The present invention relates in general to security application management and, in particular, to a system and process for reporting network events with a plurality of hierarchically-structured databases in a distributed computing environment.
Information networks interconnecting a wide range of computational resources have become a mainstay of corporate enterprise computing environments. Typically, several host computer systems are interconnected internally over an intranetwork to which individual workstations and network resources are connected. These intranetworks, also known as local area networks (LANs), make legacy databases and information resources widely available for access and utilization throughout the corporation. These same corporate resources can also be interconnected to wide area networks (WANs), including public information internetworks such as the Internet, to enable internal users access to remote computational resources, such as the World Wide Web, and to allow outside users access to select corporate resources for the purpose of completing limited transactions or data transfer.
Most current internetworks and intranetworks are based on the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, "TCP/IP Illustrated," Vol. 1, Ch. 1, Addison-Wesley (1994), the disclosure of which is incorporated herein by reference. Computer systems and network devices employing the TCP/IP suite implement a network protocol stack, which includes a hierarchically structured set of protocol layers. Each protocol layer performs a set of pre-defined functions as specified by the official TCP/IP standards set forth in applicable Requests for Comment (RFC).
The growth of distributed computing environments, especially TCP/IP environments, has created an increased need for computer security, particularly for protecting operating system and application software and stored data. A wide range of security applications are needed to ensure effective security. For example, firewalls and intrusion detection systems are necessary to combat would-be network intruders, the so-called "hackers," of the networking world. Similarly, antivirus scanning applications must be regularly executed and, equally importantly, updated, to detect and eradicate "malware" consisting of computer viruses, Trojan horses, and other forms of unauthorized content.
In addition to these forms of reactive security applications, proactive security applications are increasingly being adopted to prevent security breaches from happening. For instance, vulnerability scanners probe and identify potential security risks and concerns. Likewise, "honey pot" or decoy host systems create the illusion of a network of relatively unguarded, virtual hosts within which a would-be hacker can be tracked and identified.
These types of security applications form a powerful arsenal of defensive and offensive tools that can effectively identify and flag various network security events. Typically, these events can be categorized as either logs or alerts. A "log" is an event principally intended to record and inform an administrator of a network security condition of potential interest, for example, the normal shutdown of a client system. An "alert," on the other hand, is a spurious event which may require the attention of an administrator to resolve, for instance, a password which has failed three times in a row and indicates a possible network break-in attempt. Both logs and alerts must be analyzed and, under certain circumstances, such as in a C2-level secure operating environment, maintained in persistent storage.
Whether defensive or offensive, the majority of prior art security applications are directed at addressing specific network security concerns, such as antivirus scanning or intrusion detection. Consequently, most logs and alerts generated by these applications are expressed in proprietary formats with security application- or vendor-specific meanings. Moreover, such logs and alerts are usually communicated only within the limited context of the client system upon which the security application is executing or, when the remote security application is functioning, for instance, as a remote sensor, to a single centralized server. As a result, such proprietary logs and alerts are analyzed only in the context of the generating security application and are, therefore, of limited use in determining whether a security concern spanning different security applications, and potentially affecting a larger portion of the network, is present. In short, the cross-security application interaction or cooperation currently found in the art is limited and virtually meaningless for use on an enterprise-wide basis.
A related problem with prior art security applications arises from a lack of scalability. In particular, prior art security applications lack the ability to structure network security event reporting into layers of hierarchical events. Rather, logs and alerts generated by client security applications are maintained in local persistent storages. These logs and alerts might be shared with other client and server systems through proprietary and conventional data transfer means, such as encapsulated within messages sent as User Datagram Protocol (UDP) datagrams. However, as the network topology grows, the reporting of network security events has an increasingly negative impact on communications bandwidth and available storage. At some point, the transfer of these events becomes unworkable, particularly in network topologies in which a centralized server receives all such events.
Therefore, there is a need for an approach to normalizing network security events, including logs and alerts, from multiple security applications into an arrangement enabling cross-security application analysis and reporting. Such an approach would preferably encapsulate individual security application events into security application-independent objects.
There is a further need for an approach to efficiently reporting network security events, including logs and alerts, in a scalable fashion. Such an approach would preferably store network security events in local event databases associated with each generating client system. The individual local event databases would be hierarchically-structured and network security events cascaded between successive layers to a centralized event database.
The present invention provides a system and process for processing cross-security application network events using a set of cross-reporting event databases, preferably structured in a hierarchical manner. Individual network events, including log and alert events, are generated by plug-in components operating on client systems. The network events are stored transitorily in local event databases and are forwarded to a centralized security management interface service operating on a centralized system. The local event databases can be structured into layers of nodes which temporarily store and forward the network events received from child nodes. The security management interface service includes a communications server service and database engine for interfacing to the event database. The communications server service also interfaces to one or more alert devices. In addition, an event viewer snap-in component interfaced to the security management interface service can generate graphical and tabular visualizations of the network event data received from the various client systems.
An embodiment of the present invention is a system and a process for reporting network events using hierarchically-structured event databases in a distributed computing environment. A centralized broker is executed on a designated system within the distributed computing environment. At least one security application is provided as a plug-in component on a client system interfaced remotely to the centralized broker. A local event database is maintained on the client system. The local event database includes a set of entries in which network events generated by the at least one security application are transitorily stored. Network events forwarded from the local event database are received via a communications server service. The communications server service exposes a set of communication interfaces implementing a plurality of event methods. Each communication interface defines an event management function which can be invoked by the centralized broker. Network entries in a centralized event database are accessed responsive to calls on the event management functions by the centralized broker. The centralized event database is maintained on the designated system. The centralized event database includes a set of entries in which network events received via the communications server service are stored.
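The store-and-forward hierarchy described above, modelled as an added illustration that is not part of the patent or any product: plug-in records are normalized into security application-independent event objects, held transitorily in a local event database, and cascaded layer by layer to the centralized event database. The record field names (severity, msg) and the log/alert threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NetworkEvent:
    """Security application-independent event object (constructed shape)."""
    origin: str       # client system that generated the event
    source_app: str   # plug-in component, e.g. "antivirus", "auth"
    kind: str         # "log" or "alert"
    message: str

def normalize(origin: str, source_app: str, raw: dict) -> NetworkEvent:
    """Map a proprietary plug-in record into the common event object.
    Field names and the severity threshold are assumptions, not the patent's."""
    kind = "alert" if raw.get("severity", 0) >= 3 else "log"
    return NetworkEvent(origin, source_app, kind, raw["msg"])

class EventNode:
    """A local event database: holds events transitorily, then forwards them
    to its parent node; the root (parent=None) is the centralized database."""
    def __init__(self, name: str, parent: Optional["EventNode"] = None):
        self.name, self.parent = name, parent
        self.pending: list = []   # transitory storage at this layer
        self.stored: list = []    # persistent storage, used at the root only

    def record(self, ev: NetworkEvent) -> None:
        self.pending.append(ev)

    def forward(self) -> int:
        """Cascade pending events one layer up; returns how many were moved."""
        batch, self.pending = self.pending, []
        if self.parent is None:
            self.stored.extend(batch)        # centralized database persists
        else:
            for ev in batch:
                self.parent.record(ev)       # parent holds them transitorily
        return len(batch)

def demo() -> dict:
    """Two sites of clients reporting through intermediate nodes (constructed)."""
    central = EventNode("central")
    sites = [EventNode("site-a", central), EventNode("site-b", central)]
    leaves = [EventNode(f"client-{i}", sites[i // 2]) for i in range(4)]
    leaves[0].record(normalize("client-0", "antivirus", {"severity": 4, "msg": "malware found"}))
    leaves[1].record(normalize("client-1", "os", {"severity": 1, "msg": "normal shutdown"}))
    leaves[3].record(normalize("client-3", "auth", {"severity": 3, "msg": "3 failed passwords"}))
    moved = sum(n.forward() for n in leaves + sites + [central])  # leaf-first order
    return {"moved": moved, "stored": len(central.stored),
            "alerts": [e.origin for e in central.stored if e.kind == "alert"],
            "pending_left": sum(len(n.pending) for n in leaves + sites + [central])}
```

Each event is counted once per layer it crosses, so the central database receives every event while no node is left holding transitory copies.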