Synchronizing network security devices within a network security system

US 7,565,696 B1
Filed: 12/10/2003
Issued: 07/21/2009
Est. Priority Date: 12/10/2003
Status: Active Grant

First Claim

Patent Images

1. A network security system comprising:

a first distributed software agent comprising a processor configured to collect a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;

a second distributed software agent comprising a processor configured to collect a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock; and

a manager module in communication with the distributed software agents, the manager module comprising a processor configured to;

receive the first and second stream of alerts;

identify a first alert in the first stream and a second alert in the second stream,wherein the first alert includes an Internet Protocol (IP) address, andwherein the second alert includes the IP address;

determine, based on the first alert and the second alert, whether the first clockand the second clock are synchronized; and

when the first clock and the second clock are not synchronized;

synchronize the first clock and the second clock;

modify at least one of a timestamp within the first alert and a timestamp within the second alert; and

after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determine whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Clocks used by network security devices can be synchronized by a network security system. In one embodiment, the synchronization can include the network security system receiving a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock. Similarly, the network security system can receive a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock. The system can then identify a common event represented by a first alert in the first stream from the first network security device and by a second alert in the second stream from the second network security device, and then synchronize the first clock and the second clock using the common event.

Citations

23 Claims

1. A network security system comprising:
- a first distributed software agent comprising a processor configured to collect a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;
  
  a second distributed software agent comprising a processor configured to collect a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock; and
  
  a manager module in communication with the distributed software agents, the manager module comprising a processor configured to;
  
  receive the first and second stream of alerts;
  
  identify a first alert in the first stream and a second alert in the second stream,wherein the first alert includes an Internet Protocol (IP) address, andwherein the second alert includes the IP address;
  
  determine, based on the first alert and the second alert, whether the first clockand the second clock are synchronized; and
  
  when the first clock and the second clock are not synchronized;
  
  synchronize the first clock and the second clock;
  
  modify at least one of a timestamp within the first alert and a timestamp within the second alert; and
  
  after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determine whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network security system of claim 1, wherein the manager module synchronizes the first clock and the second clock by determining a synchronization error using the time of detection included in the first alert and the time of detection included in the second alert, and correcting the synchronization error.
  - 3. The network security system of claim 1, wherein the manager module synchronizes the first clock and the second clock by selecting one of the first and second clocks as a reference clock, and adjusting the other clock to the reference clock.
  - 4. The network security system of claim 3, wherein selecting one of the first and second clocks comprises determining a relationship of the first and second clocks to a system-wide reference clock.
  - 5. The network security system of claim 1, wherein the manager module synchronizes the first clock and the second clock by adjusting a time offset associated with the first clock.
  - 6. The network security system of claim 1, wherein the second alert corroborates the first alert.
  - 7. The network security system of claim 1, wherein the first network security device comprises an Intrusion Detection System (IDS).

8. A method performed by a network security system, the method comprising:
- receiving a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;
  
  receiving a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock;
  
  identifying a first alert in the first stream and a second alert in the second stream, wherein the first alert includes an Internet Protocol (IP) address, and wherein the second alert includes the IP address;
  
  determining, based on the first alert and the second alert, whether the first clock and the second clock are synchronized; and
  
  when the first clock and the second clock are not synchronized;
  
  synchronizing the first clock and the second clock;
  
  modifying at least one of a timestamp within the first alert and a timestamp within the second alert; and
  
  after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determining whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
- View Dependent Claims (9, 10, 11, 12, 13, 22, 23)
- - 9. The method of claim 8, wherein synchronizing the first clock and the second clock comprises determining a synchronization error using the time of detection included in the first alert and the time of detection included in the second alert, and correcting the synchronization error.
  - 10. The method of claim 8, wherein synchronizing the first clock and the second clock comprises selecting one of the first and second clocks as a reference clock, and adjusting the other clock to the reference clock.
  - 11. The method of claim 10, wherein selecting one of the first and second clocks comprises determining a relationship of the first and second clocks to a system-wide reference clock.
  - 12. The method of claim 8, wherein synchronizing the first clock and the second clock comprises adjusting a time offset associated with the first clock.
  - 13. The method of claim 8, wherein the second alert corroborates the first alert.
  - 22. The method of claim 8, further comprising causing the event represented by the first alert to occur.
  - 23. The method of claim 22, further comprising causing the event represented by the second alert to occur.

14. A machine readable medium storing a set of instructions that, when executed by the machine, cause the machine to:
- receive a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;
  
  receive a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock;
  
  identify a first alert in the first stream and a second alert in the second stream wherein the first alert includes an Internet Protocol (IP) address, and wherein the second alert includes the IP address;
  
  determine, based on the first alert and the second alert, whether the first clock and the second clock are synchronized; and
  
  when the first clock and the second clock are not synchronized;
  
  synchronize the first clock and the second clock;
  
  modify at least one of a timestamp within the first alert and a timestamp within the second alert; and
  
  after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determine whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The machine readable medium of claim 14, wherein synchronizing the first clock and the second clock comprises determining a synchronization error using the time of detection included in the first alert and the time of detection included in the second alert, and correcting the synchronization error.
  - 16. The machine readable medium of claim 14, wherein synchronizing the first clock and the second clock comprises selecting one of the first and second clocks as a reference clock, and adjusting the other clock to the reference clock.
  - 17. The machine readable medium of claim 16, wherein selecting one of the first and second clocks comprises determining a relationship of the first and second clocks to a system-wide reference clock.
  - 18. The machine readable medium of claim 14, wherein synchronizing the first clock and the second clock comprises adjusting a time offset associated with the first clock.
  - 19. The machine readable medium of claim 14, wherein the second alert corroborates the first alert.

20. A network security system comprising:
- a plurality of distributed software agents, each comprising a processor configured to collect alerts from a plurality of corresponding network security devices, each network security device having a clock; and
  
  a manager module in communication with the distributed software agents, the manager module comprising a processor configured to;
  
  receive the alerts;
  
  identify alerts from a subset of the plurality of network security devices, wherein all of the identified alerts include a particular Internet Protocol (IP) address;
  
  determine, based on the identified alerts, whether the clocks of the subset of the plurality of network security devices are synchronized; and
  
  when the clocks of the subset of the plurality of network security devices are not synchronized;
  
  synchronize the clocks of the subset of the plurality of network security devices;
  
  modify at least one of a timestamp within a first identified alert and a timestamp within a second identified alert; and
  
  after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determine whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
- View Dependent Claims (21)
- - 21. The network security system of claim 20, wherein the manager module synchronizes the clocks of the subset of the plurality of network security devices by adjusting timestamps in each alert received from the subset of the plurality of network security devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Njemanze, Hugh S.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Debnath; Suman

Application Number

US10/733,073
Time in Patent Office

2,050 Days
Field of Search

726 22- 25, 713/176, 713/178, 709223-224, 370/389, 370/503
US Class Current

726/25
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 63/16   Implementing security featu...

H04L 63/20   for managing network securi...

Synchronizing network security devices within a network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Synchronizing network security devices within a network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links