Security event aggregation at software agent
First Claim
1. In a network security system, a method for aggregating security events, the method comprising:
- receiving a security event from a network device;
- selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;
- identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many security events are represented by the aggregate event;
- incrementing the count field value to represent the received security event; and
- transmitting the aggregate event when the time range of the security events represented by the aggregate event exceeds the maximum time range.
Abstract
A network security system can have a plurality of distributed software agents configured to collect security events from network devices. In one embodiment, the agents are configured to aggregate the security events. In one embodiment of the present invention, an agent includes a device interface to receive a security event from a network device, a plurality of aggregation profiles, and an agent aggregate module to select one of the plurality of aggregation profiles, and increment an event count of an aggregate event representing the received security event using the selected aggregation profile.
30 Claims
1. In a network security system, a method for aggregating security events (independent claim; full text as reproduced under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. An agent of a network security system, the agent comprising:
- a device interface to receive a security event from a network device;
- a plurality of aggregation profiles; and
- an agent aggregate module to:
  - select one of the plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;
  - identify an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many security events are represented by the aggregate event;
  - increment the count field value to represent the received security event; and
  - transmit the aggregate event when the time range of the security events represented by the aggregate event exceeds the maximum time range.
Dependent claims: 12, 13, 14, 15, 16, 17, 25, 26, 27.
18. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a security event from a network device;
- selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;
- identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many security events are represented by the aggregate event;
- incrementing the count field value to represent the received security event; and
- transmitting the aggregate event when the time range of the security events represented by the aggregate event exceeds the maximum time range.
Dependent claims: 19, 20, 21, 22, 23, 24, 28, 29, 30.
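As an added illustration, not code from the patent or its assignee, the following Python sketches the aggregation loop that the abstract and the three independent claims describe: a security event arrives at the agent, one aggregation profile is selected, the aggregate event for that profile is found or created, its count field is incremented, and the aggregate is transmitted once the time range of the events it represents exceeds the profile's maximum time range. The event fields, the per-profile selector predicate, the key fields that decide which events share one aggregate, and the pass-through of events that match no profile are all assumptions; the page does not specify them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class SecurityEvent:
    """One event as received from a network device. Field set is assumed; the claim only says 'security event'."""
    timestamp: float  # seconds
    device: str
    name: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AggregationProfile:
    """Which events the profile applies to, which fields must match, and the maximum time range."""
    name: str
    selector: Callable[[SecurityEvent], bool]  # assumed selection rule; the page does not say how a profile is chosen
    key_fields: Tuple[str, ...]                # events sharing these field values are represented by one aggregate
    max_time_range: float                      # seconds; the claim's "maximum time range"

    def key(self, ev: SecurityEvent) -> Tuple:
        return (self.name,) + tuple(getattr(ev, f) for f in self.key_fields)


@dataclass
class AggregateEvent:
    """Represents `count` security events sharing one key; start/end bound the time range they span."""
    profile: str
    key: Tuple
    start_time: float
    end_time: float
    count: int = 0
    first: Optional[SecurityEvent] = None  # representative event kept for downstream context

    @property
    def time_range(self) -> float:
        return self.end_time - self.start_time


class AgentAggregateModule:
    """Agent-side aggregate module: select profile, find/create aggregate, increment count, transmit on overflow."""

    def __init__(self, profiles: List[AggregationProfile]):
        self.profiles = profiles
        self.open: Dict[Tuple, AggregateEvent] = {}
        self.transmitted: List[Union[AggregateEvent, SecurityEvent]] = []

    def select_profile(self, ev: SecurityEvent) -> Optional[AggregationProfile]:
        # First profile whose selector accepts the event wins (assumed policy).
        for p in self.profiles:
            if p.selector(ev):
                return p
        return None

    def receive(self, ev: SecurityEvent) -> None:
        profile = self.select_profile(ev)
        if profile is None:
            self.transmitted.append(ev)  # no profile applies: forward the raw event (assumed behaviour)
            return
        key = profile.key(ev)
        agg = self.open.get(key)
        if agg is None:
            agg = AggregateEvent(profile.name, key, ev.timestamp, ev.timestamp, 0, ev)
            self.open[key] = agg
        agg.count += 1                                       # the claim's count-field increment
        agg.start_time = min(agg.start_time, ev.timestamp)   # tolerate out-of-order delivery
        agg.end_time = max(agg.end_time, ev.timestamp)
        if agg.time_range > profile.max_time_range:          # "exceeds the maximum time range"
            self._transmit(key)

    def _transmit(self, key: Tuple) -> None:
        self.transmitted.append(self.open.pop(key))

    def flush(self) -> None:
        # Close out every open aggregate, e.g. at end of batch or agent shutdown.
        for key in list(self.open):
            self._transmit(key)


# Constructed sample input: a burst of firewall denies from one source to one target (six events over
# 12 s), one unrelated permit, and one more deny after the 10 s window has been exceeded.
PROFILES = [
    AggregationProfile("firewall-deny", lambda e: e.name == "deny", ("device", "src_ip", "dst_ip"), 10.0),
    AggregationProfile("auth-failure", lambda e: e.name == "auth_failure", ("device", "src_ip"), 60.0),
]
SAMPLE_EVENTS = [
    SecurityEvent(t, "fw1", "deny", "10.0.0.5", "10.0.0.9", 1000 + i) for i, t in enumerate([0, 2, 4, 6, 8, 12])
] + [
    SecurityEvent(7, "fw1", "permit", "10.0.0.5", "10.0.0.9", 443),
    SecurityEvent(13, "fw1", "deny", "10.0.0.5", "10.0.0.9", 1007),
]


def run_demo() -> AgentAggregateModule:
    mod = AgentAggregateModule(PROFILES)
    for ev in sorted(SAMPLE_EVENTS, key=lambda e: e.timestamp):
        mod.receive(ev)
    return mod


if __name__ == "__main__":
    m = run_demo()
    for item in m.transmitted:
        print(item)
    print("still open:", len(m.open))
```

With this input the permit is forwarded as-is, the six denies between t=0 and t=12 leave the agent as a single aggregate with count 6 (the manager keeps the volume information for threshold rules while receiving one event instead of six), and the deny at t=13 opens a fresh aggregate that is only transmitted on flush. An aggregate whose events simply stop arriving would likewise wait until flush; the page describes no timer for that case, so none is shown here.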