The present disclosure relates to secure search and management of computers in computer networks.
Network administrators (e.g., administrators of enterprise-level networks, such as banking networks, e-Commerce networks, etc.) often have difficulty obtaining timely performance evaluation for all the machines in large distributed systems, which often have thousands, tens of thousands or even hundreds of thousands of machines of numerous types. In addition, there are many ways to evaluate the performance of a machine or process, and the performance definitions used by one enterprise may not be suitable for another enterprise. Further, the machines used, and the operating systems and applications used are often in a somewhat constant state of flux, making performance evaluation even more challenging. Another challenging aspect of performance evaluation is the sheer volume of performance information that can be generated by the machines in a distributed system, making it difficult to efficiently convey (or collect) and evaluate such performance information.
Accordingly, there is a need within the realm of machine and process performance evaluation for new tools to facilitate the efficient and timely evaluation of the performance of machines and processes in a distributed system. To that end, a method is provided for monitoring performance in a network, including a collection of machines that forms a linear communication orbit (LCO). Multiple machines in the LCO receive, via the LCO, the same set of rules (or various subsets of the same set of rules), each rule specifying one condition or a combination of two or more conditions (e.g., each condition corresponding to a performance metric and a corresponding criterion) for satisfying the rule, evaluate those rules with respect to locally occurring events and local processes, and store results of those evaluations in a local database. In response to one or more performance queries sent to the machines via the LCO, each of the machines having performance information relevant to any of the evaluated rules returns a report, including information identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules. Those reports are aggregated, at a server or the like, and used to present performance information to a user.
Like reference numerals refer to corresponding parts throughout the drawings.
Some methods and devices described herein improve upon network and endpoint machine performance evaluation and management by having endpoint machines perform portions of the performance evaluation, and having a server or other machine aggregate and present performance evaluation information produced by the endpoint machines. As a result, the computational burdens of evaluating the performance of a large number (e.g., thousands or tens of thousands) of machines are spread over a large number of machines, the data transmission burdens are greatly reduced, and performance evaluations can be completed in a small fraction of the time such tasks normally take to complete.
Other embodiments and advantages will be apparent to those skilled in the art in light of the descriptions and drawings in this specification.
In some embodiments, a client is a respective machine in a collection of machines that forms a linear communication network (e.g., a non-branching bi-directional communication orbit) as described in the Incorporated Disclosure, which sets forth a network topology in which messages are passed from machine to machine within the linear communication orbit. Each respective client machine, in a set of the client machines, automatically persistently stores, locally at the respective machine, in a time series database, a predefined set of performance metrics and metadata for events associated with processes executed by the respective machine.
To initiate performance evaluation or monitoring of client machines in the collection of machines, a respective server injects a set of performance evaluation rules into the linear communication orbit. This set of rules travels from machine to machine through machines upstream (in the linear communication orbit) of the respective machine before reaching the respective machine. The machines in the linear communication orbit, which is a linearly arranged sequence of machines, e.g., linearly ordered in accordance with unique identifiers of the machines, are configured to sequentially convey messages to each machine in the linearly arranged sequence of machines in the linear communication orbit. In response to receiving the set of performance evaluation rules, the respective machine, for each respective rule in the set of one or more rules, using information stored in the time series database, identifies processes, if any, whose performance during a specified time period satisfies the criterion specified by the respective rule.
In response to a performance query, sent to the respective machine via the linear communication orbit, the respective machine sends to the respective server, via the linear communication orbit, a report that includes information identifying processes whose performance during a specified time period satisfies at least one rule in the set of one or more rules.
Linear communication orbits are described below with reference to
Examples of managed network 100 include enterprise networks or other networks under common management. In some embodiments, at least some of machines 102 coupled to managed network 100 are distributed across different geographical areas and/or localized at the same physical location. In some embodiments, machines 102 coupled to managed network 100 are divided into several sub-networks separated by one or more firewalls 104. In some embodiments, the network 100 is separated from external networks by one or more firewalls 104.
In some embodiments, machines 102 currently coupled to network 100 are self-organized into one or more contiguous segments 106 of a single linear communication orbit. In some embodiments, each contiguous segment 106 constitutes a respective linear communication orbit. Methods of self-organization of linear communication orbits are further described in U.S. Pat. No. 10,136,415, entitled “System, Security and Network Management Using Self-Organizing Communications Orbits in Distributed Networks,” which is hereby incorporated by reference in its entirety.
In some embodiments, managed network 100 also includes server 108 that facilitates the creation and maintenance of the one or more contiguous segments 106. The server 108 may be relatively lightweight, and in some embodiments may be elected from machines 102 in the network.
In some embodiments, as shown in
An important feature of linear communication orbit(s) 106 is that, in some embodiments, they are automatically formed without global, continuous, and/or active intervention by any network administrative program or personnel. Each machine 102 joining network 100 is equipped with (or provided with) a set of predetermined organization rules. According to the set of predetermined organization rules, each machine 102 finds its immediate neighbor machines and coordinates with these immediate neighbor machines to self-organize into a local segment of the linear communication orbit. The local segments of adjacent machines overlap and fuse into a contiguous segment of the linear communication orbit. In some embodiments, the linear communication orbit grows or contracts as machines join and leave network 100 (e.g., the network is non-static), through the independent local actions of the machines in network 100, without global, continuous, and/or active intervention by any network administrative programs or personnel. Although all machines 102 implement the same set of predetermined organization rules, and each machine directly interacts only with its immediate neighbor machines to facilitate the formation of the orbit, the predetermined organization rules are designed in a way that causes the machines' independent local actions to be globally consistent and to result in self-organization and automatic repair and maintenance of linear communication orbit(s) 106.
In some embodiments, all machines 102 coupled to network 100 are sorted into an ordered sequence according to a respective unique identifier associated with each machine 102. These identifiers are also referred to as the addresses of the machines in the network, or as machine identifiers. For example, in some embodiments, respective IP addresses of machines 102 are used as the identifiers to sort the machines into a linearly ordered sequence. In some embodiments, the machines are sorted according to decreasing IP address values, an upstream direction of the linear communication orbit is the direction of increasing IP address values, and a downstream direction of the linear communication orbit is the direction of decreasing IP address values. In some embodiments, the machines are sorted according to increasing IP address values, an upstream direction of the linear communication orbit is the direction of decreasing IP address values, and a downstream direction of the linear communication orbit is the direction of increasing IP address values.
In some embodiments, other types of unique identifiers or addresses may be used. For each type of unique identifier or address, the set of predetermined organization rules provides a deterministic way of sorting the unique identifiers or addresses of that type into an ordered sequence. Given the identifiers or addresses of two machines in the network, the relative order of the two machines and their distances in the linear communication orbit (also referred to as an interval between the two machines) can be determined. In some embodiments, not all possible addresses are occupied by a corresponding machine in the network.
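The ordering described above can be illustrated with a short added example (not code from the disclosure or the Incorporated Disclosure). It assumes the embodiment in which machines are sorted by increasing IP address, so upstream is toward lower addresses; the function names are hypothetical, and `interval` takes the address-space difference as one reading of the "distance" between two machines.

```python
import bisect
import ipaddress


def sort_key(addr):
    """Deterministic ordering key: numeric value, never string order."""
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


def build_orbit(addresses):
    """Sort unique machine identifiers into the linear sequence (head first)."""
    canonical = {str(ipaddress.ip_address(a)) for a in addresses}
    return sorted(canonical, key=sort_key)


def neighbors(orbit, addr):
    """Return (upstream, downstream) neighbors; None at the head or end."""
    i = orbit.index(addr)
    upstream = orbit[i - 1] if i > 0 else None
    downstream = orbit[i + 1] if i + 1 < len(orbit) else None
    return upstream, downstream


def join(orbit, addr):
    """Insert a machine; only its two immediate neighbors are affected."""
    addr = str(ipaddress.ip_address(addr))
    keys = [sort_key(a) for a in orbit]
    i = bisect.bisect_left(keys, sort_key(addr))
    if i < len(orbit) and orbit[i] == addr:
        return orbit, neighbors(orbit, addr)   # already a member
    new_orbit = orbit[:i] + [addr] + orbit[i:]
    return new_orbit, neighbors(new_orbit, addr)


def leave(orbit, addr):
    """Remove a machine; return the new orbit and the pair that must relink."""
    relink = neighbors(orbit, addr)
    return [a for a in orbit if a != addr], relink


def interval(a, b):
    """Address-space distance from a to b; positive means b is downstream."""
    ka, kb = sort_key(a), sort_key(b)
    if ka[0] != kb[0]:
        raise ValueError("identifiers of different types are not comparable")
    return kb[1] - ka[1]


if __name__ == "__main__":
    # Constructed sample addresses, including a duplicate and gaps.
    orbit = build_orbit(["10.0.0.10", "10.0.0.9", "10.0.1.2", "10.0.0.10"])
    print(orbit)
    print(join(orbit, "10.0.0.200"))
    print(leave(orbit, "10.0.0.10"))
```

Sorting on the numeric value matters: a plain string sort would place 10.0.0.10 ahead of 10.0.0.9 and two machines could disagree about who their neighbors are.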
In some embodiments, each machine 102 receiving a communication message (e.g., a message including a question part, and an answer part) from its upstream neighbor machine acts upon the message by providing an update to the message based on its local state or information, performing some aggregation of the information in the message (e.g., by adding to or modifying aggregated results already included in the message as received from its upstream neighbor), and/or forwarding the message to its downstream neighbor machine along the linear communication orbit. Essentially, each machine expends a small amount of resources to take on a small part of the duties of data aggregation without being overly burdened. More details on how the system, security, and network management messages are propagated to and collected from machines 102 in network 100 through linear communication orbit(s) 106 are provided in the Incorporated Disclosure.
An advantage of conveying message communications over the linear communication orbit is that queries, answers, and/or instructions (e.g., device management instructions) can be quickly passed to and from many machines without excessive communication and computational overhead. In some embodiments, server 108 (or a remote server 110 in communication with server 108) generates individual queries, where each query contains a request for evaluation of one or more rules at one or more targeted machines (e.g., machines that meet certain criteria specified in the query). In some embodiments, the server determines the order, frequency, and/or priority by which the queries should be injected. The individual machines perform local evaluation of the rules in accordance with the evaluation criteria, and send the results back to server 108 through the linear communication orbit.
The machines in the linear communication orbit are configured to sequentially convey messages to each machine in the linearly arranged sequence of machines in the linear communication orbit, e.g., by conveying each such message along a linear request path or linear return path through the linear communication orbit. In some embodiments, some messages are configured to be sequentially conveyed to each of the machines in a linear communication orbit, without waiting for each of those machines to perform local processing or add information to the message before passing it to the next machine in the linearly arranged sequence of machines. For example, such a message can be used to initiate performance of a task or set of tasks at one or more of the machines, such as evaluation of a query or a set of rules. Subsequently, a second message is sent through the linear communication orbit to collect results produced by the machines that perform the task or set of tasks, with each machine in the linear communication orbit adding any results it has to a payload portion of the second message before conveying it to a next machine (if any) in the linear communication orbit; upon reaching a last machine (e.g., at an end node of the linear communication orbit), the second message, including its payload of accumulated results, is conveyed back to the server that injected the queries into the linear communication orbit. In this way, the tasks or set of tasks are performed at multiple machines along the linear communication orbit in parallel, and the results are “picked up” by a subsequent message.
When a linear communication orbit includes dozens or hundreds of machines all performing the same task or set of tasks, the end-to-end processing time from the initial injection of the first message to the return of results from all the machines can be reduced by a factor of ten or more, or even hundreds or more, compared with alternative techniques in which the machines individually communicate with the server.
In some embodiments, server 108 sends the results (e.g., sends an aggregated response) to remote server 110. In some embodiments, remote server 110 communicates with server 108 via secure connection 114. In some embodiments, when remote server 110 needs to send a message or instruction packet to a particular machine in the network and a direct connection between remote server 110 and the particular machine does not already exist, remote server 110 optionally sends the message to server 108 and has server 108 forward the message or instruction packet to the particular machine along the linear communication orbit. In some embodiments, remote server 110 starts a network-wide information gathering process by sending a series of queries to server 108 (or a head machine of the linear communication orbit), allowing server 108 (or the head machine) to propagate the queries into the network along the linear communication orbit, and receiving the answers or evaluation results (e.g., individual answers, aggregated answers, and/or metrics and statistics computed based on the answers or evaluation results collected from the machines in the network) from server 108 (or an end machine of the linear communication orbit).
The lightweight, decentralized mechanism (e.g., the set of common action rules observed by the machines in the network) allows the machines in the network to self-organize into one or more linear communication orbits, and allows the linear communication orbits to recover/self-heal from broken links and slow connections (e.g., by temporarily bypassing the unresponsive machines) without active administrative intervention. The self-organization and self-healing aspects of the linear communication orbits ensure that communication and data collection bottlenecks are quickly discovered and eliminated, without causing much observable impact on the communication and data collection speed. In addition, when collecting data along the linear communication orbits, the server may inject queries regarding different aspects of the machines in separate messages, and the messages may be propagated down the linear communication orbit, processed in parallel at the machines, and answered by as many machines as possible (e.g., machines that satisfy the matching criteria specified by the messages), without being held up by any slow responding machines. In fact, communication with and data collection from any and all machines in the network (e.g., enterprise networks with thousands or millions of machines) may be accomplished in substantially real-time (e.g., a matter of seconds), as opposed to taking days and weeks in a network with a conventional hierarchical or hub-and-spoke configuration. For example, messages are delivered to the machines at the speed at which messages are propagated through the linear communication orbit, and the processing of the queries at the machines occurs after receiving the messages, in parallel at the machines. In some embodiments, answers to the queries are collected in a subsequent traversal of the linear communication orbit by either the original messages (propagating in the reverse direction) or by subsequent “answer collection” messages.
Direct duplex connection 112 is particularly useful when a remote server needs to take a deep-dive into a respective machine in the network (e.g., to carry out frequent back and forth interactions and/or to transfer large amounts of local event data and/or to request sensitive information), rather than investigating the network at-large. The messages and/or queries can be analogous to those described above (or can contain different material), but they are sent directly to the respective machine via direct duplex connection 112 (rather than being propagated through linear communication orbit 106a), and without the communication needing to be bridged by server 108. In some embodiments, only those queries sent via a direct duplex connection return certain types of information to the external server (e.g., snippets of file text are only sent via secure direct duplex connections, not through a linear communication orbit). In some embodiments, remote server 110 can communicate with the respective machine either through direct duplex connection 112 (e.g., when remote server 110 wants to query only the respective machine) or through linear communication orbit 106a (e.g., when remote server 110 wants an aggregated response to a query from some or all of the machines 102 in the linear communication orbit 106a).
As described herein, the direct duplex connection between a particular machine and remote server 110 is established with the particular machine as the initiating party. In other words, from the perspective of the network, the connection is established with an outbound connection request sent from the machine, rather than with an inbound connection request sent from the remote server. When the direct duplex connection is established with an outbound connection request sent from the machine (e.g., the machine sends the initial connection request in the connection establishment protocol (e.g., the handshake request in establishing a WebSocket connection)), there is no need to open the firewall of the network, which would expose the network to outside security risks.
In some embodiments, in order to prompt a particular machine to initiate the connection request for a direct duplex connection, remote server 110 sends a message or instruction packet 122 to the particular machine (e.g., machine 102f) through a server of the network (e.g., server 108) and has the message or instruction packet 122 propagated to the particular machine through the linear communication orbit (e.g., linear communication orbit 106a). The message or instruction packet 122 contains instructions and necessary data (e.g., public certificate for encryption, IP address, port #) for the particular machine to establish the direct point-to-point persistent connection (e.g., a WebSocket connection) with the remote server. When the particular machine receives the instruction packet 122 from its upstream machine, the particular machine initiates the outbound connection request 124 to the remote server. After the remote server receives the connection request 124 from the particular machine, the remote server and the machine can proceed to establish the duplex connection according to the connection protocol.
In some embodiments, the direct connection is encrypted as described above. In some embodiments, the instructions comprise an instruction packet 122 that includes an encryption key for encrypting the local data at the respective machine before uploading the local data to the respective server. The respective server possesses a decryption key corresponding to the encryption key. The instruction packet further includes instructions for encrypting the local data before uploading the local data to the respective server through the direct connection.
In some embodiments, apart from presenting the network monitoring user interface to an administrator, the administrator's device can also be a regular machine in the network and have the same characteristics and functions of other machines in the network with respect to the maintenance and workings of the linear communication orbit. In some embodiments, the server of the network can be lightweight and in some embodiments may be implemented by a machine in the network; thus, the administrator's device can also serve as the server of the network in some scenarios. When the administrator's device also serves as the server of the network, actions performed “through the server of the network” are performed by the administrator's device directly.
In some embodiments, the instruction packet 122 can be dispatched to one or more particular machines at the command of a network administrator or security incident responder. For example, the network administrator uses an administrator's device 116 to connect to remote server 110 (e.g., via a web interface or a client application provided by a service provider associated with the remote server 110) and manually selects the particular machines using a network monitoring user interface. In some embodiments, the network monitoring user interface provides other functions as described in the Incorporated Disclosure.
In some embodiments, an event recorder (e.g., event recorder module 551,
An administrator can query these local event databases from the network monitoring user interface by issuing questions to the network through the linear communication orbit. For example, the administrator's device can send the questions to the server of the network and the questions may be packaged in query messages and propagated to the machines through the server of the network. Each machine along the linear communication orbit will be able to respond quickly to these questions based on the past event data stored in their respective local event databases. After the answers have been collected from all relevant machines in the network, the server of the network forwards the answers back to the administrator's device.
In some embodiments, after a direct duplex connection has been established between a particular machine and the remote server, the administrator (using the administrator's device) can also query the local event database of the particular machine through the direct duplex connection. In addition, the administrator (using the administrator's device) can take a snapshot of the local event database (or a particular portion of the local event database) on the particular machine and have it uploaded to the remote server, so that in-depth analysis regarding the particular machine may be performed at the remote server (e.g., according to instructions provided by the administrator to the remote server).
In some embodiments, the local rules database 202 of the respective machine also stores rule evaluation results 208, while in some other embodiments rule evaluation results 208 are stored in another local database (e.g., local database for rule evaluation results 545,
In some embodiments, rule evaluation results 208 include a second report 220, which includes aggregated event information, such as counts 222 of events (e.g., counts of one or more types of events) at the respective machine that satisfy the respective rule (e.g., events at processes that satisfy rule R 204-R) in a predefined time period.
In some embodiments, the first report 224 and second report 220 are automatically generated by a background processing module (e.g., background processing module 550,
It is noted that in the description of
Each respective endpoint machine (e.g., 102a, 102d, etc.) in the collection of machines receives (408) the set of one or more rules and stores a copy of those rules in its local rules database (e.g., local rules database 528,
In some embodiments, each respective endpoint machine that has received and locally stored rules in the set of one or more rules performs a background evaluation of the rules in the set of one or more rules (410). In some embodiments, the background rule evaluation is performed by background processing module 550 (
In some embodiments, the background evaluation (at each respective endpoint machine) is performed by a background processing module (or process) that automatically monitors a predefined set of performance metrics of the respective machine, including memory usage, processor usage, and communication channel usage. Furthermore, the background processing module automatically persistently stores, locally at the respective machine, in a time series database, the monitored predefined set of performance metrics and metadata for events associated with processes executed by the respective machine. The rules in the set of one or more rules are evaluated using the information in the time series database.
At a first time, subsequent to receiving the rules (408), a respective machine 102a in the collection of machines 1002 receives (416) a performance query through the linear communication orbit, wherein the performance query has been propagated (414) from a respective server (e.g., server 108) to the respective machine (e.g., machine 402a) through one or more upstream machines (e.g., machines that are upstream of the respective machine 102a) along the linear communication orbit 406. In some embodiments, the performance query is a request for results corresponding to an individual rule, or a subset of the set of one or more rules, or all the rules in the set of one or more rules. Typically, the performance query is received (at the first time) after the set of one or more rules has been forwarded (406) to the respective machine 102a, and the respective machine 102a has evaluated the one or more rules (410) for one or more time periods. In some embodiments, the time periods are predefined, such as successive hourly time periods, while in other embodiments or in some circumstances (e.g., a respective rule specifies a different time period than the time period used for one or more other rules) the time period for a respective rule is defined by the rule itself. In some embodiments, the performance query may request results for a time period that is not yet complete, in which case the received results will be for a subset of the time period, bracketed by a predefined start time for the time period and an end time that is either specified by the performance query or corresponding to the time at which the performance query is received by the respective machine.
In response to receiving the performance query, the respective machine, for each respective rule in the set of one or more rules, identifies events (if any), in either its locally stored time series database 544 (e.g., in embodiments in which background rule evaluation is not implemented) or its local database 546 for rule evaluation results, that satisfy the respective rule. Subsequent to receiving the performance query, the respective machine retrieves (e.g., from local database 546 for rule evaluation results) or generates (418) a first performance report identifying processes whose performance during the specified time period satisfies at least one rule in the set of one or more rules, and sends (420) the first performance report through the linear communication orbit to the respective server via an end machine (e.g., at an end machine) of the linear communication orbit. In some embodiments, the first performance report corresponds to the first report 224 described above with reference to
In some embodiments, the respective machine sends the first performance report by adding the first performance report to a payload portion of the performance query, and then forwarding the performance query to a next downstream machine in the same linear communication orbit 402 as the respective machine. In some embodiments, the end machine aggregates all the first performance reports from machines in the linear communication orbit 402, and sends that aggregated report to the respective server. In some embodiments, the respective server itself aggregates the first performance reports from the machines in the linear communication orbit, while in yet other embodiments, each endpoint machine aggregates its first performance report with all performance reports (if any) already included in the payload portion of the performance query. In some embodiments, the respective server forwards (422) the aggregated report to an external machine, such as external machine 116. As described above, in some embodiments the information included in the first performance report is computed by the respective machine, and stored in a local rules database 202 or local database 546 for rule evaluation results of the respective machine, using background processing, prior to receiving the performance query.
In some embodiments, the predefined set of performance metrics of the respective machine and the metadata for events associated with processes executed by the respective machine, which the background processing module stores in the time series database, include one or more workload metrics, memory storage unit usage metrics, predefined events including application malfunctions, processor usage exceeding a predefined threshold, memory usage exceeding a predefined threshold, communication network impairments, and/or events that violate predefined rules.
In some embodiments, the first query includes, in addition to the set of one or more rules, one or more singleton rules, and a respective singleton rule specifies a performance metric in the monitored predefined set of performance metrics and a criterion against which the specified performance metric is evaluated to produce a result. In some instances, a respective singleton rule specifies an event type, such as a process failure or communication failure, in which case existence of an event of that event type is the criterion. In some embodiments, a respective rule in the set of one or more rules includes a first portion specifying an event type and a second portion specifying a performance metric and a criterion against which the specified performance metric is evaluated to produce a result.
In some embodiments, the first performance report includes, as discussed above with respect to first report 224 and
In some embodiments, the first performance report includes, for each process identified as satisfying at least one rule in the set of one or more rules, information concerning values of a plurality of the performance metrics of the process during the specified time period. For example, the information included in the first performance report includes average, median and/or peak values of at least first, second and third performance metrics in the plurality of the performance metrics of the process during the specified time period. Optionally, the information included in the first performance report includes one or more counts of events during the specified time period, with respect to an identified process, that satisfy at least one rule in the set of one or more rules.
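The rule distribution, local evaluation, and report pick-up described above can be traced end to end in a small simulation. This is an added example, not code from the disclosure: the class and field names, the message layout, and the sample data are all constructed, and each endpoint evaluates rules at query time rather than in a background module.

```python
import operator
from dataclasses import dataclass
from statistics import mean

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    conditions: tuple  # ((metric, op, threshold), ...); all must hold

    def matches(self, metrics):
        return all(m in metrics and OPS[op](metrics[m], t)
                   for m, op, t in self.conditions)


class Endpoint:
    def __init__(self, machine_id, samples):
        self.machine_id = machine_id
        # Stand-in for the local time series database:
        # (timestamp, process name, {metric: value}) tuples.
        self.timeseries = list(samples)
        self.rules = {}  # stand-in for the local rules database

    def on_rules(self, message):
        """First traversal: store the rules and forward the message as-is."""
        self.rules.update({r.rule_id: r for r in message["rules"]})
        return message

    def build_report(self, rule_ids, start, end):
        """Identify processes that satisfied a rule during [start, end)."""
        window = [s for s in self.timeseries if start <= s[0] < end]
        processes = {}
        for _, proc, metrics in window:
            for rid in rule_ids:
                rule = self.rules.get(rid)
                if rule and rule.matches(metrics):
                    hits = processes.setdefault(proc, {"rule_hits": {}})["rule_hits"]
                    hits[rid] = hits.get(rid, 0) + 1
        # For each identified process, summarize its metrics over the period.
        for proc, entry in processes.items():
            series = {}
            for _, p, metrics in window:
                if p == proc:
                    for name, value in metrics.items():
                        series.setdefault(name, []).append(value)
            entry["metrics"] = {n: {"avg": mean(v), "peak": max(v)}
                                for n, v in series.items()}
        return {"machine": self.machine_id, "processes": processes}

    def on_query(self, message):
        """Second traversal: append a report to the payload, then forward."""
        report = self.build_report(message["rule_ids"],
                                   message["start"], message["end"])
        if report["processes"]:  # machines with nothing relevant add nothing
            message["payload"].append(report)
        return message


def traverse(orbit, message, handler):
    """Convey one message from the head machine to the end machine."""
    for machine in orbit:
        message = getattr(machine, handler)(message)
    return message


def aggregate(payload):
    """Server side: per rule, which machines matched and how many events."""
    summary = {}
    for report in payload:
        for entry in report["processes"].values():
            for rid, hits in entry["rule_hits"].items():
                row = summary.setdefault(rid, {"machines": [], "events": 0})
                if report["machine"] not in row["machines"]:
                    row["machines"].append(report["machine"])
                row["events"] += hits
    return summary


def demo():
    # Constructed sample data: three machines, one hour window [0, 3600).
    orbit = [
        Endpoint("m1", [(10, "backup.exe", {"cpu_pct": 95, "mem_mb": 500}),
                        (20, "backup.exe", {"cpu_pct": 97, "mem_mb": 600}),
                        (30, "browser", {"cpu_pct": 60, "mem_mb": 1500}),
                        (4000, "backup.exe", {"cpu_pct": 99, "mem_mb": 500})]),
        Endpoint("m2", [(15, "idle", {"cpu_pct": 2, "mem_mb": 50})]),
        Endpoint("m3", [(12, "browser", {"cpu_pct": 55, "mem_mb": 2000}),
                        (40, "browser", {"cpu_pct": 20, "mem_mb": 2100})]),
    ]
    rules = [Rule("R1", (("cpu_pct", ">", 90),)),
             Rule("R2", (("cpu_pct", ">", 50), ("mem_mb", ">", 1000)))]
    traverse(orbit, {"rules": rules}, "on_rules")
    query = {"rule_ids": ["R1", "R2"], "start": 0, "end": 3600, "payload": []}
    payload = traverse(orbit, query, "on_query")["payload"]
    return payload, aggregate(payload)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Only summaries leave each machine: the raw samples stay in the local store, and a machine with no matching process (m2 here) adds nothing to the payload.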
At a second time, subsequent to the first time, the respective machine receives (428) from an external machine, external to the linear communication orbit, an instruction packet 424 (e.g., corresponding to instruction packet 122 in
After the direct duplex connection has been established, the respective machine sends to the external machine, via the direct duplex connection, additional information (e.g., second report 434), not included in the first report, with respect to performance information (and/or event metadata) stored locally in the time series database of the respective machine. As shown in
In some embodiments, sending the additional information includes sending a continuing stream of the additional information, including information corresponding to current performance of the respective machine. In some embodiments, after the direct duplex connection has been established, the respective machine receives (432) one or more queries (e.g., second query 430) specifying performance information to be sent to the external machine, and in response to the one or more queries, sends the specified performance information on a continuing basis, as a continuing stream of additional information. In some embodiments, the continuing stream of additional information (e.g., performance metrics for executing processes; event information for detected events) is produced and sent to the external machine in real time, as events and process conditions satisfying the one or more rules are detected. In some embodiments, the continuing stream of additional information (e.g., performance metrics for executing processes; event information for detected events) comprises performance metrics and event information (e.g., for events and process conditions satisfying one or more rules, or one or more specified queries) produced at predefined repeating intervals (sometimes called regular intervals), e.g., every N seconds, where N is typically a number between 1 and 60, and sent to the external machine in real time, as events and process conditions satisfying the one or more rules, or one or more specified queries, are detected.
The additional information, not included in the first performance report (e.g., a second report 434), sent to the external machine via the direct duplex connection, is then received (436) and processed by the external machine. In some embodiments, the additional information (e.g., second report 234) is determined by the respective machine (e.g., extracted from the locally stored time series database, or generated based at least in part from information in the locally stored time series database) in response to one or more queries (e.g., second query 434), received by the respective machine after the direct duplex connection has been established, while in other embodiments or circumstances, the additional information is computed prior to receiving the second query, as part of the background processing 410. In some embodiments, the additional information includes a snapshot of the locally stored time series database (or a particular portion of the locally stored time series database) on the particular machine, which is uploaded to the external machine so that in-depth analysis regarding the particular machine may be performed at the external machine (e.g., according to instructions provided by an administrator to the external machine).
The external machine can be used to send further queries, e.g., third query 438, and the respective machine sends further reports (e.g., query response 440) in response. For example, after inspection of the information received in response to the first and second queries, the administrator of the external server may send one or more follow-up queries, based on the response to the first and/or second queries, to further investigate the causes of conditions detected using the responses to the first and/or second queries. The responses to the subsequent queries sent by the respective machine may include locally stored files (stored at the respective machine), metadata or content from files stored at the respective machine, and/or information stored in other databases at the respective machine.
In some embodiments, the server 108 or external machine 116 includes instructions or a module (e.g., remediation module 634,
In some embodiments, the direct duplex connection used for the second and third reports is an encrypted communication connection in which information sent by the respective machine to the external machine is encrypted (e.g., to protect confidential information).
In some embodiments, a respective rule in the set of one or more rules includes executable instructions, or a reference to executable instructions (also herein called executable code), for determining if events matching a set of one or more conditions specified by the respective rule also satisfy additional criteria required for satisfying the respective rule. In some embodiments, optionally, the executable code is part of the rule and is evaluated as part of evaluation of the rule, or alternatively, is evaluated only after all other portions of the rule are evaluated. In one example, the executable instructions determine whether the process associated with the event is exempted from, or specially targeted by, the rule.
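The rule forms described above (singleton metric rules, singleton event-type rules, rules combining an event type with a metric criterion, and rules carrying executable code that is evaluated last) and the per-process report of average, median and peak values can be illustrated as follows. This is an added Python example, not code from the disclosure; the record layout, metric names, thresholds, rule names and sample data are constructed assumptions, including the choice to test both portions of a combined rule against the same database row.

```python
from dataclasses import dataclass
from statistics import mean, median
from typing import Callable, Optional

@dataclass
class Record:
    """One row of the local time series database (layout is an assumption)."""
    t: int                   # seconds since the start of the capture
    process: str
    event: Optional[str]     # None for a periodic metric sample
    metrics: dict            # metric name -> value observed at time t

@dataclass
class Rule:
    name: str
    event_type: Optional[str] = None                     # first portion
    metric: Optional[str] = None                         # second portion
    criterion: Optional[Callable[[float], bool]] = None
    code: Optional[Callable[[Record], bool]] = None      # executable instructions

    def __post_init__(self):
        if self.event_type is None and self.metric is None:
            raise ValueError("rule needs an event type, a metric criterion, or both")
        if (self.metric is None) != (self.criterion is None):
            raise ValueError("metric and criterion must be given together")

    def matches(self, rec: Record) -> bool:
        if self.event_type is not None and rec.event != self.event_type:
            return False
        if self.metric is not None:
            value = rec.metrics.get(self.metric)
            if value is None or not self.criterion(value):
                return False
        # The executable code runs only after every other portion has matched.
        return self.code(rec) if self.code else True

def build_report(db, rules, start, end):
    """Report each process that satisfies at least one rule in [start, end)."""
    window = [r for r in db if start <= r.t < end]
    hits = {}                                  # process -> {rule name: count}
    for rec in window:
        for rule in rules:
            if rule.matches(rec):
                per_rule = hits.setdefault(rec.process, {})
                per_rule[rule.name] = per_rule.get(rule.name, 0) + 1
    report = {}
    for process, per_rule in hits.items():
        series = {}                            # metric name -> values in window
        for rec in window:
            if rec.process == process:
                for name, value in rec.metrics.items():
                    series.setdefault(name, []).append(value)
        report[process] = {
            "rule_hits": per_rule,
            "metrics": {n: {"avg": mean(v), "median": median(v), "peak": max(v)}
                        for n, v in series.items()},
        }
    return report

EXEMPT = {"indexer"}   # constructed: processes exempted by the rule's code

RULES = [
    # Singleton rule: metric plus criterion, with executable code for exemptions.
    Rule("high_cpu", metric="cpu_pct", criterion=lambda v: v > 90.0,
         code=lambda rec: rec.process not in EXEMPT),
    # Singleton rule: existence of the event type is the criterion.
    Rule("any_failure", event_type="process_failure"),
    # Two-portion rule: event type AND metric criterion.
    Rule("oom_failure", event_type="process_failure",
         metric="mem_mb", criterion=lambda v: v > 2000.0),
]

# Constructed sample rows, not data from the disclosure.
DB = [
    Record(0, "backupd", None, {"cpu_pct": 20.0, "mem_mb": 300.0, "disk_mbps": 5.0}),
    Record(10, "backupd", None, {"cpu_pct": 95.0, "mem_mb": 310.0, "disk_mbps": 80.0}),
    Record(20, "backupd", None, {"cpu_pct": 35.0, "mem_mb": 320.0, "disk_mbps": 20.0}),
    Record(5, "webapp", None, {"cpu_pct": 40.0, "mem_mb": 900.0, "disk_mbps": 1.0}),
    Record(15, "webapp", "process_failure", {"cpu_pct": 10.0, "mem_mb": 2100.0, "disk_mbps": 0.0}),
    Record(25, "webapp", None, {"cpu_pct": 30.0, "mem_mb": 600.0, "disk_mbps": 2.0}),
    Record(12, "indexer", None, {"cpu_pct": 97.0, "mem_mb": 150.0, "disk_mbps": 60.0}),
    Record(18, "editor", None, {"cpu_pct": 15.0, "mem_mb": 200.0, "disk_mbps": 0.5}),
    Record(70, "editor", "process_failure", {"cpu_pct": 5.0, "mem_mb": 250.0, "disk_mbps": 0.0}),
]

if __name__ == "__main__":
    for process, entry in build_report(DB, RULES, 0, 60).items():
        print(process, entry)
```

The exempted process never appears in the report even though its CPU sample exceeds the threshold, and the failure recorded at t=70 is reported only when the queried time period is widened to include it.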
In some embodiments, the external machine sends 438 a third query to the respective machine, where the third query includes an updated version of at least one rule in the set of one or more rules. In some embodiments, updated rules are treated like new rules, and are evaluated, in the background, against all applicable information in the time series database, as described above for the original set of one or more rules. The respective machine returns 440 a query response, either in response to the third query (438) or a subsequent query, for example, a response that includes any of the reports described herein.
In some embodiments, input/output interface 506 includes a display and input devices such as a keyboard, a mouse, or a track-pad. However, in some embodiments, endpoint machine 102 does not include an input/output interface 506. In some embodiments, communication buses 510 include circuitry (sometimes called a chipset) that interconnects and controls communications between system components. In some embodiments, non-persistent memory 504 includes high-speed random-access memory, such as DRAM, SRAM, DDR RAM or other random-access solid-state memory devices. In some embodiments, persistent memory 503 includes CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid-state storage devices. In some embodiments, persistent memory 503 optionally includes one or more storage devices remotely located from the one or more processors 502. In some embodiments, persistent memory 503 and/or the non-volatile memory device(s) within the non-persistent memory 504 comprises a non-transitory computer readable storage medium.
In some embodiments, memory 504 or alternatively the non-transitory computer readable storage medium stores the following programs, modules and data structures, instructions, or a subset thereof:
In some embodiments, input/output interface 606 includes a display and input devices such as a keyboard, a mouse, or a track-pad. However, in some embodiments, server system 108 does not include an input/output interface 606. In some embodiments, communication buses 610 include circuitry (sometimes called a chipset) that interconnects and controls communications between system components. In some embodiments, non-persistent memory 604 includes high-speed random access memory, such as DRAM, SRAM, DDR RAM or other random access solid state memory devices. In some embodiments, persistent memory 603 includes CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid state storage devices. In some embodiments, persistent memory 603 optionally includes one or more storage devices remotely located from the one or more processors 602. In some embodiments, persistent memory 603 and/or the non-volatile memory device(s) within the non-persistent memory 604 comprises a non-transitory computer readable storage medium.
In some embodiments, memory 604, or alternatively the non-transitory computer readable storage medium, stores the following programs, modules, data structures, instructions, or a subset thereof:
In some embodiments, input/output interface 706 includes a display and input devices such as a keyboard, a mouse, or a track-pad. However, in some embodiments, administrator machine 116 does not include an input/output interface 706. In some embodiments, communication buses 710 include circuitry (sometimes called a chipset) that interconnects and controls communications between system components. In some embodiments, non-persistent memory 704 includes high-speed random access memory, such as DRAM, SRAM, DDR RAM or other random access solid state memory devices. In some embodiments, persistent memory 703 includes CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid state storage devices. In some embodiments, persistent memory 703 optionally includes one or more storage devices remotely located from the one or more processors 702. In some embodiments, persistent memory 703 and/or the non-volatile memory device(s) within the non-persistent memory 704 comprises a non-transitory computer readable storage medium.
In some embodiments, memory 704, or alternatively the non-transitory computer readable storage medium, stores the following programs, modules, data structures, instructions, or a subset thereof:
The foregoing description, for purpose of explanation, has been described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated.
It will be understood that, although the terms “first,” “second,” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first widget could be termed a second widget, and, similarly, a second widget could be termed a first widget, without changing the meaning of the description, so long as all occurrences of the “first widget” are renamed consistently and all occurrences of the “second widget” are renamed consistently. The first widget and the second widget are both widgets, but they are not the same widget.
The terminology used herein is for the purpose of describing particular implementations only and is not intended to be limiting of the claims. As used in the description of the implementations and the appended claims, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term “and/or” as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term “if” may be construed to mean “when” or “upon” or “in response to determining” or “in accordance with a determination” or “in response to detecting,” that a stated condition precedent is true, depending on the context. Similarly, the phrase “if it is determined [that a stated condition precedent is true]” or “if [a stated condition precedent is true]” or “when [a stated condition precedent is true]” may be construed to mean “upon determining” or “upon a determination that” or “in response to determining” or “in accordance with a determination” or “upon detecting” or “in response to detecting” that the stated condition precedent is true, depending on the context.
This application is a continuation of U.S. application Ser. No. 16/943,307, filed Jul. 30, 2020, which claims priority to U.S. Provisional Patent Application 62/890,556, filed Aug. 22, 2019, and is a continuation-in-part of U.S. application Ser. No. 16/870,742, filed May 8, 2020, now U.S. Pat. No. 11,372,938, titled “System and Method for Performing Search Requests in a Network,” which claims priority to U.S. Provisional Application No. 62/845,827, filed May 9, 2019, and U.S. application Ser. No. 16/870,742 is also a continuation-in-part of U.S. application Ser. No. 16/532,391, filed Aug. 5, 2019, now U.S. Pat. No. 10,929,345, which is a continuation-in-part of both (1) U.S. application Ser. No. 15/215,474, filed Jul. 20, 2016, now U.S. Pat. No. 10,482,242, titled “System and Method for Performing Event Inquiries in a Network,” and (2) U.S. application Ser. No. 15/215,468, filed Jul. 20, 2016, now U.S. Pat. No. 10,372,904, titled “Cost Prioritized Evaluations of Indicators of Compromise,” both of which claim the benefit of U.S. Provisional Application Ser. No. 62/333,768, filed May 9, 2016, titled “System and Method for Performing Event Inquiries in a Network,” and U.S. Provisional Patent Application Ser. No. 62/305,482, filed Mar. 8, 2016, titled “Cost Prioritized Evaluations of Indicators of Compromise.” The content of each of the above applications is hereby incorporated by reference in its entirety.
This application is related to U.S. patent application Ser. No. 13/797,946, filed Mar. 12, 2013, now U.S. Pat. No. 9,246,977, titled “System and Network Management Using Self-Organizing Communication Orbits in Distributed Networks”; U.S. patent application Ser. No. 12/412,623, filed Mar. 27, 2009, now U.S. Pat. No. 8,086,729, titled “Distributed Statistical Detection of Network Problems and Causes”; U.S. patent application Ser. No. 13/084,923, filed Apr. 12, 2011, now U.S. Pat. No. 8,904,039, titled “Large-Scale Network Querying and Reporting”; U.S. patent application Ser. No. 13/107,625, filed May 13, 2011, now U.S. Pat. No. 8,903,973, titled “Parallel Distributed Network Management”; U.S. patent application Ser. No. 14/553,769, filed Nov. 25, 2014, now U.S. Pat. No. 9,769,037, titled “Fast Detection and Remediation of Unmanaged Assets”; U.S. patent application Ser. No. 14/554,739, filed Nov. 26, 2014, now U.S. Pat. No. 9,769,275, titled “Data Caching and Distribution in a Local Network”; and U.S. patent application Ser. No. 15/136,790, filed Apr. 22, 2016, now U.S. Pat. No. 9,910,752, titled “Reliable Map-Reduce Communications in a Decentralized, Self-Organizing Communication Orbit of a Distributed Network.” Content of each of the above applications is hereby incorporated by reference in its entirety. The above applications are also referred to hereafter as “the Related Applications” or “the Incorporated Disclosure.”
Number | Date | Country |
---|---|---|
62890556 | Aug 2019 | US |
62845827 | May 2019 | US |
62333768 | May 2016 | US |
62305482 | Mar 2016 | US |

Relation | Number | Date | Country |
---|---|---|---|
Parent | 16943307 | Jul 2020 | US |
Child | 18123930 | | US |

Relation | Number | Date | Country |
---|---|---|---|
Parent | 16870742 | May 2020 | US |
Child | 16943307 | | US |
Parent | 16532391 | Aug 2019 | US |
Child | 16870742 | | US |
Parent | 15215474 | Jul 2016 | US |
Child | 16532391 | | US |
Parent | 15215468 | Jul 2016 | US |
Child | 15215474 | | US |