Computer defenses and counterattacks
First Claim
1. A system comprising:
- a processing system including one or more processors;
- memory accessible to the processing system, wherein the memory stores instructions executable by at least one processor of the one or more processors to cause the at least one processor to:
  - instantiate a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a second processor to monitor network activity;
  - send the first program code of the first detection agent to a remote computing device for execution, wherein, when the first program code of the first detection agent is executed at the remote computing device, the first detection agent is configured to:
    - monitor operations of components of the remote computing device including operations of a trusted component,
    - generate an operational signature corresponding to the monitored operations of the trusted component of the remote computing device,
    - monitor network activity of the remote computing device based on the operational signature while emulating activity of the trusted component of the remote computing device, and
    - transmit network activity data to the processing system,
    and wherein the processing system updates the detection criteria based on the network activity data and generates updated detection criteria;
  - instantiate a second detection agent based on the updated detection criteria, wherein the second detection agent includes second program code; and
  - send the second program code of the second detection agent to the remote computing device for execution.
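The loop the claim describes (a detection agent instantiated from detection criteria and shipped to the remote device, where it builds an operational signature of a trusted component, monitors network activity against that signature while emulating the component, and reports back so the processing system can update the criteria and instantiate a second agent) can be sketched in a few dozen lines. The Python below is an added illustration written for this page; it is not code from the patent, its assignee, or any product. Everything concrete in it is an assumption: the "trusted component" is a constructed log of an updater's outbound connections, the "operational signature" is the set of (protocol, destination port) pairs that component normally uses, the "detection criteria" are a set of suspicious ports, and the agent's "program code" is modelled as a serialized JSON configuration rather than an executable.

```python
"""Illustration of the claimed agent/monitor loop (added example, not the patent's code).

Assumptions (not stated in the claims):
- the trusted component is represented by a constructed log of its connections;
- the operational signature is the set of (proto, dport) pairs it uses;
- detection criteria are a set of destination ports treated as suspicious;
- the agent's "program code" is a JSON blob the remote side interprets.
"""
import json
from dataclasses import dataclass, field

# Constructed sample data: operations of the trusted component ("updater")
# observed on the remote device.
TRUSTED_OPS = [
    {"component": "updater", "proto": "tcp", "dport": 443},
    {"component": "updater", "proto": "tcp", "dport": 443},
    {"component": "updater", "proto": "udp", "dport": 53},
]

# Constructed network activity seen while the agent emulates the trusted
# component. The last two entries deviate from the component's profile.
NETWORK_EVENTS = [
    {"proto": "tcp", "dport": 443, "dst": "203.0.113.10"},
    {"proto": "udp", "dport": 53, "dst": "203.0.113.53"},
    {"proto": "tcp", "dport": 4444, "dst": "198.51.100.7"},  # not in signature
    {"proto": "tcp", "dport": 8443, "dst": "198.51.100.7"},  # not in signature
]


@dataclass
class DetectionCriteria:
    """What the processing system knows; 'generation' counts update rounds."""
    suspicious_ports: set = field(default_factory=set)
    generation: int = 0


def instantiate_agent(criteria: DetectionCriteria) -> str:
    """Produce the agent's 'program code' (here: a JSON config) from the criteria."""
    return json.dumps({"generation": criteria.generation,
                       "suspicious_ports": sorted(criteria.suspicious_ports)})


def operational_signature(ops, component: str) -> set:
    """Signature of the trusted component: the (proto, dport) pairs it uses."""
    return {(o["proto"], o["dport"]) for o in ops if o["component"] == component}


def run_agent(program_code: str, ops, events, trusted: str = "updater") -> dict:
    """Runs 'at the remote device': monitor, sign, watch the network, report back."""
    cfg = json.loads(program_code)
    sig = operational_signature(ops, trusted)
    # Activity that does not fit the trusted component's own profile.
    deviations = [e for e in events if (e["proto"], e["dport"]) not in sig]
    # Activity matching the criteria the agent was instantiated with.
    hits = [e for e in events if e["dport"] in cfg["suspicious_ports"]]
    return {"generation": cfg["generation"], "signature": sorted(sig),
            "deviations": deviations, "criteria_hits": hits}


def update_criteria(criteria: DetectionCriteria, report: dict) -> DetectionCriteria:
    """Processing system: fold the reported deviations into updated criteria."""
    new_ports = {e["dport"] for e in report["deviations"]}
    return DetectionCriteria(criteria.suspicious_ports | new_ports,
                             criteria.generation + 1)


def two_generations(ops=TRUSTED_OPS, events=NETWORK_EVENTS):
    """Agent 1 -> report -> updated criteria -> agent 2 -> report."""
    c0 = DetectionCriteria()
    report1 = run_agent(instantiate_agent(c0), ops, events)
    c1 = update_criteria(c0, report1)
    report2 = run_agent(instantiate_agent(c1), ops, events)
    return report1, c1, report2


if __name__ == "__main__":
    r1, c1, r2 = two_generations()
    print("gen0 hits:", [e["dport"] for e in r1["criteria_hits"]])
    print("updated criteria:", sorted(c1.suspicious_ports))
    print("gen1 hits:", [e["dport"] for e in r2["criteria_hits"]])
```

In the first generation the agent has no criteria and only reports what deviates from the trusted component's signature; the processing system turns those deviations into criteria, and the second agent flags the same traffic directly. A practitioner reading the claims should note that both directions of this loop carry security-sensitive data: program code pushed to the remote device must be authenticated and integrity-protected, and reports coming back must be trusted only as far as the reporting device is, since a compromised device can feed the processing system deviations that poison the next generation's criteria.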
Abstract
A method includes instantiating a first detection agent based on detection criteria, where the first detection agent includes first program code executable by a second computing device to monitor network activity. The method further includes sending the first program code of the first detection agent to the second computing device for execution. When the first program code of the first detection agent is executed at the second computing device, the first detection agent causes network activity data to be transmitted to a network monitor, and the network monitor updates the detection criteria based on the network activity data to generate updated detection criteria. The method also includes instantiating a second detection agent based on the updated detection criteria and sending second program code of the second detection agent to the second computing device for execution.
Claims (20 in total; independent claims shown)
1. A system comprising: the processing system, memory and instructions set out in full under First Claim above.
Dependent claims: 2 to 14.
15. A method comprising:
- instantiating, at a first computing device, a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a second computing device to monitor network activity;
- sending the first program code of the first detection agent to the second computing device for execution, wherein, when the first program code of the first detection agent is executed at the second computing device, the first detection agent:
  - monitors operations of components of the second computing device including operations of a trusted component;
  - generates an operational signature corresponding to the monitored operations of the trusted component of the second computing device;
  - monitors network activity of the second computing device based on the operational signature while emulating activity of the trusted component of the second computing device; and
  - causes network activity data to be transmitted to a processing system,
  and wherein the processing system updates the detection criteria based on the network activity data and generates updated detection criteria;
- instantiating, at the first computing device, a second detection agent based on the updated detection criteria; and
- sending second program code of the second detection agent to the second computing device for execution.
Dependent claims: 16, 17.
18. A computer-readable storage device storing instructions that are executable by a processor to cause the processor to:
- instantiate a first detection agent based on detection criteria, wherein the first detection agent includes first program code executable by a remote computing device to monitor network activity;
- send the first program code of the first detection agent to the remote computing device for execution, wherein, when the first program code of the first detection agent is executed at the remote computing device, the first detection agent is configured to:
  - monitor operations of components of the remote computing device including operations of a trusted component,
  - generate an operational signature corresponding to the monitored operations of the trusted component of the remote computing device,
  - monitor network activity of the remote computing device based on the operational signature whereby the first detection agent emulates activity of the trusted component of the remote computing device, and
  - transmit network activity data to a processing system,
  and wherein the processing system updates the detection criteria based on the network activity data to generate updated detection criteria;
- instantiate a second detection agent based on the updated detection criteria; and
- send second program code of the second detection agent to the remote computing device for execution.
Dependent claims: 19, 20.
Specification