metrics described herein may be reported by any of the agents in connection with a periodic reporting interval, as well as in accordance with the occurrence of certain thresholds or events being detected.
  • The SNMP Watch agent 202 periodically polls the different devices including hubs, switches, and routers having a vendor supplied SNMP component, such as 112 a and 112 b. The Watch server performs this periodic polling and communicates with each of the SNMP components 112 a-112 b to obtain information regarding the particular component or network device. SNMP Components, such as 112 a, report data to agent 202 such as, for example, metrics related to the activity level on switches and the like being monitored. Similarly, the SNMP Guard agent 203 periodically polls the firewall(s) for data. In one embodiment, the component 203 works with the Fortinet Fortigate series of firewalls. The particular firewall(s) supported and utilized may vary in accordance with each embodiment. The components 202 and 203 use the SNMP protocol to request the information set forth below from network switches, firewalls, and other network equipment.
  • In one embodiment, the following metrics may be reported by 203 at the end of each periodic reporting interval. It should be noted that the units in an embodiment may vary from what is specified herein. Also, not all metrics may be available and tracked by all devices:
  • Uptime—How long the device has been running continuously since it was last rebooted or reset.
  • Configuration—Information from the device that describes the device. This may include, for example, the name of the vendor, the model number, the firmware version, and any other software or ruleset versions that the device supports and may be relevant to an understanding of the behavior of the device.
  • Communications Status—An indication as to whether the device's SNMP component responded to the previous and/or current SNMP requests for information.
  • Total incoming and outgoing network traffic, in kilobytes, per reporting interval.
  • Per-interface incoming and outgoing network traffic, in kilobytes, for a reporting interval.
  • % CPU Load—The percentage of CPU Utilization in the reporting interval.
  • % Disk space—For devices with disks, like some firewalls, report the percentage used for every filesystem or partition.
  • % Memory Used—Report the fraction of physical memory in use.
  • Open Session Count—a count of open communications sessions.
  • VPN Tunnel count—a count of the number of machines and/or users connected through a firewall device using an IPSEC, SSL or other Virtual Private Network (VPN) technology. For each such connection, also report the source IP address, and if available:
  • host name, user name, certificate name and/or any other information that might serve to identify who or what is connected to the control network via the VPN connection.
  • Administrative User Count—A count of how many “root” or other administrative users are logged into the device and so are capable of changing the configuration of the device. For each such user, when the information is available via SNMP, report the user name, source IP address and any other information that might help to identify who is logged in.
  • With reference to the foregoing metrics, in one embodiment, the agent 202 may report at periodic intervals uptime, total incoming and outgoing network traffic, and information regarding the particular operating system, version number and the like.
  • The NIDS agent 204 monitors the process and control LAN communications by scanning messages or copies of messages passing through LANS, hubs, and switches. It should be noted that referring back to FIG. 3, a dedicated connection between a Watch server and these components may be used in connection with performing NIDS monitoring. The NIDS Agent 204 receives data and determines metrics, for example, such as a message count, network intrusion alerts raised, and the like. The NIDS agent 204 may be used in connection with monitoring both the process LAN and the control LAN communications. As an input to the NIDS agent 204, data may come from the NIDS component 204 a. Data from LANs, hubs and switches may be input to the NIDS component 204 a and used in connection with detection of network intrusions. Included within the NIDS component 204 a is a library of signatures that may be used in connection with detecting different types of network intrusions. It should be noted that the NIDS agent 204 may be used in performing real time traffic analysis and packet logging of control networks. The NIDS component 204 a may also be used in connection with performing protocol analysis, content searching and matching, and may be used to detect a variety of attacks and different types of probes including, for example, buffer overflows, stealth port scans, CGI attacks, SMB probes, fingerprinting attempts and the like. The NIDS agent 204 may also be used in connection with monitoring an existing third party network intrusion detection system installed on a control network.
  • In one embodiment, the NIDS component 204 a is implemented using SNORT technology. As known to those of ordinary skill in the art, SNORT is described, for example, at www.snort.org, and may be used in connection with monitoring network traffic, for example, by monitoring and analyzing all messages on the network, such as through one of the connections connected into a spanning port of a switch used in an embodiment of FIG. 3. SNORT reports data on any messages exchanged between any two ports. SNORT uses a pattern matching engine which searches one or more messages for known patterns. The known patterns are associated with known viruses, worms, and the like. For example, a message packet may include a particular bit pattern indicative of a known worm. The NIDS agent may be implemented using both customized and/or conventional NIDS engines. In one embodiment using the SNORT technology, the SNORT open source NIDS engine may be used with the entire SNORT NIDS rules set. An embodiment may also use other NIDS technologies such as, for example, the Fortinet Fortigate NIDS system with the Fortinet Fortigate rules set. An embodiment may also use more than one NIDS system. Specific rules may be disabled or made more specific at particular sites if normal background traffic at the site is found to generate an unacceptable number of false positive alerts as a result of enacting particular rules. This may vary in accordance with each embodiment. An embodiment may connect one or more NIDS engines to the hubs and other components of the industrial network. In the event that the industrial network includes switches, the NIDS engines may be connected to the spanning ports on the switches as described elsewhere herein. If spanning ports are not available, it may be preferable to connect the NIDS engines to monitor the traffic between the industrial network 14 and the corporate network 12, using an Ethernet tap, hub, or other technique as known to those of ordinary skill in the art.
  • In one embodiment of the NIDS component 204 a, customized signatures may be used in addition to those that may be supplied with the NIDS technology such as publicly available at the Snort.org website. These additional signatures may identify network traffic that would be “normal” on a business network, but is not associated with normal activity within an industrial network. These may include, for example, signatures identifying one or more of the following: telnet login traffic; ftp file transfer traffic; web browsing through normal and encrypted connections; reading email through POP3, IMAP and Exchange protocols; sending email through SMTP and Exchange protocols; and using any of the instant messaging products, such as those from Microsoft, Yahoo, and America Online. The foregoing may be considered normal traffic on a business network, such as the corporate network 12, but not within a dedicated-purpose network like the industrial network 14. It should be noted that plant operators within the network 14 may have access to email and other such facilities, but such access may be gained using workstation computers that, while they may sit physically beside critical equipment, may actually be connected to the corporate network and not to the industrial network.
  • In one embodiment, the following additional NIDS signatures may be used to report all attempts to communicate with well-known UDP and TCP ports having support which is turned off on correctly-hardened Solaris machines running the Foxboro IA industrial control system software:
  • Port number application or service
    7 (ECHO)
    9 (DISCARD)
    13 (DAYTIME)
    19 (CHARGEN)
    21 (FTP)
    23 (TELNET)
    25 (SMTP)
    79 (FINGER)
    512 (REXEC)
    513 (RLOGIN)
    514 (RSH)
    540 (UUCP)
    1497 (RFX-LM)

    The foregoing are pairings of a port number and an application or service that may typically access this port for communications. In connection with an industrial network, there should typically be no communications for these ports using the TCP or UDP communication protocols by the above service or application. If any such communications are observed, they are flagged and reported. The foregoing pairings are well-known and described, for example, in RFC 1700 Assigned Number, section entitled “Well-known Port Numbers”, at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1700.html.
  • An embodiment may also include additional signatures representative of traffic that should not be present on an industrial network. The signatures below may be used, for example, to monitor and report on ports used for TCP and/or UDP to identify uses that may be characteristic and typical within the corporate or other business network, but are not desirable for use within an industrial network. This may include, for example, using particular applications and services such as Microsoft's NetMeeting, AOL and other Instant Messaging services, and the like.
  • For both TCP and UDP, report communications for the following:
  • Port number application or service
    80 (HTTP)
    443 (HTTPS)
    143 (IMAP)
    993 (IMAPS)
    110 (POP3)
    995 (POP3S)
    989 (FTPS-DATA)
    990 (FTPS)
    992 (TELNETS)
    389 (LDAP-NETMEETING)
    552 (ULS-NETMEETING)
    1503 (T.120-NETMEETING)
    1720 (H.323-NETMEETING)
    1731 (MSICCP-NETMEETING)
    1590 (AOL-AOL_IMESSENGER)
    194 (IRC)
  • For embodiments using Yahoo Instant Messenger, report activity on the following:
      • TCP ports 5000, 5001, 5050, 5100
      • UDP ports 5000-5010
  • For embodiments using Microsoft Instant Messenger, report activity on the following:
      • TCP ports 1863, 6901 for application/service: (VOICE)
      • TCP ports 6891-6900 for application/service: (FILE-XFER)
      • UDP port 6901 for application/service: (VOICE)
  • Note that the particular signatures used may vary with that activity which is typical and/or allowed within each embodiment.
  • The foregoing are examples of different activities that may not be characterized as normal within operation of an industrial network 14. Any additional signatures used may vary in accordance with each embodiment.
  • In one embodiment of the NIDS component 204 a, customized signatures may be used in an inclusionary manner. Exclusionary NIDS signatures, such as those illustrated above, typically identify and report upon abnormal or undesirable messages detected on the network being monitored. As additional undesirable, abnormal or atypical messages are identified, new and corresponding NIDS signatures are developed for use in the embodiment. An embodiment may use inclusionary NIDS signatures to identify messages that are part of the network's normal, or desirable operating state and report upon any message not identified as such. New inclusionary NIDS signatures are developed in such an embodiment whenever a type of message is determined to be within the normal or acceptable behavior of a given network. In an embodiment using the inclusionary signatures, no additional signatures are needed to identify new undesirable or abnormal messages. Inclusionary signatures therefore incur lower signature update costs than do exclusionary signatures on networks whose normal or desirable network or message traffic patterns change infrequently. On such networks, it can be argued that inclusionary signatures may provide greater security, because they are immediately able to identify new abnormal or undesirable messages, without waiting for exclusionary signatures to be identified, developed or installed.
  • In one embodiment, the NIDS agent 204 may have a reporting interval every 10 seconds. The password age agent 310, described elsewhere herein, may have a reporting interval of every hour. The other agents may have a reporting interval of once every minute which may vary in accordance with the resources within each embodiment and computer systems therein.
  • The ARPWatch agent 206 may detect one or more events of interest in connection with the ARP (address resolution protocol) messages monitored. ARP may be used with the internet protocol (IP) and other protocols as described in RFC 826 at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc0826.html. In one embodiment, the ARPWatch 206 a is based on open source software, as described in ftp://ftp.ee.lbl.gov/arpwatch.tar.gz, with additional functionality described herein to minimize false positives. As known to those of ordinary skill in the art, ARP may be used in performing IP address resolution and binding to a device address. The ARPWatch 206 a may, for example, look for any new devices, such as computers, detected on a network. The ARPWatch 206 a may monitor the industrial network 14 for the introduction of new types of devices and log information regarding these new devices. The ARPWatch agent 206, for example, may use information on new devices provided by 206 a and report information to RTAP in a fashion similar to that used with the NIDS agent using SNORT based technology. For example, a laptop computer may be turned on and connected for a short time period to a network by a wireless connection. When the laptop is introduced into the network, a network address is associated with the laptop while in the network. This may be done by binding an IP address to the device address unique to the particular laptop. When first introduced into the network, there is no known IP address for the laptop. In connection with assigning an IP address to this new laptop, one or more messages may be monitored in the network to detect this event of introducing a new device in the network causing a new binding of an IP address to the unique address of the laptop. The IP addresses associated with the device may be assigned on a visitor or temporary basis, such as with the laptop. Thus, IP addresses may be reused such that a same IP address may be bound to different devices at different points in time.
  • In one embodiment, a customized version of ARPWatch may raise an alert if the device address of the computer was not previously known or active. An alert may also be raised if the device address was assigned to some other IP address or the IP address had some other device address assigned to it within a prior time period, for example, such as 15-20 minutes. Within an embodiment, the prior time period may vary. It should be noted that the prior time period may be long enough to be confident that the device to which the other IP address was assigned is no longer connected to the network.
  • Such activity may be a sign of, for example, ARP spoofing or ARP poisoning. As known in the art, ARP spoofing occurs when a forged ARP reply message is sent to an original ARP request, and/or forged ARP requests are sent. In the forged replies and/or forged requests, the forger associates a known IP address with an incorrect device address, often the forger's own device address. Thus, receiving the forged ARP messages causes a reassignment of the known IP address to the address of the forger's device, in one or more other devices on the network. This can also cause the network's own table of address bindings to be updated or poisoned with the forged binding. The time period described above may be used to minimize the false positives as may be generated when using the standard open source ARPWatch in IP-address-poor DHCP environments.
  • The agent 206 in one embodiment uses a version of ARPWatch that issues fewer messages than the conventional open source version for ARP frames containing invalid IP addresses that do not fall within the local network mask. The conventional open source ARPwatch logs a message for every ARP frame containing an invalid IP address resulting in up to 100 messages per minute for a given invalid IP address detection.
  • The ARPWatch 206 a in one embodiment keeps track of the invalid addresses detected and reports invalid IP/device address binding for as long as the ARPWatch 206 a is running. The RTAP 212 may also track changed IP addresses reported by the ARPWatch 206 a via the ARPWatch agent 206, and the web server 214 may then present a list of these to the network administrator for approval such that these addresses are no longer considered as “new.” An embodiment may also provide functionality for approving new and/or changed IP/device address bindings, and/or provide functionality for individually approving new IP addresses and/or new and/or changed IP/device address bindings as well as approving the entire list presented at once. Once the foregoing new device address/IP bindings are approved, the number of “new” network devices drops to zero and any RTAP alert that may be outstanding against that count is reset to a normal condition or state.
  • In one embodiment, agents of the first class described elsewhere herein may be executing on the Watch server monitoring the health, performance, and security of the Watch server. The data from these agents 208 is sent to the receiver 210 to report data about the Watch server 50. The particular types of this first class of agent are described elsewhere herein, for example, in connection with FIGS. 5 and 6. An embodiment may include any number of these types of agents of the first class to report data about the Watch server 50.
  • The Guard log agent 209 monitors log files of the Watch server 50 and also the firewall log files of one or more firewalls being monitored, such as an embodiment including a firewall as component 16 of FIG. 3. In one embodiment, an option may be set on the Fortinet Fortigate firewall to automatically transmit all firewall log information to the Watch server 50. On the Watch server 50, the received firewall log information may be included as part of the system logging for the Watch server 50. In one embodiment, the system log files of the Watch server may be segregated into different physical files of the file system. The firewall log files may be included in a separate physical file in the Watch Server's log file area. The Guard log agent 209 may also obtain additional information from the firewall using SSH (Secure SHell). The agent 209, using SSH (Secure SHell), remotely logs into a machine via a shell. As known to those of ordinary skill in the art, SSH may be characterized as similar in functionality to telnet, however unlike telnet, all data exchanged is encrypted. In one embodiment, the agent 209 may download a copy of the firewall rules and other configuration information currently in use in a firewall using SSH. Other embodiments may use other secure command and communications technologies such as, for example, IPSEC, sftp, HTTPS, SSL, and the like. The agent 209 may have a master set of firewall configuration information which it expects to be currently in use. The downloaded copy of firewall configuration information currently in use may be compared to the master set to determine any differences. In the event that any differences are detected, an alert may be raised and signaled by RTAP 212.
  • In one embodiment, the following metrics may be reported by the Guard log agent 209 in connection with the firewall log files every reporting interval:
  • firewall violations—Report the total number of firewall violations messages detected in the reporting interval. On platforms that distinguish different kinds of violation messages, report those counts separately. For example, one embodiment uses ipchains which, as known to those of ordinary skill in the art, is available on some versions of Linux to set up, maintain and inspect the IP firewall rules in the Linux kernel. Ipchains provides for distinguishing “dropped” packets from “rejected” packets, and these counts may be reported out separately.
  • Report the first three firewall violation messages detected for each type of violation message in each reporting interval.
  • Report a summary information for each types of firewall violation message. The summary information may include, for example, one or more IP addresses identified as the source for most of the messages, what percentage of the messages are associated with each IP address, one or more IP addresses that are the target in a majority of the messages, and what percentage of messages are associated with each target address.
  • Network IDS (intrusion detection system) and IPS (intrusion prevention system) reports—Report the total number of intrusion detection and prevention reports logged in the reporting period. For systems that report different kinds or priorities or severities of intrusion attempts, report the total number of each class of attempts as separate metrics.
  • For each separately-reported class of intrusion attempts, report the first three attempts logged in each reporting interval as well as the total number of attempts.
  • Summary reporting information for each class of intrusion attempt—Report the most common source IP address, destination IP address and attack type and the percentage of total attempts in that class of attempt that had that most common source IP, destination IP or attack type.
  • Firewall configuration change—This is described above in which the agent 209 may report a boolean value indicating whether any aspect of the industrial network firewall configuration has changed at the end of the reporting interval. As described above, the agent 209 agent uses firewall-specified technologies (eg: ssh or tftp) to download the currently active firewall configuration to the server 50. If the configuration downloaded at the end of one reporting interval differs from the configuration downloaded at the end of the previous reporting interval, the agent 209 reports a one, otherwise if the downloaded configuration differs from the saved firewall settings for the current threat level, the agent 209 reports a one, otherwise if any of the saved firewall settings for any threat level have changed in the reporting interval, the agent reports a one, otherwise it reports a zero. The agent 209 also reports a one-line summary of what area of the firewall configuration has changed, such as, for example, the saved settings, the downloaded configuration, and the like, with further detail as to what part of the configuration changed, such as, for example, the firewall rules, the number of active ports, address translation rule, and the like. If the configuration has changed, the alert may remain in the elevated alarm state until an authorized administrator, for example, updates the saved configuration data (firewall configuration set) on the Watch server 50 as the new master set of configuration data.
  • It should be noted that in industrial networks, for example, paths through the firewall may be opened temporarily by a short term firewall configuration change such as while short-term projects or contractors are on-site. The firewall configuration change metric allows for automatic tracking and determination of when there has been such a change. In response to a one for this metric, for example, RTAP 212 may generate an alert condition. This condition may continue to be tracked as long as the configuration is non-standard until the configuration is restored to a firewall configuration known to be safe.
  • Threat thermostat configuration change—Reports the number of saved firewall configurations corresponding to threat thermostat threat levels that have changed in the reporting interval.
  • Note that the agent 209 keeps a copy of the saved firewall configurations corresponding to the different threat levels. At the end of the reporting interval, the agent 209 compares the copies to the current firewall configurations corresponding to the different threat levels and reports if a particular pairing of firewall rule sets with an associated threat level has changed, or if there has been a change to any one of the rules sets. If there have been any changes, then after reporting, the agent 209 replaces its set of saved firewall configurations with the modified firewall configurations. For every configuration that changed in a reporting period, the agent 209 also reports a one-line summary of what has changed in the configuration.
  • Other activity and innocuous activity filters—In log files of firewalls and other systems, various metrics may be derived from a master system log file. The “other activity” metric is a count of “unusual” messages detected in the master log file during the reporting interval. A set of messages may be defined as unusual using a default and/or user specified set. For example, unusual messages to be included in this metric may be filtered using regular expressions. Any line of the log file that is not counted as some other metric is a candidate for “other activity.” These “other activity” candidate lines are compared to each of the saved regular expressions and discarded if there is a match with any expression. Otherwise, the candidate log entry is counted as an incident of “unusual activity”. When all the log entries generated during the reporting interval are processed, the “unusual” count is reported as the value of the “other activity” metric.
  • The receiver 210 is used to interface with RTAP 212. In one embodiment, use of facilities in RTAP 212 is in accordance with a predefined interface or API (application programming interface). One of the functions of the receiver 210 is to convert the agent protocol data received into a format in accordance with a known RTAP API in order to populate the database of RTAP 212. Additionally, the receiver 210 may perform agent authentication of messages received. For example, in one embodiment, a private unique key may be used by each device or processor sending a message to the Watch server 50. The receiver 210 knows these private keys and uses these to authenticate the received messages as being from one of the expected devices. The receiver 210 records the IP address reporting every metric and rejects new values reported for a metric from any IP address but the last address to report legitimately to the metric. Other embodiments may use other encryption techniques and accordingly may use different techniques in authenticating received messages.
  • The notification server 216 and/or the web server 214 may be used in connection with providing incident notification. When configuring the security or system performance metrics used by the Watch server 50, a user may specify an e-mail address or other destination for receiving different types of alert notifications that may be produced. The notification in the event of an alert may be sent, for example, to a PDA, pager, cell phone, and the like upon the occurrence of an event determined by the Watch server. Such an event may include, for example, reported data reaching predetermined alarm or other thresholds, detection of a cyber-attack, detection of a component failure within the industrial network requiring immediate repair, and the like. Once a user has been notified upon such a device, the user may then use a web browser to gain secure access to the Watch server allowing one to examine the problem and acknowledge any one or more alarms. The notification server 216 may also send a message to a direct phone connection, such as to a phone number, rather than an e-mail address.
  • The web server 214 may be used in connection with displaying information and/or accepting input from a user in connection with any one of a variety of different tasks in this embodiment. Other embodiments may use conventional command line, Windows, client/server or other user interfaces known to those of ordinary skill in the art. In this embodiment, for example, the web server 214, through a web browser, may be used in displaying a security metric set-up page allowing for customization of security conditions, and definitions used for recording and alarming. For example, a user may specify limit values or thresholds associated with different warnings or alarms. When such thresholds have been reached, a notification message may be sent to one or more specified devices or addresses. Additionally, the web server 214 in connection with a browser may be used, for example, in connection with displaying different types of information regarding a security status, details of selected metrics, and the like. In connection with the use of the web server 214 and a browser, the different agents may be configured and monitored.
  • The web server 214 may be any one of a variety of different types of web servers known to those of ordinary skill in the art such as, for example, a TOMCAT web server. The web server 214 may be used in connection with obtaining input and/or output using a GUI with a web browser for display, browsing, and the like. The web server 214 and a browser may be used for local access to appliance data as well as remote access to appliance data, such as the RTAP 212 data. The web server 214 may be used in connection with displaying pages to a console in response to a user selection, in response to a detected alert or alarm, obtaining settings for different threshold and alarm levels such as may be used in connection with notifications, and the like. The web server 214 may also be used in connection with communicating information to a device such as a pager in the event of a notification when a particular designated threshold for example of an alarm level has been reached.
  • RTAP 212 may provide for collection, management, visualization and integration of a variety of different automated operations. Data may be collected and reported to the Watch server and stored in RTAP 212, the Watch server's database. As described elsewhere herein, RTAP 212 may be used in connection with performing security monitoring and providing for appropriate notification in accordance with different events that may be monitored. RTAP may raise alerts, for example, in the event that predetermined threshold conditions or events occur in accordance with the data store maintained by RTAP 212. One embodiment of RTAP is described in following paragraphs in more detail.
  • RTAP 212 may be implemented using a commercially available real time control system, such as Verano's RTAP product, or the Foxboro Intelligent Automation (IA) product or other SCADA or DCS system. In other words, a conventional control system may be used not to control a physical process, but to monitor the security activity of an industrial network and connections. RTAP 212 may also be implemented using customized software that uses a relational database. As will be appreciated by one of ordinary skill in the art, other embodiments may use other components.
  • In operation, each of the different agents may report data to RTAP 212 through use of the receiver 210. RTAP 212 may then store the data, process the data, and perform event detection and notification in accordance with predefined alarm levels and thresholds such as may be obtained from user selection or other defined levels. For example, as described above, a user may make selections in accordance with various alarm or alert levels using a browser with a GUI. These particular values specify a threshold that may be stored and used by RTAP 212. As RTAP 212 receives data reported from the different agents, RTAP 212 may process the data in accordance with the threshold(s) previously specified. In the event that an alarm level has been exceeded or reached, the RTAP 212 may signal an alert or alarm, and provide for a notification message to be sent on one or more devices using the web server 214 and/or notification server 206. It should be noted that the various designated location or device to which notification messages are to be sent may also be specified through the same GUI by which the threshold levels are specified.
  • The threat thermostat controller 218 may be used in generating a response signal in accordance with one or more types of security-threat inputs. In one embodiment, the threat thermostat controller 218 may use as inputs any one or more raw or derived parameters from the RTAP 212, other inputs that may be external to the Watch server, and the like. In one embodiment, in accordance with these various input(s), the threat thermostat controller 218 selects one or more of the firewall settings from 220 which controls access between the corporate network 12 and the industrial network 14 as well as access to the industrial network 14 from other possible connections.
  • In one embodiment, the threat thermostat controller 218 may use one of three different firewall settings from 220 in accordance with one or more inputs. Each of the firewall settings included in 220 may correspond to one of three different threat levels. In the event that a low threat level is detected for example the firewall rule settings corresponding to this condition may allow all traffic between the corporate network 12 and the industrial network 14 as well as other connections into the industrial network 14 to occur. In the event that a medium threat level is determined, a second different set of firewall settings may be selected from 220. These firewall settings may allow, for example, access to the industrial network 14 from one or more particular designated users or systems only within the corporate network 12. If a high threat level is determined by the threat thermostat controller 218, all traffic between the corporate network 12 and industrial network 14 may be denied as well as any other type of connection external into the industrial network 14. In effect, with a high threat level a determination, for example, an embodiment may completely isolate the industrial network 14 from any type of outside computer connection.
  • Actions taken in response to a threat level indicator produced by the threat thermostat controller 218 may include physically disconnecting the industrial network 14 from all other external connections, for example, in the event of a highest threat level. This may be performed by using a set of corresponding firewall rules disallowing such connections. Additionally, a physical response may be taken to ensure isolation of one or more critical networks such as, for example, disconnecting a switch or other network device from its power supply. This may be done in a manual or automated fashion such as using a control system to implement RTAP 212. Similarly, a mechanism may be used to reconnect the critical network as appropriate.
  • In connection with low threat level determinations, the corresponding firewall settings from 220 may allow data to be exchanged between the industrial network and less trusted networks in predefined ways and also allow authorized users on less trusted networks to remotely log into computers on a critical network, such as the industrial network. When the threat level as generated or determined by the threat thermostat controller 218 increases, the second set of firewall rule settings from 220 may be used which provide for a more restrictive flow of communication with a critical network such as the industrial network 14. For example, corporate may notify the industrial network that a particular virus is circulating on the corporate network 12, that a Homeland Security alert status has increased, and the like. Using these different inputs, the second set of rules may be selected and allow critical data only to be exchanged with less trusted networks and also disable remote log in capabilities. In the event that the highest or third level of threat is determined by the threat thermostat controller 218, what may be characterized as an air gap response may be triggered leaving all less trusted networks physically disconnected until the threat(s) have been addressed, such as, for example, by installing any proper operating system and application patches.
  • In connection with the threat thermostat 218 in one embodiment, five threat levels may be utilized. Associated with each threat level may be a text file with a series of commands that define a particular firewall configuration including firewall rule sets, what network ports are enabled and disabled, address translation rules, and the like. All of this information may be included in each of the text files associated with each of the different threat levels.
  • One of the inputs to the threat thermostat controller 218 may include, for example, a security level as published by the Homeland Security, an assessment or threat level as produced by a corporate department, and/or another source of a threat level that may be gathered from information such as available on the Internet through a government agency or other type of private organization and reported by the threat agent 200. These assessments may be weighted and combined by the threat thermostat controller 218 to automatically determine a threat level causing a particular set of firewall settings to be utilized. A particular weighting factor may be associated with each of multiple inputs to 218 making the determination of a specific indicator or threat level.
  • It should be noted that the particular firewall settings included in each of the sets of 220 may include a particular set of firewall rules, address translations, addresses to and from which particular communications may or may not be allowed, intrusion detection and prevention signatures, antivirus signatures, and the like. Inputs to the threat thermostat controller may also include, for example, one or more raw metrics as provided from RTAP, and/or one or more derived parameters based on data from RTAP and/or from other sources. It should be noted that the threat thermostat controller may generate a signal causing data to be displayed on a monitor connected to the Watch server 50 such as through a console as well as to send one or more notification messages to previously designated destinations. In one embodiment, the threat thermostat control level may be displayed on a GUI. In one embodiment, an alert may be generated when there is any type of a change in a firewall rule set or threat level either in an upward or a downward threat level direction.
  • An embodiment may provide for a manual setting of a threat thermostat level used in the selection of the firewall settings, and the like. This manual setting may be in addition to, or as an alternative to, automated processing that may be performed by the threat thermostat controller 218 in determining a threat level. Additionally, an embodiment may include one or more user inputs in the automatic determination of a threat level by the threat thermostat controller 218. It should be noted that in one embodiment, once the threat level has risen out of the lowest level, only human intervention may lower the thermostat or threat level.
  • It should also be noted that although various levels of access with respect to a critical network, such as the industrial network, have been suggested in examples herein in connection with different threat levels, an embodiment may vary the particular access associated with each of the different threat levels. Although three or five threat levels and associated rule sets are described herein, an embodiment may include any number, more or less, of threat levels for use in accordance with a particular application and embodiment.
  • Additionally, in connection with the data that has been gathered by RTAP 212 such as raw data, alerts may be generated using one or more derived or calculated values in accordance with the raw data gathered by the agents.
  • An embodiment may implement the database portion of RTAP 212 as an object oriented database. RTAP 212 may include a calculation engine and an alarm engine in one embodiment. The calculation engine may be used to perform revised data calculations using a spreadsheet-like data flow process. The alarm engine may determine an alarm function or level using a state table. Details of RTAP 212 are described elsewhere herein in more detail.
  • It should be noted that any one or more hardware configurations may be used in connection with the components of FIGS. 3 and 4. The particular hardware configuration may vary with each embodiment. For example, it may be preferred to have all the components of FIGS. 3 and 4 executing on a single computer system in a rack-mount arrangement to minimize the impact on the physical layout of a plant or other location being monitored. There may be instances where physical location and layout of a system being monitored require use of extra hardware in a particular configuration. For example, NIDS and ARPWatch may be monitoring the activity of 3 different switches in an industrial network using the spanning ports of each switch. Each of the 3 switches may be located in physical locations not in close proximity to one another or another computer system hosting the components of the Watch server 50. Two switches may be located in different control rooms and one switch may be located in a server room. One hardware configuration is to have the computer system upon which the Watch server components execute monitor the one switch in the server room. Two additional processors may be used in which each processor hosts agents monitoring execution of one of the remaining two switches. The two additional processors are each located in physical proximity near a switch being monitored in the control rooms. The two additional processors are capable of supporting execution of the agents (such as the NIDS agent 204 and ARPWatch Agent 206) and any software (such as NIDS 204 a, ARPwatch 206 a) used by the agents. These processors are connected to, and communicate with, the computer system upon which the Watch server components execute. As will be appreciated by those of ordinary skill in the art, the hardware and/or software configurations used may vary in accordance with each embodiment and particular criteria thereof.
  • In one embodiment, it should be noted that the receiver 210 of the Watch server 50 may track the last time a report was received by each agent (class 1 and class 2). In the event that the component 210 determines that an agent has not reported to the receiver 210 within some predetermined time period, such as within 150% of its expected periodic reporting interval, an alert is raised by sending a notification to one of the notification devices. Such an alert may indicate failure of an agent and/or machine and/or tampering with the watch system and/or with agents. Alerts may also be raised if agents report too frequently, indicating that someone may be trying to mask an attack or otherwise interfere with agent operation. Alerts may also be raised if agent reports are incorrectly authenticated, for example, if they are incorrectly encrypted, have an incorrect checksum, contain an incorrect timestamp or sequence number, are from an incorrect IP address, are of incorrect size, or are flagged as being destined for an IP address other than the address on which the receiver 210 is listening.
  • It should be noted that components 202, 203 and 209 may preferably send encrypted communications where possible to other components besides the receiver 210. Whether encryption is used may vary with the functionality of the components communicating. An embodiment may use, for example, V3.0 or greater of the SNMP protocol with the components 202 and 203 in order to obtain support for encryption. Component 209 may also use encryption when communicating with the firewall.
  • Referring now to FIG. 4A, shown is an example 400 of an embodiment of a threat thermostat controller 218 in more detail. In particular, the example 400 illustrates in further detail the one or more inputs that may be used in connection with a threat thermostat controller 218 as described previously in connection with the Watch server 50 of FIG. 4. An embodiment of the threat thermostat controller 218 may automatically determine a firewall rule set and threat indicator 410 in accordance with one or more inputs 402, 406 and/or 408 and 220. Inputs 402, 404, 406 and 408 may be characterized as selection input which provides for selection of one of the firewall settings from 220. As an output, the threat thermostat controller 218 may automatically send the selected firewall settings from 220 and a threat indicator level as a signal or signals 410. Inputs 402 may come from external data sources with respect to the industrial network 14. The external data may include, for example, an indicator from a corporate network, one or more inputs from an internet site such as in connection with a Homeland Security alert, a threat indicator generated by another commercial or private vendor, and the like. This external data may come from network connections, or other type of remote log in connections with respect to the industrial network 14. Other types of input may include one or more RTAP inputs 404. The RTAP inputs 404 may be raw data inputs as gathered by agents and stored within the RTAP 212 database, particular threshold levels, and the like. RTAP inputs 404 may also include a resultant value or indicator that is generated by processing performed by RTAP in accordance with one or more of RTAP data values. An RTAP indicator included as an RTAP input 404 to the threat thermostat controller 218 may be, for example, an indicator as to whether a particular threshold level for one or more metrics is exceeded. The input to the threat thermostat controller 218 may also include one or more derived parameters 406. The derived parameters 406 may be based on one or more raw data values as gathered by the agents and stored in RTAP. These derived values may be stored within RTAP or determined by another source or module. Another input to threat thermostat controller 218 may be one or more manual inputs 408. The manual input or inputs 408 may include, for example, one or more values that have been selectively input by an operator such as through GUI or configuration file. These values may include a metric that may be manually input rather than being received from an external source in an automated fashion.
  • Although the various inputs described and shown in 400 have been illustrated for use with a threat thermostat controller 218 in one embodiment, it should be noted that any one or more of these as well as different inputs may be used in connection with the threat thermostat controller to produce an output threat indicator. The outputs of the threat thermostat controller 218 include a firewall rule set and threat indicator 410. The firewall rule set and other settings may be communicated, for example, to a firewall as a new set of rules to be used for subsequent communications and controlling access to one or more critical networks. In one embodiment, a new set of firewall rules may be remotely loaded from the Watch server location 220 to the firewall using SSH (described elsewhere herein) and/or any of a variety of secure communications mechanisms known to those of ordinary skill in the art such as, for example, IPSEC, HTTPS, SSL, and the like.
  • The threat indicator that may be produced by a threat thermostat controller 218 may, also serve as an input to RTAP 212 and may be used, for example, in connection with generating one or more notifications through use of the web server and/or notification server as described elsewhere herein when a particular threat indicator level has increased or decreased, a firewall rule setting selection has been modified and the like. Additionally, data recording for the threat level, date, time, and the like may be recorded in RTAP 212. The threat thermostat controller 218 may also produce an output signal 411 used in connection with automatically controlling the operation of a connecting/disconnecting the industrial network from the corporate network in accordance with the threat indicator. For example, the signal 411 may be input to RTAP, a control system, switch or other hardware and/or software used to control the power supply enabling connection between the industrial network and corporate network as described elsewhere herein.
  • It should be noted that in one embodiment, only manual inputs may be used. A single manual input may be used in one embodiment, for example, in selection of a threat indicator causing the threat thermostat controller 218 to make a selection of a particular firewall setting. Another embodiment may provide for use of a combination of automated and/or manual techniques where the automated technique may be used to produce a threat indicator unless a manual input is specified. In other words, rather than weight one, or more manual inputs in connection with one or more other inputs in an automated fashion, the manual input or inputs may serve as an override of all of the other inputs in connection with selecting a particular firewall rule set from 220 and generating a threat indicator. Such a manual override may be provided as an option in connection with a mode setting of a threat thermostat controller 218. If the override setting which may be a boolean value is set to on or true, the manual input will act as an override for all other inputs and an automated technique for producing a threat indicator. In the event that override is set to off, the manual input may not be considered at all, or may also be considered along with other inputs in connection with an automated technique used by the threat thermostat controller.
  • Referring now to FIG. 5, shown is an example 300 of the different types of agents of the first class of agent that may be utilized in an embodiment of the industrial network 14. It should be noted that the agents 300 may be included and executed on each of the computer systems in the industrial network 14 as indicated by the agents 132 a-132 d. In other words, the different agent types included in 300 are those types of agents that may execute on a system and report information about that system to the Watch server 50. It should be noted that although an embodiment may include the particular agent types of 300, an embodiment may include different types of agents and a different number of agents than as described herein in accordance with the particular application and embodiment and may vary for each computer system included in the industrial network 14.
  • Included in 300 is a master agent 302, a critical file monitoring agent 304, a log agent 306, a hardware and operating system agent 308, a password age agent 310, and an application specific agent 312. In one embodiment, the master agent 302 is responsible for control of the other agents included in the computer system. For example, the master agent 302 is responsible for starting and monitoring each of the other agents and to ensure that the other agents are executing. In the event that the master agent 302 detects that one of the other agents is not executing, the master agent 302 is responsible for restarting that particular agent. The master agent 302 may also perform other tasks, such as, for example scheduling different agents to ran at different periods of time, and the like.
  • The critical file monitoring agent 304 may be used in connection with monitoring specified data files. Such data files that may be monitored by agent 304 may include, for example, operating system files, executable files, database files, or other particular data file that may be of importance in connection with a particular application being performed within the industrial network 14. For example, the agent 304 may monitor one or more specified data and/or executable files. The agent 304 may detect particular file operations such as file deletion, creation, modification, and changes to permission, check sum errors, and the like. Agent 304, and others, gather information and may report this information at various time intervals or in accordance with particular events to the Watch server 50.
  • The log agent 306 may be used in monitoring a system log file for a particular computer system. The log monitoring agent 306 may look for particular strings in connection with system activity such as, for example, “BOOT”, or other strings in connection with events that might occur within the computer system. The log agent 306 searches the log file for predetermined strings of interest, and may store in memory the string found as well as one or more corresponding metrics such as, for example, the number of occurrences of a string. For example, the log agent 306 may count occurrences of a BOOT string and report the count in a single message which may be sent to the Watch server or appliance. The sending of a single communication to the Watch server may be performed as an alternative, for example, to sending a message reporting the occurrence of each string or event. Techniques such as these provide for efficient and bounded use of resources within the industrial network 14 resulting in reduced bandwidth and CPU and memory usage consumed by the agents.
  • In one embodiment, the agent 306 may report the following metrics at periodic intervals:
  • Login failures—Report the number of “failed login” messages in the system log in the reporting interval. The format of these messages may vary in accordance with software platform, such as operating system and version and login server, such as for example, ssh, telnet, rlogin, and the like. Reported with this metric may be the names of the top three accounts reporting login failures in a reporting interval, and what percentage of the total number of failure reports is associated with each of these three accounts.
  • Password change failures—Report the number of “failed password change attempt” messages in the system log in the reporting interval. Some of these failures may be the result of an authorized user trying to change his/her own password. This metric may indicate false positives such as these in addition to indicating a brute force password attack by an unauthorized user. Reported with this metric may be the top three accounts reporting failed password attempts in a reporting interval and a corresponding percentage of failed attempts associated with each account.
  • Network ARPwatch—Using the modified version of ARPwatch described elsewhere herein, this metric reports the number of unapproved IP/device address bindings currently on the network. The ARPwatch metric also reports the first three ARPwatch log messages detected in each reporting interval, and if the metric is non-zero in an interval, reports the top three IP addresses and device addresses responsible for those messages.
  • Host IDS audit violations—Report the total number of IDS and failure audit messages detected in the reporting interval. When the IDS classifies the messages, report a count for each classification—eg: critical, warning. When multiple audit systems are running on a machine, report each system's output independently. For example, on SELinux systems, the SELinux system reports authorization failures for all failed accesses to protected resources. Such authorization failures are reported as a separate SELinux authorization failure metric. Additionally, report the first three log messages detected in each classification in each reporting interval and a count of the messages not reported. This metric may be extended to report a summary of all the messages detected for each kind of message in the reporting interval as well, including, where process information is available, the top three processes responsible for the messages and the percentage of total messages associated with each process and/or, where file information is available, the top three files that are reported as the targets of audited file manipulations, and what percentage of all the IDS messages each file was mentioned in.
  • Host IDS antivirus alerts—for host IDS systems that monitor and report on viruses detected on control system hardware. Note that while some computers in the industrial network may not execute antivirus software for performance, compatibility, or other reasons, other computers within the industrial network may utilize antivirus software. An embodiment of this agent may also report the first three such messages detected in a reporting interval.
  • The agent 306 may also include metrics related to the following:
  • Web page authentication failures, web page permission violations, total web page failures, firewall violations (described herein in more detail), and tape backup failures. This last metric may be useful in connection with notifying administrators, for example, in the event that security history or other information is no longer being backed up on a tape or other backup device.
  • Windows event logs—Report the number of Windows “Error,” “Warning,” “Informational,” “Success Audit,” and “Failure Audit,” log entries detected in the reporting interval. The agent also reports the first 256 characters of text for the first three such log entries discovered for every type of log in every reporting interval.
  • The hardware and operating system agent 308 may be used in connection with gathering and reporting information in connection with the operating system and hardware. For example, through execution of a status commands or others that may be available in an embodiment, information may be produced using one or more operating system utilities or calls. As an output of the command, data may be produced which is parsed by the hardware operating system agent 308 for the particular statistics or metrics of interest. In one embodiment the hardware operating system agent 308 may use one or more status commands, for example, to obtain information about CPU load, disk space, memory usage, uptime, when the last reboot has occurred, hardware and software information such as related to version numbers, and the like. Similar to the behavior of other agents, the hardware operating system agent 308 may parse the output of different status commands and send a single report to the Watch server at different points in time rather than report multiple messages to the Watch server. For example, the agent 308 may combine information from multiple status commands and send a single communication to the Watch server or appliance 50 at particular time periods or in accordance with particular events.
  • In one embodiment, the following metrics may be reported by agent 308 at periodic intervals:
  • Counts of interprocess communications resources used—System V message counts and segment counts for any message queues used by the control system. If the system is becoming congested such as, for example, messages requests are backing up because the system does not have the resources to process them fast enough, or because of a failure of some component of the system that is supposed to be processing them, an alarm may be raised when any message queue's message or segment count exceeds a preset limit.
  • Operating System type—This is a constant value reported to assist in auto-configuration of the Watch server. For example, when an administrator is searching for a particular machine when using the GUI on the Watch server, that person may become confused by the many machines whose information is available via the GUI. Operating system type, version number, and the like, may be used in identifying a particular machine through the GUI.
  • “Uptime”—How long it has been since the machine running the agent 308 has been rebooted. This is sometimes useful in post-mortem analysis. For example, a number of anomalous alerts are generated by the Watch server in connection with resource and system performance metrics. It may also be observed that a particular computer in the industrial network was also being rebooted during this time period. It may be determined that the abnormal resource usage, for example, was due to the machine reboot or restart activity which may differ from the usage when the computer is in steady state. Thus, it may be useful to determine why the machine rebooted and restarted rather than investigating the individually raised resource-generated alerts.
  • User count and root user count—How many login sessions are active on the machine, and how many of those belong to “root” or other account with an elevated level of permissions. Each metric reports not just the count of logins, but for the first N logins, such as 20 for example, report where the user is logged in from, such as the machine's console, or the IP address, or host name of some other machine the user is logged in from. In one embodiment, the foregoing metrics may be determined on a Unix-based system. Other systems may provide similar ways to obtain the same or equivalent information. Note that below as known to those of ordinary skill in the art, “tty” is a UNIX-specific reference to a UNIX device that manages RS232 terminal connections:
  • 1) Determine who is logged into the system. In one embodiment, this may be determined by examining the output of the “who” command. (i.e., On HP-UX, “who −uR”. On Tru64 use “who −M”).
  • 2) From the output of 1), extract the user name, the source machine if any, and the “tty” or other login user identifier.
  • 3) Determine which user(s) are currently using system resources. This may be determined, for example, using the Unix-based “ps” command.
  • 4) Since “Who” command output may be sometimes stale, the number of current users may be determined in a Unix-based system by remove from the “who” list (from 1) any user whose identifier is not associated with any active process identified in 3).
  • 5) When reporting root user counts, an embodiment may also search the /etc/passwd file for each user “who” reports. Any user with a numeric user ID of 0 is in fact running as root and is reported as such. Since a single user logged in on the console may have many terminal windows open and “who” reports each as a separate login, it may be desirable to report the foregoing as a single user.
  • 6) All of the login sessions whose source “who” reported as “:0” as associated with the console display device, may be combined into a single entry.
  • 7) Count and report all root users whose “source” is reported by the “who” command as a machine other than the local machine.
  • 8) Examine the “tty” of all potential root users. Increment the root count for, and record the source for, every unique standard input device:
      • “ptyN”—a pseudo tty used by X11 windows
      • “ttyN”—a Linux pseudo console created using the keystroke combination: <Ctrl><Alt><Fn>
      • serial port logins—“ttySN” on Linux or “ttyN” on HP-UX, Solaris and Tru64,
      • “console” for console device logins and “:0” as well for console logins on Tru64.
  • 9) Determine the owner of any of the standard window manager processes that might be running on the machine. If a root console login has not already been identified, and any of these processes is running as root, that counts as a root console login.
  • (10) Determine and count the number of rsh (remote shell) users. Use the Unix “ps” command to identify remote shell daemon processes (eg: remshd) and their child processes. Count and report as users the user identifiers associated with all such child processes.
  • CPU Load—On a Windows-based system, report the % CPU used in the reporting interval. On UNIX systems, report the CPU load average for the interval. The load average is the average number of processes competing for the CPU. Note that on a Windows system, if some process is spinning in a tight loop, the machine reports 100% CPU usage. This metric may be characterized as a rather blunt reporting instrument since it gives no idea of how much “other” work the machine is accomplishing over and above the process that is currently looping. On a UNIX system in a similar state, a report may indicate, for example, a load average of 1.5. The process in a loop accounts for 1 load unit (it was always wanting the CPU). The additional 0.5 indicates that over and above the executing process, ½ of the time some other process wanted the CPU for execution purposes: Additionally, the top three process names consuming CPU in a reporting interval may be reported along with what portion (such as a fraction or percentage) of the CPU used in the interval was used by each of these top three processes.
  • % Disk space—for every disk partition or volume, report the % used for each. It should be noted that RTAP may be configured to alert when the percentage of this metric is not in accordance with an absolute threshold.
  • % Swap space—Report the % used for swap space. An alert may be generated when that metric increases to an absolute threshold. Additionally, in each reporting interval, the top three processes using memory and/or swap space may be reported and what % of the available resource each of these processes consumes.
  • % Memory Used—Report the fraction of physical memory used. It should be noted that some operating systems report swap and memory as one metric and so the % swap space metric may be the metric reported. In that case % swap space combines memory used and swap used into one total and reports the fraction of that total in use.
  • Hardware (such as LM) Sensors and Disk Status (such as SMART)—Report metrics from sensors on different computer components, such as the CPU. The values reported on different platforms may differ in accordance with the different hardware and/or software and/or monitoring circuits. Examples of the metrics that may be reported by one or more sensors may include CPU temperature, case temperature, fan speed for any of several fans, power supply working/failed status in machines with multiple power supplies, soft hard disk failures, etc. These sensors can provide early warning of impending hardware failure of critical industrial control computer components. Note that “SMART” refers to the Self Monitoring Analysis and Reporting Technology as described, for example, at http://smartmontools.sourceforge.net. “LM” refers to, for example, “LM-78” and “LM-75” hardware monitoring functionality that is standard in some vendor chipsets and is described, for example, at http://secure.netroedge.com/˜lm78.
  • Network Traffic—Report total incoming and total outgoing traffic for every network interface on the computer. An abnormal increase in such traffic can mean either that the machine is under attack, that the machine has been compromised and is being used to attack another machine, that the machine has been compromised and is being used for some purpose other than it was intended for, or that there has been some sort of malfunction of the control system on the machine.
  • Open listen sockets—Reports a count of open listen sockets on the computer. Listen sockets are almost always associated with long-running server processes, and the count of such processes and sockets almost always changes very predictably on control system computers. For example, the count of such sockets may fall within a very small range having little variance. When the count moves out of this range, an alert may be generated. When the listen socket count falls out of the bottom of the range, it may be an indication that some server component of the operating system or of the control system itself has failed, causing the associated listen socket to close. When the listen socket count rises out of the top of the normal range, it may indicate that some server component has been added to the system. This may be, for example, a new control system component, a debugging or other tool that it may or may not be wise to deploy on a production control system, or a component installed by an intruder or authorized user seeking to gain unauthorized access to the system in the future.
  • The password age agent 310 may be used in monitoring the status of different passwords and accounts. Such activity may include password aging. The particular metrics that may be gathered by the agent 310 may relate to the security of the computer system being monitored as a security measure to detect hackers trying to log in to the system.
  • In connection with one embodiment, the agent 310 may report the following at periodic intervals:
  • Max password age—Once an hour, a maximum password age metric may be reported that measures the age of every password on every account on the system. Included in this reported metric may be the age of the oldest password on the system, and, for each of the first 100 users on the system, the user name and age of that user's password. This metric may be useful when raising alerts when passwords become too old. Some sites have a policy of changing passwords regularly, eg: at minimum every 180 days. Because user names and password ages can serve to help identify vulnerable accounts on a computer system, these information may be separately encrypted when the primary communication channel for the agent report is not already encrypted.
  • The application specific agent 312 may be customized, for example, to monitor specific application parameters that may vary with a particular embodiment and/or application executing in the industrial network 14. Generally the application specific agent 312 is an agent that may be built and specified by a particular operator of the industrial network.
  • In one embodiment, the agent 312 may report information about the particular application at periodic intervals including any of the following metrics:
  • Abnormal process terminations—A count of control system processes that have terminated unexpectedly or with an improper exit/termination status. The names of a number of such processes which failed in the reporting period may also be reported. These names occupy a fixed maximum size/communications budget, and mean that the next level of detail is available in the Web GUI. It should be noted that this metric may include reporting information regarding the first processes in time to terminate unexpectedly rather than the last processes in time to terminate unexpectedly since the last processes may have terminated as a result of the earliest failed processes. For example, a later terminated process (unexpectedly terminated) may have terminated execution as a result of being unable to communicate with an earlier terminated process (unexpectedly terminated). Also included with this metric when non-zero are the names or other identifiers of the processes that failed most frequently, and what percentage of the total number of failures is associated with each.
  • Installed software —Reports a count of software packages installed, uninstalled and/or updated in the last reporting period. This information comes from whatever sources are available on the computer such as, for example, one or more log files that are appended to when software is installed, uninstalled or updated, and one or more system databases of installed software that are updated when software is installed, uninstalled or updated.
  • Another type of application specific agent 312 may be a control system software agent with knowledge of the expected behavior of a specific control system such as, for example, a Foxboro IA system, a Wonderware InSQL server, or a Verano RTAP server (such as the RTAP component 312), and the like. Such agents may report some metrics already described herein such as:
  • Installed software—When the control system software itself has new components installed, or installed components updated or removed.
  • Process terminations—either terminations reported as abnormal by the control system software application itself, or processes no longer active that the agent “knows” should be active because a correctly functioning Foxboro or RTAP or other system should have such processes active to run correctly.
  • Open listen sockets—The number of open listen sockets. An embodiment may report and monitor the number of open listen sockets that are managed by the control system and are expected to be open for the correct operation of the control system. Note that the number of open listen sockets refers to an embodiment that may use, for example, UDP or TCP. This metric may be more generally characterized as the number of communication endpoints or communication channels open on a server machine upon which the server is listening for client requests.
  • Control system shutdown—Reports all controlled and uncontrolled shutdowns of the control systems application. In the case of an unexpected shutdown of the entire computer running the control system, where there may not have been an opportunity to report the shutdown before the computer itself shuts down, the shutdown may be reported when the computer and the agent restart.
  • An embodiment may also include other types of agents not illustrated in 300. Some of these may be optionally included in accordance with the amount of resources available as well as the particular task being performed by a system being monitored. For example, an embodiment may also include a type of agent of the first class reporting on file system integrity characteristics, such as changes in file checksum values, permissions, types, and the like. Execution of such an agent may be too CPU and/or disk I/O intensive to scan entire filesystems, or to determine checksums for large number of files in a system, so this agent may be selectively included in particular embodiments. The file system integrity agent may report the following metric at periodic intervals:
  • Integrity failures—For IDS that monitor and report on file integrity, report the total number of integrity failure messages detected in the reporting interval. For systems that report different kinds of, or priorities of, integrity failures, an embodiment may report the total integrity failures in each classification. For each classification of failure, also report the first three integrity failure log messages or events detected in the reporting interval and a count of the remaining messages not reported. Integrity failures may be discovered by the agent itself, or the agent may monitor the results of conventional integrity checking tools such as Tripwire or may invoke installation integrity checking tools such as fverify. For more information on Tripwire, see http://www.tripwire.org. For more information on fverify, see: http://h30097.www3.hp.com/docs/base doc/DOCUMENTATION/V51 HTML/MAN/INDEXES/IN DEX_F.HTM
  • In addition, to provide a degree of filesystem integrity checking on a resource-constrained computer system, an embodiment may pace filesystem integrity checking such that only a small number of files are checked in a given reporting interval to reduce and/or limit the CPU and disk I/O impact of such checking. Such an embodiment may, for example, also classify files into two or more levels of importance, and may scan some number of files from each level of importance in each reporting interval. This way, when the lowest level of importance has many more files in it than the highest level of importance, more important files will tend to be checked more frequently than less important files, while still controlling the resource impact of the scanning.
  • It should be noted that the particular metrics reported by each agent as well as other particular agent characteristics, such as periodic reporting intervals, may vary with each embodiment. Although the description of the various metrics herein may be made with reference to elements particular to this embodiment, such as a the UNIX-based operating systems, it will be appreciated by one of ordinary skill in the art that equivalents may be used in connection with other elements, such as other operating systems that may be used in an embodiment.
  • It should be noted that an embodiment may issue an alert using RTAP when any one of more of the metrics, reported as a count or value rather than a boolean, described herein is not in accordance with an absolute threshold.
  • Data flows from each of the different types of agents of the first class 132 a-132 d on computer systems in the industrial network to the Watch server 50. In this embodiment, the Watch server may be characterized as an appliance that is a passive listening device where data flow is into the appliance. Within the Watch server, a process may be executed which expects a periodic report from the agents 132 a-132 d as well as a report from the agents 132 a-132 d when a particular event occurs. If there is no report from a particular agent 132 a-132 d within a predefined time period, the Watch appliance may detect this and consider the agent on a particular system as down or unavailable. When a particular system, or the particular agent(s) thereon, in the industrial network 14 are detected or determined to be unavailable or offline, as may be determined by the RTAP 212 of FIG. 4, an alarm or alert may be raised. Raising an alarm or alert may cause output to be displayed, for example, on a console of a notification device.
  • Collectively the different types of agents provide for gathering data that relates to the health, performance, and security of an industrial network. This information is reported to the Watch appliance or server 50 that uses the health, performance and security data in connection with security threat monitoring, detection, and determination.
  • Each of the agents may open up its own communication connection, such as a socket, to send data to the Watch server. An embodiment may alternatively use a different design and interaction of the different types of agents than as illustrated in 300. In one embodiment using the example 300, each agent may be implemented as a separate process. In an alternative embodiment, a single process may be used performing the processing of all the different types of agents illustrated in FIG. 5 and all data may be communicated to the Watch server over a single communication connection maintained by this single process. An embodiment may use another configuration to perform the necessary tasks for data gathering described herein.
  • It should be noted that an embodiment may include the master agent with any one or more of the different types of agents for use with a system being monitored. Using the model of FIG. 5, the master agent is necessary to control the operation of one or more of the other types of the first class.
  • Referring now to FIG. 6, shown is an example 350 of the architecture of each of the agents of the first and second classes described herein. It should be noted that the architecture 350 may vary in a particular embodiment or with a particular class of agent. The particular illustration of FIG. 6 is only an example and should not be construed as a limitation of the techniques described herein.
  • An agent data source 352 is input to an input data parser 354. The particular data source 352 may vary in accordance with the particular type of agent. For example, in the event that the agent is a log file agent, the agent data source may be a system log file. In the event that the agent is the hardware operating system agent, the agent data source may be the output of one or more status commands. The one or more data sources 352 are input to the data parser 354 for parsing. The particular tokens which are parsed by 354 may be passed to the pattern matching module 356 or the metric aggregator and analyzer 358. It should be noted that there are times when the parsed data may be included in a message and does not require use of pattern matching. The pattern matching module 356 searches the data stream produced by 354 for those one or more strings or items of interest. The pattern matching module 356 may report any matches to the metric aggregator and analyzer 358. The component 358 keeps track of summary of the different strings as well as counts of each particular string that have occurred over a time period as well as performs processing in connection with immediate notification. As described elsewhere herein, an agent may report data to the Watch server 50 at periodic reporting intervals. Additionally, the agent may also report certain events upon immediate detection by the agent. This is described elsewhere herein in more detail. The metric aggregator and analyzer 358 also controls the flow of data between the different components and is also responsible for compressing the messages to minimize the bandwidth function.
  • Once the metric aggregator and analyzer 358 has determined that a message is to be reported to the Watch server 50, such as for immediate reporting or periodic reporting of aggregated data over a predetermined time period, the metric aggregator and analyzer 358 may send data to the XML data rendering module 362 to form the message. The XML data rendering module 362 puts the information to be sent to the Watch server 50 in the form of an XML message in this particular embodiment. Subsequently, component 362 communicates this XML message to the message authentication and encryption module 360 for encryption prior to sending the XML message to the Watch server or appliance.
  • In connection with the message authentication and encryption module 360 of FIG. 6, it should be noted that any one of a variety of different types of encryption techniques may be used. In one embodiment, a timestamp and agent host name or identifier may be included in a message body or text. The authentication processing on the Watch server 50, such as may be performed by the receiver 210, may require that the timestamp values always increase and otherwise reject duplicate or out of date messages. Additionally, an encryption technique may be used which utilizes a key, such as a shared secret key, and the entire message may be encrypted with this key. The shared secret key provides the message authentication information. An embodiment may also use other well-known techniques such as, for example, the MD5 cryptographic checksum and encrypt the checksum of the entire message. The authentication processing performed within the Watch server 50 may vary in accordance with the techniques used by the agents. In one embodiment, an agent may encrypt the checksum of the message and not the message itself. Alternatively, in an embodiment in which a checksum determination of a message is not available, the agent may encrypt the message.
  • The different types of data reported by the types of first class of agents illustrated in FIG. 5 relate to the health, performance, and security of a critical network, such as the industrial network 14. This data as reported to the Watch server 50 enables the Watch server 50 to generate signals or alerts in accordance with the health, performance, and security of the critical network. In particular, the RTAP 212 of the Watch server may be characterized as a global aggregator and monitor of the different types of data reported to a central point, the Watch server 50.
  • The agents 132 a-132 d (of the first class described elsewhere herein) as well as the second class of agents that communicate data to the Watch server 50 may be characterized as distributed monitoring agents. In one embodiment, these agents may raise alerts or send reports to the Watch server in summary format in accordance with predefined time periods, or in accordance with the detection of certain events in order to conserve the bandwidth within the industrial network 14. In existing systems, agents may report every occurrence of a particular event, such as a suspicious activity, and may result in the consumption of excessive bandwidth when a system is under attack. An agent, such as one of the first class executing in the industrial network 14, may report attack summaries at fixed intervals to conserve network resources. For example, an agent 132 a-132 d may report the occurrence of a first suspicious event and then report a summary at the end of a reporting period. In other words, reports may be sent from an agent at predetermined time intervals. Additionally, the agents may send messages upon the detection or occurrence of certain conditions or events.
  • The agents (first class and second class when communicating with the receiver 210) included in an embodiment may be designed in accordance with particular criteria. As described in connection with the above embodiment, the agents are “one-way” communication agents at the application level for increased security so that operation of an agent, such as on a component in the industrial network 14, minimizes added vulnerability to a network attack. The agents communicate with the Watch server by opening a TCP connection, sending an XML document over the connection, and closing the connection after the XML communication is sent. The agents do not read commands or requests for information from this connection from the Watch server.
  • It should be noted that a computer hosting an agent does receive and process messages from the Watch server. However, the processing performed by such a host to an agent are limited to processing steps at lower network levels. For example, in an embodiment using the XML messages described herein, this processing may include the TCP-level connection setup, teardown and data acknowledgement messages performed at levels lower than the application level. Any vulnerabilities existing at these lower levels exist independent of whether the agents described herein are utilized. In other words, use of the agents described herein does not introduce any additional vulnerabilities into monitored and networked control system equipment.
  • The agents, in particular the first class of agents described herein, may be characterized as bandwidth limited agents designed to consume a fixed portion of available network resources. Conventional security agents tend to report every anomalous event upon the occurrence of the event consuming potentially unbounded communication resources under denial-of-service attacks. Conventional agents may regard every security event as important and make a best-effort attempt to communicate every such event to their management console. Agents that consume an excessive amount of a limited network communications resource risk causing the entire system to malfunction, triggering safety relays and other mechanisms to initiate an emergency shutdown of the industrial process.
  • In contrast, the agents described herein are designed to transmit small fixed-size messages at fixed intervals, thus consuming a bounded portion of available communications resources, even under denial-of-service attack conditions. The first class of agents herein gather information, produce condition reports and event summaries, and report those conditions and summaries at fixed intervals. The reports may include: statistics in accordance with the particular first class agent type, such as, for example, resource usage statistics like % CPU used, CPU load factors, % memory used, % file system used, I/O bus utilization, network bandwidth utilization, number of logged in users, and the like. The report may also identify the top N, such as, for example, two or three, consumers of one or more resources. The consumers may be identified by, for example, process names, directories, source IP addresses, and the like, and may identify, when appropriate, what portion of a resource each is consuming. The report may also include other information that may vary with agent type and class such as, for example, counts of log messages and other events, like login failures, network intrusion attempts, firewall violations, and the like detected in the reporting interval that match some criterion or search expression; representative samples of the complete event description or log message for the events counted in the reporting interval, and a short statistical summary of the events, such as what host or IP address hosted the most attacks and what percentage of attacks overall were hosted by a particular computer, which host was most attacked and what percentage of attacks were targeted at a particular host, what user account was most used in connection with launching an attack and what portion of attacks are targeted at a particular user account. In one embodiment, a reporting threshold for an agent may be specified indicating a maximum amount of data the agent is allowed to transmit during one of the reporting intervals. The reporting threshold may specify, for example, a number of bytes that is equal to or greater than a size of a summary report sent at the reporting interval. For a given reporting interval or period, an agent's reporting budget may be the reporting threshold. The agent may also report one or more other messages as needed besides the summary in accordance with the specified reporting threshold. Prior to sending a report, the agent makes a determination as to whether it is allowed to send a next report by determining if the total amount of data reported by an agent would exceed the reporting threshold by sending the next report. If the threshold is exceeded, the agent does not send the report.
  • The agents described herein, in particular the first class of agents, are also designed to limit the amount of processing time and storage (disk and memory) consumed. Conventional intrusion detection and performance monitoring agents are known for the negative performance and storage impact on the system being monitored. SNMP components, for example, have been known to consume all of the memory on a host of the SNMP component. AntiVirus scanners may impair the performance of the machines they are monitoring by up to 30-40% depending on the particular processor. The foregoing may not be acceptable in connection with legacy systems, such as may be encountered in industrial networks. Industrial control applications respond to inputs from the industrial process within very short time windows due their real-time processing nature. Furthermore, such systems render information about the process to operators in a timely manner. Anti-virus solutions, for example, may not generally be deployed on control system hardware, such as in the industrial network 14 described herein, because the anti-virus processing may impair the operation of a system sometimes causing system failure. The agents described herein are designed to minimize the resource impact on the system being monitored. Expensive metrics, like filesystem checksums, are gathered over a very long period of time, or for only the most security-critical components so that the impact of the data gathering on the system being monitored is within a small fixed budget. For example, in one embodiment, 1-3% of all of a machine's resources can be allotted to the monitoring agents executing thereon.
  • An embodiment of RTAP 212 may use an event reporting technique referred to as the exponentially decreasing attack reporting. In some embodiments, when a metric goes into an alert state and a user has requested notification of the alert, an e-mail or other notification message is sent indicating that a particular metric has gone into alert state. If the “current value” of the metric, for example, returns to the “normal” range, a notification message may also be sent regarding this transition. The foregoing may cause a large burst of notification messages to be sent to an administrator and important information may be overlooked due to the volume of notification messages received in a short time interval. For example, in the event that the alert or alarm condition exists for some time period, an initial set of notification messages may be sent when an attacker succeeds in compromising one machine. Reported by agents on that machine in the industrial network may be high memory and network usage as a consequence of being compromised and an illicit web server started. When usage levels return to normal, another set of notification messages may be sent. However, suppose that the memory and network alert conditions do not return to normal. The foregoing conditions may be overlooked in the burst of notification messages. An administrator with access to a web browser could log into the Watch web user interface and see that metrics on a particular host were still in an alert state, but email notification may also be used by administrators who do not have such access. Accordingly, an embodiment may use the “exponentially decreasing notifications” technique which reports the initial alert. Instead of staying silent until the next alert state change, additional alert notices are sent while the metric stays in an alert state. The frequency with which these additional alert notices are sent may vary in accordance with the length of time an alarm condition or state persists. In an embodiment, this frequency may decrease exponentially, or approximately exponentially. In one embodiment, the following alert or alarm notification messages may be sent upon the first detection of an alarm or alert condition, and at the end of a first defined reporting interval. At this point, there may be additional summary information that may be optionally sent to the user with the notification message. This is described in more detail herein using the enhanced email notification described elsewhere herein. Subsequently, a notification message is sent at increasing intervals while the condition persists. These time intervals may be user specified as well as defined using one or more default values that may vary with an embodiment. For example, in one embodiment, an initial reporting interval of an alarm condition may be every minute. After the end of the first reporting interval or minute, notification messages may sent at time intervals so that a current reporting interval is approximately 10 times longer than the previous reporting time interval. In this example, if the first notification message is sent after 1 minute, the second notification message may be sent after 10 minutes and include any additional information such as may be available using the enhanced e-mail reporting described elsewhere herein. The third notification message may be sent at about 1½ hours later, and so on. The reporting interval may reach a maximum of, for example, 12 hours so that if an alarm or alert state persists, notification messages with enhanced reporting (such as enhanced e-mail) may be sent every 12 hours until the alert condition clears, or the user otherwise removes themselves from the notification list.
  • Using the foregoing notification reporting technique, persistent alert conditions that may otherwise be lost in a burst of notification messages may remind the administrator that there is a persistent problem condition, and provide the administrator with current summary information so that the administrator can see if the nature of the attack or compromise is changing over time. Using this type of exponentially decreasing attack reporting techniques, the bandwidth of the network may be more wisely utilized for the duration of the attack as well. The foregoing exponentially decreasing notification reporting may be performed by the notification server 216 of FIG. 4. The alarm or alert conditions may be produced using the calculation as described elsewhere herein causing the notification server to be notified. However, the foregoing may be performed by the notification server to reduce the number of times that a notification message is sent.
  • Additionally, an embodiment may use different techniques in connection with when agents report to the Watch server 50. One design concern, as described elsewhere herein, is minimizing the amount of network bandwidth used for reporting due to the possible bandwidth limitation of the industrial network. In one embodiment, for one or more designated metrics in a defined reporting interval, the log agent 306 may report the first detection of a log message that causes the metric to increment as soon as the log message is detected. Subsequently, the agent does not report any additional information to the Watch server about the metric until the end of the reporting interval, when the agent 306 then reports the total count for the metric in the reporting interval. Using the foregoing, immediate notification may be achieved upon the occurrence of the metric increase and then an update received at the next reporting interval. The foregoing immediate notification may be used with metrics determined using log files. An embodiment may also use other agent types to report other metrics that may be readily determined on an event basis such as, for example, a line being added to a log file, a file descriptor becoming readable, or a command executing.
  • An embodiment may use a combination of the foregoing immediate notification and periodic interval reporting. In an embodiment using just the periodic interval reporting by the agents to the Watch server 50, there may be an unacceptable delay in reporting alarm conditions indicating an attack or attempted attack. For example, consider an agent's reporting interval of 60 seconds. One second into that interval, the agent viewed a failed login attempt indicated by a metric and then another 10,000 such attempts in the minute. A single report is sent at the end of the minute reporting interval to the Watch server with a report metric indicating the 10,001 attempts. However, there is a delay and an administrator may expect to receive a notification of the event prior to 10,000 being detected. Using the immediate notification, the agent also reports the first occurrence of the failed login attempt when it is detected. Accordingly, the Watch server 50 may respond with an immediate notification message with the first occurrence or detection of the metric increase.
  • It should be noted that the foregoing immediate notification may be performed in accordance with user selected and/or default specified conditions. This may vary with each embodiment. In one embodiment, the metric aggregator and analyzer 358 may perform processing steps in connection with the immediate reporting and also periodic interval reporting to the Watch server 50.
  • Referring now to FIG. 7, shown is a flowchart 450 of processing steps describing the control flow previously described in connection with 350 of FIG. 6. Generally, the processing steps of 450 may be performed in an embodiment by each of the agents of the first and second classes when processing the one or more input data sources. At step 452, a determination is made as to whether input data has been received by the agent. If not, control continues to wait at step 452 until input data has been received. It should be noted that the input data may be received in accordance with the agent performing a particular task such as executing a command producing input, waiting for input on a communications channel, reading a data file, and the like, in accordance with one or more predefined criteria. The one or more predefined criteria may include performing a particular task at predefined intervals, when a particular data file reaches a certain level of capacity in accordance with a number of operations, and the like. The particular criteria which causes the input data to be received by the agent may vary in accordance with each embodiment. At step 452 once data has been received, control proceeds to step 454 where the input data is read and then parsed at step 454. Once the input data stream has been parsed, control proceeds to step 455 where a determination is made as to whether pattern matching is needed. If not, control proceeds to step 460. It should be noted that pattern matching may not be needed, for example, if no selective filtering of the parsed input source is needed when all metrics from a source are reported. Otherwise, control proceeds to step 456 where pattern matching is performed. At step 458, a determination is made as to whether the input data has any one or more matches in accordance with predefined string values indicating events of interest. If not, no strings of interest are located and control returns to step 452. Otherwise, control proceeds to step 460 where data may be recorded for the one or more metrics derived from the parsed input source. For example, a particular metric and its value may be stored and recorded, for example, in the memory of a computer system upon which the agent is executing. At step 462, a determination is made as to whether any messages reporting data to the Watch server are to be sent. As described herein, an agent may report data at periodic intervals when summary information is reported. An embodiment may also provide for immediate reporting the first time a designated metric increases in value such as may be the case, for example, at the beginning of an attack or an attempted attack. This processing may be performed, for example, by the metric aggregator and analyzer 358. If no message is to be sent to the Watch server 50, control proceeds to step 452 to a obtain additional data. Otherwise, control proceeds to step 464 where the message to be sent to the Watch server is prepared in accordance with a message protocol and/or encryption technique that may be used in an embodiment. As described herein, for example, a message being sent to the Watch server is sent in an XML or other format and an encryption technique described elsewhere herein may also be used. Control then proceeds to step 466 where the message is sent to the Watch server. Control then returns to step 452 to wait for additional input data to be received by the agent.
  • Referring now to FIG. 8, shown is an example of an embodiment 212 of components that may be included in RTAP. It should be noted that a version of RTAP is commercially available from Verano Corporation as described, for example, at the website www.verano.com. Included in FIG. 5 is RTAP scheduler 502, an alarm server 504, a Java server 506, and a database server 508. The database server 508 in this embodiment includes a calculation engine 510. The database server 508 may output data, such as the metrics gathered by the agents described herein, to one or more devices 514 which may be stored, for example, on data storage devices such as disks. Included in this embodiment is a memory resident portion of the database 512 used to store designated portions of the data in memory in order to increase efficiency by reducing the amount of time it takes to retrieve data. An embodiment may therefore designate one or more portions of the database to be stored in a memory resident portion 512.
  • The RTAP scheduler 502 schedules and coordinates the different processes within the RTAP component 212. The RTAP scheduler may perform various process management tasks such as, for example, ensuring that other processes in 212 are executing, scheduling different processing for execution, and the like. The alarm server 504 may be used in connection with interfacing to one or more other components described elsewhere herein for notification purposes. For example, the alarm server 504 may interface with the notification server 216 and the threat thermostat controller of the Watch server 50. The alarm server 504 may be signaled in the event of a detection of a particular alert or alarm condition by the database server 508 and may accordingly interact with components external to RTAP 212. The Java server 506 may characterized as a bi-directional server communicating with the web server 32 of FIG. 4. The Java server 506 may interface with the web server 32 as needed for notification, message sending, and other communications with RTAP 212. The Java server 506 may also output one or more inputs to the threat thermostat controller 218, and also receive input from the receiver 210 to store data gathered by agents. The database server 508 may be used in connection with storing data either on a data storage device, such as a disk 514, as well as the one or more memory resident portions of the database, as may be included within memory 512. In one embodiment, the memory resident portion 512 may be implemented, for example, as a shared memory segment. The data stored in 512 and/or 514 may be an object-oriented database. Prior to use, objects of the database may be designated for inclusion in the memory resident portion 512.
  • In one embodiment, write operations of the database are made to the database server using the calculation engine 510. Read operations may be performed by having another RTAP component perform the processing rather than reading the data through the use of the database server 508. The RTAP component, such as the Java server, processing a read request for data first consults the memory resident portion 512 and may obtain the one or more other portions of data from disk storage 514 as needed. All write operations in this embodiment are processed through the database server 508 and the calculation engine 510 is used to determine revised data values having dependencies on a modified data value being written. The database server 508 uses an alarm state table 520 in this embodiment to determine alarm conditions in accordance with modified data values stored in the database. The component 520 may be included in the disk or memory resident portion of the database in an embodiment depending on how the database is configured. The shared memory segments of portion 512 may be stored at various time intervals to disk or other non-volatile storage as a back up. Such a time interval may be, for example, every 30 seconds or another time interval selected in accordance with the particular tolerance for data loss in the event that data included in the memory resident portion of the database 512 is lost, for example, in connection with a power or memory failure. It should be noted that in this embodiment, a synchronization technique between readers and writers to the database may be omitted. Data attributes and/or objects which are being written may be synchronized to prevent reading incomplete values. However, the data that is read may also not include all of the recently data reported. Write operations may be synchronized by the database server 508. Thus, the database within RTAP may operate without the additional overhead of using some synchronization techniques.
  • The database objects may be represented using a tree-like structure. Referring now to FIG. 9, shown is an example of an embodiment 600 of one representation of a database tree or schema that may include the objects of the object oriented database of RTAP. In the representation 600, at level 0 is a root of the tree 600. A security object node and an object template node are children of the root located at level 1. The security object is referred to as the parent node with respect to all of the related metrics and other data stored within RTAP. The object templates may include one or more nodes that correspond to the different templates for each of the different object types. For example, in this embodiment there is a metric name object type, a category name object type, and a host name object type. There are child nodes of the object templates node at level 1 for each of these different types. When a new host is added to the system, an object of the type “host name” is created for that particular new host in accordance with the appropriate object template. Each host name object corresponds to one of the hosts or computer systems. Data associated with each particular host or computer system is organized by category name. A category name may refer to a particular category of metrics. For example, one category may be login information having associate metrics such as number of failed password attempts, and the like. Each of the different metrics associated with a particular category is a child node of a category node corresponding to that particular category. Referring back to the category of login data, for example, the failed password attempts may be one metric stored in a metric object which is a child node with respect to the category name object for login information. This 3-level tree of objects is only one possible embodiment of a database of metrics. Other embodiments that may also be implemented by one of ordinary skill in the art may include, for example: conventional relational database representations of metrics, as well as other tree structures for object-tree representations of metrics, such as metric objects as children of host objects without intervening category objects, multiple levels of category objects providing additional metric grouping information, and multiple levels of objects above the level of host objects, providing groupings for hosts, such as functional or geographic host groupings.
  • In this embodiment, there may be one or more object templates. Similarly, there may one or more different host objects. Associated with a single host object may be one or more category objects. Associated with a single category object may be one or more metric objects. Each of the objects shown in 600 may also have an associated one or more attributes. For sake of simplicity of illustration, all the attribute nodes of each object are not included in the tree 600. As an example, object 602 is shown in more detail in FIG. 9.
  • In connection with the object names included in the database schema or tree of objects, a particular metric may be referred to by including the name of all of the intervening objects in the path between the root and the particular node of interest.
  • Included in FIG. 9 is a support data object having one or more child objects which may be used to store information used primarily to configure standard components of the RTAP system. What will now be described are how the alarm state tables used by the calculation engine, as described elsewhere herein, may be stored within the representation 600. In this embodiment, one child node of the support data object is an alarm class object. The children of the alarm class object correspond to the different types of alarm classes. In this example, there are three alarm classes: Boolean or 2-state, 3-state, and 5-state. For each class, such as the Boolean class 606, a child node, such as 608, includes the alarm state table for that class. In this example, the number of states in an alarm class specifies the number of bins or alarm levels. An embodiment may include other alarm classes than as shown herein.
  • A host object may be created, for example, the first time a new agent reports to the Watch server. A new host may be determined by the receiver 210 of FIG. 4. On first notification of a new agent, an alert or alarm condition is raised. A notification message may be sent. A user or administrator may be presented with a list of one or more new agents and a selection may be made to authorize or reject each new agent. When a new agent is authorized/approved, data from the agent may be processed by the receiver 210. Otherwise, data from an unauthorized/unapproved agent is rejected. Note that the data from the agent is not stored or queued for later processing after approval since this may cause an overflow condition. An agent reports one or more metrics or other data to the receiver 210 which, upon successful authentication of the message, may perform a write operation to the database of RTAP. The RTAP database server 508 then writes the values to the objects and executes or runs the calculation engine in order to propagate all other values dependent on this new value written to the database. For example, a particular metric, such as the number of failed password attempts, may be referenced as a metric attribute. The first metric attribute may be the number of failed password attempts as a raw value. A second metric attribute may be the raw value used in a mathematical representation to calculate a percentage. Accordingly, when a new metric raw value of failed password attempts is written causing an update for the value of the first attribute, the calculation engine is then executed and updates any other values in the database dependent on this new raw value. In this instance, a revised percentage is determined as a revised second attribute value.
  • In this embodiment, the calculation engine 510 has a built-in alarm function which uses values from the alarm state table 520 to determine if a revised data value triggers an alarm condition. After writing a new data value to the database, the calculation engine determines revised data values as described above in accordance with data dependencies. Once the revised data values have been determined, alarm state table 520 may be consulted to determine if any of the revised values now trigger a new or revised alarm condition. In the event that the calculation engine determines that an alarm condition has been detected, a message is sent from the database server 508 to the alarm server 504 which subsequently sends a message to the one or more notification servers.
  • In one embodiment, an alarm state vector or alarm instance may be defined for an attribute of a metric object. In determining a value for this attribute, the alarm function described above may be invoked.
  • Referring now to FIG. 9A, shown is an example 620 of more detail of a node in the tree 600 for a metric, using the alarm function. In this example, the attribute 1 622 has an associated alarm instance 624 and an alarm function whose result is assigned as the value of the attribute1 622. The alarm instance 624 includes one or more subvalues 628 a-628 c that may be used by the alarm function. In this example, the subvalues include a current alarm state 628 a, a current acknowledged state (Ack state) 628 b, and a sequence number 628 c. It should be noted that other information may be included as one or more subvalues than as described herein in this example. Use of these subvalues 628 a-628 c is described in more detail in following paragraphs. In one embodiment, the subvalues may be included in a vector or other data structure.
  • In one embodiment, the alarm function may have a defined API of the following format:
  • Alarm (alarmclass, value, limits, other data . . . )
  • The limits in the above refer to the alarm limits vector, as described elsewhere herein. The alarm limits vector may include one or more levels associated with the different thresholds. Each level in the alarm limits vector above refers to an alarm level or threshold that may be associated with varying degrees of alarm conditions or severity levels such as, for example, warning, high, and the like. Each of these levels may be stored within another attribute, such as attribute 2 of FIG. 9A and may have a default value as specified in the original template. These values may be changed in an embodiment, for example, through a user specifying or selecting a new threshold level. The alarmclass may be used to specify a particular class of alarm (such as 2-, 3-, or 5-state) in order to determine the proper alarm class from the tree 600 to obtain the corresponding alarm state table for a particular alarm class.
  • It should be noted that state tables, as may be used in connection with alarm states, are known to those of ordinary skill in the art and may include one or more rows of input. Each row may specify a next state and action(s) based on a current state and given input(s). Using the alarm state table as input, the built in alarm function of the calculation engine may determine, in accordance with the revised data values, whether a predefined level associated with an alarm condition has been exceeded. The predefined levels may be default or user-specified alarm thresholds.
  • The foregoing is an example of how data gathered by an agent may be processed and stored within an embodiment of the Watch server including RTAP. Other embodiments may use other representations in accordance with the particular metrics and communication protocols used in an embodiment.
  • The RTAP component 212 may be characterized as described herein in one embodiment as an environment which is a set of cooperating processes that share a common communications infrastructure. In one embodiment, these processes may communicate using SysV UNIX messaging techniques, semaphores, shared messages, and the like. As known to those of ordinary skill in the art, an embodiment using SysV messaging techniques may experience problems due to insufficient memory allocated for message use, such as with RTAP communications. Messages that may be communicated between processes within RTAP, as well as between RTAP and other components, may use a prioritization scheme in which low priority activities involving message sending are suspended when the amount of memory in a message pool falls below a designated threshold. This particular designated threshold may vary in accordance with each particular embodiment. In connection with the techniques described herein, a portion of the memory for message use, such as 80%, may be designated as a maximum threshold for use in connection with requests. In the event that more than 80% of the message memory or pool has been consumed and used in connection with message requests, any new requests are blocked until conditions allow this threshold not to be exceeded. However, message responses are processed. The foregoing may be used to avoid a deadlock condition by blocking, a request in the event that the threshold portion of the message pool is consumed for use in connection with requests. In one embodiment, the foregoing special message management functionality may be included in one or more routines or functions of an API layer used by the different RTAP components when performing any messaging operation or function. These routines in the API layer may then invoke the underlying messaging routines that may be included in the operating system.
  • An embodiment may utilize what is referred to herein as “latching alerts” where a particular alarm level does not decrease until an acknowledgment of the current alarm state has been received. An acknowledgment may be made, for example, by an operator through a GUI. An embodiment may define an alarm state table 520 such that an alarm or an alert state may be raised or remain the same until an acknowledgement of the alarm or alert state has been received. Until an acknowledgment is received, the alarm state table does not provide for reducing the alarm or alert state. It should be noted that the foregoing latching alerts may be performed in connection with one or more of those metrics associated with an alert or an alarm state. The latching alerts may be used in an embodiment in connection with particular indicators or classes. Other classes of metrics, such as those associated with performance indicators, may not be subject to the latching condition. This may vary in accordance with each embodiment.
  • Referring now to FIG. 10, shown is an example of an embodiment of the alarm state table 520 that may be used in connection with implementing latching alerts. Included in the state table 520 is a line of information corresponding to a current level or state. Each line of information includes a current level or state, an acknowledgment, and input value or range, a next level or state, and an associated action. In this example 520, a normal level is associated with a level one indicator for a range of input values between 0 and 100, inclusively. An alarm condition is associated with a second level for a range of input values between 101 and 200, inclusively. Finally, a third alarm level is associated with an input range of values from 201 to 300, inclusively. Line 652 indicates that the current level or state of normal level one is maintained as long as the input is between the range of 0 and 100. Line 654 indicates that when the current level is normal (level 1) and a current input value is between the range of 101 to 200, level 2 is the next designated level or alarm condition. The action designates that an alarm condition is generated. In connection with line 652 and 654, it is not relevant whether an acknowledgment has been received because an acknowledgment does not apply in this example in connection with a normal alarm or level condition. Referring to line 656, when the system is in the second level of alarm and the input value drops down to the normal range between 0 and 100, but an acknowledgement of the alarm condition has not yet been received with respect to the level 2 alarm condition, the system remains in the level 2 state of alarm. With reference to line 658, in the event that the system is in the second level of alarm and acknowledgement of this alarm has been received, when the input value or range drops to the normal range between 0 and 100, the level of the current state decreases to level 1 and the alarm condition is cleared. Referring to 660, if the system is in the second level of alarm state and the input value increases to the third level between 201 and 300, an alarm condition is generated to signify this increase in alarm level to level 3. This is performed independent of whether an acknowledgement to the previous alarm state of level 2 has been acknowledged.
  • It should be noted that the different ranges or values specified in connection with the third column of 520 may be associated with threshold values or ranges. The thresholds may be specified using default values as well as in accordance with one or more user selected values or ranges. It should also be noted that although the table 520 shows specific numeric values for the ranges in the input column, these alarm range thresholds may be parameterized to use the input values (i.e., alarm LEVELs) of the alarm function described elsewhere herein.
  • Referring now to FIG. 11, shown is an example of another embodiment of an alarm state table 700 and an alarm limits vector 200. The elements of vector 200 identified in the lower left corner may be passed as input parameters when invoking the alarm function described herein specifying the LEVELs or thresholds for the different alarm states as described above. In this example, the table 700 represents a 3-state alarm (normal, warning, and alert) with 2 thresholds (100 and 200) forming three partitions or ranges (0-99, 100-199, 200 and greater). Each row of the table 700 corresponds to a state and includes:
  • a state identifier for the row in the table 704;
  • a named identifier for the state 706;
  • a color 708 as may be displayed, for example, by an illuminated light on a display panel or other indicator; and
  • an indication as to whether an acknowledgement (ACK) is required for this state 710.
  • The portion 702 of this example includes the transition functions (beginning with & in this example) used in determining state transitions from one row of the table to another. Other embodiments of 700 may include information other than as described herein. State transitions occur as a result of evaluating transition functions. It should be noted that if a column name contains a space character (such as between RANGE and LEVEL in 712), the transition function name ends at the space character such that the remaining text (LEVEL) following the transition function (RANGE) is a modifier to the function, telling the function how to interpret the values in the column.
  • The alarm system determines the new state for an alarm by repeatedly evaluating transition functions in the context of the alarm state table for the alarm. The transition functions are evaluated in the order in which they appear from left to right as columns in the state table. Each transition function may take optional input parameters such as, for example, the current alarm state, values from the alarm state table and other optional values as arguments. As an output, the transition function returns a new state in accordance with the input parameters. Each function is evaluated repeatedly, until the new state returned is the same as indicated by the state value in 704 for a particular row, or until a transition that would loop is detected. Evaluation then proceeds to the transition function indicated by the next column moving from left to right.
  • In this example 700, two functions are illustrated, &ACK and &RANGE as described in more detail in following paragraphs. The &RANGE function takes an alarm limit vector like the one illustrated in FIG. 11, lower left corner 720, as an example, as well as the following and other possible suffixes in column names:
  • level—The level number corresponding to the current alarm state;
      • <—What new state to move to when the current value for the metric is in a range of values lower than the range for the current alarm state;
      • =—What new state to move to when the current value for the metric is in the range of values associated with the current alarm state; and
      • >—What new state to move to when the current value for the metric is in a range of values higher than the range associated with the current alarm state.
        The alarm limit vector 720 in this example contains an integer (2 in this example) as the first vector element indicating what level number to assign to the highest range of values the metric can assume. The highest range of values includes all values greater than or equal to the limit specified as the second vector element, which is 200 in this example. The third vector element specifies another next-lower limit, which is 100 in this example. The fourth vector element specifies the final next-lower limit, which is 0 in this example. The three ranges or partitions of values are specified using the vector elements 2-4 for the following:
  • Range 0: values less than 100
  • Range 1: values from 100 to 199
  • Range 2: value 200 or more.
  • In connection with the foregoing, it should be noted that a fourth range is implied for values less than zero (0). In this example, values in this fourth implied range correspond to an error state and are not further described in connection with this example.
  • In this example, the &ACK function is a transition function that returns the current state (as indicated by column 704) when the alarm has not yet been acknowledged, otherwise returns the new state as indicated in column 714 when the alarm has been acknowledged.
  • Referring back to FIG. 9A, the current alarm state 628 a and the ack state 628 b may be used in determining the current state of the alarm and its corresponding row in the alarm state table. The sequence number 628 c may be used in connection with race conditions that may be associated with alarm conditions and acknowledgments thereof. A unique sequence number is associated with each alarm state that caused a notification message to be sent to a user. Each such message contains a copy of that sequence number for the state causing the message to be sent. In one embodiment, a unique sequence number may be generated for each alarm condition associated with a single invocation of the alarm function. The single invocation of the alarm function may result in transitioning from a current input state to an output state, and may also transition through one or more other intermediate states to arrive at the output state. In this embodiment, a unique sequence number is not associated with the one or more intermediate states. Rather, a first unique sequence number is associated with the current input state and a second unique sequence number is associated with the output state. For example, a first alarm condition notification message having a first sequence number may be sent to a user and indicated on a user interface display. A second alarm condition, indicating a greater severity that the first alarm condition and having a second sequence number, may be determined during the same time period in which a user's acknowledgement of only the first alarm condition is received and processed. The user's acknowledgment is processed in accordance with the particular sequence number associated with the alarm condition being acknowledged. In this example, the acknowledgement indicates an acknowledgement of the first alarm condition, but not the second. Without the use of the sequence number, or some other equivalent known to those of ordinary skill in the art, the acknowledgment may also result in acknowledgement of the second alarm condition depending on whether the acknowledgement is processed before or after the second alarm condition is determined.
  • Referring now to FIG. 12, shown is a state transition diagram 800 illustrating the state transitions associated with the functions 702 of alarm state table 700. In the example 800, each state is represented as a node. The arrows between the nodes represent the transitions possible between the different states in accordance with the information in 702 of table 700. Note that the diagram does not indicate transitions causing a same state or a transition to a state A from a same state A.
  • What will now be described is an example of acknowledging an alarm illustrating the use of the table 700 in determining a new state from a current state. In an example, the alarm function is invoked including parameters indicating that the current state or initial state is Alert Unacked (6) with a metric value of 250. A human user or other agent acknowledges the alarm, causing the alarm state to be re-evaluated. Examining the row of table 700 for state 6, the &ACK function is evaluated with a state (6) as the current state. Since the alarm is now acknowledged, &ACK returns (5) as indicated in the &ACK column of row 6 of the table as the new state. As a result, the new state of the alarm becomes Alert Acked (5). &ACK is re-evaluated for state 5 using row 5 of the table 700. Since the alarm has been acknowledged, the &ACK function returns a 5 as the new state. Since the new state matches the current state, the evaluation of the &ACK function is complete and evaluation proceeds with the next transition function in state 5. The next transition function, is &RANGE. Recall that the metric value for which evaluation is being performed is 250. &RANGE uses the limits vector as described above, and determines that the current metric value of 250 is greater than the first limit of 200 classifying the current metric value as being within the highest range of 2 (greater than 200). The “&RANGE level” column indicates that range (2) corresponds to the current state (5) and so the &RANGE function returns the (5) which is contents of row 5 in the “&RANGE=” column as the new state. Since the new state (5) is identical to the current state (5), evaluation of the &RANGE function is complete. Since the &RANGE function is the last transition function in the state table in this example, the state change is complete and the alarm system proceeds to carry out whatever actions are configured for the new state and any other notifications or other controls that may be associated with the alarm. For example, the alarm color in the example changes from “Red Flashing” to “Red” as indicated by column 708. Column 708 may be characterized as an associated action to be taken when a transition completes after evaluation of all transitions functions. Other embodiments may include other actions.
  • Similar examples can be constructed to demonstrate that the state table illustrated in FIG. 11 embodies the following behavior for a latched alert or alarm:
      • When a metric value enters a value range associated with a “higher” or “more serious” alert state than the current state, the current state transitions to that higher alert state, unacknowledged.
      • If the metric enters a value range associated with a “lower” or “less serious” alert state, and the alarm has not been acknowledged, no state change takes place—the alarm is said to “latch” at the highest alert state represented by the metric while the alarm is unacknowledged.
      • If the alarm is acknowledged, the state changes to whatever state currently reflects the value of the alarm metric.
  • The state table in FIG. 11 illustrates an alarm that, if a metric associated with the alarm assumes a value corresponding to a lower alarm state while the alarm is latched at a higher state, and the alarm is acknowledged, the alarm transitions into the lower alarm state with an unacknowledged status. If the alarm is in a high-severity acknowledged state, and the underlying metric changes to reflect a lower-severity state, the alarm also changes to a lower-severity unacknowledged state. Comparable alarm tables can be constructed that preserve the latter behavior of the alarm while altering the former behavior to transition into an acknowledged state, rather than an unacknowledged state. Such transition tables however, may be characterized as more complex than the example described herein and may include additional states than as illustrated in FIG. 11. The table 700 of FIG. 11 models an “analog” or “floating point” metric. Comparable state tables can be constructed for digital metrics, boolean and other kinds of metrics.
  • It should be noted that an embodiment of the alarm state table may utilize values to implement hysteresis for one or more of the ranges. Hysteresis may be characterized as a behavior in which a metric value may transition from a first state into a second state in accordance with a first threshold value, and transition from the second state to the first state in accordance with a second threshold value that differs from the first threshold value. Such threshold values may be used in connection with a metric that may assume values at different points in time which hover near a boundary or range threshold. The use of the two different thresholds may be used in order to reduce constantly changing states for metric values hovering near a boundary condition. For example, a range threshold may be 100. It may be that the associated metric assumes a series of values: 98, 99, 101, 99, 101, 99, 102, etc. at consecutive points in time. The range threshold may be used to cause a transition from a first state to a second state (from 99-101). However, it may be undesirable to have an alarm state change associated with changes from 101 to 99 especially if the metric value may hover around the boundary of 100. An embodiment may determine that once the first threshold is reached causing a transition from a first range under 100 to a second range of 100 or more, a value of 95 or less is needed to cause a transition from the second back to the first range using 95 as the second threshold value. As will be appreciated by those of ordinary skill in the art, state tables as described herein may be modified to include the foregoing use of multiple thresholds to account for hysteresis conditions.
  • The foregoing is one example of an embodiment of how data may be managed within the system and how alarm conditions may be determined and generated. Other embodiments may store the data in one or more other types of data storage in accordance with one or more organizations and determine alarm conditions using techniques other than as described herein.
  • The XML messages or documents sent by the agents to the receiver may include data corresponding to objects and the tree-like structure as illustrated in FIG. 9. The XML document may include data represented as:
  • host name name of host sending the report
    category name name of a group of metrics
    metric name name of a metric
    value metric value
    attr1 other attribute/value
    . . .
  • It should be noted that an embodiment may use other formats, such as an alternative to XML, and protocols than as described herein for communications between agents and other components.
  • Attributes that may be associated with a metric include “value” and “units.” Other kinds of metrics have other attributes. For example, the “Operating System Type” metric may have corresponding attributes unique to every platform. The attributes may include, for example, a version number, machine ID or other information that may be useful on that platform, but not exist on any other platform.
  • Other groups of metrics may share some additional “standard” or common attributes, for example:
      • log—used by the log agent 306 for all metrics derived from log files. The “log” attribute is a table of strings containing the complete text of the first three log messages of the type counted by the metric in the reporting interval. These log messages may provide additional detail, for example, to a network administrator who is trying to understand why an alert was raised on a particular metric; and
      • summary—used by all agents that support the enhanced e-mail or enhanced reporting feature as described elsewhere herein. The “summary” attribute contains a human-readable summary of the “next level of detail” for the metric.
  • As described herein, data from the RTAP database may be combined using the calculation engine and elements from the tree-structure object oriented database to produce one or more inputs to the threat thermostat controller 218 previously described herein. The calculation engine as described above may process a data-flow language with a syntax and operation similar to a spreadsheet. A calculation engine expression may be defined as expressions attached to data attributes of objects in the database. When the calculation engine processes an object, all of the expressions in the object are evaluated and become the new values of the attributes to which they are attached. This evaluation process is repeated to reevaluate all objects dependent on changed values.
  • Expressions in an embodiment may reference other attributes using a relative pathname syntax based on the Apple Macintosh filesystem naming conventions. For example,
      • ‘̂’ means the parent object
      • ‘:’ separates object names
      • ‘.’ separates an object path from an attribute name
  • In one example, there may be 5 external threat thermostat values communicated by the threat agent 200 and stored in the RTAP database called E1, E2, E3, E4, and E5. An input to 218 may be determined as a weighted average of the foregoing five values. The threat agent 200 may monitor or poll the external data sources and write the threat thermostat level indicators to the five “E” external points. In the RTAP database, these five (5) points may be defined as child objects of a parent object representing the combined weighted average in an expression. The value of this expression may be assigned to the parent object having the following expression:

  • ([E1.indicator]+3*[E2.indicator]+[E3.indicator]+[E4.indicator]+[E5.indicator])/7
  • In the foregoing, the “.indicator” operator obtains the value of the identified attribute referenced. In the foregoing, external indicator 2 is determined to be three times as valuable or relevant as the other indicators. Whenever an indicator is updated, the calculation engine calculates the tree of other points having expressions referencing the contents of any of the attributes of a changed point. The engine is executed to evaluate the expressions on all of those objects, similar to that of a spreadsheet. An embodiment may use any one or more known techniques in evaluating the expressions in an optimal order.
  • In one embodiment, an approach may be taken with respect to combining inputs with respect to the different metrics as may be reported by the different agents. A resulting combination may be expressed as a derived parameter used, for example, in connection with generating an alarm or alert condition, as an input to the threat thermostat 218, and the like. A derived value or signal indicating an attack may be produced by examining one of more of the following: one or more metrics from the NIDS agent, the ARPWatch agent, IPS, the number of bad logins and root user count exceeding some predetermined normal threshold tuned for that particular system. Once an initial set of one or more of the foregoing indicate an alert condition indicative of an attack or attempted attack, secondary condition(s) may be used as confirmation of the attack indication. The secondary information may include a resource usage alert on some machine that occurs simultaneous with, or very shortly after, a reliable indication of an attack on that machine, or on the network at large using the initial set of conditions. An embodiment may, for example, generate an alarm condition or produce an input to the threat thermostat 218 based on the foregoing. An alarm condition may be generated in connection with a yes or true attack indicator value based on the first set of one or more conditions. Once this has occurred, another subsequent alert or alarm condition may also be generated based on the occurrence of one or more of the second set of conditions occurring with the first set of conditions, or within a predetermined time interval thereof, for the network, or one or more of the same computers.
  • In connection with the foregoing, resource usage metrics may not be used as first level attack indicators or used without also examining other indicators. Resource usage may be characterized as a symptom of potential machine compromise rather than an attack on the machine. Usage metrics may be “noisy” causing false positive indicators of an attack if examined in isolation. However, if such an alert occurs in connection with resource usage simultaneously with, or very shortly after, another reliable “attack” indicator (as in the initial or first set of indicators above), the resource usage metric's credibility increases. Accordingly, the resource usage metrics may be consulted in combination with, or after the occurrence of, other attack indicators to determine, for example, if any one or more particular computers have been compromised. Based on the foregoing, an embodiment may define a derived parameter using an equation or formula that takes into account security metrics and combines them with one or more resource metrics. Such a derived parameter may be used, for example, in connection with producing an input to the threat thermostat controller. Such a derived parameter may be produced using the weighting technique described above.
  • An embodiment may include a form of enhanced reporting or notification as made by the Watch server to a user upon the detection of an alarm condition. As described herein, metrics and associated information may be reported by an agent. The values of the metrics may be one or more factors used in determining an alarm condition. The values of the metrics used to detect and report the occurrence of an alarm condition may be characterized as a first level of alarm or event notification information. Once an alarm condition has been detected, additional information that may have been gathered by the agent may also be useful in proceeding to take a corrective action or further diagnosing a problem associated with the alarm condition. This additional information that may be used in further diagnosing the problem or taking corrective action may be characterized as a second level of information.
  • An embodiment may provide an option for enabling/disabling notifications of alarm conditions to include this additional information. The additional information may be reported by the agents to the Watch server for optional incorporation into notification messages. An enable/disable option may also be associated with agents gathering the data. Whether an embodiment includes this feature or uses it for selective metrics may vary with each embodiment and its resource limits such as, for example, of the industrial network. Thus, the cost and feasibility of obtaining the second level of information may be balanced with the benefits to be gained in taking corrective actions using the second level of information from an alert message rather than obtaining the information some other way. For example, if a second level of information is not included in an alert notification, an administrator may use a user interface connected to the Watch server 50 to gain the additional information.
  • It should be noted that the particular additional information included in the second level of enhanced notification may vary with each metric. It may include additional information to assist in determining a problem source such as a user account, IP or other address, particular component(s) or process(es) consuming a resource and the associated percentage(s), and the like. Some of this second level of information is described above with associated metrics. In one embodiment, the enhanced notification feature may be optionally enabled for use with one or more metrics of the SNMP Guard agent 203 and the Guard log agent 209 described herein. For example, the agent 203 may report the following additional information with each of the metrics for enabled enhanced reporting:
  • Communications status—In the event there is a problem indicated by this metric, corrective action includes determining the reason for the communication failure. A message such as the component is not responding, its IP address and the time of the failure may help.
  • Login failures—Identify the most frequent type of connection, such as a VPN, remote dial-in, or other connection, a percentage of the failures on this connection, one or more of the user IDs associated with the top number of failures and the percentage and originating IP address or other communication channel associated with each user ID.
  • Administrative user count, dialup user count VPN user count—identify the IP or other addresses from which the most recent administrative users have logged on.
  • Memory usage, CPU usage, disk space, other resource usage—The top consumers of the resource are identified along with an associated percentage along with which process or user or other information to identify the consumer as appropriate for the resource.
  • Open session count—identifies the number of open communication sessions between any two points. Additional information may include two or more IP addresses, host names, and the like, identified as being included as a connection endpoint.
  • Agent 209 may include the following additional enhanced reporting or notification information for the following metrics:
  • Configuration—In the event that there has been a change to the configuration as monitored by 209, it may be helpful to know what changed such as whether there is a change to the threat thermostat rule sets, such as included in 220, and/or the current firewall configuration, and what portion of the rules changed. Additionally, for any such change, what was the state change (previous state to what current state), from what user account, address, process and the like, made this change.
  • Threat thermostat change—An embodiment may indicate an alarm condition when a change occurs to the threat thermostat setting. The change may be the result of a manual change, an automated change in accordance with the functionality included in an embodiment. Additional detail for enhanced reporting may include what user made the change, what was the status changed to/from, the frequency that such changes have been made within a reporting period, identify the uses that most frequently changed the setting and what percentage of the time each user changed the setting.
  • NIDS and IPS reports—An address or other identifying source of the most frequent alerted NIDS/IPS conditions, an associated percentage of these conditions attributed to a particular source, information about the type of attack, and the target of the attack (what machine by host name, IP address and the like).
  • Antivirus events—The metric may identify a total number of antivirus events. Additional information may include a break down by type of event within a reporting period to identify what viruses (virus signatures) have been removed from a communication streams with an associated frequency or percentage, what source and/or destinations (such as source and destination networks) appeared most frequently for each type, and a frequency or percentage associated with each of the source and destinations.
  • Other activity—This metric identifies other activity that does not belong in any other category. Additional information may include the text of the first one or more messages of this type detected.
  • Referring now to FIG. 13, shown is an example 900 of a graphical user interface display. The example 900 may be displayed, for example, using a web browser to view alarm incident reports resulting from notification messages sent in accordance with alarm conditions determined. The example 900 may be used to view and acknowledge one or more of the alarm conditions in an embodiment. In one embodiment, this display of 900 may be viewed when tab 902 for incidents is selected from one of multiple user interface tabs. Each tab may be selected in connection with different viewing and/or processing. In one embodiment, the tab 902 may flash if a new alarm condition is detected from that which is displayed in 900 at a point in time to a user. In other words, this embodiment may not automatically update the display 900 with additional information for alert conditions detected since the user selected tab 902. Rather, this embodiment flashes coloring on tab 902 to indicate such additional alert conditions detected while the user is in the process of using an instance of display 900. The inventors believe that the flashing tab is less disruptive of user concentration during alarm burst conditions than other notification techniques such as, for example, redrawing the display 900 with updated alarm information as available.
  • The display 900 may indicate in column 906 (labeled “A”) whether a particular condition indicated by a line of displayed data has been acknowledged. An incident or alarm condition associated with a line of displayed data in 900 may be acknowledged, as by selecting the exclamation point icon to the left of a particular line of data, selecting the option 908 to acknowledge all displayed incidents, or some other option that may be provided in an, embodiment. The status in 906 for each incident may be updated in accordance with user acknowledgement. For example, 904 indicates that the associated incident has not been acknowledged (e.g., exclamation point notation in column 906). The two incidents as indicated by 910 have been acknowledged (e.g., no exclamation point notation in column 906).
  • Referring now to FIG. 14, shown is an example of a user interface display 1000. The example 1000 may be displayed when the monitor tab 1020 is selected to view a metric tree. With reference to FIG. 9, the information displayed in 1000 is that information included in a portion of 600—the subtree formed with the security object as its root including all child nodes. The display 1000 shows an aggregate view of the different metrics and associated alarm conditions. The display 1000 reflects the hierarchical representation in the subtree by showing a nesting of hosts (Guard and Watch), categories for each host (such as Intrusion attempts, Resource Usage, and the like), and metrics (such as CPU Usage, Memory Usage and Sessions) associated within each category (such as Resource Usage). In the subtree, these metrics may be defined as leaf nodes having a parent node (category name) defined as Resource Usage.
  • Associated with each of the metrics is a level indicator. The level indicator may indicate a color or other designation associated uniquely with each alarm state within an embodiment. For example, in one embodiment, the indicator may be green when the metric level is in the normal range, yellow when the metric level is in the warning range, and red when in the highest severity range.
  • The elements in 1000 representing the parent node of one or more other nodes may have a color or other designation corresponding to the aggregate condition of all the child nodes. For example, the indicator for Resource Usage may represent an aggregate of each of the indicators associated with metrics for CPU Usage, Memory Usage, and Sessions. In one embodiment, the aggregate indicator of a parent node may be determined to be the maximum indicator value of its one or more child nodes. For example, a parent node indicator, such as 1006, is yellow if any one or more of its child node indicators, such as 1008, are yellow but none are red.
  • In 1000, the user may select to view a graph of a particular metric in the right portion of 1000 by selecting an option in the left portion of 1000 as indicated by selection 1010. In one embodiment, it should be noted that the graph portion is not immediately updated in response to a user selection. Rather, the graph may be updated when the web page is refreshed in accordance with the one or more selections made at that point in time. Note that in 1000 the icon or indicator displayed for Watch 1002 has a different shape than other machines, such as the Guard machine or host. The different shape makes it easier for users to find the Watch server in the list of hosts since many of the important network monitoring metrics are found in the Watch server branch of the metric tree.
  • The foregoing 900 and 1000 are examples of user interface displays that may be included in an embodiment and displayed, such as using a web browser on the web server 214 of FIG. 4. Other embodiments may user other interface displays than as described herein.
  • While the invention has been disclosed in connection with preferred embodiments shown and described in detail, their modifications and improvements thereon will become readily apparent to those skilled in the art. Accordingly, the spirit and scope of the present invention should be limited only by the following claims.

Claims (98)

1-24. (canceled)
25. A method of event reporting by an agent comprising:
receiving data;
determining if said data indicates a first occurrence of an event of interest associated with a metric since a previous periodic reporting;
reporting said first occurrence of an event if said determining determines said data indicates said first occurrence; and
reporting a summary including said metric in a periodic report at a first point in time.
26. The method of claim 25, wherein said reporting of said first occurrence and said reporting of said summary are performed without a request for a report.
27. The method of claim 25, wherein data for said reporting of said first occurrence and said reporting of said summary are performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection.
28. The method of claim 27, wherein said reporting of said first occurrence and said summary further comprising:
opening a communication connection;
sending data to said reporting destination; and
closing said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection.
29. The method of claim 28, wherein said communication connection is a TCP or UDP socket.
30. The method of claim 25, wherein said periodic report includes a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.
31. The method of claim 30, wherein said selected set of one or more metrics is a first level of reporting information and said periodic report includes a second level of reporting information used to perform one at least one of the following: determine a cause of a problem, and take a corrective action to a problem.
32. The method of claim 25, wherein said reporting of said first occurrence and said summary includes transmitting messages from said agent to a reporting destination, each of said messages being a fixed maximum size.
33. The method of claim 32, wherein a time interval at which said periodic report is sent by said agent and data included in each of said messages are determined in accordance with at least one of: resources available on a computer system and a network in which said agent is included.
34. The method of claim 33, wherein said agent executes on a first computer system and reports data to another computer system.
35. The method of claim 31, further comprising:
monitoring a log file; and
extracting said second level of reporting information from said log file, wherein said log file includes log information about a computer system upon which said agent is executing.
36. The method of claim 28, wherein said agent transmits an XML communication to said reporting destination using said communication connection.
37. The method of claim 25, wherein a threshold is specified for an amount of data that said agent can report in a fixed reporting interval, said threshold being equal to or greater than a fixed maximum size for each summary report sent by said agent.
38. The method of claim 25, wherein a report sent for any of said reporting includes an encrypted checksum preventing modifications of said report while said report is being communicated from an agent to a receiver in a network.
39. The method of claim 25, wherein said reporting is performed by an agent that sends a report, said report including one of: a timestamp which increases with time duration, and a sequence number which increases with time duration, used by a receiver of said report.
40. The method of claim 39, wherein said receiver uses said one of said timestamp or said sequence number in authenticating a report received by said receiver as being sent by said agent, said receiver processing received reports having said one of a timestamp or sequence number which is greater than another one of a timestamp or sequence number associated with a last report received from said agent.
41. The method of claim 31, wherein said second level of reporting information identifies at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
42. A method of event reporting by an agent comprising:
receiving data;
determining if said data corresponds to an event of interest associated with at least one security metric; and
sending a report to a reporting destination, said report including said at least one security metric for a fixed time interval, wherein said report is sent from said agent communicating data at an application level to said reporting destination using a one-way communication connection.
43. The method of claim 42, wherein said agent only sends data on said one-way communication connection to said reporting destination without reading any communication from said communication connection.
44. The method of claim 42, wherein said report includes at least one performance metric in accordance with said data received.
45. A method of event reporting by an agent comprising:
receiving data;
determining if said data indicates a security event of interest; and
reporting a summary including information on a plurality of occurrences of said security event of interest occurring within a fixed time interval, said summary being sent at a predetermined time interval.
46. The method of claim 45, wherein said reporting of said summary is performed without a request for a report.
47. The method of claim 45, wherein data for said reporting of said summary is performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection.
48. The method of claim 47, wherein said reporting of said summary further comprises:
opening a communication connection;
sending data to a said reporting destination; and
closing said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection.
49. The method of claim 48, wherein said communication connection is a TCP or UDP socket.
50. The method of claim 48, wherein said agent transmits an XML communication to said reporting destination using said communication connection.
51. The method of claim 25, wherein said reporting of said summary includes transmitting periodic messages from said agent to a reporting destination, each of said message having a fixed maximum size.
52. A computer program product for event reporting by an agent comprising code that:
receives data;
determines if said data indicates a first occurrence of an event of interest associated with a metric since a previous periodic reporting;
reports said first occurrence of an event if said code that determines that said data indicates said first occurrence; and
reports a summary including said metric in a periodic report at a first point in time.
53. The computer program product of claim 52, wherein said code that reports said first occurrence and said code that reports said summary are performed without a request for a report.
54. The computer program product of claim 52, wherein data for said code that reports said first occurrence and said code that reports said summary are performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection.
55. The computer program product of claim 54, wherein at least one of said code that reports said first occurrence and said code that reports said summary further comprise code that:
opens a communication connection;
sends data to said reporting destination; and
closes said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection.
56. The computer program product of claim 55, wherein said communication connection is a TCP or UDP socket.
57. The computer program product of claim 52, wherein said periodic report includes a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.
58. The computer program product of claim 57, wherein said selected set of one or more metrics is a first level of reporting information and said periodic report includes a second level of reporting information used to perform one at least one of the following: determine a cause of a problem, and take a corrective action to a problem.
59. The computer program product of claim 52, wherein said code that reports said first occurrence and said code that reports said summary includes code that transmits messages from said agent to a reporting destination, each of said messages being a fixed maximum size.
60. The computer program product of claim 59, wherein a time interval at which said periodic report is sent by said agent and data included in each of said messages are determined in accordance with at least one of: resources available on a computer system and a network in which said agent is included.
61. The computer program product of claim 60, wherein said agent executes on a first computer system and reports data to another computer system.
62. The computer program product of claim 58, further comprising code that:
monitors a log file; and
extracts said second level of reporting information from said log file, wherein said log file includes log information about a computer system upon which said agent is executing.
63. The computer program product of claim 55, wherein said agent transmits an XML communication to said reporting destination using said communication connection.
64. The computer program product of claim 52, wherein a threshold is specified for an amount of data that said agent can report in a fixed reporting interval, said threshold being equal to or greater than a fixed maximum size for each summary report sent by said agent.
65. The computer program product of claim 52, wherein a report sent for any of said code that reports uses an encrypted checksum preventing modifications of said report while said report is being communicated from an agent to a receiver in a network.
66. The computer program product of claim 52, wherein said code that reports is performed by an agent that sends a report, said report including one of: a timestamp which increases with time duration, and a sequence number which increases with time duration, used by a receiver of said report.
67. The computer program product of claim 66, wherein said receiver uses said one of said timestamp or said sequence number in authenticating a report received by said receiver as being sent by said agent, said receiver processing received reports having said one of a timestamp or sequence number which is greater than another one of a timestamp or sequence number associated with a last report received from said agent.
68. The computer program product of claim 58, wherein said second level of reporting information identifies at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
69. A computer program product for event reporting by an agent comprising code that:
receives data;
determines if said data corresponds to an event of interest associated with at least one security metric; and
sends a report to a reporting destination, said report including said at least one security metric for a fixed time interval, wherein said report is sent from said agent communicating data at an application level to said reporting destination using a one-way communication connection.
70. The computer program product of claim 69, wherein said agent only sends data on said one-way communication connection to said reporting destination without reading any communication from said communication connection.
71. The computer program product of claim 69, wherein said report includes at least one performance metric in accordance with said data received.
72. A computer program product for event reporting by an agent comprising code that:
receives data;
determines if said data indicates a security event of interest; and
reports a summary including information on a plurality of occurrences of said security event of interest occurring within a fixed time interval, said summary being sent at a predetermined time interval.
73. The computer program product of claim 72, wherein said code that reports said summary is performed without a request for a report.
74. The computer program product of claim 72, wherein data for said code that reports said summary is performed by said agent communicating data at an application level to a reporting destination using a one-way communication connection.
75. The computer program product of claim 74, wherein said code that reports said summary further comprises code that:
opens a communication connection;
sends data to a said reporting destination; and
closes said communication connection, said agent only sending data to said reporting destination without reading any communication from said communication connection.
76. The computer program product of claim 75, wherein said communication connection is a TCP or UDP socket.
77. The computer program product of claim 75, wherein said agent transmits an XML communication to said reporting destination using said communication connection.
78. The computer program product of claim 52, wherein said code that reports said summary includes code that transmits periodic messages from said agent to a reporting destination, each of said message having a fixed maximum size.
79. A method of event notification comprising:
receiving a first report of a condition;
sending a first notification message about said first report of said condition;
sending a second notification message about said condition at a first notification interval;
receiving subsequent reports at fixed time intervals;
sending a subsequent notification message at a second notification interval if said condition is still ongoing during said second notification interval, wherein said second notification interval has a length which is a multiple of said first notification interval.
80. The method of claim 79, wherein said first report is sent from a reporting agent on a first computer system reporting about one of: said first computer system and a network including said first computer system, and said notification messages are sent from a notification server on a second computer system.
81. The method of claim 79, wherein notification messages are sent to a notification point at successive notification intervals wherein each of said successive notification intervals increases approximately exponentially with respect to an immediately prior notification interval.
82. The method of claim 80, wherein said condition is associated with an alarm condition and an alarm condition is set when a current level of a metric is not in accordance with a predetermined threshold value.
83. The method of claim 79, wherein each of said notification messages includes a first level of information about said condition and a second level of information used to perform at least one of the following: determine a cause of said condition, and take a corrective action for said condition.
84. The method of claim 83, wherein an option is included in a reporting agent to enable and disable reporting of said second level of information to a notification server from said agent sending said first report.
85. The method of claim 83, wherein an option is used to enable and disable condition notification messages including said second level of information.
86. The method of claim 82, wherein an alarm condition is associated with a first level alarm and an alarm state of said first level is maintained when a current level of a metric is in accordance with said predetermined threshold value until an acknowledgement of said alarm state at said first level is received by said notification server.
87. The method of claim 86, wherein said alarm condition transitions to a second level alarm when said current level is not in accordance with said predetermined threshold and another threshold associated with a second level, and said second level alarm is maintained when a current level of a metric is in accordance with one of: said predetermined threshold and said other threshold until acknowledgement of said second level alarm is received by said notification server.
88. The method of claim 79, wherein reports are sent from a reporting agent executing on a computer system in an industrial network to an appliance included in said industrial network and each of said reports includes events occurring within said industrial network.
89. The method of claim 82, wherein an alarm condition is determined in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
90. A method of event notification comprising:
receiving a first report of a condition at a reporting destination; and
sending a notification message from said reporting destination to a notification destination, said notification message including a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
91. The method of claim 90, wherein said summary identifies at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
92. The method of claim 90, wherein said summary identifies at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
93. The method of claim 90, wherein said summary identifies a portion of a type of attack represents with respect to all attacks in said fixed time interval.
94. A method of event notification comprising:
receiving report of a potential cyber-attack condition at fixed time intervals; and
sending a notification message about said conditions when said conditions exceed a notification threshold.
95. The method of claim 94, wherein a notification threshold is determined using an alarm condition in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
96. The method of claim 94, wherein said notification message includes a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
97. The method of claim 96, wherein said summary identifies at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
98. The method of claim 96, wherein said summary identifies at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
99. The method of claim 96, wherein said summary identifies a portion of a type of attack represents with respect to all attacks in said fixed time interval.
100. A computer program product for event notification comprising code that:
receives a first report of a condition;
sends a first notification message about said first report of said condition;
sends a second notification message about said condition at a first notification interval;
receives subsequent reports at fixed time intervals; and
sends a subsequent notification message at a second notification interval if said condition is still ongoing during said second notification interval, wherein said second notification interval has a length which is a multiple of said first notification interval.
101. The computer program product of claim 100, wherein said first report is sent from a reporting agent on a first computer system reporting about one of: said first computer system and a network including said first computer system, and said notification messages are sent from a notification server on a second computer system.
102. The computer program product of claim 100, wherein notification messages are sent to a notification point at successive notification intervals wherein each of said successive notification intervals increases approximately exponentially with respect to an immediately prior notification interval.
103. The computer program product of claim 101, wherein said condition is associated with an alarm condition and an alarm condition is set when a current level of a metric is not in accordance with a predetermined threshold value.
104. The computer program product of claim 100, wherein each of said notification messages includes a first level of information about said condition and a second level of information used to perform at least one of the following: determine a cause of said condition, and take a corrective action for said condition.
105. The computer program product of claim 104, wherein an option is included in a reporting agent to enable and disable reporting of said second level of information to a notification server from said agent sending said first report.
106. The computer program product of claim 104, wherein an option is used to enable and disable condition notification messages including said second level of information.
107. The computer program product of claim 103, wherein an alarm condition is associated with a first level alarm and an alarm state of said first level is maintained when a current level of a metric is in accordance with said predetermined threshold value until an acknowledgement of said alarm state at said first level is received by said notification server.
108. The computer program product of claim 107, wherein said alarm condition transitions to a second level alarm when said current level is not in accordance with said predetermined threshold and another threshold associated with a second level, and said second level alarm is maintained when a current level of a metric is in accordance with one of: said predetermined threshold and said other threshold until acknowledgement of said second level alarm is received by said notification server.
109. The computer program product of claim 100, wherein reports are sent from a reporting agent executing on a computer system in an industrial network to an appliance included in said industrial network and each of said reports includes events occurring within said industrial network.
110. The computer program product of claim 103, wherein an alarm condition is determined in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
111. A computer program product for event notification comprising code that:
receives a first report of a condition at a reporting destination; and
sends a notification message from said reporting destination to a notification destination, said notification message including a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
112. The computer program product of claim 111, wherein said summary identifies at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
113. The computer program product of claim 111, wherein said summary identifies at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
114. The computer program product of claim 111, wherein said summary identifies a portion of a type of attack represents with respect to all attacks in said fixed time interval.
115. A computer program product for event notification comprising code that:
receives report of a potential cyber-attack condition at fixed time intervals; and
sends a notification message about said conditions when said conditions exceed a notification threshold.
116. The computer program product of claim 115, wherein a notification threshold is determined using an alarm condition in accordance with a plurality of weighted metrics, said plurality of weighted metrics including at least one metric about: a network intrusion detection, a network intrusion prevention, a number of failed login attempts, a number of users with a level of privileges greater than a level associated with a user-level account.
117. The computer program product of claim 115, wherein said notification message includes a summary of information about events occurring in a fixed time interval, said summary identifying at least one of: a source and a target associated with an attack occurring within said fixed time interval, and a percentage of events associated with said at least one of said source and said target.
118. The computer program product of claim 117, wherein said summary identifies at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack.
119. The computer program product of claim 117, wherein said summary identifies at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack.
120. The computer program product of claim 117, wherein said summary identifies a portion of a type of attack represents with respect to all attacks in said fixed time interval.
121-174. (canceled)
US11/807,699 2003-06-09 2007-05-30 Event monitoring and management Expired - Lifetime US7779119B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/807,699 US7779119B2 (en) 2003-06-09 2007-05-30 Event monitoring and management

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US47708803P 2003-06-09 2003-06-09
US10/815,222 US7246156B2 (en) 2003-06-09 2004-03-31 Method and computer program product for monitoring an industrial network
US11/807,699 US7779119B2 (en) 2003-06-09 2007-05-30 Event monitoring and management

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/815,222 Division US7246156B2 (en) 2003-06-09 2004-03-31 Method and computer program product for monitoring an industrial network

Publications (3)

Publication Number Publication Date
US20080209033A1 true US20080209033A1 (en) 2008-08-28
US20100064039A9 US20100064039A9 (en) 2010-03-11
US7779119B2 US7779119B2 (en) 2010-08-17

Family

ID=33555439

Family Applications (4)

Application Number Title Priority Date Filing Date
US10/815,222 Expired - Lifetime US7246156B2 (en) 2003-06-09 2004-03-31 Method and computer program product for monitoring an industrial network
US11/102,050 Abandoned US20050182969A1 (en) 2003-06-09 2005-04-08 Periodic filesystem integrity checks
US11/807,877 Abandoned US20100023598A9 (en) 2003-06-09 2007-05-30 Event monitoring and management
US11/807,699 Expired - Lifetime US7779119B2 (en) 2003-06-09 2007-05-30 Event monitoring and management

Family Applications Before (3)

Application Number Title Priority Date Filing Date
US10/815,222 Expired - Lifetime US7246156B2 (en) 2003-06-09 2004-03-31 Method and computer program product for monitoring an industrial network
US11/102,050 Abandoned US20050182969A1 (en) 2003-06-09 2005-04-08 Periodic filesystem integrity checks
US11/807,877 Abandoned US20100023598A9 (en) 2003-06-09 2007-05-30 Event monitoring and management

Country Status (5)

Country Link
US (4) US7246156B2 (en)
EP (1) EP1636704A4 (en)
AU (1) AU2004248605B2 (en)
CA (1) CA2526759C (en)
WO (1) WO2004111785A2 (en)

Cited By (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050182969A1 (en) * 2003-06-09 2005-08-18 Andrew Ginter Periodic filesystem integrity checks
US20060021021A1 (en) * 2004-06-08 2006-01-26 Rajesh Patel Security event data normalization
US20080048860A1 (en) * 2005-06-23 2008-02-28 International Business Machines Corporation Monitoring multiple channels of data from real time process to detect recent abnormal behavior
US20080256217A1 (en) * 2007-04-11 2008-10-16 Lg Electronics Inc. Mobile communication device having web alarm function and operating method of the mobile communication device
US20090057424A1 (en) * 2007-08-27 2009-03-05 Honeywell International Inc. Remote hvac control with user privilege setup
US20090204702A1 (en) * 2008-02-08 2009-08-13 Autiq As System and method for network management using self-discovering thin agents
WO2009128905A1 (en) 2008-04-17 2009-10-22 Siemens Energy, Inc. Method and system for cyber security management of industrial control systems
US20100088197A1 (en) * 2008-10-02 2010-04-08 Dehaan Michael Paul Systems and methods for generating remote system inventory capable of differential update reports
US20100131625A1 (en) * 2008-11-26 2010-05-27 Dehaan Michael Paul Systems and methods for remote network management having multi-node awareness
US20100223375A1 (en) * 2009-02-27 2010-09-02 Dehaan Michael Paul Systems and methods for searching a managed network for setting and configuration data
US20100223473A1 (en) * 2009-02-27 2010-09-02 Dehaan Michael Paul Systems and methods for network management using secure mesh command and control framework
US20100306334A1 (en) * 2009-05-29 2010-12-02 Dehaan Michael P Systems and methods for integrated console management interface
US20100306347A1 (en) * 2009-05-29 2010-12-02 Dehaan Michael Paul Systems and methods for detecting, monitoring, and configuring services in a network
US20110055361A1 (en) * 2009-08-31 2011-03-03 Dehaan Michael Paul Systems and methods for generating management agent installations
US20110055636A1 (en) * 2009-08-31 2011-03-03 Dehaan Michael Paul Systems and methods for testing results of configuration management activity
US20110055669A1 (en) * 2009-08-31 2011-03-03 Dehaan Michael Paul Systems and methods for detecting machine faults in network using acoustic monitoring
US20110055810A1 (en) * 2009-08-31 2011-03-03 Dehaan Michael Paul Systems and methods for registering software management component types in a managed network
US20110078301A1 (en) * 2009-09-30 2011-03-31 Dehaan Michael Paul Systems and methods for detecting network conditions based on correlation between trend lines
US20110096849A1 (en) * 2008-07-02 2011-04-28 Stefan Kubsch Optimized selection of transmission protocol respecting thresholds
US20110154351A1 (en) * 2009-12-21 2011-06-23 International Business Machines Corporation Tunable Error Resilience Computing
US20120054823A1 (en) * 2010-08-24 2012-03-01 Electronics And Telecommunications Research Institute Automated control method and apparatus of ddos attack prevention policy using the status of cpu and memory
US20120079098A1 (en) * 2010-09-29 2012-03-29 International Business Machines Corporation Performance Monitoring of a Computer Resource
US20120084413A1 (en) * 2010-10-05 2012-04-05 Red Hat Israel, Ltd. Mechanism for Installing Monitoring Utilities Using Universal Performance Monitor
US20120173710A1 (en) * 2010-12-31 2012-07-05 Verisign Systems, apparatus, and methods for network data analysis
US20120233694A1 (en) * 2011-03-11 2012-09-13 At&T Intellectual Property I, L.P. Mobile malicious software mitigation
US8296414B1 (en) * 2007-09-28 2012-10-23 Emc Corporation Techniques for automated application discovery
US20130054784A1 (en) * 2011-08-29 2013-02-28 Cisco Technology, Inc. Session Layer for Monitoring Utility Application Traffic
US8402267B1 (en) 2009-03-18 2013-03-19 University Of Louisville Research Foundation, Inc. Security enhanced network device and method for secure operation of same
US20130086635A1 (en) * 2011-09-30 2013-04-04 General Electric Company System and method for communication in a network
US20130219495A1 (en) * 2010-12-30 2013-08-22 Kaspersky Lab, Zao System and method for optimization of security tasks by configuring security modules
US20140108319A1 (en) * 2012-10-12 2014-04-17 Bruno KLAUSER Autonomic network sentinels
US8713177B2 (en) * 2008-05-30 2014-04-29 Red Hat, Inc. Remote management of networked systems using secure modular platform
US8719782B2 (en) 2009-10-29 2014-05-06 Red Hat, Inc. Integrated package development and machine configuration management
US8782204B2 (en) 2008-11-28 2014-07-15 Red Hat, Inc. Monitoring hardware resources in a software provisioning environment
US20140203941A1 (en) * 2011-09-29 2014-07-24 Tokyo Electron Limited Substrate processing apparatus, alarm management method of substrate processing apparatus, and storage medium
US8868907B2 (en) 2009-03-18 2014-10-21 University Of Louisville Research Foundation, Inc. Device, method, and system for processing communications for secure operation of industrial control system field devices
US9100297B2 (en) 2008-08-20 2015-08-04 Red Hat, Inc. Registering new machines in a software provisioning environment
WO2015126734A1 (en) * 2014-02-23 2015-08-27 Intel Corporation Orchestration and management of services to deployed devices
US9256488B2 (en) 2010-10-05 2016-02-09 Red Hat Israel, Ltd. Verification of template integrity of monitoring templates used for customized monitoring of system activities
US9363107B2 (en) 2010-10-05 2016-06-07 Red Hat Israel, Ltd. Accessing and processing monitoring data resulting from customized monitoring of system activities
US9524224B2 (en) 2010-10-05 2016-12-20 Red Hat Israel, Ltd. Customized monitoring of system activities
US9558195B2 (en) 2009-02-27 2017-01-31 Red Hat, Inc. Depopulation of user data from network
US9678492B2 (en) 2012-02-01 2017-06-13 Abb Research Ltd. Dynamic configuration of an industrial control system
US10203946B2 (en) 2009-05-29 2019-02-12 Red Hat, Inc. Retiring target machines by a provisioning server
CN110191017A (en) * 2019-05-28 2019-08-30 上海连尚网络科技有限公司 It is a kind of for monitoring the monitoring system and method for routing device exception
US20220038483A1 (en) * 2012-06-26 2022-02-03 Aeris Communications, Inc. Methodology for intelligent pattern detection and anomaly detection in machine to machine communication network
WO2024063761A1 (en) * 2022-09-21 2024-03-28 Rakuten Mobile, Inc. Alarm tracking system and method

Families Citing this family (556)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9892606B2 (en) * 2001-11-15 2018-02-13 Avigilon Fortress Corporation Video surveillance system employing video primitives
US8564661B2 (en) * 2000-10-24 2013-10-22 Objectvideo, Inc. Video analytic rule detection system and method
US8073967B2 (en) 2002-04-15 2011-12-06 Fisher-Rosemount Systems, Inc. Web services-based communications for use with process control systems
US7720727B2 (en) * 2001-03-01 2010-05-18 Fisher-Rosemount Systems, Inc. Economic calculations in process control system
US7389204B2 (en) * 2001-03-01 2008-06-17 Fisher-Rosemount Systems, Inc. Data presentation system for abnormal situation prevention in a process plant
US7587481B1 (en) * 2001-04-05 2009-09-08 Dj Inventions, Llc Enterprise server for SCADA system with security interface
US20020191102A1 (en) * 2001-05-31 2002-12-19 Casio Computer Co., Ltd. Light emitting device, camera with light emitting device, and image pickup method
US7657935B2 (en) * 2001-08-16 2010-02-02 The Trustees Of Columbia University In The City Of New York System and methods for detecting malicious email transmission
US7818797B1 (en) * 2001-10-11 2010-10-19 The Trustees Of Columbia University In The City Of New York Methods for cost-sensitive modeling for intrusion detection and response
US8544087B1 (en) 2001-12-14 2013-09-24 The Trustess Of Columbia University In The City Of New York Methods of unsupervised anomaly detection using a geometric framework
US9306966B2 (en) 2001-12-14 2016-04-05 The Trustees Of Columbia University In The City Of New York Methods of unsupervised anomaly detection using a geometric framework
US7225343B1 (en) * 2002-01-25 2007-05-29 The Trustees Of Columbia University In The City Of New York System and methods for adaptive model generation for detecting intrusions in computer systems
US8910241B2 (en) * 2002-04-25 2014-12-09 Citrix Systems, Inc. Computer security system
US7420929B1 (en) 2002-07-02 2008-09-02 Juniper Networks, Inc. Adaptive network flow analysis
JP2004318552A (en) * 2003-04-17 2004-11-11 Kddi Corp Device, method and program for supporting ids log analysis
US9069666B2 (en) * 2003-05-21 2015-06-30 Hewlett-Packard Development Company, L.P. Systems and methods for controlling error reporting and resolution
EP1634175B1 (en) * 2003-05-28 2015-06-24 Citrix Systems, Inc. Multilayer access control security system
US20090271504A1 (en) * 2003-06-09 2009-10-29 Andrew Francis Ginter Techniques for agent configuration
US20050033701A1 (en) * 2003-08-08 2005-02-10 International Business Machines Corporation System and method for verifying the identity of a remote meter transmitting utility usage data
US7712083B2 (en) * 2003-08-20 2010-05-04 Igt Method and apparatus for monitoring and updating system software
US20050050357A1 (en) * 2003-09-02 2005-03-03 Su-Huei Jeng Method and system for detecting unauthorized hardware devices
US7639714B2 (en) 2003-11-12 2009-12-29 The Trustees Of Columbia University In The City Of New York Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data
US7613804B2 (en) * 2003-11-25 2009-11-03 Microsoft Corporation Systems and methods for state management of networked systems
US7590726B2 (en) * 2003-11-25 2009-09-15 Microsoft Corporation Systems and methods for unifying and/or utilizing state information for managing networked systems
US7430598B2 (en) * 2003-11-25 2008-09-30 Microsoft Corporation Systems and methods for health monitor alert management for networked systems
US7599939B2 (en) * 2003-11-26 2009-10-06 Loglogic, Inc. System and method for storing raw log data
US20050114505A1 (en) * 2003-11-26 2005-05-26 Destefano Jason M. Method and apparatus for retrieving and combining summarized log data in a distributed log data processing system
US20050114707A1 (en) * 2003-11-26 2005-05-26 Destefano Jason Michael Method for processing log data from local and remote log-producing devices
US20050114321A1 (en) * 2003-11-26 2005-05-26 Destefano Jason M. Method and apparatus for storing and reporting summarized log data
US8234256B2 (en) 2003-11-26 2012-07-31 Loglogic, Inc. System and method for parsing, summarizing and reporting log data
US8190723B2 (en) * 2003-12-14 2012-05-29 Cisco Technology, Inc. Method and system for automatically determining commands for a network element
US7359339B2 (en) * 2003-12-23 2008-04-15 Lenovo Singapore Pte Ltd Smart access point
US7392295B2 (en) * 2004-02-19 2008-06-24 Microsoft Corporation Method and system for collecting information from computer systems based on a trusted relationship
US7584382B2 (en) * 2004-02-19 2009-09-01 Microsoft Corporation Method and system for troubleshooting a misconfiguration of a computer system based on configurations of other computer systems
US20050198099A1 (en) * 2004-02-24 2005-09-08 Covelight Systems, Inc. Methods, systems and computer program products for monitoring protocol responses for a server application
US7676287B2 (en) * 2004-03-03 2010-03-09 Fisher-Rosemount Systems, Inc. Configuration system and method for abnormal situation prevention in a process plant
US7079984B2 (en) * 2004-03-03 2006-07-18 Fisher-Rosemount Systems, Inc. Abnormal situation prevention in a process plant
US8224937B2 (en) * 2004-03-04 2012-07-17 International Business Machines Corporation Event ownership assigner with failover for multiple event server system
US20050234988A1 (en) * 2004-04-16 2005-10-20 Messick Randall E Message-based method and system for managing a storage area network
JP2007535770A (en) * 2004-04-28 2007-12-06 オープンロジック インコーポレイテッド Tools for stacking uncooperative software projects
DE102004021031A1 (en) * 2004-04-29 2005-11-24 Siemens Ag Method for generating and managing templates for event management
US7664855B1 (en) * 2004-05-05 2010-02-16 Juniper Networks, Inc. Port scanning mitigation within a network through establishment of an a prior network connection
EP1754127A2 (en) * 2004-05-19 2007-02-21 Computer Associates Think, Inc. Systems and methods for minimizing security logs
WO2005117370A2 (en) * 2004-05-19 2005-12-08 Computer Associates Think, Inc. Using address ranges to detect malicious activity
US20050271128A1 (en) * 2004-06-02 2005-12-08 Williams Jeffery D Distributed SCADA system for remote monitoring and control of access points utilizing an intelligent uninterruptible power supply system for a WISP network
US20050289232A1 (en) * 2004-06-07 2005-12-29 Rudiger Ebert Method, apparatus, and system for monitoring performance remotely from a user
US20060015591A1 (en) * 2004-06-08 2006-01-19 Datla Krishnam R Apparatus and method for intelligent configuration editor
US7721304B2 (en) * 2004-06-08 2010-05-18 Cisco Technology, Inc. Method and apparatus providing programmable network intelligence
US8010952B2 (en) * 2004-06-08 2011-08-30 Cisco Technology, Inc. Method and apparatus for configuration syntax and semantic validation
US7735140B2 (en) * 2004-06-08 2010-06-08 Cisco Technology, Inc. Method and apparatus providing unified compliant network audit
JP2006013737A (en) * 2004-06-24 2006-01-12 Fujitsu Ltd Device for eliminating abnormal traffic
US10284571B2 (en) * 2004-06-28 2019-05-07 Riverbed Technology, Inc. Rule based alerting in anomaly detection
US8458783B2 (en) * 2004-06-30 2013-06-04 Citrix Systems, Inc. Using application gateways to protect unauthorized transmission of confidential data via web applications
US9154511B1 (en) 2004-07-13 2015-10-06 Dell Software Inc. Time zero detection of infectious messages
US7343624B1 (en) 2004-07-13 2008-03-11 Sonicwall, Inc. Managing infectious messages as identified by an attachment
US8589531B2 (en) * 2004-07-14 2013-11-19 Riverbed Technology, Inc. Network difference reporting
WO2006010347A1 (en) * 2004-07-21 2006-02-02 Memory Data Gmbh Rapid archivable worm memory system based on a hard disc
US7546635B1 (en) 2004-08-11 2009-06-09 Juniper Networks, Inc. Stateful firewall protection for control plane traffic within a network device
US20060034305A1 (en) * 2004-08-13 2006-02-16 Honeywell International Inc. Anomaly-based intrusion detection
US7778228B2 (en) * 2004-09-16 2010-08-17 The Boeing Company “Wireless ISLAND” mobile LAN-to-LAN tunneling solution
US7280030B1 (en) * 2004-09-24 2007-10-09 Sielox, Llc System and method for adjusting access control based on homeland security levels
US8499337B1 (en) * 2004-10-06 2013-07-30 Mcafee, Inc. Systems and methods for delegation and notification of administration of internet access
US8433768B1 (en) * 2004-10-14 2013-04-30 Lockheed Martin Corporation Embedded model interaction within attack projection framework of information system
US7408441B2 (en) * 2004-10-25 2008-08-05 Electronic Data Systems Corporation System and method for analyzing user-generated event information and message information from network devices
US20060168170A1 (en) * 2004-10-25 2006-07-27 Korzeniowski Richard W System and method for analyzing information relating to network devices
US7408440B2 (en) 2004-10-25 2008-08-05 Electronics Data Systems Corporation System and method for analyzing message information from diverse network devices
JP4938233B2 (en) * 2004-11-09 2012-05-23 キヤノン電子株式会社 Management server, information processing apparatus, control method therefor, network management system, computer program, and computer-readable storage medium
JP4422595B2 (en) * 2004-11-26 2010-02-24 富士通株式会社 Monitoring system, monitored device, monitoring device, and monitoring method
US8756682B2 (en) * 2004-12-20 2014-06-17 Hewlett-Packard Development Company, L.P. Method and system for network intrusion prevention
US8974304B2 (en) * 2004-12-22 2015-03-10 Wms Gaming Inc. System, method, and apparatus for detecting abnormal behavior of a wagering game machine
US9325728B1 (en) 2005-01-27 2016-04-26 Leidos, Inc. Systems and methods for implementing and scoring computer network defense exercises
US8266320B1 (en) * 2005-01-27 2012-09-11 Science Applications International Corporation Computer network defense
US7895167B2 (en) * 2005-02-16 2011-02-22 Xpolog Ltd. System and method for analysis and management of logs and events
US20060203736A1 (en) * 2005-03-10 2006-09-14 Stsn General Holdings Inc. Real-time mobile user network operations center
US8418226B2 (en) * 2005-03-18 2013-04-09 Absolute Software Corporation Persistent servicing agent
US9438683B2 (en) * 2005-04-04 2016-09-06 Aol Inc. Router-host logging
US7685292B1 (en) 2005-04-07 2010-03-23 Dell Marketing Usa L.P. Techniques for establishment and use of a point-to-point tunnel between source and target devices
US8140614B2 (en) * 2005-06-02 2012-03-20 International Business Machines Corporation Distributed computing environment with remote data collection management
JP4313336B2 (en) * 2005-06-03 2009-08-12 株式会社日立製作所 Monitoring system and monitoring method
US7184935B1 (en) * 2005-06-10 2007-02-27 Hewlett-Packard Development Company, L.P. Determining and annotating a signature of a computer resource
US8364841B2 (en) * 2005-06-16 2013-01-29 Infinera Corporation XML over TCP management protocol with tunneled proxy support and connection management
US7702780B2 (en) * 2005-06-22 2010-04-20 International Business Machines Corporation Monitoring method, system, and computer program based on severity and persistence of problems
US20060294588A1 (en) * 2005-06-24 2006-12-28 International Business Machines Corporation System, method and program for identifying and preventing malicious intrusions
US7877803B2 (en) * 2005-06-27 2011-01-25 Hewlett-Packard Development Company, L.P. Automated immune response for a computer
CN100479575C (en) 2005-06-30 2009-04-15 华为技术有限公司 Method and apparatus for realizing scheduled operation in equipment management
US7647634B2 (en) * 2005-06-30 2010-01-12 Microsoft Corporation Managing access to a network
US7664849B1 (en) * 2005-06-30 2010-02-16 Symantec Operating Corporation Method and apparatus for controlling finite impulse responses using alert definitions in policy-based automation
US9418040B2 (en) * 2005-07-07 2016-08-16 Sciencelogic, Inc. Dynamically deployable self configuring distributed network management system
US7832006B2 (en) * 2005-08-09 2010-11-09 At&T Intellectual Property I, L.P. System and method for providing network security
US7818625B2 (en) * 2005-08-17 2010-10-19 Microsoft Corporation Techniques for performing memory diagnostics
US8769663B2 (en) * 2005-08-24 2014-07-01 Fortinet, Inc. Systems and methods for detecting undesirable network traffic content
US7899903B2 (en) * 2005-09-30 2011-03-01 Microsoft Corporation Template based management system
US20070168349A1 (en) * 2005-09-30 2007-07-19 Microsoft Corporation Schema for template based management system
CA2623120C (en) 2005-10-05 2015-03-24 Byres Security Inc. Network security appliance
US7502971B2 (en) * 2005-10-12 2009-03-10 Hewlett-Packard Development Company, L.P. Determining a recurrent problem of a computer resource using signatures
US9419981B2 (en) * 2005-10-31 2016-08-16 The Trustees Of Columbia University In The City Of New York Methods, media, and systems for securing communications between a first node and a second node
JP4459890B2 (en) * 2005-11-04 2010-04-28 株式会社日立製作所 Information processing apparatus, incident response apparatus control method, and program
US7966654B2 (en) 2005-11-22 2011-06-21 Fortinet, Inc. Computerized system and method for policy-based content filtering
WO2007062004A2 (en) 2005-11-22 2007-05-31 The Trustees Of Columbia University In The City Of New York Methods, media, and devices for moving a connection from one point of access to another point of access
IL172289A (en) * 2005-11-30 2011-07-31 Rafael Advanced Defense Sys Limited bandwidth surveillance system and method with rotation among monitors
US7890315B2 (en) * 2005-12-29 2011-02-15 Microsoft Corporation Performance engineering and the application life cycle
US20070192344A1 (en) * 2005-12-29 2007-08-16 Microsoft Corporation Threats and countermeasures schema
US20070157311A1 (en) * 2005-12-29 2007-07-05 Microsoft Corporation Security modeling and the application life cycle
US20070157316A1 (en) * 2005-12-30 2007-07-05 Intel Corporation Managing rogue IP traffic in a global enterprise
US20070180101A1 (en) * 2006-01-10 2007-08-02 A10 Networks Inc. System and method for storing data-network activity information
JP2007215162A (en) * 2006-01-11 2007-08-23 Canon Inc Information processing apparatus, control method thereof, program and recording medium
US9183106B2 (en) * 2006-01-13 2015-11-10 Dell Products L.P. System and method for the automated generation of events within a server environment
US8234361B2 (en) * 2006-01-13 2012-07-31 Fortinet, Inc. Computerized system and method for handling network traffic
US7818788B2 (en) * 2006-02-14 2010-10-19 Microsoft Corporation Web application security frame
US8090838B2 (en) * 2006-02-16 2012-01-03 Microsoft Corporation Shell operation flow change
US7712137B2 (en) * 2006-02-27 2010-05-04 Microsoft Corporation Configuring and organizing server security information
US7721157B2 (en) * 2006-03-08 2010-05-18 Omneon Video Networks Multi-node computer system component proactive monitoring and proactive repair
US7996895B2 (en) * 2006-03-27 2011-08-09 Avaya Inc. Method and apparatus for protecting networks from unauthorized applications
US8831011B1 (en) 2006-04-13 2014-09-09 Xceedium, Inc. Point to multi-point connections
US7675867B1 (en) 2006-04-19 2010-03-09 Owl Computing Technologies, Inc. One-way data transfer system with built-in data verification mechanism
US8151322B2 (en) 2006-05-16 2012-04-03 A10 Networks, Inc. Systems and methods for user access authentication based on network access point
US8065666B2 (en) * 2006-06-02 2011-11-22 Rockwell Automation Technologies, Inc. Change management methodologies for industrial automation and information systems
US8117441B2 (en) * 2006-06-20 2012-02-14 Microsoft Corporation Integrating security protection tools with computer device integrity and privacy policy
US7913245B2 (en) * 2006-06-21 2011-03-22 International Business Machines Corporation Apparatus, system and method for modular distribution and maintenance of non-“object code only” dynamic components
US20070300312A1 (en) * 2006-06-22 2007-12-27 Microsoft Corporation Microsoft Patent Group User presence detection for altering operation of a computing system
WO2008001344A2 (en) * 2006-06-27 2008-01-03 Waterfall Solutions Ltd One way secure link
US20080004763A1 (en) * 2006-06-30 2008-01-03 Caterpillar Inc. Method and system for preventing excessive tire wear on machines
US20130276109A1 (en) * 2006-07-11 2013-10-17 Mcafee, Inc. System, method and computer program product for detecting activity in association with program resources that has at least a potential of an unwanted effect on the program
US7536276B2 (en) * 2006-07-27 2009-05-19 Siemens Buildings Technologies, Inc. Method and apparatus for equipment health monitoring
US8484718B2 (en) * 2006-08-03 2013-07-09 Citrix System, Inc. Systems and methods for enabling assured records using fine grained auditing of virtual private network traffic
US8495181B2 (en) 2006-08-03 2013-07-23 Citrix Systems, Inc Systems and methods for application based interception SSI/VPN traffic
US8869262B2 (en) 2006-08-03 2014-10-21 Citrix Systems, Inc. Systems and methods for application based interception of SSL/VPN traffic
US7843912B2 (en) * 2006-08-03 2010-11-30 Citrix Systems, Inc. Systems and methods of fine grained interception of network communications on a virtual private network
US7571349B2 (en) * 2006-08-18 2009-08-04 Microsoft Corporation Configuration replication for system recovery and migration
US20080052508A1 (en) * 2006-08-25 2008-02-28 Huotari Allen J Network security status indicators
IL177756A (en) * 2006-08-29 2014-11-30 Lior Frenkel Encryption-based attack prevention
US8903968B2 (en) * 2006-08-29 2014-12-02 International Business Machines Corporation Distributed computing environment
US8522304B2 (en) * 2006-09-08 2013-08-27 Ibahn General Holdings Corporation Monitoring and reporting policy compliance of home networks
US20120284790A1 (en) * 2006-09-11 2012-11-08 Decision-Zone Inc. Live service anomaly detection system for providing cyber protection for the electric grid
US8984579B2 (en) * 2006-09-19 2015-03-17 The Innovation Science Fund I, LLC Evaluation systems and methods for coordinating software agents
US8601530B2 (en) * 2006-09-19 2013-12-03 The Invention Science Fund I, Llc Evaluation systems and methods for coordinating software agents
US8607336B2 (en) * 2006-09-19 2013-12-10 The Invention Science Fund I, Llc Evaluation systems and methods for coordinating software agents
US8627402B2 (en) * 2006-09-19 2014-01-07 The Invention Science Fund I, Llc Evaluation systems and methods for coordinating software agents
US20080125887A1 (en) * 2006-09-27 2008-05-29 Rockwell Automation Technologies, Inc. Event context data and aggregation for industrial control systems
CN102831214B (en) 2006-10-05 2017-05-10 斯普兰克公司 time series search engine
US8312507B2 (en) 2006-10-17 2012-11-13 A10 Networks, Inc. System and method to apply network traffic policy to an application session
US7716378B2 (en) 2006-10-17 2010-05-11 A10 Networks, Inc. System and method to associate a private user identity with a public user identity
US8055904B1 (en) 2006-10-19 2011-11-08 United Services Automobile Assocation (USAA) Systems and methods for software application security management
US8544071B1 (en) * 2006-10-19 2013-09-24 United Services Automobile Association (Usaa) Systems and methods for software application security management
US8214889B2 (en) * 2006-11-03 2012-07-03 Microsoft Corporation Selective auto-revocation of firewall security settings
US20080126884A1 (en) * 2006-11-28 2008-05-29 Siemens Aktiengesellschaft Method for providing detailed information and support regarding an event message
US7415385B2 (en) * 2006-11-29 2008-08-19 Mitsubishi Electric Research Laboratories, Inc. System and method for measuring performances of surveillance systems
IL180020A (en) * 2006-12-12 2013-03-24 Waterfall Security Solutions Ltd Encryption -and decryption-enabled interfaces
US7944357B2 (en) * 2006-12-18 2011-05-17 Cummings Engineering Consultants, Inc. Method and system for a grass roots intelligence program
US8055760B1 (en) * 2006-12-18 2011-11-08 Sprint Communications Company L.P. Firewall doctor
US8640086B2 (en) * 2006-12-29 2014-01-28 Sap Ag Graphical user interface system and method for presenting objects
IL180748A (en) 2007-01-16 2013-03-24 Waterfall Security Solutions Ltd Secure archive
US8254882B2 (en) 2007-01-29 2012-08-28 Cisco Technology, Inc. Intrusion prevention system for wireless networks
US8312135B2 (en) * 2007-02-02 2012-11-13 Microsoft Corporation Computing system infrastructure to administer distress messages
JP4905165B2 (en) * 2007-02-07 2012-03-28 富士通株式会社 Monitoring support program, monitoring method and monitoring system
US8856782B2 (en) 2007-03-01 2014-10-07 George Mason Research Foundation, Inc. On-demand disposable virtual work system
US7870277B2 (en) * 2007-03-12 2011-01-11 Citrix Systems, Inc. Systems and methods for using object oriented expressions to configure application security policies
CN101682526B (en) * 2007-03-12 2013-11-20 思杰系统有限公司 Systems and methods for configuring, applying and managing security policies
US8490148B2 (en) 2007-03-12 2013-07-16 Citrix Systems, Inc Systems and methods for managing application security profiles
US7853679B2 (en) * 2007-03-12 2010-12-14 Citrix Systems, Inc. Systems and methods for configuring handling of undefined policy events
US7865589B2 (en) 2007-03-12 2011-01-04 Citrix Systems, Inc. Systems and methods for providing structured policy expressions to represent unstructured data in a network appliance
US7853678B2 (en) * 2007-03-12 2010-12-14 Citrix Systems, Inc. Systems and methods for configuring flow control of policy expressions
US8631147B2 (en) 2007-03-12 2014-01-14 Citrix Systems, Inc. Systems and methods for configuring policy bank invocations
US9922323B2 (en) 2007-03-16 2018-03-20 Visa International Service Association System and method for automated analysis comparing a wireless device location with another geographic location
US8280348B2 (en) 2007-03-16 2012-10-02 Finsphere Corporation System and method for identity protection using mobile device signaling network derived location pattern recognition
US9185123B2 (en) 2008-02-12 2015-11-10 Finsphere Corporation System and method for mobile identity protection for online user authentication
US9432845B2 (en) 2007-03-16 2016-08-30 Visa International Service Association System and method for automated analysis comparing a wireless device location with another geographic location
US9420448B2 (en) 2007-03-16 2016-08-16 Visa International Service Association System and method for automated analysis comparing a wireless device location with another geographic location
CN101681482B (en) * 2007-03-26 2012-11-14 Bpl环球有限公司 System and method for integrated asset protection
US8626844B2 (en) * 2007-03-26 2014-01-07 The Trustees Of Columbia University In The City Of New York Methods and media for exchanging data between nodes of disconnected networks
US9083712B2 (en) * 2007-04-04 2015-07-14 Sri International Method and apparatus for generating highly predictive blacklists
US8068415B2 (en) 2007-04-18 2011-11-29 Owl Computing Technologies, Inc. Secure one-way data transfer using communication interface circuitry
US8139581B1 (en) 2007-04-19 2012-03-20 Owl Computing Technologies, Inc. Concurrent data transfer involving two or more transport layer protocols over a single one-way data link
US7941526B1 (en) 2007-04-19 2011-05-10 Owl Computing Technologies, Inc. Transmission of syslog messages over a one-way data link
US8352450B1 (en) 2007-04-19 2013-01-08 Owl Computing Technologies, Inc. Database update through a one-way data link
US8234240B2 (en) * 2007-04-26 2012-07-31 Microsoft Corporation Framework for providing metrics from any datasource
US20080270469A1 (en) * 2007-04-26 2008-10-30 Microsoft Corporation Business metrics aggregated by custom hierarchy
US7966660B2 (en) * 2007-05-23 2011-06-21 Honeywell International Inc. Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices
DE102008024668A1 (en) * 2007-05-24 2008-11-27 ABB Inc., Norwalk Inventory monitor for fieldbus devices
US8108924B1 (en) * 2007-05-24 2012-01-31 Sprint Communications Company L.P. Providing a firewall's connection data in a comprehendible format
US8533821B2 (en) * 2007-05-25 2013-09-10 International Business Machines Corporation Detecting and defending against man-in-the-middle attacks
US20080313228A1 (en) * 2007-06-15 2008-12-18 Rockwell Automation Technologies, Inc. Controller log and log aggregation
EP2054782B1 (en) * 2007-07-09 2018-11-21 ABB Research LTD Data recording apparatus
US8132248B2 (en) * 2007-07-18 2012-03-06 Trend Micro Incorporated Managing configurations of a firewall
US7992209B1 (en) 2007-07-19 2011-08-02 Owl Computing Technologies, Inc. Bilateral communication using multiple one-way data links
US9336387B2 (en) * 2007-07-30 2016-05-10 Stroz Friedberg, Inc. System, method, and computer program product for detecting access to a memory device
US8024802B1 (en) * 2007-07-31 2011-09-20 Hewlett-Packard Development Company, L.P. Methods and systems for using state ranges for processing regular expressions in intrusion-prevention systems
US8301676B2 (en) * 2007-08-23 2012-10-30 Fisher-Rosemount Systems, Inc. Field device with capability of calculating digital filter coefficients
US7702401B2 (en) 2007-09-05 2010-04-20 Fisher-Rosemount Systems, Inc. System for preserving and displaying process control data associated with an abnormal situation
IL187492A0 (en) * 2007-09-06 2008-02-09 Human Interface Security Ltd Information protection device
US8074278B2 (en) * 2007-09-14 2011-12-06 Fisher-Rosemount Systems, Inc. Apparatus and methods for intrusion protection in safety instrumented process control systems
DE102007046079A1 (en) * 2007-09-26 2009-04-02 Siemens Ag A method for establishing a secure connection from a service technician to an incident affected component of a remote diagnosable and / or remote controllable automation environment
US20090088883A1 (en) * 2007-09-27 2009-04-02 Rockwell Automation Technologies, Inc. Surface-based computing in an industrial automation environment
US8224942B1 (en) * 2007-10-02 2012-07-17 Google Inc. Network failure detection
US8055479B2 (en) 2007-10-10 2011-11-08 Fisher-Rosemount Systems, Inc. Simplified algorithm for abnormal situation prevention in load following applications including plugged line diagnostics in a dynamic process
US20090100430A1 (en) * 2007-10-15 2009-04-16 Marco Valentin Method and system for a task automation tool
US8223205B2 (en) 2007-10-24 2012-07-17 Waterfall Solutions Ltd. Secure implementation of network-based sensors
US8959624B2 (en) * 2007-10-31 2015-02-17 Bank Of America Corporation Executable download tracking system
US9282005B1 (en) * 2007-11-01 2016-03-08 Emc Corporation IT infrastructure policy breach investigation interface
US8516539B2 (en) * 2007-11-09 2013-08-20 Citrix Systems, Inc System and method for inferring access policies from access event records
US8990910B2 (en) * 2007-11-13 2015-03-24 Citrix Systems, Inc. System and method using globally unique identities
US20090150513A1 (en) * 2007-12-10 2009-06-11 At&T Knowledge Ventures, Lp Method and System for Gathering Network Data
KR20090065183A (en) * 2007-12-17 2009-06-22 한국전자통신연구원 Apparatus and method automatically generating security policy of selinux based on selt
US8095938B1 (en) * 2007-12-21 2012-01-10 Emc Corporation Managing alert generation
US9336385B1 (en) * 2008-02-11 2016-05-10 Adaptive Cyber Security Instruments, Inc. System for real-time threat detection and management
TWI406151B (en) * 2008-02-27 2013-08-21 Asustek Comp Inc Antivirus protection method and electronic device with antivirus protection
US20090228838A1 (en) * 2008-03-04 2009-09-10 Ryan Christopher N Content design tool
US8850568B2 (en) * 2008-03-07 2014-09-30 Qualcomm Incorporated Method and apparatus for detecting unauthorized access to a computing device and securely communicating information about such unauthorized access
US8965719B1 (en) * 2008-03-07 2015-02-24 Versify Solutions, Inc. Universal performance monitor for power generators
US8839460B2 (en) * 2008-03-07 2014-09-16 Qualcomm Incorporated Method for securely communicating information about the location of a compromised computing device
US8606686B1 (en) * 2008-03-07 2013-12-10 Versify Solutions, Inc. System and method for gathering and performing complex analyses on power data from multiple remote sources
US9240945B2 (en) * 2008-03-19 2016-01-19 Citrix Systems, Inc. Access, priority and bandwidth management based on application identity
US20090254970A1 (en) * 2008-04-04 2009-10-08 Avaya Inc. Multi-tier security event correlation and mitigation
US8761948B1 (en) 2008-04-25 2014-06-24 Versify Solutions, Inc. System and method for managing and monitoring renewable energy power generation
US8943575B2 (en) 2008-04-30 2015-01-27 Citrix Systems, Inc. Method and system for policy simulation
US20090276852A1 (en) * 2008-05-01 2009-11-05 International Business Machines Corporation Statistical worm discovery within a security information management architecture
US20090276469A1 (en) * 2008-05-01 2009-11-05 International Business Machines Corporation Method for transactional behavior extaction in distributed applications
US8339959B1 (en) 2008-05-20 2012-12-25 Juniper Networks, Inc. Streamlined packet forwarding using dynamic filters for routing and security in a shared forwarding plane
US8122503B2 (en) * 2008-05-31 2012-02-21 Hewlett-Packard Development Company, L.P. Methods and systems for managing a potential security threat to a network
US20100042912A1 (en) * 2008-06-12 2010-02-18 Eva Whitaker Reminder and notification system for a parent
US8312540B1 (en) * 2008-06-13 2012-11-13 Juniper Networks, Inc. System for slowing password attacks
WO2010008479A2 (en) 2008-06-25 2010-01-21 Versify Solutions, Llc Aggregator, monitor, and manager of distributed demand response
US8689335B2 (en) * 2008-06-25 2014-04-01 Microsoft Corporation Mapping between users and machines in an enterprise security assessment sharing system
US8711747B2 (en) 2008-07-07 2014-04-29 Apple Inc. Power saving methods for wireless systems
US20110087761A1 (en) * 2008-07-07 2011-04-14 Mo-Han Fong Power saving schemes for wireless systems
US8745268B2 (en) * 2008-08-18 2014-06-03 Schneider Electric USA, Inc. In-line security device
US9098698B2 (en) 2008-09-12 2015-08-04 George Mason Research Foundation, Inc. Methods and apparatus for application isolation
US8955107B2 (en) * 2008-09-12 2015-02-10 Juniper Networks, Inc. Hierarchical application of security services within a computer network
US8301759B2 (en) * 2008-10-24 2012-10-30 Microsoft Corporation Monitoring agent programs in a distributed computing platform
IL194943A0 (en) * 2008-10-27 2009-09-22 Human Interface Security Ltd Verification of data transmitted by computer
US8990573B2 (en) * 2008-11-10 2015-03-24 Citrix Systems, Inc. System and method for using variable security tag location in network communications
US9084937B2 (en) 2008-11-18 2015-07-21 Gtech Canada Ulc Faults and performance issue prediction
US8028196B2 (en) * 2008-11-18 2011-09-27 Gtech Corporation Predictive diagnostics and fault management
US8578491B2 (en) * 2008-12-11 2013-11-05 Alcatel Lucent Network based malware detection and reporting
US7996713B2 (en) * 2008-12-15 2011-08-09 Juniper Networks, Inc. Server-to-server integrity checking
US8019860B2 (en) * 2008-12-22 2011-09-13 Sap Ag Service accounting method and apparatus for composite service
US8737398B2 (en) * 2008-12-31 2014-05-27 Schneider Electric USA, Inc. Communication module with network isolation and communication filter
US8935773B2 (en) 2009-04-09 2015-01-13 George Mason Research Foundation, Inc. Malware detector
US9305189B2 (en) 2009-04-14 2016-04-05 Owl Computing Technologies, Inc. Ruggedized, compact and integrated one-way controlled interface to enforce confidentiality of a secure enclave
US20100269162A1 (en) 2009-04-15 2010-10-21 Jose Bravo Website authentication
FR2944886B1 (en) * 2009-04-22 2011-07-15 Thales Sa INTEGRATED SUPERVISION AND COMMAND SYSTEM
US8914878B2 (en) 2009-04-29 2014-12-16 Juniper Networks, Inc. Detecting malicious network software agents
US8504636B2 (en) * 2009-05-08 2013-08-06 Raytheon Company Monitoring communications using a unified communications protocol
EP2252006A1 (en) * 2009-05-15 2010-11-17 Panda Security S.L. System and method for obtaining a classification of an identifier
US9298583B2 (en) * 2009-06-04 2016-03-29 International Business Machines Corporation Network traffic based power consumption estimation of information technology systems
US8694905B2 (en) * 2009-06-10 2014-04-08 International Business Machines Corporation Model-driven display of metric annotations on a resource/relationship graph
US8863253B2 (en) 2009-06-22 2014-10-14 Beyondtrust Software, Inc. Systems and methods for automatic discovery of systems and accounts
US20100325687A1 (en) * 2009-06-22 2010-12-23 Iverson Gyle T Systems and Methods for Custom Device Automatic Password Management
US9160545B2 (en) * 2009-06-22 2015-10-13 Beyondtrust Software, Inc. Systems and methods for A2A and A2DB security using program authentication factors
US8839422B2 (en) 2009-06-30 2014-09-16 George Mason Research Foundation, Inc. Virtual browsing environment
US20110004589A1 (en) * 2009-07-06 2011-01-06 Rockwell Automation Technologies, Inc. Diagnostics in a distributed directory system
US11797997B2 (en) 2009-07-07 2023-10-24 Visa International Service Association Data verification in transactions in distributed network
US8752142B2 (en) * 2009-07-17 2014-06-10 American Express Travel Related Services Company, Inc. Systems, methods, and computer program products for adapting the security measures of a communication network based on feedback
US8788652B2 (en) * 2009-07-27 2014-07-22 Ixia Real world network testing combining lower layer network tests, application layer tests and interdependent interactions
CN102474532B (en) 2009-08-13 2014-08-06 国际商业机器公司 Automatic address range detection for IP networks
US8311987B2 (en) * 2009-08-17 2012-11-13 Sap Ag Data staging system and method
US9425976B2 (en) * 2009-08-19 2016-08-23 Hewlett Packard Enterprise Development Lp Reporting operational information of a network device
US20110047406A1 (en) * 2009-08-24 2011-02-24 General Devices Systems and methods for sending, receiving and managing electronic messages
US8789173B2 (en) * 2009-09-03 2014-07-22 Juniper Networks, Inc. Protecting against distributed network flood attacks
GB2474545B (en) * 2009-09-24 2015-06-24 Fisher Rosemount Systems Inc Integrated unified threat management for a process control system
US8335989B2 (en) * 2009-10-26 2012-12-18 Nokia Corporation Method and apparatus for presenting polymorphic notes in a graphical user interface
US20110106738A1 (en) * 2009-10-29 2011-05-05 Marianna Cheklin System and method for managing implementations
CN101714990B (en) * 2009-10-30 2013-06-05 清华大学 Network security safeguarding integrated system and control method thereof
US8369345B1 (en) 2009-11-13 2013-02-05 Juniper Networks, Inc. Multi-router system having shared network interfaces
US8302189B2 (en) * 2009-11-30 2012-10-30 At&T Intellectual Property I, L.P. Methods, devices, systems, and computer program products for edge driven communications network security monitoring
US8683609B2 (en) * 2009-12-04 2014-03-25 International Business Machines Corporation Mobile phone and IP address correlation service
US9756076B2 (en) * 2009-12-17 2017-09-05 American Express Travel Related Services Company, Inc. Dynamically reacting policies and protections for securing mobile financial transactions
US8621636B2 (en) 2009-12-17 2013-12-31 American Express Travel Related Services Company, Inc. Systems, methods, and computer program products for collecting and reporting sensor data in a communication network
US8650129B2 (en) 2010-01-20 2014-02-11 American Express Travel Related Services Company, Inc. Dynamically reacting policies and protections for securing mobile financial transaction data in transit
US8793789B2 (en) 2010-07-22 2014-07-29 Bank Of America Corporation Insider threat correlation tool
US8782209B2 (en) 2010-01-26 2014-07-15 Bank Of America Corporation Insider threat correlation tool
US9038187B2 (en) * 2010-01-26 2015-05-19 Bank Of America Corporation Insider threat correlation tool
US8800034B2 (en) * 2010-01-26 2014-08-05 Bank Of America Corporation Insider threat correlation tool
US8544100B2 (en) 2010-04-16 2013-09-24 Bank Of America Corporation Detecting secure or encrypted tunneling in a computer network
US8782794B2 (en) 2010-04-16 2014-07-15 Bank Of America Corporation Detecting secure or encrypted tunneling in a computer network
US20110258302A1 (en) * 2010-04-20 2011-10-20 No Limits Software, LLC System And Method For Remotely Determining Identification And Physical Location Of Equipment In A Rack
CN101848241B (en) * 2010-05-06 2012-12-19 安徽省电力公司合肥供电公司 Ies500 automatic real-time data and information system
AU2011252966B2 (en) 2010-05-14 2014-10-23 Joy Global Surface Mining Inc Cycle decomposition analysis for remote machine monitoring
US8489525B2 (en) 2010-05-20 2013-07-16 International Business Machines Corporation Automatic model evolution
US8533319B2 (en) 2010-06-02 2013-09-10 Lockheed Martin Corporation Methods and systems for prioritizing network assets
CN102281164A (en) * 2010-06-08 2011-12-14 腾讯科技(深圳)有限公司 Method, equipment and system for monitoring data
US8924296B2 (en) 2010-06-22 2014-12-30 American Express Travel Related Services Company, Inc. Dynamic pairing system for securing a trusted communication channel
US8850539B2 (en) 2010-06-22 2014-09-30 American Express Travel Related Services Company, Inc. Adaptive policies and protections for securing financial transaction data at rest
US10360625B2 (en) 2010-06-22 2019-07-23 American Express Travel Related Services Company, Inc. Dynamically adaptive policy management for securing mobile financial transactions
US8498982B1 (en) 2010-07-07 2013-07-30 Openlogic, Inc. Noise reduction for content matching analysis results for protectable content
WO2012012266A2 (en) 2010-07-19 2012-01-26 Owl Computing Technologies. Inc. Secure acknowledgment device for one-way data transfer system
JP5669507B2 (en) * 2010-10-05 2015-02-12 キヤノン株式会社 Management apparatus, management apparatus control method, and computer program
US8683591B2 (en) 2010-11-18 2014-03-25 Nant Holdings Ip, Llc Vector-based anomaly detection
US8788654B2 (en) * 2010-12-07 2014-07-22 Cisco Technology, Inc. System and method for allocating resources based on events in a network environment
US8826437B2 (en) 2010-12-14 2014-09-02 General Electric Company Intelligent system and method for mitigating cyber attacks in critical systems through controlling latency of messages in a communications network
TWI447574B (en) 2010-12-27 2014-08-01 Ibm Method,computer readable medium, appliance,and system for recording and prevevting crash in an appliance
US8499348B1 (en) * 2010-12-28 2013-07-30 Amazon Technologies, Inc. Detection of and responses to network attacks
US8935743B2 (en) 2011-01-27 2015-01-13 Sap Se Web service security cockpit
US8800031B2 (en) 2011-02-03 2014-08-05 International Business Machines Corporation Controlling access to sensitive data based on changes in information classification
US9058029B2 (en) * 2011-03-31 2015-06-16 Brad Radl System and method for creating a graphical control programming environment
US20120260251A1 (en) 2011-04-05 2012-10-11 International Business Machines Corporation Prevention of event flooding
US8838988B2 (en) 2011-04-12 2014-09-16 International Business Machines Corporation Verification of transactional integrity
US20120272314A1 (en) * 2011-04-21 2012-10-25 Cybyl Technologies, Inc. Data collection system
EP2518969A1 (en) * 2011-04-27 2012-10-31 Siemens Aktiengesellschaft Method for operating an automation device
US9237127B2 (en) * 2011-05-12 2016-01-12 Airmagnet, Inc. Method and apparatus for dynamic host operating system firewall configuration
US9927788B2 (en) 2011-05-19 2018-03-27 Fisher-Rosemount Systems, Inc. Software lockout coordination between a process control system and an asset management system
WO2012167066A2 (en) 2011-06-01 2012-12-06 Wilmington Savings Fund Society, Fsb Method and system for providing information from third party applications to devices
US10229280B2 (en) * 2011-06-14 2019-03-12 International Business Machines Corporation System and method to protect a resource using an active avatar
US9065744B2 (en) * 2011-06-20 2015-06-23 Netscout Systems, Inc. Performance optimized and configurable state based heuristic for the classification of real-time transport protocol traffic
WO2012174603A1 (en) * 2011-06-24 2012-12-27 Honeywell International Inc. Systems and methods for presenting dvm system information
US8547975B2 (en) 2011-06-28 2013-10-01 Verisign, Inc. Parallel processing for multiple instance real-time monitoring
US8526470B2 (en) 2011-07-05 2013-09-03 Ixia Synchronized commands for network testing
US8943177B1 (en) * 2011-07-13 2015-01-27 Google Inc. Modifying a computer program configuration based on variable-bin histograms
US8533219B2 (en) * 2011-09-02 2013-09-10 Bbs Technologies, Inc. Adjusting one or more trace filters in a database system
US9298917B2 (en) * 2011-09-27 2016-03-29 Redwall Technologies, Llc Enhanced security SCADA systems and methods
US20130086680A1 (en) * 2011-09-30 2013-04-04 General Electric Company System and method for communication in a network
EP2575065A1 (en) * 2011-09-30 2013-04-03 General Electric Company Remote health monitoring system
US8856936B2 (en) 2011-10-14 2014-10-07 Albeado Inc. Pervasive, domain and situational-aware, adaptive, automated, and coordinated analysis and control of enterprise-wide computers, networks, and applications for mitigation of business and operational risks and enhancement of cyber security
US8839089B2 (en) * 2011-11-01 2014-09-16 Microsoft Corporation Multi-dimensional data manipulation and presentation
WO2013082437A1 (en) 2011-12-02 2013-06-06 Invincia, Inc. Methods and apparatus for control and detection of malicious content using a sandbox environment
US9356839B2 (en) * 2011-12-09 2016-05-31 Riverbed Technology, Inc. Policy aggregation for computing network health
US8707100B2 (en) 2011-12-13 2014-04-22 Ixia Testing a network using randomly distributed commands
US9741003B2 (en) 2011-12-19 2017-08-22 Microsoft Technology Licensing, Llc Method and system for providing centralized notifications to an administrator
CN102495619B (en) * 2011-12-29 2013-08-28 深圳市再丰达科技有限公司 Parking lot management system
US9251535B1 (en) 2012-01-05 2016-02-02 Juniper Networks, Inc. Offload of data transfer statistics from a mobile access gateway
CL2013000281A1 (en) 2012-01-30 2014-08-18 Harnischfeger Tech Inc Monitoring methods of a mining machine that includes determining if the machine is operating in a first state, detecting a transition from the first state to a second operating state, generating messages that indicate parameters of machine operation in both states; mining machine monitor for the control of mining machines; a procedure for monitoring a mining drill; mining machine monitor for the monitoring of a mine drilling drill
EP2836910B1 (en) * 2012-04-13 2020-02-19 Nokia Solutions and Networks Oy Monitoring suspicious events in a cellular network
US8966321B2 (en) 2012-05-09 2015-02-24 Ixia Logical port and layer protocol test configuration resource manager
US8843953B1 (en) * 2012-06-24 2014-09-23 Time Warner Cable Enterprises Llc Methods and apparatus for providing parental or guardian control and visualization over communications to various devices in the home
US8917826B2 (en) 2012-07-31 2014-12-23 International Business Machines Corporation Detecting man-in-the-middle attacks in electronic transactions using prompts
US9392003B2 (en) 2012-08-23 2016-07-12 Raytheon Foreground Security, Inc. Internet security cyber threat reporting system and method
US9258321B2 (en) 2012-08-23 2016-02-09 Raytheon Foreground Security, Inc. Automated internet threat detection and mitigation system and associated methods
US9635037B2 (en) 2012-09-06 2017-04-25 Waterfall Security Solutions Ltd. Remote control of secure installations
US9047181B2 (en) 2012-09-07 2015-06-02 Splunk Inc. Visualization of data from clusters
US9594814B2 (en) 2012-09-07 2017-03-14 Splunk Inc. Advanced field extractor with modification of an extracted field
US20140208217A1 (en) 2013-01-22 2014-07-24 Splunk Inc. Interface for managing splittable timestamps across event records
US10394946B2 (en) 2012-09-07 2019-08-27 Splunk Inc. Refining extraction rules based on selected text within events
US8682906B1 (en) * 2013-01-23 2014-03-25 Splunk Inc. Real time display of data field values based on manual editing of regular expressions
US8751963B1 (en) 2013-01-23 2014-06-10 Splunk Inc. Real time indication of previously extracted data fields for regular expressions
US9753909B2 (en) 2012-09-07 2017-09-05 Splunk, Inc. Advanced field extractor with multiple positive examples
US11477068B2 (en) 2012-09-27 2022-10-18 Kaseya Limited Data network notification bar user interface
US10025686B2 (en) * 2012-10-30 2018-07-17 Intel Corporation Generating and communicating platform event digests from a processor of a system
US9189644B2 (en) 2012-12-20 2015-11-17 Bank Of America Corporation Access requests at IAM system implementing IAM data model
US9529629B2 (en) * 2012-12-20 2016-12-27 Bank Of America Corporation Computing resource inventory system
US9177139B2 (en) * 2012-12-30 2015-11-03 Honeywell International Inc. Control system cyber security
US10078317B2 (en) 2013-01-08 2018-09-18 Secure-Nok As Method, device and computer program for monitoring an industrial control system
US9152929B2 (en) * 2013-01-23 2015-10-06 Splunk Inc. Real time display of statistics and values for selected regular expressions
US9245147B1 (en) * 2013-01-30 2016-01-26 White Badger Group, LLC State machine reference monitor for information system security
US10635817B2 (en) 2013-01-31 2020-04-28 Micro Focus Llc Targeted security alerts
CN103971056B (en) * 2013-01-31 2016-05-11 腾讯科技(深圳)有限公司 A kind ofly prevent the unloaded method and apparatus of application program in operating system
US9275348B2 (en) 2013-01-31 2016-03-01 Hewlett Packard Enterprise Development Lp Identifying participants for collaboration in a threat exchange community
US9143517B2 (en) 2013-01-31 2015-09-22 Hewlett-Packard Development Company, L.P. Threat exchange information protection
US9729505B2 (en) 2013-01-31 2017-08-08 Entit Software Llc Security threat analysis
US9456001B2 (en) 2013-01-31 2016-09-27 Hewlett Packard Enterprise Development Lp Attack notification
US9118603B2 (en) * 2013-03-08 2015-08-25 Edward Blake MILLER System and method for managing attempted access of objectionable content and/or tampering with a content filtering device
US9596245B2 (en) * 2013-04-04 2017-03-14 Owl Computing Technologies, Inc. Secure one-way interface for a network device
US9419975B2 (en) 2013-04-22 2016-08-16 Waterfall Security Solutions Ltd. Bi-directional communication over a one-way link
US10318541B2 (en) 2013-04-30 2019-06-11 Splunk Inc. Correlating log data with performance measurements having a specified relationship to a threshold value
US10997191B2 (en) 2013-04-30 2021-05-04 Splunk Inc. Query-triggered processing of performance data and log data from an information technology environment
US10614132B2 (en) 2013-04-30 2020-04-07 Splunk Inc. GUI-triggered processing of performance data and log data from an information technology environment
US10346357B2 (en) 2013-04-30 2019-07-09 Splunk Inc. Processing of performance data and structure data from an information technology environment
US10353957B2 (en) 2013-04-30 2019-07-16 Splunk Inc. Processing of performance data and raw log data from an information technology environment
US10019496B2 (en) 2013-04-30 2018-07-10 Splunk Inc. Processing of performance data and log data from an information technology environment by using diverse data stores
US10225136B2 (en) 2013-04-30 2019-03-05 Splunk Inc. Processing of log data and performance data obtained via an application programming interface (API)
US10031647B2 (en) 2013-05-14 2018-07-24 Google Llc System for universal remote media control in a multi-user, multi-platform, multi-device environment
US9331894B2 (en) * 2013-05-31 2016-05-03 International Business Machines Corporation Information exchange in data center systems
US20140359694A1 (en) * 2013-06-03 2014-12-04 eSentire, Inc. System and method for computer system security
US9122853B2 (en) 2013-06-24 2015-09-01 A10 Networks, Inc. Location determination for user authentication
US10574548B2 (en) * 2013-07-31 2020-02-25 Splunk Inc. Key indicators view
US20150061858A1 (en) * 2013-08-28 2015-03-05 Unisys Corporation Alert filter for defining rules for processing received alerts
US20150067762A1 (en) * 2013-09-03 2015-03-05 Samsung Electronics Co., Ltd. Method and system for configuring smart home gateway firewall
US9680794B2 (en) 2013-09-04 2017-06-13 Owl Computing Technologies, Llc Secure one-way interface for archestra data transfer
CN103439911B (en) * 2013-09-11 2016-05-04 北京四方继保自动化股份有限公司 A kind of industrial control system method for managing security of various dimensions
CN103501345B (en) * 2013-10-12 2016-11-09 成都阜特科技股份有限公司 A kind of control method of remote centralized control system
US9246935B2 (en) 2013-10-14 2016-01-26 Intuit Inc. Method and system for dynamic and comprehensive vulnerability management
US9148869B2 (en) 2013-10-15 2015-09-29 The Toronto-Dominion Bank Location-based account activity alerts
US8667589B1 (en) * 2013-10-27 2014-03-04 Konstantin Saprygin Protection against unauthorized access to automated system for control of technological processes
US8779919B1 (en) 2013-11-03 2014-07-15 Instant Care, Inc. Event communication apparatus and method
US10719812B2 (en) * 2013-11-04 2020-07-21 Koninklijke Philips N.V. Method of notifying a user on a task of an apparatus
US8989053B1 (en) 2013-11-29 2015-03-24 Fedex Corporate Services, Inc. Association management in a wireless node network
US11165770B1 (en) 2013-12-06 2021-11-02 A10 Networks, Inc. Biometric verification of a human internet user
WO2015089116A1 (en) 2013-12-11 2015-06-18 Honeywell International Inc. Building automation control systems
US9794278B1 (en) * 2013-12-19 2017-10-17 Symantec Corporation Network-based whitelisting approach for critical systems
US9501345B1 (en) 2013-12-23 2016-11-22 Intuit Inc. Method and system for creating enriched log data
US10225347B2 (en) * 2013-12-24 2019-03-05 Verizon Patent And Licensing Inc. Message controlled appliances
US9323926B2 (en) 2013-12-30 2016-04-26 Intuit Inc. Method and system for intrusion and extrusion detection
US9742624B2 (en) * 2014-01-21 2017-08-22 Oracle International Corporation Logging incident manager
US9311810B2 (en) 2014-01-23 2016-04-12 General Electric Company Implementing standardized behaviors in a hosting device
DE102014201592A1 (en) * 2014-01-29 2015-07-30 Siemens Aktiengesellschaft Methods and apparatus for detecting autonomous, self-propagating software
US9325726B2 (en) 2014-02-03 2016-04-26 Intuit Inc. Method and system for virtual asset assisted extrusion and intrusion detection in a cloud computing environment
US20150304343A1 (en) 2014-04-18 2015-10-22 Intuit Inc. Method and system for providing self-monitoring, self-reporting, and self-repairing virtual assets in a cloud computing environment
EP2908195B1 (en) * 2014-02-13 2017-07-05 Siemens Aktiengesellschaft Method for monitoring security in an automation network, and automation network
US9866581B2 (en) 2014-06-30 2018-01-09 Intuit Inc. Method and system for secure delivery of information to computing environments
US10757133B2 (en) 2014-02-21 2020-08-25 Intuit Inc. Method and system for creating and deploying virtual assets
US11405410B2 (en) * 2014-02-24 2022-08-02 Cyphort Inc. System and method for detecting lateral movement and data exfiltration
US9276945B2 (en) 2014-04-07 2016-03-01 Intuit Inc. Method and system for providing security aware applications
JP6252254B2 (en) * 2014-02-28 2017-12-27 富士通株式会社 Monitoring program, monitoring method and monitoring apparatus
WO2015134572A1 (en) * 2014-03-06 2015-09-11 Foreground Security Internet security cyber threat reporting
US9245117B2 (en) 2014-03-31 2016-01-26 Intuit Inc. Method and system for comparing different versions of a cloud based application in a production environment using segregated backend systems
US11294700B2 (en) 2014-04-18 2022-04-05 Intuit Inc. Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets
US9374389B2 (en) 2014-04-25 2016-06-21 Intuit Inc. Method and system for ensuring an application conforms with security and regulatory controls prior to deployment
US9900322B2 (en) 2014-04-30 2018-02-20 Intuit Inc. Method and system for providing permissions management
US9235982B2 (en) * 2014-05-06 2016-01-12 International Business Machines Corporation Determining alert criteria in a network environment
US9330263B2 (en) 2014-05-27 2016-05-03 Intuit Inc. Method and apparatus for automating the building of threat models for the public cloud
US9634951B1 (en) * 2014-06-12 2017-04-25 Tripwire, Inc. Autonomous agent messaging
US10313257B1 (en) 2014-06-12 2019-06-04 Tripwire, Inc. Agent message delivery fairness
US10182046B1 (en) * 2015-06-23 2019-01-15 Amazon Technologies, Inc. Detecting a network crawler
US9575987B2 (en) 2014-06-23 2017-02-21 Owl Computing Technologies, Inc. System and method for providing assured database updates via a one-way data link
US9917759B2 (en) * 2014-07-21 2018-03-13 Ca, Inc. Incident-based adaptive monitoring of information in a distributed computing environment
US9473481B2 (en) 2014-07-31 2016-10-18 Intuit Inc. Method and system for providing a virtual asset perimeter
US10102082B2 (en) 2014-07-31 2018-10-16 Intuit Inc. Method and system for providing automated self-healing virtual assets
US20160092045A1 (en) 2014-09-30 2016-03-31 Splunk, Inc. Event View Selector
US11231840B1 (en) 2014-10-05 2022-01-25 Splunk Inc. Statistics chart row mode drill down
US20160098463A1 (en) 2014-10-05 2016-04-07 Splunk Inc. Event Segment Search Drill Down
IL235175A (en) 2014-10-19 2017-08-31 Frenkel Lior Secure remote desktop
US9489517B2 (en) * 2014-10-21 2016-11-08 Fujitsu Limited Determining an attack surface of software
US9960975B1 (en) * 2014-11-05 2018-05-01 Amazon Technologies, Inc. Analyzing distributed datasets
DE102014226398A1 (en) * 2014-12-18 2016-06-23 Siemens Aktiengesellschaft Method and device for the feedback-free acquisition of data
US11023449B2 (en) * 2014-12-19 2021-06-01 EMC IP Holding Company LLC Method and system to search logs that contain a massive number of entries
US10021137B2 (en) 2014-12-27 2018-07-10 Mcafee, Llc Real-time mobile security posture
WO2017078986A1 (en) 2014-12-29 2017-05-11 Cyence Inc. Diversity analysis with actionable feedback methodologies
US10341376B2 (en) 2014-12-29 2019-07-02 Guidewire Software, Inc. Diversity analysis with actionable feedback methodologies
US11855768B2 (en) 2014-12-29 2023-12-26 Guidewire Software, Inc. Disaster scenario based inferential analysis using feedback for extracting and combining cyber risk information
US11863590B2 (en) 2014-12-29 2024-01-02 Guidewire Software, Inc. Inferential analysis using feedback for extracting and combining cyber risk information
US9699209B2 (en) 2014-12-29 2017-07-04 Cyence Inc. Cyber vulnerability scan analyses with actionable feedback
US10050990B2 (en) 2014-12-29 2018-08-14 Guidewire Software, Inc. Disaster scenario based inferential analysis using feedback for extracting and combining cyber risk information
US10050989B2 (en) 2014-12-29 2018-08-14 Guidewire Software, Inc. Inferential analysis using feedback for extracting and combining cyber risk information including proxy connection analyses
US11817993B2 (en) 2015-01-27 2023-11-14 Dell Products L.P. System for decomposing events and unstructured data
US11362881B2 (en) * 2015-01-27 2022-06-14 Moogsoft Inc. Distributed system for self updating agents and provides security
US11924018B2 (en) 2015-01-27 2024-03-05 Dell Products L.P. System for decomposing events and unstructured data
US9977803B2 (en) 2015-01-30 2018-05-22 Splunk Inc. Column-based table manipulation of event data
US9922084B2 (en) 2015-01-30 2018-03-20 Splunk Inc. Events sets in a visually distinct display format
US10013454B2 (en) 2015-01-30 2018-07-03 Splunk Inc. Text-based table manipulation of event data
US11615073B2 (en) 2015-01-30 2023-03-28 Splunk Inc. Supplementing events displayed in a table format
US10061824B2 (en) 2015-01-30 2018-08-28 Splunk Inc. Cell-based table manipulation of event data
US11544248B2 (en) 2015-01-30 2023-01-03 Splunk Inc. Selective query loading across query interfaces
US10915583B2 (en) 2015-01-30 2021-02-09 Splunk Inc. Suggested field extraction
US9916346B2 (en) 2015-01-30 2018-03-13 Splunk Inc. Interactive command entry list
US9842160B2 (en) 2015-01-30 2017-12-12 Splunk, Inc. Defining fields from particular occurences of field labels in events
US9922082B2 (en) 2015-01-30 2018-03-20 Splunk Inc. Enforcing dependency between pipelines
US10726037B2 (en) 2015-01-30 2020-07-28 Splunk Inc. Automatic field extraction from filed values
US11442924B2 (en) 2015-01-30 2022-09-13 Splunk Inc. Selective filtered summary graph
EP3065076A1 (en) * 2015-03-04 2016-09-07 Secure-Nok AS System and method for responding to a cyber-attack-related incident against an industrial control system
US10404748B2 (en) 2015-03-31 2019-09-03 Guidewire Software, Inc. Cyber risk analysis and remediation using network monitored sensors and methods of use
US9350750B1 (en) * 2015-04-03 2016-05-24 Area 1 Security, Inc. Distribution of security rules among sensor computers
US10261489B2 (en) 2015-04-15 2019-04-16 Indegy Ltd. Detection of mis-configuration and hostile attacks in industrial control networks using active querying
US9917753B2 (en) * 2015-06-12 2018-03-13 Level 3 Communications, Llc Network operational flaw detection using metrics
US10290022B1 (en) 2015-06-23 2019-05-14 Amazon Technologies, Inc. Targeting content based on user characteristics
US10275320B2 (en) * 2015-06-26 2019-04-30 Commvault Systems, Inc. Incrementally accumulating in-process performance data and hierarchical reporting thereof for a data stream in a secondary copy operation
US9923758B2 (en) * 2015-06-30 2018-03-20 Ca, Inc. Alert damage index
US10057133B2 (en) * 2015-07-08 2018-08-21 Fedex Corporate Services, Inc. Systems, apparatus, and methods of enhanced monitoring for an event candidate associated with cycling power of an ID node within a wireless node network
EP3281114A4 (en) * 2015-07-16 2018-03-14 Canfield, Raymond Cyber security system and method using intelligent agents
US10419452B2 (en) 2015-07-28 2019-09-17 Sap Se Contextual monitoring and tracking of SSH sessions
US10015178B2 (en) * 2015-07-28 2018-07-03 Sap Se Real-time contextual monitoring intrusion detection and prevention
US10158657B1 (en) * 2015-08-06 2018-12-18 Microsoft Technology Licensing Llc Rating IP addresses based on interactions between users and an online service
US9641544B1 (en) 2015-09-18 2017-05-02 Palo Alto Networks, Inc. Automated insider threat prevention
US20170093887A1 (en) * 2015-09-24 2017-03-30 General Electric Company Network command evaluation and response system
US10326789B1 (en) * 2015-09-25 2019-06-18 Amazon Technologies, Inc. Web Bot detection and human differentiation
DK3151152T3 (en) * 2015-09-30 2020-06-15 Secure Nok Tech As Non-intrusive software agent for monitoring and detection of cyber security events and cyber-attacks in an industrial control system
US10375026B2 (en) * 2015-10-28 2019-08-06 Shape Security, Inc. Web transaction status tracking
US11991154B2 (en) * 2015-10-28 2024-05-21 Qomplx Llc System and method for fingerprint-based network mapping of cyber-physical assets
US10324956B1 (en) 2015-11-11 2019-06-18 Microsoft Technology Licensing, Llc Automatically mapping organizations to addresses
US10955810B2 (en) * 2015-11-13 2021-03-23 International Business Machines Corporation Monitoring communications flow in an industrial system to detect and mitigate hazardous conditions
US9894036B2 (en) * 2015-11-17 2018-02-13 Cyber Adapt, Inc. Cyber threat attenuation using multi-source threat data analysis
EP3171567B1 (en) * 2015-11-23 2018-10-24 Alcatel Lucent Advanced persistent threat detection
IL242808A0 (en) * 2015-11-26 2016-04-21 Rafael Advanced Defense Sys System and method for detecting a cyber-attack at scada/ics managed plants
US9929970B1 (en) 2015-12-03 2018-03-27 Innovium, Inc. Efficient resource tracking
US10366129B2 (en) 2015-12-04 2019-07-30 Bank Of America Corporation Data security threat control monitoring system
US10218589B1 (en) * 2015-12-17 2019-02-26 Innovium, Inc. Efficient resource status reporting apparatuses
CN105607954B (en) * 2015-12-21 2019-05-14 华南师范大学 A kind of method and apparatus that stateful container migrates online
US10154046B2 (en) 2015-12-28 2018-12-11 Schneider Electric USA, Inc. System and method for evaluation and response to cyber security exposure in an embedded control device
IL250010B (en) 2016-02-14 2020-04-30 Waterfall Security Solutions Ltd Secure connection with protected facilities
US10432429B1 (en) 2016-02-16 2019-10-01 Innovium, Inc. Efficient traffic management
US10027699B2 (en) * 2016-03-10 2018-07-17 Siemens Aktiengesellschaft Production process knowledge-based intrusion detection for industrial control systems
US10039113B2 (en) 2016-03-28 2018-07-31 Bank Of America Corporation Intelligent resource procurement system based on physical proximity to related resources
US10135817B2 (en) 2016-03-28 2018-11-20 Bank Of America Corporation Enhancing authentication and source of proof through a dynamically updatable biometrics database
US10080132B2 (en) 2016-03-28 2018-09-18 Bank Of America Corporation System for adaptation of multiple digital signatures in a distributed network
US9743272B1 (en) 2016-03-28 2017-08-22 Bank Of America Corporation Security implementation for resource distribution
US11108793B2 (en) * 2016-04-29 2021-08-31 Vmware, Inc. Preemptive alerts in a connected environment
US10038607B2 (en) 2016-06-17 2018-07-31 Bank Of America Corporation System for aggregated machine-initiated resource distribution
US10796253B2 (en) 2016-06-17 2020-10-06 Bank Of America Corporation System for resource use allocation and distribution
US10103936B2 (en) 2016-06-21 2018-10-16 Bank Of America Corporation Computerized resource reallocation system for transferring resource blocks based on custodian event
US10334462B2 (en) * 2016-06-23 2019-06-25 Bank Of America Corporation Predictive analytics for resource development based on information communicated from inter-related communication devices
US10439913B2 (en) 2016-07-01 2019-10-08 Bank Of America Corporation Dynamic replacement and upgrade of existing resources based on resource utilization
JP6786960B2 (en) 2016-08-26 2020-11-18 富士通株式会社 Cyber attack analysis support program, cyber attack analysis support method and cyber attack analysis support device
JP6690469B2 (en) * 2016-08-26 2020-04-28 富士通株式会社 Control program, control method, and information processing apparatus
US10242187B1 (en) * 2016-09-14 2019-03-26 Symantec Corporation Systems and methods for providing integrated security management
US10685279B2 (en) 2016-09-26 2020-06-16 Splunk Inc. Automatically generating field extraction recommendations
US10909140B2 (en) 2016-09-26 2021-02-02 Splunk Inc. Clustering events based on extraction rules
US10127400B2 (en) 2016-09-26 2018-11-13 Bank Of America Corporation Control device for aggregation and distribution of machine-initiated resource distribution
US10467632B1 (en) 2016-12-13 2019-11-05 Massachusetts Mutual Life Insurance Company Systems and methods for a multi-tiered fraud alert review
US10771483B2 (en) * 2016-12-30 2020-09-08 British Telecommunications Public Limited Company Identifying an attacked computing device
US10572658B2 (en) * 2017-01-23 2020-02-25 Paypal, Inc. Identifying computer behavior using visual data organization and graphs
EP3373181A1 (en) * 2017-03-09 2018-09-12 Siemens Aktiengesellschaft Method and computers to control protection measures against cyber criminal threats
US10230690B2 (en) * 2017-03-23 2019-03-12 International Business Machines Corporation Digital media content distribution blocking
US10440037B2 (en) * 2017-03-31 2019-10-08 Mcafee, Llc Identifying malware-suspect end points through entropy changes in consolidated logs
US10826925B2 (en) * 2017-04-28 2020-11-03 Honeywell International Inc. Consolidated enterprise view of cybersecurity data from multiple sites
US10977361B2 (en) 2017-05-16 2021-04-13 Beyondtrust Software, Inc. Systems and methods for controlling privileged operations
RU2651196C1 (en) 2017-06-16 2018-04-18 Акционерное общество "Лаборатория Касперского" Method of the anomalous events detecting by the event digest popularity
US10560487B2 (en) 2017-07-26 2020-02-11 International Business Machines Corporation Intrusion detection and mitigation in data processing
US10855656B2 (en) 2017-09-15 2020-12-01 Palo Alto Networks, Inc. Fine-grained firewall policy enforcement using session app ID and endpoint process ID correlation
US10931637B2 (en) 2017-09-15 2021-02-23 Palo Alto Networks, Inc. Outbound/inbound lateral traffic punting based on process risk
WO2019060326A1 (en) * 2017-09-20 2019-03-28 University Of Utah Research Foundation Parsing system event logs while streaming
EP3480672B1 (en) * 2017-11-06 2020-02-19 Siemens Aktiengesellschaft Method for identifying and indicating operator access to process objects and operator system
SE1751567A1 (en) * 2017-12-18 2019-06-19 Komatsu Forest Ab Work machine and method for monitoring a control system at a work machine
EP3525054A1 (en) * 2018-02-07 2019-08-14 Siemens Aktiengesellschaft An intrusion detection system for detection of intrusions in an automated infrastructure
US11463457B2 (en) * 2018-02-20 2022-10-04 Darktrace Holdings Limited Artificial intelligence (AI) based cyber threat analyst to support a cyber security appliance
EP4312420A3 (en) * 2018-02-20 2024-04-03 Darktrace Holdings Limited A method for sharing cybersecurity threat analysis and defensive measures amongst a community
US10554518B1 (en) 2018-03-02 2020-02-04 Uptake Technologies, Inc. Computer system and method for evaluating health of nodes in a manufacturing network
US10169135B1 (en) * 2018-03-02 2019-01-01 Uptake Technologies, Inc. Computer system and method of detecting manufacturing network anomalies
JP7163593B2 (en) * 2018-03-09 2022-11-01 富士通株式会社 Fraud monitoring program, fraud monitoring method, and information processing device
US11247706B2 (en) * 2018-04-09 2022-02-15 Cervello Ltd Methods systems devices circuits and functionally related machine executable instructions for transportation management network cybersecurity
US10999304B2 (en) 2018-04-11 2021-05-04 Palo Alto Networks (Israel Analytics) Ltd. Bind shell attack detection
US11122064B2 (en) * 2018-04-23 2021-09-14 Micro Focus Llc Unauthorized authentication event detection
WO2020006562A1 (en) * 2018-06-29 2020-01-02 Rocus Group, Llc Integrated security and threat prevention and detection device
US10602099B2 (en) * 2018-07-10 2020-03-24 Saudi Arabian Oil Company Cogen-mom integration using tabulated information recognition
US10986117B1 (en) * 2018-08-07 2021-04-20 Ca, Inc. Systems and methods for providing an integrated cyber threat defense exchange platform
US10740134B2 (en) 2018-08-20 2020-08-11 Interwise Ltd. Agentless personal network firewall in virtualized datacenters
US11212322B2 (en) * 2018-10-10 2021-12-28 Rockwelll Automation Technologies, Inc. Automated discovery of security policy from design data
US11025657B2 (en) * 2018-12-13 2021-06-01 Imperva, Inc. Selective database logging with smart sampling
US20200192572A1 (en) 2018-12-14 2020-06-18 Commvault Systems, Inc. Disk usage growth prediction system
US11184376B2 (en) 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Port scan detection using destination profiles
US11184377B2 (en) 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Malicious port scan detection using source profiles
US11184378B2 (en) 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Scanner probe detection
EP3924946A4 (en) * 2019-02-15 2023-11-01 AVEVA Software, LLC Process mapping and monitoring using artificial intelligence
US10949322B2 (en) * 2019-04-08 2021-03-16 Hewlett Packard Enterprise Development Lp Collecting performance metrics of a device
US11528149B2 (en) 2019-04-26 2022-12-13 Beyondtrust Software, Inc. Root-level application selective configuration
US11927946B2 (en) 2019-05-09 2024-03-12 Dürr Systems Ag Analysis method and devices for same
US11928628B2 (en) 2019-05-09 2024-03-12 Dürr Systems Ag Method for checking workpieces, checking facility and treatment facility
DE112020002303A5 (en) * 2019-05-09 2022-03-03 Dürr Systems Ag Analysis methods and devices for this
EP3987420A4 (en) 2019-06-21 2023-10-25 Cyemptive Technologies, Inc. Method to prevent root level access attack and measurable sla security and compliance platform
CN110543452B (en) * 2019-08-07 2022-07-05 浙江大华技术股份有限公司 Data acquisition method and equipment
EP4062427A4 (en) * 2019-11-20 2023-05-24 University of Tennessee Research Foundation Methods of detecting anomalous operation of industrial systems and respective control systems, and related systems and articles of manufacture
CN115004637B (en) * 2020-01-22 2024-03-08 西门子工业公司 Real-time and independent network attack monitoring and automatic network attack response system
US12086261B2 (en) * 2020-03-13 2024-09-10 International Business Machines Corporation Displaying cyber threat data in a narrative-like format
US20210294713A1 (en) * 2020-03-20 2021-09-23 5thColumn LLC Generation of an identification evaluation regarding a system aspect of a system
US11140553B1 (en) * 2020-05-21 2021-10-05 Motorola Solutions, Inc. Threat detection and mitigation for remote wireless communication network control systems
US11449407B2 (en) 2020-05-28 2022-09-20 Bank Of America Corporation System and method for monitoring computing platform parameters and dynamically generating and deploying monitoring packages
US10958523B1 (en) 2020-07-28 2021-03-23 Bank Of America Corporation Consistent deployment of monitoring configurations on multiple computing systems
US11188437B1 (en) 2020-07-30 2021-11-30 Bank Of America Corporation Remote deployment of monitoring agents on computing systems
US11341830B2 (en) 2020-08-06 2022-05-24 Saudi Arabian Oil Company Infrastructure construction digital integrated twin (ICDIT)
US11529277B2 (en) 2020-09-10 2022-12-20 Mammen Thomas Patient puller
US11509680B2 (en) * 2020-09-30 2022-11-22 Palo Alto Networks (Israel Analytics) Ltd. Classification of cyber-alerts into security incidents
US11461166B2 (en) 2020-11-10 2022-10-04 Sap Se Intelligent integration error handling in enterprise systems
CN112887267A (en) * 2021-01-05 2021-06-01 天津七所精密机电技术有限公司 Network isolation system with message authentication function and method thereof
US11687053B2 (en) 2021-03-08 2023-06-27 Saudi Arabian Oil Company Intelligent safety motor control center (ISMCC)
CN112994990B (en) * 2021-05-20 2021-07-30 蚂蚁金服(杭州)网络技术有限公司 Loop detection method and device, electronic equipment and storage medium
FR3123527A1 (en) * 2021-05-28 2022-12-02 Orange Network monitoring method, associated device and system
CN113344554A (en) * 2021-08-06 2021-09-03 捷尔杰(天津)设备有限公司 Digital solution method and system for auditing hierarchical process of factory
CN113472821A (en) * 2021-09-06 2021-10-01 成都卡莱博尔信息技术股份有限公司 Data acquisition and management integrated method, system, device and storage medium
CA3130972C (en) 2021-09-16 2024-04-09 Cameron Mackenzie Clark Wearable device that provides spaced retrieval alerts to assist the wearer to remember desired information
US12039017B2 (en) 2021-10-20 2024-07-16 Palo Alto Networks (Israel Analytics) Ltd. User entity normalization and association
US12113794B2 (en) 2021-11-17 2024-10-08 Saudi Arabian Oil Company System and method for controlling login access to computer resource assets
US11936621B2 (en) * 2021-11-19 2024-03-19 The Bank Of New York Mellon Firewall drift monitoring and detection
US11777823B1 (en) 2021-11-24 2023-10-03 Amazon Technologies, Inc. Metric anomaly detection across high-scale data
CN114301712B (en) * 2021-12-31 2023-04-07 西安交通大学 Industrial internet alarm log correlation analysis method and system based on graph method
US11799880B2 (en) 2022-01-10 2023-10-24 Palo Alto Networks (Israel Analytics) Ltd. Network adaptive alert prioritization system
US12024985B2 (en) 2022-03-24 2024-07-02 Saudi Arabian Oil Company Selective inflow control device, system, and method
US11880266B2 (en) 2022-05-04 2024-01-23 Target Brands, Inc. Malfunction monitor for computing devices
CN116149226B (en) * 2023-02-22 2023-11-10 山东中安电力科技有限公司 Switch cabinet remote control system based on data analysis
CN116722941B (en) * 2023-08-10 2023-10-20 南方电网数字电网研究院有限公司 Interactive verification method and device based on alarm information and secondary network data

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6279113B1 (en) * 1998-03-16 2001-08-21 Internet Tools, Inc. Dynamic signature inspection-based network intrusion detection
US6304975B1 (en) * 1996-10-07 2001-10-16 Peter M. Shipley Intelligent network security device and method
US20010044840A1 (en) * 1999-12-13 2001-11-22 Live Networking, Inc. Method and system for real-tme monitoring and administration of computer networks
US6367034B1 (en) * 1998-09-21 2002-04-02 Microsoft Corporation Using query language for event filtering and aggregation
US6377955B1 (en) * 1999-03-30 2002-04-23 Cisco Technology, Inc. Method and apparatus for generating user-specified reports from radius information
US6550012B1 (en) * 1998-12-11 2003-04-15 Network Associates, Inc. Active firewall system and methodology
US6574666B1 (en) * 1998-10-22 2003-06-03 At&T Corp. System and method for dynamic retrieval loading and deletion of packet rules in a network firewall
US6832332B2 (en) * 2001-06-22 2004-12-14 Honeywell International Inc. Automatic detection and correction of marginal data in polling loop system
US20050183143A1 (en) * 2004-02-13 2005-08-18 Anderholm Eric J. Methods and systems for monitoring user, application or device activity
US20050182969A1 (en) * 2003-06-09 2005-08-18 Andrew Ginter Periodic filesystem integrity checks
US7058710B2 (en) * 2001-02-22 2006-06-06 Koyo Musen Corporation Collecting, analyzing, consolidating, delivering and utilizing data relating to a current event
US7134141B2 (en) * 2000-06-12 2006-11-07 Hewlett-Packard Development Company, L.P. System and method for host and network based intrusion detection and response
US7296070B2 (en) * 2000-12-22 2007-11-13 Tier-3 Pty. Ltd. Integrated monitoring system

Family Cites Families (42)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5144659A (en) * 1989-04-19 1992-09-01 Richard P. Jones Computer file protection system
US5050212A (en) * 1990-06-20 1991-09-17 Apple Computer, Inc. Method and apparatus for verifying the integrity of a file stored separately from a computer
US5475844A (en) * 1992-11-27 1995-12-12 Nec Corporation Heavily loaded resource evaluation system
JP2541460B2 (en) * 1993-07-30 1996-10-09 日本電気株式会社 User status broadcasting with transmission restrictions
US5619656A (en) * 1994-05-05 1997-04-08 Openservice, Inc. System for uninterruptively displaying only relevant and non-redundant alert message of the highest severity for specific condition associated with group of computers being managed
US5608865A (en) * 1995-03-14 1997-03-04 Network Integrity, Inc. Stand-in Computer file server providing fast recovery from computer file server failures
US6181981B1 (en) * 1996-05-15 2001-01-30 Marconi Communications Limited Apparatus and method for improved vending machine inventory maintenance
US6374305B1 (en) * 1997-07-21 2002-04-16 Oracle Corporation Web applications interface system in a mobile-based client-server system
US6914893B2 (en) * 1998-06-22 2005-07-05 Statsignal Ipc, Llc System and method for monitoring and controlling remote devices
US6615091B1 (en) * 1998-06-26 2003-09-02 Eveready Battery Company, Inc. Control system and method therefor
US6560611B1 (en) * 1998-10-13 2003-05-06 Netarx, Inc. Method, apparatus, and article of manufacture for a network monitoring system
US6361034B1 (en) * 1999-03-03 2002-03-26 Kurt Manufacturing Company, Inc. Magnetic insert in jaw plate for holding vise parallels
US6405318B1 (en) * 1999-03-12 2002-06-11 Psionic Software, Inc. Intrusion detection system
US6438374B1 (en) * 1999-05-26 2002-08-20 Lucent Technologies Inc. Dynamic multi-step overload control for message processing in wireless communication service network
US6944774B2 (en) * 1999-06-18 2005-09-13 Zoom Telephonics, Inc. Data flow control unit
US6714977B1 (en) * 1999-10-27 2004-03-30 Netbotz, Inc. Method and system for monitoring computer networks and equipment
AT412196B (en) * 2000-03-17 2004-11-25 Keba Ag METHOD FOR ASSIGNING A MOBILE OPERATING AND / OR OBSERVATION DEVICE TO A MACHINE AND OPERATING AND / OR OBSERVATION DEVICE THEREFOR
US6519703B1 (en) * 2000-04-14 2003-02-11 James B. Joyce Methods and apparatus for heuristic firewall
US6971018B1 (en) * 2000-04-28 2005-11-29 Microsoft Corporation File protection service for a computer system
US20020032871A1 (en) * 2000-09-08 2002-03-14 The Regents Of The University Of Michigan Method and system for detecting, tracking and blocking denial of service attacks over a computer network
US20020066034A1 (en) * 2000-10-24 2002-05-30 Schlossberg Barry J. Distributed network security deception system
US20020065898A1 (en) * 2000-11-27 2002-05-30 Daniel Leontiev Remote Internet control of instruments
US20020078382A1 (en) * 2000-11-29 2002-06-20 Ali Sheikh Scalable system for monitoring network system and components and methodology therefore
US6973336B2 (en) * 2000-12-20 2005-12-06 Nokia Corp Method and apparatus for providing a notification of received message
US7284267B1 (en) * 2001-03-08 2007-10-16 Mcafee, Inc. Automatically configuring a computer firewall based on network connection
US7747764B2 (en) * 2001-04-20 2010-06-29 Rockwell Automation Technologies, Inc. Web access for non-TCP/IP control devices of an industrial control system
US6609083B2 (en) * 2001-06-01 2003-08-19 Hewlett-Packard Development Company, L.P. Adaptive performance data measurement and collections
US6912533B1 (en) * 2001-07-31 2005-06-28 Oracle International Corporation Data mining agents for efficient hardware utilization
US20030097557A1 (en) * 2001-10-31 2003-05-22 Tarquini Richard Paul Method, node and computer readable medium for performing multiple signature matching in an intrusion prevention system
US6973590B1 (en) * 2001-11-14 2005-12-06 Unisys Corporation Terminating a child process without risk of data corruption to a shared resource for subsequent processes
US7325248B2 (en) * 2001-11-19 2008-01-29 Stonesoft Corporation Personal firewall with location dependent functionality
US20030163608A1 (en) * 2002-02-21 2003-08-28 Ashutosh Tiwary Instrumentation and workload recording for a system for performance testing of N-tiered computer systems using recording and playback of workloads
US6880051B2 (en) * 2002-03-14 2005-04-12 International Business Machines Corporation Method, system, and program for maintaining backup copies of files in a backup storage device
US7484097B2 (en) * 2002-04-04 2009-01-27 Symantec Corporation Method and system for communicating data to and from network security devices
US7373666B2 (en) * 2002-07-01 2008-05-13 Microsoft Corporation Distributed threat management
US7376969B1 (en) * 2002-12-02 2008-05-20 Arcsight, Inc. Real time monitoring and analysis of events from multiple network security devices
US7043505B1 (en) * 2003-01-28 2006-05-09 Unisys Corporation Method variation for collecting stability data from proprietary systems
US8024795B2 (en) * 2003-05-09 2011-09-20 Q1 Labs, Inc. Network intelligence system
US20070050777A1 (en) * 2003-06-09 2007-03-01 Hutchinson Thomas W Duration of alerts and scanning of large data stores
US7346751B2 (en) * 2004-04-30 2008-03-18 Commvault Systems, Inc. Systems and methods for generating a storage-related metric
US7380171B2 (en) * 2004-12-06 2008-05-27 Microsoft Corporation Controlling software failure data reporting and responses
US7395187B2 (en) * 2006-02-06 2008-07-01 International Business Machines Corporation System and method for recording behavior history for abnormality detection

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6304975B1 (en) * 1996-10-07 2001-10-16 Peter M. Shipley Intelligent network security device and method
US6279113B1 (en) * 1998-03-16 2001-08-21 Internet Tools, Inc. Dynamic signature inspection-based network intrusion detection
US6367034B1 (en) * 1998-09-21 2002-04-02 Microsoft Corporation Using query language for event filtering and aggregation
US6574666B1 (en) * 1998-10-22 2003-06-03 At&T Corp. System and method for dynamic retrieval loading and deletion of packet rules in a network firewall
US6550012B1 (en) * 1998-12-11 2003-04-15 Network Associates, Inc. Active firewall system and methodology
US6377955B1 (en) * 1999-03-30 2002-04-23 Cisco Technology, Inc. Method and apparatus for generating user-specified reports from radius information
US20010044840A1 (en) * 1999-12-13 2001-11-22 Live Networking, Inc. Method and system for real-tme monitoring and administration of computer networks
US7134141B2 (en) * 2000-06-12 2006-11-07 Hewlett-Packard Development Company, L.P. System and method for host and network based intrusion detection and response
US7296070B2 (en) * 2000-12-22 2007-11-13 Tier-3 Pty. Ltd. Integrated monitoring system
US7058710B2 (en) * 2001-02-22 2006-06-06 Koyo Musen Corporation Collecting, analyzing, consolidating, delivering and utilizing data relating to a current event
US6832332B2 (en) * 2001-06-22 2004-12-14 Honeywell International Inc. Automatic detection and correction of marginal data in polling loop system
US20050182969A1 (en) * 2003-06-09 2005-08-18 Andrew Ginter Periodic filesystem integrity checks
US20050183143A1 (en) * 2004-02-13 2005-08-18 Anderholm Eric J. Methods and systems for monitoring user, application or device activity

Cited By (77)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050182969A1 (en) * 2003-06-09 2005-08-18 Andrew Ginter Periodic filesystem integrity checks
US20090276843A1 (en) * 2004-06-08 2009-11-05 Rajesh Patel Security event data normalization
US20060021021A1 (en) * 2004-06-08 2006-01-26 Rajesh Patel Security event data normalization
US9060024B2 (en) * 2004-06-08 2015-06-16 Log Storm Security, Inc. Security event data normalization
US20080048860A1 (en) * 2005-06-23 2008-02-28 International Business Machines Corporation Monitoring multiple channels of data from real time process to detect recent abnormal behavior
US7792660B2 (en) * 2005-06-23 2010-09-07 International Business Machines Corporation Monitoring multiple channels of data from real time process to detect recent abnormal behavior
US20080256217A1 (en) * 2007-04-11 2008-10-16 Lg Electronics Inc. Mobile communication device having web alarm function and operating method of the mobile communication device
US8239922B2 (en) * 2007-08-27 2012-08-07 Honeywell International Inc. Remote HVAC control with user privilege setup
US20090057424A1 (en) * 2007-08-27 2009-03-05 Honeywell International Inc. Remote hvac control with user privilege setup
US8296414B1 (en) * 2007-09-28 2012-10-23 Emc Corporation Techniques for automated application discovery
US20090204702A1 (en) * 2008-02-08 2009-08-13 Autiq As System and method for network management using self-discovering thin agents
WO2009128905A1 (en) 2008-04-17 2009-10-22 Siemens Energy, Inc. Method and system for cyber security management of industrial control systems
US8595831B2 (en) 2008-04-17 2013-11-26 Siemens Industry, Inc. Method and system for cyber security management of industrial control systems
US20110039237A1 (en) * 2008-04-17 2011-02-17 Skare Paul M Method and system for cyber security management of industrial control systems
US8713177B2 (en) * 2008-05-30 2014-04-29 Red Hat, Inc. Remote management of networked systems using secure modular platform
US20110096849A1 (en) * 2008-07-02 2011-04-28 Stefan Kubsch Optimized selection of transmission protocol respecting thresholds
US8649304B2 (en) * 2008-07-02 2014-02-11 Thomson Licensing Optimized selection of transmission protocol respecting thresholds
US9100297B2 (en) 2008-08-20 2015-08-04 Red Hat, Inc. Registering new machines in a software provisioning environment
US20100088197A1 (en) * 2008-10-02 2010-04-08 Dehaan Michael Paul Systems and methods for generating remote system inventory capable of differential update reports
US20100131625A1 (en) * 2008-11-26 2010-05-27 Dehaan Michael Paul Systems and methods for remote network management having multi-node awareness
US8775574B2 (en) * 2008-11-26 2014-07-08 Red Hat, Inc. Remote network management having multi-node awareness
US8782204B2 (en) 2008-11-28 2014-07-15 Red Hat, Inc. Monitoring hardware resources in a software provisioning environment
US8719392B2 (en) 2009-02-27 2014-05-06 Red Hat, Inc. Searching a managed network for setting and configuration data
US20100223473A1 (en) * 2009-02-27 2010-09-02 Dehaan Michael Paul Systems and methods for network management using secure mesh command and control framework
US9558195B2 (en) 2009-02-27 2017-01-31 Red Hat, Inc. Depopulation of user data from network
US20100223375A1 (en) * 2009-02-27 2010-09-02 Dehaan Michael Paul Systems and methods for searching a managed network for setting and configuration data
US9313105B2 (en) 2009-02-27 2016-04-12 Red Hat, Inc. Network management using secure mesh command and control framework
US8868907B2 (en) 2009-03-18 2014-10-21 University Of Louisville Research Foundation, Inc. Device, method, and system for processing communications for secure operation of industrial control system field devices
US8402267B1 (en) 2009-03-18 2013-03-19 University Of Louisville Research Foundation, Inc. Security enhanced network device and method for secure operation of same
US8566459B2 (en) 2009-05-29 2013-10-22 Red Hat, Inc. Systems and methods for integrated console management interface
US9280399B2 (en) 2009-05-29 2016-03-08 Red Hat, Inc. Detecting, monitoring, and configuring services in a netwowk
US10203946B2 (en) 2009-05-29 2019-02-12 Red Hat, Inc. Retiring target machines by a provisioning server
US20100306347A1 (en) * 2009-05-29 2010-12-02 Dehaan Michael Paul Systems and methods for detecting, monitoring, and configuring services in a network
US20100306334A1 (en) * 2009-05-29 2010-12-02 Dehaan Michael P Systems and methods for integrated console management interface
US8463885B2 (en) 2009-08-31 2013-06-11 Red Hat, Inc. Systems and methods for generating management agent installations
US20110055361A1 (en) * 2009-08-31 2011-03-03 Dehaan Michael Paul Systems and methods for generating management agent installations
US8166341B2 (en) 2009-08-31 2012-04-24 Red Hat, Inc. Systems and methods for testing results of configuration management activity
US20110055636A1 (en) * 2009-08-31 2011-03-03 Dehaan Michael Paul Systems and methods for testing results of configuration management activity
US8607093B2 (en) 2009-08-31 2013-12-10 Red Hat, Inc. Systems and methods for detecting machine faults in network using acoustic monitoring
US8914787B2 (en) 2009-08-31 2014-12-16 Red Hat, Inc. Registering software management component types in a managed network
US20110055669A1 (en) * 2009-08-31 2011-03-03 Dehaan Michael Paul Systems and methods for detecting machine faults in network using acoustic monitoring
US20110055810A1 (en) * 2009-08-31 2011-03-03 Dehaan Michael Paul Systems and methods for registering software management component types in a managed network
US9967169B2 (en) 2009-09-30 2018-05-08 Red Hat, Inc. Detecting network conditions based on correlation between trend lines
US20110078301A1 (en) * 2009-09-30 2011-03-31 Dehaan Michael Paul Systems and methods for detecting network conditions based on correlation between trend lines
US8719782B2 (en) 2009-10-29 2014-05-06 Red Hat, Inc. Integrated package development and machine configuration management
US8832707B2 (en) * 2009-12-21 2014-09-09 International Business Machines Corporation Tunable error resilience computing
US20110154351A1 (en) * 2009-12-21 2011-06-23 International Business Machines Corporation Tunable Error Resilience Computing
US20120054823A1 (en) * 2010-08-24 2012-03-01 Electronics And Telecommunications Research Institute Automated control method and apparatus of ddos attack prevention policy using the status of cpu and memory
US20120079098A1 (en) * 2010-09-29 2012-03-29 International Business Machines Corporation Performance Monitoring of a Computer Resource
US8423638B2 (en) * 2010-09-29 2013-04-16 International Business Machines Corporation Performance monitoring of a computer resource
US8516112B2 (en) * 2010-09-29 2013-08-20 International Business Machines Corporation Performance monitoring of a computer resource
US9524224B2 (en) 2010-10-05 2016-12-20 Red Hat Israel, Ltd. Customized monitoring of system activities
US9256488B2 (en) 2010-10-05 2016-02-09 Red Hat Israel, Ltd. Verification of template integrity of monitoring templates used for customized monitoring of system activities
US9363107B2 (en) 2010-10-05 2016-06-07 Red Hat Israel, Ltd. Accessing and processing monitoring data resulting from customized monitoring of system activities
US9355004B2 (en) * 2010-10-05 2016-05-31 Red Hat Israel, Ltd. Installing monitoring utilities using universal performance monitor
US20120084413A1 (en) * 2010-10-05 2012-04-05 Red Hat Israel, Ltd. Mechanism for Installing Monitoring Utilities Using Universal Performance Monitor
US8806009B2 (en) * 2010-12-30 2014-08-12 Kaspersky Lab, Zao System and method for optimization of security tasks by configuring security modules
US20130219495A1 (en) * 2010-12-30 2013-08-22 Kaspersky Lab, Zao System and method for optimization of security tasks by configuring security modules
US20120173710A1 (en) * 2010-12-31 2012-07-05 Verisign Systems, apparatus, and methods for network data analysis
US8935383B2 (en) * 2010-12-31 2015-01-13 Verisign, Inc. Systems, apparatus, and methods for network data analysis
US20120233694A1 (en) * 2011-03-11 2012-09-13 At&T Intellectual Property I, L.P. Mobile malicious software mitigation
US8695095B2 (en) * 2011-03-11 2014-04-08 At&T Intellectual Property I, L.P. Mobile malicious software mitigation
US9270560B2 (en) 2011-08-29 2016-02-23 Cisco Technology, Inc. Session layer for monitoring utility application traffic
US8688828B2 (en) * 2011-08-29 2014-04-01 Cisco Technology, Inc. Session layer for monitoring utility application traffic
US20130054784A1 (en) * 2011-08-29 2013-02-28 Cisco Technology, Inc. Session Layer for Monitoring Utility Application Traffic
US20140203941A1 (en) * 2011-09-29 2014-07-24 Tokyo Electron Limited Substrate processing apparatus, alarm management method of substrate processing apparatus, and storage medium
US9224283B2 (en) * 2011-09-29 2015-12-29 Tokyo Electron Limited Substrate processing apparatus, alarm management method of substrate processing apparatus, and storage medium
US20130086635A1 (en) * 2011-09-30 2013-04-04 General Electric Company System and method for communication in a network
US9678492B2 (en) 2012-02-01 2017-06-13 Abb Research Ltd. Dynamic configuration of an industrial control system
US20220038483A1 (en) * 2012-06-26 2022-02-03 Aeris Communications, Inc. Methodology for intelligent pattern detection and anomaly detection in machine to machine communication network
US20140108319A1 (en) * 2012-10-12 2014-04-17 Bruno KLAUSER Autonomic network sentinels
US9450819B2 (en) * 2012-10-12 2016-09-20 Cisco Technology, Inc. Autonomic network sentinels
TWI633771B (en) * 2014-02-23 2018-08-21 英特爾公司 Orchestration and management of services to deployed devices
US10721312B2 (en) 2014-02-23 2020-07-21 Intel Corporation Orchestration and management of services to deployed devices
WO2015126734A1 (en) * 2014-02-23 2015-08-27 Intel Corporation Orchestration and management of services to deployed devices
CN110191017A (en) * 2019-05-28 2019-08-30 上海连尚网络科技有限公司 It is a kind of for monitoring the monitoring system and method for routing device exception
WO2024063761A1 (en) * 2022-09-21 2024-03-28 Rakuten Mobile, Inc. Alarm tracking system and method

Also Published As

Publication number Publication date
EP1636704A2 (en) 2006-03-22
CA2526759A1 (en) 2004-12-23
US7246156B2 (en) 2007-07-17
WO2004111785A2 (en) 2004-12-23
AU2004248605B2 (en) 2009-08-13
US7779119B2 (en) 2010-08-17
AU2004248605A1 (en) 2004-12-23
WO2004111785A3 (en) 2005-12-22
EP1636704A4 (en) 2008-06-11
US20100023598A9 (en) 2010-01-28
CA2526759C (en) 2011-08-16
US20050015624A1 (en) 2005-01-20
US20050182969A1 (en) 2005-08-18
US20070294369A1 (en) 2007-12-20
US20100064039A9 (en) 2010-03-11

Similar Documents

Publication Publication Date Title
US7779119B2 (en) Event monitoring and management
US20090271504A1 (en) Techniques for agent configuration
US20070050777A1 (en) Duration of alerts and scanning of large data stores
US11689556B2 (en) Incorporating software-as-a-service data into a cyber threat defense system
Ozkan-Okay et al. A comprehensive systematic literature review on intrusion detection systems
US11888890B2 (en) Cloud management of connectivity for edge networking devices
US20240054234A1 (en) Methods and systems for hardware and firmware security monitoring
US7007301B2 (en) Computer architecture for an intrusion detection system
US7134141B2 (en) System and method for host and network based intrusion detection and response
US8640234B2 (en) Method and apparatus for predictive and actual intrusion detection on a network
EP1894443A2 (en) Duration of alerts and scanning of large data stores
US20060203815A1 (en) Compliance verification and OSI layer 2 connection of device using said compliance verification
US20040117658A1 (en) Security monitoring and intrusion detection system
Patel et al. Autonomic agent-based self-managed intrusion detection and prevention system
Beigh et al. Intrusion Detection and Prevention System: Classification and Quick
GB2381722A (en) intrusion detection (id) system which uses signature and squelch values to prevent bandwidth (flood) attacks on a server
KR20130033161A (en) Intrusion detection system for cloud computing service
Peterson Intrusion detection and cyber security monitoring of SCADA and DCS Networks
Allan Intrusion Detection Systems (IDSs): Perspective
Iudica A monitoring system for embedded devices widely distributed
KR20110070658A (en) Auto recovery apparatus and method for flight data
Kaskar et al. A system for detection of distributed denial of service (DDoS) attacks using KDD cup data set
US20240154981A1 (en) Logging configuration system and method
Ayala et al. Detection of Cyber-Attacks
Wu et al. Integrated vulnerability management system for enterprise networks

Legal Events

Date Code Title Description
AS Assignment

Owner name: VERANO, INC.,MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GINTER, ANDREW;KAWANO, KEGAN;HUTCHINSON, TOM;AND OTHERS;SIGNING DATES FROM 20040427 TO 20040505;REEL/FRAME:020569/0169

Owner name: VERANO, INC., MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GINTER, ANDREW;KAWANO, KEGAN;HUTCHINSON, TOM;AND OTHERS;SIGNING DATES FROM 20040427 TO 20040505;REEL/FRAME:020569/0169

AS Assignment

Owner name: INDUSTRIAL DEFENDER, INC.,MASSACHUSETTS

Free format text: CHANGE OF NAME;ASSIGNOR:VERANO;REEL/FRAME:020603/0832

Effective date: 20070516

Owner name: INDUSTRIAL DEFENDER, INC., MASSACHUSETTS

Free format text: CHANGE OF NAME;ASSIGNOR:VERANO;REEL/FRAME:020603/0832

Effective date: 20070516

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: CITIBANK, N.A., DELAWARE

Free format text: SECURITY INTEREST;ASSIGNORS:VAREC, INC.;REVEAL IMAGING TECHNOLOGIES, INC.;ABACUS INNOVATIONS TECHNOLOGY, INC.;AND OTHERS;REEL/FRAME:039809/0634

Effective date: 20160816

Owner name: CITIBANK, N.A., DELAWARE

Free format text: SECURITY INTEREST;ASSIGNORS:VAREC, INC.;REVEAL IMAGING TECHNOLOGIES, INC.;ABACUS INNOVATIONS TECHNOLOGY, INC.;AND OTHERS;REEL/FRAME:039809/0603

Effective date: 20160816

AS Assignment

Owner name: LOCKHEED MARTIN INDUSTRIAL DEFENDER, INC., MASSACH

Free format text: CHANGE OF NAME;ASSIGNOR:INDUSTRIAL DEFENDER, INC.;REEL/FRAME:039981/0357

Effective date: 20140602

Owner name: LEIDOS CYBER, INC., MASSACHUSETTS

Free format text: CHANGE OF NAME;ASSIGNOR:LOCKHEED MARTIN INDUSTRIAL DEFENDER, INC.;REEL/FRAME:039981/0376

Effective date: 20160816

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552)

Year of fee payment: 8

AS Assignment

Owner name: LEIDOS CYBER INC., MASSACHUSETTS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A.;REEL/FRAME:048386/0001

Effective date: 20190220

Owner name: LEIDOS CYBER, INC., MASSACHUSETTS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CITIBANK, N.A.;REEL/FRAME:048385/0921

Effective date: 20190220

AS Assignment

Owner name: CAPGEMINI AMERICA, INC., NEW YORK

Free format text: MERGER;ASSIGNORS:CAPGEMINI CYBER, INC.;CAPGEMINI AMERICA, INC.;REEL/FRAME:051152/0403

Effective date: 20190401

Owner name: CAPGEMINI CYBER, INC., MASSACHUSETTS

Free format text: CHANGE OF NAME;ASSIGNOR:LEIDOS CYBER, INC.;REEL/FRAME:051156/0889

Effective date: 20190226

AS Assignment

Owner name: IDEFENDER, LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CAPGEMINI AMERICA, INC.;REEL/FRAME:051572/0339

Effective date: 20191231

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12