Adjusting sensor time in a network security system
First Claim
1. A method performed by an agent device of a network security system, the method comprising:
- receiving a raw security event from a sensor device, wherein the raw security event originated in an event log that was generated by the sensor device, and wherein the raw security event includes an original timestamp that indicates a time determined at the sensor device;
- determining whether the original timestamp is within a non-zero timerange around a time determined at the agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;
- identifying a time offset associated with the sensor device, the time offset representing a difference between the time determined at the sensor device and the time determined at the agent device, wherein the time offset was stored prior to receiving the raw security event;
- determining whether the time offset is in a non-initialized state;
- responsive to the original timestamp exceeding the timerange and responsive to the time offset being in the non-initialized state:
  - adjusting the original timestamp by adding the time offset;
  - generating a first modified security event by replacing the original timestamp in the raw security event with the adjusted timestamp; and
  - sending the first modified security event for determining whether the first modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;
- responsive to the time offset being in an initialized state and the original timestamp being within the timerange:
  - not applying the time offset; and
  - sending the raw security event for determining whether the raw security event satisfies the condition of the rule;
- responsive to the time offset not being in an initialized state and the original timestamp being within the timerange:
  - clearing the time offset to restore the time offset to an initialized state; and
  - sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and
- responsive to the time offset being in an initialized state and the original timestamp not being within the timerange:
  - determining a new time offset;
  - modifying the original timestamp by adding the new time offset to the original timestamp;
  - generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and
  - sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.
11 Assignments
0 Petitions
Abstract
Sensor device times can vary and may be set significantly wrong. In one embodiment, the present invention can adjust a sensor's time by receiving a raw security event from a sensor device, determining whether a timestamp included in the raw security event is within a timerange around a time known by the agent, determining whether a time offset is in a non-initialized state, and determining whether to adjust the timestamp by applying the time offset to the timestamp, the determination being based on whether the timestamp included in the security event is within the timerange around the time known by the agent and whether the time offset is in a non-initialized state.
12 Claims
1. A method performed by an agent device of a network security system, the method comprising:
- receiving a raw security event from a sensor device, wherein the raw security event originated in an event log that was generated by the sensor device, and wherein the raw security event includes an original timestamp that indicates a time determined at the sensor device;
- determining whether the original timestamp is within a non-zero timerange around a time determined at the agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;
- identifying a time offset associated with the sensor device, the time offset representing a difference between the time determined at the sensor device and the time determined at the agent device, wherein the time offset was stored prior to receiving the raw security event;
- determining whether the time offset is in a non-initialized state;
- responsive to the original timestamp exceeding the timerange and responsive to the time offset being in the non-initialized state:
  - adjusting the original timestamp by adding the time offset;
  - generating a first modified security event by replacing the original timestamp in the raw security event with the adjusted timestamp; and
  - sending the first modified security event for determining whether the first modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;
- responsive to the time offset being in an initialized state and the original timestamp being within the timerange:
  - not applying the time offset; and
  - sending the raw security event for determining whether the raw security event satisfies the condition of the rule;
- responsive to the time offset not being in an initialized state and the original timestamp being within the timerange:
  - clearing the time offset to restore the time offset to an initialized state; and
  - sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and
- responsive to the time offset being in an initialized state and the original timestamp not being within the timerange:
  - determining a new time offset;
  - modifying the original timestamp by adding the new time offset to the original timestamp;
  - generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and
  - sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.

(Dependent claims: 2, 3)

4. An agent device for a network security system, the agent device comprising:
- a sensor interface to receive a raw security event from a sensor device, wherein the raw security event originated in an event log that was generated by the sensor device, and wherein the raw security event includes an original timestamp that indicates a time determined at the sensor device; and
- a processor configured to perform operations comprising:
  - determining whether the original timestamp is within a non-zero timerange around a time determined at the agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;
  - identifying a time offset associated with the sensor device, the time offset representing a difference between the time determined at the sensor device and the time determined at the agent device, wherein the time offset was stored prior to receiving the raw security event;
  - determining whether the time offset is in a non-initialized state;
  - responsive to the original timestamp exceeding the time range and responsive to the time offset being in the non-initialized state:
    - adjusting the original timestamp by adding the time offset;
    - generating a modified security event by replacing the original timestamp in the raw security event with the adjusted timestamp; and
    - sending the modified security event for determining whether the modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;
  - responsive to the time offset being in an initialized state and the original timestamp being within the timerange:
    - not applying the time offset; and
    - sending the raw security event for determining whether the raw security event satisfies the condition of the rule;
  - responsive to the time offset not being in an initialized state and the original timestamp being within the timerange:
    - clearing the time offset to restore the time offset to an initialized state; and
    - sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and
  - responsive to the time offset being in an initialized state and the original timestamp not being within the timerange:
    - determining a new time offset;
    - modifying the original timestamp by adding the new time offset to the original timestamp;
    - generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and
    - sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.

(Dependent claims: 5, 6, 7, 8)

9. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a raw security event from a sensor device, wherein the raw security event originated in an event log that was generated by the sensor device, and wherein the raw security event includes an original timestamp that indicates a time determined at the sensor device;
- determining whether the original timestamp is within a non-zero timerange around a time determined at an agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;
- identifying a time offset associated with the sensor device, the time offset representing a difference between the time determined at the sensor device and the time determined at the agent device, wherein the time offset was stored prior to receiving the raw security event;
- determining whether the time offset is in a non-initialized state;
- responsive to the original timestamp exceeding the timerange and responsive to the time offset being in the non-initialized state:
  - adjusting the original timestamp by adding the time offset;
  - generating a modified security event by replacing the original timestamp in the raw security event with the adjusted timestamp; and
  - sending the modified security event for determining whether the modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;
- responsive to the time offset being in an initialized state and the original timestamp being within the timerange:
  - not applying the time offset; and
  - sending the raw security event for determining whether the raw security event satisfies the condition of the rule;
- responsive to the time offset not being in an initialized state and the original timestamp being within the timerange:
  - clearing the time offset to restore the time offset to an initialized state; and
  - sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and
- responsive to the time offset being in an initialized state and the original timestamp not being within the timerange:
  - determining a new time offset;
  - modifying the original timestamp by adding the new time offset to the original timestamp;
  - generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and
  - sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.

(Dependent claims: 10, 11)

12. A method for adjusting an original timestamp generated by a sensor device, wherein the method is performed by an agent device of a network security system, the method comprising:
- identifying a time offset associated with the sensor device, the time offset representing a difference between a time determined at the sensor device and a time determined at the agent device;
- determining whether an original timestamp indicating the time determined at the sensor device is within a non-zero timerange around the time determined at the agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;
- determining whether the time offset is in a non-initialized state;
- responsive to the original timestamp exceeding the timerange and responsive to the time offset being in the non-initialized state:
  - adjusting the original timestamp by adding the time offset to the original timestamp;
  - identifying a security event that originated in an event log that was generated by the sensor device;
  - modifying the security event by replacing the original timestamp with the adjusted timestamp; and
  - sending the modified security event including the adjusted timestamp for determining whether the modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;
- responsive to the time offset being in an initialized state and the original timestamp being within the timerange:
  - not applying the time offset; and
  - sending the raw security event for determining whether the raw security event satisfies the condition of the rule;
- responsive to the time offset not being in an initialized state and the original timestamp being within the timerange:
  - clearing the time offset to restore the time offset to an initialized state; and
  - sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and
- responsive to the time offset being in an initialized state and the original timestamp not being within the timerange:
  - determining a new time offset;
  - modifying the original timestamp by adding the new time offset to the original timestamp;
  - generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and
  - sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.

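The four "responsive to" branches of claim 1 (repeated in the First Claim section above and restated for an apparatus, a machine-readable medium and a method in claims 4, 9 and 12) form a small state machine per sensor: a stored offset is either cleared ("initialized state") or holds a correction ("non-initialized state"), and the agent picks a branch from that state plus whether the event's timestamp lands inside the agent's tolerance window. The Python below is an added illustration of that logic, not code from the patent or from any product that implements it. Its assumptions are labelled in the comments: a constructed event record with a sensor id, a timestamp and a message; `None` as the encoding of the cleared state; storing the newly determined offset for later events from the same sensor (the claim says the offset "was stored prior to receiving" the event, so that is the natural reading); a toy "happened within the last two minutes of agent time" rule in place of the unspecified incident rule; and a one-hour-slow sensor clock as sample input.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class SecurityEvent:
    """Constructed event shape: the claim only requires an event carrying a timestamp."""
    sensor_id: str
    timestamp: datetime   # the sensor's own clock reading
    message: str


class SensorTimeAdjuster:
    """Agent-side timestamp correction following the four branches of claim 1.

    Per-sensor offset state (assumed encoding):
      None            -> 'initialized' state: cleared, no correction in use
      timedelta value -> 'non-initialized' state: a stored correction is in use
    """

    def __init__(self, timerange: timedelta):
        if timerange <= timedelta(0):
            raise ValueError("timerange must be a non-zero, positive tolerance")
        self.timerange = timerange
        self._offsets: dict[str, Optional[timedelta]] = {}

    def offset_for(self, sensor_id: str) -> Optional[timedelta]:
        return self._offsets.get(sensor_id)

    def process(self, event: SecurityEvent, agent_time: datetime) -> SecurityEvent:
        """Return the event to forward to rule evaluation: raw or timestamp-modified."""
        within = abs(event.timestamp - agent_time) <= self.timerange
        offset = self._offsets.get(event.sensor_id)

        if within and offset is None:
            # Branch: offset cleared, sensor clock agrees with the agent -> send raw.
            return event
        if within and offset is not None:
            # Branch: a correction is stored but the sensor is back in range ->
            # clear the offset (restore the initialized state) and send raw.
            self._offsets[event.sensor_id] = None
            return event
        if offset is None:
            # Branch: out of range and no stored correction -> determine a new offset.
            # Assumption: the new offset is stored so later events reuse it.
            offset = agent_time - event.timestamp
            self._offsets[event.sensor_id] = offset
        # Remaining branch (out of range, correction available): adjust by adding the
        # offset and replace the timestamp in the forwarded event.
        return replace(event, timestamp=event.timestamp + offset)


def rule_satisfied(event: SecurityEvent, agent_time: datetime,
                   window: timedelta = timedelta(minutes=2)) -> bool:
    """Toy stand-in for the incident rule: fires if the event is recent in agent time.
    A sensor clock that is an hour slow makes every raw event look stale to this rule."""
    age = agent_time - event.timestamp
    return timedelta(0) <= age <= window


def demo() -> dict:
    """Run a constructed sequence: sensor fw-1 is one hour slow, then gets corrected."""
    adjuster = SensorTimeAdjuster(timerange=timedelta(minutes=5))
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # agent clock
    slow = timedelta(hours=1)
    s = timedelta(seconds=1)
    # (event as logged by the sensor, agent time when the agent receives it)
    stream = [
        (SecurityEvent("fw-1", base - slow, "deny tcp 10.0.0.5 -> 10.0.0.9:22"), base),
        (SecurityEvent("fw-1", base - slow + 30 * s, "deny tcp 10.0.0.5 -> 10.0.0.9:23"), base + 30 * s),
        # operator fixes the sensor clock; sensor and agent now agree
        (SecurityEvent("fw-1", base + 60 * s, "deny tcp 10.0.0.5 -> 10.0.0.9:25"), base + 60 * s),
        (SecurityEvent("fw-1", base + 70 * s, "deny tcp 10.0.0.5 -> 10.0.0.9:80"), base + 70 * s),
    ]
    sent_timestamps, offsets, rule_raw, rule_sent = [], [], [], []
    for raw, now in stream:
        sent = adjuster.process(raw, now)
        sent_timestamps.append(sent.timestamp.isoformat())
        off = adjuster.offset_for("fw-1")
        offsets.append(None if off is None else off.total_seconds())
        rule_raw.append(rule_satisfied(raw, now))
        rule_sent.append(rule_satisfied(sent, now))
    return {"sent_timestamps": sent_timestamps, "offset_after_each": offsets,
            "rule_on_raw": rule_raw, "rule_on_sent": rule_sent}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Passing `agent_time` into `process` rather than reading the wall clock inside it keeps the branch logic deterministic and testable; the same four branches could equally be driven by `datetime.now(timezone.utc)` in a live agent. The demo walks through all four branches in order: the first event determines and stores a +3600 s offset, the second reuses it, the third (sensor back in range with an offset still stored) clears it, and the fourth is forwarded untouched. The toy rule shows the operational point of the patent: without correction the first two events would be judged an hour old and miss any recency-based condition.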
Specification