Personalization of alerts based on network monitoring

US 10,728,126 B2
Filed: 07/30/2018
Issued: 07/28/2020
Est. Priority Date: 02/08/2018
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:

instantiating a monitoring engine to perform actions, including;

providing a device relation model based on one or more metrics and one or more types of communication protocols used in monitored network traffic associated with a plurality of entities in one or more networks; and

instantiating an inference engine to perform actions including;

associating each entity with an interest score based on the device relation model, wherein the one or more metrics and the one or more types of communication protocols are employed to weight one or more relationships between two or more entities, and wherein one or more portions of the one or more relationships having a weight that is a priority are included as one or more edges in the device relation model, and wherein one or more other portions of the relationships having a weight that is a non-priority are non-included as edges in the device relation model; and

including one or more phantom edges in the device relation model based on one or more relationships between two or more other entities that indirectly communicate with each other; and

instantiating an alert engine to perform actions, including;

providing one or more alerts to the user from one or more alerts based on one or more ranked interest scores associated with the one or more entities based on the device relation model; and

assigning one or more decay functions to the interest score associated with each entity, wherein the one or more decay functions are employed to decrease the interest score associated with an entity over time based on one or more of a lack of the user'"'"'s interaction with the entity or a lack of the user'"'"'s actions in response to one or more alerts regarding the entity, and wherein the one or more decay functions cause an increase or a decrease in an amount of the alerts associated with the entity that are provided to the user.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic using network computers. A monitoring engine may monitor network traffic associated with a plurality of entities in a network to provide metrics. A device relation model may be provided based on the plurality of entities, the network traffic, and the metrics. Interest information for a user may be provided based on one or more properties associated with the user. An inference engine may associate each entity in the plurality of entities with an interest score based on the interest information, the device relation model, and the metrics. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. Some of the alerts may be provided to the user based on ranked interest scores associated with the entities.

439 Citations

28 Claims

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  providing a device relation model based on one or more metrics and one or more types of communication protocols used in monitored network traffic associated with a plurality of entities in one or more networks; and
  
  instantiating an inference engine to perform actions including;
  
  associating each entity with an interest score based on the device relation model, wherein the one or more metrics and the one or more types of communication protocols are employed to weight one or more relationships between two or more entities, and wherein one or more portions of the one or more relationships having a weight that is a priority are included as one or more edges in the device relation model, and wherein one or more other portions of the relationships having a weight that is a non-priority are non-included as edges in the device relation model; and
  
  including one or more phantom edges in the device relation model based on one or more relationships between two or more other entities that indirectly communicate with each other; and
  
  instantiating an alert engine to perform actions, including;
  
  providing one or more alerts to the user from one or more alerts based on one or more ranked interest scores associated with the one or more entities based on the device relation model; and
  
  assigning one or more decay functions to the interest score associated with each entity, wherein the one or more decay functions are employed to decrease the interest score associated with an entity over time based on one or more of a lack of the user'"'"'s interaction with the entity or a lack of the user'"'"'s actions in response to one or more alerts regarding the entity, and wherein the one or more decay functions cause an increase or a decrease in an amount of the alerts associated with the entity that are provided to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the alert engine performs further actions comprising generating the one or more alerts associated with the plurality of entities based on the one or more metrics.
  - 3. The method of claim 1, wherein the monitoring engine performs further actions comprising providing interest information for the user based on one or more properties associated with the user, wherein a level of interest of the user is based on the interest information, the device relation model, and the one or more metrics.
  - 4. The method of claim 1, wherein the inference engine performs further actions comprising employing monitored network traffic to identify a type of one or more of activities or interactions that the user has with the one or more entities.
  - 5. The method of claim 1, wherein the inference engine performs further actions including increasing the interest score associated with an entity that is related to another entity that the user repeatedly accesses.
  - 6. The method of claim 1, wherein the inference engine performs further actions including recommending another entity to the user based on one or more interactions by another user with the other entity, wherein the other user previously interacted with at least one different entity that the user also previously interacted with.
  - 7. The method of claim 1, wherein the inference engine performs further actions including recommending another entity to the user based on one or more of input or feedback from the user.

8. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
- instantiating a monitoring engine to perform actions, including;
  
  providing a device relation model based on one or more metrics and one or more types of communication protocols used in monitored network traffic associated with a plurality of entities in one or more networks; and
  
  instantiating an inference engine to perform actions including;
  
  associating each entity with an interest score based on the device relation model, wherein the one or more metrics and the one or more types of communication protocols are employed to of weight one or more relationships between two or more entities, and wherein one or more portions of the one or more relationships having a weight that is a priority are included as one or more edges in the device relation model, and wherein one or more other portions of the relationships having a weight that is a non-priority are non-included as edges in the device relation model; and
  
  including one or more phantom edges in the device relation model based on one or more relationships between two or more other entities that indirectly communicate with each other; and
  
  instantiating an alert engine to perform actions, including;
  
  providing one or more alerts to the user from one or more alerts based on one or more ranked interest scores associated with the one or more entities based on the device relation model; and
  
  assigning one or more decay functions to the interest score associated with each entity, wherein the one or more decay functions are employed to decrease the interest score associated with an entity over time based on one or more of a lack of a user'"'"'s interaction with the entity or a lack of the user'"'"'s actions in response to one or more alerts regarding the entity, and wherein the one or more decay functions cause an increase or a decrease in an amount of the alerts associated with the entity that are provided to the user.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The media of claim 8, wherein the alert engine performs further actions comprising generating the one or more alerts associated with the plurality of entities based on the one or more metrics.
  - 10. The media of claim 8, wherein the monitoring engine performs further actions comprising providing interest information for the user based on one or more properties associated with the user, wherein a level of interest of the user is based on the interest information, the device relation model, and the one or more metrics.
  - 11. The media of claim 8, wherein the inference engine performs further actions comprising employing monitored network traffic to identify a type of one or more of activities or interactions that the user has with the one or more entities.
  - 12. The media of claim 8, wherein the inference engine performs further actions including increasing the interest score associated with an entity that is related to another entity that the user repeatedly accesses.
  - 13. The media of claim 8, wherein the inference engine performs further actions including recommending another entity to the user based on one or more interactions by another user with the other entity, wherein the other user previously interacted with at least one different entity that the user also previously interacted with.
  - 14. The media of claim 8, wherein the inference engine performs further actions including recommending another entity to the user based on one or more of input or feedback from the user.

15. A system for monitoring network traffic in a network:
- one or more network computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  providing a device relation model based on one or more metrics and one or more types of communication protocols used in monitored network traffic associated with a plurality of entities in one or more networks; and
  
  instantiating an inference engine to perform actions including;
  
  associating each entity with an interest score based on the device relation model, wherein the one or more metrics and the one or more types of communication protocols are employed to weight one or more relationships between two or more entities, and wherein one or more portions of the one or more relationships having a weight that is a priority are included as one or more edges in the device relation model, and wherein one or more other portions of the relationships having a weight that is a non-priority are non-included as edges in the device relation model; and
  
  including one or more phantom edges in the device relation model based on one or more relationships between two or more other entities that indirectly communicate with each other; and
  
  instantiating an alert engine to perform actions, including;
  
  providing one or more alerts to the user from one or more alerts based on one or more ranked interest scores associated with the one or more entities based on the device relation model; and
  
  assigning one or more decay functions to the interest score associated with each entity, wherein the one or more decay functions are employed to decrease the interest score associated with an entity over time based on one or more of a lack of a user'"'"'s interaction with the entity or a lack of the user'"'"'s actions in response to one or more alerts regarding the entity, and wherein the one or more decay functions cause an increase or a decrease in an amount of the alerts associated with the entity that are provided to the user; and
  
  one or more client computers, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more portions of the network traffic.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the alert engine performs further actions comprising generating the one or more alerts associated with the plurality of entities based on the one or more metrics.
  - 17. The system of claim 15, wherein the monitoring engine performs further actions comprising providing interest information for the user based on one or more properties associated with the user, wherein a level of interest of the user is based on the interest information, the device relation model, and the one or more metrics.
  - 18. The system of claim 15, wherein the inference engine performs further actions comprising employing monitored network traffic to identify a type of one or more of activities or interactions that the user has with the one or more entities.
  - 19. The system of claim 15, wherein the inference engine performs further actions including increasing the interest score associated with an entity that is related to another entity that the user repeatedly accesses.
  - 20. The system of claim 15, wherein the inference engine performs further actions including recommending another entity to the user based on one or more interactions by another user with the other entity, wherein the other user previously interacted with at least one different entity that the user also previously interacted with.
  - 21. The system of claim 15, wherein the inference engine performs further actions including recommending another entity to the user based on one or more of input or feedback from the user.

22. A network computer for monitoring communication over a network between two or more computers, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a monitoring engine to perform actions, including;
  
  providing a device relation model based on one or more metrics and one or more types of communication protocols used in monitored network traffic associated with a plurality of entities in one or more networks; and
  
  instantiating an inference engine to perform actions including;
  
  associating each entity with an interest score based on the device relation model, wherein the one or more metrics and the one or more types of communication protocols are employed to of weight one or more relationships between two or more entities, and wherein one or more portions of the one or more relationships having a weight that is a priority are included as one or more edges in the device relation model, and wherein one or more other portions of the relationships having a weight that is a non-priority are non-included as edges in the device relation model; and
  
  including one or more phantom edges in the device relation model based on one or more relationships between two or more other entities that indirectly communicate with each other; and
  
  instantiating an alert engine to perform actions, including;
  
  providing one or more alerts to the user from one or more alerts based on one or more ranked interest scores associated with the one or more entities based on the device relation model; and
  
  assigning one or more decay functions to the interest score associated with each entity, wherein the one or more decay functions are employed to decrease the interest score associated with an entity over time based on one or more of a lack of a user'"'"'s interaction with the entity or a lack of the user'"'"'s actions in response to one or more alerts regarding the entity, and wherein the one or more decay functions cause an increase or a decrease in an amount of the alerts associated with the entity that are provided to the user.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The network computer of claim 22, wherein the alert engine performs further actions comprising generating the one or more alerts associated with the plurality of entities based on the one or more metrics.
  - 24. The network computer of claim 22, wherein the monitoring engine performs further actions comprising providing interest information for the user based on one or more properties associated with the user, wherein a level of interest of the user is based on the interest information, the device relation model, and the one or more metrics.
  - 25. The network computer of claim 22, wherein the inference engine performs further actions comprising employing monitored network traffic to identify a type of one or more of activities or interactions that the user has with the one or more entities.
  - 26. The network computer of claim 22, wherein the inference engine performs further actions including increasing the interest score associated with an entity that is related to another entity that the user repeatedly accesses.
  - 27. The network computer of claim 22, wherein the inference engine performs further actions including recommending another entity to the user based on one or more interactions by another user with the other entity, wherein the other user previously interacted with at least one different entity that the user also previously interacted with.
  - 28. The network computer of claim 22, wherein the inference engine performs further actions including recommending another entity to the user based on one or more of input or feedback from the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Wu, Xue Jun, Braun, Nicholas Jordan, Deaguero, Joel Benjamin, Montague, Michael Kerber Krause, Khanal, Bhushan Prasad
Primary Examiner(s)
Osman, Ramy M

Application Number

US16/048,939
Publication Number

US 20190245763A1
Time in Patent Office

729 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 41/06   Management of faults, event...

H04L 41/0681   Configuration of triggering...

H04L 41/14   Network analysis or design

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/045   for graphical visualisation...

H04L 43/08   Monitoring or testing based...

Personalization of alerts based on network monitoring

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

439 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Personalization of alerts based on network monitoring

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

439 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links