Modular agent for network security intrusion detection system

US 7,788,722 B1
Filed: 12/02/2002
Issued: 08/31/2010
Est. Priority Date: 12/02/2002
Status: Active Grant

First Claim

Patent Images

1. A machine-readable medium encoded with:

a plurality of software modules, wherein each software module is configured to receive a normalized event, to modify the normalized event, and to output the modified normalized event; and

software agent instructions that, when executed by a processor, cause the processor to perform instructions comprising;

receiving, from a first device, an event, that originated in an event log that was generated by the first device;

parsing the event received from the first device;

creating a normalized event based on the parsed event;

modifying the normalized event using a set of software modules, wherein the set of software modules comprises two or more software modules of the plurality of software modules and does not comprise all of the plurality of software modules; and

transmitting the modified normalized event to a second device;

wherein a configuration file, associated with the software agent instructions, indicates which software modules of the plurality of software modules are in the set of software modules that are used by the software agent instructions, and wherein the configuration file is stored on a second machine-readable medium.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides for the receipt of a request to modify a software agent'"'"'s configuration at a server-based manager. A determination of the modifications to the software agent is made at the server-based manager. The requested modifications are then delivered to the software agent. The software agent interprets the requested modifications and implements them.

Citations

21 Claims

1. A machine-readable medium encoded with:
- a plurality of software modules, wherein each software module is configured to receive a normalized event, to modify the normalized event, and to output the modified normalized event; and
  
  software agent instructions that, when executed by a processor, cause the processor to perform instructions comprising;
  
  receiving, from a first device, an event, that originated in an event log that was generated by the first device;
  
  parsing the event received from the first device;
  
  creating a normalized event based on the parsed event;
  
  modifying the normalized event using a set of software modules, wherein the set of software modules comprises two or more software modules of the plurality of software modules and does not comprise all of the plurality of software modules; and
  
  transmitting the modified normalized event to a second device;
  
  wherein a configuration file, associated with the software agent instructions, indicates which software modules of the plurality of software modules are in the set of software modules that are used by the software agent instructions, and wherein the configuration file is stored on a second machine-readable medium.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The machine-readable medium of claim 1 wherein the set of software modules comprises a batch software module.
  - 3. The machine-readable medium of claim 1 wherein the set of software modules comprises a transport software module.
  - 4. The machine-readable medium of claim 1 wherein the second device includes the second machine-readable medium.
  - 5. The machine-readable medium of claim 1 wherein the first device comprises a network device.
  - 6. The machine-readable medium of claim 1 wherein an event comprises a security event.
  - 7. The machine-readable medium of claim 1 wherein the software agent instructions, when executed by the processor, further cause the processor to receive the event from the first device in a format specific to the first device.
  - 8. The machine-readable medium of claim 1 wherein the software agent instructions, when executed by the processor, further cause the processor to transmit the modified normalized event to the second device in a format not specific to the first device.
  - 9. The machine-readable medium of claim 1 wherein the configuration file comprises an ASCII (American Standard Code for Information Interchange) text file.
  - 10. The machine-readable medium of claim 1 wherein the set of software modules comprises a time correction software module that is configured to modify a normalized event by modifying an agent time within the normalized event or by modifying a detect time within the normalized event.
  - 11. The machine-readable medium of claim 1 wherein the set of software modules comprises an aggregate software module that is configured to modify a normalized event by modifying a count field within the normalized event.
  - 12. The machine-readable medium of claim 1 wherein the set of software modules comprises a resolver software module that is configured to modify a normalized event by modifying an address description within the normalized event.
  - 13. The machine-readable medium of claim 1, further encoded with:
    - second software agent instructions that, when executed by a processor, cause the processor to receive an event from a third device, to modify the event received from the third device using a second set of software modules, and to transmit the modified event to the second device, wherein the second set of software modules comprises two or more software modules of the plurality of software modules;
14. The machine-readable medium of claim 13 wherein the second configuration file is stored on the second machine-readable medium.
15. The machine-readable medium of claim 1 wherein the software agent instructions support a set of commands.
16. The machine-readable medium of claim 15 wherein the set of commands comprises a command to add a software module to the set of software modules.
17. The machine-readable medium of claim 15 wherein the set of commands comprises a command to remove a software module from the set of software modules.
18. The machine-readable medium of claim 15 wherein the set of commands comprises a command to send a signal to the first device.
19. The machine-readable medium of claim 1 wherein the software agent instructions, when executed by the processor, further cause the processor to receive a command from the second device.
20. The machine-readable medium of claim 19 wherein the command was initiated by a user.
21. The machine-readable medium of claim 19 wherein the command was generated by a rules engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Njemanze, Hugh S., Aguilar-Macias, Hector, Zeng, Qiang, Beedgen, Christian Friedrich
Primary Examiner(s)
Lipman; Jacob

Application Number

US10/308,548
Time in Patent Office

2,829 Days
Field of Search

726/22, 726/23
US Class Current

726/23
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/0631   using root cause analysis; ...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Modular agent for network security intrusion detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Modular agent for network security intrusion detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links