Automated risk assessment based on machine generated investigation

US 10,411,982 B1
Filed: 06/14/2019
Issued: 09/10/2019
Est. Priority Date: 01/08/2019
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using one or more network computers over one or more networks, wherein the execution of instructions by the one or more network computers perform the method comprising:

providing information that is associated with one or more anomalies that are associated with one or more users over one or more portions of the monitored network traffic;

annotating the provided information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic;

employing the annotated anomaly information to determine a communication channel that is separate from the monitored network traffic and associated with the one or more users;

determining one or more investigative agents based on the annotated anomaly information; and

providing a report based on an evaluation of investigative information provided by the one or more investigative agents.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic using a network computer. The network computer provides anomaly information associated with anomalies that may be associated with monitored network traffic. An inference engine may determine the users associated with the anomalies based on the monitored network traffic. A communication channel associated with the users may be determined based on the anomalies and the monitored network traffic such that the communication channel may be separate from the monitored network traffic. The communication channel may be employed to provide investigative agents to the users. Investigative information may be collected from the investigative agents over the communication channel. The inference engine may provide a risk value that is associated with the anomalies based on the investigative information.

21 Citations

28 Claims

1. A method for monitoring network traffic using one or more network computers over one or more networks, wherein the execution of instructions by the one or more network computers perform the method comprising:
- providing information that is associated with one or more anomalies that are associated with one or more users over one or more portions of the monitored network traffic;
  
  annotating the provided information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic;
  
  employing the annotated anomaly information to determine a communication channel that is separate from the monitored network traffic and associated with the one or more users;
  
  determining one or more investigative agents based on the annotated anomaly information; and
  
  providing a report based on an evaluation of investigative information provided by the one or more investigative agents.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - classifying the one or more anomalies based on one or more profiles, wherein the one or more profiles are associated with one or more risk levels.
  - 3. The method of claim 1, further comprising:
    - employing the investigative information and one or more profiles to classify the one or more anomalies, wherein the evaluation is further based on the classification of the one or more anomalies.
  - 4. The method of claim 1, further comprising;
    - annotating one or more profiles associated with the one or more anomalies, wherein the annotation of the one or more profiles is employed to provide one or more of classification the one or more anomalies or resolution of one or more subsequent anomalies.
  - 5. The method of claim 1, wherein determining the communication channel further comprises employing the one or more anomalies and the one or more portions of the monitored network traffic.
  - 6. The method of claim 1, further comprises:
    - employing the communication channel to;
      
      provide the one or more investigative agents to the one or more users;
      
      orprovide the investigative information from the one or more investigative agents.
  - 7. The method of claim 1, further comprising:
    - determining one or more remediation actions based on the investigative information, wherein the one or more remediation actions includes one or more of quarantining an endpoint, blocking network traffic, or locking a user account.

8. A system for monitoring network traffic in one or more networks:
- one or more network computers, comprising;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing information that is associated with one or more anomalies that are associated with one or more users over one or more portions of the monitored network traffic;
  
  annotating the provided information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic;
  
  employing the annotated anomaly information to determine a communication channel that is separate from the monitored network traffic and associated with the one or more users;
  
  determining one or more investigative agents based on the annotated anomaly information; and
  
  providing a report based on an evaluation of investigative information provided by the one or more investigative agents; and
  
  one or more client computers, comprising;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more of the one or more portions of the monitored network traffic.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the one or more processors of the one or more network computers perform further actions, comprising:
    - classifying the one or more anomalies based on one or more profiles, wherein the one or more profiles are associated with one or more risk levels.
  - 10. The system of claim 8, wherein the one or more processors of the one or more network computers perform further actions, comprising:
    - employing the investigative information and one or more profiles to classify the one or more anomalies, wherein the evaluation is further based on the classification of the one or more anomalies.
  - 11. The system of claim 8, wherein the one or more processors of the one or more network computers perform further actions, comprising:
    - annotating one or more profiles associated with the one or more anomalies, wherein the annotation of the one or more profiles is employed to provide one or more of classification the one or more anomalies or resolution of one or more subsequent anomalies.
  - 12. The system of claim 8, wherein the one or more processors of the one or more network computers perform further actions, comprising:
    - employing the one or more anomalies and the one or more portions of the monitored network traffic to further determine the communication channel.
  - 13. The system of claim 8, wherein the one or more processors of the one or more network computers perform further actions, comprising:
    - employing the communication channel to;
      
      provide the one or more investigative agents to the one or more users;
      
      orprovide the investigative information from the one or more investigative agents.
  - 14. The system of claim 8, wherein the one or more processors of the one or more network computers perform further actions, comprising:
    - determining one or more remediation actions based on the investigative information, wherein the one or more remediation actions includes one or more of quarantining an endpoint, blocking network traffic, or locking a user account.

15. A network computer for monitoring network traffic in one or more networks, comprising:
- a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing information that is associated with one or more anomalies that are associated with one or more users over one or more portions of the monitored network traffic;
  
  annotating the provided information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic;
  
  employing the annotated anomaly information to determine a communication channel that is separate from the monitored network traffic and associated with the one or more users;
  
  determining one or more investigative agents based on the annotated anomaly information; and
  
  providing a report based on an evaluation of investigative information provided by the one or more investigative agents.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The network computer of claim 15, wherein the one or more processors perform further actions, comprising:
    - classifying the one or more anomalies based on one or more profiles, wherein the one or more profiles are associated with one or more risk levels.
  - 17. The network computer of claim 15, wherein the one or more processors perform further actions, comprising:
    - employing the investigative information and one or more profiles to classify the one or more anomalies, wherein the evaluation is further based on the classification of the one or more anomalies.
  - 18. The network computer of claim 15, wherein the one or more processors perform further actions, comprising:
    - annotating one or more profiles associated with the one or more anomalies, wherein the annotation of the one or more profiles is employed to provide one or more of classification the one or more anomalies or resolution of one or more subsequent anomalies.
  - 19. The network computer of claim 15, wherein the one or more processors perform further actions, comprising:
    - employing the one or more anomalies and the one or more portions of the monitored network traffic to further determine the communication channel.
  - 20. The network computer of claim 15, wherein the one or more processors perform further actions, comprising:
    - employing the communication channel to;
      
      provide the one or more investigative agents to the one or more users;
      
      orprovide the investigative information from the one or more investigative agents.
  - 21. The network computer of claim 15, wherein the one or more processors perform further actions, comprising:
    - determining one or more remediation actions based on the investigative information, wherein the one or more remediation actions includes one or more of quarantining an endpoint, blocking network traffic, or locking a user account.

22. A processor readable non-transitory storage media that includes instructions for monitoring network traffic over one or more networks using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
- providing information that is associated with one or more anomalies that are associated with one or more users over one or more portions of the monitored network traffic;
  
  annotating the provided information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic;
  
  employing the annotated anomaly information to determine a communication channel that is separate from the monitored network traffic and associated with the one or more users;
  
  determining one or more investigative agents based on the annotated anomaly information; and
  
  providing a report based on an evaluation of investigative information provided by the one or more investigative agents.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The processor readable non-transitory storage media of claim 22, further comprising:
    - classifying the one or more anomalies based on one or more profiles, wherein the one or more profiles are associated with one or more risk levels.
  - 24. The processor readable non-transitory storage media of claim 22, further comprising:
    - employing the investigative information and one or more profiles to classify the one or more anomalies, wherein the evaluation is further based on the classification of the one or more anomalies.
  - 25. The processor readable non-transitory storage media of claim 22, further comprising;
    - annotating one or more profiles associated with the one or more anomalies, wherein the annotation of the one or more profiles is employed to provide one or more of classification the one or more anomalies or resolution of one or more subsequent anomalies.
  - 26. The processor readable non-transitory storage media of claim 22, wherein determining the communication channel further comprises employing the one or more anomalies and the one or more portions of the monitored network traffic.
  - 27. The processor readable non-transitory storage media of claim 22, further comprises:
    - employing the communication channel to;
      
      provide the one or more investigative agents to the one or more users;
      
      orprovide the investigative information from the one or more investigative agents.
  - 28. The processor readable non-transitory storage media of claim 22, further comprising:
    - determining one or more remediation actions based on the investigative information, wherein the one or more remediation actions includes one or more of quarantining an endpoint, blocking network traffic, or locking a user account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Driggs, Edmund Hope, Rothstein, Jesse Abraham
Primary Examiner(s)
Jaroenchonwanit, Bunjob

Application Number

US16/442,257
Time in Patent Office

88 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/0816   the condition being an adap...

H04L 41/142   using statistical or mathem...

H04L 43/062   related to network traffic

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/12   Network monitoring probes

H04L 43/14   using software, i.e. softwa...

H04L 43/16   Threshold monitoring

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

Automated risk assessment based on machine generated investigation

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Automated risk assessment based on machine generated investigation

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links