Timestamp modification in a network security system
Abstract
Clocks used by network security devices can be synchronized by a network security system. In one embodiment, the synchronization can include the network security system receiving a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock. Similarly, the network security system can receive a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock. The system can then identify a common event represented by a first alert in the first stream from the first network security device and by a second alert in the second stream from the second network security device, and then synchronize the first clock and the second clock using the common event.
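The abstract describes a pipeline with four steps: collect a stream of alerts from each device, find one event that both devices reported, use the two detection times of that common event to decide whether the clocks agree, and, if they do not, shift the timestamps of one stream before a correlation rule is evaluated. The following Python is an added illustration of that pipeline and is not code from the patent or from any product; the device names, signatures, addresses, the ten-minute skew and the scan-then-exploit rule are all constructed sample data.

```python
"""Added example: align two alert streams on a common event, then run a
correlation rule over the adjusted timestamps. All data is constructed."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Alert:
    device: str      # device that produced the alert
    signature: str   # what the device detected
    src: str         # source address of the observed traffic
    dst: str         # destination address of the observed traffic
    ts: datetime     # time of detection according to that device's own clock


def event_key(a: Alert) -> tuple:
    """Fields by which the same underlying event is recognised on both devices."""
    return (a.signature, a.src, a.dst)


def find_common_event(first: list, second: list) -> Optional[tuple]:
    """Return the first pair (one alert per stream) representing the same event."""
    by_key = {}
    for b in second:
        by_key.setdefault(event_key(b), b)
    for a in first:
        b = by_key.get(event_key(a))
        if b is not None:
            return a, b
    return None


def clock_offset(pair: tuple, tolerance: timedelta = timedelta(seconds=2)) -> timedelta:
    """Offset to add to second-stream timestamps so they agree with the first clock.
    A difference within `tolerance` is treated as already synchronized."""
    a, b = pair
    delta = a.ts - b.ts
    return timedelta(0) if abs(delta) <= tolerance else delta


def adjust_timestamps(stream: list, offset: timedelta) -> list:
    """Modify the timestamp within each alert of a stream by `offset`."""
    return [replace(a, ts=a.ts + offset) for a in stream]


def scan_then_exploit(firewall: list, ids: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Constructed rule: a PORT_SCAN seen by the firewall followed, within `window`,
    by an EXPLOIT_ATTEMPT seen by the IDS from the same source is an incident."""
    hits = []
    for s in firewall:
        if s.signature != "PORT_SCAN":
            continue
        for e in ids:
            if (e.signature == "EXPLOIT_ATTEMPT" and e.src == s.src
                    and s.ts <= e.ts <= s.ts + window):
                hits.append((s, e))
    return hits


def T(h: int, m: int, s: int = 0) -> datetime:
    return datetime(2024, 1, 15, h, m, s, tzinfo=timezone.utc)


# Constructed streams: the IDS clock runs ten minutes behind the firewall clock,
# so the same brute-force event carries two different detection times.
FIREWALL = [
    Alert("fw-1", "SSH_BRUTE_FORCE", "203.0.113.7", "198.51.100.10", T(12, 0, 0)),
    Alert("fw-1", "PORT_SCAN", "203.0.113.7", "198.51.100.20", T(12, 1, 0)),
]
IDS = [
    Alert("ids-1", "SSH_BRUTE_FORCE", "203.0.113.7", "198.51.100.10", T(11, 50, 0)),
    Alert("ids-1", "EXPLOIT_ATTEMPT", "203.0.113.7", "198.51.100.20", T(11, 52, 0)),
]


def correlate(firewall: list, ids: list) -> tuple:
    """Common event -> offset -> adjusted second stream -> rule evaluation."""
    pair = find_common_event(firewall, ids)
    offset = clock_offset(pair) if pair else timedelta(0)
    return offset, scan_then_exploit(firewall, adjust_timestamps(ids, offset))


if __name__ == "__main__":
    print("incidents without adjustment:", len(scan_then_exploit(FIREWALL, IDS)))
    offset, hits = correlate(FIREWALL, IDS)
    print("offset applied to IDS stream:", offset, "incidents:", len(hits))
```

Run as is, the rule finds nothing on the raw streams because the exploit alert appears to precede the scan, and finds one incident once the IDS timestamps are shifted by the ten-minute offset derived from the brute-force event both devices reported. The weak point of the approach is the key used by `find_common_event`: if two devices are matched on an event they did not actually both observe, the derived offset is wrong and every later rule inherits the error, so the key should include enough fields (signature, addresses, ideally a session identifier) to make a false match unlikely.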
Claims (18 in total; the independent claims 1, 7 and 13 are shown)
1. A network security system comprising:
a first agent comprising a processor configured to collect a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;
a second agent comprising a processor configured to collect a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock; and
a manager in communication with the agents, the manager comprising a processor configured to:
receive the first stream of alerts and the second stream of alerts;
identify a first alert in the first stream and a second alert in the second stream, wherein the first alert represents a particular event, and wherein the second alert represents the same particular event;
determine, based on the first alert and the second alert, whether the first clock and the second clock are synchronized; and
when the first clock and the second clock are not synchronized:
adjust at least one of the first clock and the second clock to synchronize the first clock and the second clock;
modify at least one of a timestamp within the first alert and a timestamp within the second alert; and
after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determine whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
Dependent claims: 2, 3, 4, 5, 6
7. A method for modifying timestamps in a network security system, the method comprising:
receiving a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;
receiving a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock;
identifying a first alert in the first stream and a second alert in the second stream, wherein the first alert represents a particular event, and wherein the second alert represents the same particular event;
determining, based on the first alert and the second alert, whether the first clock and the second clock are synchronized; and
when the first clock and the second clock are not synchronized:
adjusting at least one of the first clock and the second clock to synchronize the first clock and the second clock;
modifying at least one of a timestamp within the first alert and a timestamp within the second alert; and
after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determining whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
Dependent claims: 8, 9, 10, 11, 12
13. A non-transitory machine-readable medium storing a set of instructions that, when executed by the machine, cause the machine to:
receive a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;
receive a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock;
identify a first alert in the first stream and a second alert in the second stream, wherein the first alert represents a particular event, and wherein the second alert represents the same particular event;
determine, based on the first alert and the second alert, whether the first clock and the second clock are synchronized; and
when the first clock and the second clock are not synchronized:
adjust at least one of the first clock and the second clock to synchronize the first clock and the second clock;
modify at least one of a timestamp within the first alert and a timestamp within the second alert; and
after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determine whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
Dependent claims: 14, 15, 16, 17, 18
Specification