US 12,450,341 B2
User behavior anomaly detection-sensors
Nickolay Berko, Schaffhausen (CH); Serg Bell, Singapore (SG); and Stanislav Protasov, Singapore (SG)
Assigned to Acronis International GmbH, Schaffhausen (CH)
Filed by Acronis International GmbH, Schaffhausen (CH)
Filed on May 31, 2022, as Appl. No. 17/804,835.
Prior Publication US 2023/0385404 A1, Nov. 30, 2023
Int. Cl. G06F 21/55 (2013.01)
CPC G06F 21/552 (2013.01) [G06F 2221/034 (2013.01)]
17 Claims
1. A method for optimizing computing resources used to monitor a user at an endpoint in a computing system for abnormal behavior, the method comprising:
installing a backend software component at a server and under microprocessor control, and an agent at the endpoint;
collecting a plurality of historical metrics from the endpoint, wherein the historical metrics are related to binary scripts executed by an application installed at the endpoint;
building a baseline profile for the binary scripts of the application executed at the endpoint based on the plurality of historical metrics collected from the endpoint;
intercepting, by the agent at the endpoint, first data of the user, wherein the data comprises a set of first metrics comprising all binary scripts executed by the application at the endpoint during a first time period;
parsing, by the agent at the endpoint, the intercepted first data and storing the intercepted first data in a structured format;
submitting the stored intercepted first data to the backend software component at the server;
building, by the backend software component at the server, a profile for the user based on binary scripts executed by the application at the endpoint from the intercepted first data;
intercepting, by the agent, second data of the user, wherein the second intercepted data comprises the set of first metrics related to binary scripts executed by the application at the endpoint while under the user's control during a second time period;
predicting, by the backend software component at the server, a deviation trend in the second intercepted data of the user, wherein the trend is calculated as the variation in the second intercepted data from the profile for the user either toward or away from the baseline profile for the binary scripts of the application executed at the endpoint;
creating, by the backend software component at the server, a second set of metrics comprising a reduced set of binary scripts of the application when the predicted deviation trend from the profile for the user is toward the baseline profile above a predetermined threshold;
distributing the second set of metrics to the agent;
intercepting, by the agent at the endpoint, third data of the user, wherein the third intercepted data comprises reduced data corresponding to the reduced set of binary scripts of the application.
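
The backend-side decision in claim 1 (baseline profile, user profile, deviation trend, reduced metric set) can be sketched as follows. This is an added example, not code from the patent or from Acronis. The claim does not specify a distance measure or a reduction rule, so the total variation distance, the `threshold` and `tolerance` values, the rule for choosing which scripts stay monitored, and all script names and counts are assumptions constructed for illustration.

```python
from collections import Counter

def profile(events):
    """Turn a list of executed script names into a relative-frequency profile."""
    counts = Counter(events)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()} if total else {}

def distance(p, q):
    """Total variation distance (assumed measure): 0 = identical, 1 = disjoint."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))

def deviation_trend(baseline, user_profile, second):
    """Positive: second-period data moved toward the baseline; negative: away."""
    return distance(user_profile, baseline) - distance(second, baseline)

def next_metric_set(baseline, user_profile, second, full_set,
                    threshold=0.1, tolerance=0.05):
    """Return the scripts the agent should intercept in the third period."""
    if deviation_trend(baseline, user_profile, second) <= threshold:
        return set(full_set)  # not converging on the baseline: keep full collection
    # Converging: keep only scripts whose frequency still differs from the baseline
    # (assumed reduction rule; the claim only requires "a reduced set").
    return {s for s in full_set
            if abs(second.get(s, 0.0) - baseline.get(s, 0.0)) > tolerance}

def events(render, spell, sync, macro):
    """Build a constructed event list from per-script execution counts."""
    return (["render.js"] * render + ["spell.js"] * spell
            + ["sync.js"] * sync + ["macro.vbs"] * macro)

# Constructed sample data: per-script execution counts for each collection period.
FULL_SET = {"render.js", "spell.js", "sync.js", "macro.vbs"}
BASELINE = profile(events(50, 30, 15, 5))   # historical metrics for the application
USER = profile(events(20, 10, 10, 60))      # first time period (user profile)
SECOND = profile(events(44, 28, 15, 13))    # second time period

if __name__ == "__main__":
    print("trend:", round(deviation_trend(BASELINE, USER, SECOND), 2))
    print("third-period metric set:",
          sorted(next_metric_set(BASELINE, USER, SECOND, FULL_SET)))
```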