Integrity monitoring in a local network

US 10,498,744 B2
Filed: 09/22/2017
Issued: 12/03/2019
Est. Priority Date: 03/08/2016
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring a network comprising a plurality of machines located at a non-static collection of nodes that form a linear communication orbit, the method comprising:

at a respective node in the linear communication orbit, wherein each machine of the plurality of machines has a respective machine identifier, and the plurality of machines have self-organized into an ordered sequence in accordance with a predefined order of the respective machine identifiers of the plurality of machines, performing a set of integrity monitoring operations, comprising;

receiving a watch list through the linear communication orbit, wherein the watch list is sent by a server system coupled to the linear communication orbit, and propagates from node to node along the linear communication orbit until reaching the respective node, and the watch list identifies one or more objects for which events are to be monitored;

identifying a plurality of events that occur locally at the respective node, including events for the one or more objects identified by the received watch list, in real-time while the plurality of events are occurring;

storing in a local database event information for the identified plurality of events at the respective node;

receiving an integrity reporting request through the linear communication orbit, wherein the integrity reporting request is sent by the server system, and propagates from node to node along the linear communication orbit until reaching the respective node;

in response to the integrity reporting request, identifying a subset of the event information for the identified plurality of events in the local database, the subset corresponding to event information for at least some of the one or more objects identified by the received watch list, and returning the identified subset of the event information to the server system through the linear communication orbit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This application is directed to an integrity monitoring method performed at a computational machine in a linear communication orbit. The computational machine receives a watch list through the linear communication orbit. The watch list identifies objects for which events are to be monitored at the computational machine. While a plurality of events are occurring locally at the computational machine, the computational machine identifies the plurality of events in real-time. The identified events include events for the objects identified by the watch list, and event information for these identified events is stored in a local database of the computational machine. In response to an integrity reporting request received through the linear communication orbit, the computational machine identifies event information for at least some of the objects identified by the watch list in the local database, and returns the identified event information to a server system through the linear communication orbit.

112 Citations

View as Search Results

58 Claims

1. A method of monitoring a network comprising a plurality of machines located at a non-static collection of nodes that form a linear communication orbit, the method comprising:
- at a respective node in the linear communication orbit, wherein each machine of the plurality of machines has a respective machine identifier, and the plurality of machines have self-organized into an ordered sequence in accordance with a predefined order of the respective machine identifiers of the plurality of machines, performing a set of integrity monitoring operations, comprising;
  
  receiving a watch list through the linear communication orbit, wherein the watch list is sent by a server system coupled to the linear communication orbit, and propagates from node to node along the linear communication orbit until reaching the respective node, and the watch list identifies one or more objects for which events are to be monitored;
  
  identifying a plurality of events that occur locally at the respective node, including events for the one or more objects identified by the received watch list, in real-time while the plurality of events are occurring;
  
  storing in a local database event information for the identified plurality of events at the respective node;
  
  receiving an integrity reporting request through the linear communication orbit, wherein the integrity reporting request is sent by the server system, and propagates from node to node along the linear communication orbit until reaching the respective node;
  
  in response to the integrity reporting request, identifying a subset of the event information for the identified plurality of events in the local database, the subset corresponding to event information for at least some of the one or more objects identified by the received watch list, and returning the identified subset of the event information to the server system through the linear communication orbit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, further comprising:
    - at the server system coupled to the linear communication orbit, sending the watch list through the linear communication orbit to two or more machines of the plurality of machines in the linear communication orbit, and performing the set of integrity monitoring operations at each of the two or more machines.
  - 3. The method of claim 1, wherein the watch list defines one or more event types to be monitored locally at the respective node for each of the one or more objects identified in the watch list.
  - 4. The method of claim 3, wherein for each respective object of the one or more objects, the one or more event types include at least one of creation, deletion, modification, renaming and access permission change of the respective object.
  - 5. The method of claim 1, wherein the one or more objects identified by the watch list include one of a file and a directory.
  - 6. The method of claim 1, wherein the server system is coupled to an administrator machine, further comprising:
    - at the server system, receiving from the administrator machine an integrity monitoring instruction to deploy the watch list to a first subset of nodes in the linear communication orbit, the integrity monitor instruction including the watch list and identifiers of the first subset of nodes including the respective node.
  - 7. The method of claim 6, wherein receiving the integrity monitoring instruction further comprises:
    - receiving a user selection of a target operating system; and
      
      receiving a selection of the one or more objects identified by the watch list from a watch list template including a predefined list of files and directories to be monitored at the first subset of nodes in the linear communication orbit, wherein two or more machines are located at the first subset of nodes and configured to execute the target operating system.
  - 8. The method of claim 6, wherein receiving the integrity monitoring instruction further comprises:
    - receiving at the server system a user input to exclude a directory path or a directory path type from the watch list.
  - 9. The method of claim 1, wherein storing in the local database event information for the identified plurality of events at the respective node further comprises:
    - creating a plurality of integrity warning tags to identify a subset of the events for the one or more objects identified by the received watch list, wherein each integrity warning tag indicates that a respective one of the subset of events has been identified for the one or more objects according to the watch list; and
      
      storing in the local database each of the plurality of integrity warning tags in association with the respective one of the subset of events.
  - 10. The method of claim 9, wherein the integrity reporting request includes a command to return to the server system event information for any event that is stored in the local database with an integrity warning tag, and identifying and returning the subset of the event information further comprises:
    - in response to the integrity reporting request;
      
      identifying in the local database the subset of the events for the one or more objects identified by the received watch list, the identified subset of the events being stored with the plurality of integrity warning tags; and
      
      returning to the server system event information for the identified subset of the events for the one or more objects identified by the received watch list.
  - 11. The method of claim 1, wherein the integrity reporting request is received periodically from the server system according to a predetermined schedule.
  - 12. The method of claim 1, wherein the integrity reporting request includes an encryption key for encrypting the identified subset of the event information at the respective node before uploading the identified subset of the event information to the server system, and the server system possesses a decryption key corresponding to the encryption key.
  - 13. The method of claim 1, further comprising:
    - at the server system, after receiving the subset of the event information for the identified plurality of events, labeling respective events in the events for the one or more objects identified by the received watch list with predefined labels that correspond to predefined event evaluations.
  - 14. The method of claim 1, wherein the integrity reporting request includes an integrity reporting criterion, and the subset of the event information for the identified plurality of events corresponds to event information in the local database that satisfies the integrity reporting criterion.
  - 15. The method of claim 14, wherein the integrity reporting criterion defines a time window, and returning the identified subset of the event information to the server system includes:
    - in accordance with the integrity reporting criterion, returning event information in the local database for at least some events that occurred within the time window for the one or more objects identified by the received watch list.
  - 16. The method of claim 14, wherein the integrity reporting criterion defines at least one of:
    - a time window within which one or more events of interest corresponding to the subset of the event information occurred;
      
      one or more users who initiate the one or more events of interest corresponding to the subset of the event information; and
      
      a list of authorized applications that are permitted to make changes to the one or more objects identified by the watch list.
  - 17. The method of claim 1, further comprising:
    - at the server system, after receiving the subset of the event information for the identified plurality of events, identifying one or more events of interest by filtering the subset of the event information for the identified plurality of events according to an integrity monitoring criterion.
  - 18. The method of claim 17, wherein the integrity monitoring criterion defines at least one of:
    - a time window within which the one or more events of interest corresponding to the subset of the event information occurred;
      
      one or more users who initiate the one or more events of interest corresponding to the subset of the event information; and
      
      a list of authorized applications that are permitted to make changes to the one or more objects identified by the watch list.
  - 19. The method of claim 1, further comprising:
    - receiving from the server system a direct communication instruction for establishing a direct duplex connection between the respective node and the server system;
      
      in response to receiving the direct communication instruction through the linear communication orbit, sending an outbound connection request to the server system to establish a direct duplex connection between the respective node and the server system; and
      
      uploading local context data related to an event of interest to the server system through the direct duplex connection, wherein the server system is configured to perform analysis on the local context data received from the respective node to investigate integrity of a respective object corresponding to the event of interest that has occurred at the respective node.
  - 20. The method of claim 19, wherein the direct duplex connection is a secure websocket connection.
  - 21. The method of claim 19, wherein the server system is separated from the network by a firewall.
  - 22. The method of claim 1, wherein the subset of the event information for the identified plurality of events that is identified in the local database includes a first subset of the event information for the identified plurality of events, the method further comprising:
    - at the respective node, in response to the integrity reporting request;
      
      receiving a second subset of the event information for a second plurality of events that are identified at a second node in the linear communication orbit, the second node being distinct from the respective node, the second subset corresponding to at least some of the one or more objects identified by the watch list received at the second node; and
      
      aggregating the first subset of the event information for the plurality of events identified at the respective node and the second subset of the event information for the second plurality of events identified at the second node, wherein the aggregated first and second subsets of event information are returned to the server system via the linear communication orbit.

23. A method of monitoring a network comprising a plurality of machines located at a non-static collection of nodes that form a linear communication orbit, the method comprising:
- at a server system coupled to the linear communication orbit, wherein each machine of the plurality of machines has a respective machine identifier, and the plurality of machines have self-organized into an ordered sequence in accordance with a predefined order of the respective machine identifiers of the plurality of machines, performing a set of integrity monitoring operations, comprising;
  
  sending a watch list through the linear communication orbit to two or more machines of the plurality of machines in the linear communication orbit, wherein the watch list propagates from node to node along the linear communication orbit until reaching each of the two or more machines, and the watch list identifies one or more objects for which events are to be monitored at the two or more machines;
  
  sending an integrity reporting request through the linear communication orbit to the two or more machines, wherein the integrity reporting request propagates from node to node along the linear communication orbit until reaching each of the two or more machines;
  
  in response to the integrity reporting request, receiving from each of the two or more machines a subset of event information for a plurality of events, wherein the plurality of events are identified locally in real-time at the two or more machines, and the event information for the plurality of events is stored in local databases of the two or more machines, the subset of the event information corresponding to event information for at least some of the one or more objects identified by the watch list.
- View Dependent Claims (24)
- - 24. The method of claim 23, further comprising:
    - identifying an event of interest based on the subset of the event information for the plurality of events received from a first machine of the two or more machines;
      
      sending a direct communication instruction for establishing a direct duplex connection between the first machine and the server system;
      
      in response to sending the direct communication instruction through the linear communication orbit, receiving an outbound connection request from the first machine to establish a direct duplex connection between the first machine and the server system; and
      
      receiving local context data related to the event of interest from the first machine through the direct duplex connection, wherein the server system is configured to perform analysis on the local context data received from the first machine through the direct duplex connection to investigate integrity of a respective object corresponding to the event of interest that has occurred at the first machine.

25. A server system for monitoring a network comprising a plurality of machines located at a non-static collection of nodes that form a linear communication orbit, the server configured to be coupled to the linear communication orbit, wherein each machine of the plurality of machines has a respective machine identifier, and the plurality of machines have self-organized into an ordered sequence in accordance with a predefined order of the respective machine identifiers of the plurality of machines;
- the server system comprising;
  
  one or more processors; and
  
  memory storing one or more programs, the one or more programs including instructions for performing a set of integrity monitoring operations, including;
  
  sending a watch list through the linear communication orbit to two or more machines of the plurality of machines in the linear communication orbit, wherein the watch list propagates from node to node along the linear communication orbit until reaching each of the two or more machines, and the watch list identifies one or more objects for which events are to be monitored at the two or more machines;
  
  sending an integrity reporting request through the linear communication orbit to the two or more machines, wherein the integrity reporting request propagates from node to node along the linear communication orbit until reaching each of the two or more machines;
  
  in response to the integrity reporting request, receiving from each of the two or more machines a subset of event information for a plurality of events, wherein the plurality of events are identified locally in real-time at the two or more machines, and the event information for the plurality of events is stored in local databases of the two or more machines, the subset of the event information corresponding to event information for at least some of the one or more objects identified by the watch list.
- View Dependent Claims (26)
- - 26. The server system of claim 25, wherein the one or more programs include instructions for:
    - identifying an event of interest based on the subset of the event information for the plurality of events received from a first machine of the two or more machines;
      
      sending a direct communication instruction for establishing a direct duplex connection between the first machine and the server system;
      
      in response to sending the direct communication instruction through the linear communication orbit, receiving an outbound connection request from the first machine to establish a direct duplex connection between the first machine and the server system; and
      
      receiving local context data related to the event of interest from the first machine through the direct duplex connection, wherein the server system is configured to perform analysis on the local context data received from the first machine through the direct duplex connection to investigate integrity of a respective object corresponding to the event of interest that has occurred at the first machine.

27. A non-transitory computer readable storage medium storing one or more programs configured for execution by a server system for monitoring a network comprising a plurality of machines located at a non-static collection of nodes that form a linear communication orbit;
- wherein each machine of the plurality of machines has a respective machine identifier, and the plurality of machines have self-organized into an ordered sequence in accordance with a predefined order of the respective machine identifiers of the plurality of machines;
  
  the one or more programs comprising instructions for;
  
  sending a watch list through the linear communication orbit to two or more machines of the plurality of machines in the linear communication orbit, wherein the watch list propagates from node to node along the linear communication orbit until reaching each of the two or more machines, and the watch list identifies one or more objects for which events are to be monitored at the two or more machines;
  
  sending an integrity reporting request through the linear communication orbit to the two or more machines, wherein the integrity reporting request propagates from node to node along the linear communication orbit until reaching each of the two or more machines; and
  
  in response to the integrity reporting request, receiving from each of the two or more machines a subset of event information for a plurality of events, wherein the plurality of events are identified locally in real-time at the two or more machines, and the event information for the plurality of events is stored in local databases of the two or more machines, the subset of the event information corresponding to event information for at least some of the one or more objects identified by the watch list.
- View Dependent Claims (28)
- - 28. The non-transitory computer readable storage medium of claim 27, wherein the one or more programs include instructions for:
    - identifying an event of interest based on the subset of the event information for the plurality of events received from a first machine of the two or more machines;
      
      sending a direct communication instruction for establishing a direct duplex connection between the first machine and the server system;
      
      in response to sending the direct communication instruction through the linear communication orbit, receiving an outbound connection request from the first machine to establish a direct duplex connection between the first machine and the server system; and
      
      receiving local context data related to the event of interest from the first machine through the direct duplex connection, wherein the server system is configured to perform analysis on the local context data received from the first machine through the direct duplex connection to investigate integrity of a respective object corresponding to the event of interest that has occurred at the first machine.

29. A computational machine for monitoring a network comprising a plurality of machines located at a non-static collection of nodes that form a linear communication orbit, comprising:
- one or more processors; and
  
  memory having instructions stored thereon, which when executed by the one or more processors cause the computational machine to perform a set of integrity monitoring operations including;
  
  at a respective node in the linear communication orbit, wherein each machine of the plurality of machines has a respective machine identifier, and the plurality of machines have self-organized into an ordered sequence in accordance with a predefined order of the respective machine identifiers of the plurality of machines;
  
  receiving a watch list through the linear communication orbit, wherein the watch list is sent by a server system coupled to the linear communication orbit, and propagates from node to node along the linear communication orbit until reaching the respective node, and the watch list identifies one or more objects for which events are to be monitored;
  
  identifying a plurality of events that occur locally at the respective node, including events for the one or more objects identified by the received watch list, in real-time while the plurality of events are occurring;
  
  storing in a local database event information for the identified plurality of events at the respective node;
  
  receiving an integrity reporting request through the linear communication orbit, wherein the integrity reporting request is sent by the server system, and propagates from node to node along the linear communication orbit until reaching the respective node; and
  
  in response to the integrity reporting request, identifying a subset of the event information for the identified plurality of events in the local database, the subset corresponding to event information for at least some of the one or more objects identified by the received watch list, and returning the identified subset of the event information to the server system through the linear communication orbit.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 30. The computational machine of claim 29, wherein the watch list defines one or more event types to be monitored locally at the respective node for each of the one or more objects identified in the watch list.
  - 31. The computational machine of claim 30, wherein for each respective object of the one or more objects, the one or more event types include at least one of creation, deletion, modification, renaming and access permission change of the respective object.
  - 32. The computational machine of claim 29, wherein the one or more objects identified by the watch list include one of a file and a directory.
  - 33. The computational machine of claim 29, wherein storing in the local database event information for the identified plurality of events at the respective node further comprises:
    - creating a plurality of integrity warning tags to identify a subset of the events for the one or more objects identified by the received watch list, wherein each integrity warning tag indicates that a respective one of the subset of events has been identified for the one or more objects according to the watch list; and
      
      storing in the local database each of the plurality of integrity warning tags in association with the respective one of the subset of events.
  - 34. The computational machine of claim 33, wherein the integrity reporting request includes a command to return to the server system event information for any event that is stored in the local database with an integrity warning tag, and identifying and returning the subset of the event information further comprises:
    - in response to the integrity reporting request;
      
      identifying in the local database the subset of the events for the one or more objects identified by the received watch list, the identified subset of the events being stored with the plurality of integrity warning tags; and
      
      returning to the server system event information for the identified subset of the events for the one or more objects identified by the received watch list.
  - 35. The computational machine of claim 33, wherein the integrity reporting request includes a command to return to the server system event information for any event that is stored in the local database with an integrity warning tag, and identifying and returning the subset of the event information further comprises:
    - in response to the integrity reporting request;
      
      identifying in the local database the subset of the events for the one or more objects identified by the received watch list, the identified subset of the events being stored with the plurality of integrity warning tags; and
      
      returning to the server system event information for the identified subset of the events for the one or more objects identified by the received watch list.
  - 36. The computational machine of claim 29, wherein the integrity reporting request is received periodically from the server system according to a predetermined schedule.
  - 37. The computational machine of claim 29, wherein the integrity reporting request includes an encryption key for encrypting the identified subset of the event information at the respective node before uploading the identified subset of the event information to the server system, and the server system possesses a decryption key corresponding to the encryption key.
  - 38. The computational machine of claim 29, wherein the integrity reporting request includes an integrity reporting criterion, and the subset of the event information for the identified plurality of events corresponds to event information in the local database that satisfies the integrity reporting criterion.
  - 39. The computational machine of claim 38, wherein the integrity reporting criterion defines a time window, and returning the identified subset of the event information to the server system includes:
    - in accordance with the integrity reporting criterion, returning event information in the local database for at least some events that occurred within the time window for the one or more objects identified by the received watch list.
  - 40. The computational machine of claim 38, wherein the integrity reporting criterion defines at least one of:
    - a time window within which one or more events of interest corresponding to the subset of the event information occurred;
      
      one or more users who initiate the one or more events of interest corresponding to the subset of the event information; and
      
      a list of authorized applications that are permitted to make changes to the one or more objects identified by the watch list.
  - 41. The computational machine of claim 29, wherein the set of integrity monitoring operations further includes:
    - receiving from the server system a direct communication instruction for establishing a direct duplex connection between the respective node and the server system;
      
      in response to receiving the direct communication instruction through the linear communication orbit, sending an outbound connection request to the server system to establish a direct duplex connection between the respective node and the server system; and
      
      uploading local context data related to an event of interest to the server system through the direct duplex connection, wherein the server system is configured to perform analysis on the local context data received from the respective node to investigate integrity of a respective object corresponding to the event of interest that has occurred at the respective node.
  - 42. The computational machine of claim 41, wherein the direct duplex connection is a secure websocket connection.
  - 43. The computational machine of claim 41, wherein the server system is separated from the network by a firewall.
  - 44. The computational machine of claim 29, wherein the subset of the event information for the identified plurality of events that is identified in the local database includes a first subset of the event information for the identified plurality of events, and the set of integrity monitoring operations further includes:
    - at the respective node, in response to the integrity reporting request;
      
      receiving a second subset of the event information for a second plurality of events that are identified at a second node in the linear communication orbit, the second node being distinct from the respective node, the second subset corresponding to at least some of the one or more objects identified by the watch list received at the second node; and
      
      aggregating the first subset of the event information for the plurality of events identified at the respective node and the second subset of the event information for the second plurality of events identified at the second node, wherein the aggregated first and second subsets of event information are returned to the server system via the linear communication orbit.

45. A non-transitory computer readable storage medium storing one or more programs configured for execution by a computational machine for monitoring a network comprising a plurality of machines located at a non-static collection of nodes that form a linear communication orbit, the one or more programs comprising instructions for:
- at a respective node in the linear communication orbit, wherein each machine of the plurality of machines has a respective machine identifier, and the plurality of machines have self-organized into an ordered sequence in accordance with a predefined order of the respective machine identifiers of the plurality of machines;
  
  receiving a watch list through the linear communication orbit, wherein the watch list is sent by a server system coupled to the linear communication orbit, and propagates from node to node along the linear communication orbit until reaching the respective node, and the watch list identifies one or more objects for which events are to be monitored;
  
  identifying a plurality of events that occur locally at the respective node, including events for the one or more objects identified by the received watch list, in real-time while the plurality of events are occurring;
  
  storing in a local database event information for the identified plurality of events at the respective node;
  
  receiving an integrity reporting request through the linear communication orbit, wherein the integrity reporting request is sent by the server system, and propagates from node to node along the linear communication orbit until reaching the respective node; and
  
  in response to the integrity reporting request, identifying a subset of the event information for the identified plurality of events in the local database, the subset corresponding to event information for at least some of the one or more objects identified by the received watch list, and returning the identified subset of the event information to the server system through the linear communication orbit.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
- - 46. The non-transitory computer readable medium of claim 45, wherein the watch list defines one or more event types to be monitored locally at the respective node for each of the one or more objects identified in the watch list.
  - 47. The non-transitory computer readable medium of claim 46, wherein for each of the one or more objects, the one or more event types include at least one of creation, deletion, modification, renaming and access permission change of the respective object.
  - 48. The non-transitory computer readable medium of claim 45, wherein the one or more objects identified by the watch list include one of a file and a directory.
  - 49. The non-transitory computer readable medium of claim 45, wherein storing in the local database event information for the identified plurality of events at the respective node further comprises:
    - creating a plurality of integrity warning tags to identify a subset of the events for the one or more objects identified by the received watch list, wherein each integrity warning tag indicates that a respective one of the subset of events has been identified for the one or more objects according to the watch list; and
      
      storing in the local database each of the plurality of integrity warning tags in association with the respective one of the subset of events.
  - 50. The non-transitory computer readable medium of claim 45, wherein the integrity reporting request is received periodically from the server system according to a predetermined schedule.
  - 51. The non-transitory computer readable medium of claim 45, wherein the integrity reporting request includes an encryption key for encrypting the identified subset of the event information at the respective node before uploading the identified subset of the event information to the server system, and the server system possesses a decryption key corresponding to the encryption key.
  - 52. The non-transitory computer readable medium of claim 45, wherein the integrity reporting request includes an integrity reporting criterion, and the subset of the event information for the identified plurality of events corresponds to event information in the local database that satisfies the integrity reporting criterion.
  - 53. The non-transitory computer readable medium of claim 52, wherein the integrity reporting criterion defines a time window, and returning the identified subset of the event information to the server system includes:
    - in accordance with the integrity reporting criterion, returning event information in the local database for at least some events that occurred within the time window for the one or more objects identified by the received watch list.
  - 54. The non-transitory computer readable medium of claim 52, wherein the integrity reporting criterion defines at least one of:
    - a time window within which one or more events of interest corresponding to the subset of the event information occurred;
      
      one or more users who initiate the one or more events of interest corresponding to the subset of the event information; and
      
      a list of authorized applications that are permitted to make changes to the one or more objects identified by the watch list.
  - 55. The non-transitory computer readable medium of claim 45, wherein the one or more programs include instructions for:
    - receiving from the server system a direct communication instruction for establishing a direct duplex connection between the respective node and the server system;
      
      in response to receiving the direct communication instruction through the linear communication orbit, sending an outbound connection request to the server system to establish a direct duplex connection between the respective node and the server system; and
      
      uploading local context data related to an event of interest to the server system through the direct duplex connection, wherein the server system is configured to perform analysis on the local context data received from the respective node to investigate integrity of a respective object corresponding to the event of interest that has occurred at the respective node.
  - 56. The non-transitory computer readable medium of claim 55, wherein the direct duplex connection is a secure websocket connection.
  - 57. The non-transitory computer readable medium of claim 55, wherein the server system is separated from the network by a firewall.
  - 58. The non-transitory computer readable medium of claim 45, wherein the subset of the event information for the identified plurality of events that is identified in the local database includes a first subset of the event information for the identified plurality of events, and the one or more programs include instructions for:
    - at the respective node, in response to the integrity reporting request;
      
      receiving a second subset of the event information for a second plurality of events that are identified at a second node in the linear communication orbit, the second node being distinct from the respective node, the second subset corresponding to at least some of the one or more objects identified by the watch list received at the second node; and
      
      aggregating the first subset of the event information for the plurality of events identified at the respective node and the second subset of the event information for the second plurality of events identified at the second node, wherein the aggregated first and second subsets of event information are returned to the server system via the linear communication orbit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tanium Inc.
Original Assignee
Tanium Inc.
Inventors
Hunt, Christian L., Gissel, Thomas R., Tarter, Aaron, Floyd, Daniel, Hobbs, Benjamin, Smith, Michael
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/713,518
Publication Number

US 20180013768A1
Time in Patent Office

802 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 12/4625   Single bridge functionality...

H04L 41/0681   Configuration of triggering...

H04L 41/069   using logs of notifications...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0442   wherein the sending and rec...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 67/141   Setup of application sessio...

Integrity monitoring in a local network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

112 Citations

58 Claims

Specification

Solutions

Use Cases

Quick Links

Integrity monitoring in a local network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

58 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links