Ranking alerts based on network monitoring

US 10,389,574 B1
Filed: 02/07/2018
Issued: 08/20/2019
Est. Priority Date: 02/07/2018
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:

instantiating a monitoring engine to perform actions, including;

monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics; and

providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and

instantiating an inference engine to perform actions including associating each entity in the plurality of entities with an importance score based on the device relation model and the one or more metrics, wherein each importance score is based on a significance of an entity to one or more operations of the one or more networks and an importance of one or more other entities to the entity based on the one or more other entities and the entity being members of a same cluster and interacting with a same resource while non-communicating with each other; and

instantiating an alert engine to perform actions, including;

generating a plurality of alerts associated with the plurality of entities based on the one or more metrics;

providing feedback from one or more users regarding the plurality of entities, wherein the feedback includes one or more of user interaction history with one or more of the plurality of entities, importance of the user interaction with the one or more entities, or one or more roles of the one or more users that provided feedback; and

providing one or more ranked alerts to the one or more users based on the provided feedback from the one or more users and a ranking of the importance scores associated with one or more entities.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with a plurality of entities in networks to provide metrics. And provide a device relation model based on the plurality of entities, the network traffic, and the metrics. An inference engine may associate each entity in the plurality of entities with an importance score based on the device relation model and the metrics such that each importance score is associated with a significance of an entity to operations of the networks. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. And provide one or more alerts from the plurality of alerts to one or more users based on one or more ranked importance scores associated with one or more entities.

244 Citations

28 Claims

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics; and
  
  providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
  
  instantiating an inference engine to perform actions including associating each entity in the plurality of entities with an importance score based on the device relation model and the one or more metrics, wherein each importance score is based on a significance of an entity to one or more operations of the one or more networks and an importance of one or more other entities to the entity based on the one or more other entities and the entity being members of a same cluster and interacting with a same resource while non-communicating with each other; and
  
  instantiating an alert engine to perform actions, including;
  
  generating a plurality of alerts associated with the plurality of entities based on the one or more metrics;
  
  providing feedback from one or more users regarding the plurality of entities, wherein the feedback includes one or more of user interaction history with one or more of the plurality of entities, importance of the user interaction with the one or more entities, or one or more roles of the one or more users that provided feedback; and
  
  providing one or more ranked alerts to the one or more users based on the provided feedback from the one or more users and a ranking of the importance scores associated with one or more entities.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the actions of the inference engine further comprise, modifying the importance score associated with each entity based on one or more characteristics including one or more of resources accessed by an entity, resources provided by an entity, users that access an entity, users that are logged in to an entity, or an uptime of the entity.
  - 3. The method of claim 1, wherein the actions of the monitoring engine further comprise:
    - modifying the device relation model based on an addition or removal of one or more entities in the network; and
      
      modifying the importance score associated with each entity based on the modification to the device relation model.
  - 4. The method of claim 1, wherein the inference engine performs further actions, comprising:
    - providing one or more other entities based on a traversal of the device relation model; and
      
      modifying each importance score that is associated with the one or more other entities based on the traversal.
  - 5. The method of claim 1, wherein the actions of the inference engine further comprise, modifying the importance score of the entity based on one or more applications shared by the entity and one or more other entities, dependencies shared by the entity and the one or more other entities, or activities of the one or more users.
  - 6. The method of claim 1, wherein the actions of the inference engine further comprise, increasing the importance score for the entity based on a metric value that is associated with another entity that is linked to the entity.
  - 7. The method of claim 1, wherein the actions of the inference engine further comprises:
    - associating two or more entities that are communicating based on one or more public key infrastructure (PKI) certificates; and
      
      increasing each importance score associated with the two or more associated entities based on one or more anomalies associated with the one or more PKI certificates.

8. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics; and
  
  providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
  
  instantiating an inference engine to perform actions including associating each entity in the plurality of entities with an importance score based on the device relation model and the one or more metrics, wherein each importance score is based on a significance of an entity to one or more operations of the one or more networks and an importance of one or more other entities to the entity based on the one or more other entities and the entity being members of a same cluster and interacting with a same resource while non-communicating with each other; and
  
  instantiating an alert engine to perform actions, including;
  
  generating a plurality of alerts associated with the plurality of entities based on the one or more metrics;
  
  providing feedback from one or more users regarding the plurality of entities, wherein the feedback includes one or more of user interaction history with one or more of the plurality of entities, importance of the user interaction with the one or more entities, or one or more roles of the one or more users that provided feedback; and
  
  providing one or more ranked alerts to the one or more users based on the provided feedback from the one or more users and a ranking of the importance scores associated with one or more entities.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The media of claim 8, wherein the actions of the inference engine further comprise, modifying the importance score associated with each entity based on one or more characteristics including one or more of resources accessed by an entity, resources provided by an entity, users that access an entity, users that are logged in to an entity, or an uptime of the entity.
  - 10. The media of claim 8, wherein the actions of the monitoring engine further comprise:
    - modifying the device relation model based on an addition or removal of one or more entities in the network; and
      
      modifying the importance score associated with each entity based on the modification to the device relation model.
  - 11. The media of claim 8, wherein the inference engine performs further actions, comprising:
    - providing one or more other entities based on a traversal of the device relation model; and
      
      modifying each importance score that is associated with the one or more other entities based on the traversal.
  - 12. The media of claim 8, wherein the actions of the inference engine further comprise, modifying the importance score of the entity based on one or more applications shared by the entity and one or more other entities, dependencies shared by the entity and the one or more other entities, or activities of the one or more users.
  - 13. The media of claim 8, wherein the actions of the inference engine further comprise, increasing the importance score for the entity based on a metric value that is associated with another entity that is linked to the entity.
  - 14. The media of claim 8, wherein the actions of the inference engine further comprises:
    - associating two or more entities that are communicating based on one or more public key infrastructure (PKI) certificates; and
      
      increasing each importance score associated with the two or more associated entities based on one or more anomalies associated with the one or more PKI certificates.

15. A system for monitoring network traffic in a network:
- one or more network computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics; and
  
  providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
  
  instantiating an inference engine to perform actions including associating each entity in the plurality of entities with an importance score based on the device relation model and the one or more metrics, wherein each importance score is based on a significance of an entity to one or more operations of the one or more networks and an importance of one or more other entities to the entity based on the one or more other entities and the entity being members of a same cluster and interacting with a same resource while non-communicating with each other; and
  
  instantiating an alert engine to perform actions, including;
  
  generating a plurality of alerts associated with the plurality of entities based on the one or more metrics;
  
  providing feedback from one or more users regarding the plurality of entities, wherein the feedback includes one or more of user interaction history with one or more of the plurality of entities, importance of the user interaction with the one or more entities, or one or more roles of the one or more users that provided feedback; and
  
  providing one or more ranked alerts to the one or more users based on the provided feedback from the one or more users and a ranking of the importance scores associated with one or more entities; and
  
  one or more client computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more portions of the network traffic.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the actions of the inference engine further comprise, modifying the importance score associated with each entity based on one or more characteristics including one or more of resources accessed by an entity, resources provided by an entity, users that access an entity, users that are logged in to an entity, or an uptime of the entity.
  - 17. The system of claim 15, wherein the actions of the monitoring engine further comprise:
    - modifying the device relation model based on an addition or removal of one or more entities in the network; and
      
      modifying the importance score associated with each entity based on the modification to the device relation model.
  - 18. The system of claim 15, wherein the inference engine performs further actions, comprising:
    - providing one or more other entities based on a traversal of the device relation model; and
      
      modifying each importance score that is associated with the one or more other entities based on the traversal.
  - 19. The system of claim 15, wherein the actions of the inference engine further comprise, modifying the importance score of the entity based on one or more applications shared by the entity and one or more other entities, dependencies shared by the entity and the one or more other entities, or activities of the one or more users.
  - 20. The system of claim 15, wherein the actions of the inference engine further comprise, increasing the importance score for the entity based on a metric value that is associated with another entity that is linked to the entity.
  - 21. The system of claim 15, wherein the actions of the inference engine further comprises:
    - associating two or more entities that are communicating based on one or more public key infrastructure (PKI) certificates; and
      
      increasing each importance score associated with the two or more associated entities based on one or more anomalies associated with the one or more PKI certificates.

22. A network computer for monitoring communication over a network between two or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics; and
  
  providing a device relation model based on the plurality of entities, the network traffic, and the one or more metrics; and
  
  instantiating an inference engine to perform actions including associating each entity in the plurality of entities with an importance score based on the device relation model and the one or more metrics, wherein each importance score is based on a significance of an entity to one or more operations of the one or more networks and an importance of one or more other entities to the entity based on the one or more other entities and the entity being members of a same cluster and interacting with a same resource while non-communicating with each other; and
  
  instantiating an alert engine to perform actions, including;
  
  generating a plurality of alerts associated with the plurality of entities based on the one or more metrics;
  
  providing feedback from one or more users regarding the plurality of entities, wherein the feedback includes one or more of user interaction history with one or more of the plurality of entities, importance of the user interaction with the one or more entities, or one or more roles of the one or more users that provided feedback; and
  
  providing one or more ranked alerts to the one or more users based on the provided feedback from the one or more users and a ranking of the importance scores associated with one or more entities.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The network computer of claim 22, wherein the actions of the inference engine further comprise, modifying the importance score associated with each entity based on one or more characteristics including one or more of resources accessed by an entity, resources provided by an entity, users that access an entity, users that are logged in to an entity, or an uptime of the entity.
  - 24. The network computer of claim 22, wherein the actions of the monitoring engine further comprise:
    - modifying the device relation model based on an addition or removal of one or more entities in the network; and
      
      modifying the importance score associated with each entity based on the modification to the device relation model.
  - 25. The network computer of claim 22, wherein the inference engine performs further actions, comprising:
    - providing one or more other entities based on a traversal of the device relation model; and
      
      modifying each importance score that is associated with the one or more other entities based on the traversal.
  - 26. The network computer of claim 22, wherein the actions of the inference engine further comprise, modifying the importance score of the entity based on one or more applications shared by the entity and one or more other entities, dependencies shared by the entity and the one or more other entities, or activities of the one or more users.
  - 27. The network computer of claim 22, wherein the actions of the inference engine further comprise, increasing the importance score for the entity based on a metric value that is associated with another entity that is linked to the entity.
  - 28. The network computer of claim 22, wherein the actions of the inference engine further comprises:
    - associating two or more entities that are communicating based on one or more public key infrastructure (PKI) certificates; and
      
      increasing each importance score associated with the two or more associated entities based on one or more anomalies associated with the one or more PKI certificates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Wu, Xue Jun, Braun, Nicholas Jordan, Deaguero, Joel Benjamin, Montague, Michael Kerber Krause, Khanal, Bhushan Prasad
Primary Examiner(s)
Springer, James E

Application Number

US15/891,273
Publication Number

US 20190245734A1
Time in Patent Office

559 Days
Field of Search

709224
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/958   Organisation or management ...

H04L 41/0609   based on severity or priority

H04L 41/12   Discovery or management of ...

H04L 41/145   involving simulating, desig...

H04L 41/16   using machine learning or a...

H04L 41/40   using virtualisation of net...

H04L 43/08   Monitoring or testing based...

H04L 43/0823   Errors, e.g. transmission e...

H04L 43/091   Measuring contribution of i...

H04L 43/20   the monitoring system or th...

H04L 9/006   involving public key infras...

Ranking alerts based on network monitoring

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

244 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Ranking alerts based on network monitoring

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

244 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links