Patent · US Active

Supplementing network flow analysis with endpoint information

US10623424B2 · kind B2 · utility

Cited by: 1
References: 4
Claims: 16
Family size: 0

Assignee

Inventors

Key dates

Filing date: Nov 15, 2016
Grant date: Apr 14, 2020
Priority date:
Expiry date: Aug 28, 2037

Classification

  • Technology area (CPC Y): Emerging Cross-Sectional Technologies
  • CPC primary: Y02D30/50
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

Techniques are disclosed for supplementing network flow analysis with data collected from endpoint computer systems in a network. An endpoint analysis agent may run on endpoints to collect information relating to computing activity internal to the endpoint, including system configuration information, event information, and network, user, process, and file activity. This information may be reported to a network flow analyzer using an extensible flow data record format. The flow analyzer may then correlate this information with network flow data records received from flow collectors in the network to perform a security analysis. In various embodiments, the endpoint analysis agent may cache the collected information when the endpoint is offline. The agent may also perform data reduction operations (such as compression) on the collected information before reporting; data may be further reduced by reporting data only during specified time periods. An analysis agent may also be deployed in a cloud environment.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.