METHODS, SYSTEMS, AND DEVICES FOR DYNAMICALLY MODELING AND GROUPING ENDPOINTS FOR EDGE NETWORKING

US 20190052659A1
Filed: 08/08/2018
Published: 02/14/2019
Est. Priority Date: 08/08/2017
Status: Active Grant

First Claim

Patent Images

1. A dynamic endpoint-based edge networking system for protecting security and integrity of an elastic computer network, the system comprising:

a plurality of agents, wherein each of the plurality of agents is installed on a target endpoint device, the target endpoint device being one of a plurality of endpoint devices forming an elastic computer network, and wherein each of the plurality of agents is configured to;

access an operating system of the target endpoint device on which the agent is installed to obtain visibility of operating system processes and network communications of the target endpoint device;

monitor the operating system processes and the network communications of the target endpoint device to obtain target endpoint data, the target endpoint data comprising information regarding at least one of the system processes or network processes of the target endpoint device;

transmit the target endpoint data to a central server system;

identify, using a local security protocol, one or more local anomalous indicators on the target endpoint device based at least in part on the target endpoint data; and

respond to the one or more local anomalous indicators on an endpoint-level based at least in part on the local security protocol,wherein the local security protocol comprises one or more rule sets, policies, or access rights designed to ensure local security of each of the plurality of endpoint devices; and

a central server system comprising;

one or more computer readable storage devices configured to store a plurality of computer executable instructions; and

one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the central server system to;

receive the target endpoint data from each of the plurality of agents installed on a target endpoint device;

analyze the target endpoint data received from each of the plurality of agents to identify network-wide activity patterns;

identify, using a network-wide security protocol, one or more network-wide anomalous indicators on a network level across the plurality of endpoint devices based at least in part on the identified network-wide activity patterns; and

respond to the one or more network-wide anomalous indicators on the network level across the plurality of endpoint devices based at least in part on the network-wide security protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Citations

30 Claims

1. A dynamic endpoint-based edge networking system for protecting security and integrity of an elastic computer network, the system comprising:
- a plurality of agents, wherein each of the plurality of agents is installed on a target endpoint device, the target endpoint device being one of a plurality of endpoint devices forming an elastic computer network, and wherein each of the plurality of agents is configured to;
  
  access an operating system of the target endpoint device on which the agent is installed to obtain visibility of operating system processes and network communications of the target endpoint device;
  
  monitor the operating system processes and the network communications of the target endpoint device to obtain target endpoint data, the target endpoint data comprising information regarding at least one of the system processes or network processes of the target endpoint device;
  
  transmit the target endpoint data to a central server system;
  
  identify, using a local security protocol, one or more local anomalous indicators on the target endpoint device based at least in part on the target endpoint data; and
  
  respond to the one or more local anomalous indicators on an endpoint-level based at least in part on the local security protocol,wherein the local security protocol comprises one or more rule sets, policies, or access rights designed to ensure local security of each of the plurality of endpoint devices; and
  
  a central server system comprising;
  
  one or more computer readable storage devices configured to store a plurality of computer executable instructions; and
  
  one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the central server system to;
  
  receive the target endpoint data from each of the plurality of agents installed on a target endpoint device;
  
  analyze the target endpoint data received from each of the plurality of agents to identify network-wide activity patterns;
  
  identify, using a network-wide security protocol, one or more network-wide anomalous indicators on a network level across the plurality of endpoint devices based at least in part on the identified network-wide activity patterns; and
  
  respond to the one or more network-wide anomalous indicators on the network level across the plurality of endpoint devices based at least in part on the network-wide security protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The dynamic endpoint-based edge networking system of claim 1, wherein monitoring the operating system processes and the network communications of the target endpoint device comprises continuously verifying and authenticating target endpoint activities.
  - 3. The dynamic endpoint-based edge networking system of claim 1, wherein the plurality of endpoint devices comprise one or more cellphones, servers, virtual machines, laptops, tablets, desktop computers, Internet of Things (IoT) devices, landline phones, wearable devices, or smart home devices.
  - 4. The dynamic endpoint-based edge networking system of claim 1, wherein the local anomalous indicator comprises activities of malicious software on the target endpoint device.
  - 5. The dynamic endpoint-based edge networking system of claim 4, wherein the malicious software comprises a virus, malware, ransomware, adware, spyware, Trojan horse, worm, rootkit, scareware, rogueware, active content software, or logic bomb.
  - 6. The dynamic endpoint-based edge networking system of claim 4, wherein the malicious software comprises zero-day software.
  - 7. The dynamic endpoint-based edge networking system of claim 1, wherein responding to the one or more local anomalous indicators based on the local security protocol comprises controlling one or more operating system processes or network communications of the target device.
  - 8. The dynamic endpoint-based edge networking system of claim 1, wherein responding to the one or more local anomalous indicators based on the local security protocol comprises limiting one or more operating system processes or network communications of the target device.
  - 9. The dynamic endpoint-based edge networking system of claim 8, wherein limiting one or more operating system processes or the network communications of the target device effectively isolates malicious software located on the target endpoint.
  - 10. The dynamic endpoint-based edge networking system of claim 1, wherein at least one endpoint device of the plurality of endpoint devices is located outside of a computer network firewall.
  - 11. The dynamic endpoint-based edge networking system of claim 1, wherein one or more of the central server system or plurality of agents is further configured to analyze the target endpoint data to determine typical network access behavior and typical processor behavior of the target endpoint.
  - 12. The dynamic endpoint-based edge networking system of claim 11, wherein the determined typical network access behavior and typical processor behavior of the target endpoint is used to update the local security protocol.
  - 13. The dynamic endpoint-based edge networking system of claim 11, wherein one or more artificial intelligence (AI) techniques are employed by one or more of the central server system or plurality of agents to analyze the target endpoint data to determine typical network access behavior and typical processor behavior of the target endpoint.
  - 14. The dynamic endpoint-based edge networking system of claim 1, wherein the central server system is further caused to group and one or more endpoints of the plurality of endpoints into an endpoint cluster, wherein the one or more endpoints of the endpoint cluster comprise one or more similar processing or network access patterns.
  - 15. The dynamic endpoint-based edge networking system of claim 14, wherein the central server system is further caused to generate and assign a common local security protocol to each of the one or more endpoints of the endpoint cluster.
  - 16. The dynamic endpoint-based edge networking system of claim 1, wherein each of the plurality of agents is further configured to perform a point-in-time validation of the target endpoint device, wherein the point-in-time validation comprises a verification that no local anomalous indicators are present on the target endpoint device.
  - 17. The dynamic endpoint-based edge networking system of claim 1, wherein the local anomalous indicator is a pattern of local anomalous activity on the target endpoint device.
  - 18. The dynamic endpoint-based edge networking system of claim 1, wherein one or more of the local security protocol or the network-wide security protocol is manually configured by a network administrator.
  - 19. The dynamic endpoint-based edge networking system of claim 1, wherein one or more of the local security protocol or the network-wide security protocol is based on a pre-configured rule set.
  - 20. The dynamic endpoint-based edge networking system of claim 1, wherein one or more of the local security protocol or the network-wide security protocol is automatically generated and assigned by one or more of the central server system or plurality of agents.
  - 21. The dynamic endpoint-based edge networking system of claim 1, wherein a unique local security protocol is generated for each of the plurality of endpoint devices.
  - 22. The dynamic endpoint-based edge networking system of claim 1, wherein the local security protocol is dynamically updated by one or more of the central server or plurality of agents based on one or more operating system processes or network communications of the target endpoint device.
  - 23. The dynamic endpoint-based edge networking system of claim 1, wherein the local security protocol comprises one or more policies for restricting or allowing access between the target endpoint device and another endpoint device of the plurality of endpoint devices, between the target endpoint device and an outside service or system, or between the target endpoint device and an internal service or system.
  - 24. The dynamic endpoint-based edge networking system of claim 1, wherein the plurality of agents are further configured to scan a visible network to identify devices in or in proximity to a network.
  - 25. The dynamic endpoint-based edge networking system of claim 24, wherein the scan comprises utilizing discovery protocols to identify the devices in or in proximity to the network and obtain data therefrom.
  - 26. The dynamic endpoint-based edge networking system of claim 25, wherein the data obtained from the devices in or in proximity to the network comprises one or more of an operating system type, device type, IP address, or MAC address.
  - 27. The dynamic endpoint-based edge networking system of claim 1, wherein responding to the one or more local anomalous indicators based on the local security protocol comprises one or more of altering data access rights of the target endpoint device, excluding access to the target endpoint device by a user, or locking the target endpoint device.

28. A computer-implemented method for protecting security and integrity of an elastic computer network, the method comprising:
- installing a software agent on each of a plurality of endpoint devices forming an elastic computer network;
  
  accessing, by each software agent, an operating system of an endpoint device on which the software agent is installed to obtain visibility of operating system processes and network communications of the endpoint device;
  
  monitoring, by each software agent, the operating system processes and the network communications of the endpoint device to obtain endpoint data, the endpoint data comprising information regarding at least one of the system processes or network processes of the endpoint device;
  
  transmitting, by each software agent, the endpoint data to a central server system;
  
  identifying, by the software agent using a local security protocol, one or more local anomalous indicators on the endpoint device based at least in part on the endpoint data;
  
  responding, by each software agent, to the one or more local anomalous indicators on an endpoint-level based at least in part on the local security protocol, wherein the local security protocol comprises one or more rule sets, policies, or access rights designed to ensure local security of each of the plurality of endpoint devices;
  
  receiving, by the central server system, the endpoint data from each software agent on each of the plurality of endpoint devices;
  
  analyzing, by the central server system, the endpoint data received from each software agent on each of the plurality of endpoint devices to identify network-wide activity patterns;
  
  identifying, by the central server system using a network-wide security protocol, one or more network-wide anomalous indicators on a network level across the plurality of endpoint devices based at least in part on the identified network-wide activity patterns; and
  
  responding, by the central server system, to the one or more network-wide anomalous indicators on the network level across the plurality of endpoint devices based at least in part on the network-wide security protocol,wherein the central server system comprises a computer processor and an electronic storage medium.
- View Dependent Claims (29, 30)
- - 29. The computer-implemented method of claim 28, wherein at least one endpoint device of the plurality of endpoint devices is located outside of a computer network firewall.
  - 30. The computer-implemented method of claim 28, wherein a common local security protocol is generated for a portion of the plurality of endpoint devices and a unique local security protocol is generated for another portion of the plurality of endpoint devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Original Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Inventors
Weingarten, Tomer, Cohen, Almog

Granted Patent

US 10,462,171 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 8/61   Installation

G06F 9/44526   Plug-ins; Add-ons

H04L 41/046   comprising network manageme...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/12   Discovery or management of ...

H04L 41/122   of virtualised topologies, ...

H04L 41/145   involving simulating, desig...

H04L 41/16   using machine learning or a...

H04L 41/40   using virtualisation of net...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/205 : involving negotiation or de...

H04L 67/10 : in which an application is ...

H04L 67/34 : involving the movement of s...

View All

METHODS, SYSTEMS, AND DEVICES FOR DYNAMICALLY MODELING AND GROUPING ENDPOINTS FOR EDGE NETWORKING

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS, SYSTEMS, AND DEVICES FOR DYNAMICALLY MODELING AND GROUPING ENDPOINTS FOR EDGE NETWORKING

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links