Systems and methods for computer environment situational awareness

US 10,158,654 B2
Filed: 10/31/2016
Issued: 12/18/2018
Est. Priority Date: 10/31/2016
Status: Active Grant

First Claim

Patent Images

1. A system for monitoring states of operation of assets in a network of computer devices, the system comprising:

one or more servers communicatively coupled to a computer network, the one or more servers include;

a controller engine, executed by one or more hardware processors of the one or more servers, configured to identify a target asset of the computer network;

a scheduling engine, executed by the one or more hardware processors of the one or more servers, configured to establish a communication link with a computing device associated with the target asset; and

an asset profiling engine, executed by the one or more hardware processors of the one or more servers, configured to;

transmit, via the communication link, according to a hierarchical profiling scheme defining a plurality of profiling steps, a plurality of sequential profiling queries to the computing device, each profiling step of the plurality of profiling steps associated with a corresponding profiling query that includes a corresponding set of parameters to be requested, the corresponding set of parameters associated with corresponding criteria or threshold values;

receive, at each profiling step, from the computing device via the communication link, a respective set of parameter values corresponding to the set of parameters in the profiling query associated with the profiling step;

compare, at each profiling step, the respective set of parameter values to the criteria or threshold values associated with the corresponding set of parameters in the corresponding profiling query to determine a following profiling step or a state of operation of the target asset; and

determine the state of operation of the target asset based on comparing a set of parameter values associated with a final profiling query of the plurality of sequential profiling queries to corresponding criteria or threshold values, the state of operation indicative of an abnormal behavior associated with the target asset.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for monitoring states of operation of a computer environment can include one or more computer servers identifying a target asset of the computer environment and establishing a communication link with a computing device associated with the target asset. The one or more computer servers can determine a first set of parameters for profiling the target asset, transmit a first query for the first set of parameters to the computing device via the communication link, and receive one or more first parameter values corresponding to the first set of parameters responsive to the query. The one or more computer servers can compare the one or more first parameter values to one or more first criteria or threshold values, an determine a state of operation of the target asset based on the comparison. The state of operation can be indicative of an abnormal behavior associated with the target asset.

Citations

18 Claims

1. A system for monitoring states of operation of assets in a network of computer devices, the system comprising:
- one or more servers communicatively coupled to a computer network, the one or more servers include;
  
  a controller engine, executed by one or more hardware processors of the one or more servers, configured to identify a target asset of the computer network;
  
  a scheduling engine, executed by the one or more hardware processors of the one or more servers, configured to establish a communication link with a computing device associated with the target asset; and
  
  an asset profiling engine, executed by the one or more hardware processors of the one or more servers, configured to;
  
  transmit, via the communication link, according to a hierarchical profiling scheme defining a plurality of profiling steps, a plurality of sequential profiling queries to the computing device, each profiling step of the plurality of profiling steps associated with a corresponding profiling query that includes a corresponding set of parameters to be requested, the corresponding set of parameters associated with corresponding criteria or threshold values;
  
  receive, at each profiling step, from the computing device via the communication link, a respective set of parameter values corresponding to the set of parameters in the profiling query associated with the profiling step;
  
  compare, at each profiling step, the respective set of parameter values to the criteria or threshold values associated with the corresponding set of parameters in the corresponding profiling query to determine a following profiling step or a state of operation of the target asset; and
  
  determine the state of operation of the target asset based on comparing a set of parameter values associated with a final profiling query of the plurality of sequential profiling queries to corresponding criteria or threshold values, the state of operation indicative of an abnormal behavior associated with the target asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the asset profiling engine is configured to:
    - transmit, at a first profiling step, via the communication link, a first profiling query for a corresponding first set of parameters to the computing device;
      
      receive, from the computing device via the communication link, responsive to the first profiling query, a first set of parameter values corresponding to the first set of parameters;
      
      compare the first set of parameter values to corresponding first criteria or threshold values;
      
      determine, based on comparing the first set of parameter values to the corresponding first criteria or threshold values, a second profiling step associated with a corresponding second profiling query that includes a corresponding second set of parameters;
      
      transmit, via the communication link, at the second profiling step, the second query for the second set of parameters to the computing device;
      
      receive, via the communication link, a second set of parameter values corresponding to the second set of parameters, responsive to the second profiling query;
      
      compare the second set of parameter values to corresponding second criteria or threshold values.
  - 3. The system of claim 2, wherein the asset profiling engine is configured to determine a cause of the abnormal behavior based on the second set of parameter values or the comparison of the second set of parameter values to corresponding second criteria or threshold values.
  - 4. The system of claim 3, wherein in determining a cause of the abnormal behavior, the asset profiling engine is configured to:
    - determine, based on comparing the second set of parameter values to the corresponding second criteria or threshold values, a third profiling step associated with a corresponding third profiling query that includes a third set of parameters;
      
      transmit, via the communication link, at the third profiling step, the third query for the third set of parameters to the computing device;
      
      receive, via the communication link, a third set of parameter values corresponding to the third set of parameters, responsive to the third profiling query;
      
      compare the third set of parameter values to corresponding third criteria or threshold values; and
      
      determine a cause of the abnormal behavior associated with the computing device based on the third set of parameter values or the comparison of the third set of parameter values to the corresponding third criteria or threshold values.
  - 5. The system of claim 1, wherein each profiling query is associated with a corresponding profiling template defining the set of parameters for the profiling query.
  - 6. The system of claim 1, wherein the asset profiling engine is configured to:
    - determine a profiling decision tree representing the hierarchical profiling scheme for profiling the computing device, each node of a plurality of nodes of the profiling decision tree representing a potential profiling step of the plurality of profiling steps; and
      
      determine, at each node of the profiling decision tree, the state of operation of the target asset if the node of the profiling decision tree is a leaf node, otherwise determine a next profiling step by determining a corresponding child of the node of the profiling decision tree.
  - 7. The system of claim 1, wherein the controller engine is configured to identify the target asset based on a detected or scheduled event associated with one or more assets in the computer network.
  - 8. The system of claim 1, wherein the controller engine is further configured to:
    - provide an indication of the abnormal behavior or an indication of a cause of the abnormal behavior for display on a display device.
  - 9. The system of claim 1, wherein the target asset is a first target asset and the computing device includes a second target asset communicating with the first target asset, and wherein the scheduling engine is further configured to:
    - determine that the first target asset is not responding to one or more communication requests; and
      
      upon determining that the first target asset is not responding to the one or more communication requests, establish communication link with the computing device.

10. A method of monitoring states of operation of assets in a network of computer devices, the method comprising:
- identifying, by one or more computer devices, a target asset of the computer network;
  
  establishing, by the one or more computer devices, a communication link with a computing device associated with the target asset;
  
  transmitting, by the one or more computer devices, via the communication link, a plurality of sequential profiling queries to the computing device according to a hierarchical profiling scheme defining a plurality of profiling steps, each profiling step of the plurality of profiling steps associated with a corresponding profiling query that includes a corresponding set of parameters to be requested, the corresponding set of parameters associated with corresponding criteria or threshold values;
  
  receiving, by the one or more computer devices, at each profiling step via the communication link, a respective set of parameter values corresponding to the set of parameters in the profiling query associated with the profiling step;
  
  comparing, by the one or more computer devices at each profiling step, the respective set of parameter values to the criteria or threshold values associated with the corresponding set of parameters in the corresponding profiling query to determine a following profiling step or a state of operation of the target asset; and
  
  determining, by the one or more computer devices, the state of operation of the target asset based on comparing a set of parameter values associated with a final profiling query of the plurality of sequential profiling queries to corresponding criteria or threshold values, the state of operation indicative of an abnormal behavior associated with the target asset.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10 comprising:
    - transmitting, at a first profiling step, via the communication link, a first profiling query for a corresponding first set of parameters to the computing device;
      
      receiving, from the computing device via the communication link, responsive to the first profiling query, a first set of parameter values corresponding to the first set of parameters;
      
      comparing the first set of parameter values to corresponding first criteria or threshold values;
      
      determining, based on comparing the first set of parameter values to the corresponding first criteria or threshold values, a second profiling step associated with a corresponding second profiling query that includes a corresponding second set of parameters;
      
      transmitting via the communication link, at the second profiling step, the second query for the second set of parameters to the computing device;
      
      receiving via the communication link, a second set of parameter values corresponding to the second set of parameters from the computing device, responsive to the second profiling query;
      
      comparing the second set of parameter values to corresponding second criteria or threshold values.
  - 12. The method of claim 11 comprising determining a cause of the abnormal behavior based on the second set of parameter values or the comparison of the second set of parameter values to corresponding second criteria or threshold values.
  - 13. The method of claim 12, wherein determining a cause of the abnormal behavior includes:
    - determining, based on comparing the second set of parameter values to the corresponding second criteria or threshold values, a third profiling step associated with a corresponding third profiling query that includes a third set of parameters;
      
      transmitting, via the communication link, at the third profiling step, the third query for the third set of parameters to the computing device;
      
      receiving, via the communication link, a third set of parameter values corresponding to the third set of parameters, responsive to the third profiling query;
      
      comparing the third set of parameter values to corresponding third criteria or threshold values; and
      
      determining a cause of the abnormal behavior associated with the computing device based on the third set of parameter values or the comparison of the third set of parameter values to the corresponding third criteria or threshold values.
  - 14. The method of claim 10, wherein each profiling query is associated with corresponding profiling template defining the set of parameters for the profiling query.
  - 15. The method of claim 10 further comprising:
    - determining a profiling decision tree representing the hierarchical profiling scheme for profiling the computing device, each node of a plurality of nodes of the profiling decision tree representing a potential profiling step of the plurality of profiling steps; and
      
      determining, at each node of the profiling decision tree, the state of operation of the target asset if the node of the profiling decision tree is a leaf node, otherwise determine a next profiling step by determining a corresponding child of the node of the profiling decision tree.
  - 16. The method of claim 10, wherein identifying the target asset includes identifying the target asset based on a detected or scheduled event associated with one or more assets in the computer network.
  - 17. The method of claim 10 further comprising:
    - providing an indication of the abnormal behavior or an indication of a cause of the abnormal behavior for display on a display device.

18. A non-transitory computer-readable medium with computer code instructions stored thereon, the computer code instructions when executed by one or more hardware processors cause the one or more hardware processors to:
- identify a target asset of the computer network;
  
  establish a communication link with a computing device associated with the target asset;
  
  transmit, via the communication link, a plurality of sequential profiling queries to the computing device according to a hierarchical profiling scheme defining a plurality of profiling steps, each profiling step of the plurality of profiling steps associated with a corresponding profiling query that includes a corresponding set of parameters to be requested, the corresponding set of parameters associated with corresponding criteria or threshold values;
  
  receive at each profiling step via the communication link, a respective set of parameter values corresponding to the set of parameters in the profiling query associated with the profiling step;
  
  compare, at each profiling step, the respective set of parameter values to the criteria or threshold values associated with the corresponding set of parameters in the corresponding profiling query to determine a following profiling step or a state of operation of the target asset; and
  
  determine the state of operation of the target asset based on comparing a set of parameter values associated with a final profiling query of the plurality of sequential profiling queries to corresponding criteria or threshold values, the state of operation indicative of an abnormal behavior associated with the target asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Acentium Inc.
Original Assignee
Acentium Inc.
Inventors
Hamdi, Amine
Primary Examiner(s)
Lemma, Samson B

Application Number

US15/339,437
Publication Number

US 20180124072A1
Time in Patent Office

778 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3013   where the computing system ...

G06F 11/3051   Monitoring arrangements for...

G06F 11/3055   Monitoring arrangements for...

G06F 11/3058   Monitoring arrangements for...

G06F 11/323   Visualisation of programs o...

G06F 11/3428   Benchmarking

G06F 11/3452   Performance evaluation by s...

G06F 11/3466   Performance evaluation by t...

G06F 16/951   Indexing; Web crawling tech...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2201/81   Threshold

H04L 41/0853   by actively collecting conf...

H04L 43/0817   by checking functioning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/30   Profiles

Systems and methods for computer environment situational awareness

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for computer environment situational awareness

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links