Independent claim
1. A network security system comprising:
    a plurality of subsystems, each subsystem comprising:
        a plurality of distributed software agents, each agent configured:
            to collect a base security event from a monitor device; and
            to transmit the base security event;
        a local manager module coupled to the plurality of distributed software agents, configured:
            to receive, from each agent, the base security event;
            to generate one or more local correlated events by correlating the received base security events, wherein a local correlated event comprises a conclusion drawn from the received base security events according to a rule based on at least a vulnerability of a target network node, the rule grouping security incidents associated with the base security events into a plurality of threat levels, and wherein the conclusion indicates that a plurality of the received base security events is associated with a same security incident; and
            to transmit the one or more local correlated events; and
        a filter coupled to the local manager module, configured:
            to receive the one or more local correlated events;
            to select local correlated events; and
            to transmit the selected local correlated events; and
    a global manager module coupled to the plurality of subsystems, comprising a processor configured:
        to receive, from each subsystem, the selected local correlated events; and
        to generate one or more global correlated events by correlating the received selected local correlated events, wherein a global correlated event comprises a second conclusion drawn from the received selected local correlated events according to a second rule, and wherein the second conclusion indicates that a plurality of the received selected local correlated events is associated with a second same security incident.
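As an added illustration, not the patent's own code or any particular product, the Python below models the claimed two-tier correlation on constructed data: a local rule keyed on the target node's vulnerability groups base events into threat levels and concludes which events belong to one incident, a filter forwards only the high-level local conclusions, and a global manager applies a second rule that merges conclusions about the same incident arriving from different subsystems. The VULNERABLE inventory, the "high"/"low" levels and the sample events are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class BaseEvent:           # what one agent collects from a monitor device
    subsystem: str         # subsystem the agent belongs to
    target: str            # target network node
    signature: str         # what the monitor reported

@dataclass(frozen=True)
class CorrelatedEvent:     # a conclusion: these events are one security incident
    incident: str
    threat_level: str
    count: int             # base events folded into the conclusion
    subsystems: tuple      # subsystems that contributed

# Constructed (hypothetical) inventory: which targets are exposed to which attack.
VULNERABLE = {("web-01", "sql-injection"), ("db-02", "weak-creds")}

def threat_level(target, signature):
    """Local rule: the threat level depends on the target node's vulnerability."""
    return "high" if (target, signature) in VULNERABLE else "low"

def local_correlate(events):
    """Local manager: base events sharing target and signature are one incident."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.target, e.signature)].append(e)
    return [CorrelatedEvent(f"{t}:{s}", threat_level(t, s), len(g), (g[0].subsystem,))
            for (t, s), g in groups.items()]

def select_events(local_events, keep=("high",)):
    """Filter: forward only local conclusions at the chosen threat levels."""
    return [ev for ev in local_events if ev.threat_level in keep]

def global_correlate(selected):
    """Global manager (second rule): one incident reported by several subsystems."""
    merged = {}
    for ev in selected:
        p = merged.get(ev.incident)
        merged[ev.incident] = ev if p is None else CorrelatedEvent(
            ev.incident, ev.threat_level, p.count + ev.count, p.subsystems + ev.subsystems)
    return sorted(merged.values(), key=lambda ev: ev.incident)

def run_pipeline(events):   # agents -> per-subsystem local manager and filter -> global manager
    by_subsystem = defaultdict(list)
    for e in events:
        by_subsystem[e.subsystem].append(e)
    return global_correlate([ev for sub in by_subsystem.values()
                             for ev in select_events(local_correlate(sub))])

# Constructed sample: two subsystems see the same SQL-injection attempts on web-01.
SAMPLE = [BaseEvent(*e) for e in [("A", "web-01", "sql-injection"), ("A", "web-01", "sql-injection"),
          ("A", "db-02", "weak-creds"), ("A", "web-01", "port-scan"), ("B", "web-01", "sql-injection")]]
```

The low-level port scan never leaves subsystem A, while the SQL-injection conclusions from A and B are merged into one global event covering both subsystems.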