Network security monitoring system employing bi-directional communication

US 7,650,638 B1
Filed: 12/02/2002
Issued: 01/19/2010
Est. Priority Date: 12/02/2002
Status: Active Grant

First Claim

Patent Images

1. A method performed by a processor-based manager of providing bi-directional communication, comprising:

receiving a heartbeat message from a software agent, the software agent configured to periodically send the heartbeat message and further configured to report a security event, wherein the security event originated in an event log that was generated by a network component, and wherein the security event comprises information about operation of the network component; and

in response to receiving the heartbeat message;

identifying the software agent;

determining how to respond to the heartbeat message, including determining a rule-initiated instruction to send to the software agent;

preparing a response message that includes the rule-initiated instruction; and

sending the response message to the software agent.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides for the receipt of a heartbeat message transmitted from a software agent within a host machine to a server-based agent manager. The server-based agent manager analyzes the heartbeat message to determine the identity of the sending software agent. The server-based agent manager then determines what information is to be included in a response message to the software agent. The server-based agent manager prepares the response message to be sent to the software agent. The server-based agent manager transmits the response message to the software agent over a bi-directional communication link between the software agent and the server-based agent manager. The software agent receives the response message; deserializes the response message; reviews the instructions within the response message; and performs operations necessary to carry out the instructions delivered in the response message.

170 Citations

View as Search Results

26 Claims

1. A method performed by a processor-based manager of providing bi-directional communication, comprising:
- receiving a heartbeat message from a software agent, the software agent configured to periodically send the heartbeat message and further configured to report a security event, wherein the security event originated in an event log that was generated by a network component, and wherein the security event comprises information about operation of the network component; and
  
  in response to receiving the heartbeat message;
  
  identifying the software agent;
  
  determining how to respond to the heartbeat message, including determining a rule-initiated instruction to send to the software agent;
  
  preparing a response message that includes the rule-initiated instruction; and
  
  sending the response message to the software agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the heartbeat message is sent from the software agent at set intervals.
  - 3. The method of claim 2 wherein the set intervals are configurable.
  - 4. The method of claim 1 wherein identifying the software agent comprises:
    - parsing the heartbeat message for identity information; and
      
      comparing the identity information against a table of known software agents.
  - 5. The method of claim 1 wherein determining how to respond to the heartbeat message further includes determining a user-initiated instruction to send to the software agent, and wherein the response message further includes the user-initiated instruction.
  - 6. The method of claim 5 wherein user the user-initiated instruction comprises a command to modify the software agent'"'"'s configuration.
  - 7. The method of claim 5 wherein the user-initiated instruction comprises a command to stop or pause the software agent.
  - 8. The method of claim 1 wherein rules the rule-initiated instruction comprises a UNIX shell script.
  - 9. The method of claim 1 wherein the heartbeat message and the response message are transmitted on a bi-directional communication link between the software agent and an agent manager.
  - 10. The method of claim 1 further comprising deserializing, at the software agent, the response message.

11. A system, comprising:
- a bi-directional communication link between a software agent included within a host machine and a server-based agent manager, wherein the software agent is configured to periodically send a heartbeat message and further configured to report a security event, wherein the security event originated in an event log that was generated by a network component, and wherein the security event comprises information about operation of the network component;
  
  a first processor comprising;
  
  an agent interface component configured to transmit a first message onto and receive a second message from the bi-directional communication link; and
  
  an agent heartbeat receiver component configured to deserialize the second message received by the agent interface component; and
  
  a second processor comprising an agent-manager interface component configured to receive the first message from the bi-directional communication link and to transmit the second message onto the bi-directional communication link, wherein the second message includes a rule-initiated instruction to send to the software agent.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11 wherein the first message comprises a heartbeat message.
  - 13. The system of claim 11 wherein the agent interface component is further configured to transmit the first message at set intervals.
  - 14. The system of claim 13 wherein the set intervals are configurable.
  - 15. The system of claim 11 wherein the first message is received at the agent manager.
  - 16. The system of claim 11 further comprising an agent-manager identification component to identify the agent by parsing the first message for identity information and comparing the identity information against a table of known software agents.
  - 17. The system of claim 11 wherein the agent-manager interface component transmits the second message in response to receipt of the first message.
  - 18. The system of claim 11 wherein the second message includes an instruction related to the configuration and control of the software agent.
  - 19. The system of claim 11 wherein the second message further includes a user-initiated instruction to send to the software agent.
  - 20. The system of claim 11 wherein the rule-initiated instruction is automatically generated.

21. A computer storage medium, having stored thereon computer-readable instructions, which when executed in a computer system, cause the computer system to:
- receive a heartbeat message from a software agent, the software agent configured to periodically send the heartbeat message and further configured to report a security event, wherein the security event originated in an event log that was generated by a network component, and wherein the security event comprises information about operation of the network component; and
  
  in response to receiving the heartbeat message;
  
  identify the software agent;
  
  determine how to respond to the heartbeat message, including determining a rule-initiated instruction to send to the software agent;
  
  prepare a response message that includes the rule-initiated instruction; and
  
  send the response message to the software agent.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The computer storage medium of claim 21 wherein identifying the software agent comprises:
    - parsing the heartbeat message for identity information; and
      
      comparing the identity information against a table of known software agents.
  - 23. The computer storage medium of claim 21 wherein determining how to respond to the heartbeat message further includes determining a user-initiated instruction to send to the software agent, and wherein the response message further includes the user-initiated instruction.
  - 24. The computer storage medium of claim 23 wherein the user-initiated instruction comprises a command to modify the software agent'"'"'s configuration.
  - 25. The computer storage medium of claim 23 wherein the user-initiated instruction comprises a command to stop or pause the software agent.
  - 26. The computer storage medium of claim 21 wherein the rule-initiated instruction comprises a UNIX shell script.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Zeng, Qiang, Beedgen, Christian Friedrich, Njemanze, Hugh S., Aguilar-Macias, Hector, Kothari, Pravin S.
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
Reza; Mohammad W

Application Number

US10/308,417
Time in Patent Office

2,605 Days
Field of Search

713/189, 713/201, 713/170, 726/22, 726/23, 726/24, 726/25
US Class Current

726/23
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Network security monitoring system employing bi-directional communication

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

170 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Network security monitoring system employing bi-directional communication

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

170 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links