Event monitoring and collection
First Claim
1. A system for monitoring events on a monitored computer, the system comprising:
a monitoring computer comprising a first processor and a first set of instructions, the first set of instructions operable, when executed by the first processor, to:
(a) monitor a network for a connection by a monitored computer;
(b) receive a set of one or more representations of events occurring on the monitored computer; and
(c) analyze the received representations of events to determine whether the events are associated with improper activities by a user of the monitored computer; and
a monitored computer comprising a second processor and a second set of instructions, the second set of instructions comprising instructions executable by the second processor, the second set of instructions comprising:
(aa) monitor a plurality of events, each of the plurality of events occurring at the monitored computer;
(bb) store a representation of each of the plurality of events in an event cache;
(cc) identify one of the plurality of events on the monitored computer as an event of interest, the identifying comprising:
analyzing each of the plurality of events against one or more rules defining characteristics of events that should be collected;
assigning at least one score to the plurality of events based on the analysis of the plurality of events;
comparing the at least one score assigned to the plurality of events with one or more thresholds; and
identifying one of the plurality of events on the monitored computer as the event of interest based on the comparison;
(dd) determine a window of interest prior in time to the event of interest, such that events falling within the window of interest should be collected;
(ee) identify, from the plurality of events, one or more events falling within the window of interest;
(ff) queue, for transmission to the monitoring computer, the representations of the event of interest and the one or more events falling within the window of interest;
(gg) establish connectivity with the monitoring computer; and
(hh) transmit the queued representations of events for reception by the monitoring computer;
wherein steps (aa)-(ff) occur while the monitored computer does not have connectivity with the monitoring computer, such that the queuing of the representations of the event of interest and the one or more events falling within the window of interest comprises:
marking, in the event cache, each of the representations of the event of interest and the one or more events falling within the window of interest for later transmission to the monitoring computer.
Abstract
Embodiments of the invention provide systems, software and methods for monitoring events on a computer. In a set of embodiments, a monitoring application monitors events on a monitored computer. Each of the monitored events may be analyzed, and based on the analysis, some or all of the monitored events may be collected. A variety of rules may be used in analyzing events. In some cases, collected events can be queued, for example, by storing a representation of each collected event in an event cache. When connectivity with a monitoring computer is available, a connection with the monitoring computer may be established, and/or the queued events may be transmitted to the monitoring computer. In a particular set of embodiments, the monitoring application is designed to avoid detection by a user of the monitored computer.
130 Citations
39 Claims
1. A system for monitoring events on a monitored computer, the system comprising: (claim text as given under First Claim above). Dependent claims: 2, 3.
4. A system for monitoring events on a monitored computer, the system comprising:
a monitored computer comprising a processor and a set of instructions executable by the processor, the set of instructions operable, when executed by the processor, to:
monitor a plurality of events, each of the plurality of events occurring at the monitored computer;
for each of the plurality of events:
generate an identifier corresponding to the event;
search an event cache for an existing identifier matching the generated identifier;
store a copy of the event as a representation of the event if an existing identifier matching the generated identifier is not found in the search of the event cache; and
store the generated identifier as the representation of the event if an existing identifier matching the generated identifier for the event is found in the search of the event cache;
analyze each of the plurality of events against one or more rules defining characteristics of events that should be collected and, based on the analysis of the plurality of events, assign at least one score to the plurality of events;
compare the at least one score assigned to the plurality of events with one or more thresholds, and, based on the comparison, identify one of the plurality of events on the monitored computer as an event of interest;
queue the representation of the event of interest for transmission to a monitoring computer;
determine that a set of one or more events occurring prior in time to the event of interest should be collected;
determine a window of interest prior in time to the event of interest, such that events occurring during the window of interest should be collected;
identify, from the plurality of events, one or more events falling within the window of interest; and
queue the representation of each of the one or more events falling within the window of interest for transmission to a monitoring computer.
Dependent claims: 5-33.
34. A method of monitoring events on a monitored computer, the method comprising:
monitoring, with a software agent on the monitored computer, a plurality of events occurring on the monitored computer;
for each of the monitored events:
a) generating a hash value corresponding to the monitored event;
b) searching an event cache for an existing hash value matching the generated hash value;
c) if an existing hash value matching the generated hash value is found in the event cache, storing the generated hash value in the event cache as a representation of the monitored event;
d) if no existing hash value matching the generated hash value is found in the event cache, storing a copy of the monitored event, along with the generated hash value, in the event cache as a representation of the monitored event;
identifying one of the plurality of events as an event of interest, the identifying comprising:
analyzing each of the plurality of events against one or more rules defining characteristics of events that should be collected;
assigning at least one score to the plurality of events based on the analysis of the plurality of events;
comparing the at least one score assigned to the plurality of events with one or more thresholds; and
identifying one of the plurality of events on the monitored computer as the event of interest based on the comparison;
determining a window of interest prior in time to the event of interest, such that events falling within the window of interest should be collected;
identifying, from the plurality of events, one or more events falling within the window of interest; and
queuing the representation of the event of interest and the one or more events falling within the window of interest for transmission to a monitoring computer.
Dependent claims: 35, 36.
37. One or more computer-readable non-transitory storage media embodying software that is operable when executed by one or more computer systems to:
monitor a plurality of events occurring on the computer;
for each of the plurality of events:
generate an identifier corresponding to the event;
search an event cache for an existing identifier matching the generated identifier;
store a copy of the event as a representation of the event if an existing identifier matching the generated identifier is not found in the search of the event cache; and
store the generated identifier as the representation of the event if an existing identifier matching the generated identifier for the event is found in the search of the event cache;
analyze each of the plurality of events against one or more rules defining characteristics of events that should be collected and, based on the analysis of the plurality of events, assign at least one score to the plurality of events;
compare the at least one score assigned to the plurality of events with one or more thresholds, and, based on the comparison, identify one of the plurality of events on the computer as an event of interest;
determine that a set of one or more events occurring prior in time to the event of interest should be collected;
specify a window of interest prior in time to the event of interest, such that events occurring during the window of interest should be collected;
identify, from the plurality of events, one or more events falling within the window of interest; and
queue, for transmission to a second computer, the representations of the event of interest and each of the one or more events falling within the window of interest.
Dependent claims: 38, 39.
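Added example, not code from the patent or from any product it covers: a Python sketch of the agent-side mechanism recited in the First Claim above and in claims 4, 34 and 37, so a practitioner can see how the pieces fit while the monitored host is offline. It caches every event, keeps a full copy only for the first sighting of a given hash and just the identifier for repeats (claims 4/34/37), scores each event against rules, treats a score at or above a threshold as the event of interest, marks that event plus everything cached inside a look-back window for later transmission (claim 1, step (ff) and the wherein clause), and flushes the marked entries once a link exists. The rule set, the additive scoring, the threshold of 5, the fixed 60-second window, SHA-256 as the identifier and the sample events are all constructed assumptions; the claims specify none of them.

```python
"""Store-and-forward endpoint event agent (added example; assumptions noted inline)."""
from dataclasses import dataclass
from typing import Callable, List, Optional
import hashlib
import json


@dataclass
class Event:
    ts: float        # seconds since epoch (constructed sample values below)
    kind: str        # e.g. "process", "usb", "file"
    detail: dict


@dataclass
class CacheEntry:
    digest: str                 # identifier (hash) of the event
    ts: float
    event: Optional[Event]      # full copy on first sighting, None for repeats
    marked: bool = False        # marked in the cache for later transmission


class Agent:
    """Runs on the monitored computer; works with or without connectivity."""

    def __init__(self, rules: List[tuple], threshold: int, window_seconds: float):
        self.rules = rules          # (predicate, points) pairs: assumed scoring scheme
        self.threshold = threshold
        self.window = window_seconds            # assumed fixed look-back window
        self.cache: List[CacheEntry] = []       # the event cache, in arrival order
        self.seen: set = set()                  # digests already stored in full

    @staticmethod
    def digest(ev: Event) -> str:
        # Identifier excludes the timestamp so identical events collapse to one copy.
        payload = json.dumps({"kind": ev.kind, "detail": ev.detail}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def score(self, ev: Event) -> int:
        return sum(points for pred, points in self.rules if pred(ev))

    def observe(self, ev: Event) -> CacheEntry:
        d = self.digest(ev)
        if d in self.seen:
            entry = CacheEntry(d, ev.ts, None)      # repeat: keep only the identifier
        else:
            entry = CacheEntry(d, ev.ts, ev)        # first sighting: keep a full copy
            self.seen.add(d)
        self.cache.append(entry)
        if self.score(ev) >= self.threshold:        # this is an event of interest
            self._mark_window(entry)
        return entry

    def _mark_window(self, hit: CacheEntry) -> None:
        # The hit itself and every cached event inside the look-back window get marked.
        start = hit.ts - self.window
        for e in self.cache:
            if start <= e.ts <= hit.ts:
                e.marked = True

    def flush(self, send: Callable[[CacheEntry], None]) -> int:
        """Transmit marked entries once a connection to the monitoring computer exists."""
        sent = 0
        for e in self.cache:
            if e.marked:
                send(e)
                e.marked = False
                sent += 1
        return sent


def run_demo():
    # Constructed rules and events; none of these values come from the patent.
    rules = [
        (lambda ev: ev.kind == "process" and ev.detail.get("name") == "cmd.exe", 2),
        (lambda ev: ev.kind == "usb", 3),
        (lambda ev: ev.kind == "file" and ev.detail.get("dest", "").startswith("E:"), 5),
    ]
    agent = Agent(rules, threshold=5, window_seconds=60.0)
    sample = [
        Event(0.0, "process", {"name": "explorer.exe"}),
        Event(10.0, "process", {"name": "cmd.exe"}),
        Event(20.0, "process", {"name": "cmd.exe"}),          # repeat: identifier only
        Event(100.0, "usb", {"action": "mount", "drive": "E:"}),
        Event(130.0, "file", {"action": "copy", "dest": "E:\\payroll.xlsx"}),
    ]
    for ev in sample:                       # offline: everything lands in the cache
        agent.observe(ev)
    outbox = []                             # stands in for the network link
    agent.flush(lambda e: outbox.append((e.ts, e.event is not None)))
    return agent, outbox


if __name__ == "__main__":
    agent, outbox = run_demo()
    print(f"cached {len(agent.cache)} entries, transmitted {len(outbox)}: {outbox}")
```

Only the two entries inside the 60-second window before the scoring event (the USB mount and the file copy) are transmitted; the earlier `cmd.exe` launches stay in the cache unmarked, and the second `cmd.exe` entry holds just the hash because its digest was already present.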