Real-time model of states of monitored devices
First Claim
1. A system comprising:
- one or more processors; and
- memory storing:
  - a model which represents system components and events of a plurality of monitored devices as data objects, wherein each data object has a scope, wherein a system component present on multiple ones of the plurality of monitored devices is represented in the model by at least two data objects including a first data object with a device-specific scope and a second data object with a group-specific scope or a global scope, and wherein the device-specific scope, the group-specific scope, and the global scope differ in scope; and
  - computer-executable instructions which, when executed by the one or more processors, cause the system to:
    - select one of a plurality of different actions based at least in part on:
      - a propagation of a property from the first data object to the second data object; and
      - (i) the device-specific scope of the first data object or (ii) the group-specific scope or the global scope of the second data object; and
    - perform the selected one of the plurality of different actions.
Abstract
A model representing system components and events of a plurality of monitored devices as data objects is described herein. The model resides on a security service cloud and is updated in substantially real-time, as security-relevant information about the system components and events is received by the security service cloud. Each data object in the model has a scope and different actions are taken by security service cloud modules depending on different data object scopes. Further, the security service cloud maintains a model specific to each monitored device built in substantially real-time as the security-relevant information from that device is received. The security service cloud utilizes these device-specific models to detect security concerns and respond to those concerns in substantially real-time.
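To make the scoped-object idea in the abstract and claims concrete, the following is an added illustration (not code from the patent or its assignee). It is a hypothetical in-memory model: a component observed on a device is represented once at device scope, once at group scope and once at global scope; a property set on the device-scoped object propagates to the wider-scoped objects, and the action taken depends on the scope of the object the property lands on. The component names, device and group identifiers, the property name `suspicious`, the action names and the prevalence threshold are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    DEVICE = "device"
    GROUP = "group"
    GLOBAL = "global"


@dataclass
class DataObject:
    component: str                      # e.g. a process or file name (constructed)
    scope: Scope
    owner: str                          # device id, group id, or "*" for global scope
    properties: dict = field(default_factory=dict)
    seen_on: set = field(default_factory=set)   # devices on which the component was observed


# Action chosen when a property propagates from a device-scoped object to a wider scope.
# The pairing is hypothetical; the point is that the selected action depends on scope.
ACTION_TABLE = {
    (Scope.DEVICE, Scope.GROUP): "alert_group_analyst",
    (Scope.DEVICE, Scope.GLOBAL): "raise_global_indicator",
}
PREVALENCE_THRESHOLD = 2   # constructed: seen on more devices than this is "prevalent"


class Model:
    def __init__(self):
        self.objects = {}   # (component, scope, owner) -> DataObject
        self.actions = []   # (action, target, component), in the order they were selected

    def _obj(self, component, scope, owner):
        key = (component, scope, owner)
        if key not in self.objects:
            self.objects[key] = DataObject(component, scope, owner)
        return self.objects[key]

    def ingest(self, device_id, group_id, component, props):
        """Represent one observation of a component at device, group and global scope,
        apply the reported properties to the device-scoped object, and propagate."""
        dev = self._obj(component, Scope.DEVICE, device_id)
        grp = self._obj(component, Scope.GROUP, group_id)
        glob = self._obj(component, Scope.GLOBAL, "*")
        for obj in (dev, grp, glob):
            obj.seen_on.add(device_id)
        dev.properties.update(props)
        # Device-scoped action: contain on the reporting device only.
        if dev.properties.get("suspicious"):
            self.actions.append(("quarantine_process", device_id, component))
        for target in (grp, glob):
            self._propagate(dev, target, "suspicious")
        return dev, grp, glob

    def _propagate(self, src, dst, prop):
        """Copy a property from the device-scoped object to a wider-scoped one and
        select an action based on the destination scope."""
        if not src.properties.get(prop) or dst.properties.get(prop):
            return                                   # nothing to propagate, or already set
        dst.properties[prop] = True
        dst.properties["origin_device"] = src.owner
        action = ACTION_TABLE[(src.scope, dst.scope)]
        # At global scope, a component already present on many devices is routed to
        # review rather than promoted straight to an indicator (constructed policy).
        if dst.scope is Scope.GLOBAL and len(dst.seen_on) > PREVALENCE_THRESHOLD:
            action = "review_prevalent_component"
        self.actions.append((action, dst.owner, src.component))


def demo():
    """Constructed scenario: a widely installed service flagged on one host, and a
    never-before-seen file flagged on another. Returns the selected actions."""
    m = Model()
    m.ingest("host-1", "finance", "svc.exe", {})
    m.ingest("host-2", "finance", "svc.exe", {})
    m.ingest("host-3", "hr", "svc.exe", {})
    m.ingest("host-4", "hr", "svc.exe", {"suspicious": True})
    m.ingest("host-5", "finance", "dropper.tmp", {"suspicious": True})
    m.ingest("host-6", "finance", "dropper.tmp", {})   # benign sighting, no new action
    return m


if __name__ == "__main__":
    for action in demo().actions:
        print(action)
```

Running the scenario shows the three scopes diverging: the flagged `svc.exe` is quarantined only on `host-4`, the `hr` group is alerted, but because the global-scoped object already records the component on four devices the global action is a review rather than a new indicator; `dropper.tmp`, seen nowhere else, is promoted to a global indicator immediately.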
24 Claims
1. (Independent claim, shown above under First Claim.) View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
13. A method implemented by one or more devices of a security service cloud, comprising:
- receiving security-relevant information from a monitored device;
- representing the security-relevant information in a model specific to the monitored device in real-time as the security-relevant information is received, wherein a system component or an event associated with the security-relevant information received from the monitored device is represented in the model by at least two data objects including a first data object with a device-specific scope and a second data object with a group-specific scope or a global scope, and wherein the device-specific scope, the group-specific scope, and the global scope differ in scope;
- propagating a property from the first data object to the second data object;
- detecting, in real-time as the security-relevant information is represented, a security concern associated with the security-relevant information represented in the model; and
- in response to detecting the security concern:
  - selecting an action among a plurality of different actions based at least in part on the propagating of the property from the first data object to the second data object; and
  - taking the action, in real-time as the security concern is detected.

View Dependent Claims (14, 15, 16, 17, 18)
19. One or more non-transitory computer-readable media having stored thereon a plurality of programming instructions which, when executed by one or more computing devices, cause the one or more computing devices to perform actions comprising:
- receiving security-relevant information associated with system components and events of a plurality of monitored devices;
- in real-time as the security-relevant information is received, updating a graph model representing the system components and events of the plurality of monitored devices as data objects, wherein a system component or an event associated with the security-relevant information received from the plurality of monitored devices is represented in the graph model by at least two data objects including a first data object with a device-specific scope and a second data object with a group-specific scope or a global scope, and wherein the device-specific scope, the group-specific scope, and the global scope differ in scope;
- propagating a property from the first data object to the second data object; and
- in real-time as the system components and events are represented, detecting a security concern associated with the represented system components and events, and in response to detecting the security concern:
  - selecting an action among a plurality of different actions based at least in part on the propagating of the property from the first data object to the second data object; and
  - taking the action, in real-time as the security concern is detected.

View Dependent Claims (20, 21, 22, 23, 24)