Abstract: Decoupling of a first machine from a plurality of machines in a network is disclosed. Each machine has a machine identifier. The plurality of machines are organized into a linearly ordered sequence in accordance with a predefined order of the machine identifiers. The first machine is configured to receive a query from a preceding machine and propagate the query to a succeeding machine in the linearly ordered sequence. Prior to decoupling from the network, the first machine informs respective presence of a first subset of machines to a second subset of machines that are not overlapping with the first subset of machines. The first subset of machines includes a machine having a lower machine identifier relative to the machine identifier of the first machine, and the second subset of machines includes a machine having a higher machine identifier relative to the machine identifier of the first machine.

Abstract: A method is provided of managing a non-static collection of machines. A first client machine runs a first communication protocol. The non-static collection of machines includes a first linear communication orbit, the first linear communication orbit comprising a sequence of machines that run the first communication protocol, and a second linear communication orbit, the second linear communication orbit comprising a sequence of machines that run a second communication protocol distinct from the first communication protocol. The first client machine receives an instruction from a server to install the second communication protocol, installs the second communication protocol, and then submits a registration request to the server. The first client machine receives, from the server, contact information of a list of potential neighbors. The first client machine then, proactively constructs and maintains a respective local segment of the second linear communication orbit.

Abstract: This application is directed to a distributed data processing method performed at a server system coupled to a linear communication orbit. The server system has a plurality of function modules. Each function module is configured to collect data related to a core function from the linear communication orbit. Each function module includes an internal client configured to adaptively perform a set of data processing operations according to a schema definition, including generating a data collection request for collecting raw data items, sending the data collection request through the linear communication orbit, collecting the requested raw data items from a set of machines via the linear communication orbit, and performing analysis on the collected raw data items. In some embodiments, a central data management module of the one or more servers is configured to provide the schema definition to and receive result data reported from the function modules.

Abstract: In a distributed system, each of N machines receives a similarity search query through a linear communication orbit. The similarity search query includes token identifiers corresponding to tokens in a target document. Each machine, in response, identifies files that meet predefined similarity criteria with respect to the target document. Subsequent to receiving the similarity search query, the machine generates a first report, including a count of files stored at the machine that meet the predefined similarity criteria with respect to the target document, and/or information identifying a set of files that meet the predefined similarity criteria with respect to the target document; and sends the first report to a server through the linear communication orbit. The server produces a merged report presenting information with respect to files at a set of machines, including the N machines, that meet the predefined similarity criteria with respect to the target document.

Abstract: A method of updating software, performed by respective machines in a linear communication orbit includes, at a local server executed by a respective machine, receiving, via the linear communication orbit, update metadata. At an update module executed by the respective machine, an update module evaluates software version information using the update metadata to determine a set of one or more updates to be applied to one or more software programs. A patch module sends, via the linear communication orbit, requests for one or more software update files corresponding to the set of one or more updates, and receives the one or more software update files corresponding to the set of one or more updates. The update module then updates the one or more of the software programs by applying the received one or more software update files to the one or more of the software programs.

Abstract: This application is directed to a mapping method performed at a computational machine in a linear communication orbit. The computational machine receives an application definition the linear communication orbit. The application definition specifies criteria for establishing whether the computational machine executes a specified application, a component of the specified application, or communicate with another node executing the specified application or a component of the specified application. While a plurality of events are occurring locally at the computational machine, the computational machine identifies one or more operations meeting the application definition in real-time. The identified one or more operations meeting the application definition, and associated metadata are stored in a local mapping database of the computational machine and returned to the server system through the linear communication orbit in response to a map request received through the linear communication orbit.

Abstract: A local environment verification method, performed by a server of a computer network, includes injecting, into a linear communication orbit, a bundle of information items regarding deployment of a respective local environment verification framework at each of a first subset of nodes in the computer network. The bundle of information items is distributed to a respective node of the first subset of nodes through the linear communication orbit, and used to establish the respective local environment verification framework at the respective node of the first subset of nodes. The respective node of the first subset of nodes is configured to perform a set of local environment verifications using the respective local environment verification framework. The method further includes injecting, into the linear communication orbit, a query message to collect respective local results of the set of local environment verifications from the first subset of nodes.

Abstract: In a network of a plurality of machines and a server, the machines have self-organized into a linearly ordered sequence in accordance with a predefined order of their respective machine identifiers. The linearly ordered sequence includes one or more local segments each include a first machine followed by a sequence of second machines. A query regarding management information of a local segment is injected into the network at the first machine of the local segment. The query is forwarded along the local segment, and each machine in the local segment responds to the query by adding its own local information to any answers already accumulated in the payload of the query. A second machine in the local segment sends a report message containing aggregated management information that has been collected in the payload of the query to the server.

Abstract: In one aspect, machines in a managed network implements a set of rules that cause individual machines to directly interact with only a small number of machines in the network (i.e., a local neighborhood within the network), while the independent local actions of the individual machines collectively cause the individual machines to be self-organized into one or more communication orbits without any global control or coordination by a server or an administrator. The communication orbits are used for supporting network, security and system management communications in the managed network.

Abstract: Method and system for providing message communications with failure detection and recovery are disclosed. At a respective node of a non-static collection of nodes forming a linear communication orbit: the node identifies, from among the non-static collection of nodes, a set of forward contacts distributed in a forward direction along the linear communication orbit; the node monitors a propagation state of a first query that has departed from the respective node to travel in the forward direction along the linear communication orbit; and upon detecting a propagation failure of the first query based on the monitoring, the node sends the first query directly to a first forward contact among the set of forward contacts to initiate a failure recovery process within at least part of a segment of the linear communication orbit between the respective node and the first forward contact of the respective node.

Abstract: This application is directed to an integrity monitoring method performed at a computational machine in a linear communication orbit. The computational machine receives a watch list through the linear communication orbit. The watch list identifies objects for which events are to be monitored at the computational machine. While a plurality of events are occurring locally at the computational machine, the computational machine identifies the plurality of events in real-time. The identified events include events for the objects identified by the watch list, and event information for these identified events is stored in a local database of the computational machine. In response to an integrity reporting request received through the linear communication orbit, the computational machine identifies event information for at least some of the objects identified by the watch list in the local database, and returns the identified event information to a server system through the linear communication orbit.

Abstract: A respective node in a linear communication orbit receives an instruction packet through the linear communication orbit, where the instruction packet has been propagated from a starting node to the respective node through one or more upstream nodes along the linear communication orbit, and the instruction packet includes an instruction for establishing a direct duplex connection between the respective node and a respective server. In response to receiving the instruction packet, the respective node sends an outbound connection request to the respective server to establish the direct duplex connection. The respective node then uploads local data to the respective server through the direct duplex connection (e.g., in response to one or more queries, instructions, and requests received from the respective server through the direct duplex connection), where the respective server performs analysis on the local data received from the respective node through the direct duplex connection.

Abstract: A data caching and distribution method, performed by a plurality of computational machines in a linear communication orbit, includes generating a data request by a first machine to request specific data, and passing the data request along a data request path that tracks the linear communication orbit until the request is received at a second machine, in the linear communication orbit, that returns the specific data in response to the data request. The method includes, at a third machine between the second machine and the first machine in the linear communication orbit, conditionally storing the specific data in a local cache of the third machine according to a data caching method.

Abstract: A method for evaluating indicators of compromise (IOCs) is performed at a device having one or more processors and memory. The method includes receiving respective specifications of a plurality of IOCs, wherein the respective specifications of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC. The method further includes dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, and determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.

Abstract: A first managed machine of a plurality of managed machines arranged in a linear communication orbit based on a predefined order of respective machine identifiers of the managed machines scans for live unmanaged machines within a selected portion of the network that is associated with a first range of machine identifiers that includes identifiers between the respective identifiers of the first managed machine and a respective neighbor machine of the first managed machine, determines whether the remedial instruction specifies a respective remedial operation applicable to the one or more live unmanaged machines that have been detected within the selected portion of the network, and requests the one or more live unmanaged machines to execute the respective remedial operation specified by the remedial instruction.

Abstract: In one aspect, machines in a managed network implements a set of rules that cause individual machines to directly interact with only a small number of machines in the network (i.e., a local neighborhood within the network), while the independent local actions of the individual machines collectively cause the individual machines to be self-organized into one or more communication orbits without any global control or coordination by a server or an administrator. The communication orbits are used for supporting network, security and system management communications in the managed network.

Abstract: Machines in a managed network implement a set of rules that cause individual machines to directly interact with only a small number of machines in the network. Independent local actions of the individual machines collectively cause the individual machines to be self-organized into one or more communication orbits without any global control or coordination by a server or an administrator. The communication orbits are used for supporting security management, including, at a first node of the network, receiving a security management message from an upstream neighbor through a respective receiving channel from the upstream neighbor to the first node; performing one or more security management operations in accordance with the security management message received from the upstream neighbor; and forwarding the security management message to a downstream neighbor through a respective propagation channel from the first node to the downstream neighbor.

Abstract: A remote server dispatches an instruction packet to a node in a network through a linear communication orbit formed by a collection of nodes. The instruction packet propagates from node to node along the linear communication orbit until reaching the node. The instruction packet includes instructions for establishing a direct duplex connection between the node and the remote server. After dispatching the instruction packet to the node through the linear communication orbit, the remote server receives, from the node, a request for establishing the direct duplex connection. In response to receiving the request from the node, the remote server establishes the direct duplex connection. After establishing the direct duplex connection, the remote server issues instructions to the node to upload local data from the node to the remote server through the direct duplex connection.

Abstract: Method and system for providing message communications with failure detection and recovery are disclosed. At a respective node of a non-static collection of nodes forming a linear communication orbit: the node identifies, from among the non-static collection of nodes, a set of forward contacts distributed in a forward direction along the linear communication orbit; the node monitors a propagation state of a first query that has departed from the respective node to travel in the forward direction along the linear communication orbit; and upon detecting a propagation failure of the first query based on the monitoring, the node sends the first query directly to a first forward contact among the set of forward contacts to initiate a failure recovery process within at least part of a segment of the linear communication orbit between the respective node and the first forward contact of the respective node.

Abstract: In one aspect, methods, system, and computer-readable media for monitoring unmanaged assets in a network having a plurality of managed machines include: at a first managed machine of the plurality of managed machines, wherein the plurality of managed machine are arranged in a linear communication orbit and have respective identifiers, and each managed machine is coupled to at least one respective neighbor by a corresponding local segment of the linear communication orbit: responding to a detection instruction for detecting unmanaged assets currently present in the network, by: scanning for live unmanaged machines within a selected portion of the network that is associated with a range of identifiers that includes identifiers between the respective identifiers of the first managed machine and a respective neighbor of the first managed machine; and generating a local report identifying one or more unmanaged machines that have been detected within the selected portion of the network.