WO2001091350A2 - System and method for performing remote security management of client computer systems - Google Patents


Info

Publication number: WO2001091350A2 (also published as WO2001091350A3)
Application number: PCT/KR2000/001090
Authority: WO (WIPO, PCT)
Other languages: French (fr)
Inventors: Byoung-Il Park, Byoung-Kyu Ahn
Original assignee: Cyberpatrol Co., Ltd.
Related application: AU7689700A
Prior art keywords: security, client, information, event, server

Classifications (CPC)

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L41/40 Arrangements for maintenance, administration or management of data switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H04L41/5064 Customer relationship management (under H04L41/50, network service management, e.g. ensuring proper service fulfilment according to agreements)
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/20 Managing network security; network security policies in general

Definitions

  • the present invention relates to a computer security management system. Specifically, the invention relates to a system for real-time, integrated monitoring of the security problems of a plurality of client computer systems and for immediate, adaptive response to those problems.
  • the security management system solves the security problems of the client systems by adaptively utilizing the remote control service and the dispatch service of the security personnel.
  • the security management system may receive, store and analyze the security state information transmitted from the client servers, and may provide the clients with the information and advice with respect to their security states.
  • the security management system first attempts to solve the problem by means of remote control employing various security solutions.
  • if the problem cannot be solved by remote control, the security management system of the present invention automatically initiates a dispatch service of the security personnel.
  • the security management system comprises an integrated console receiving and monitoring security state information from the client servers in a consolidated manner and generating an alarm when the security state information includes a pre-defined security event indicating a security problem of a client system; a management console including a plurality of security consoles receiving the security state information from the client systems and solving the security problem detected by the integrated console by remote controlling the client system using the plurality of security consoles; a CTI server receiving the security event from said integrated console and determining the grade of the security event with reference to an event grade database, and reading client information associated with the security event from a client information database; and a GIS server receiving the security event, the event grade and the client information from said CTI server, and selecting a patrol car to be dispatched to the client using the client information received from said CTI server and pre-stored geographic information and patrol information.
  • FIG. 1 is a block diagram showing the overall structure of the security management system according to a preferred embodiment of the invention
  • Fig. 2 is a block diagram illustrating the operation of the integrated console and the management console at the security control center in response to an occurrence of a security problem at a client server;
  • Fig. 3 is a flowchart illustrating an example of a combined operation of the security control center and the patrol service system
  • Fig. 4 is a flowchart illustrating the process of managing an undefined security event by means of log analysis;
  • Fig. 5A is a flowchart illustrating the security management process responding to an intrusion attempt by associating the intrusion detection server and the firewall;
  • Fig. 5B is a flowchart illustrating the security management process responding to the detection of a virus introduced from the outside;
  • Fig. 5C is a flowchart illustrating the security management process responding to the risk factors detected through the vulnerability analysis
  • Fig. 6 is a flowchart illustrating the process of managing the patrol car location information required for patrol service
  • Fig. 7A is a flowchart illustrating the process of storing security information logs and preparing a log analysis report
  • Fig. 7B is a flowchart illustrating the process of providing a security information log analysis report on the web site.
  • the security control center 10 comprises an integrated console 100, a management console 200, a CTI server 300, a GIS server 400, a web server 500, a log storage 900, a multi- cube 1000 and a back-up means 1100.
  • the security control center 10 receives the client security information from a plurality of client servers.
  • Client servers 800 include various security solutions such as a firewall 810, an intrusion detection server 820, an anti-virus server 830 and a mail server 840 (see Figs. 2A and 2B) .
  • the client servers are connected to the integrated console 100 and the management console 200 at the security control center 10 via virtual private network (VPN) .
  • the integrated console 100 and the management console 200 receive messages including client's security state information from the client servers.
  • the messages are SNMP (Simple Network Management Protocol) trap messages.
  • the SNMP trap includes, for example, a security event code, an IP address, a timestamp (i.e., a code indicating the time when the security event occurred) .
  • the integrated console 100 monitors the security state information provided by various security tools and solutions of the client servers in a real-time and integrated manner.
  • the integrated console 100 of the present invention includes a trap-D 110 and an event manager 120.
  • when the integrated console detects security information indicating a certain type of security problem at the client server, it generates an alarm and reports the security problem to a CTI (Computer Telephony Integration) server 300.
  • the management console 200 is a console for separately managing specific security solutions and equipment at the client servers.
  • the management console 200 is used to solve security problems that occur at the client servers by means of remote control.
  • the management console also receives the logs of each security solution of the clients and stores them in a log storage 900.
  • the CTI server 300 includes a client information database, a CTI information database, an event grade database and a problem treatment history database.
  • the CTI server 300 determines the grade of each security event received from the integrated console 100 with reference to the event grade database, and instructs the patrol service personnel to solve the problem when the security event has a grade requiring a dispatch service.
  • the CTI server also provides the security event, event grade and the client information to a GIS (Geographic Information System) server 400 including a GIS database 410 and a GPS (Global Positioning System) 420, which are used to find the locations of the client with a security problem and available patrol cars.
  • the GIS server 400 includes databases storing the geographic information and the patrol information, and it provides the CTI server 300 with the information of the available patrol cars.
  • connected to the GIS server is a multi-cube 1000, a large-scale monitor showing general status information, including the locations of the clients and the availability of patrol cars, using the GIS and GPS technologies.
  • a Mobile Data Terminal (MDT) 620 carried by the patrol personnel 610 or mounted at the patrol car 600 receives the client information and the job instruction from the CTI server 300 through the GIS server 400 and sends an acknowledgement message to the CTI server 300 through the GIS server 400.
  • the MDT 620 is also connected to the GIS and/or the GPS in the GIS server 400 to update the patrol information thereto and download necessary information therefrom.
  • the log storage 900 is a device for storing the logs received by the management console 200 from the client servers.
  • the logs are stored in the log storage 900 for the analysis of the security states of the client servers on a daily, weekly or monthly basis.
  • the logs of the client server stored in the log storage are also stored in an off-line backup server 1100 for a predetermined period of time.
  • the log analysis result is provided to a web server 500 so that the client may retrieve the log analysis result stored in the log storage 900.
  • an OTP (One Time Password) server 700 is connected to authenticate a client that accesses the web server 500.
  • the log analysis result and the consulting information stored in the log storage may be provided to the clients in the form of a printed report.
  • the client server 800 is connected to the integrated console 100 and to the management console 200 via a virtual private network (VPN) for security purposes.
  • the integrated console and the management console receive the security state information from the client server 800 in the form of SNMP trap messages.
  • the management console also receives the logs of each security solution of the client servers.
  • the client server 800 may include various security-related servers (solutions), such as a firewall 810, an intrusion detection server 820, an anti-virus server 830, and a mail server 840.
  • the firewall 810 is a security server managing the network security of the client. In the present embodiment, the firewall is remote controlled by the firewall management console 210 of the management console 200.
  • the intrusion detection server 820 is a security server detecting and responding to an unauthorized intrusion into the client's network, and it is remote controlled by the intrusion management console 220 of the management console 200.
  • the anti-virus server 830 is a security server checking the virus introduced from the outside by e-mails and other types of communications, and it is remote controlled by the anti-virus management console 230 of the management console 200.
  • the integrated console 100 includes a trap-D 110, a daemon capturing the SNMP trap messages regarding the client security states, and an event manager 120 filtering the SNMP trap messages to separate the client's security state information from them.
  • the trap-D 110 of the integrated console receives messages representing any abnormal security states (security events) occurring at the client servers.
  • the event manager 120 extracts and filters the security events from the received messages, and generates an alarm when an event corresponds to a predetermined type of security problem.
  • the integrated console performs a function of monitoring any security events of the client servers and generating an alarm when a detected event is a predetermined type of event representing a security problem.
  • the security problem is first handled by the personnel at the security control center by means of the remote control through the management console.
  • the integrated console 100 transmits the security state information (client's IP address, event code, timestamp) to the CTI server 300.
  • the management console 200 includes a firewall management console 210, a server for remotely managing (monitoring and controlling) the client's firewall; an intrusion detection management console 220 for remotely managing the client's intrusion detection server; an anti-virus console 230 for managing the client's anti-virus server; and a vulnerability analysis console 240 for checking and analyzing the vulnerability of the client's security servers.
  • the firewall 810, the intrusion detection server 820 and the anti-virus server 830 of the client server are automatically controlled according to the predetermined security policy (rules) of each client system. These security servers are monitored and remote controlled by the integrated console and the management console of the control center at all times. In particular, the firewall management console 210, the intrusion detection management console 220, the anti-virus management console 230 and the vulnerability analysis console 240 of the management console 200 perform real-time monitoring of the security states of the client servers 24 hours a day, and store the logs of the security states of the client servers in the log storage 900.
  • One of the main functions of the management console of the present invention is to remote control the client security servers to solve the client's security problems, when a security problem is detected and an alarm is generated by the integrated console 100.
  • when the integrated console 100 generates an alarm (step 3020) to notify a security problem of the client server, the security personnel at the control center begin to solve the problem by means of remote control through the management console 200 (step 3030).
  • the security problem may be solved by the security personnel at the control center through the remote control using the firewall management console 210 and the intrusion detection management console 220.
  • the security problems of the client system may be solved by a remote control associating multiple security solutions of the management console 200.
  • the intrusion detection management console 220 of the management console may terminate the intrusion process at the client system, and at the same time the network session from a specific IP may be terminated by means of the firewall management console 210.
  • the management console of the present invention may solve the security problems of the client system through a remote control interconnecting the various security solutions of the management console 200.
  • the remote control operation by the management console will be explained in further detail referring to Figs. 5A to 5C.
  • the security state logs transmitted from the client system to the management console 200 are stored in the log storage 900 for a predetermined time period, and the logs may be analyzed with expert tools to provide a security state analysis report.
  • the process of providing a security analysis report to the client will be explained below referring to Figs 7A and 7B.
  • Figs. 3A and 3B are flowcharts illustrating an embodiment of the combined operation of the control center and the patrol service.
  • the security management system uses remote control method when the security problem may be resolved through a remote control. Otherwise, the security management system adopts active problem prevention and solution measures by directly dispatching security personnel to the clients.
  • a CTI server 300 and a GIS server 400 are provided at the control center 10.
  • the security event is transmitted to the management console 200 and the integrated console 100 in a format of SNMP trap, and the event is captured by the trap- D of the integrated console.
  • the event manager 120 of the integrated console 100 determines if the received security event involves any security problem with reference to the pre-defined event data (step 3010) .
  • when a pre-defined type of event indicating a security problem is detected, the integrated console 100 generates an alarm on a display screen or by any other means (step 3020).
  • the security personnel at the control center first treat the security problem using the remote control functions of the management console 200 (step 3030) and terminate the process if the security problem is completely solved by the remote control service.
  • the integrated console 100 transmits the security state information (the IP address, event code, timestamp, etc.) to the CTI server 300 (step 3040) .
  • upon receiving the security state information (IP address, event code, timestamp) from the integrated console, the CTI server 300 evaluates the risk grade of the event with reference to the event grade database (step 3050). When the CTI server 300 determines that the security event has the grade of a serious security problem requiring dispatch service, the CTI server reads the client information, such as the name and location of the client server corresponding to the IP address, from the client information database. Then, the CTI server sends the event code, event grade and the client information to the GIS server 400 (step 3060) in order to initiate a patrol service.
  • the GIS server 400 retrieves the location of the client from a map database using the client information received from the CTI server. Then, based on the client location, the GIS server retrieves the location and availability information of the patrol cars in the vicinity of the client from the patrol information database, and displays the information on the multi-cube (step 3070). The security personnel at the control center may then select an available patrol car from the GIS server console.
  • in step 3080, the GIS server 400 provides the information of the selected patrol car to the CTI server.
  • the CTI server automatically calls the selected patrol car 600 via any type of communications network such as PSTN or mobile telecommunication network.
  • the security personnel at the control center confirm the availability of the patrol car through the CTI server, and give a job instruction to the patrol personnel (step 3090) .
  • the CTI server updates the patrol information database with respect to the selected patrol car, and the patrol personnel, on receipt of a job instruction, download the basic client information and the job information concerning the specific client problem from the CTI and GIS servers (step 3100).
  • the patrol personnel resolve the client's security problem based on the downloaded information and report the work performed to the control center.
  • the relevant fields of the patrol information database and the problem treatment history database are respectively updated (step 3110) .
  • the security service process is terminated, and the problem treatment history and result stored in the problem treatment history database is reported to the client (step 3120) .
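Steps 3040 to 3120 above, the grading of an event by the CTI server and the selection of a patrol car by the GIS server, as an added example that is not part of the patent. The event grade database, the grade threshold for dispatch, the client locations and the patrol-car positions are all constructed; the patent does not say how the GIS server ranks cars, so nearest great-circle distance to the client is an assumption. The example also covers the case the flowchart leaves open, a dispatch-grade event with no available car, by returning a record the operator must act on rather than silently dropping it.

```python
"""CTI event grading and GIS patrol-car selection (steps 3040 to 3120).

Added example, not the patent's code. Event grades, client records,
patrol-car positions and the dispatch threshold are all constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Event grade database: 1 = log only, 2 = remote control suffices,
# 3 = dispatch required (hypothetical codes and grades).
EVENT_GRADES = {"IDS-001": 2, "IDS-002": 3, "AV-002": 2, "FW-003": 3}
DISPATCH_GRADE = 3

# Client information database: IP -> (name, latitude, longitude). Constructed.
CLIENTS = {
    "192.0.2.10": ("Client A", 37.5665, 126.9780),
    "192.0.2.20": ("Client B", 37.4980, 127.0276),
}


@dataclass
class PatrolCar:
    car_id: str
    lat: float
    lon: float
    available: bool = True


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def select_patrol_car(client_ip, cars):
    """Steps 3070/3080: nearest available car to the client, or None."""
    _, lat, lon = CLIENTS[client_ip]
    candidates = [c for c in cars if c.available]
    if not candidates:
        return None
    return min(candidates, key=lambda c: haversine_km(lat, lon, c.lat, c.lon))


class CtiServer:
    def __init__(self, cars):
        self.cars = cars
        self.history = []  # problem treatment history database

    def process(self, ip, code, timestamp):
        """Grade one event from the integrated console and decide the response."""
        grade = EVENT_GRADES.get(code)
        if grade is None or ip not in CLIENTS:
            return {"action": "undefined"}  # left to log analysis (Fig. 4)
        record = {"ip": ip, "client": CLIENTS[ip][0], "event_code": code,
                  "timestamp": timestamp, "grade": grade, "car": None,
                  "action": "remote_control", "result": None}
        if grade >= DISPATCH_GRADE:
            car = select_patrol_car(ip, self.cars)
            if car is None:
                record["action"] = "dispatch_pending"  # operator must intervene
            else:
                car.available = False  # patrol information database update
                record.update(action="dispatch", car=car.car_id)
        self.history.append(record)
        return record

    def complete(self, car_id, result):
        """Step 3110: patrol reports back; free the car and close the record."""
        for car in self.cars:
            if car.car_id == car_id:
                car.available = True
        for rec in self.history:
            if rec["car"] == car_id and rec["result"] is None:
                rec["result"] = result
                return rec
        return None


if __name__ == "__main__":
    fleet = [PatrolCar("P-01", 37.5700, 126.9800), PatrolCar("P-02", 37.5000, 127.0000)]
    cti = CtiServer(fleet)
    print(cti.process("192.0.2.10", "IDS-002", 973034400))
    print(cti.complete("P-01", "compromised host isolated and rebuilt"))
```

A grade below the dispatch threshold only produces a history record, leaving the remote-control path of step 3030 in charge; an unknown event code is returned as "undefined" so that it follows the log-analysis path rather than being assigned a default grade.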
  • Fig. 4 illustrates the process of controlling pre-defined or undefined security events by means of log management.
  • the security events of client systems are transmitted to the management console and the integrated console in the SNMP trap format, and the events are captured by the trap-D of the integrated console.
  • the event manager 120 of the integrated console determines whether the captured events include any event indicating a security problem with reference to a pre-defined event data.
  • the security event has to be pre-defined. Where an event has not been previously defined, it is separately analyzed and defined by analyzing the logs of the events received by the management console.
  • the client server 800 normally transmits its operation logs to the management console 200 at the control center (step 4000) .
  • the client system determines whether the event is a defined event or not (step 4020) , and transmits the IP address of the server, event code, timestamp to the management console and the integrated console in a form of SNMP trap message (step 4030) .
  • the SNMP trap message is captured by the trap-D 110 of the integrated console, and filtered by the event manager 120 to recognize the type of the event (step 4050) .
  • when the event corresponds to a pre-defined event indicating a security problem, the integrated console generates an alarm to the control center personnel in the form of a pop-up message or a mail (step 4070), and the processes from step 3020 in Fig. 3 onward are conducted.
  • the events to be treated as "abnormal events" by the client server are defined by the client server based on all the security problems that previously happened to the client. However, when a security event that happens at the client server is not a pre-defined event, the event may not be properly controlled by the integrated console or the management console, and may lead to an unexpected security incident.
  • the system separately analyzes the logs of undefined events received by the management console 200, and recognizes the security problem associated with the undefined events (step 4040).
  • the security problem may be resolved by the remote control of the management console or by the dispatch service of the patrol personnel (step 4060) .
  • the event is manually defined as a new event type and it is updated in the client server 800 and the management console and integrated console. Thereafter, such events may be automatically detected and treated by the security management system of the present invention (step 4080) .
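The trap-D and event manager split described for the integrated console, together with the undefined-event path of Fig. 4, as an added example that is not part of the patent. It assumes the trap daemon has already decoded each SNMP trap into (OID, value) varbinds; the enterprise OIDs, event codes, client addresses and VPN peer addresses are hypothetical. Because SNMPv1 and SNMPv2c traps are protected by nothing more than a plaintext community string, the example also refuses a trap whose claimed client IP is not registered to the VPN peer that delivered it, so that a forged trap cannot raise an alarm or start a dispatch.

```python
"""Event manager for SNMP-trap-borne security events.

Added example, not the patent's code. Models the trap-D / event manager
split: the trap daemon hands decoded varbinds to the event manager, which
extracts event code, client IP and timestamp, checks the pre-defined event
table, raises an alarm for known events and queues unknown ones for log
analysis (Fig. 4). The OIDs, event codes and client records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

# Hypothetical enterprise OIDs for the three fields the patent names.
OID_EVENT_CODE = "1.3.6.1.4.1.99999.1.1"
OID_CLIENT_IP = "1.3.6.1.4.1.99999.1.2"
OID_TIMESTAMP = "1.3.6.1.4.1.99999.1.3"

# Pre-defined event data (hypothetical codes and descriptions).
PREDEFINED_EVENTS = {
    "IDS-001": "intrusion attempt reported by intrusion detection server",
    "AV-002": "virus detected in inbound mail",
    "FW-003": "firewall policy violation",
}

# Registered clients: claimed client IP -> (name, VPN peer allowed to send for it).
REGISTERED_CLIENTS = {
    "192.0.2.10": ("Client A", "10.8.0.2"),
    "192.0.2.20": ("Client B", "10.8.0.3"),
}


@dataclass
class Trap:
    sender: str     # VPN peer address the datagram arrived from
    varbinds: dict  # OID -> value, as decoded by trap-D


@dataclass
class Alarm:
    client: str
    ip: str
    code: str
    description: str
    timestamp: datetime


@dataclass
class EventManager:
    known: dict = field(default_factory=lambda: dict(PREDEFINED_EVENTS))
    alarms: list = field(default_factory=list)
    undefined: list = field(default_factory=list)  # handed to log analysis (step 4040)
    rejected: list = field(default_factory=list)

    def handle(self, trap: Trap) -> str:
        """Classify one trap: returns 'alarm', 'undefined' or 'rejected'."""
        try:
            code = str(trap.varbinds[OID_EVENT_CODE])
            ip = str(ipaddress.ip_address(trap.varbinds[OID_CLIENT_IP]))
            ts = datetime.fromtimestamp(int(trap.varbinds[OID_TIMESTAMP]), tz=timezone.utc)
        except (KeyError, ValueError) as exc:
            self.rejected.append((trap, f"malformed trap: {exc}"))
            return "rejected"
        client = REGISTERED_CLIENTS.get(ip)
        if client is None or client[1] != trap.sender:
            # Community-string SNMP has no sender authentication; without this
            # check a forged trap could trigger an alarm or a patrol dispatch.
            self.rejected.append((trap, "client IP not registered for this VPN peer"))
            return "rejected"
        if code not in self.known:
            self.undefined.append((client[0], ip, code, ts))
            return "undefined"
        self.alarms.append(Alarm(client[0], ip, code, self.known[code], ts))
        return "alarm"

    def define_event(self, code: str, description: str) -> None:
        """Step 4080: register a newly analysed event so it is auto-detected next time."""
        self.known[code] = description

    def cti_payload(self, alarm: Alarm) -> dict:
        """Fields the integrated console forwards to the CTI server (step 3040)."""
        return {"ip": alarm.ip, "event_code": alarm.code,
                "timestamp": int(alarm.timestamp.timestamp())}


if __name__ == "__main__":
    em = EventManager()
    good = Trap("10.8.0.2", {OID_EVENT_CODE: "IDS-001", OID_CLIENT_IP: "192.0.2.10",
                             OID_TIMESTAMP: 973034400})
    print(em.handle(good), em.cti_payload(em.alarms[-1]))
    forged = Trap("10.8.0.9", good.varbinds)
    print(em.handle(forged), em.rejected[-1][1])
```

The rejected list is kept rather than discarded: a burst of traps failing the peer check is itself a security event worth an operator's attention.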
  • Figs. 5A to 5C show the flow of the active security control operation according to the present invention.
  • the security control system actively responds to various security problems by interconnecting various security solutions.
  • a security problem detected at the client's intrusion detection server may be resolved by using the intrusion management console 220 of the management console and changing the setting of the client's firewall 810 by the firewall management console 210.
  • the anti-virus management console 230 removes the virus and changes the setting of the client's firewall in connection with the firewall management console 210.
  • the security policy of the client server may be readjusted by means of the security servers of the management console.
  • FIG. 5A is a flowchart illustrating the process of responding to an attack, such as an intrusion attempt or a network service interruption, by interconnecting the intrusion detection server and the firewall.
  • the client intrusion detection server 820 sends the security event information (event code, IP address, timestamp) to the integrated console (step 5120), and the integrated console generates an alarm to the security control center personnel (step 5130) .
  • the management console terminates the intrusion process through the intrusion management console 220 (step 5140).
  • the management console transmits the event information to the firewall management console 210 according to a rule setting (step 5160) , and the firewall management console completely terminates the network session of the intruder (step 5170). Accordingly, the client system may maintain security against an intrusion attempt by the cooperation of the intrusion detection server and the firewall. Meanwhile, the integrated console 100 sends the event information to the CTI server (step 5150) to generate problem treatment history data and to initiate patrol service depending on the grade of the security event (step 5190) .
  • Fig. 5B is a flowchart illustrating the process of responding to the detection of a virus in the client system.
  • the anti-virus server of the client system performs virus check with respect to any mails or information delivered through the firewall (steps 5210 and 5220) .
  • the anti-virus server 830 detects the introduced virus (step 5230), and transmits the event information (event code, IP address, timestamp) to the integrated console and the management console (step 5240).
  • the client anti-virus server removes the detected virus (step 5250) and transmits the event information to the firewall, and the firewall cuts off the particular IP session (step 5260) .
  • the anti-virus management console 230 updates the anti-virus engine (step 5270), and the security-checked e-mails are then sent to the mail server (step 5280).
  • the anti-virus solution according to the present invention may thus actively respond to a virus infection in cooperation with the firewall 810.
  • Fig. 5C is a flowchart illustrating the process of responding to the risk factors detected by the vulnerability analysis console 240 by readjusting the firewall.
  • the control center checks the security vulnerability of the client server periodically or as necessary using the specific tools installed in the vulnerability analysis console (step 5300).
  • the analysis results obtained by the vulnerability analysis console 240 are transmitted to the management console (step 5320).
  • the management console readjusts the client firewall policy (rule) using the firewall management console (step 5330) .
  • the vulnerability analysis information is provided to the client (step 5340) so that it may be used in establishing the future security policy.
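The "rule setting" of step 5160 that lets an intrusion detection event (Fig. 5A), a virus detection (Fig. 5B) or a vulnerability finding (Fig. 5C) change the client firewall, as an added example that is not part of the patent. The rule table, the networks that must never be blocked, the block lifetimes and the cap on active automatic rules are assumptions. The safeguards are what a practitioner adds to such an interconnection: an attacker who can provoke intrusion detection alerts with spoofed source addresses would otherwise be able to make the system block the control center's own VPN peer or the client's servers, or fill the firewall with rules, so automatic blocks are bounded in scope, number and lifetime, and anything outside those bounds is escalated to the operator.

```python
"""Rule-driven interconnection of IDS, anti-virus and vulnerability analysis
with the client firewall (Figs. 5A to 5C).

Added example, not the patent's code. The rule table, never-block networks,
TTLs and active-rule cap are assumptions.
"""
from dataclasses import dataclass, field
import ipaddress

# Addresses an automatic response must never cut off: the control centre's
# VPN range and the client's own server network (constructed).
NEVER_BLOCK = [ipaddress.ip_network("10.8.0.0/24"), ipaddress.ip_network("192.0.2.0/24")]
MAX_ACTIVE_AUTOBLOCKS = 500  # beyond this, escalate instead of adding rules

# Rule setting (step 5160): event type -> (firewall action, TTL in seconds).
RULES = {
    "IDS-INTRUSION": ("deny_src", 3600),      # Fig. 5A, step 5170
    "AV-VIRUS": ("deny_src", 86400),          # Fig. 5B, step 5260
    "VULN-OPEN-PORT": ("close_port", None),   # Fig. 5C, step 5330
}


@dataclass
class DenyRule:
    src: object         # ip_network, or None for any source
    dport: object       # int, or None for any port
    expires_at: object  # epoch seconds, or None for permanent
    origin: str         # event type that created the rule


@dataclass
class Firewall:
    rules: list = field(default_factory=list)

    def expire(self, now):
        self.rules = [r for r in self.rules if r.expires_at is None or r.expires_at > now]

    def allows(self, src_ip, dport, now):
        """Default allow; any matching deny rule wins."""
        self.expire(now)
        addr = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if (r.src is None or addr in r.src) and (r.dport is None or r.dport == dport):
                return False
        return True

    def deny_src(self, src_ip, ttl, now, origin):
        """Cut off every session from src_ip for ttl seconds, within the safeguards."""
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in NEVER_BLOCK):
            return "refused"
        self.expire(now)
        active = [r for r in self.rules if r.src is not None and r.expires_at is not None]
        for r in active:
            if addr in r.src:
                r.expires_at = max(r.expires_at, now + ttl)
                return "extended"
        if len(active) >= MAX_ACTIVE_AUTOBLOCKS:
            return "escalate"
        self.rules.append(DenyRule(ipaddress.ip_network(src_ip), None, now + ttl, origin))
        return "deny_src"

    def close_port(self, dport, origin):
        """Permanently deny a port the vulnerability scan found exposed."""
        if any(r.src is None and r.dport == dport for r in self.rules):
            return "unchanged"
        self.rules.append(DenyRule(None, dport, None, origin))
        return "close_port"


def respond(fw, event, now):
    """Apply the rule setting for one event; returns a treatment-history record."""
    rule = RULES.get(event["type"])
    if rule is None:
        return {"event": event, "action": "manual", "at": now}  # undefined: operator decides
    action, ttl = rule
    if action == "deny_src":
        result = fw.deny_src(event["src_ip"], ttl, now, event["type"])
    else:
        result = fw.close_port(event["dport"], event["type"])
    return {"event": event, "action": result, "at": now}


if __name__ == "__main__":
    fw = Firewall()
    print(respond(fw, {"type": "IDS-INTRUSION", "src_ip": "198.51.100.7"}, now=1000))
    print(respond(fw, {"type": "IDS-INTRUSION", "src_ip": "10.8.0.1"}, now=1000))
    print(respond(fw, {"type": "VULN-OPEN-PORT", "dport": 23}, now=1000))
    print(fw.allows("198.51.100.7", 22, 1000), fw.allows("198.51.100.7", 22, 5000))
```

Each return value of respond is what would be written to the problem treatment history database; "refused" and "escalate" are the cases the flowcharts do not show and are exactly the ones an operator needs to see.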
  • Fig. 6 shows the process of managing the patrol car location information to dispatch service personnel to the client when the security problem is judged as a serious problem requiring a dispatch service.
  • the dispatch service is conducted only for the security problems that may not be resolved by the remote control of the management console.
  • the dispatch service is also used to provide after service or preventive service as to security problems.
  • the patrol service is performed using the CTI (Computer Telephony Integration) server 300, and the GIS server 400 including the GIS 410 and the GPS 420.
  • the system begins to manage the patrol information when security personnel 610 board a patrol car 600, each having an ID (step 6000) .
  • using an MDT 620, the security personnel set the location information transmission period and transmit their personal information (ID) and other related information to the GPS of the control center (step 6010).
  • the information transmitted from the MDT is stored in the patrol information database, and continuously managed during the patrol service.
  • the patrol security personnel receive a job instruction from the control center via a telecommunication network such as mobile telephone (steps 6020, 6030). Departing for the client, the patrol personnel send the updated patrol information and the location information using the MDT (step 6030). The patrol personnel also request the basic information, such as the client information and the description of the problem, from the GIS by MDT (step 6040), and the GIS downloads the client information and the problem description received from the CTI server to the MDT terminal (step 6050). Upon completion of the service (step 6060), the patrol personnel report the completion of the mission to the control center, and the CTI system of the control center updates the patrol information database. The patrol personnel enter their job record in the problem treatment history database (step 6070).
  • Fig. 7A is a flowchart illustrating the process of preparing a security log analysis report.
  • the logs generated at the client server are sent to the management console of the control center, and stored in the log storage 900 connected to the management console (step 7100) .
  • the log data is moved to a back-up means, which is an off-line storage device (step 7120).
  • the stored logs are processed with log analysis tools into daily or weekly analysis data (step 7130).
  • the log data is deleted from the back-up means after a time period predetermined for the respective service grade (step 7140).
  • the analysis data may be provided to the client via web server 500 in an HTML format document (step 7160) .
  • an analysis report with consulting information may be provided to the client in a printed document (step 7170) .
  • Fig. 7B shows the process of providing a log analysis report to the client via web. Because the confidentiality of the analysis report is highly important, the report is provided only to the authenticated clients via an OTP server 700.
  • the client inputs the URL of the control center using a web browser 1200 (step 7200).
  • the client's access request is first authenticated by the firewall (step 7210), and after entering a password it receives a second authentication by the OTP server (step 7220) . Then, the client may retrieve the analysis report by accessing to corresponding HTML document page (step 7230) .
  • the security management system and method according to the present invention has an advantages of reinforcing the security level of client systems because it enables to monitor the security state of the client systems and to prevent or immediately respond to the security problems of the client servers. Further, adaptively providing remote control service interconnecting various security solutions and dispatch service of security experts according to the types of security problems, the present invention allows the client system to respond to any type of security problems in a prompt and active manner. This feature of the invention also eliminates the need for individual client to secure expensive security equipment and security experts.
  • the present invention has an advantage over the conventional computer security system using a separate security management console for each security solution product because present invention consolidates all event information generated by various security solutions to the integrated console and centralize the monitoring function to the integrated console. Further, upon detection of a security problem at the integrated console, the management console solves the problem by means of remote control interconnecting various security solutions, and the security problems that cannot be solved by the remote control are solved by dispatch service of security personnel supported by CTI and GIS technologies. By the adaptable interconnection of the remote control service and the dispatch service, the security management system of the present invention may provide effective and economic response to any type of security problems. Also, because the security logs transmitted from the client systems are stored and maintained in separate log storage, it is possible to trace and analyze the cause of the security problems afterwards.
  • the security management level may be continuously improved and updated. Also, since the client may obtain its security information record and an analysis report from the security management center, the client may utilize the information in establishing its future security policy.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)
  • Alarm Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A security management system and a method for performing real-time monitoring of various security problems of a plurality of scattered client servers at a remote location in a consolidated manner are provided. When a security problem is detected at the client servers, the security system and method may immediately respond thereto by way of remote control or dispatch service of security personnel. The security management system comprises an integrated console receiving and monitoring security state information from client systems in a consolidated manner and generating an alarm when the security state information includes any security event indicating a certain security problem; a management console including a plurality of security consoles receiving the security state information and logs from the client systems and solving the security problem of the client server by remote control associating the plurality of security consoles; a CTI server receiving security state information from the integrated console and determining the grade of the security event with reference to an event grade database and reading the client information from a built-in database; a GIS server receiving the security event, event grade and the client information from the CTI server and selecting a patrol car to be dispatched to the client using the client information and pre-stored geographic information and patrol information, and transmitting the information of the selected patrol car to the CTI server.

Description

SYSTEM AND METHOD FOR PERFORMING REMOTE SECURITY MANAGEMENT OF CLIENT COMPUTER SYSTEMS
TECHNICAL FIELD
The present invention relates to a computer security management system. Specifically, the invention relates to a computer security management system for conducting a real-time and integrated monitoring of the security problems of a plurality of client computer systems and immediately and adaptively responding to the security problems. The security management system solves the security problems of the client systems by adaptively utilizing the remote control service and the dispatch service of the security personnel.
BACKGROUND ART
With the advent of the computer network environment interconnecting multiple computer systems via a variety of communication networks such as the Internet, computer systems have become more vulnerable to damage caused by hacking activities, viruses and the like. Accordingly, the need to maintain computer system security against outside attacks is increasing, and various network security products have been developed and sold.
Most of the existing computer security products have been sold as separate products for specific security control purposes. For establishing a security system with such standalone security products (or solutions), various security solutions have to be used together according to the characteristics of the computer systems and their security needs. Such a security system has limitations and difficulties in performing a comprehensive and overall security control of the computer system. Further, because of the lack of experienced computer security experts, it is particularly difficult to operate such a security system. Further, establishing and operating such a security system for each computer system requires excessive costs because each system operator has to independently purchase various security solutions and hire security personnel. Such problems of the conventional computer security systems created the need for a centralized security management system which is able to perform simultaneous and real-time monitoring and analysis of the security problems of a plurality of client systems and, at the same time, is able to adaptively respond to the security problems in accordance with the nature of the problems.
DISCLOSURE OF THE INVENTION
It is, therefore, a primary object of the present invention to provide a security management system which is able to monitor, store and analyze the security problems of a plurality of client servers on a real-time basis, and which is also able to solve the security problems by utilizing remote control service and personal dispatch service in an adaptive manner according to the nature of the security problems. Specifically, the security management system according to the present invention may receive, store and analyze the security state information transmitted from the client servers, and may provide the clients with the information and advice with respect to their security states. When a security problem of a client is detected, the security management system first attempts to solve the problem by means of remote control employing various security solutions. When the security problem is judged to be a serious problem that may not be solved by the remote control service, the security management system of the present invention automatically initiates a dispatch service of the security personnel.
The security management system according to the present invention comprises an integrated console receiving and monitoring security state information from the client servers in a consolidated manner and generating an alarm when the security state information includes a pre-defined security event indicating a security problem of a client system; a management console including a plurality of security consoles receiving the security state information from the client systems and solving the security problem detected by the integrated console by remote controlling the client system using the plurality of security consoles; a CTI server receiving the security event from said integrated console and determining the grade of the security event with reference to an event grade database, and reading client information associated with the security event from a client information database; and a GIS server receiving the security event, the event grade and the client information from said CTI server, and selecting a patrol car to be dispatched to the client using the client information received from said CTI server and pre-stored geographic information and patrol information.
BRIEF DESCRIPTIONS OF THE DRAWINGS
The above and other objects and features of the present invention will become apparent from the following description of preferred embodiments given in conjunction with the accompanying drawings, in which: Fig. 1 (Figs. 1A and 1B) is a block diagram showing the overall structure of the security management system according to a preferred embodiment of the invention;
Fig. 2 (Figs. 2A and 2B) is a block diagram illustrating the operation of the integrated console and the management console at the security control center in response to an occurrence of a security problem at a client server;
Fig. 3 (Figs. 3A and 3B) is a flowchart illustrating an example of a combined operation of the security control center and the patrol service system;
Fig. 4 is a flowchart illustrating the process of managing an undefined security event by means of log analysis;
Fig. 5A is a flowchart illustrating the security management process responding to an intrusion attempt by associating the intrusion detection server and the firewall;
Fig. 5B is a flowchart illustrating the security management process responding to the detection of a virus introduced from the outside;
Fig. 5C is a flowchart illustrating the security management process responding to the risk factors detected through the vulnerability analysis;
Fig. 6 is a flowchart illustrating the process of managing the patrol car location information required for patrol service;
Fig. 7A is a flowchart illustrating the process of storing security information logs and preparing a log analysis report; and Fig. 7B is a flowchart illustrating the process of providing a security information log analysis report on the web site.
MODE OF CARRYING OUT THE INVENTION
Referring to Figs. 1A and 1B, a preferred embodiment of the present invention will be described in detail below. The security control center 10 according to one embodiment of the present invention comprises an integrated console 100, a management console 200, a CTI server 300, a GIS server 400, a web server 500, a log storage 900, a multi-cube 1000 and a back-up means 1100. The security control center 10 receives the client security information from a plurality of client servers.
Client servers 800 include various security solutions such as a firewall 810, an intrusion detection server 820, an anti-virus server 830 and a mail server 840 (see Figs. 2A and 2B). The client servers are connected to the integrated console 100 and the management console 200 at the security control center 10 via a virtual private network (VPN). The integrated console 100 and the management console 200 receive messages including the client's security state information from the client servers. The messages are trap messages of the SNMP (Simple Network Management Protocol) network protocol. An SNMP trap includes, for example, a security event code, an IP address and a timestamp (i.e., a code indicating the time when the security event occurred).
The integrated console 100 monitors the security state information provided by the various security tools and solutions of the client servers in a real-time and integrated manner. For this purpose, the integrated console 100 of the present invention includes a trap-D 110 and an event manager 120. When the integrated console detects any security information indicating a certain type of security problem at the client server, it generates an alarm and notifies a CTI (Computer Telephony Integration) server 300 of the security problem. The management console 200 is a console for separately managing specific security solutions and equipment at the client servers. The management console 200 is used to solve the security problems that occur at the client servers by means of remote control. The management console also receives the logs of each security solution of the clients and stores them in a log storage 900.
The CTI server 300 includes a client information database, a CTI information database, an event grade database and a problem treatment history database. The CTI server 300 determines the grade of the security events received from the integrated console 100 with reference to the event grade database, and instructs the patrol service personnel to solve the problem when the security event has a grade requiring a dispatch service. The CTI server also provides the security event, event grade and client information to a GIS (Geographic Information System) server 400 including a GIS database 410 and a GPS (Global Positioning System) 420, which are used to find the locations of the client with a security problem and of the available patrol cars.
The GIS server 400 includes databases storing the geographic information and the patrol information, and it provides the CTI server 300 with the information of the available patrol cars. Connected to the GIS server is a multi-cube 1000, which is a large-scale monitor showing the general status information including the locations of the clients and the availability of patrol cars and the like using the GIS and GPS technologies. A Mobile Data Terminal (MDT) 620 carried by the patrol personnel 610 or mounted at the patrol car 600 receives the client information and the job instruction from the CTI server 300 through the GIS server 400 and sends an acknowledgement message to the CTI server 300 through the GIS server 400. The MDT 620 is also connected to the GIS and/or the GPS in the GIS server 400 to update the patrol information thereto and download necessary information therefrom.
The log storage 900 is a device for storing the logs received by the management console 200 from the client servers. The logs are stored in the log storage 900 for the analysis of the security states of the client servers on a daily, weekly or monthly basis. The logs of the client server stored in the log storage are also stored in an off-line backup server 1100 for a predetermined period of time. Also, the log analysis result is provided to a web server 500 so that the client may retrieve the log analysis result stored in the log storage 900. An OTP (One Time Password) server 700 is connected to the web server 500 to provide authentication when a client accesses the web server 500. Alternatively, the log analysis result and the consulting information stored in the log storage may be provided to the clients in the form of a printed report.
Referring to Figs. 2A and 2B, the operations of the integrated console 100 and the management console 200 are explained in further detail. The client server 800 is connected to the integrated console 100 and to the management console 200 via separate virtual private network (VPN) links for security purposes. The integrated console and the management console receive the security state information from the client server 800 in the format of an SNMP trap message. The management console also receives the logs of each security solution of the client servers.
The client server 800 may include various security-related servers (solutions), such as a firewall 810, an intrusion detection server 820, an anti-virus server 830 and a mail server 840. The firewall 810 is a security server managing the network security of the client. In the present embodiment, the firewall is remote controlled by the firewall management console 210 of the management console 200. The intrusion detection server 820 is a security server detecting and responding to unauthorized intrusions into the client's network, and it is remote controlled by the intrusion management console 220 of the management console 200. The anti-virus server 830 is a security server checking for viruses introduced from the outside by e-mail and other types of communication, and it is remote controlled by the anti-virus management console 230 of the management console 200.
The integrated console 100 includes a trap-D 110, which is a daemon capturing the SNMP trap messages regarding the client security states, and an event manager 120 filtering the SNMP trap messages to separate the client's security state information from them. The trap-D 110 of the integrated console receives messages representing any abnormal security states (security events) occurring at the client servers. The event manager 120 extracts and filters the security events from the received messages, and generates an alarm when the event corresponds to a predetermined type of security problem. As such, the integrated console performs the function of monitoring any security events of the client servers and generating an alarm when a detected event is a predetermined type of event representing a security problem.
Upon generation of an alarm by the integrated console, the security problem is first handled by the personnel at the security control center by means of the remote control through the management console. At the same time, the integrated console 100 transmits the security state information (client's IP address, event code, timestamp) to the CTI server 300.
The management console 200 according to one embodiment of the invention includes a firewall management console 210, a server for remotely managing (monitoring and controlling) the client's firewall; an intrusion detection management console 220 for remotely managing the client's intrusion detection server; an anti-virus console 230 for managing the client's anti-virus server; and a vulnerability analysis console 240 for checking and analyzing the vulnerability of the client's security servers.
The firewall 810, the intrusion detection server 820 and the anti-virus server 830 of the client server are automatically controlled according to the predetermined security policy (rules) of each client system. These security servers are monitored and remote controlled by the integrated console and the management console of the control center at all times. In particular, the firewall management console 210, the intrusion detection management console 220, the anti-virus management console and the vulnerability analysis console 240 of the management console 200 perform real-time monitoring of the security states of the client servers 24 hours a day, and store the logs of the security states of the client servers in the log storage 900.
One of the main functions of the management console of the present invention is to remote control the client security servers to solve the client's security problems when a security problem is detected and an alarm is generated by the integrated console 100. As depicted in Fig. 3A, when the integrated console 100 generates an alarm (step 3020) to notify a security problem of the client server, the security personnel at the control center begin to solve the problem by means of remote control through the management console 200 (step 3030). For example, when a security problem occurs at the firewall or the intrusion detection server of the client system, the security problem may be solved by the security personnel at the control center through remote control using the firewall management console 210 and the intrusion detection management console 220. One of the features of the present invention is that, as indicated by the arrows in Fig. 2, the security problems of the client system may be solved by a remote control associating multiple security solutions of the management console 200. For example, as will be explained with reference to Fig. 5A, the intrusion detection management console 220 of the management console may terminate the intrusion process at the client system and, at the same time, terminate the network session from a specific IP by means of the firewall management console 210. Also, as illustrated in Fig. 5B, after a detected virus is removed by the anti-virus server, a session with a specific IP may be terminated by means of the firewall management console. As such, the management console of the present invention may solve the security problems of the client system through a remote control interconnecting the various security solutions of the management console 200. The remote control operation by the management console will be explained in further detail with reference to Figs. 5A to 5C.
The security state logs transmitted from the client system to the management console 200 are stored in the log storage 900 for a predetermined time period, and the logs may be analyzed with expert tools to provide a security state analysis report. The process of providing a security analysis report to the client will be explained below with reference to Figs. 7A and 7B.
Figs. 3A and 3B are flowcharts illustrating an embodiment of the combined operation of the control center and the patrol service. The security management system according to the present invention uses the remote control method when the security problem may be resolved through remote control. Otherwise, the security management system adopts active problem prevention and solution measures by directly dispatching security personnel to the clients. In order to provide the personal service of security personnel, a CTI server 300 and a GIS server 400 are provided at the control center 10. When a security event occurs at the client system 800 (step 3000), the security event is transmitted to the management console 200 and the integrated console 100 in the format of an SNMP trap, and the event is captured by the trap-D of the integrated console. The event manager 120 of the integrated console 100 determines whether the received security event involves any security problem with reference to the pre-defined event data (step 3010). When a pre-defined type of event indicating a security problem is detected, the integrated console 100 generates an alarm on a display screen or by any other means (step 3020). Upon generation of the alarm, the security personnel at the control center first treat the security problem using the remote control functions of the management console 200 (step 3030) and terminate the process if the security problem is completely solved by the remote control service. At the same time, the integrated console 100 transmits the security state information (the IP address, event code, timestamp, etc.) to the CTI server 300 (step 3040).
Upon receiving the security state information such as the IP address, event code and timestamp from the integrated console, the CTI server 300 evaluates the risk grade of the event with reference to the event grade database (step 3050). When the CTI server 300 determines that the security event has the grade of a serious security problem requiring dispatch service, the CTI server reads the client information, such as the name and location of the client server corresponding to the IP address, from the client information database. Then, the CTI server sends the event code, event grade and client information to the GIS server 400 (step 3060) in order to initiate a patrol service.
The GIS server 400 retrieves the location of the client from a map database using the client information received from the CTI server. Then, based on the client location, the GIS server retrieves the location and availability information of the patrol cars in the vicinity of the client from the patrol information database, and displays the information on the multi-cube (step 3070). The security personnel at the control center may then select an available patrol car from the GIS server console (step 3080). The GIS server 400 then provides the information of the selected patrol car to the CTI server 300, and the CTI server automatically calls the selected patrol car 600 via any type of communications network such as the PSTN or a mobile telecommunication network. The security personnel at the control center confirm the availability of the patrol car through the CTI server, and give a job instruction to the patrol personnel (step 3090). The CTI server updates the patrol information database with respect to the selected patrol car, and the patrol personnel in receipt of a job instruction download the basic client information and the job information concerning the specific client problem from the CTI and GIS servers (step 3100). The patrol personnel resolve the client's security problem based on the downloaded information and report the contents of the job to the control center. Then, the relevant fields of the patrol information database and the problem treatment history database are respectively updated (step 3110). The security service process is then terminated, and the problem treatment history and result stored in the problem treatment history database are reported to the client (step 3120).
Fig. 4 illustrates the process of handling pre-defined or undefined security events by means of log management. As explained above, in step 3010 of Fig. 3, the security events of the client systems are transmitted to the management console and the integrated console in the SNMP trap format, and the events are captured by the trap-D of the integrated console. The event manager 120 of the integrated console determines whether the captured events include any event indicating a security problem with reference to the pre-defined event data. In order for the integrated console to determine the occurrence of a security problem at the client, the security event has to be pre-defined. Where an event has not been previously defined, the event is separately analyzed and defined by analyzing the logs of the events received by the management console.
In Fig. 4, the client server 800 normally transmits its operation logs to the management console 200 at the control center (step 4000). When a security event occurs at the client system (step 4010), the client system determines whether the event is a defined event or not (step 4020), and transmits the IP address of the server, the event code and the timestamp to the management console and the integrated console in the form of an SNMP trap message (step 4030). The SNMP trap message is captured by the trap-D 110 of the integrated console and filtered by the event manager 120 to recognize the type of the event (step 4050). When the event corresponds to a pre-defined event indicating a security problem, the integrated console generates an alarm to the control center personnel in the form of a pop-up message or a mail (step 4070), and the processes from step 3020 of Fig. 3 onward are conducted. The events to be treated as "abnormal events" by the client server are defined by the client server based on all the security problems that previously happened to the client. However, when a security event that happens at the client server is not a pre-defined event, the event may not be properly controlled by the integrated console or the management console, and may lead to an unexpected security accident. In order to prevent such problems, the system according to the present invention separately analyzes the logs of undefined events received by the management console 200, and recognizes the security problem associated with the undefined events (step 4040). When the security problem associated with the event is recognized, the security problem may be resolved by the remote control of the management console or by the dispatch service of the patrol personnel (step 4060). After the recognition and treatment of an undefined event, the event is manually defined as a new event type, and the definition is updated in the client server 800, the management console and the integrated console. Thereafter, such events may be automatically detected and treated by the security management system of the present invention (step 4080).
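The event-manager and CTI-grading flow of Figs. 3 and 4, as an added Python example that is not code from the patent or its assignee: trap records carrying the three fields the page names (event code, IP address, timestamp) are checked against pre-defined event data, alarmed and graded, and undefined events are queued for separate log analysis until they are manually defined and replayed. The event codes, grade values, dispatch threshold, client record and record format are constructed for illustration.

```python
"""Constructed simulation of the integrated console (trap-D + event manager)
and the CTI server's event grading. Not the patent's own implementation."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Hypothetical pre-defined event data (step 3010 / 4050). Codes are made up.
PREDEFINED_EVENTS = {
    "IDS-INTRUSION": "intrusion attempt reported by the intrusion detection server",
    "AV-VIRUS": "virus detected by the anti-virus server",
    "FW-POLICY-VIOLATION": "firewall policy violation",
}

# Hypothetical event grade database (step 3050). Grades at or above
# DISPATCH_GRADE are treated as requiring the patrol (dispatch) service.
EVENT_GRADES = {"IDS-INTRUSION": 3, "AV-VIRUS": 2, "FW-POLICY-VIOLATION": 1}
DISPATCH_GRADE = 3

# Hypothetical client information database keyed by the client server's IP.
CLIENT_INFO = {"10.0.0.5": {"name": "Client A", "location": (37.57, 126.98)}}


@dataclass
class Trap:
    """The three fields the page says an SNMP trap carries."""
    event_code: str
    ip: str
    timestamp: datetime


@dataclass
class Decision:
    alarm: bool            # step 3020: alarm raised at the integrated console
    grade: Optional[int]   # step 3050: grade from the event grade database
    dispatch: bool         # step 3060: patrol service initiated
    client: Optional[dict]  # client record read only when dispatch is needed
    undefined: bool        # step 4040: routed to separate log analysis


def parse_trap(line: str) -> Trap:
    """Parse a constructed 'code|ip|iso-timestamp' record as handed from the
    trap-D to the event manager. Malformed records are rejected, not guessed."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        raise ValueError(f"malformed trap record: {line!r}")
    code, ip, ts = parts
    return Trap(code, ip, datetime.fromisoformat(ts))


class IntegratedConsole:
    def __init__(self, predefined, grades, clients):
        self.predefined = dict(predefined)
        self.grades = dict(grades)
        self.clients = clients
        self.undefined_log = []  # undefined events awaiting log analysis

    def handle(self, trap: Trap) -> Decision:
        if trap.event_code not in self.predefined:
            # Not a pre-defined event: no alarm; queue for log analysis (step 4040).
            self.undefined_log.append(trap)
            return Decision(False, None, False, None, True)
        # Pre-defined event: alarm (step 3020) and forward to CTI (step 3040).
        grade = self.grades.get(trap.event_code, 1)
        dispatch = grade >= DISPATCH_GRADE
        # The CTI server reads client information only for dispatch-grade events.
        client = self.clients.get(trap.ip) if dispatch else None
        return Decision(True, grade, dispatch, client, False)

    def define_event(self, code: str, description: str, grade: int) -> None:
        """Step 4080: after manual analysis, register the event type so it is
        automatically detected from then on."""
        self.predefined[code] = description
        self.grades[code] = grade

    def replay_undefined(self):
        """Re-run queued traps whose codes have since been defined."""
        remaining, decisions = [], []
        for trap in self.undefined_log:
            if trap.event_code in self.predefined:
                decisions.append(self.handle(trap))
            else:
                remaining.append(trap)
        self.undefined_log = remaining
        return decisions


# Constructed sample traps: two pre-defined events and one undefined event.
SAMPLE_TRAPS = [
    "IDS-INTRUSION|10.0.0.5|2000-09-28T10:15:00+09:00",
    "AV-VIRUS|10.0.0.5|2000-09-28T10:16:00+09:00",
    "MAIL-RELAY-ABUSE|10.0.0.5|2000-09-28T10:17:00+09:00",
]


def run_demo():
    console = IntegratedConsole(PREDEFINED_EVENTS, EVENT_GRADES, CLIENT_INFO)
    decisions = [console.handle(parse_trap(line)) for line in SAMPLE_TRAPS]
    # The undefined event is analyzed from the logs and defined manually (step 4080).
    console.define_event("MAIL-RELAY-ABUSE", "open relay abuse seen in mail logs", 2)
    replayed = console.replay_undefined()
    return decisions, replayed


if __name__ == "__main__":
    for d in run_demo()[0]:
        print(d)
```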
Figs. 5A to 5C show the flow of the active security control operation according to the present invention. The security control system actively responds to various security problems by interconnecting various security solutions. For example, a security problem detected at the client's intrusion detection server may be resolved by using the intrusion management console 220 of the management console and changing the setting of the client's firewall 810 by the firewall management console 210. When a virus is detected by the client's anti-virus server, the anti-virus management console 230 removes the virus and changes the setting of the client's firewall in connection with the firewall management console 210. When a vulnerable point of the client security system is detected by the vulnerability analysis console 240 of the management console, the security policy of the client server may be readjusted by means of the security servers of the management console. Referring to Figs. 5A to 5C, these processes are described in further detail. Fig. 5A is a flowchart illustrating the process of responding to an attack such as intrusion attempt, network service interruption by interconnecting the intrusion detection server and the firewall. When an intrusion attempt is detected by the client firewall and the intrusion detection system (step 5110) , the client intrusion detection server 820 sends the security event information (event code, IP address, timestamp) to the integrated console (step 5120), and the integrated console generates an alarm to the security control center personnel (step 5130) . Then, the management console terminates the intrusion process by the intrusion management console (step 5140) . The management console transmits the event information to the firewall management console 210 according to a rule setting (step 5160) , and the firewall management console completely terminates the network session of the intruder (step 5170). 
Accordingly, the client system may maintain security against an intrusion attempt by the cooperation of the intrusion detection server and the firewall. Meanwhile, the integrated console 100 sends the event information to the CTI server (step 5150) to generate problem treatment history data and to initiate patrol service depending on the grade of the security event (step 5190) . Fig. 5B is a flowchart illustrating the process of responding to the detection of a virus in the client system. The anti-virus server of the client system performs virus check with respect to any mails or information delivered through the firewall (steps 5210 and 5220) . The virus server 830 detects the introduced virus (step 5230) , and transmits the event information (event code, IP address, timestamp) to the integrated console and the management console (step 5240) . The client anti-virus server removes the detected virus (step 5250) and transmits the event information to the firewall, and the firewall cuts off the particular IP session (step 5260) . The management console 230 updates the anti-virus engine (step 5270) , and then security checked e-mails are sent to the mail server (step 5280) . As such, the anti-virus solution according to the present invention may actively respond to the virus infection in cooperation with the firewall 110.
Fig. 5C is a flowchart illustrating the process of responding to the risk factors detected by the vulnerability analysis console 240 by readjusting the firewall. The control center checks the security vulnerability of the client server periodically, or as necessary, using the specific tools installed in the vulnerability analysis console (step 5300). The analysis results obtained by the vulnerability analysis server 240 are transmitted to the management console (step 5320). Based on the results, the management console readjusts the client firewall policy (rules) using the firewall management console (step 5330). The vulnerability analysis information is also provided to the client (step 5340) so that it may be used in establishing the client's future security policy.
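The event path of Figs. 5A to 5C, from the trap received at the integrated console to the firewall rule and the CTI grading decision, is illustrated below. This is an added example and not code from the patent or from the applicant; the event codes and grades, the trusted agent and never-block address ranges, the rule syntax and the constructed trap are all assumptions. One check the patent does not mention is included because a practitioner would want it: SNMP v1/v2c traps carry no authentication, so a trap daemon that blocks whatever address a trap names would let anyone who can reach it cut off an arbitrary client session; the daemon therefore accepts traps only from the registered client security servers and refuses to block the control center's own addresses.

```python
"""Illustration of the event path of Figs. 5A to 5C (added here; not part of
the patent). A client security server reports (event code, IP address,
timestamp); the integrated console's trap daemon receives it, the event
manager filters it against the pre-defined event table, the firewall
management console derives a blocking rule and the CTI server grades the
event to decide whether a patrol dispatch is needed. The event codes,
grades, trusted agent addresses and rule syntax are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed event grade database: code -> (description, grade); grade 3 is "serious".
EVENT_GRADES = {
    "IDS-1001": ("intrusion attempt", 2),
    "IDS-1002": ("network service interruption", 3),
    "AV-2001": ("virus detected in mail", 2),
}
SERIOUS_GRADE = 3

# Assumed: addresses of the client security servers allowed to send traps.
# SNMP v1/v2c traps are unauthenticated, so without this check anyone who can
# reach the trap daemon could name an arbitrary IP and have it blocked.
TRUSTED_AGENTS = {ip_network("192.0.2.0/24")}

# Assumed: addresses that must never be blocked by an automatic response
# (the control center itself), even if an event names them.
NEVER_BLOCK = {ip_network("198.51.100.0/24")}


@dataclass
class SecurityEvent:
    code: str
    ip: str
    timestamp: datetime


def parse_trap(source: str, varbinds: dict) -> Optional[SecurityEvent]:
    """Trap daemon (trap-D): accept a trap only from a trusted agent and only
    when the three varbinds are well formed; anything else is dropped."""
    src = ip_address(source)
    if not any(src in net for net in TRUSTED_AGENTS):
        return None
    try:
        code = str(varbinds["eventCode"])
        ip = str(ip_address(varbinds["ipAddress"]))
        ts = datetime.fromisoformat(varbinds["timestamp"])
    except (KeyError, ValueError):
        return None
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return SecurityEvent(code, ip, ts)


def is_defined(ev: SecurityEvent) -> bool:
    """Event manager: only pre-defined events raise an alarm; undefined ones
    are kept in the log store for later analysis (claims 12 and 18)."""
    return ev.code in EVENT_GRADES


def firewall_rule(ev: SecurityEvent) -> Optional[str]:
    """Firewall management console: rule that cuts the intruder's session.
    Returns None when the event names an address that must not be blocked."""
    if any(ip_address(ev.ip) in net for net in NEVER_BLOCK):
        return None
    desc = EVENT_GRADES[ev.code][0]
    return f"deny ip from {ev.ip} to any  # {desc} at {ev.timestamp.isoformat()}"


def handle_trap(source: str, varbinds: dict) -> dict:
    """Whole path: trap-D -> event manager -> firewall console -> CTI grading."""
    ev = parse_trap(source, varbinds)
    if ev is None:
        return {"action": "drop"}
    if not is_defined(ev):
        return {"action": "log-undefined", "code": ev.code}
    grade = EVENT_GRADES[ev.code][1]
    return {
        "action": "respond",
        "rule": firewall_rule(ev),
        "grade": grade,
        # CTI server hands serious events on to the GIS server for dispatch.
        "dispatch": grade >= SERIOUS_GRADE,
    }


if __name__ == "__main__":
    # Constructed trap as the client IDS server of step 5120 would send it.
    trap = {"eventCode": "IDS-1001", "ipAddress": "203.0.113.7",
            "timestamp": "2000-09-29T10:15:00+00:00"}
    print(handle_trap("192.0.2.10", trap))
```

The returned dictionary is what the integrated console would hand to the alarm display, the firewall management console and the CTI server respectively; an undefined event code is not acted on but recorded, matching the log-analysis path of claims 12 and 18.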
Fig. 6 shows the process of managing the patrol car location information in order to dispatch service personnel to the client when the security problem is judged to be a serious problem requiring a dispatch service. In the security management system of the present invention, the dispatch service is conducted only for security problems that cannot be resolved by remote control from the management console. The dispatch service is also used to provide after-sales service or preventive service for security problems. The patrol service is performed using the CTI (Computer Telephony Integration) server 300 and the GIS server 400, which includes the GIS 410 and the GPS 420.
The system begins to manage the patrol information when security personnel 610, each having an ID, board a patrol car 600 (step 6000). Using an MDT 620, the security personnel set the location information transmission period and transmit their personal information (ID) and other related information to the GPS of the control center (step 6010). The information transmitted from the MDT is stored in the patrol information database and continuously managed during the patrol service.
The patrol security personnel receive job instructions from the control center via a telecommunication network such as mobile telephone (steps 6020, 6030). Departing for the client, the patrol personnel send the updated patrol information and the location information using the MDT (step 6030). The patrol personnel also request the basic information, such as the client information and the contents of the problem, from the GIS by MDT (step 6040), and the GIS downloads the client information and the problem contents received from the CTI server to the MDT terminal (step 6050). Upon completion of the service (step 6060), the patrol personnel report the completion of the mission to the control center, and the CTI system of the control center updates the patrol information database. The patrol personnel enter their job record in the problem treatment history database (step 6070).
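The selection of a patrol car by the GIS server (Fig. 6, claims 7 and 19) and the job instruction it downloads to the MDT (step 6050) are illustrated below. This is an added example, not code from the patent; the patent states only that the car is selected from the client information, the geographic information and the patrol information. Great-circle distance as the stand-in for the GIS route distance, the freshness limit on the last MDT position report, and the constructed positions are assumptions. The freshness check matters in practice: a car whose MDT stopped reporting may have moved far from its last known position, so it is excluded rather than dispatched on stale data.

```python
"""Illustration of the GIS server's patrol car selection (Fig. 6, claims 7
and 19); added here, not part of the patent. Positions arrive from each
car's MDT at the period the personnel set; a car is dispatchable only if it
is free and its last position report is fresh. The great-circle distance,
the freshness limit and the constructed positions are assumptions."""
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PatrolCar:
    car_id: str
    personnel_id: str
    lat: float
    lon: float
    available: bool
    report_age_s: int  # seconds since the MDT last reported this position


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km (assumed stand-in for the GIS route distance)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def select_patrol_car(client_lat: float, client_lon: float, cars: List[PatrolCar],
                      max_report_age_s: int = 600) -> Optional[PatrolCar]:
    """Pick the nearest car that is free and whose position report is recent
    enough to trust; return None when no car qualifies."""
    usable = [c for c in cars if c.available and c.report_age_s <= max_report_age_s]
    if not usable:
        return None
    return min(usable, key=lambda c: haversine_km(client_lat, client_lon, c.lat, c.lon))


def job_instruction(car: PatrolCar, client_info: dict, event: dict, grade: int) -> dict:
    """Payload the GIS server downloads to the selected car's MDT (step 6050):
    the client information, the security event and its grade."""
    return {"car_id": car.car_id, "personnel_id": car.personnel_id,
            "client": client_info, "event": event, "grade": grade}


if __name__ == "__main__":
    # Constructed fleet and client location (Seoul area coordinates, illustrative only).
    fleet = [
        PatrolCar("P-01", "S-610", 37.5700, 126.9800, True, 60),
        PatrolCar("P-02", "S-611", 37.4980, 127.0276, True, 60),
        PatrolCar("P-03", "S-612", 37.5666, 126.9781, True, 1800),   # nearest, but stale
        PatrolCar("P-04", "S-613", 37.5667, 126.9782, False, 30),    # nearest, but busy
    ]
    car = select_patrol_car(37.5665, 126.9780, fleet)
    print(job_instruction(car, {"name": "client-A"}, {"code": "IDS-1002"}, 3))
```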
Fig. 7A is a flowchart illustrating the process of preparing a security log analysis report. The logs generated at the client server are sent to the management console of the control center and stored in the log storage 900 connected to the management console (step 7100). Upon completion of the log analysis (step 7110), the log data is moved to a back-up means, which is an off-line storage device (step 7120). The log data is deleted from the back-up means after a retention period predetermined for the respective service grade (step 7140). The stored logs are processed with log analysis tools into daily or weekly analysis data (step 7130). The analysis data may be provided to the client via the web server 500 as an HTML document (step 7160). An analysis report with consulting information may also be provided to the client as a printed document (step 7170).
Fig. 7B shows the process of providing a log analysis report to the client via the web. Because the confidentiality of the analysis report is highly important, the report is provided only to clients authenticated through an OTP server 700. To access the report, the client enters the URL of the control center in a web browser 1200 (step 7200). The client's access request is first authenticated by the firewall (step 7210); after the client enters a password, it receives a second authentication from the OTP server (step 7220). The client may then retrieve the analysis report by accessing the corresponding HTML document page (step 7230).
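The three checks of Fig. 7B in sequence (firewall on the source address, password, then the OTP server) are illustrated below. This is an added example, not code from the patent or its applicant. The patent does not say which one-time password scheme the OTP server uses; HOTP (RFC 4226, an HMAC-SHA1 counter scheme) is assumed here, as are the allowed address range, PBKDF2 for password storage, and the look-ahead window for clients that skipped codes. The detail worth noting is that a counter, once accepted, is never accepted again, so a one-time password captured in transit cannot be replayed to fetch the report.

```python
"""Illustration of the two-stage report access of Fig. 7B (added here; not
part of the patent): the firewall admits only client source addresses, the
password is checked, then the OTP server verifies a one-time password. The
patent does not name the OTP scheme; HOTP (RFC 4226) is assumed, as are the
address ranges, PBKDF2 password hashing and the look-ahead window."""
import hashlib
import hmac
import os
from ipaddress import ip_address, ip_network


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for the given counter (HMAC-SHA1, dynamic truncation)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user(password: str, otp_secret: bytes) -> dict:
    """Client record as the OTP server would hold it: salted PBKDF2 password
    hash, shared HOTP secret and the next counter it expects."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "otp_secret": otp_secret, "counter": 0}


class ReportGate:
    def __init__(self, allowed_nets, users: dict, window: int = 5):
        self.allowed = [ip_network(n) for n in allowed_nets]
        self.users = users
        self.window = window  # counters to look ahead for a client that skipped codes

    def request(self, source_ip: str, user: str, password: str, otp: str) -> str:
        # Step 7210: the firewall admits only the client's registered address range.
        if not any(ip_address(source_ip) in net for net in self.allowed):
            return "denied: firewall"
        rec = self.users.get(user)
        # Run the hash even for unknown users so timing does not reveal valid names.
        salt = rec["salt"] if rec else b"\0" * 16
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if rec is None or not hmac.compare_digest(derived, rec["pw_hash"]):
            return "denied: password"
        # Step 7220: the OTP server checks the code; a used counter is never accepted again.
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["otp_secret"], c), otp):
                rec["counter"] = c + 1
                return "granted"
        return "denied: otp"


if __name__ == "__main__":
    # Constructed client record; the secret is the RFC 4226 test-vector key.
    gate = ReportGate(["203.0.113.0/24"],
                      {"client-a": make_user("correct horse", b"12345678901234567890")})
    print(gate.request("203.0.113.10", "client-a", "correct horse", hotp(b"12345678901234567890", 0)))
    print(gate.request("203.0.113.10", "client-a", "correct horse", hotp(b"12345678901234567890", 0)))
```

Only after the gate answers "granted" would the web server 500 serve the HTML report page of step 7230; the second call in the usage above is refused because the same counter is presented twice.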
Because the logs of the client server are recorded at the remote control center in real time, outside intruders cannot erase the log entries already forwarded after breaking into the client system. When a client system is not monitored by a remote security management system in real time, it is difficult to discover an intrusion attempt afterwards if the intruder has deleted the logs of his activities. When the logs of a client system are monitored and stored by a remote security management system, any hacking activity may be traced and responded to using the information kept in the log storage.
The security management system and method according to the present invention has the advantage of reinforcing the security level of client systems, because it makes it possible to monitor the security state of the client systems and to prevent, or immediately respond to, the security problems of the client servers. Further, by adaptively providing a remote control service interconnecting various security solutions and a dispatch service of security experts according to the type of security problem, the present invention allows the client system to respond to any type of security problem in a prompt and active manner. This feature of the invention also eliminates the need for individual clients to procure expensive security equipment and retain security experts.
In technical terms, the present invention has an advantage over conventional computer security systems, which use a separate security management console for each security solution product, because the present invention consolidates all event information generated by the various security solutions at the integrated console and centralizes the monitoring function there. Further, upon detection of a security problem at the integrated console, the management console solves the problem by remote control interconnecting the various security solutions, and the security problems that cannot be solved by remote control are solved by the dispatch service of security personnel supported by CTI and GIS technologies. By the adaptable interconnection of the remote control service and the dispatch service, the security management system of the present invention may provide an effective and economical response to any type of security problem. Also, because the security logs transmitted from the client systems are stored and maintained in a separate log storage, it is possible to trace and analyze the cause of security problems afterwards. Also, since undefined security events may be analyzed and defined through the log analysis, the security management level may be continuously improved and updated. Also, since the client may obtain its security information record and an analysis report from the security management center, the client may utilize that information in establishing its future security policy.
While the present invention has been described and illustrated with respect to a preferred embodiment of the invention, it will be apparent to those skilled in the art that variations and modifications are possible without deviating from the broad principles and teachings of the present invention which should be limited solely by the scope of the claims appended hereto.

Claims

What is claimed is :
1. A remote computer security management system for detecting and solving the security problems of a plurality of client systems in an integrated manner comprising,
an integrated console receiving and monitoring the security state information sent from the client systems and generating an alarm when the security state information includes a pre-defined security event indicating a security problem of a client system;
a management console including a plurality of security consoles receiving the security state information from the client systems and solving the security problem detected by said integrated console by remote controlling the client system using said plurality of security consoles;
a CTI server receiving the security event from said integrated console and determining the grade of the security event with reference to an event grade database, and reading client information associated with the security event from a client information database; and
a GIS server receiving the security event, the event grade and the client information from said CTI server, and selecting a patrol car to be dispatched to the client using the client information received from said CTI server and pre-stored geographic information and patrol information.
2. The system of claim 1, wherein the client security state information received from the client systems includes an event code, a client IP address and a timestamp, and the information is transmitted in the format of an SNMP trap message.
3. The system of claim 2, wherein said integrated console includes a trap-D, which is a daemon receiving the security state information transmitted in the SNMP trap message, and an event manager filtering the security events included in the SNMP trap message.
4. The system of claim 1, wherein said management console includes a firewall management console for managing the client firewall; an intrusion detection management console for managing the client intrusion detection server; an anti-virus management console for managing the client anti-virus server; and a security vulnerability analysis console for checking and analyzing the security vulnerability of client servers.
5. The system of claim 4, wherein the remote control by said management console involves at least two of said firewall management console, said intrusion management console, said anti-virus management console, and said vulnerability analysis console.
6. The system of Claim 1, wherein said CTI server includes a client information database, a CTI information database, an event grade database, and a problem treatment history database, and said CTI server transmits the client information, the security event and the event grade to said GIS server when the security event has a grade of predefined serious security problems.
7. The system of Claim 1, wherein said GIS server includes a GPS and a GIS for finding the location of the client having a security problem and the locations of available patrol cars, and the GIS server selects a patrol car to be dispatched to the client using the client information and the security event received from said CTI server and transmits information of the selected patrol car to said CTI server.
8. The system of Claim 7, wherein said GIS server transmits the client information and the security event received from the CTI server to a mobile data terminal (MDT) of the selected patrol car.
9. The system of Claim 7, wherein said GIS server is connected to a multi-cube indicating patrol information including locations of the clients and locations of the patrol car.
10. The system of Claim 1, wherein said management console receives logs of the client systems and stores the logs in a log storage.
11. The system of Claim 10, further comprising a back-up means for storing processed logs in said log storage and a web server for providing a log analysis data to clients.
12. The system of Claim 10, wherein logs of undefined event received from the client systems are analyzed and defined as a new security event when the logs involve a security problem of the client system.
13. A computer security management method for remotely detecting and solving the security problems of a plurality of client systems in an integrated manner comprising the steps of,
(a) receiving and monitoring security state information provided by the client computer systems and generating an alarm by an integrated console when the security state information includes a pre-defined security event indicating a security problem of a client system;
(b) in response to the generation of an alarm, solving the security problem by remote controlling the client system using a management console, the management console including a plurality of security consoles respectively managing corresponding security servers of the client systems;
(c) receiving the security state information from said integrated console and determining the grade of the security event with reference to a pre-stored event grade database by a CTI server;
(d) reading client information associated with the security event from a client information database at said CTI server;
(e) sending the security event, the client information and the event grade from said CTI server to a GIS server;
(f) based on the information received from said CTI server, selecting a patrol car to be dispatched to the client using pre-stored geographic information and patrol information by said GIS server;
(g) sending information of the selected patrol car to said CTI server by said GIS server.
14. The method of claim 13, wherein the process is terminated when the event grade determined in said step (c) does not belong to the grades of pre-defined serious security problems.
15. The method of Claim 13, wherein said integrated console includes a trap-D, which is a daemon receiving the client security information transmitted in an SNMP trap message, and an event manager filtering the security events included in the SNMP trap message.
16. The method of Claim 13, wherein in step (b) said management console remotely controls the security problem of the client by employing a firewall management console; an intrusion detection management console; an anti-virus management console; and a security vulnerability analysis console.
17. The method of Claim 13, wherein said management console receives logs of the client systems and stores the logs in a log storage.
18. The method of Claim 17, wherein the logs of undefined event are analyzed and defined as a new security event when the logs involve a security problem of the client system.
19. The method of Claim 17, further comprising a step of providing the log analysis data to the client by a web server or in a printed report.
20. A computer security management method for remotely detecting and solving the security problems of a plurality of client systems in an integrated manner comprising the steps of,
(a) receiving and monitoring the security state information provided by the client systems and generating an alarm by an integrated console when the security state information includes a security event representing a pre-defined security problem;
(b) upon generation of an alarm by said integrated console, solving the security problem by remote controlling the client system using a management console, the management console including a plurality of security consoles respectively managing corresponding security servers of the client systems;
(c) receiving the security state information from said integrated console by a CTI server and determining the grade of the security event with reference to an event grade database in said CTI server;
(d) when the security event grade corresponds to a type of pre-defined serious security problems, sending the security event and the event grade to a GIS server by said CTI server along with client information associated with the security event;
(e) based on the information received from said CTI server, selecting a patrol car to be dispatched to the client using pre-stored geographic information and patrol information and sending information of the selected patrol car to said CTI server by said GIS server;
(f) giving job instructions to the selected patrol car by said CTI server; and
(g) downloading the client information, the security event and the event grade from said GIS server by a MDT mounted on the selected patrol car.
21. The method of Claim 13 or Claim 20, wherein said CTI server includes a client information database, a CTI information database, an event grade database and a problem treatment history database.
22. The method of Claim 13 or Claim 20, wherein said GIS server includes a GPS and a GIS for finding the location of the client and the locations of available patrol cars, and the GIS server is connected to a multi-cube display indicating the patrol information including the locations of the client and the patrol cars.
23. The method of Claim 20, further comprising the steps of storing the job records in said CTI server upon completion of the job instructed by said CTI server, and updating the patrol state information to said GIS server, and reporting the service result to the client.
PCT/KR2000/001090 2000-05-20 2000-09-29 System and method for performing remote security management of client computer systems WO2001091350A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU76897/00A AU7689700A (en) 2000-05-20 2000-09-29 System and method for performing remote security management of client computer systems

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020000027210A KR20020000225A (en) 2000-05-20 2000-05-20 A system and method for performing remote security management of multiple computer systems
KR2000/27210 2000-05-20

Publications (2)

Publication Number Publication Date
WO2001091350A2 true WO2001091350A2 (en) 2001-11-29
WO2001091350A3 WO2001091350A3 (en) 2003-01-30

Family

ID=19669394

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2000/001090 WO2001091350A2 (en) 2000-05-20 2000-09-29 System and method for performing remote security management of client computer systems

Country Status (4)

Country Link
JP (1) JP2001331388A (en)
KR (1) KR20020000225A (en)
AU (1) AU7689700A (en)
WO (1) WO2001091350A2 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20010097070A (en) * 2000-04-19 2001-11-08 장성철 Remote security consulting and security hole patch system through homepage for authorized clients
KR20030035142A (en) * 2001-10-30 2003-05-09 주식회사 이글루시큐리티 Method for Providing Enterprise Security Management Service
KR100412238B1 (en) * 2001-12-27 2003-12-24 한국전자통신연구원 The Management System and method of Internet Security Platform for IPsec
KR100466798B1 (en) * 2001-12-29 2005-01-17 (주)대정아이앤씨 Public network and private network combination security system and method thereof
KR20030094921A (en) * 2002-06-10 2003-12-18 주식회사데이콤 System and method for Security Information Management and Vulnerability Analysis
KR20030097208A (en) * 2002-06-20 2003-12-31 주식회사 케이티 method of reporting network element failure in NGN
JP2006504178A (en) * 2002-10-22 2006-02-02 ウンホ チェ Comprehensive infringement accident response system in IT infrastructure and its operation method
KR100826780B1 (en) * 2006-08-22 2008-04-30 에스케이 텔레콤주식회사 System and Method for Monitoring of User Terminal, Apparatus for the Same and Security Agent
KR200458327Y1 (en) * 2009-06-30 2012-02-15 두산엔진주식회사 Crane lifting beam
US20120084432A1 (en) * 2010-09-30 2012-04-05 Soprovich Greg F Method and apparatus for protocol event management
US20220207127A1 (en) * 2020-12-30 2022-06-30 Dell Products, L.P. Console-based validation of secure assembly and delivery of information handling systems

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999044115A2 (en) * 1998-02-26 1999-09-02 Sun Microsystems, Inc. Per-method designation of security requirements
WO2000011559A1 (en) * 1998-08-25 2000-03-02 Cybex Computer Products Corporation An apparatus, method and system for controlling and monitoring a keyboard, video and mouse switching system

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH07295910A (en) * 1994-04-20 1995-11-10 Hitachi Ltd Client management method in client-server system
JP2708010B2 (en) * 1995-05-15 1998-02-04 日本電気株式会社 Terminal security management device
JPH10124345A (en) * 1996-10-09 1998-05-15 Hewlett Packard Co <Hp> Method for protecting remote computer
JPH1139268A (en) * 1997-07-15 1999-02-12 Nec Corp Client leave-the-seat management system for distributed system
JP3871163B2 (en) * 1998-02-13 2007-01-24 株式会社日立情報システムズ Server transfer / editing method of virus check result and program recording medium thereof
KR100333061B1 (en) * 1999-11-23 2002-04-22 오경수 A remote computer anti-virus system and process on the network
KR20010096738A (en) * 2000-04-14 2001-11-08 정재용 Central Control Type Computer Remote Management Method using Network
KR100401088B1 (en) * 2000-05-12 2003-10-10 시큐아이닷컴 주식회사 Union security service system using internet

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PATENT ABSTRACTS OF JAPAN vol. 99, no. 5 31 May 1999 & JP 11 039 268 A 12 February 1999 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10021124B2 (en) 2003-07-01 2018-07-10 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US10050988B2 (en) 2003-07-01 2018-08-14 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US10075466B1 (en) 2003-07-01 2018-09-11 Securityprofiling, Llc Real-time vulnerability monitoring
US10104110B2 (en) 2003-07-01 2018-10-16 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10154055B2 (en) 2003-07-01 2018-12-11 Securityprofiling, Llc Real-time vulnerability monitoring
US10547631B1 (en) 2003-07-01 2020-01-28 Securityprofiling, Llc Real-time vulnerability monitoring
US10893066B1 (en) 2003-07-01 2021-01-12 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US11310262B1 (en) 2003-07-01 2022-04-19 Security Profiling, LLC Real-time vulnerability monitoring
US11632388B1 (en) 2003-07-01 2023-04-18 Securityprofiling, Llc Real-time vulnerability monitoring
CN101841427A (en) * 2010-04-30 2010-09-22 翁荣森 Multi-point touch server terminal management system
US8370939B2 (en) 2010-07-23 2013-02-05 Kaspersky Lab, Zao Protection against malware on web resources
CN107802977A (en) * 2017-11-06 2018-03-16 贵州泰永长征技术股份有限公司 Firefighting Pump Control and cruising inspection system based on internet+technology and networking technology

Also Published As

Publication number Publication date
JP2001331388A (en) 2001-11-30
KR20020000225A (en) 2002-01-05
WO2001091350A3 (en) 2003-01-30
AU7689700A (en) 2001-12-03

Similar Documents

Publication Publication Date Title
US7877804B2 (en) Comprehensive security structure platform for network managers
WO2001091350A2 (en) System and method for performing remote security management of client computer systems
US7159237B2 (en) Method and system for dynamic network intrusion monitoring, detection and response
US6353385B1 (en) Method and system for interfacing an intrusion detection system to a central alarm system
USRE45649E1 (en) Method and process for configuring a premises for monitoring
US20070203972A1 (en) Remote application publication and communication system
JP2004021549A (en) Network monitoring system and program
WO2008079210A1 (en) On-demand alerting and response system and method
WO2005072075A2 (en) Arrangement of units to form a monitoring system
US9231827B2 (en) Formalizing, diffusing and enforcing policy advisories and monitoring policy compliance in the management of networks
KR100607110B1 (en) Security information management and vulnerability analysis system
WO2005064854A1 (en) System for integrated security management based on the network
US20020006791A1 (en) Troubleshooting method and apparatus
JP2001319273A (en) Wide area managing system for car washing device or car washing place
KR20070008804A (en) Host-based security system and method for providing security service
CN111259383A (en) Safety management center system
KR100503772B1 (en) A monitoring system and method of auditing performanced work connected to database server by utility method
KR100599929B1 (en) Method for Data Process of Agent Layer of ISM System
US7607572B2 (en) Formalizing, diffusing, and enforcing policy advisories and monitoring policy compliance in the management of networks
CN113127856A (en) Network security operation and maintenance management method and device, computing equipment and storage medium
JP2002271524A (en) Combustion controller alarm supervisory system and remote supervisory device
KR100427448B1 (en) The mechanism of security policy stores and detection alert generation in Ladon-SGS
CN114650150B (en) Oilfield network communication system and method
CN110011873B (en) Method, device and medium for detecting working state of IP-free equipment
JP2005508553A (en) An apparatus and method for creating, distributing, and enforcing policy advice and monitoring policy compliance in the management of a network of computing devices.

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AU CA CN IL IN SG

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase