US 11,949,692 B1
Method and system for efficient cybersecurity analysis of endpoint events
Christopher Glyer, Arlington, CA (US); and Seth Jesse Summersett, Hathway Pines, CA (US)
Assigned to GOOGLE LLC, Mountain View, CA (US)
Filed by Google LLC, Mountain View, CA (US)
Filed on May 10, 2021, as Appl. No. 17/316,634.
Application 17/316,634 is a continuation of application No. 15/857,467, filed on Dec. 28, 2017, granted, now 11,005,860, issued on May 11, 2021.
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 43/12 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 43/12 (2013.01); H04L 63/1433 (2013.01); H04L 2463/121 (2013.01)] 20 Claims
OG exemplary drawing
 
1. An endpoint comprising:
one or more processors; and
a non-transitory storage medium coupled to the one or more processors, the non-transitory storage medium comprises an agent stored within the non-transitory storage medium and executed by the one or more processors, the agent including
(i) event monitoring logic that, when executed by the one or more processors, monitors for one or more types of events being performed on the endpoint,
(ii) metadata logic that, when executed by the one or more processors, is configured to collect metadata associated with a monitored event of the one or more event types being monitored,
(iii) timestamp generation logic configured to generate a timestamp associated with detection of the monitored event and the timestamp being stored as part of the collected metadata,
(iv) deduplication logic that, when executed by the one or more processors, is configured to conduct a first determination as to whether the monitored event is distinct among events monitored by the event monitoring logic by at least comparing a portion of the collected metadata to prior collected metadata, and
(v) count incrementing logic, when executed by the one or more processors and responsive to the deduplication logic determining that the portion of the collected metadata matches a corresponding portion of metadata associated with the monitored event, is configured to set a count identifying a number of occurrences of the monitored event that can prompt the deduplication logic to categorize the monitored event as distinct,
wherein, when the monitored event is categorized as distinct, the deduplication logic to provide at least the portion of the collected metadata to a cybersecurity sensor to conduct a second determination as to whether the monitored event is distinct across events being monitored by a plurality of endpoints including the endpoint.
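The two-tier deduplication that claim 1 describes (agent-side first determination with a per-event count, sensor-side second determination across endpoints), as an added Python example that is not code from the patent or its assignee; the metadata field names, the reporting threshold and the sample events are assumptions made for illustration.

```python
import time
from collections import defaultdict

# Assumed "portion" of the collected metadata that is compared for deduplication.
# The timestamp is collected but deliberately left out of the key.
DEDUP_FIELDS = ("event_type", "process", "target")
REPORT_EVERY = 100  # assumed count at which a repeated event is again treated as distinct


class Agent:
    """Endpoint agent: monitors events, collects metadata, timestamps, dedups locally."""

    def __init__(self, endpoint_id, sensor):
        self.endpoint_id = endpoint_id
        self.sensor = sensor
        self.counts = {}  # dedup key -> occurrences seen on this endpoint

    def observe(self, event):
        meta = dict(event)                  # metadata logic: collect the event's metadata
        meta["ts"] = time.time()            # timestamp generation logic
        key = tuple(meta[f] for f in DEDUP_FIELDS)
        count = self.counts.get(key, 0) + 1  # count incrementing logic
        self.counts[key] = count
        # First determination: distinct when never seen on this endpoint, or when
        # the count reaches the reporting threshold again (floods are summarised,
        # not dropped silently).
        distinct = count == 1 or count % REPORT_EVERY == 0
        if distinct:
            portion = {f: meta[f] for f in DEDUP_FIELDS}
            portion.update(ts=meta["ts"], count=count)
            self.sensor.receive(self.endpoint_id, portion)
        return distinct


class Sensor:
    """Cybersecurity sensor: second determination across many endpoints."""

    def __init__(self):
        self.seen = defaultdict(set)  # dedup key -> endpoints that reported it
        self.fleet_distinct = []      # events no endpoint in the fleet had reported before

    def receive(self, endpoint_id, portion):
        key = tuple(portion[f] for f in DEDUP_FIELDS)
        new_fleet_wide = key not in self.seen
        self.seen[key].add(endpoint_id)
        if new_fleet_wide:
            self.fleet_distinct.append((endpoint_id, portion))
        return new_fleet_wide
```

The sensor keeps the set of endpoints per key, so an event that is locally new on a second host is recognised as already known fleet-wide while the spread across hosts remains visible to analysts.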