Patents Assigned to ExtraHop Networks, Inc.
-
Patent number: 11296967
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers. Metrics may be determined based on monitoring network traffic associated with entities in the network such that the metrics may be included in profiles associated with each entity. The profiles may be compared with other profiles in a context database based on the metrics included in each profile and each other profile. In response to the profiles being unmatched by other profiles one or more active probes may be performed to collect other metrics that may be used to update profiles. In response to the one or more profiles being matched by the other profiles in the context database, a timestamp associated with the other profiles may be updated to a current time value. Reports that include information associated with the entities and the profiles or the updated profiles may be generated.
Type: Grant
Filed: September 23, 2021
Date of Patent: April 5, 2022
Assignee: ExtraHop Networks, Inc.
Inventors: Jesse Abraham Rothstein, Benjamin Thomas Higgins, Michael Kerber Krause Montague, Kevin Michael Seguin
-
Patent number: 11165814
Abstract: Embodiments are directed to monitoring network traffic using NMCs that may be arranged to provide scores based on threat assessments associated with anomaly classes such that the anomaly classes may be associated with types of anomalous activity. NMCs may employ the anomaly classes, the scores, characteristics of the anomaly classes, or the like, to determine triage models. The NMCs may modify the scores based on the triage models or archival information associated with the anomaly classes. The NMCs may associate the modified scores with the anomaly classes. In response to detecting anomalous activity, the NMCs may provide other scores based on the anomalous activity and provide a report that includes the other scores to a user.
Type: Grant
Filed: July 29, 2019
Date of Patent: November 2, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Po-Shen Lee, Songqian Chen, Amanda Jewitt, Olga Kazakova, Todd Kemmerling, Bhushan Prasad Khanal, Katherine Megan Porterfield, Jade Alexi Tabony, Karan Rajesh Thakker, Xue Jun Wu
-
Patent number: 11165823
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Anomalous events may be classified based on the monitored network traffic and attack models such that the classification determines that targets of the anomalous events may be currently subject to attacks by entities communicating on the networks. A honeypot trap may be provided in the networks based on the classified events such that the honeypot trap mimics characteristics of the targets. The portions of the network traffic associated with the honeypot trap may be monitored. Characteristics of the attacks may be determined based on the monitored portions of network traffic. Reports that include information based on the characteristics of the attacks may be generated.
Type: Grant
Filed: December 17, 2019
Date of Patent: November 2, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Bhushan Prasad Khanal, Swagat Dasgupta, Changhwan Oh, J. Braund
-
Patent number: 11165831
Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.
Type: Grant
Filed: May 4, 2018
Date of Patent: November 2, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Benjamin Thomas Higgins, Jesse Abraham Rothstein
-
Patent number: 11012329
Abstract: Embodiments are directed to monitoring network traffic using a monitoring engine that monitors network traffic in networks to provide metrics. An inference engine may provide activity profiles based on portions of the network traffic where each activity profile includes features associated with the portions of network traffic. The inference engine may determine other activity profiles correlated with the activity profiles based on correlation models such that the determination of the other activity profiles occurs prior to monitoring an occurrence of other portions of the network traffic. The inference engine may modify monitoring actions of the monitoring engine based on the other activity profiles. The inference engine may provide reports based on the portions of the network traffic, the activity profiles, the other portions of the network traffic, or the other activity profiles.
Type: Grant
Filed: September 9, 2019
Date of Patent: May 18, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Eric Jacob Ball, Eric Joseph Hammerle, Benjamin Thomas Higgins, Bhushan Prasad Khanal, Michael Kerber Krause Montague, Xue Jun Wu
-
Patent number: 10979282
Abstract: Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with a plurality of entities in networks to provide metrics. And provide a device relation model based on the plurality of entities, the network traffic, and the metrics. An inference engine may associate each entity in the plurality of entities with an importance score based on the device relation model and the metrics such that each importance score is associated with a significance of an entity to operations of the networks. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. And provide one or more alerts from the plurality of alerts to one or more users based on one or more ranked importance scores associated with one or more entities.
Type: Grant
Filed: August 16, 2019
Date of Patent: April 13, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Patent number: 10965702
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.
Type: Grant
Filed: May 28, 2019
Date of Patent: March 30, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Benjamin Thomas Higgins, Jesse Abraham Rothstein, Xue Jun Wu, Michael Kerber Krause Montague, Kevin Michael Seguin
-
Patent number: 10742677
Abstract: Embodiments are directed to monitoring network traffic to determine users and assets based on the network traffic. A user role model may assign a user role and provide a role confidence score for the users based on network traffic associated with the users. An asset model may assign an asset type and provide an asset confidence score for the assets based on network traffic associated with the assets. The users may be associated with assets based on the network traffic. The role confidence scores provided for the users may be modified based on the asset type assigned to assets associated with the users. The asset confidence score provided for the assets may be modified based on the user role assigned to the users associated with the assets. A report that includes information about the user roles and the asset types may be provided.
Type: Grant
Filed: September 4, 2019
Date of Patent: August 11, 2020
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Benjamin Thomas Higgins, Michael Kerber Krause Montague, Po-Shen Lee, Songqian Chen, Jade Alexi Tabony, Katherine Megan Porterfield
-
Patent number: 10742530
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by bridge devices may be monitored by NMCs. The bridge devices may modify network traffic passed from one network segment to another network segment. Flows in network segments may be determined based on monitored network traffic associated with the network segments. Other flows in other network segments may be determined based on other monitored network traffic associated with the other network segments. A correlation score for two or more flows in different network segments may be provided based on a correlation model. Two or more related flows may be determined based on a value of the correlation score of the two or more related flows located in different network segments. A report that includes information about the two or more related flows may be provided.
Type: Grant
Filed: August 5, 2019
Date of Patent: August 11, 2020
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Arindum Mukerji, Jeff James Costlow, Michael Kerber Krause Montague
-
Patent number: 10728126
Abstract: Embodiments are directed to monitoring network traffic using network computers. A monitoring engine may monitor network traffic associated with a plurality of entities in a network to provide metrics. A device relation model may be provided based on the plurality of entities, the network traffic, and the metrics. Interest information for a user may be provided based on one or more properties associated with the user. An inference engine may associate each entity in the plurality of entities with an interest score based on the interest information, the device relation model, and the metrics. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. Some of the alerts may be provided to the user based on ranked interest scores associated with the entities.
Type: Grant
Filed: July 30, 2018
Date of Patent: July 28, 2020
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Patent number: 10616084
Abstract: Embodiments are directed to monitoring network traffic over a network. A monitoring engine may monitor flows of network packets in the network. The monitoring engine may determine an observation port that provided the network packets. The monitoring engine may determine primary network packets provided by an authoritative observation port based on which observation port provided the network packets and provide them to an analysis engine. The monitoring engine may discard a remainder of the network packets that may be associated with non-authoritative observation ports. The analysis engine may analyze the one or more primary network packets.
Type: Grant
Filed: July 1, 2019
Date of Patent: April 7, 2020
Assignee: ExtraHop Networks, Inc.
Inventors: Eric Joseph Hammerle, Jesse Abraham Rothstein, Michael Kerber Krause Montague
-
Patent number: 10594718
Abstract: Embodiments are directed to monitoring network traffic associated with networks to provide metrics. A monitoring engine may determine an anomaly based on the metrics exceeding threshold values. An inference engine may be instantiated to provide an anomaly profile based on portions of the network traffic that are associated with the anomaly. The inference engine may provide an investigation profile based on the anomaly profile such that the investigation profile includes information associated with investigation activities associated with an investigation of the anomaly. The inference engine may monitor the investigation of the anomaly based on other portions of the network traffic such that the other portions of the network traffic are associated with monitoring an occurrence of the investigation activities. The inference engine may modify a performance score associated with the investigation profile based on the occurrence of the investigation activities and a completion status of the investigation.
Type: Grant
Filed: August 21, 2018
Date of Patent: March 17, 2020
Assignee: ExtraHop Networks, Inc.
Inventors: Joel Benjamin Deaguero, Edmund Hope Driggs, Xue Jun Wu, Nicholas Jordan Braun, Michael Kerber Krause Montague, Michael Christopher Kelly
-
Patent number: 10594709
Abstract: Embodiments are directed to monitoring network traffic using network computers. Monitoring triggers associated with one or more conditions and one or more actions may be provided. A monitoring engine may monitor information that is associated with network traffic associated with networks based on an inspection detail level. The monitoring engine may compare the monitored information to the conditions associated with the monitoring triggers. The monitoring engine may activate one or more monitoring triggers based on a result of the comparison. The monitoring engine may modify the inspection detail level based on the actions associated with the activated monitoring triggers to increase the amount of the information monitored by the monitoring engine. An analysis engine may provide analysis of the network traffic based on the monitored information.
Type: Grant
Filed: April 15, 2019
Date of Patent: March 17, 2020
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Patent number: 10587638
Abstract: Embodiments are directed to monitoring network traffic over a network using one or more network monitoring computers. A monitoring engine may be instantiated to perform actions, including: monitoring network traffic to identify client requests provided by clients and server responses provided by servers in response to the client requests; determining request metrics associated with the client requests; and determining response metrics associated with the server responses. An analysis engine may be instantiated that performs actions, including: comparing the request metrics with the response metrics; determining atypical behavior associated with the clients based on the comparison such that the atypical behavior includes an absence of adaption by the clients to changes in the server responses; and providing alerts that may identify the clients associated with the atypical behavior.
Type: Grant
Filed: April 22, 2019
Date of Patent: March 10, 2020
Assignee: ExtraHop Networks, Inc.
Inventors: Arindum Mukerji, Khurram Waheed
-
Patent number: 10511499
Abstract: Embodiments are directed to monitoring network traffic in a network. A network monitoring engine may monitor networks to collect characteristics associated with network flows. The network monitoring engine may be arranged to identify entities on the network based on characteristics associated with the network flows. The network monitoring engine may provide entity profiles based on the identified entities and the characteristics. A configuration management engine may compare the entity profiles with configuration item (CI) entries in a database. The configuration management engine may provide discrepancy notices based on differences discovered during the comparison. Accordingly, the network monitoring engine may execute one or more policies to perform one or more additional actions based on the one or more discrepancy notices. Also, the configuration management engine may perform audits of an organization's information technology infrastructure to identify one or more violations of compliance policies.
Type: Grant
Filed: April 15, 2019
Date of Patent: December 17, 2019
Assignee: ExtraHop Networks, Inc.
Inventors: Arindum Mukerji, Jeffery Bradford Fry
-
Patent number: 10476673
Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). Network packets that are communicated between the computers may be captured and stored in a data store. If the NMCs identify a secure communication session established between two computers, the NMCs may obtain key information that corresponds to the secure communication session that includes a session key that may be provided by a key provider. Correlation information associated with the secure communication session may be captured by the NMCs. The correlation information may include tuple information associated with the secure communication session. And, the key information and the correlation information may be stored in a key escrow. The key information may be indexed in the key escrow using the correlation information.
Type: Grant
Filed: March 22, 2017
Date of Patent: November 12, 2019
Assignee: ExtraHop Networks, Inc.
Inventors: Benjamin Thomas Higgins, Charlotte Ching-Hsing Tan, Jesse Abraham Rothstein
-
Patent number: 10411978
Abstract: Embodiments are directed to monitoring network traffic using a monitoring engine that monitors network traffic in networks to provide metrics. An inference engine may provide activity profiles based on portions of the network traffic where each activity profile includes features associated with the portions of network traffic. The inference engine may determine other activity profiles correlated with the activity profiles based on correlation models such that the determination of the other activity profiles occurs prior to monitoring an occurrence of other portions of the network traffic. The inference engine may modify monitoring actions of the monitoring engine based on the other activity profiles. The inference engine may provide reports based on the portions of the network traffic, the activity profiles, the other portions of the network traffic, or the other activity profiles.
Type: Grant
Filed: August 9, 2018
Date of Patent: September 10, 2019
Assignee: ExtraHop Networks, Inc.
Inventors: Eric Jacob Ball, Eric Joseph Hammerle, Benjamin Thomas Higgins, Bhushan Prasad Khanal, Michael Kerber Krause Montague, Xue Jun Wu
-
Patent number: 10411982
Abstract: Embodiments are directed to monitoring network traffic using a network computer. The network computer provides anomaly information associated with anomalies that may be associated with monitored network traffic. An inference engine may determine the users associated with the anomalies based on the monitored network traffic. A communication channel associated with the users may be determined based on the anomalies and the monitored network traffic such that the communication channel may be separate from the monitored network traffic. The communication channel may be employed to provide investigative agents to the users. Investigative information may be collected from the investigative agents over the communication channel. The inference engine may provide a risk value that is associated with the anomalies based on the investigative information.
Type: Grant
Filed: June 14, 2019
Date of Patent: September 10, 2019
Assignee: ExtraHop Networks, Inc.
Inventors: Edmund Hope Driggs, Jesse Abraham Rothstein
-
Patent number: 10389574
Abstract: Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with a plurality of entities in networks to provide metrics. And provide a device relation model based on the plurality of entities, the network traffic, and the metrics. An inference engine may associate each entity in the plurality of entities with an importance score based on the device relation model and the metrics such that each importance score is associated with a significance of an entity to operations of the networks. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. And provide one or more alerts from the plurality of alerts to one or more users based on one or more ranked importance scores associated with one or more entities.
Type: Grant
Filed: February 7, 2018
Date of Patent: August 20, 2019
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Patent number: 10382303
Abstract: Embodiments are directed to monitoring network traffic in a network. A device relation model that may be comprised of two or more nodes and one or more edges stored in memory of the network computer may be provided to a network monitoring computer (NMC), such that each node represents an agent and each edge represents a relationship between two agents. If error signals are detected by the NMC, the NMC performs further actions to process the error signals. The device relation model may be traversed to identify agents associated with the error signals. The network traffic associated with the error signals and the agents may be analyzed by the NMC. If the error signals are associated with anomalies in the network traffic, users may be notified. The device relation model may be updated upon discovery of new computing devices, new applications, or new associations between agents.
Type: Grant
Filed: August 7, 2017
Date of Patent: August 13, 2019
Assignee: ExtraHop Networks, Inc.
Inventors: Bhushan Prasad Khanal, Xue Jun Wu