Abstract: An application mapping procedure obtains and aggregates application mapping information from a plurality of machines in a distributed system. An application dependency map, including first layer of application mapping information, is initialized, and then a first query is sent to one or more of the machines. In response, information identifying entities that have participated in predefined communications with entities identified in an existing layer of application mapping information in the application dependency map are received, and a second layer of application mapping information is added to the application dependency map, based at least in part on the information received in response to the first query. After adding the second layer of application mapping information to the application dependency map, a second query is sent to one or more of the of the endpoint machines, the second query being based at least in part on the application dependency map.

Abstract: Performance of a collection of machines, arranged in a linear sequence of machines that form a linear communication orbit (LCO), is monitored. Multiple machines in the LCO receive, via the LCO, a set of rules (or various subsets of the same set of rules), each rule specifying one or a combination of conditions (e.g., a performance metric and corresponding criterion) for satisfying the rule, evaluate those rules with respect to locally occurring events and local processes, and store results of those evaluations in a local database. In response to a query sent to the machines via the LCO, each of the machines returns a report, including information identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules. Those reports are aggregated and used to generate a merged report reflecting performance information with respect to a set of machines.

Abstract: In a distributed system that includes a collection of machines, a server system generates a global dictionary from sampling responses received from machines in the collection of machine, at least a subject of the sampling responses including information indicating one or more terms in a corpus of information stored at a respective machine in the collection of machines. The global dictionary includes global document frequency values corresponding to the document frequencies of terms in the corpora of information stored in the collection of machines. The server system generates a similarity search query for a target document, the similarity search query including identifiers of terms in the target document and optionally document frequency information for those terms, obtained from the global dictionary, and sends, through one or more linear communication orbits, the similarity search query to one or more respective machines in the collection of machines.

Abstract: A system and computer-readable storage medium perform a method for contextual inferring capacity for triggering a financial transaction by monitoring, via user device(s), objective contextual data of location, temporal, and volitional transaction information associated with an authorized user of a financial system. Subjective contextual data of personal calendar events, physiological data, and pacing of user interactions with the user device(s) is monitored. The objective and subjective contextual data is analyzed to create scenario(s) correlated with performing a volitional transaction. If not predictive a volitional transaction, a layer of security protocol is added for authentication prior to executing the volitional transaction. In response to determining that the current context is predictive of a volitional transaction, a determination is made whether the subjective contextual data satisfies criterion for incapacity to perform a volitional transaction.

Abstract: A system and computer-readable storage medium perform a method for contextual inferring capacity for triggering a financial transaction by monitoring, via user device(s), objective contextual data of location, temporal, and volitional transaction information associated with an authorized user of a financial system. Subjective contextual data of personal calendar events, physiological data, and pacing of user interactions with the user device(s) is monitored. The objective and subjective contextual data is analyzed to create scenario(s) correlated with performing a volitional transaction. If not predictive a volitional transaction, a layer of security protocol is added for authentication prior to executing the volitional transaction. In response to determining that the current context is predictive of a volitional transaction, a determination is made whether the subjective contextual data satisfies criterion for incapacity to perform a volitional transaction.

Abstract: Performance of a collection of machines, arranged in a linear sequence of machines that form a linear communication orbit (LCO), is monitored. Multiple machines in the LCO receive, via the LCO, a set of rules (or various subsets of the same set of rules), each rule specifying one or a combination of conditions (e.g., a performance metric and corresponding criterion) for satisfying the rule, evaluate those rules with respect to locally occurring events and local processes, and stores results of those evaluations in a local database. In response to a performance query sent to the machines via the LCO, each of the machines returns a report, including information identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules. Those reports are aggregated and used to present performance information to a user.

Abstract: An application mapping procedure obtains and aggregates application mapping information from a plurality of machines in a distributed system. A first layer of application mapping information is generated, identifying application entry points, each comprising a machine and a process executed by the identified machine. An application map is initialized with the first layer of application mapping information. A plurality of iterations of a predefined map gathering operation are performed, each iteration adding a layer of application mapping information to the application map, thereby producing an application map of the distributed processing of one or more respective applications. Each iteration sends queries, via one or more linear communication orbits, to machines in the distributed system, and obtains from the machines information identifying entities that have participated in predefined communications with entities identified in a most recently generated or added layer of application mapping information.

Abstract: A method of updating software, performed by respective machines in a linear communication orbit includes, at a local server executed by a respective machine, receiving, via the linear communication orbit, update metadata. At an update module executed by the respective machine, an update module evaluates software version information using the update metadata to determine a set of one or more updates to be applied to one or more software programs. A patch module sends, via the linear communication orbit, requests for one or more software update files corresponding to the set of one or more updates, and receives the one or more software update files corresponding to the set of one or more updates. The update module then updates the one or more of the software programs by applying the received one or more software update files to the one or more of the software programs.

Abstract: A method of updating software, performed by respective machines in a linear communication orbit includes, at a local server executed by a respective machine, receiving, via the linear communication orbit, update metadata. At an update module executed by the respective machine, an update module evaluates software version information using the update metadata to determine a set of one or more updates to be applied to one or more software programs. A patch module sends, via the linear communication orbit, requests for one or more software update files corresponding to the set of one or more updates, and receives the one or more software update files corresponding to the set of one or more updates. The update module then updates the one or more of the software programs by applying the received one or more software update files to the one or more of the software programs.

Abstract: In a distributed system, each of N machines receives a similarity search query through a linear communication orbit. The similarity search query includes token identifiers corresponding to tokens in a target document. Each machine, in response, identifies files that meet predefined similarity criteria with respect to the target document. Subsequent to receiving the similarity search query, the machine generates a first report, including a count of files stored at the machine that meet the predefined similarity criteria with respect to the target document, and/or information identifying a set of files that meet the predefined similarity criteria with respect to the target document; and sends the first report to a server through the linear communication orbit. The server produces a merged report presenting information with respect to files at a set of machines, including the N machines, that meet the predefined similarity criteria with respect to the target document.

Abstract: A method of updating software, performed by respective machines in a linear communication orbit includes, at a local server executed by a respective machine, receiving, via the linear communication orbit, update metadata. At an update module executed by the respective machine, an update module evaluates software version information using the update metadata to determine a set of one or more updates to be applied to one or more software programs. A patch module sends, via the linear communication orbit, requests for one or more software update files corresponding to the set of one or more updates, and receives the one or more software update files corresponding to the set of one or more updates. The update module then updates the one or more of the software programs by applying the received one or more software update files to the one or more of the software programs.

Abstract: This application is directed to a mapping method performed at a computational machine in a linear communication orbit. The computational machine receives an application definition the linear communication orbit. The application definition specifies criteria for establishing whether the computational machine executes a specified application, a component of the specified application, or communicate with another node executing the specified application or a component of the specified application. While a plurality of events are occurring locally at the computational machine, the computational machine identifies one or more operations meeting the application definition in real-time. The identified one or more operations meeting the application definition, and associated metadata are stored in a local mapping database of the computational machine and returned to the server system through the linear communication orbit in response to a map request received through the linear communication orbit.

Abstract: A system and computer-readable storage medium perform a method for contextual inferring capacity for triggering a financial transaction by monitoring, via user device(s), objective contextual data of location, temporal, and volitional transaction information associated with an authorized user of a financial system. Subjective contextual data of personal calendar events, physiological data, and pacing of user interactions with the user device(s) is monitored. The objective and subjective contextual data is analyzed to create scenario(s) correlated with performing a volitional transaction. If not predictive a volitional transaction, a layer of security protocol is added for authentication prior to executing the volitional transaction. In response to determining that the current context is predictive of a volitional transaction, a determination is made whether the subjective contextual data satisfies criterion for incapacity to perform a volitional transaction.

Abstract: A local environment verification method, performed by a server of a computer network, includes injecting, into a linear communication orbit, a bundle of information items regarding deployment of a respective local environment verification framework at each of a first subset of nodes in the computer network. The bundle of information items is distributed to a respective node of the first subset of nodes through the linear communication orbit, and used to establish the respective local environment verification framework at the respective node of the first subset of nodes. The respective node of the first subset of nodes is configured to perform a set of local environment verifications using the respective local environment verification framework. The method further includes injecting, into the linear communication orbit, a query message to collect respective local results of the set of local environment verifications from the first subset of nodes.

Abstract: This application is directed to a mapping method performed at a computational machine in a linear communication orbit. The computational machine receives an application definition the linear communication orbit. The application definition specifies criteria for establishing whether the computational machine executes a specified application, a component of the specified application, or communicate with another node executing the specified application or a component of the specified application. While a plurality of events are occurring locally at the computational machine, the computational machine identifies one or more operations meeting the application definition in real-time. The identified one or more operations meeting the application definition, and associated metadata are stored in a local mapping database of the computational machine and returned to the server system through the linear communication orbit in response to a map request received through the linear communication orbit.

Abstract: A method of updating software, performed by respective machines in a linear communication orbit includes, at a local server executed by a respective machine, receiving, via the linear communication orbit, update metadata. At an update module executed by the respective machine, an update module evaluates software version information using the update metadata to determine a set of one or more updates to be applied to one or more software programs. A patch module sends, via the linear communication orbit, requests for one or more software update files corresponding to the set of one or more updates, and receives the one or more software update files corresponding to the set of one or more updates. The update module then updates the one or more of the software programs by applying the received one or more software update files to the one or more of the software programs.

Abstract: This application is directed to an integrity monitoring method performed at a computational machine in a linear communication orbit. The computational machine receives a watch list through the linear communication orbit. The watch list identifies objects for which events are to be monitored at the computational machine. While a plurality of events are occurring locally at the computational machine, the computational machine identifies the plurality of events in real-time. The identified events include events for the objects identified by the watch list, and event information for these identified events is stored in a local database of the computational machine. In response to an integrity reporting request received through the linear communication orbit, the computational machine identifies event information for at least some of the objects identified by the watch list in the local database, and returns the identified event information to a server system through the linear communication orbit.

Abstract: In a distributed system, each of N machines receives a similarity search query through a linear communication orbit. The similarity search query includes token identifiers corresponding to tokens in a target document. Each machine, in response, identifies files that meet predefined similarity criteria with respect to the target document. Subsequent to receiving the similarity search query, the machine generates a first report, including a count of files stored at the machine that meet the predefined similarity criteria with respect to the target document, and/or information identifying a set of files that meet the predefined similarity criteria with respect to the target document; and sends the first report to a server through the linear communication orbit. The server produces a merged report presenting information with respect to files at a set of machines, including the N machines, that meet the predefined similarity criteria with respect to the target document.

Abstract: A respective node in a linear communication orbit receives an instruction packet through the linear communication orbit, where the instruction packet has been propagated from a starting node to the respective node through one or more upstream nodes along the linear communication orbit, and the instruction packet includes an instruction for establishing a direct duplex connection between the respective node and a respective server. In response to receiving the instruction packet, the respective node sends an outbound connection request to the respective server to establish the direct duplex connection. The respective node then uploads local data to the respective server through the direct duplex connection (e.g., in response to one or more queries, instructions, and requests received from the respective server through the direct duplex connection), where the respective server performs analysis on the local data received from the respective node through the direct duplex connection.

Abstract: A method for evaluating indicators of compromise (IOCs) is performed at a device having one or more processors and memory. The method includes receiving respective specifications of a plurality of IOCs, wherein the respective specifications of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC. The method further includes dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, and determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.