There is a quiet architectural decision inside every endpoint-detection product: where does the thinking happen? You can ship every raw event off the endpoint to a central engine that sees everything, or you can push some of the detection logic down onto the endpoint itself. Forcepoint's grant stakes out the second approach, and reading the claim shows the engineering tradeoff cleanly.
US11632382B2, "Anomaly detection using endpoint counters" (issued April 2023, classified under H04L 63/1425 — the subclass for monitoring network activity to detect intrusion), claims maintaining counters at the endpoint and detecting anomalies from those counters. A counter here is a running statistic the endpoint keeps about its own behavior — how often some action happens, how many connections of a type, how a rate compares to its norm. The endpoint watches its own numbers and raises a flag when they deviate.
The detection method claimed has an immediate practical appeal. Streaming every raw event from thousands of endpoints to a central analyzer is expensive in bandwidth and storage, and it introduces latency — the central brain has to receive, queue, and process before it reacts. Keeping counters locally means the endpoint can notice "this is abnormal for me" and respond without a round trip. For detecting a fast-moving local anomaly, that speed is the whole point.
But the tradeoff is real and the claim implicitly encodes it, which is what makes it honest to read closely. An endpoint watching only its own counters lacks the cross-endpoint context a central system has. A behavior that is normal on one machine but anomalous across the fleet — the signature of, say, lateral movement — is exactly what a purely local view can miss. This is why it complements rather than replaces the coordinated, cross-vantage detection in families like FireEye's, covered elsewhere on this desk.
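To make the axis concrete, here is an added example (not code from the patent or from any Forcepoint product; the counter semantics, thresholds and host names are assumptions) that keeps one counter per endpoint with a running baseline and scores each new window locally, then runs a second check that only a vantage point seeing all endpoints can perform. The constructed data has one host burst on its own, which the local view catches without any round trip, and later a small, simultaneous rise on every host, which no single endpoint's own history can call anomalous but which stands out at once across the fleet.

```python
"""Endpoint counters with a local anomaly check, plus a fleet-wide check
the local view cannot perform. Added illustration, not the patented
mechanism; every threshold and counter meaning below is an assumption."""
from collections import defaultdict
from math import sqrt

LOCAL_Z = 3.0         # |z| at or above this: the endpoint alerts on its own (assumed)
FLEET_Z = 1.5         # |z| at or above this counts as a "shift" in the fleet view (assumed)
FLEET_FRACTION = 0.5  # share of hosts shifting in one window that the fleet view flags (assumed)
MIN_BASELINE = 5      # windows an endpoint must see before it starts scoring itself (assumed)


class EndpointCounter:
    """One counter kept on one endpoint: a running mean and variance
    (Welford's method) of the per-window value, used to score the next window."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0  # running sum of squared deviations from the mean

    def score(self, value):
        """|z| of `value` against the baseline, or None while still warming up."""
        if self.n < MIN_BASELINE:
            return None
        std = sqrt(self.m2 / (self.n - 1))
        if std == 0.0:
            return 0.0 if value == self.mean else float("inf")
        return abs(value - self.mean) / std

    def learn(self, value):
        self.n += 1
        delta = value - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (value - self.mean)

    def observe(self, value):
        """Score the window, then fold it into the baseline unless it was
        anomalous: learning from an attack window would teach the counter
        that the attack is normal."""
        z = self.score(value)
        if z is None or z < LOCAL_Z:
            self.learn(value)
        return z


def run_detection(snapshots):
    """snapshots: iterable of (window, host, value).
    Returns (local_alerts, fleet_alerts): local_alerts are (window, host) pairs
    the endpoint raises by itself; fleet_alerts are windows in which enough
    endpoints shifted at once, which only a cross-endpoint view can see."""
    counters = defaultdict(EndpointCounter)
    by_window = defaultdict(list)
    for window, host, value in snapshots:
        by_window[window].append((host, value))

    local_alerts, fleet_alerts = [], []
    for window in sorted(by_window):
        scores = {}
        for host, value in by_window[window]:
            z = counters[host].observe(value)  # decided on the endpoint, no round trip
            if z is None:
                continue
            scores[host] = z
            if z >= LOCAL_Z:
                local_alerts.append((window, host))
        # The fleet rule needs every endpoint's score for the same window,
        # so it has to live wherever all endpoints report to.
        if scores:
            shifted = sum(1 for z in scores.values() if z >= FLEET_Z)
            if shifted / len(scores) >= FLEET_FRACTION:
                fleet_alerts.append(window)
    return local_alerts, fleet_alerts


# Constructed data: outbound SMB connections per 5-minute window (assumed
# counter meaning) for six hypothetical workstations.
HOSTS = ["ws-01", "ws-02", "ws-03", "ws-04", "ws-05", "ws-06"]
BASELINE = [1, 4, 2, 3, 1, 4, 2, 3]  # quiet period, windows 0..7


def constructed_snapshots():
    rows = []
    for w, v in enumerate(BASELINE):
        rows += [(w, h, v) for h in HOSTS]
    # window 8: one host bursts to 40 connections, the rest stay quiet
    rows += [(8, "ws-01", 40)] + [(8, h, 3) for h in HOSTS[1:]]
    # window 9: every host rises to 5, within what each host's own history tolerates
    rows += [(9, h, 5) for h in HOSTS]
    return rows


if __name__ == "__main__":
    local, fleet = run_detection(constructed_snapshots())
    print("local alerts (endpoint decides alone):", local)    # [(8, 'ws-01')]
    print("fleet alerts (need cross-endpoint view):", fleet)  # [9]
```

Window 8 is the case the claim is built for: ws-01's counter is some thirty standard deviations off its own norm and the endpoint can act immediately. Window 9 is the gap the column describes: each host's score lands around 2.1, under the local threshold, yet every host moved at once. Note that the fleet check consumes only the per-window scores, not raw events, which is the usual compromise between the two architectures: decide locally, ship the counters, corroborate centrally.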
It is worth situating against that prior art deliberately, since this column tracks how detection methods relate. The FireEye/Trellix family makes endpoint and network verify each other; Forcepoint's grant pushes detection logic down into the endpoint. Both are answers to the false-positive and scale problems of detection, from opposite directions — corroborate centrally, or decide locally.
The standing caveats apply: a granted claim covers the specific counter-based mechanism, not the general idea of anomaly detection, and it is not evidence of a particular shipping product's effectiveness. But it is a clean window into a genuine design axis in EDR architecture, with the bandwidth-versus-context tradeoff written right into what the claim chooses to do at the endpoint.