Adjusting sensor time in a network security system

US 7,809,131 B1
Filed: 12/23/2004
Issued: 10/05/2010
Est. Priority Date: 12/23/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method performed by an agent device of a network security system, the method comprising:

receiving a raw security event from a sensor device, wherein the raw security event originated in an event log that was generated by the sensor device, and wherein the raw security event includes an original timestamp that indicates a time determined at the sensor device;

determining whether the original timestamp is within a non-zero timerange around a time determined at the agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;

identifying a time offset associated with the sensor device, the time offset representing a difference between the time determined at the sensor device and the time determined at the agent device, wherein the time offset was stored prior to receiving the raw security event;

determining whether the time offset is in a non-initialized state;

responsive to the original timestamp exceeding the timerange and responsive to the time offset being in the non-initialized state;

adjusting the original timestamp by adding the time offset;

generating a first modified security event by replacing the original timestamp in the raw security event with the adjusted timestamp; and

sending the first modified security event for determining whether the first modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;

responsive to the time offset being in an initialized state and the original timestamp being within the timerange;

not applying the time offset; and

sending the raw security event for determining whether the raw security event satisfies the condition of the rule;

responsive to the time offset not being in an initialized state and the original timestamp being within the timerange;

clearing the time offset to restore the time offset to an initialized state; and

sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and

responsive to the time offset being in an initialized state and the original timestamp not being within the timerange;

determining a new time offset;

modifying the original timestamp by adding the new time offset to the original timestamp;

generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and

sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Sensor device times can vary and may be set significantly wrong. In one embodiment, the present invention can adjust a sensor'"'"'s time by receiving a raw security event from a sensor device, determining whether a timestamp included in the raw security event is within a timerange around a time known by the agent, determining whether a time offset is in a non-initialized state, and determining whether to adjust the timestamp by applying the time offset to the timestamp, the determination being based on whether the timestamp included in the security event is within the timerange around the time known by the agent and whether the time offset is in a non-initialized state.

Citations

12 Claims

1. A method performed by an agent device of a network security system, the method comprising:
- receiving a raw security event from a sensor device, wherein the raw security event originated in an event log that was generated by the sensor device, and wherein the raw security event includes an original timestamp that indicates a time determined at the sensor device;
  
  determining whether the original timestamp is within a non-zero timerange around a time determined at the agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;
  
  identifying a time offset associated with the sensor device, the time offset representing a difference between the time determined at the sensor device and the time determined at the agent device, wherein the time offset was stored prior to receiving the raw security event;
  
  determining whether the time offset is in a non-initialized state;
  
  responsive to the original timestamp exceeding the timerange and responsive to the time offset being in the non-initialized state;
  
  adjusting the original timestamp by adding the time offset;
  
  generating a first modified security event by replacing the original timestamp in the raw security event with the adjusted timestamp; and
  
  sending the first modified security event for determining whether the first modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;
  
  responsive to the time offset being in an initialized state and the original timestamp being within the timerange;
  
  not applying the time offset; and
  
  sending the raw security event for determining whether the raw security event satisfies the condition of the rule;
  
  responsive to the time offset not being in an initialized state and the original timestamp being within the timerange;
  
  clearing the time offset to restore the time offset to an initialized state; and
  
  sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and
  
  responsive to the time offset being in an initialized state and the original timestamp not being within the timerange;
  
  determining a new time offset;
  
  modifying the original timestamp by adding the new time offset to the original timestamp;
  
  generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and
  
  sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising determining whether the adjusted timestamp is within the timerange.
  - 3. The method of claim 2, further comprising recalculating the time offset if the adjusted timestamp is not within the timerange.

4. An agent device for a network security system, the agent device comprising:
- a sensor interface to receive a raw security event from a sensor device, wherein the raw security event originated in an event log that was generated by the sensor device, and wherein the raw security event includes an original timestamp that indicates a time determined at the sensor device; and
  
  a processor configured to perform operations comprising;
  
  determining whether the original timestamp is within a non-zero timerange around a time determined at the agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;
  
  identifying a time offset associated with the sensor device, the time offset representing a difference between the time determined at the sensor device and the time determined at the agent device, wherein the time offset was stored prior to receiving the raw security event;
  
  determining whether the time offset is in a non-initialized state;
  
  responsive to the original timestamp exceeding the time range and responsive to the time offset being in the non-initialized state;
  
  adjusting the original timestamp by adding the time offset;
  
  generating a modified security event by replacing the original timestamp in the raw security event with the adjusted timestamp; and
  
  sending the modified security event for determining whether the modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;
  
  responsive to the time offset being in an initialized state and the original timestamp being within the timerange;
  
  not applying the time offset; and
  
  sending the raw security event for determining whether the raw security event satisfies the condition of the rule;
  
  responsive to the time offset not being in an initialized state and the original timestamp being within the timerange;
  
  clearing the time offset to restore the time offset to an initialized state; and
  
  sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and
  
  responsive to the time offset being in an initialized state and the original timestamp not being within the timerange;
  
  determining a new time offset;
  
  modifying the original timestamp by adding the new time offset to the original timestamp;
  
  generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and
  
  sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The agent device of claim 4, wherein the operations further comprise determining whether the adjusted timestamp is within the timerange.
  - 6. The agent device of claim 5, wherein the operations further comprise recalculating the time offset if the adjusted timestamp is not within the timerange.
  - 7. The agent device of claim 4, wherein the sensor device comprises a message concentrator.
  - 8. The agent device of claim 7, wherein the message concentrator comprises a Syslog.

9. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a raw security event from a sensor device, wherein the raw security event originated in an event log that was generated by the sensor device, and wherein the raw security event includes an original timestamp that indicates a time determined at the sensor device;
  
  determining whether the original timestamp is within a non-zero timerange around a time determined at an agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;
  
  identifying a time offset associated with the sensor device, the time offset representing a difference between the time determined at the sensor device and the time determined at the agent device, wherein the time offset was stored prior to receiving the raw security event;
  
  determining whether the time offset is in a non-initialized state;
  
  responsive to the original timestamp exceeding the timerange and responsive to the time offset being in the non-initialized state;
  
  adjusting the original timestamp by adding the time offset;
  
  generating a modified security event by replacing the original timestamp in the raw security event with the adjusted timestamp; and
  
  sending the modified security event for determining whether the modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;
  
  responsive to the time offset being in an initialized state and the original timestamp being within the timerange;
  
  not applying the time offset; and
  
  sending the raw security event for determining whether the raw security event satisfies the condition of the rule;
  
  responsive to the time offset not being in an initialized state and the original timestamp being within the timerange;
  
  clearing the time offset to restore the time offset to an initialized state; and
  
  sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and
  
  responsive to the time offset being in an initialized state and the original timestamp not being within the timerange;
  
  determining a new time offset;
  
  modifying the original timestamp by adding the new time offset to the original timestamp;
  
  generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and
  
  sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.
- View Dependent Claims (10, 11)
- - 10. The machine-readable medium of claim 9, wherein the instructions further cause the processor to determine whether the adjusted timestamp is within the timerange.
  - 11. The machine-readable medium of claim 10, wherein the instructions further cause the processor to recalculate the time offset if the adjusted timestamp is not within the timerange.

12. A method for adjusting an original timestamp generated by a sensor device, wherein the method is performed by an agent device of a network security system, the method comprising:
- identifying a time offset associated with the sensor device, the time offset representing a difference between a time determined at the sensor device and a time determined at the agent device;
  
  determining whether an original timestamp indicating the time determined at the sensor device is within a non-zero timerange around the time determined at the agent device, the non-zero timerange representing a predetermined range of variance from the time determined at the agent device;
  
  determining whether the time offset is in a non-initialized state;
  
  responsive to the original timestamp exceeding the timerange and responsive to the time offset being in the non-initialized state;
  
  adjusting the original timestamp by adding the time offset to the original timestamp;
  
  identifying a security event that originated in an event log that was generated by the sensor device;
  
  modifying the security event by replacing the original timestamp with the adjusted timestamp; and
  
  sending the modified security event including the adjusted timestamp for determining whether the modified security event satisfies a condition of a rule, wherein the rule determines whether a security incident has occurred;
  
  responsive to the time offset being in an initialized state and the original timestamp being within the timerange;
  
  not applying the time offset; and
  
  sending the raw security event for determining whether the raw security event satisfies the condition of the rule;
  
  responsive to the time offset not being in an initialized state and the original timestamp being within the timerange;
  
  clearing the time offset to restore the time offset to an initialized state; and
  
  sending the raw security event for determining whether the raw security event satisfies the condition of the rule; and
  
  responsive to the time offset being in an initialized state and the original timestamp not being within the timerange;
  
  determining a new time offset;
  
  modifying the original timestamp by adding the new time offset to the original timestamp;
  
  generating a second modified security event by replacing the original timestamp in the raw security event with the modified timestamp; and
  
  sending the second modified security event for determining whether the second modified security event satisfies the condition of the rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Arcsight Incorporated (HP Inc.)
Inventors
Njemanze, Hugh S., Aguilar-Macias, Hector
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
Vaughan; Michael R

Application Number

US11/021,601
Time in Patent Office

2,112 Days
Field of Search

713/176, 713/178, 726 22- 24, 370/389, 370/503
US Class Current

380/2
CPC Class Codes

G06F 21/725 operating on a secure refer...

H04L 63/1408 by monitoring network traff...

Adjusting sensor time in a network security system

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Adjusting sensor time in a network security system

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links