Method for batching events for transmission by software agent

US 7,219,239 B1
Filed: 12/02/2002
Issued: 05/15/2007
Est. Priority Date: 12/02/2002
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving security events from a network device by a distributed software agent of a network security system;

determining a first priority of each received security event, the first priority relating to an importance of the event;

storing the security events in a plurality of prioritized event buffers based on the determined first priorities for a period of time determined by a timer; and

upon expiration of the timer;

determining a batching priority for ones of the stored security events in accordance with both their first priority and with how long they have been waiting to be sent, andcreating a batch of security events for transport to a security event manager of the network security system by including security events in the batch in order of the batching priority until the batch is full, where a batch of security events has at most a predetermined number of security events and the predetermined number can be more than the number of stored security events waiting to be sent.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, the present invention provides for receiving security events from a network device by a distributed software agent of a network security system, determining a priority of each received security event, and storing the security events in a plurality of prioritized event buffers based on the determined priorities for a period of time determined by a timer. Upon expiration of the timer, a batch of security events for transport to a security event manager of the network security system can be created by including security events in the batch in order of priority until the batch is full.

204 Citations

27 Claims

1. A method, comprising:
- receiving security events from a network device by a distributed software agent of a network security system;
  
  determining a first priority of each received security event, the first priority relating to an importance of the event;
  
  storing the security events in a plurality of prioritized event buffers based on the determined first priorities for a period of time determined by a timer; and
  
  upon expiration of the timer;
  
  determining a batching priority for ones of the stored security events in accordance with both their first priority and with how long they have been waiting to be sent, andcreating a batch of security events for transport to a security event manager of the network security system by including security events in the batch in order of the batching priority until the batch is full, where a batch of security events has at most a predetermined number of security events and the predetermined number can be more than the number of stored security events waiting to be sent.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the security events conform to a normalized security event schema.
  - 3. The method of claim 2, wherein the normalized security event schema includes a priority field, and determining the first priority of each received security event comprises scanning information contained in the priority field of each security event.
  - 4. The method of claim 3, wherein scanning for high priority security events is based on a normalized priority scale of the normalized security event schema, and the plurality of prioritized event buffers correspond to the priority scale.
  - 5. The method of claim 4, wherein the priority scale of the normalized security event schema includes a very-high priority, a high priority, a medium priority, a low priority, or an unknown priority, and the plurality of prioritized event buffers comprise five event buffers, each corresponding to one priority of the priority scale.
  - 6. The method of claim 1, wherein the security event manager resides on a machine linked by a communications medium to a machine on which the agent resides.
  - 7. The method of claim 6, further comprising sending the batched security events over the communications medium using a transport protocol request.

8. A distributed software agent, stored in a memory of a data processing system and executed by a processor of the data processing system, comprising:
- a channel access component configured to receive security events from a network device monitored by the agent; and
  
  an agent batch component comprising;
  
  a priority scanner configured to determine a first priority of each received security event;
  
  a plurality of prioritized event buffers for storing the security events;
  
  a timer configured to store the received security events in the plurality of prioritized event buffers according to the first priority of each security event as determined by the priority scanner until the timer expires; and
  
  means for creating a batch of security events for transport to a security event manager of a network security system by including security events in the batch in order of a batching priority, the batching priority of an event based on both the event'"'"'s first priority and with how long the event has been waiting to be sent, until the batch is full, where a batch of security events has at most a predetermined number of security events and the predetermined number can be more than the number of stored security events waiting to be sent.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The agent of claim 8, wherein the security events conform to a normalized security event schema used by the network security system.
  - 10. The agent of claim 9, wherein the normalized security event schema includes a priority field, and the priority scanner determines the first priority of each received security event by scanning information contained in the priority field of each security event.
  - 11. The agent of claim 10, wherein scanning for high priority security events is based on a normalized priority scale of the normalized security event schema, and the plurality of prioritized event buffers correspond to the priority scale.
  - 12. The agent of claim 11, wherein the priority scale of the normalized security event schema includes a very-high priority, a high priority, a medium priority, a low priority, or an unknown priority, and the plurality of prioritized event buffers comprise five event buffers, each corresponding to one priority of the priority scale.

13. A machine-readable medium containing data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving security events from a network device by a distributed software agent of a network security system;
  
  determining a priority of each received security event;
  
  storing the security events in a plurality of prioritized event buffers based on the determined priorities for a period of time determined by a timer; and
  
  upon expiration of the timer;
  
  determining a batching priority for ones of the stored security events in accordance with both their first priority and with how long they have been waiting to be sent, andcreating a batch of security events for transport to a security event manager of the network security system by including security events in the batch in order of the batching priority until the batch is full, where a batch of security events has at most a predetermined number of security events and the predetermined number can be more than the number of stored security events waiting to be sent.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The machine-readable medium of claim 13, wherein the security events conform to a normalized security event schema.
  - 15. The machine-readable medium of claim 14, wherein the normalized security event schema includes a priority field, and determining the first priority of each received security event comprises scanning information contained in the priority field of each security event.
  - 16. The machine-readable medium of claim 15, wherein scanning for high priority security events is based on a normalized priority scale of the normalized security event schema, and the plurality of prioritized event buffers correspond to the priority scale.
  - 17. The machine-readable medium of claim 16, wherein the priority scale of the normalized security event schema includes a very-high priority, a high priority, a medium priority, a low priority, or an unknown priority, and the plurality of prioritized event buffers comprise five event buffers, each corresponding to one priority of the priority scale.
  - 18. The machine-readable medium of claim 14, wherein the security event manager resides on a machine linked by a communications medium to a machine on which the agent resides.
  - 19. The machine-readable medium of claim 18, wherein the instructions further cause the processor to send the batched security events over the communications medium using a transport protocol request.

20. A method comprising:
- receiving security events from a network device by a distributed software agent of a network security system;
  
  storing, in one or more event buffers, a number of received security events having a first priority related to the event'"'"'s importance; and
  
  upon storing the number of security events in the one or more event buffers, batching the security events stored in the one or more event buffers, in accordance with a batching priority of the security events that is determined in accordance with both a first priority of the security events and with how long the security events have been waiting to be sent, for transport to a security event manager of the network security system, where a batch of security events has at most a predetermined number of security events and the predetermined number can be more than the number of stored security events waiting to be sent.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, further comprising sending the batched security events to the security event manager.
  - 22. The method of claim 21, wherein sending the batched security events comprises making a transfer protocol request.
  - 23. The method of claim 21, wherein sending the batched security events comprises sending an http request.

24. A machine-readable medium containing data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving security events from a network device by a distributed software agent of a network security system;
  
  storing, in one or more event buffers, a number of received security events; and
  
  upon storing the number of security event in the one or more event buffers, batching the security events stored in the one or more event buffers, in accordance with a batching priority of the security events that is determined in accordance with both a first priority of the security events and with how long the security events have been waiting to be sent, for transport to a security event manager of the network security system, where a batch of security events has at most a predetermined number of security events and the predetermined number can be more than the number of stored security events waiting to be sent.
- View Dependent Claims (25, 26, 27)
- - 25. The machine-readable medium of claim 24, further comprising sending the batched security events to the security event manager.
  - 26. The machine-readable medium of claim 25, wherein sending the batched security events comprises making a transfer protocol request.
  - 27. The machine-readable medium of claim 25, wherein sending the batched security events comprises sending an http request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Njemanze, Hugh S., Aguilar-Macias, Hector, Beedgen, Christian Friedrich
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
LOVING, JARIC E

Application Number

US10/308,585
Time in Patent Office

1,625 Days
Field of Search

726/22
US Class Current

726/3
CPC Class Codes

H04L 63/0218 Distributed architectures, ...

H04L 63/1416 Event detection, e.g. attac...

Method for batching events for transmission by software agent

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

204 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method for batching events for transmission by software agent

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

204 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links