Policy management

US 10,333,989 B2
Filed: 12/20/2017
Issued: 06/25/2019
Est. Priority Date: 09/13/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

organizing a number of applications into a number of application types;

providing a policy management service for an enterprise network, the policy management service configured to provide protection services to one or more endpoints in the enterprise network based on the application types;

detecting an application executing on one of the endpoints;

disassembling a binary executable for the application to recreate functional blocks of code for the application;

grouping a number of the functional blocks into a phenotype;

categorizing the application into one of the application types based on the phenotype; and

applying the protection services to the endpoint based on the one of the application types of the application.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for the operation of a threat management facility, wherein the threat management facility may provide for a plurality of computer asset protection services to a corporate computer network. The threat management facility may provide a policy management service as one of the plurality of protection services, wherein the policy management service may be adapted to provide corporate policy updates to a plurality of computer facilities associated with the corporate computer network. In addition, the corporate policy updates, and a related corporate policy, may relate to the acceptability of an operation of a computer application.

Citations

20 Claims

1. A method comprising:
- organizing a number of applications into a number of application types;
  
  providing a policy management service for an enterprise network, the policy management service configured to provide protection services to one or more endpoints in the enterprise network based on the application types;
  
  detecting an application executing on one of the endpoints;
  
  disassembling a binary executable for the application to recreate functional blocks of code for the application;
  
  grouping a number of the functional blocks into a phenotype;
  
  categorizing the application into one of the application types based on the phenotype; and
  
  applying the protection services to the endpoint based on the one of the application types of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein disassembling the binary executable for the application to recreate functional blocks of code for the application includes reconstructing the application in an unpacked state.
  - 3. The method of claim 1, wherein each functional block contains a combination of API calls and strings referenced within the functional block.
  - 4. The method of claim 1, wherein the functional blocks of the code for the application are representative of at least one function and at least one execution flow of the application.
  - 5. The method of claim 1, wherein the functional blocks of the code for the application include a sequence of application program interface calls.
  - 6. The method of claim 1, wherein the functional blocks of the code for the application include string references.
  - 7. The method of claim 1, wherein applying the protection services includes one or more of updating at least one of a whitelist of acceptable applications, a whitelist of a group of application types, a blacklist of applications, or a blacklist of unacceptable application types.
  - 8. The method of claim 1, wherein applying the protection services includes providing a malicious code protection update service.
  - 9. The method of claim 1, wherein applying the protection services includes providing a firewall service.
  - 10. The method of claim 1, wherein applying the protection services includes conditionally limiting network access by the application.
  - 11. The method of claim 1, wherein applying the protection services includes restricting access to external resources for the one of the endpoints.
  - 12. The method of claim 1, wherein applying the protection services includes restricting access to internal functions of the one of the endpoints.
  - 13. The method of claim 1, wherein applying the protection services includes blocking execution of the application.
  - 14. The method of claim 1, wherein the application includes at least one of a network application and a web application.
  - 15. The method of claim 1, wherein the protection services are further configured to conditionally restrict use of the application on the one of the endpoints based on a user type for the one of the endpoints.
  - 16. The method of claim 1, wherein applying the protection services includes applying the protection services from a threat management facility for the enterprise network.
  - 17. The method of claim 1, wherein the one of the applications types corresponds to messaging applications.
  - 18. The method of claim 1, wherein the number of application types includes at least one of a messaging category, an electronic mail category, a browser category, and a word processing category and a database category.

19. A computer program product comprising non-transitory computer executable code embodied in a computer readable medium that, when executing on one or more computing devices, performs the steps of:
- providing a policy management service for an enterprise network, the policy management service configured to provide protection services to one or more endpoints in the enterprise network based on application types;
  
  detecting an application executing on one of the endpoints;
  
  disassembling a binary executable for the application to recreate functional blocks of code for the application;
  
  forming a list of genes associated with the functional blocks, each gene corresponding to an identifying characteristic of the application;
  
  matching phenotypes against the list of genes to identify a phenotype;
  
  categorizing the application into one of a number of application types based on the phenotype; and
  
  conditionally limiting network access by the application based on the one of the number of application types of the application.

20. A system comprising:
- a threat management facility storing information in a database organizing a number of applications into a number of application types, the threat management facility providing a policy management service including protection services for one or more endpoints of an enterprise network;
  
  a data network; and
  
  an endpoint coupled to the threat management facility through the data network the endpoint configured by computer executable code stored in a memory of the endpoint to perform the steps of detecting an application executing on the one of the endpoints, disassembling an executable for the application to recreate functional blocks of code for the application, categorizing the application into one of the application types based on phenotypes derived from the functional blocks, and applying the protection services to the endpoint based on the one of the application types of the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Jacobs, Richard
Primary Examiner(s)
Korsak, Oleg

Application Number

US15/848,922
Publication Number

US 20180205761A1
Time in Patent Office

552 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Policy management

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy management

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links