Firewall techniques for colored objects on endpoints

US 10,122,687 B2
Filed: 09/14/2014
Issued: 11/06/2018
Est. Priority Date: 09/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing an application firewall deployed at a gateway and in communication with an endpoint through a network, the application firewall configured to provide conditional, rule-based access to network resources by an application executing on the endpoint;

labeling data on the endpoint as secure data for type-dependent processing;

monitoring the application executing on the endpoint;

on the endpoint, coloring the application in response to a first observed action that includes an exposure to out-of-network data with a descriptor of a context for the first observed action, the descriptor including one or more attributes selected for a relevance to threat detection;

applying a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a transmission, from the endpoint, of the data labeled as secure data;

communicating the reportable event through the network from the endpoint to the application firewall; and

limiting access by the application through the gateway to a network resource with the application firewall based on the reportable event.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.

64 Citations

View as Search Results

20 Claims

1. A method comprising:
- providing an application firewall deployed at a gateway and in communication with an endpoint through a network, the application firewall configured to provide conditional, rule-based access to network resources by an application executing on the endpoint;
  
  labeling data on the endpoint as secure data for type-dependent processing;
  
  monitoring the application executing on the endpoint;
  
  on the endpoint, coloring the application in response to a first observed action that includes an exposure to out-of-network data with a descriptor of a context for the first observed action, the descriptor including one or more attributes selected for a relevance to threat detection;
  
  applying a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a transmission, from the endpoint, of the data labeled as secure data;
  
  communicating the reportable event through the network from the endpoint to the application firewall; and
  
  limiting access by the application through the gateway to a network resource with the application firewall based on the reportable event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising applying firewall rules based on a reputation of the application when the application launches.
  - 3. The method of claim 1 further comprising changing an access rule for the endpoint based upon the reportable event.
  - 4. The method of claim 1 wherein the endpoint is a web server.
  - 5. The method of claim 1 wherein the endpoint is a client device.
  - 6. The method of claim 1 wherein the rule depends on a plurality of observed actions on the endpoint.
  - 7. The method of claim 1 wherein the application firewall is included on the endpoint.
  - 8. The method of claim 1 wherein the application firewall is included on a destination server.
  - 9. The method of claim 1 wherein the application firewall is included as part of a routing of the network.
  - 10. The method of claim 1 wherein the descriptor includes a category for an object, static threat detection information for the object, and a specific identifier of the object.
  - 11. The method of claim 10 wherein the object is the application.
  - 12. The method of claim 10 wherein the object is an item accessed by the application.
  - 13. The method of claim 1, wherein the exposure to out-of-network data includes exposure to an external object known to be or suspected to be malicious.

14. A computer program product comprising a non-transitory computer readable medium bearing computer executable code that, when executing on one or more computing devices, performs the steps of:
- providing an application firewall deployed at a gateway and in communication with an endpoint through a network, the application firewall configured to provide conditional, rule-based access to network resources by an application executing on the endpoint;
  
  labeling data on the endpoint as secure data for type-dependent processing;
  
  monitoring the application executing on the endpoint;
  
  on the endpoint, coloring the application in response to a first observed action that includes an exposure to out-of-network data with a descriptor of a context for the first observed action, the descriptor including one or more attributes selected for a relevance to threat detection;
  
  applying a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a transmission, from the endpoint, of the data labeled as secure data;
  
  communicating the reportable event through the network from the endpoint to the application firewall; and
  
  limiting access by the application through the gateway to a network resource with the application firewall based on the reportable event.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer program product of claim 14 wherein the computer executable code further performs the step of applying firewall rules based on a reputation of the application when the application launches.
  - 16. The computer program product of claim 14 wherein the computer executable code further performs the step of changing an access rule for the endpoint based upon the reportable event.
  - 17. The computer program product of claim 14 wherein the endpoint is a web server.
  - 18. The computer program product of claim 14 wherein the endpoint is a client device.
  - 19. The computer program product of claim 14 wherein the rule depends on a plurality of observed actions on the endpoint.

20. A system comprising:
- an application firewall deployed at a gateway and in communication with an endpoint through a network, the application firewall configured to provide conditional, rule-based access to network resources by applications executing on endpoints in an enterprise; and
  
  an endpoint of the enterprise having a processor and a memory, the memory storing an application executing on the endpoint, and the processor configured to label data on the endpoint as secure data for type-dependent processing, monitor the application executing on the endpoint, to color the application in response to a first observed action that includes an exposure to out-of-network data with a descriptor of a context for the first observed action, the descriptor including one or more attributes selected for a relevance to threat detection, to apply a rule dependent on the descriptor at the endpoint in response to a second observed action of the application to detect a reportable event, the second observed action including a transmission, from the endpoint, of the data labeled as secure data, to communicate the reportable event through the network from the endpoint to the application firewall, and to limit access by the application through the gateway to a network resource with the application firewall based on the reportable event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Thomas, Andrew J., Watkiss, Neil Robert Tyndale, Schiappa, Daniel Salvatore, Ray, Kenneth D.
Primary Examiner(s)
Duong, Hien L

Application Number

US14/485,782
Publication Number

US 20160191465A1
Time in Patent Office

1,514 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Firewall techniques for colored objects on endpoints

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Firewall techniques for colored objects on endpoints

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others