DETECTING AND REPORTING CHANGES ON NETWORKED COMPUTERS

US 20070022315A1
Filed: 06/22/2006
Published: 01/25/2007
Est. Priority Date: 06/29/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for centrally administering a network that includes a plurality of computing devices, to detect changes on the computing devices, comprising the steps of:

(a) maintaining structured data for each of a plurality of different predefined types of entities, the structured data being updated from time-to-time, using data that are produced by a local agent running on each of the plurality of computing devices;

(b) using the structured data for detecting any new entities on any of the computing devices that are coupled to the network, where the new entities are entities that have recently been added to the computing devices since the structured data were last updated; and

(c) reporting the new entities as new unknown entities if not previously detected on any of the computing devices that are coupled to the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system detects changes to the computers on a computer network, and reports these changes in a simple and useful format. Two compatible components are used, including a Local Agent that runs locally on each computer, and a Digester that is run centrally by a system administrator. Changes in the system are detected and classified, and a report is produced that arranges data from several tables for different types of entities detected on the computers into a work order format for output to a text file. Any entities that are new and correspond to previously identified flagged exceptions are so identified, and any new unknown entities that were not previously found on a computer in the network are indicated so that they can be evaluated. Changes that may be undesirable can thus be readily identified for evaluation and possible removal before indicated by other third party sources.

42 Citations

View as Search Results

29 Claims

1. A method for centrally administering a network that includes a plurality of computing devices, to detect changes on the computing devices, comprising the steps of:
- (a) maintaining structured data for each of a plurality of different predefined types of entities, the structured data being updated from time-to-time, using data that are produced by a local agent running on each of the plurality of computing devices;
  
  (b) using the structured data for detecting any new entities on any of the computing devices that are coupled to the network, where the new entities are entities that have recently been added to the computing devices since the structured data were last updated; and
  
  (c) reporting the new entities as new unknown entities if not previously detected on any of the computing devices that are coupled to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising the step of reclassifying the new entities as flagged exceptions if previously detected and determined to be undesirable.
  - 3. The method of claim 2, further comprising the step of automatically creating a report indicating the computing devices on which new entities corresponding to flagged exceptions have been found.
  - 4. The method of claim 3, further comprising the step of employing the report to automatically initiate a work order to remove the new entity corresponding to a flagged exception from any computing device on which it was found.
  - 5. The method of claim 1, further comprising the step of enabling a user to reclassify new entities included in the structured data after manually evaluating the functionality of the new entities.
  - 6. The method of claim 2, further comprising the step of enabling a system administrator to define at least one parameter used to identify at least one flagged exception.
  - 7. A computing device readable memory medium on which machine instructions are stored for carrying out the steps of claim 1.

8. A method for detecting and reporting changes on a plurality of computing devices connected to a network, comprising the steps of:
- (a) for each of the plurality of computing devices that is connected to the network, from time-to-time automatically;
  
  (i) detecting any of a plurality of different predefined types of entities on the computing device; and
  
  (ii) storing data identifying the different types of entities detected on the computing device, at a designated location accessible over the network, in association with an identification of the computing device; and
  
  (b) at a central computing device, automatically periodically;
  
  (i) updating and storing a data aggregation for each different predefined type of entity, wherein the data aggregation includes the data stored by the computing devices for that predefined type of entity; and
  
  (ii) comparing the data aggregation for each different predefined type of entity to data for entities of that predefined type that have been previously detected on any computing device connected to the network, to identify any new unknown entities that have not been previously detected on any computing device connected to the network, and reporting to a user each computing device on which any new unknown entity was detected.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 9. The method of claim 8, further comprising the step of comparing the data aggregation for each different predefined type of entity to flagged exceptions for that predefined type of entity, to determine if any of the entities detected on the plurality of computing devices corresponds to a flagged exception that was previously identified as undesirable, and reporting to a user each computing device on which an entity is found that matches a flagged exception.
  - 10. The method of claim 8, further comprising the step of adding each new unknown entity that was detected to a group of previously identified unknown entities of that predefined type.
  - 11. The method of claim 8, further comprising the step of enabling a user to evaluate any new unknown entity reported, to attempt to determine whether the new unknown entity should be reclassified as a flagged exception that is undesirable and should be removed from each computing device connected to the network on which said new unknown entity was detected.
  - 12. The method of claim 8, wherein after the new unknown entity is reported to the user, further comprising the step of reclassifying any new unknown entity as an unknown entity, until a functionality of the unknown entity is determined.
  - 13. The method of claim 12, further comprising the step of reclassifying an unknown entity that has been evaluated and found not to be undesirable, as a known entity that is not a flagged exception.
  - 14. The method of claim 8, wherein for the computing devices on which an entity corresponding to a flagged exception was found, further comprising the step of automatically preparing a work order to facilitate removal of the entity from each computing device on which the entity was found.
  - 15. The method of claim 8, wherein the plurality of different predefined entities comprise at least two of:
    - (a) loaded executable code;
      
      (b) ports that are open; and
      
      (c) startup programs that are executed when an operating system on the computing device is restarted.
  - 16. The method of claim 8, wherein the step of storing the data aggregation comprises the step of combining the data stored by the computing devices in a data structure, for each predefined type of entity.
  - 17. The method of claim 8, further comprising the step of enabling a user to determine whether an unknown entity that has been reported is undesirable for the computing devices connected to the network.
  - 18. The method of claim 17, wherein if an unknown entity has been reported as undesirable, further comprising the step of changing a flag for said entity indicating that it is an unknown entity to an existing flag indicating that it is an undesirable type of entity, or to a new flag for the data aggregation indicating that it is an undesirable type of entity.
  - 19. The method of claim 8, wherein the flagged exceptions are each associated with at least one of:
    - (a) adware;
      
      (b) spyware;
      
      (c) executable code that can threaten normal operation of at least one computing device that is coupled to the network;
      
      (d) bots that perform undesired functions; and
      
      (e) worms that perform undesired functions.
  - 20. The method of claim 8, further comprising the steps of:
    - (a) collecting and formatting inventory data for each of the computing devices coupled to the network, the inventory data indicating specific application programs and hardware that are installed on the computer; and
      
      (b) storing the inventory data at an accessible location on the network.
  - 21. The method of claim 20, further comprising the step of enabling a user to access the inventory data to assist in evaluating any unknown entity that is reported in the data aggregation.
  - 22. The method of claim 8, further comprising the step of pushing a local agent onto any computing device that attempts to connect to the network that is not already executing the local agent, wherein the local agent implements steps 8(a)(i) and 8(a)(ii).
  - 23. The method of claim 8, wherein the step of detecting any of a plurality of different predefined types of entities on the computing device is carried out in response to at least one of:
    - (a) a user logging in on the computing device;
      
      (b) a user logging in on the network;
      
      (c) rebooting the computing device;
      
      (d) in response to a user prompt;
      
      (e) a request being received over the network;
      
      (f) lapse of a predefined time interval; and
      
      (g) a system call to open a network port or to load a module.
  - 24. A computing device readable memory medium on which machine instructions are stored for carrying out the steps of claim 8.

25. A system for centrally administering a plurality of computing devices that are coupled to a network, to detect changes on the computing devices, comprising:
- (a) a memory storing machine instructions and data produced by each of the computing devices;
  
  (b) a network interface that enables communication with over the network; and
  
  (c) a processor coupled to the network interface and the memory, the processor executing the machine instructions to carry out a plurality of functions, including;
  
  (i) creating and maintaining structured data for each of a plurality of different predefined types of entities, the structured data being updated from time-to-time, using data that are produced by a local agent on each of the plurality of computing devices;
  
  (ii) using the structured data for detecting any new entities on any of the computing devices that are coupled to the network, where the new entities are entities that have recently been added to the computing devices since the structured data were last updated; and
  
  (iii) reporting the new entities as new unknown entities if not previously detected on any of the computing devices that are coupled to the network.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The system of claim 25, wherein execution of the machine instructions further causes the processor to reclassify the new entities as flagged exceptions if previously detected and determined to be undesirable.
  - 27. The system of claim 25, wherein execution of the machine instructions further causes the processor to automatically create a report indicating the computing devices on which new entities corresponding to flagged exceptions have been found.
  - 28. The system of claim 27, wherein execution of the machine instructions further causes the processor to employ the report to automatically produce a work order to remove the new entity corresponding to a flagged exception from any computing device on which it was found.
  - 29. The system of claim 25, wherein execution of the machine instructions further causes the processor to enable a user to reclassify new entities included in the structured data after manually evaluating their functionality.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Washington
Original Assignee
University of Washington
Inventors
Comegys, William

Application Number

US11/425,912
Publication Number

US 20070022315A1
Time in Patent Office

Days
Field of Search
US Class Current

714/4
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

DETECTING AND REPORTING CHANGES ON NETWORKED COMPUTERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING AND REPORTING CHANGES ON NETWORKED COMPUTERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links