US 12,463,985 B2
Endpoint agent client sensors (cSENSORS) and associated infrastructures for extending network visibility in an artificial intelligence (AI) threat defense environment
Simon David Lincoln Fellows, Cambridge (GB); Jack Benjamin Stockdale, Cambridge (GB); and Thomas Alexander Chesney Jenkinson, Kent (GB)
Assigned to Darktrace Holdings Limited, Cambridge (GB)
Filed by Darktrace Holdings Limited, Cambridge (GB)
Filed on May 18, 2021, as Appl. No. 17/323,850.
Application 17/323,850 is a continuation in part of application No. 16/279,039, filed on Feb. 19, 2019, granted, now 11,477,219.
Claims priority of provisional application 63/026,446, filed on May 18, 2020.
Claims priority of provisional application 62/632,623, filed on Feb. 20, 2018.
Prior Publication US 2021/0273953 A1, Sep. 2, 2021
Int. Cl. H04L 9/40 (2022.01); G06N 5/04 (2023.01); G06N 20/00 (2019.01)
CPC H04L 63/1416 (2013.01) [G06N 5/04 (2013.01); G06N 20/00 (2019.01)] 20 Claims
[OG exemplary drawing not reproduced]
1. An endpoint agent client sensor (cSensor) for extending network visibility in an endpoint computing device, comprising:
a security module configured to have an interface to cooperate with and integrate with an operating system (OS) of the endpoint computing device;
a network module configured to cooperate with the security module, where the network module is configured to monitor network information coming into and out of the endpoint computing device as a first set of traffic data, where the network module is configured to ingest the first set of traffic data transmitted via one or more connections between a network interface of the endpoint computing device and at least one or more network entities;
a collation module configured to collect the ingested first set of traffic data from the network module, where the collation module is configured to obtain input data from the collected first set of traffic data, where the input data includes at least an identity of a computing process running in the endpoint computing device at least one of sending the first set of traffic data and receiving the first set of traffic data;
an analyzer module having an intelligent deep packet inspection (DPI) engine, where the analyzer module is configured to receive the input data from the first set of traffic data being transmitted via the respective connection, wherein the intelligent DPI engine is configured to perform a first predetermined level of DPI on the input data from two or more possible levels of DPI based on one or more network parameters;
a communication module configured to securely transmit a second set of traffic data to a cyber security appliance located in a network, where the endpoint computing device also is part of the network, wherein the transmitted second set of traffic data is associated with the first predetermined level of DPI performed on the input data from the first set of traffic data;
an autonomous action module configured to perform one or more autonomous actions itself, rather than a human, in response to a cyber threat that is correlated to at least one of i) the first set of traffic data and ii) the second set of traffic data;
wherein, in conjunction with the communication module, the analyzer module is configured to thereby transmit the second set of traffic data over a secure connection to the cyber security appliance, and wherein the transmitted second set of traffic data comprises: (i) only all of the derived metadata from a full DPI, (ii) a portion of the derived metadata in conjunction with the remaining portions of the packets from a partial DPI, or (iii) only all of the packets from a non-DPI; and
where any instructions for the security module, the network module, the collation module, the analyzer module, the communication module, or the autonomous action module in the endpoint agent cSensor are stored on one or more non-transitory computer readable mediums in an executable state, which are to be executed by one or more processing units.
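As an added illustration, not the patent's own code and a simplification of claim 1: a Python model of the analyzer module choosing a DPI level from the available levels and emitting the second set of traffic data in one of the three forms the claim lists (metadata only, partial metadata plus remaining packet bytes, or raw packets). The deciding network parameters (link utilization, CPU headroom) and the thresholds are assumptions, as is the constructed IPv4/TCP sample packet.

```python
import struct
from enum import Enum


class DpiLevel(Enum):
    FULL = "full"        # (i) derived metadata only
    PARTIAL = "partial"  # (ii) some metadata plus remaining packet bytes
    NONE = "none"        # (iii) raw packets, no inspection


def select_dpi_level(link_utilization: float, cpu_headroom: float) -> DpiLevel:
    # Assumed parameters and thresholds; the claim only says "one or more network parameters".
    if cpu_headroom >= 0.5 and link_utilization < 0.8:
        return DpiLevel.FULL
    if cpu_headroom >= 0.2:
        return DpiLevel.PARTIAL
    return DpiLevel.NONE


def parse_ipv4_tcp(packet: bytes) -> dict:
    # Minimal IPv4 + TCP header parse (honours IHL and TCP data offset, no option decoding).
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4
    return {"src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20])),
            "proto": packet[9], "sport": sport, "dport": dport, "payload_offset": ihl + data_off}


def build_report(packet: bytes, process: str, level: DpiLevel) -> dict:
    # Shape the "second set of traffic data" according to the chosen level.
    if level is DpiLevel.NONE:
        return {"level": level.value, "process": process, "packet": packet}
    meta = parse_ipv4_tcp(packet)
    meta["process"] = process          # identity of the sending/receiving process
    off = meta.pop("payload_offset")
    if level is DpiLevel.FULL:
        meta["payload_len"] = len(packet) - off
        return {"level": level.value, "metadata": meta}
    return {"level": level.value, "metadata": meta, "remaining": packet[off:]}


def sensor_emit(packet: bytes, process: str, link_utilization: float, cpu_headroom: float) -> dict:
    return build_report(packet, process, select_dpi_level(link_utilization, cpu_headroom))


# Constructed sample: IPv4 10.0.0.5 -> 93.184.216.34, TCP 51234 -> 443, 16-byte payload.
SAMPLE_PACKET = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 1, 0x4000, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]))
    + struct.pack("!HHIIBBHHH", 51234, 443, 1, 1, 0x50, 0x18, 65535, 0, 0)
    + b"GET / HTTP/1.1\r\n"
)
```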