Event aggregation in a network

US 8,099,782 B1
Filed: 11/17/2009
Issued: 01/17/2012
Est. Priority Date: 10/27/2004
Status: Active Grant

First Claim

Patent Images

1. A method for aggregating events in a network, comprising:

receiving an event from a network device;

selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;

identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many events are represented by the aggregate event;

incrementing the count field value to represent the received event; and

transmitting the aggregate event when a time range of the events represented by the aggregate event exceeds the maximum time range.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network system can have a plurality of distributed software agents configured to collect events from network devices. In one embodiment, the agents are configured to aggregate the events. In one embodiment of the present invention, an agent includes a device interface to receive an event from a network device, a plurality of aggregation profiles, and an agent aggregate module to select one of the plurality of aggregation profiles, and increment an event count of an aggregate event representing the received event using the selected aggregation profile.

Citations

24 Claims

1. A method for aggregating events in a network, comprising:
- receiving an event from a network device;
  
  selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;
  
  identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many events are represented by the aggregate event;
  
  incrementing the count field value to represent the received event; and
  
  transmitting the aggregate event when a time range of the events represented by the aggregate event exceeds the maximum time range.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein selecting the one aggregation profile comprises selecting an aggregation profile associated with an event filter when the received event satisfies the event filter.
  - 3. The method of claim 1, wherein the selected aggregation profile further defines parameters for events that are represented by the aggregate event.
  - 4. The method of claim 1, wherein the selected aggregation profile enumerates one or more event fields whose values must match for two events to be considered satisfactorily similar for aggregation.
  - 5. The method of claim 1, wherein the selected aggregation profile enumerates one or more event fields preserved by the aggregate event.
  - 6. The method of claim 1, wherein the selected aggregation profile further defines a maximum event count.
  - 7. The method of claim 6, further comprising transmitting the aggregate event when the incremented count field value equals the maximum event count.
  - 8. The method of claim 1, further comprising:
    - selecting a second aggregation profile of the plurality of aggregation profiles;
      
      identifying a second aggregate event corresponding to the second selected aggregation profile, wherein the second aggregate event includes a count field whose value indicates how many events are represented by the second aggregate event; and
      
      incrementing the count field value of the second aggregate event to represent the received event.
  - 9. The method of claim 8, further comprising transmitting the second aggregate event to an entity different from the entity receiving the aggregate event.
  - 10. The method of claim 1, wherein the network device comprises a firewall or an intrusion detection system.

11. A non-transitory computer readable medium having stored thereon computer readable instructions which, when executed by a processor, cause the processor to perform a method for aggregating events in a network, the method comprising:
- receiving an event from a network device;
  
  selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;
  
  identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many events are represented by the aggregate event;
  
  incrementing the count field value to represent the received event; and
  
  transmitting the aggregate event when a time range of the events represented by the aggregate event exceeds the maximum time range.

12. A system for aggregating events in a network, comprising:
- a non-transitory computer readable medium storing computer readable instructions for performing a method, the method comprising;
  
  receiving an event from a network device;
  
  selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum time range;
  
  identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many events are represented by the aggregate event;
  
  incrementing the count field value to represent the received event; and
  
  transmitting the aggregate event when a time range of the events represented by the aggregate event exceeds the maximum time range; and
  
  a processor configured to execute the computer readable instructions stored by the computer readable medium.

13. A method for aggregating events in a network, comprising:
- receiving an event from a network device;
  
  selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum event count;
  
  identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many events are represented by the aggregate event;
  
  incrementing the count field value to represent the received event; and
  
  transmitting the aggregate event when the incremented count field value equals the maximum event count.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The method of claim 13, wherein selecting the one aggregation profile comprises selecting an aggregation profile associated with an event filter when the received event satisfies the event filter.
  - 15. The method of claim 13, wherein the selected aggregation profile further defines parameters for events that are represented by the aggregate event.
  - 16. The method of claim 13, wherein the selected aggregation profile enumerates one or more event fields whose values must match for two events to be considered satisfactorily similar for aggregation.
  - 17. The method of claim 13, wherein the selected aggregation profile enumerates one or more event fields preserved by the aggregate event.
  - 18. The method of claim 13, wherein the selected aggregation profile further defines a maximum time range.
  - 19. The method of claim 18, further comprising transmitting the aggregate event when the time range of the events represented by the aggregate event exceeds the maximum time range.
  - 20. The method of claim 13, further comprising:
    - selecting a second aggregation profile of the plurality of aggregation profiles;
      
      identifying a second aggregate event corresponding to the second selected aggregation profile, wherein the second aggregate event includes a count field whose value indicates how many events are represented by the second aggregate event; and
      
      incrementing the count field value of the second aggregate event to represent the received event.
  - 21. The method of claim 20, further comprising transmitting the second aggregate event to an entity different from the entity receiving the aggregate event.
  - 22. The method of claim 13, wherein the network device comprises a firewall or an intrusion detection system.

23. A non-transitory computer readable medium having stored thereon computer readable instructions which, when executed by a processor, cause the processor to perform a method for aggregating events in a network, the method comprising:
- receiving an event from a network device;
  
  selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum event count;
  
  identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many events are represented by the aggregate event;
  
  incrementing the count field value to represent the received event; and
  
  transmitting the aggregate event when the incremented count field value equals the maximum event count.

24. A system for aggregating events in a network, comprising:
- a non-transitory computer readable medium storing computer readable instructions for performing a method, the method comprising;
  
  receiving an event from a network device;
  
  selecting one of a plurality of aggregation profiles, wherein the selected aggregation profile defines a maximum event count;
  
  identifying an aggregate event corresponding to the selected aggregation profile, wherein the aggregate event includes a count field whose value indicates how many events are represented by the aggregate event;
  
  incrementing the count field value to represent the received event; and
  
  transmitting the aggregate event when the incremented count field value equals the maximum event count; and
  
  a processor configured to execute the computer readable instructions stored by the computer readable medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Dash, Debabrata, Aguilar-Macias, Hector
Primary Examiner(s)
Truong, Thanhnga

Application Number

US12/620,345
Time in Patent Office

791 Days
Field of Search

726/14, 726 22- 24, 703/17
US Class Current

726/22
CPC Class Codes

H04L 63/0218 Distributed architectures, ...

H04L 63/1416 Event detection, e.g. attac...

Event aggregation in a network

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Event aggregation in a network

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links