US 12,341,796 B2
Systems, methods, and media for distributed network monitoring using local monitoring devices
Robert W. Techentin, Rochester, MN (US); David R. Holmes, III, Rochester, MN (US); and Barry K. Gilbert, Rochester, MN (US)
Assigned to Mayo Foundation for Medical Education and Research, Rochester, MN (US)
Appl. No. 18/040,694
Filed by Mayo Foundation for Medical Education and Research, Rochester, MN (US)
PCT Filed Aug. 6, 2021, PCT No. PCT/US2021/044892
§ 371(c)(1), (2) Date Feb. 6, 2023,
PCT Pub. No. WO2022/032065, PCT Pub. Date Feb. 10, 2022.
Claims priority of provisional application 63/062,216, filed on Aug. 6, 2020.
Prior Publication US 2023/0283621 A1, Sep. 7, 2023
Int. Cl. G06F 21/55 (2013.01); H04L 9/40 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 63/0236 (2013.01); H04L 63/1441 (2013.01)] 20 Claims
 
1. A system for distributed network monitoring, comprising:
a plurality of local monitoring devices, each of the plurality of local monitoring devices disposed between at least one computing device and a networking router, each particular local monitoring device of the plurality of devices comprising:
at least one processor that is programmed to:
receive, over a first period of time, network traffic between the at least one computing device and the networking router associated with the particular local monitoring device;
generate a model of normal network traffic over the first period of time based on the network traffic between the at least one computing device and the networking router associated with the particular local monitoring device;
receive, over a second period of time subsequent to the first period of time, network traffic between the at least one computing device and the networking router associated with the particular local monitoring device;
calculate a metric based on a parameter of metadata associated with the network traffic received over the second period of time;
determine, based on the metric, whether the network traffic received over the second period of time is anomalous; and
in response to determining that the network traffic received over the second period of time is anomalous, transmit, to a central monitoring system, information indicating that the network traffic received over the second period of time is anomalous; and
the central monitoring system comprising:
at least one second processor that is programmed to:
receive, from a first local monitoring device of the plurality of local monitoring devices, information indicating that the network traffic received over the second period of time is anomalous;
receive, from the first local monitoring device, information related to the network traffic received by the first local monitoring device over the second period of time;
determine, based on the information related to the network traffic received by the first local monitoring device over the second period of time, that the network traffic received by the first local monitoring device over the second period of time is anomalous; and
in response to determining that the network traffic received by the first local monitoring device over the second period of time is anomalous, take an action to secure communications across a portion of the network associated with the first local monitoring device.
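Worked example, added here and not taken from the patent or from any Mayo Foundation implementation: a Python sketch of the two-tier flow that claim 1 describes. A local monitor learns a model of normal traffic over a first period, computes a metric on the metadata of a later window, and only on an anomalous verdict ships both the verdict and the underlying metadata to a central system; the central system re-derives its own verdict from that metadata before acting on the device's network segment. The specific metric (a z-score on per-window egress bytes plus first-seen destination ports), the thresholds, the fleet-wide port set the central system uses to reject a local false positive, and every address and flow record are assumptions constructed for illustration, not anything the claims specify.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """Connection metadata as a local monitoring device would summarise it (no payload)."""
    src: str
    dst: str
    dst_port: int
    bytes_out: int


@dataclass
class LocalMonitor:
    """Edge device sitting between one host and the router; learns, then scores, windows of flows."""
    device_id: str
    z_threshold: float = 3.0          # assumed cutoff on the egress-volume z-score
    base_mean: float = 0.0
    base_std: float = 1.0
    known_ports: frozenset[int] = frozenset()

    def learn_baseline(self, windows: list[list[Flow]]) -> None:
        """First period: per-window egress totals and the set of destination ports seen."""
        totals = [sum(f.bytes_out for f in w) for w in windows]
        self.base_mean = mean(totals)
        self.base_std = pstdev(totals) or 1.0   # a constant baseline would otherwise divide by zero
        self.known_ports = frozenset(f.dst_port for w in windows for f in w)

    def metric(self, window: list[Flow]) -> tuple[float, set[int]]:
        """Second period: z-score of egress volume plus any never-before-seen destination ports."""
        total = sum(f.bytes_out for f in window)
        z = (total - self.base_mean) / self.base_std
        return z, {f.dst_port for f in window} - self.known_ports

    def evaluate(self, window: list[Flow]) -> dict | None:
        """Return an alert carrying the verdict and the flow metadata, or None if the window looks normal."""
        z, new_ports = self.metric(window)
        if z > self.z_threshold or new_ports:
            return {"device": self.device_id, "z": round(z, 2),
                    "new_ports": sorted(new_ports), "flows": window}
        return None


class CentralMonitor:
    """Aggregator: re-derives the verdict from the reported metadata before taking any action."""

    def __init__(self, fleet_ports: set[int], z_threshold: float = 3.0) -> None:
        self.fleet_ports = fleet_ports        # assumed: ports routinely seen anywhere in the fleet
        self.z_threshold = z_threshold
        self.baselines: dict[str, tuple[float, float]] = {}
        self.actions: list[dict] = []

    def register(self, mon: LocalMonitor) -> None:
        self.baselines[mon.device_id] = (mon.base_mean, mon.base_std)

    def handle_alert(self, alert: dict) -> dict | None:
        base_mean, base_std = self.baselines[alert["device"]]
        flows = alert["flows"]
        z = (sum(f.bytes_out for f in flows) - base_mean) / base_std
        # A port new to one host but routine elsewhere in the fleet is not, by itself, anomalous.
        odd_ports = set(alert["new_ports"]) - self.fleet_ports
        if z <= self.z_threshold and not odd_ports:
            return None                       # local verdict not confirmed: no action taken
        suspicious = sorted({f.dst for f in flows if z > self.z_threshold or f.dst_port in odd_ports})
        action = {"segment": alert["device"], "block_dst": suspicious,
                  "reason": f"z={z:.1f}, unknown_ports={sorted(odd_ports)}"}
        self.actions.append(action)          # e.g. push a block rule to the segment's router
        return action


def window(total: int, port: int = 443) -> list[Flow]:
    """Constructed sample window: one DNS lookup plus one HTTPS-style flow carrying the rest of the bytes."""
    return [Flow("10.0.0.5", "10.0.0.53", 53, 400),
            Flow("10.0.0.5", "93.184.216.34", port, total - 400)]


BASELINE = [window(t) for t in (10000, 12000, 11000, 9000, 10000, 8000)]   # first period
NORMAL = window(9500)                                # second period, benign
NEW_BUT_COMMON = window(9800, port=8443)             # port unseen by this host, routine fleet-wide
EXFIL = [Flow("10.0.0.5", "198.51.100.7", 4444, 250_000)]   # constructed bulk egress to a new port


def run_demo() -> dict:
    edge = LocalMonitor("lm-01")
    edge.learn_baseline(BASELINE)
    central = CentralMonitor(fleet_ports={53, 443, 8443})
    central.register(edge)
    verdicts = {}
    for name, w in (("normal", NORMAL), ("new_but_common", NEW_BUT_COMMON), ("exfil", EXFIL)):
        alert = edge.evaluate(w)
        verdicts[name] = (alert is not None, central.handle_alert(alert) if alert else None)
    return {"verdicts": verdicts, "actions": central.actions}


if __name__ == "__main__":
    for name, (local_flag, action) in run_demo()["verdicts"].items():
        print(f"{name:15s} local_alert={local_flag!s:5s} central_action={action}")
```

The split matters for a practitioner: the edge device only reports on its own verdict, so the central system never sees the benign window, and the central system only acts on verdicts it can reproduce from the reported metadata, which is what lets it discard the "new to this host but common in the fleet" alert. Anything beyond this sketch, such as how the model is learned or what action is taken, is left open by the claim language and would have to come from the specification.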