Labeling computing objects for improved threat detection

US10673902B2 · US · B2

Patent metadata
Field                 Value
Publication number    US-10673902-B2
Application number    US-201815963718-A
Country               US
Kind code             B2
Filing date           Apr 26, 2018
Priority date         Sep 14, 2014
Publication date      Jun 2, 2020
Grant date            Jun 2, 2020

Abstract

Official abstract text for this publication.

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: processing a first object on an endpoint, the first object from a location external to the endpoint; in response to a first observed action, coloring the first object with a descriptor of a context for the first observed action by persistently associating the descriptor with the first object, the context including one or more attributes selected for a relevance to threat detection, including at least one attribute identifying at least one of a source or a type of the first object; at a second object internal to the endpoint, inheriting the descriptor when the second object is a target of an action by the first object; applying a rule dependent on the descriptor, including the at least one attribute identifying the at least one of the source or the type of the first object, in response to a second observed action of the second object to detect a reportable event based in part on a source or a type of the second object; and transmitting information to a threat management facility about the reportable event, the information including a description of the reportable event and the second object along with the descriptor of the context.

2. The method of claim 1, wherein the first observed action and the second observed action are the same action.

3. The method of claim 1, wherein the first object includes at least one of a process, a function, an executable, a dynamic linked library, a script, a file, a data structure, a URL, and data.

4. The method of claim 1, wherein the descriptor includes a reputation of the first object.

5. The method of claim 1, wherein the descriptor includes a reputation selected from a group consisting of good, bad, and unknown.

6. The method of claim 1, wherein the descriptor includes a reputation selected from a group consisting of in or out.

7. The method of claim 1, wherein the first observed action includes a behavior of the first object and the descriptor is inferred based on the behavior.

8. The method of claim 1, wherein the first object includes data, and wherein the descriptor includes an ownership of the first object including one or more of private and corporate.

9. The method of claim 1, wherein the descriptor includes information about a network resource requested in the first observed action.

10. The method of claim 1, wherein the descriptor includes information about access to an unprotected object requested in the first observed action.

11. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: processing a first object on an endpoint, the first object from a location external to the endpoint; in response to a first observed action, coloring the first object with a descriptor of a context for the first observed action, the context including at least one attribute identifying at least one of a source or a type of the first object; at a second object internal to the endpoint, inheriting the descriptor when the second object is a target of an action by the first object; in response to a second observed action of the second object, applying a rule dependent on the descriptor to detect a reportable event based in part on a source or a type of the second object; and transmitting, to a threat management facility, information including a description of the reportable event and the second object along with the descriptor of the context.

12. The computer program product of claim 11, wherein the first observed action and the second observed action are the same action.

13. The computer program product of claim 11, wherein the first object includes at least one of a process, a function, an executable, a dynamic linked library, a script, a file, a data structure, a URL, and data.

14. The computer program product of claim 11, wherein the descriptor includes a reputation of the first object.

15. The computer program product of claim 11, wherein the descriptor includes a reputation selected from a group consisting of good, bad, and unknown.

16. The computer program product of claim 11, wherein the descriptor includes a reputation selected from a group consisting of in or out.

17. The computer program product of claim 11, wherein the first observed action includes a behavior of the first object and the descriptor is inferred based on the behavior.

18. The computer program product of claim 11, wherein the first object includes data, and wherein the descriptor includes an ownership of the first object including one or more of private and corporate.

19. The computer program product of claim 11, wherein the descriptor includes information about a network resource requested in the first observed action, information about access to an unprotected object requested in the first observed action, or a combination thereof.

20. A system comprising: an endpoint of an enterprise having a processor and a memory, the memory storing a first object and a second object, and the processor configured to process the first object, to color the first object, in response to a first observed action, with a descriptor of a context for the first observed action by persistently associating the descriptor with the first object, the context including one or more attributes selected for a relevance to threat detection, including at least one attribute identifying at least one of a source or a type of the first object, to inherit, at the second object internal to the endpoint, the descriptor when the second object is a target of an action by the first object, to apply a rule dependent on the descriptor, in response to a second observed action of the second object to detect a reportable event based in part on a source or a type of the second object, and to transmit, to a threat management facility, information including a description of the reportable event and the second object along with the descriptor of the context.
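An added illustration, not code from the patent or from Sophos, of the sequence claim 1 describes: an external object is colored with a source/type descriptor, an internal object it acts on inherits that descriptor, and a descriptor-dependent rule on the internal object's later action produces the report sent to the threat management facility. The object names, action names and the SENSITIVE_ACTIONS rule are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Descriptor:
    """Context descriptor 'colored' onto an object (claim 1): its source and
    type, plus a reputation of good / bad / unknown (claim 5)."""
    source: str
    obj_type: str
    reputation: str = "unknown"

@dataclass
class ComputingObject:
    name: str
    internal: bool                      # True for objects internal to the endpoint
    descriptors: set = field(default_factory=set)

def color(obj, descriptor):
    """Persistently associate a descriptor with obj in response to an observed action."""
    obj.descriptors.add(descriptor)
    return obj

def act(actor, action, target):
    """actor performs action on target; an internal target inherits the actor's
    descriptors (claim 1: inheriting at a second object internal to the endpoint)."""
    if target.internal:
        target.descriptors |= actor.descriptors
    return target

# Constructed rule: actions that are reportable when performed by an object
# carrying an externally sourced descriptor.
SENSITIVE_ACTIONS = {"open_network_socket", "write_registry_run_key"}

def apply_rule(obj, action):
    """Rule dependent on the descriptor. Returns the report to transmit to the
    threat management facility (event, object, descriptors), or None."""
    external = {d for d in obj.descriptors if d.source.startswith("external:")}
    if action not in SENSITIVE_ACTIONS or not external:
        return None
    return {"event": action, "object": obj.name,
            "descriptors": sorted((d.source, d.obj_type, d.reputation) for d in external)}

def scenario():
    """Constructed sample: a downloaded installer spawns an internal shell, which
    then opens a network socket (reportable) and reads a file (not reportable)."""
    installer = ComputingObject("setup.exe", internal=False)
    color(installer, Descriptor("external:web_download", "executable"))
    shell = ComputingObject("powershell.exe", internal=True)
    act(installer, "spawn_process", shell)   # shell inherits the external descriptor
    return apply_rule(shell, "open_network_socket"), apply_rule(shell, "read_file")
```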

Assignees

Sophos Ltd

Inventors

Classifications

  • H04L63/20 (primary) · CPC title: for managing network security; network security policies in general (filtering policies H04L63/0227)

  • CPC title: Rule management

  • CPC title: Event detection, e.g. attack signature detection

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10673902B2 cover?
Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-…
Who is the assignee on this patent?
Sophos Ltd
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 2, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).