METHODS, SYSTEMS, AND DEVICES FOR DYNAMICALLY MODELING AND GROUPING ENDPOINTS FOR EDGE NETWORKING
First Claim
1. A dynamic endpoint-based edge networking system for protecting security and integrity of an elastic computer network, the system comprising:
- a plurality of agents, wherein each of the plurality of agents is installed on a target endpoint device, the target endpoint device being one of a plurality of endpoint devices forming an elastic computer network, and wherein each of the plurality of agents is configured to:
access an operating system of the target endpoint device on which the agent is installed to obtain visibility of operating system processes and network communications of the target endpoint device;
monitor the operating system processes and the network communications of the target endpoint device to obtain target endpoint data, the target endpoint data comprising information regarding at least one of the system processes or network processes of the target endpoint device;
transmit the target endpoint data to a central server system;
identify, using a local security protocol, one or more local anomalous indicators on the target endpoint device based at least in part on the target endpoint data; and
respond to the one or more local anomalous indicators on an endpoint-level based at least in part on the local security protocol, wherein the local security protocol comprises one or more rule sets, policies, or access rights designed to ensure local security of each of the plurality of endpoint devices; and
a central server system comprising:
one or more computer readable storage devices configured to store a plurality of computer executable instructions; and
one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the central server system to:
receive the target endpoint data from each of the plurality of agents installed on a target endpoint device;
analyze the target endpoint data received from each of the plurality of agents to identify network-wide activity patterns;
identify, using a network-wide security protocol, one or more network-wide anomalous indicators on a network level across the plurality of endpoint devices based at least in part on the identified network-wide activity patterns; and
respond to the one or more network-wide anomalous indicators on the network level across the plurality of endpoint devices based at least in part on the network-wide security protocol.
Abstract
Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
30 Claims
28. A computer-implemented method for protecting security and integrity of an elastic computer network, the method comprising:
installing a software agent on each of a plurality of endpoint devices forming an elastic computer network;
accessing, by each software agent, an operating system of an endpoint device on which the software agent is installed to obtain visibility of operating system processes and network communications of the endpoint device;
monitoring, by each software agent, the operating system processes and the network communications of the endpoint device to obtain endpoint data, the endpoint data comprising information regarding at least one of the system processes or network processes of the endpoint device;
transmitting, by each software agent, the endpoint data to a central server system;
identifying, by the software agent using a local security protocol, one or more local anomalous indicators on the endpoint device based at least in part on the endpoint data;
responding, by each software agent, to the one or more local anomalous indicators on an endpoint-level based at least in part on the local security protocol, wherein the local security protocol comprises one or more rule sets, policies, or access rights designed to ensure local security of each of the plurality of endpoint devices;
receiving, by the central server system, the endpoint data from each software agent on each of the plurality of endpoint devices;
analyzing, by the central server system, the endpoint data received from each software agent on each of the plurality of endpoint devices to identify network-wide activity patterns;
identifying, by the central server system using a network-wide security protocol, one or more network-wide anomalous indicators on a network level across the plurality of endpoint devices based at least in part on the identified network-wide activity patterns; and
responding, by the central server system, to the one or more network-wide anomalous indicators on the network level across the plurality of endpoint devices based at least in part on the network-wide security protocol,
wherein the central server system comprises a computer processor and an electronic storage medium.
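The two-tier pipeline of claims 1 and 28, together with the behavioural grouping of endpoints from the abstract, as an added Python example that is not the patent's own code: each agent applies a local rule set to its own endpoint's process and network telemetry, while the central server correlates all agents' telemetry into network-wide indicators (a destination that passes every local rule but is shared by many endpoints) and into behavioural groups. The telemetry, the rule set, the internal address range and the thresholds are constructed assumptions.

```python
# Added example, not the patent's code: agent-side local rule set plus central correlation.
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed telemetry as agents report it: (endpoint_id, process, dest_ip, dest_port)
TELEMETRY = [
    ("ep-1", "sshd", "10.0.0.5", 22),
    ("ep-1", "updater", "198.51.100.7", 443),
    ("ep-2", "sshd", "10.0.0.5", 22),
    ("ep-2", "updater", "198.51.100.7", 443),
    ("ep-3", "nginx", "10.0.0.9", 443),
    ("ep-3", "updater", "198.51.100.7", 443),
    ("ep-4", "debug-tool", "192.0.2.10", 31337),
]
# Local security protocol (assumed): the rule set each agent applies to its own endpoint.
LOCAL_RULES = {"ports": {22, 443}, "processes": {"sshd", "nginx", "updater"}}

def local_indicators(endpoint_id, records=TELEMETRY, rules=LOCAL_RULES):
    """Agent side: flag events on this endpoint that violate the local rule set."""
    hits = []
    for ep, proc, ip, port in records:
        if ep != endpoint_id:
            continue  # an agent only sees its own endpoint
        if proc not in rules["processes"]:
            hits.append(("unknown_process", proc))
        if port not in rules["ports"]:
            hits.append(("unexpected_port", f"{ip}:{port}"))
    return hits

def network_indicators(records=TELEMETRY, min_endpoints=3, internal=ip_network("10.0.0.0/8")):
    """Central server: an external destination shared by >= min_endpoints is a fleet-wide pattern."""
    fan_out = defaultdict(set)
    for ep, proc, ip, port in records:
        if ip_address(ip) not in internal:  # 'internal' is an assumed address range
            fan_out[(proc, ip, port)].add(ep)
    return {k: sorted(v) for k, v in fan_out.items() if len(v) >= min_endpoints}

def group_endpoints(records=TELEMETRY, threshold=0.5):
    """Central server: cluster endpoints by process-set overlap (Jaccard >= threshold)."""
    procs = defaultdict(set)
    for ep, proc, _, _ in records:
        procs[ep].add(proc)
    groups = []
    for ep in sorted(procs):
        for g in groups:  # greedy: join the first group whose first member is similar
            if len(procs[g[0]] & procs[ep]) / len(procs[g[0]] | procs[ep]) >= threshold:
                g.append(ep)
                break
        else:
            groups.append([ep])
    return groups
```

Note that no single agent flags the shared updater destination, since port 443 and the updater process pass the local rules; only the central server's fan-out view surfaces it.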
Specification