
Adjusting sensor time in a network security system

  • US 7,809,131 B1
  • Filed: 12/23/2004
  • Issued: 10/05/2010
  • Est. Priority Date: 12/23/2004
  • Status: Expired due to Fees

1. A method performed by an agent device of a network security system, the method comprising:

  • receiving a raw security event from a sensor device, wherein the raw security event originated in an event log that was generated by the sensor device, and wherein the raw security event includes an original timestamp that indicates a time determined at the sensor device;

  • determining whether the original timestamp is within a non-zero timerange around a time determined at the agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;

  • identifying a time offset associated with the sensor device, the time offset representing a difference between the time determined at the sensor device and the time determined at the agent device, wherein the time offset was stored prior to receiving the raw security event;

  • determining whether the time offset is in a non-initialized state;

  • responsive to the original timestamp exceeding the timerange and responsive to the time offset being in the non-initialized state:

      • adjusting the original timestamp by adding the time offset;

      • generating a first modified security event by replacing the original timestamp in the raw security event with the adjusted timestamp; and

      • sending the first modified security event for determining whether the first modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;

  • responsive to the time offset being in an initialized state and the original timestamp being within the timerange:

      • not applying the time offset; and

      • sending the raw security event for determining whether the raw security event satisfies the condition of the rule;

  • responsive to the time offset not being in an initialized state and the original timestamp being within the timerange:

      • clearing the time offset to restore the time offset to an initialized state; and

      • sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and

  • responsive to the time offset being in an initialized state and the original timestamp not being within the timerange:

      • determining a new time offset;

      • modifying the original timestamp by adding the new time offset to the original timestamp;

      • generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and

      • sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.
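
The four branches of claim 1 can be read as a small per-sensor state machine. The sketch below is an added illustration, not code from the patent or its assignee; the names `SecurityEvent`, `Agent` and `run_sample`, the 300-second timerange, and the way the new offset is computed (agent receive time minus the original timestamp) are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SecurityEvent:
    sensor_id: str
    timestamp: float  # original timestamp from the sensor's event log (epoch seconds)
    message: str

class Agent:
    def __init__(self, timerange: float = 300.0):  # assumed variance, in seconds
        self.timerange = timerange
        # Per-sensor stored offset. A missing entry models the claim's
        # "initialized" (cleared) state; a present entry is "non-initialized".
        self.offsets: dict[str, float] = {}

    def process(self, event: SecurityEvent, agent_now: float) -> SecurityEvent:
        """Return the event to forward for rule evaluation."""
        within = abs(event.timestamp - agent_now) <= self.timerange
        offset = self.offsets.get(event.sensor_id)
        if within:
            if offset is not None:
                # Sensor clock is back in range: clear the stale offset.
                del self.offsets[event.sensor_id]
            return event  # raw event, offset not applied
        if offset is None:
            # Assumption: derive the new offset from this event's skew.
            offset = agent_now - event.timestamp
            self.offsets[event.sensor_id] = offset
        # Modified event: original timestamp replaced by the adjusted one.
        return replace(event, timestamp=event.timestamp + offset)

def run_sample() -> list[float]:
    """Constructed input: sensor 'fw1' runs one hour slow, then is corrected."""
    agent, t0 = Agent(), 1_700_000_000.0
    received = [  # (agent receive time, sensor timestamp)
        (t0, t0 - 3600),           # out of range, no offset: new offset stored
        (t0 + 10, t0 + 8 - 3600),  # out of range, offset stored: offset applied
        (t0 + 21, t0 + 20),        # in range, offset stored: offset cleared
        (t0 + 30, t0 + 29),        # in range, no offset: passed through
    ]
    return [agent.process(SecurityEvent("fw1", ts, "login failed"), now).timestamp
            for now, ts in received]

if __name__ == "__main__":
    print(run_sample())
```

With the stored offset applied, the second event keeps its two-second distance from the agent's clock, so ordering between events from skewed and correct sensors is preserved for the correlation rules.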
