Threat detection using a time-based cache of reputation information on an enterprise endpoint
US-2018278631-A1 · Sep 27, 2018 · US
Using indications of compromise for reputation based network security
US10225286B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10225286-B2 |
| Application number | US-201815969713-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 2, 2018 |
| Priority date | Sep 14, 2014 |
| Publication date | Mar 5, 2019 |
| Grant date | Mar 5, 2019 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.
First claim
Opening claim text (preview).
What is claimed is: 1. A method comprising: collecting a plurality of indications of compromise from an endpoint, each one of the indications of compromise based upon one or more actions taken by one or more processes executing on the endpoint, and at least one of the plurality of indications of compromise including a category of one or more objects related to the one or more actions and a description of one or more objects related to the one or more actions; identifying a low-reputation behavior based upon a quantity of other endpoints that have seen the plurality of indications of compromise and a context for the one or more actions on the endpoint; creating a coloring rule for the low-reputation behavior based upon an occurrence of the plurality of indications of compromise; receiving the coloring rule at a security facility on the endpoint; and applying the coloring rule with the security facility to color low reputation objects. 2. The method of claim 1 , wherein the context for the one or more actions on the endpoint includes an inferred behavior of the one or more objects. 3. The method of claim 1 , wherein the context for the one or more actions includes a source of the one or more objects. 4. The method of claim 1 , wherein the context for the one or more actions includes a type of the one or more objects. 5. The method of claim 1 , wherein the at least one of the plurality of indications of compromise further includes a specific identification of one of the objects. 6. The method of claim 1 , wherein the at least one of the plurality of indications of compromise further includes a genetic identification of one of the one or more objects based on one or more characteristics or actions of the one of the one or more objects. 7. The method of claim 1 , wherein the category includes an application type. 8. A method comprising: collecting a plurality of indications of compromise from an endpoint, each indication of compromise based upon one or more actions taken by one or more processes executing on the endpoint, and at least one of the plurality of indications of compromise including a category of one or more objects related to the one or more actions and a description of one or more objects related to the one or more actions; identifying a low-reputation behavior based upon a quantity of other endpoints that have seen the plurality of indications of compromise and a context for the one or more actions on the endpoint; creating a coloring rule for the low-reputation behavior based upon an occurrence of the plurality of indications of compromise; and when the plurality of indications of compromise are detected on the endpoint, taking an action based upon the coloring rule. 9. The method of claim 8 , wherein taking an action includes initiating a remedial action for the endpoint. 10. The method of claim 8 , wherein the context for the one or more actions on the endpoint includes an inferred behavior of the one or more objects. 11. The method of claim 8 , wherein the context for the one or more actions includes a source of the one or more objects. 12. The method of claim 8 , wherein the context for the one or more actions includes a type of the one or more objects. 13. The method of claim 8 , wherein the at least one of the plurality of indications of compromise further includes a specific identification of one of the objects. 14. A computer program product comprising a non-transitory computer readable medium having stored thereon computer executable code that, when executing on one or more computing devices, cause the one or more computing devices to perform the steps of: collecting a plurality of indications of compromise from an endpoint, each one of the indications of compromise based upon one or more actions taken by one or more processes executing on the endpoint, and at least one of the plurality of indications of compromise including a category of one or more objects related to the one or more actions and a description of the one or more objects related to the one or more actions; identifying a low-reputation behavior based upon a quantity of other endpoints that have seen the plurality of indications of compromise and a context for the one or more actions on the endpoint; creating a coloring rule for the low-reputation behavior based upon an occurrence of the plurality of indications of compromise; receiving the coloring rule at a security facility on the endpoint; and applying the coloring rule with the security facility to color low reputation objects. 15. The computer program product of claim 14 , wherein the computer executable code further causes the one or more computing devices to perform the step of applying the coloring rule to identify the low-reputation behavior based on the occurrence of the plurality of indications of compromise. 16. The computer program product of claim 14 , wherein the at least one of the plurality of indications of compromise includes a specific identification of one of the objects. 17. The computer program product of claim 14 , wherein the at least one of the plurality of indications of compromise includes a genetic identification of one of the objects based on one or more characteristics or actions of the one of the objects. 18. The computer program product of claim 14 , wherein the context for the one or more actions on the endpoint includes an inferred behavior of the one or more objects. 19. The computer program product of claim 14 , wherein the context for the one or more actions includes a source of the one or more objects. 20. The computer program product of claim 14 , wherein the context for the one or more actions includes a source of the one or more objects.
Assignees
Inventors
Classifications
Rule management · CPC title
- H04L63/20Primary
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Physics · mapped topic
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Clustering or classification · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10225286B2 cover?
- Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-…
- Who is the assignee on this patent?
- Sophos Ltd
- What technology area does this patent fall under?
- Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Mar 05 2019 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).