Abstract: A server system obtains, for machines in a distributed system, system risk information, such as information identifying open sessions between respective users and respective machines, information identifying vulnerabilities in respective machines; and administrative rights information identifying groups of users having administrative rights to respective machines. The server system determines security risk factors, including risk factors related to lateral movement between logically coupled machines, and generates machine risk assessment values for at least a subset of the machines, based on a weighted combination of the risk factors. A user interface that includes a list of machines, sorted in accordance with the machine risk assessment values is presented to a user.

Abstract: A server system in communication with a plurality of machines that form a linear communication orbit establishes a direct duplex connection between the server system and a first endpoint machine. The server system enrolls the first endpoint machine as a satellite endpoint machine, which enables the satellite endpoint machine to execute one or more function modules. Typically, the server system authenticates, via the direct duplex connection, the first endpoint machine, and, after authenticating the first endpoint machine, sends, to the first endpoint machine, an instruction for executing a function module. The server system receives a report including information obtained by the first endpoint machine executing the function module. At least one of the establishing a direct duplex connection, sending the instruction, and receiving the report includes sending or receiving a communication between the first endpoint machine and the server system via the linear communication orbit.

Abstract: Performance of a collection of machines, arranged in a linear sequence of machines that form a linear communication orbit (LCO), is monitored. Multiple machines in the LCO receive, via the LCO, a set of rules (or various subsets of the same set of rules), each rule specifying one or a combination of conditions (e.g., a performance metric and corresponding criterion) for satisfying the rule, evaluate those rules with respect to locally occurring events and local processes, and store results of those evaluations in a local database. In response to a query sent to the machines via the LCO, each of the machines returns a report, including information identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules. Those reports are aggregated and used to generate a merged report reflecting performance information with respect to a set of machines.

Abstract: A server system sends, via a linearly ordered communication orbit, to computational machines at a first subset of nodes in a computer network, a set of local environment verification tests and a set of mappings that map results of the local environment verification tests into a set of risk scores. Requests sent by the server system cause the computational machines at the plurality of nodes to: locally evaluate the set of local environment verification tests to produce test results, and locally map the test results using the set of mappings into a set of risk scores. Queries sent by the server cause the computational machines at the plurality of nodes to return to the server system at least a portion of the test results and risk scores. The server, identifies, based on the received test results and risk scores, computational machines and/or control categories having risk scores satisfying predefined criteria.

Abstract: A method is provided of managing a non-static collection of machines. A first client machine runs a first communication protocol. The non-static collection of machines includes a first linear communication orbit, the first linear communication orbit comprising a sequence of machines that run the first communication protocol, and a second linear communication orbit, the second linear communication orbit comprising a sequence of machines that run a second communication protocol distinct from the first communication protocol. The first client machine receives an instruction from a server to install the second communication protocol, installs the second communication protocol, and then submits a registration request to the server. The first client machine receives, from the server, contact information of a list of potential neighbors. The first client machine then, proactively constructs and maintains a respective local segment of the second linear communication orbit.

Abstract: A server system, coupled to a linear communication orbit, has a plurality of function modules. Each function module is configured to collect data from machines located at nodes of the linear communication orbit, process collected data according to a schema definition to generate result data, and store the result data in a database. Data collection requests, based on the schema definition, are sent through the linear communication orbit to collecting data from a set of machines via the linear communication orbit. In some embodiments, a central data management module of the one or more servers is configured to provide the schema definition to and receive result data reported from the function modules.

Abstract: An application mapping procedure obtains and aggregates application mapping information from a plurality of machines in a distributed system. An application dependency map, including first layer of application mapping information, is initialized, and then a first query is sent to one or more of the machines. In response, information identifying entities that have participated in predefined communications with entities identified in an existing layer of application mapping information in the application dependency map are received, and a second layer of application mapping information is added to the application dependency map, based at least in part on the information received in response to the first query. After adding the second layer of application mapping information to the application dependency map, a second query is sent to one or more of the of the endpoint machines, the second query being based at least in part on the application dependency map.

Abstract: Performance of a collection of machines, arranged in a linear sequence of machines that form a linear communication orbit (LCO), is monitored. Multiple machines in the LCO receive, via the LCO, a set of rules (or various subsets of the same set of rules), each rule specifying one or a combination of conditions (e.g., a performance metric and corresponding criterion) for satisfying the rule, evaluate those rules with respect to locally occurring events and local processes, and store results of those evaluations in a local database. In response to a query sent to the machines via the LCO, each of the machines returns a report, including information identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules. Those reports are aggregated and used to generate a merged report reflecting performance information with respect to a set of machines.

Abstract: In a distributed system that includes a collection of machines, a server system generates a global dictionary from sampling responses received from machines in the collection of machine, at least a subject of the sampling responses including information indicating one or more terms in a corpus of information stored at a respective machine in the collection of machines. The global dictionary includes global document frequency values corresponding to the document frequencies of terms in the corpora of information stored in the collection of machines. The server system generates a similarity search query for a target document, the similarity search query including identifiers of terms in the target document and optionally document frequency information for those terms, obtained from the global dictionary, and sends, through one or more linear communication orbits, the similarity search query to one or more respective machines in the collection of machines.

Abstract: A server system obtains, for machines in a distributed system, system risk information, such as information identifying open sessions between respective users and respective machines, information identifying vulnerabilities in respective machines; and administrative rights information identifying groups of users having administrative rights to respective machines. The server system determines security risk factors, including risk factors related to lateral movement between logically coupled machines, and generates machine risk assessment values for at least a subset of the machines, based on a weighted combination of the risk factors. A user interface that includes a list of machines, sorted in accordance with the machine risk assessment values is presented to a user.

Abstract: A first machine identifies, from among a non-static collection of machines, a respective set of forward contacts that comprises a set of machines. The set of forward contacts are distributed along the ordered sequence in the forward direction away from the respective machine in an order of increasing similarity between the respective channel number assigned to the first machine and a respective channel number assigned to each of the set of forward contacts. The first machine establishes a respective direct communication channel between the first machine and each of the set of forward contacts. The first machine sends a first query to a first forward contact and sends collected answers for the first query to at least a second forward contact that has a greater similarity to the first machine based on the respective channel numbers of the first machine and the first and second forward contacts.

Abstract: A server system sends, via a linearly ordered communication orbit, to computational machines at a first subset of nodes in a computer network, a set of local environment verification tests and a set of mappings that map results of the local environment verification tests into a set of risk scores. Requests sent by the server system cause the computational machines at the plurality of nodes to: locally evaluate the set of local environment verification tests to produce test results, and locally map the test results using the set of mappings into a set of risk scores. Queries sent by the server cause the computational machines at the plurality of nodes to return to the server system at least a portion of the test results and risk scores. The server, identifies, based on the received test results and risk scores, computational machines and/or control categories having risk scores satisfying predefined criteria.

Abstract: A method is provided of managing a non-static collection of machines. A first client machine runs a first communication protocol. The non-static collection of machines includes a first linear communication orbit, the first linear communication orbit comprising a sequence of machines that run the first communication protocol, and a second linear communication orbit, the second linear communication orbit comprising a sequence of machines that run a second communication protocol distinct from the first communication protocol. The first client machine receives an instruction from a server to install the second communication protocol, installs the second communication protocol, and then submits a registration request to the server. The first client machine receives, from the server, contact information of a list of potential neighbors. The first client machine then, proactively constructs and maintains a respective local segment of the second linear communication orbit.

Abstract: A server system, coupled to a linear communication orbit, has a plurality of function modules. Each function module is configured to collect data from machines located at nodes of the linear communication orbit, process collected data according to a schema definition to generate result data, and store the result data in a database. Data collection requests, based on the schema definition, are sent through the linear communication orbit to collecting data from a set of machines via the linear communication orbit. In some embodiments, a central data management module of the one or more servers is configured to provide the schema definition to and receive result data reported from the function modules.

Abstract: Performance of a collection of machines, arranged in a linear sequence of machines that form a linear communication orbit (LCO), is monitored. Multiple machines in the LCO receive, via the LCO, a set of rules (or various subsets of the same set of rules), each rule specifying one or a combination of conditions (e.g., a performance metric and corresponding criterion) for satisfying the rule, evaluate those rules with respect to locally occurring events and local processes, and stores results of those evaluations in a local database. In response to a performance query sent to the machines via the LCO, each of the machines returns a report, including information identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules. Those reports are aggregated and used to present performance information to a user.

Abstract: A server system sends, via a linearly ordered communication orbit, to computational machines at a first subset of nodes in a computer network, a set of local environment verification tests and a set of mappings that map results of the local environment verification tests into a set of risk scores. Requests sent by the server system cause the computational machines at the plurality of nodes to: locally evaluate the set of local environment verification tests to produce test results, and locally map the test results using the set of mappings into a set of risk scores. Queries sent by the server cause the computational machines at the plurality of nodes to return to the server system at least a portion of the test results and risk scores. The server, identifies, based on the received test results and risk scores, computational machines and/or control categories having risk scores satisfying predefined criteria.

Abstract: A first machine identifies, from among a non-static collection of machines, a respective set of forward contacts that comprises a set of machines. The set of forward contacts are distributed along the ordered sequence in the forward direction away from the respective machine in an order of increasing similarity between the respective channel number assigned to the first machine and a respective channel number assigned to each of the set of forward contacts. The first machine establishes a respective direct communication channel between the first machine and each of the set of forward contacts. The first machine sends a first query to a first forward contact and sends collected answers for the first query to at least a second forward contact that has a greater similarity to the first machine based on the respective channel numbers of the first machine and the first and second forward contacts.

Abstract: A machine in a linear communication orbit receives a query, including a set of one or more rules, through the linear communication orbit. The machine, for each respective rule: identifies files that contain content that satisfies the respective rule, generates a first report identifying a count of files at the machine that contain content satisfying the rule, and sends the first report through the linear communication orbit to a server. The machine receives an instruction packet from an external machine that includes an instruction for establishing a direct duplex connection between the respective machine and the external machine. then sends a request to the external machine to establish the direct duplex connection. The machine sends to the external machine, via the direct duplex connection, a second report including information identifying files at the machine that contain file content satisfying each rule in the set of one or more rules.

Abstract: An application mapping procedure obtains and aggregates application mapping information from a plurality of machines in a distributed system. A first layer of application mapping information is generated, identifying application entry points, each comprising a machine and a process executed by the identified machine. An application map is initialized with the first layer of application mapping information. A plurality of iterations of a predefined map gathering operation are performed, each iteration adding a layer of application mapping information to the application map, thereby producing an application map of the distributed processing of one or more respective applications. Each iteration sends queries, via one or more linear communication orbits, to machines in the distributed system, and obtains from the machines information identifying entities that have participated in predefined communications with entities identified in a most recently generated or added layer of application mapping information.

Abstract: A method of updating software, performed by respective machines in a linear communication orbit includes, at a local server executed by a respective machine, receiving, via the linear communication orbit, update metadata. At an update module executed by the respective machine, an update module evaluates software version information using the update metadata to determine a set of one or more updates to be applied to one or more software programs. A patch module sends, via the linear communication orbit, requests for one or more software update files corresponding to the set of one or more updates, and receives the one or more software update files corresponding to the set of one or more updates. The update module then updates the one or more of the software programs by applying the received one or more software update files to the one or more of the software programs.