Systems and methods for automated whitelisting of files
First Claim
1. A computer-implemented method for automated whitelisting of computer files, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
obtaining, by the computing device, telemetry information that identifies, for each computing system in a set of computing systems, computer files located on the computing system;
grouping, by the computing device, selected computing systems based on how they are used within an organization by grouping the selected computing systems of the set of computing systems into a group of computing systems that each store a specific computer file and share a role or a department of users within the organization as indicated by the telemetry information;
establishing, by the computing device, a whitelist of computer files for the group of computing systems by, for each file identified by the telemetry information;
calculating, by the computing device, an amount by which a cost for using the whitelist will increase if the file is included in the whitelist;
calculating, by the computing device, an amount by which whitelist coverage of computer files in the group of computing systems will increase if the file is included in the whitelist;
determining, by the computing device, whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage and determining if a coverage threshold is met; and
using, by the computing device, the whitelist to protect the group of computing systems from undesirable computer files by preventing the undesirable computer files from being installed on the group of computing systems protected by the whitelist.
Abstract
The disclosed computer-implemented method for automated whitelisting of files may include (1) obtaining telemetry information that identifies files located on a set of computing systems, (2) establishing a whitelist of files for the set of computing systems by, for each file identified by the telemetry information, (A) calculating an amount by which a cost for using the whitelist will increase if the file is included in the whitelist, (B) calculating an amount by which whitelist coverage of files in the set of computing devices will increase if the file is included in the whitelist, (C) determining whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage, and (3) using the whitelist to protect the set of computing systems from undesirable files. Various other methods, systems, and computer-readable media are also disclosed.
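The selection loop the abstract describes can be sketched as follows. This is an added example, not code from the patent or its assignee. The page does not say how cost or coverage is measured, so the per-file vetting costs, the gain-per-cost cutoff, the greedy ordering, the grouping by department only, and all host and file names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed telemetry: host -> (department, files observed on that host).
TELEMETRY = {
    "fin-01": ("finance", {"excel.exe", "erp.exe", "pdfview.exe"}),
    "fin-02": ("finance", {"excel.exe", "erp.exe", "toolbar.exe"}),
    "fin-03": ("finance", {"excel.exe", "erp.exe", "pdfview.exe"}),
    "dev-01": ("engineering", {"gcc", "git", "pdfview.exe"}),
    "dev-02": ("engineering", {"gcc", "git", "nightly-build"}),
}
# Assumed per-file vetting cost (analyst effort units); unvetted files cost more.
COST = {"toolbar.exe": 5.0, "nightly-build": 4.0}
DEFAULT_COST = 1.0


def group_by_department(telemetry):
    """Group hosts by department and count file installs within each group."""
    groups = defaultdict(Counter)
    for _host, (dept, files) in telemetry.items():
        groups[dept].update(files)
    return groups


def build_whitelist(installs, coverage_target=0.9, min_gain_per_cost=0.05):
    """Greedy selection: add the file with the best coverage gain per unit cost
    until the coverage target is met or no remaining file is worth its cost."""
    total = sum(installs.values())
    whitelist, covered, cost = [], 0, 0.0
    candidates = sorted(
        installs,
        key=lambda f: (-(installs[f] / total) / COST.get(f, DEFAULT_COST), f),
    )
    for name in candidates:
        if covered / total >= coverage_target:
            break  # coverage threshold met
        gain = installs[name] / total          # increase in whitelist coverage
        price = COST.get(name, DEFAULT_COST)   # increase in whitelist cost
        if gain / price < min_gain_per_cost:
            break  # sorted by ratio, so the remaining files are no better
        whitelist.append(name)
        covered += installs[name]
        cost += price
    return whitelist, covered / total, cost


def whitelists_for(telemetry, **kw):
    """Build one whitelist per department group."""
    return {d: build_whitelist(c, **kw) for d, c in group_by_department(telemetry).items()}
```

With the constructed data, the rarely seen, expensive-to-vet files are left off both whitelists even though the 90% coverage target is not reached, which is the cost-versus-coverage balance at work.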
20 Claims
13. A system for automated whitelisting of computer files, the system comprising:
a telemetry module, stored in memory, that obtains telemetry information that identifies, for each computing system in a set of computing systems, computer files located on the computing system and that groups selected computing systems based on how they are used within an organization by grouping the selected computing systems of the set of computing systems into a group of computing systems that each store a specific computer file and share a role or a department of users within the organization as indicated by the telemetry information;
a calculating module, stored in memory, that establishes a whitelist of computer files for the group of computing systems by, for each file identified by the telemetry information;
calculating an amount by which a cost for using the whitelist will increase if the file is included in the whitelist;
calculating an amount by which whitelist coverage of computer files in the group of computing systems will increase if the file is included in the whitelist;
determining whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage and determining if a coverage threshold is met;
a protecting module, stored in memory, that uses the whitelist to protect the group of computing systems from undesirable computer files by preventing the undesirable computer files from being installed on the group of computing systems protected by the whitelist; and
at least one physical processor configured to execute the telemetry module, the calculating module, and the protecting module.
20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
obtain, by the computing device, telemetry information that identifies, for each computing system in a set of computing systems, computer files located on the computing system;
group, by the computing device, selected computing systems based on how they are used within an organization by grouping the selected computing systems of the set of computing systems into a group of computing systems that each store a specific computer file and share a role or a department of users within the organization, as indicated by the telemetry information;
establish, by the computing device, a whitelist of computer files for the group of computing systems by, for each file identified by the telemetry information;
calculate an amount by which a cost for using the whitelist will increase if the file is included in the whitelist;
calculate an amount by which whitelist coverage of computer files in the group of computing systems will increase if the file is included in the whitelist;
determine whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage and determining if a coverage threshold is met; and
use the whitelist to protect the group of computing systems from undesirable computer files by preventing the undesirable computer files from being installed on the group of computing systems protected by the whitelist.
Specification