Security event aggregation at software agent

US 7,644,438 B1
Filed: 10/27/2004
Issued: 01/05/2010
Est. Priority Date: 10/27/2004
Status: Expired due to Fees

First Claim

Patent Images

1. In a network security system, a method for aggregating security events, the method comprising:

receiving a security event from a network device;

selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;

identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many security events are represented by the aggregate event;

incrementing the count field value to represent the received security event; and

transmitting the aggregate event when the time range of the security events represented by the aggregate event exceeds the maximum time range.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security system can have a plurality of distributed software agents configured to collect security events from network devices. In one embodiment, the agents are configured to aggregate the security events. In one embodiment of the present invention, an agent includes a device interface to receive a security event from a network device, a plurality of aggregation profiles, and an agent aggregate module to select one of the plurality of aggregation profiles, and increment an event count of an aggregate event representing the received security event using the selected aggregation profile.

214 Citations

30 Claims

1. In a network security system, a method for aggregating security events, the method comprising:
- receiving a security event from a network device;
  
  selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;
  
  identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many security events are represented by the aggregate event;
  
  incrementing the count field value to represent the received security event; and
  
  transmitting the aggregate event when the time range of the security events represented by the aggregate event exceeds the maximum time range.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein selecting the one aggregation profile comprises selecting an aggregation profile associated with an event filter when the received security event satisfies the event filter.
  - 3. The method of claim 1, wherein the selected aggregation profile further defines parameters for security events that are represented by the aggregate event.
  - 4. The method of claim 1, wherein the selected aggregation profile enumerates one or more event fields whose values must match for two events to be considered satisfactorily similar for aggregation.
  - 5. The method of claim 4, wherein the aggregate event contains only fields enumerated in the selected aggregation profile.
  - 6. The method of claim 1, wherein the selected aggregation profile further defines a maximum event count.
  - 7. The method of claim 6, further comprising transmitting the aggregate event when the incremented event count equals the maximum event count.
  - 8. The method of claim 1, further comprising:
    - selecting a second aggregation profile of the plurality of aggregation profiles;
      
      identifying a second aggregate event corresponding to the second selected aggregation profile, wherein the second aggregate event includes a count field whose value indicates how many security events are represented by the second aggregate event; and
      
      incrementing the count field value of the second aggregate event to represent the received security event.
  - 9. The method of claim 8, further comprising transmitting the second aggregate event to an entity different from the entity receiving the aggregate event.
  - 10. The method of claim 1, wherein the network device comprises a firewall or an intrusion detection system.

11. An agent of a network security system, the agent comprising:
- a device interface to receive a security event from a network device;
  
  a plurality of aggregation profiles; and
  
  an agent aggregate module to;
  
  select one of the plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;
  
  identify an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many security events are represented by the aggregate event;
  
  increment the count field value to represent the received security event; and
  
  transmit the aggregate event when the time range of the security events represented by the aggregate event exceeds the maximum time range.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 25, 26, 27)
- - 12. The agent of claim 11, wherein the agent aggregate module comprises one or more event filters used to select the aggregation profile.
  - 13. The agent of claim 11, wherein the selected aggregation profile further defines parameters for security events that are represented by the aggregate event.
  - 14. The agent of claim 11, wherein the selected aggregation profile enumerates one or more event fields whose values must match for two events to be considered satisfactorily similar for aggregation.
  - 15. The agent of claim 11, wherein the selected aggregation profile enumerates one or more event fields preserved by the aggregate event.
  - 16. The agent of claim 11, wherein the selected aggregation profile further defines a maximum event count.
  - 17. The agent of claim 11, wherein the network device comprises a firewall or an intrusion detection system.
  - 25. The agent of claim 16, wherein the agent aggregate module is further configured to transmit the aggregate event when the incremented event count equals the maximum event count.
  - 26. The agent of claim 11, wherein the agent aggregate module is further configured to:
    - select a second aggregation profile of the plurality of aggregation profiles;
      
      identify a second aggregate event corresponding to the second selected aggregation profile, wherein the second aggregate event includes a count field whose value indicates how many security events are represented by the second aggregate event; and
      
      increment the count field value of the second aggregate event to represent the received security event.
  - 27. The agent of claim 26, wherein the agent aggregate module is further configured to transmit the second aggregate event to an entity different from the entity receiving the aggregate event.

18. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a security event from a network device;
  
  selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;
  
  identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many security events are represented by the aggregate event;
  
  incrementing the count field value to represent the received security event; and
  
  transmitting the aggregate event when the time range of the security events represented by the aggregate event exceeds the maximum time range.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 28, 29, 30)
- - 19. The machine-readable medium of claim 18, wherein selecting the one aggregation profile comprises selecting an aggregation profile associated with an event filter when the received security event satisfies the event filter.
  - 20. The machine-readable medium of claim 18, wherein the selected aggregation profile further defines parameters for security events that are represented by the aggregate event.
  - 21. The machine-readable medium of claim 18, wherein the selected aggregation profile enumerates one or more event fields whose values must match for two events to be considered satisfactorily similar for aggregation.
  - 22. The machine-readable medium of claim 21, wherein the aggregate event contains only fields enumerated in the selected aggregation profile.
  - 23. The machine-readable medium of claim 18, wherein the selected aggregation profile further defines a maximum event count for the aggregate event.
  - 24. The machine-readable medium of claim 18, wherein the instructions further cause the processor to perform operations comprising:
    - selecting a second aggregation profile of the plurality of aggregation profiles;
      
      identifying a second aggregate event corresponding to the second selected aggregation profile, wherein the second aggregate event includes a count field whose value indicates how many security events are represented by the second aggregate event; and
      
      incrementing the count field value of the second aggregate event to represent the received security event.
  - 28. The machine-readable medium of claim 23, wherein the instructions further cause the processor to perform operations comprising transmitting the aggregate event when the incremented event count equals the maximum event count.
  - 29. The machine-readable medium of claim 24, wherein the instructions further cause the processor to perform operations comprising transmitting the second aggregate event to an entity different from the entity receiving the aggregate event.
  - 30. The machine-readable medium of claim 18, wherein the network device comprises a firewall or an intrusion detection system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Dash, Debabrata, Aguilar-Macias, Hector
Primary Examiner(s)
Truong; Thanhnga B

Application Number

US10/975,962
Time in Patent Office

1,896 Days
Field of Search

726/14, 726 22- 24, 709223-224, 703/17, 340/531
US Class Current

726/22
CPC Class Codes

H04L 63/0218 Distributed architectures, ...

H04L 63/1416 Event detection, e.g. attac...

Security event aggregation at software agent

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

214 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Security event aggregation at software agent

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

214 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others