Host entry synchronization
First Claim
1. A method performed by data processing apparatus, the method comprising:
identifying a host table of a first sensor, the host table of the first sensor including, for each of a plurality of host devices monitored by the first sensor on a network, a record describing host device attributes including:
an IP address assigned to the respective host device;
an agent identifier of an agent installed on the respective host device;
a media access control (MAC) address of the respective host device;
an information probe type of an information probe used by the first sensor to collect data from the respective host device; and
a time stamp indicating when the respective host attributes were stored in the record;
receiving from a peer sensor of the first sensor in connection with a synchronization event, a peer record for a first host device, the peer record comprising data describing attributes of the first host device stored in a host table of the peer sensor, wherein the synchronization event is triggered by recovery of at least one of the first sensor and peer sensor from an offline condition; and
comparing host device attributes of a particular record in the host table with host device information of the peer record, wherein the comparing includes:
determining that a MAC address of a particular record stored in the host table matches a MAC address of the peer record;
determining that the information probe type of the particular record is different from an information probe type of the peer record;
determining that the peer record is more recent than the particular record of the host table based on a comparison of a time stamp of the peer record with the time stamp of the particular record in the host table; and
updating the information probe type stored in the particular record with the information probe type of the peer record, wherein the updating causes the first sensor to use an information probe of the information probe type of the peer record in subsequent probes of the first host device.
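The comparison recited in claim 1, as an added Python example that is not part of the patent text or any vendor implementation. The names `HostRecord`, `sync_peer_record`, the probe-type labels and the `max_skew` guard against peer time stamps from the future are assumptions made for illustration; the claim itself only recites the MAC match, the probe-type difference and the time-stamp comparison.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HostRecord:
    ip: str
    agent_id: Optional[str]
    mac: str
    probe_type: str      # "agent" / "agentless" are constructed labels
    timestamp: float     # epoch seconds when the attributes were stored

def norm_mac(mac: str) -> str:
    """Normalize MAC notation so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.replace("-", ":").lower()

def sync_peer_record(host_table, peer, now, max_skew=300.0):
    """Apply one peer record to the local host table; return the action taken."""
    local = host_table.get(norm_mac(peer.mac))
    if local is None:
        return "no-mac-match"                 # not the case claim 1 covers
    if peer.timestamp > now + max_skew:
        return "rejected-future-timestamp"    # added guard, not in the claim
    if peer.probe_type == local.probe_type:
        return "unchanged"
    if peer.timestamp <= local.timestamp:
        return "peer-stale"                   # local record is at least as recent
    # Claim 1: adopt the peer's probe type so later probes of this host use it.
    local.probe_type = peer.probe_type
    return "probe-type-updated"

def demo():
    # Constructed sample data; IP and MAC values are documentation ranges.
    rec = HostRecord("192.0.2.10", None, "00:00:5e:00:53:01", "agentless", 1000.0)
    table = {norm_mac(rec.mac): rec}
    peers = [
        HostRecord("192.0.2.10", "agent-7", "00-00-5E-00-53-01", "agent", 900.0),
        HostRecord("192.0.2.10", "agent-7", "00-00-5E-00-53-01", "agent", 9999.0),
        HostRecord("192.0.2.10", "agent-7", "00-00-5E-00-53-01", "agent", 1200.0),
        HostRecord("192.0.2.44", None, "00:00:5e:00:53:02", "agentless", 1200.0),
    ]
    results = [sync_peer_record(table, p, now=1300.0) for p in peers]
    return results, rec.probe_type

if __name__ == "__main__":
    print(demo())
```

Because the most recent time stamp wins, a peer whose clock runs ahead would otherwise override every local record after recovery; the skew check is one way to bound that.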
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for synchronizing records in peer devices. In one aspect, a method includes comparing, in a first peer device, a peer record received from a second peer device based on an IP address of the peer record from the second peer device and an IP address of a record stored in a host table of the first peer device. Unique agent identifiers, MAC addresses and time stamps are also compared to determine whether the peer record indicates a new host device, a new IP assignment to a known host device, or a new user logged into a known host device.
15 Claims
8. A data processing apparatus, comprising a memory subsystem, an input/output subsystem that transmits and receives data over a network, and a processor in data communication with the memory subsystem and the input/output subsystem, the processor programmed to perform operations comprising:
identifying a host table of a first sensor, the host table of the first sensor including, for each of a plurality of host devices monitored by the first sensor on a network, a record describing host device attributes including:
an IP address assigned to the respective host device;
an agent identifier of an agent installed on the respective host device;
a media access control (MAC) address of the respective host device;
an information probe type of an information probe used by the first sensor to collect data from the respective host device; and
a time stamp indicating when the respective host attributes were stored in the record;
receiving from a peer sensor of the first sensor in connection with a synchronization event, a peer record for a first host device, the peer record comprising data describing attributes of the first host device stored in a host table of the peer sensor, wherein the synchronization event is triggered by recovery of at least one of the first sensor and peer sensor from an offline condition; and
comparing host device attributes of a particular record in the host table with host device information of the peer record, wherein the comparing includes:
determining that a MAC address of a particular record stored in the host table matches a MAC address of the peer record;
determining that the information probe type of the particular record is different from an information probe type of the peer record;
determining that the peer record is more recent than the particular record of the host table based on a comparison of a time stamp of the peer record with the time stamp of the particular record in the host table; and
updating the information probe type stored in the particular record with the information probe type of the peer record, wherein the updating causes the first sensor to use an information probe of the information probe type of the peer record in subsequent probes of the first host device.
12. A system, comprising:
a pair of peer sensors configured to control access to a network for a plurality of host devices, each of the sensors including a memory subsystem, an input/output subsystem that transmits and receives data over the network, and a processor in data communication with the memory subsystem and the input/output subsystem, wherein each sensor is configured to perform operations comprising:
identifying in the memory of the sensor a host table, the host table including, for each of the plurality of host devices monitored on the network by the peer sensors, a record describing host device attributes including:
an IP address assigned to the respective host device;
an agent identifier of an agent installed on the respective host device;
a media access control (MAC) address of the respective host device;
an information probe type of an information probe used by the first sensor to collect data from the respective host device; and
a time stamp indicating when the respective host attributes were stored in the record;
receiving from the other peer sensor, in response to a synchronization event, a peer record for a host device, the peer record being a record stored in the host table in the memory of the other peer sensor, wherein the synchronization event is triggered by recovery of at least one of the peer sensors from an offline condition; and
comparing host device attributes of a record in the host table with host device information of the peer record, wherein the comparing includes:
determining whether the MAC address of the record in the host table matches a MAC address of the peer record;
determining whether the information probe type of the record in the host table is different from an information probe type of the peer record;
determining whether the peer record is more recent than the record in the host table based on a comparison of a time stamp of the peer record with the time stamp of the record in the host table; and
updating the information probe type stored in the record in the host table with the information probe type of the peer record in response to determining that the information probe type of the record in the host table is different from an information probe type of the peer record and that the peer record is more recent than the record in the host table, wherein updating the information probe type causes the sensor to use an information probe of the information probe type of the peer record in subsequent probes of the particular host device.
Specification