Retention and accessibility of data characterizing events on an endpoint computer

US 10,354,066 B2
Filed: 11/17/2016
Issued: 07/16/2019
Est. Priority Date: 02/26/2016
Status: Active Grant

First Claim

Patent Images

1. A system for retaining data regarding potential software-based attacks on a computer, the system comprising:

computer hardware configured to perform operations comprising;

harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;

adding the data to a local data store maintained on the endpoint computer system; and

generating a query response in response to a query, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to an artifact on the endpoint computer system and/or to an event of the plurality of events;

wherein;

the data is initially harvested according to a first set of data collection criteria;

a software-based threat detection module executing on the endpoint computer system determines that a heightened level of alert is necessary; and

in response to the heightened level of alert, the data is harvested according to a second set of data collection criteria that are broader than the first set of data collection criteria which captures more data than what was harvested according to the first set of data collection criteria;

wherein the generating the query response comprises mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. A query response can be generated, for example by identifying and retrieving responsive data from the local data store. The responsive data are related to an artifact on the endpoint computer system and/or to an event of the plurality of events. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

15 Citations

27 Claims

1. A system for retaining data regarding potential software-based attacks on a computer, the system comprising:
- computer hardware configured to perform operations comprising;
  
  harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;
  
  adding the data to a local data store maintained on the endpoint computer system; and
  
  generating a query response in response to a query, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to an artifact on the endpoint computer system and/or to an event of the plurality of events;
  
  wherein;
  
  the data is initially harvested according to a first set of data collection criteria;
  
  a software-based threat detection module executing on the endpoint computer system determines that a heightened level of alert is necessary; and
  
  in response to the heightened level of alert, the data is harvested according to a second set of data collection criteria that are broader than the first set of data collection criteria which captures more data than what was harvested according to the first set of data collection criteria;
  
  wherein the generating the query response comprises mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. A system as in claim 1, wherein the harvesting according to at least one of the first set of data collection criteria and the second set of data collection criteria further comprises receiving and/or inferring at least some of the data using additional data generated external to the endpoint computer system.
  - 3. A system as in claim 1, wherein the adding of the data to the local data store further comprises determining, based on one or more criteria, to retain in the local data store a first subset of the data as more likely to be relevant and to exclude from the local data store and a second subset of the data as more likely to be irrelevant.
  - 4. A system as in claim 1, wherein the event comprises an action occurring on the endpoint computer system and involving one or more artifacts on the endpoint computer system.
  - 5. A system as in claim 4, wherein the event comprises a capture of what occurred at a specific point in time relating to the at least one artifact.
  - 6. A system as in claim 1, wherein the responsive data comprises one or more of one or more times that a particular file was accessed on the endpoint computer system, how the particular file was used on the endpoint computer system, when the particular file was first detected on the endpoint computer system, location of a registry persistence point, and use of a registry by a software routine to allow itself to persist after a reboot of the endpoint computing system.
  - 7. A system as in claim 1, wherein the mitigating of the amount of the data returned further comprises pruning the data to a reduced data set, the pruning comprising analyzing the data with a machine learning model running on the endpoint computer system and/or on one or more remote servers.
  - 8. A system as in claim 7, wherein the analyzing comprises the machine learning model enriching the data according to a likelihood of events of the plurality of events or artifacts on the endpoint being having forensic relevance.
  - 9. A system as in claim 1, wherein the one or more sensors comprises at least one of a kernel mode collector, a removable media sensor, a sensor that collects data about a current state of a computing environment executing on the endpoint computer, a malware detection and/or interdiction process, a user authentication process, and a user authentication re-verification process.
  - 10. A system as in claim 1, wherein the operations further comprise receiving the query from a server over a network connection.
  - 11. A system as in claim 1, wherein the operations further comprise initiating the query based on detection of a factor by a malware detection and/or interdiction process and/or by a user authentication verification process.
  - 12. A system as in claim 1, wherein the operations further comprise analyzing, in response to the query, the data added to the local data store by a machine learning model running on the endpoint compute system, the analyzing comprising:
    - eliminating, by the machine learning model, first data from the data that are not likely to be relevant;
      
      identifying, by the machine learning model, second data from the data that are likely to be relevant; and
      
      classifying third data that are not the first data or the second data as potentially relevant;
      
      wherein the query response excludes the first data.
  - 13. A system as in claim 12, wherein the operations further comprise discarding the first data and pushing the second data and the third data to a cloud-based, second machine learning model as part of the query response for further analysis.
  - 14. A system as in claim 12, wherein the operations further comprise receiving the query at the endpoint computer system from the cloud-based, second machine learning model and responding to the query as part of the query response using the second data and the third data based on attributes specified in the query.
  - 15. A system as in claim 12, wherein the operations further comprise the machine learning model building a causality chain over one or more forensically applicable events from the plurality of events, the one or more forensically applicable events being applicable to a given event and/or artifact specified in the query.
  - 16. A system as in claim 15, wherein the building of the causality chain comprises consideration of definitions for the first data, the second data, and the third data.
  - 17. A system as in claim 1, further comprising triggering the generating of the query response in reaction to detection of a suspicious artifact and/or a significant event by a malware detection and/or interdiction process executing on the endpoint computer system and/or by an user authentication verification process.
  - 18. A system as in claim 1, wherein the operations further comprise triggering the generating of the query response in reaction to detection of a suspicious file and/or a suspicious event by a malware detection and/or interdiction process executing not on the endpoint computer system and/or by an user authentication verification process.
  - 19. A system as in claim 1, wherein the threat detection module comprises a machine learning component.
  - 20. A system as in claim 19, wherein the machine learning component performs at least one operation selected from determining that the heightened level of alert is necessary, blocking or terminating execution of a process or thread, and determining that the alert level can be lowered back to the first set of data collection criteria.
  - 21. A system as in claim 20, wherein the machine learning component accomplishes the at least one operation by processing data already in the local data store to determine that a potentially undesirable event has occurred and/or by processing the harvested data as it is received to determine that a potentially undesirable event is currently occurring.
  - 22. A system as in claim 1, wherein the data in the local data store is arranged according to a series of data containers, each data container in the series comprising a tamper resistant feature, currently generated forensic data being stored in a current data container of the series while preceding data containers in the series are closed to further write operations.
  - 23. A system as in claim 1, wherein the local data store comprises at least one tamper resistant feature having a cryptographic fingerprint that references at least one prior data container in the series, and wherein the change in the tamper resistant feature comprises a data container of the series of data containers being referenced in the cryptographic fingerprint of a following data container but no longer being present in the audit log.
  - 24. A system as in claim 2, wherein the artifact comprises a digital item of interest comprising one or more of a file, a programs, and a system characteristic.
  - 25. A system as in claim 1, wherein the computer hardware comprises a programmable processor and a memory storing instructions.

26. A non-transitory computer readable medium storing instructions that, when executed by one or more programmable processors, cause the one or more programmable processors to perform operations for retaining data regarding potential software-based attacks on a computer comprising:
- harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;
  
  adding the data to a local data store maintained on the endpoint computer system; and
  
  generating a query response in response to a query, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to an artifact on the endpoint computer system and/or to an event of the plurality of events;
  
  wherein;
  
  the data is initially harvested according to a first set of data collection criteria;
  
  it is determined on the endpoint computer system that a heightened level of alert is necessary; and
  
  in response to the heightened level of alert, the data is harvested according to a second set of data collection criteria that are broader than the first set of data collection criteria which captures more data than what was harvested according to the first set of data collection criteriawherein the generating the query response comprises mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query.

27. A computer-implemented method for retaining data regarding potential software-based attacks on a computer, the method comprising:
- harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;
  
  adding the data to a local data store maintained on the endpoint computer system; and
  
  generating a query response in response to a query, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to an artifact on the endpoint computer system and/or to an event of the plurality of events;
  
  wherein;
  
  the data is initially harvested according to a first set of data collection criteria;
  
  it is determined on the endpoint computer system that a heightened level of alert is necessary; and
  
  in response to the heightened level of alert, the data is harvested according to a second set of data collection criteria that are broader than the first set of data collection criteria which captures more data than what was harvested according to the first set of data collection criteria;
  
  wherein the generating the query response comprises mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Permeh, Ryan, Wolff, Matthew, Oswald, Samuel John, Zhao, Xuan, Culley, Mark, Polson, Steve
Primary Examiner(s)
Dolly, Kendall
Assistant Examiner(s)
Fields, Courtney D

Application Number

US15/354,966
Publication Number

US 20170249461A1
Time in Patent Office

971 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2101   Auditing as a secondary aspect

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 9/30   Public key, i.e. encryption...

Retention and accessibility of data characterizing events on an endpoint computer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Retention and accessibility of data characterizing events on an endpoint computer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others