System and method for performing security management operations in network having non-static collection of nodes

US 10,111,208 B2
Filed: 06/06/2016
Issued: 10/23/2018
Est. Priority Date: 12/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method of managing a network comprising a non-static collection of machines, comprising:

at a first node coupled to the network, the first node being a first machine among the non-static collection of machines;

proactively constructing and maintaining a respective local segment of a linear communication orbit in the network, wherein the proactive constructing and maintaining comprises;

obtaining, from a server of the network, contact information of one or more potential neighbor nodes for the first node, wherein the one or more potential neighbor nodes are machines that are known to the server as being coupled to the network;

proactively establishing, in accordance with a respective network communication protocol, a respective propagation channel from the first node to a downstream neighbor upon detecting that said respective propagation channel to the downstream neighbor does not already exist, wherein the downstream neighbor comprises a live succeeding node among the one or more potential neighbor nodes;

allowing a respective collection channel from the downstream neighbor to the first node to be established in accordance with the respective network communication protocol upon a request by the downstream neighbor, wherein the request has been generated by the downstream neighbor to establish a respective reporting channel thereof in accordance with the respective network communication protocol;

proactively establishing, in accordance with the respective network communication protocol, a respective reporting channel from the first node to an upstream neighbor upon detecting that said respective reporting channel to the upstream neighbor does not already exist, wherein the upstream neighbor comprises a live preceding node among the one or more potential neighbor nodes; and

allowing a respective receiving channel from the upstream neighbor to the first node to be established in accordance with the respective network communication protocol upon a request by the upstream neighbor, wherein the request has been generated by the upstream neighbor to establish a respective propagation channel thereof in accordance with the respective network communication protocol;

receiving a security management message from the upstream neighbor through the respective receiving channel from the upstream neighbor to the first node;

performing one or more security management operations in accordance with the security management message received from the upstream neighbor; and

forwarding the security management message to the downstream neighbor through the respective propagation channel from the first node to the downstream neighbor.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Machines in a managed network implement a set of rules that cause individual machines to directly interact with only a small number of machines in the network. Independent local actions of the individual machines collectively cause the individual machines to be self-organized into one or more communication orbits without any global control or coordination by a server or an administrator. The communication orbits are used for supporting security management, including, at a first node of the network, receiving a security management message from an upstream neighbor through a respective receiving channel from the upstream neighbor to the first node; performing one or more security management operations in accordance with the security management message received from the upstream neighbor; and forwarding the security management message to a downstream neighbor through a respective propagation channel from the first node to the downstream neighbor.

62 Citations

View as Search Results

23 Claims

1. A method of managing a network comprising a non-static collection of machines, comprising:
- at a first node coupled to the network, the first node being a first machine among the non-static collection of machines;
  
  proactively constructing and maintaining a respective local segment of a linear communication orbit in the network, wherein the proactive constructing and maintaining comprises;
  
  obtaining, from a server of the network, contact information of one or more potential neighbor nodes for the first node, wherein the one or more potential neighbor nodes are machines that are known to the server as being coupled to the network;
  
  proactively establishing, in accordance with a respective network communication protocol, a respective propagation channel from the first node to a downstream neighbor upon detecting that said respective propagation channel to the downstream neighbor does not already exist, wherein the downstream neighbor comprises a live succeeding node among the one or more potential neighbor nodes;
  
  allowing a respective collection channel from the downstream neighbor to the first node to be established in accordance with the respective network communication protocol upon a request by the downstream neighbor, wherein the request has been generated by the downstream neighbor to establish a respective reporting channel thereof in accordance with the respective network communication protocol;
  
  proactively establishing, in accordance with the respective network communication protocol, a respective reporting channel from the first node to an upstream neighbor upon detecting that said respective reporting channel to the upstream neighbor does not already exist, wherein the upstream neighbor comprises a live preceding node among the one or more potential neighbor nodes; and
  
  allowing a respective receiving channel from the upstream neighbor to the first node to be established in accordance with the respective network communication protocol upon a request by the upstream neighbor, wherein the request has been generated by the upstream neighbor to establish a respective propagation channel thereof in accordance with the respective network communication protocol;
  
  receiving a security management message from the upstream neighbor through the respective receiving channel from the upstream neighbor to the first node;
  
  performing one or more security management operations in accordance with the security management message received from the upstream neighbor; and
  
  forwarding the security management message to the downstream neighbor through the respective propagation channel from the first node to the downstream neighbor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes updating the security management message based on local status information at the first node in response to a security management query specified in the security management message.
  - 3. The method of claim 1, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes performing a security-related action at the first node in accordance with a security management command specified in the security management message.
  - 4. The method of claim 1, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes detecting presence of malicious programs at the first node in accordance with the security management message.
  - 5. The method of claim 1, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes disabling or suspending one or more suspicious operations at the first node in accordance with the security management message.
  - 6. The method of claim 1, comprising:
    - updating information in the security management message in accordance with a local state at the first node before forwarding the security management message to the downstream node.
  - 7. The method of claim 1, comprising:
    - receiving a status report message from the downstream neighbor through the respective collection channel from the downstream neighbor to the first node;
      
      performing an aggregation of information in the status report message; and
      
      after performing the aggregation of information, forwarding the status report message received from the downstream neighbor to the upstream neighbor through the respective reporting channel from the first node to the upstream neighbor.
  - 8. The method of claim 1, wherein the proactive constructing and maintaining further comprises:
    - upon establishing the respective propagation channel from the first node to the downstream neighbor, terminating a previous propagation channel from the first node to another succeeding node.
  - 9. The method of claim 1, wherein the proactive constructing and maintaining further comprises:
    - upon establishing the respective reporting channel from the first node to the upstream neighbor, terminating a previous reporting channel from the first node to another preceding node.

10. A system, the system serving as a first node coupled to a network comprising a non-static collection of machines, the first node being a first machine among the non-static collection of machines and the system comprising:
- one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the processors to perform operations including;
  
  proactively constructing and maintaining a respective local segment of a linear communication orbit in the network, wherein the proactive constructing and maintaining comprises;
  
  obtaining, from a server of the network, contact information of one or more potential neighbor nodes for the first node, wherein the one or more potential neighbor nodes are machines that are known to the server as being coupled to the network;
  
  proactively establishing, in accordance with a respective network communication protocol, a respective propagation channel from the first node to a downstream neighbor upon detecting that said respective propagation channel to the downstream neighbor does not already exist, wherein the downstream neighbor comprises a live succeeding node among the one or more potential neighbor nodes;
  
  allowing a respective collection channel from the downstream neighbor to the first node to be established in accordance with the respective network communication protocol upon a request by the downstream neighbor, wherein the request has been generated by the downstream neighbor to establish a respective reporting channel thereof in accordance with the respective network communication protocol;
  
  proactively establishing, in accordance with the respective network communication protocol, a respective reporting channel from the first node to an upstream neighbor upon detecting that said respective reporting channel to the upstream neighbor does not already exist, wherein the upstream neighbor comprises a live preceding node among the one or more potential neighbor nodes; and
  
  allowing a respective receiving channel from the upstream neighbor to the first node to be established in accordance with the respective network communication protocol upon a request by the upstream neighbor, wherein the request has been generated by the upstream neighbor to establish a respective propagation channel thereof in accordance with the respective network communication protocol;
  
  receiving a security management message from the upstream neighbor through the respective receiving channel from the upstream neighbor to the first node;
  
  performing one or more security management operations in accordance with the security management message received from the upstream neighbor; and
  
  forwarding the security management message to the downstream neighbor through the respective propagation channel from the first node to the downstream neighbor.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes updating the security management message based on local status information at the first node in response to a security management query specified in the security management message.
  - 12. The system of claim 10, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes performing a security-related action at the first node in accordance with a security management command specified in the security management message.
  - 13. The system of claim 10, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes detecting presence of malicious programs at the first node in accordance with the security management message.
  - 14. The system of claim 10, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes disabling or suspending one or more suspicious operations at the first node in accordance with the security management message.
  - 15. The system of claim 10, wherein the operations further include:
    - updating information in the security management message in accordance with a local state at the first node before forwarding the security management message to the downstream node.
  - 16. The system of claim 10, wherein the operations further include:
    - receiving a status report message from the downstream neighbor through the respective collection channel from the downstream neighbor to the first node;
      
      performing an aggregation of information in the status report message; and
      
      after performing the aggregation of information, forwarding the status report message received from the downstream neighbor to the upstream neighbor through the respective reporting channel from the first node to the upstream neighbor.

17. A non-transitory computer-readable storage medium storing instructions that when executed by one or more processors, cause the processors to perform operations comprising:
- at a first node coupled to a network comprising a non-static collection of machines, the first node being a first machine among the non-static collection of machines;
  
  proactively constructing and maintaining a respective local segment of a linear communication orbit in the network, wherein the proactive constructing and maintaining comprises;
  
  obtaining, from a server of the network, contact information of one or more potential neighbor nodes for the first node, wherein the one or more potential neighbor nodes are machines that are known to the server as being coupled to the network;
  
  proactively establishing in accordance with a respective network communication protocol, a respective propagation channel from the first node to a downstream neighbor upon detecting that said respective propagation channel to the downstream neighbor does not already exist, wherein the downstream neighbor comprises a live succeeding node among the one or more potential neighbor nodes;
  
  allowing a respective collection channel from the downstream neighbor to the first node to be established in accordance with the respective network communication protocol upon a request by the downstream neighbor, wherein the request has been generated by the downstream neighbor to establish a respective reporting channel thereof in accordance with the respective network communication protocol;
  
  proactively establishing, in accordance with the respective network communication protocol, a respective reporting channel from the first node to an upstream neighbor upon detecting that said respective reporting channel to the upstream neighbor does not already exist, wherein the upstream neighbor comprises a live preceding node among the one or more potential neighbor nodes; and
  
  allowing a respective receiving channel from the upstream neighbor to the first node to be established in accordance with the respective network communication protocol upon a request by the upstream neighbor, wherein the request has been generated by the upstream neighbor to establish a respective propagation channel thereof in accordance with the respective network communication protocol;
  
  receiving a security management message from the upstream neighbor through the respective receiving channel from the upstream neighbor to the first node;
  
  performing one or more security management operations in accordance with the security management message received from the upstream neighbor; and
  
  forwarding the security management message to the downstream neighbor through the respective propagation channel from the first node to the downstream neighbor.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The computer-readable storage medium of claim 17, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes updating the security management message based on local status information at the first node in response to a security management query specified in the security management message.
  - 19. The computer-readable storage medium of claim 17, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes performing a security-related action at the first node in accordance with a security management command specified in the security management message.
  - 20. The computer-readable storage medium of claim 17, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes detecting presence of malicious programs at the first node in accordance with the security management message.
  - 21. The computer-readable storage medium of claim 17, wherein performing one or more security management operations in accordance with the security management message received from the upstream neighbor includes disabling or suspending one or more suspicious operations at the first node in accordance with the security management message.
  - 22. The computer-readable storage medium of claim 17, wherein the operations further include:
    - updating information in the security management message in accordance with a local state at the first node before forwarding the security management message to the downstream node.
  - 23. The computer-readable storage medium of claim 17, wherein the operations further include:
    - receiving a status report message from the downstream neighbor through the respective collection channel from the downstream neighbor to the first node;
      
      performing an aggregation of information in the status report message; and
      
      after performing the aggregation of information, forwarding the status report message received from the downstream neighbor to the upstream neighbor through the respective reporting channel from the first node to the upstream neighbor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tanium Inc.
Original Assignee
Tanium Inc.
Inventors
Hindawi, David, Hindawi, Orion, Lippincott, Lisa, Lincroft, Peter
Primary Examiner(s)
Crutchfield, Christopher

Application Number

US15/174,850
Publication Number

US 20160286540A1
Time in Patent Office

869 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/04   Network management architec...

H04L 41/044   comprising hierarchical man...

H04L 41/082   the condition being updates...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 41/344   Out-of-band transfers

H04L 43/02   Capturing of monitoring data

H04L 43/04   Processing captured monitor...

H04L 43/0817   by checking functioning

H04L 43/10   Active monitoring, e.g. hea...

H04L 45/02   Topology update or discovery

H04L 61/00   Network arrangements, proto...

H04L 63/00   Network architectures or ne...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/104   Peer-to-peer [P2P] networks

H04L 67/1046   Joining mechanisms

H04L 67/1048   Departure or maintenance me...

H04L 67/1063   Discovery through centralis...

H04L 67/1065 : Discovery involving distrib...

H04L 67/1072 : Discovery involving ranked ...

H04W 24/02 : Arrangements for optimising...

H04W 48/16 : Discovering, processing acc...

H04W 72/20 : Control channels or signall...

H04W 8/005 : Discovery of network device...

H04W 84/18 : Self-organising networks, e...

View All

System and method for performing security management operations in network having non-static collection of nodes

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for performing security management operations in network having non-static collection of nodes

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links