US 11,658,986 B2
Detecting attacks on computing devices
Puneet Sharma, Milpitas, CA (US); and Anand Mudgerikar, Palo Alto, CA (US)
Assigned to Hewlett Packard Enterprise Development LP, Spring, TX (US)
Filed by HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, Houston, TX (US)
Filed on Dec. 16, 2020, as Appl. No. 17/123,342.
Application 17/123,342 is a division of application No. 15/885,447, filed on Jan. 31, 2018, granted, now 10,897,470.
Prior Publication US 2021/0136092 A1, May 6, 2021
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); H04L 9/32 (2006.01)
CPC H04L 63/1416 (2013.01) [H04L 9/3236 (2013.01); H04L 9/3242 (2013.01); H04L 9/3297 (2013.01); H04L 63/08 (2013.01); H04L 63/14 (2013.01); H04L 63/145 (2013.01)] 7 Claims
OG exemplary drawing
 
1. A system comprising:
a first computing device comprising instructions executable by a hardware processor to:
transmit, responsive to detecting a second computing device initially attempting to connect to the network for a first time, an agent to the second computing device to generate log files of initial processes running on the second computing device during an initial operation time period of the second computing device, initial system calls made by the initial processes during the initial operation time period, subsequent processes running on the second computing device during a subsequent operation time period of the second computing device, and subsequent system calls made by the subsequent processes during the subsequent operation time period, wherein the initial system calls comprise initial programmatic requests of services from a kernel of an operating system executing on the second computing device, and the subsequent system calls comprise subsequent programmatic requests of services from the kernel;
create, responsive to detecting the second computing device initially attempting to connect to the network, an unpopulated baseline profile for the second computing device;
populate the baseline profile with the initial processes and the initial system calls;
monitor, during the subsequent operation time period, the subsequent processes and the subsequent system calls; and
detect an attack on the second computing device based on a comparison of the subsequent processes and the subsequent system calls to the populated baseline profile.
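The claim above describes a baseline-and-compare scheme: an agent logs the processes and system calls seen during an initial operation period, those observations populate a per-device baseline profile, and later activity is compared against that profile. The following script is an added illustration of that comparison logic and is not code from the patent or from Hewlett Packard Enterprise. The agent log format (`<ts> pid=<n> comm=<process> syscall=<name>`), the field names, the sample log lines and the two deviation categories (`unknown_process`, `unknown_syscall`) are all constructed assumptions for the example.

```python
"""Baseline-and-compare detection over process/system-call logs.

Added illustration (not the patent's or HPE's code): the agent log format,
field names, sample lines and finding categories below are all constructed.
"""
import re
from collections import defaultdict

# Constructed log format: "<ts> pid=<n> comm=<process> syscall=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+comm=(?P<comm>\S+)\s+syscall=(?P<syscall>\S+)$"
)

# Constructed sample: initial operation period (first connection, assumed clean).
INITIAL_LOGS = """\
2020-12-16T10:00:01 pid=101 comm=sshd syscall=socket
2020-12-16T10:00:01 pid=101 comm=sshd syscall=bind
2020-12-16T10:00:01 pid=101 comm=sshd syscall=accept4
2020-12-16T10:00:02 pid=205 comm=cron syscall=openat
2020-12-16T10:00:02 pid=205 comm=cron syscall=read
2020-12-16T10:00:03 pid=310 comm=nginx syscall=accept4
2020-12-16T10:00:03 pid=310 comm=nginx syscall=sendfile
"""

# Constructed sample: subsequent operation period with two deviations
# (a web server spawning a program, and a process never seen before).
SUBSEQUENT_LOGS = """\
2020-12-16T11:00:01 pid=101 comm=sshd syscall=accept4
2020-12-16T11:00:02 pid=310 comm=nginx syscall=sendfile
2020-12-16T11:00:03 pid=310 comm=nginx syscall=execve
2020-12-16T11:00:04 pid=412 comm=nc syscall=connect
2020-12-16T11:00:05 pid=205 comm=cron syscall=read
"""


def parse_log_line(line):
    """Return a dict with ts/pid/comm/syscall, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def create_baseline():
    """The unpopulated baseline profile: process name -> set of system calls."""
    return defaultdict(set)


def populate_baseline(baseline, log_text):
    """Record every (process, syscall) pair observed during the initial period."""
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip lines the agent did not emit in the expected shape
        baseline[rec["comm"]].add(rec["syscall"])
    return baseline


def detect_deviations(baseline, log_text):
    """Compare subsequent activity against the populated baseline.

    Returns (kind, process, syscall, ts) tuples where kind is
    'unknown_process' (never seen in the initial period) or
    'unknown_syscall' (known process issuing a call it never issued before).
    Membership tests do not add keys to the defaultdict, so the baseline is
    not mutated by monitoring.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        comm, sc = rec["comm"], rec["syscall"]
        if comm not in baseline:
            findings.append(("unknown_process", comm, sc, rec["ts"]))
        elif sc not in baseline[comm]:
            findings.append(("unknown_syscall", comm, sc, rec["ts"]))
    return findings


def run_example():
    """Build the baseline from the initial logs and scan the subsequent logs."""
    baseline = populate_baseline(create_baseline(), INITIAL_LOGS)
    return detect_deviations(baseline, SUBSEQUENT_LOGS)


if __name__ == "__main__":
    for kind, comm, sc, ts in run_example():
        print(f"{ts} {kind}: {comm} -> {sc}")
```

Two caveats a practitioner should keep in mind when reading the claim against this example: the baseline only captures behaviour that actually occurred during the initial period, so a legitimate process or code path first exercised later will be reported as a deviation, and anything already running on the device during that initial period is silently baselined as normal. The example keys the profile on process name and system call name alone; real deployments usually add context such as parent process, arguments or file paths to reduce both kinds of error.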