Method for batching events for transmission by software agent
Abstract
In one embodiment, the present invention provides for receiving security events from a network device by a distributed software agent of a network security system, determining a priority of each received security event, and storing the security events in a plurality of prioritized event buffers based on the determined priorities for a period of time determined by a timer. Upon expiration of the timer, a batch of security events for transport to a security event manager of the network security system can be created by including security events in the batch in order of priority until the batch is full.
15 Claims
1. A method, comprising:
- storing, in an event buffer of an agent device, a plurality of security events from a network device;
- determining a number of the security events stored in the event buffer;
- responsive to the number of security events in the event buffer reaching a predetermined number, selecting a set of security events from the plurality of security events based on a batching priority for each of the security events stored in the event buffer, wherein the batching priority for each security event is based on an event priority of the security event, an amount of time the security event has been stored in the event buffer, and a number of event batches that have been created since the security event was stored in the event buffer; and
- creating a batch of security events for transport to a security event manager by including the selected set of security events in the batch, wherein storing the plurality of security events comprises storing the plurality of security events in a prioritized event buffer based on an importance of the event priority of each of the security events.

Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method, comprising:
- for a predetermined period of time, storing a plurality of security events received from a network device in an event buffer of an agent device;
- responsive to storing a security event of the plurality of security events, incrementing a counter;
- responsive to expiration of the period of time or the counter reaching a predetermined number, selecting a set of security events from the plurality of security events based on a batching priority of each of the plurality of security events stored in the event buffer, wherein the batching priority for each security event is based on an event priority of the security event, an amount of time the security event has been stored in the event buffer, and a number of event batches that have been created since the security event was stored in the event buffer; and
- creating a batch of security events for transport to a security event manager by including the selected set of security events in the batch.

Dependent claims: 9.

10. A method, comprising:
- receiving security events;
- determining a priority of each received security event, the event priority relating to an importance of the event;
- storing, for a period of time determined by a timer, the security events in a plurality of prioritized event buffers in an agent device based on the determined event priorities; and
- upon expiration of the timer, selecting a set of the security events from the plurality of prioritized event buffers based on a batching priority of each security event, wherein the batching priority is based on the determined event priority of the security event, an amount of time the security event has been stored in one of the event buffers, and a number of event batches that have been created since the security event was stored in the one of the event buffers; and
- creating a batch of security events by including security events in the batch in order of the batching priority until the batch is full, where the batch of security events has at most a predetermined number of security events.

11. A method, comprising:
- receiving security events;
- storing, in one or more event buffers of an agent device, a number of the received security events having an event priority related to an importance of the event; and
- responsive to storing the number of security events in the one or more event buffers, batching the security events stored in the one or more event buffers to include a set of security events selected from the received security events in accordance with a batching priority of the security events that is determined in accordance with the event priority of the security event, an amount of time the security event has been stored in the one or more event buffers, and a number of event batches that have been created since the security event was stored in the one or more event buffers, wherein a batch of security events has at most a predetermined number of security events.

12. A non-transitory computer-readable storage medium comprising machine-readable instructions that, when executed by a computer, cause the computer to:
- store, in an event buffer of an agent device, a security event;
- responsive to storing the security event, increment a counter;
- responsive to the counter reaching a predetermined number, select a set of security events from a plurality of security events stored in the event buffer, wherein the selection of the set of security events is based on a batching priority of each of the security events stored in the event buffer, the batching priority being based on an event priority of the security event, an amount of time the security event has been stored in the event buffer, and a number of event batches that have been created since the security event was stored in the event buffer; and
- create a batch of security events for transport to a security event manager by including the selected set of security events in the batch.

13. A system, comprising:
- a processor; and
- a non-transitory computer-readable storage medium coupled to the processor and storing instructions executed by the processor to perform operations comprising: storing, in an event buffer of an agent device, a security event; incrementing, responsive to storing the security event, a counter; selecting, responsive to the counter reaching a predetermined number, a set of security events from a plurality of security events stored in the event buffer, the selecting based upon a batching priority of the security events stored in the event buffer, the batching priority determined in accordance with an event priority of the security event, an amount of time the security event has been stored in the event buffer, and a number of event batches that have been created since the security event was stored in the event buffer; and creating a batch of security events for transport to a security event manager by including the selected set of security events in the batch.

14. A method, comprising:
- receiving a plurality of security events from a network device;
- determining an event priority for each of the plurality of security events;
- storing the plurality of security events in prioritized event buffers based on the determined event priorities;
- determining a count of the security events for each of the prioritized event buffers;
- determining whether a number of the plurality of security events stored in the prioritized event buffers has reached a predetermined number;
- responsive to the number of the plurality of security events stored in the prioritized event buffers reaching the predetermined number, selecting a subset of the security events from the prioritized event buffers based on the determined event priorities, an amount of time the security event has been stored in one of the prioritized event buffers, and a number of event batches that have been created since the security event was stored in the one of the event buffers, the determined count for each prioritized event buffer, and a batch size; and
- creating a batch of security events according to the batch size and for transport to a security event manager by including the selected subset of security events in the batch.

Dependent claims: 15.
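The agent-side batching the claims describe, written out as an added Python example (not code from the patent or its assignee): per-priority event buffers, a stored-event counter and a timer as batch triggers, a batching priority combining event priority, time in the buffer and the number of batches created since the event was stored, and a batch filled in batching-priority order up to a fixed size. The linear scoring formula and the `age_weight` and `starve_weight` parameters are assumptions; the claims name the three factors but do not say how they are combined.

```python
from dataclasses import dataclass


@dataclass
class SecurityEvent:
    source: str             # network device that produced the event
    message: str
    priority: int           # the claims' "event priority": higher means more important
    stored_at: float = 0.0  # time the event entered the buffer
    batches_since: int = 0  # batches created since the event was stored


class BatchingAgent:
    """Prioritized buffers, count/timer triggers, and priority-ordered batches."""

    def __init__(self, batch_size, trigger_count, timer_seconds, age_weight=0.1, starve_weight=2.0):
        self.buffers = {}                   # event priority -> events in arrival order
        self.batch_size = batch_size        # a batch holds at most this many events
        self.trigger_count = trigger_count  # "predetermined number" of stored events
        self.timer_seconds = timer_seconds  # "predetermined period of time"
        self.age_weight, self.starve_weight = age_weight, starve_weight  # assumed weights
        self.counter = 0                    # number of events currently stored
        self.timer_start = 0.0

    def store(self, event, now):
        event.stored_at = now
        self.buffers.setdefault(event.priority, []).append(event)
        self.counter += 1

    def should_batch(self, now):
        """Counter reached the predetermined number, or the timer expired."""
        return self.counter >= self.trigger_count or now - self.timer_start >= self.timer_seconds

    def batching_priority(self, event, now):
        # Assumed linear combination of the three factors in the claims: the age and
        # passed-over terms make a low-priority event eventually outrank newer ones.
        return (event.priority + self.age_weight * (now - event.stored_at)
                + self.starve_weight * event.batches_since)

    def create_batch(self, now):
        """Fill the batch in batching-priority order until full; requeue the rest."""
        pending = [e for buf in self.buffers.values() for e in buf]
        pending.sort(key=lambda e: self.batching_priority(e, now), reverse=True)
        batch, left = pending[:self.batch_size], pending[self.batch_size:]
        self.buffers = {}
        for e in left:                      # each leftover was passed over once more
            e.batches_since += 1
            self.buffers.setdefault(e.priority, []).append(e)
        self.counter, self.timer_start = len(left), now
        return batch
```

With `batch_size=2`, two priority-1 events stored first are skipped for a priority-5 and a priority-3 event, then outrank two newer priority-2 events on the next batch because of the age and passed-over terms.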
Specification