Timestamp modification in a network security system

US 8,230,512 B1
Filed: 06/26/2009
Issued: 07/24/2012
Est. Priority Date: 12/10/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A network security system comprising:

a first agent comprising a processor configured to collect a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;

a second agent comprising a processor configured to collect a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock; and

a manager in communication with the agents, the manager comprising a processor configured to;

receive the first stream of alerts and the second stream of alerts;

identify a first alert in the first stream and a second alert in the second stream, wherein the first alert represents a particular event, and wherein the second alert represents the same particular event;

determine, based on the first alert and the second alert, whether the first clock and the second clock are synchronized; and

when the first clock and the second clock are not synchronized;

adjusting at least one of the first clock and the second clock to synchronize the first clock and the second clock;

modify at least one of a timestamp within the first alert and a timestamp within the second alert; and

after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determine whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Clocks used by network security devices can be synchronized by a network security system. In one embodiment, the synchronization can include the network security system receiving a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock. Similarly, the network security system can receive a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock. The system can then identify a common event represented by a first alert in the first stream from the first network security device and by a second alert in the second stream from the second network security device, and then synchronize the first clock and the second clock using the common event.

83 Citations

View as Search Results

18 Claims

1. A network security system comprising:
- a first agent comprising a processor configured to collect a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;
  
  a second agent comprising a processor configured to collect a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock; and
  
  a manager in communication with the agents, the manager comprising a processor configured to;
  
  receive the first stream of alerts and the second stream of alerts;
  
  identify a first alert in the first stream and a second alert in the second stream, wherein the first alert represents a particular event, and wherein the second alert represents the same particular event;
  
  determine, based on the first alert and the second alert, whether the first clock and the second clock are synchronized; and
  
  when the first clock and the second clock are not synchronized;
  
  adjusting at least one of the first clock and the second clock to synchronize the first clock and the second clock;
  
  modify at least one of a timestamp within the first alert and a timestamp within the second alert; and
  
  after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determine whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The network security system of claim 1, wherein the manager'"'"'s processor is further configured to determine whether the first clock and the second clock are synchronized by comparing the time of detection included in the first alert and the time of detection included in the second alert.
  - 3. The network security system of claim 1, wherein adjusting at least one of the first clock and the second clock further comprises:
    - selecting one of the first clock and the second clock as a reference clock; and
      
      adjusting the other clock to the reference clock.
  - 4. The network security system of claim 3, wherein selecting one of the first clock and the second clock comprises determining a relationship of the first clock to a system-wide reference clock and a relationship of the second clock to the system-wide reference clock.
  - 5. The network security system of claim 1, wherein the manager'"'"'s processor is further configured to:
    - store at least one of a first time offset associated with the first clock and a second time offset associated with the second clock; and
      
      use a stored time offset to modify at least one of the timestamp within the first alert and the timestamp within the second alert.
  - 6. The network security system of claim 1, wherein the manager'"'"'s processor is further configured to cause the particular event to occur.

7. A method for modifying timestamps in a network security system, the method comprising:
- receiving a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;
  
  receiving a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock;
  
  identifying a first alert in the first stream and a second alert in the second stream, wherein the first alert represents a particular event, and wherein the second alert represents the same particular event;
  
  determining, based on the first alert and the second alert, whether the first clock and the second clock are synchronized; and
  
  when the first clock and the second clock are not synchronized;
  
  adjusting at least one of the first clock and the second clock to synchronize the first clock and the second clock;
  
  modifying at least one of a timestamp within the first alert and a timestamp within the second alert; and
  
  after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determining whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein determining whether the first clock and the second clock are synchronized comprises comparing the time of detection included in the first alert and the time of detection included in the second alert.
  - 9. The method of claim 7, wherein adjusting at least one of the first clock and the second clock further comprises:
    - selecting one of the first clock and the second clock as a reference clock; and
      
      adjusting the other clock to the reference clock.
  - 10. The method of claim 9, wherein selecting one of the first clock and the second clock comprises determining a relationship of the first clock to a system-wide reference clock and a relationship of the second clock to the system-wide reference clock.
  - 11. The method of claim 7, further comprising:
    - storing at least one of a first time offset associated with the first clock and a second time offset associated with the second clock; and
      
      using a stored time offset to modify at least one of the timestamp within the first alert and the timestamp within the second alert.
  - 12. The method of claim 7, further comprising causing the particular event to occur.

13. A non-transitory machine readable medium storing a set of instructions that, when executed by the machine, cause the machine to:
- receive a first stream of alerts from a first network security device having a first clock, each alert in the first stream representing an event detected by the first network security device and including a time of detection by the first network security device according to the first clock;
  
  receive a second stream of alerts from a second network security device having a second clock, each alert in the second stream representing an event detected by the second network security device and including a time of detection by the second network security device according to the second clock;
  
  identify a first alert in the first stream and a second alert in the second stream wherein the first alert represents a particular event, and wherein the second alert represents the same particular event;
  
  determine, based on the first alert and the second alert, whether the first clock and the second clock are synchronized; and
  
  when the first clock and the second clock are not synchronized;
  
  adjust at least one of the first clock and the second clock to synchronize the first clock and the second clock;
  
  modify at least one of a timestamp within the first alert and a timestamp within the second alert; and
  
  after having modified at least one of the timestamp within the first alert and the timestamp within the second alert, determine whether the first alert and the second alert satisfy a condition of a rule, wherein the rule determines whether a security incident has occurred.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory machine readable medium of claim 13, wherein determining whether the first clock and the second clock are synchronized comprises comparing the time of detection included in the first alert and the time of detection included in the second alert.
  - 15. The non-transitory machine readable medium of claim 13, wherein adjust at least one of the first clock and the second clock further comprises:
    - select one of the first clock and the second clock as a reference clock; and
      
      adjust the other clock to the reference clock.
  - 16. The non-transitory machine readable medium of claim 15, wherein selecting one of the first clock and the second clock comprises determining a relationship of the first clock to a system-wide reference clock and a relationship of the second clock to the system-wide reference clock.
  - 17. The non-transitory machine readable medium of claim 13, wherein the set of instructions further causes the machine to:
    - store at least one of a first time offset associated with the first clock and a second time offset associated with the second clock; and
      
      use a stored time offset to modify at least one of the timestamp within the first alert and the timestamp within the second alert.
  - 18. The non-transitory machine readable medium of claim 13, wherein the set of instructions further causes the machine to cause the particular event to occur.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Njemanze, Hugh S.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Debnath, Suman

Application Number

US12/493,012
Time in Patent Office

1,124 Days
Field of Search

713/176, 713/178, 726 22- 25, 709/224, 370/289, 370/503
US Class Current

726/25
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 63/16   Implementing security featu...

H04L 63/20   for managing network securi...

Timestamp modification in a network security system

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Timestamp modification in a network security system

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links