Retention and accessibility of data characterizing events on an endpoint computer

US 10,354,067 B2
Filed: 11/18/2016
Issued: 07/16/2019
Est. Priority Date: 02/26/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

computer hardware having at least one data processor and memory storing instructions which, when executed by the at least one data processor, result in configured to perform operations comprising;

harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;

adding the data to a local data store maintained on the endpoint computer system, the local data store comprising an audit log, the audit log comprising a series of data containers, each data container in the series comprising a tamper resistant feature, currently generated forensic data being stored in a current data container of the series while preceding data containers in the series are closed to further write operations;

generating a query response in response to a query specifying an artifact on the endpoint computer system and/or an event of the plurality of events, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to the artifact on the endpoint computer system specified by the query and/or to the event of the plurality of events specified by the query, the generating further comprising mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query; and

taking an action based on the detecting that the audit log has been compromised, the action comprising one or more of;

quarantining a thread, process, and/or routine responsible for the compromising of the audit log; and

protection and/or other prevention of corruption of the forensic data that are used to generate the audit log and local cache.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

15 Citations

18 Claims

1. A system, comprising:
- computer hardware having at least one data processor and memory storing instructions which, when executed by the at least one data processor, result in configured to perform operations comprising;
  
  harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;
  
  adding the data to a local data store maintained on the endpoint computer system, the local data store comprising an audit log, the audit log comprising a series of data containers, each data container in the series comprising a tamper resistant feature, currently generated forensic data being stored in a current data container of the series while preceding data containers in the series are closed to further write operations;
  
  generating a query response in response to a query specifying an artifact on the endpoint computer system and/or an event of the plurality of events, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to the artifact on the endpoint computer system specified by the query and/or to the event of the plurality of events specified by the query, the generating further comprising mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query; and
  
  taking an action based on the detecting that the audit log has been compromised, the action comprising one or more of;
  
  quarantining a thread, process, and/or routine responsible for the compromising of the audit log; and
  
  protection and/or other prevention of corruption of the forensic data that are used to generate the audit log and local cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A system as in claim 1, wherein the artifact comprises a digital item of interest comprising one or more of a file, a programs, and a system characteristic.
  - 3. A system as in claim 1, further comprising detecting that the audit log has been compromised based on a change in the tamper resistant feature.
  - 4. A system as in claim 1, wherein the tamper resistant feature comprises a cryptographic fingerprint that references at least one prior data container in the series, and wherein the change in the tamper resistant feature comprises a data container of the series of data containers being referenced in the cryptographic fingerprint of a following data container but no longer being present in the audit log.
  - 5. A system as in claim 1, wherein the tamper resistant feature comprises data compression and signing with a public key and/or enciphering of a combination of the data container plus a signature comprising the public key.
  - 6. A system as in claim 1, wherein the audit log and the local cache are both stored on the endpoint computer.
  - 7. A system as in claim 1, wherein each data container of the series of data containers in the audit log is encrypted and wherein the forensic data are written to the current data container in an append-only manner.
  - 8. A system as in claim 1, wherein the harvesting further comprises receiving and/or inferring at least some of the data using additional data generated external to the endpoint computer system.
  - 9. A system as in claim 1, wherein the adding of the data to the local data store further comprises determining, based on one or more criteria, to retain in the local data store a first subset of the data as more likely to be relevant and to exclude from the local data store and a second subset of the data as more likely to be irrelevant.
  - 10. A system as in claim 1, wherein the event comprises an action occurring on the endpoint computer system and involving one or more artifacts on the endpoint computer system and/or wherein the event comprises a capture of what occurred at a specific point in time relating to the at least one artifact.
  - 11. A system as in claim 1, wherein the responsive data comprises one or more of one or more times that a particular file was accessed on the endpoint computer system, how the particular file was used on the endpoint computer system, when the particular file was first detected on the endpoint computer system, location of a registry persistence point, and use of a registry by a software routine to allow itself to persist after a reboot of the endpoint computing system.
  - 12. A system as in claim 1, wherein the one or more sensors comprises at least one of a kernel mode collector, a removable media sensor, a sensor that collects data about a current state of a computing environment executing on the endpoint computer, a malware detection and/or interdiction process, a user authentication process, and a user authentication re-verification process.
  - 13. A system as in claim 1, wherein the operations further comprise:
    - harvesting the data according to a first set of data collection criteria;
      
      determining, via a threat detection module, that a heightened level of alert is necessary based on a determination that data stored in the audit log indicates that a threat or an attack is underway or imminent; and
      
      in response to the a heightened level of alert, harvesting the data according to a second set of data collection criteria, wherein the second set of data collection criteria is put into operation when the threat detection module indicates that a threat or attack is (i) in progress, (ii) might be imminent, or (iii) has just occurred, and directs the system to harvest data with (a) added detail, (b) added complexity and/or (c) granularity.
  - 14. A system as in claim 13, wherein the threat detection module comprises a machine learning component.
  - 15. A system as in claim 14, wherein the machine learning component performs at least one operation selected from determining that the heightened level of alert is necessary, blocking or terminating execution of a process or thread, and determining that the alert level can be lowered back to the first set of data collection criteria.
  - 16. A system as in claim 14, wherein the machine learning component accomplishes the at least one operation by processing data already in the local data store to determine that a potentially undesirable event has occurred and/or by processing the harvested data as it is received to determine that a potentially undesirable event is currently occurring.

17. A non-transitory computer readable medium storing instructions that, when executed by one or more programmable processors, cause the one or more programmable processors to perform operations comprising:
- harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;
  
  adding the data to a local data store maintained on the endpoint computer system, the local data store comprising an audit log, the audit log comprising a series of data containers, each data container in the series comprising a tamper resistant feature, currently generated forensic data being stored in a current data container of the series while preceding data containers in the series are closed to further write operations;
  
  generating a query response in response to a query specifying an artifact on the endpoint computer system and/or an event of the plurality of events, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to the artifact on the endpoint computer system specified by the query and/or to the event of the plurality of events specified by the query, the generating further comprising mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query; and
  
  taking an action based on the detecting that the audit log has been compromised, the action comprising one or more of;
  
  quarantining a thread, process, and/or routine responsible for the compromising of the audit log; and
  
  protection and/or other prevention of corruption of the forensic data that are used to generate the audit log and local cache.

18. A computer-implemented method comprising:
- harvesting, by an endpoint computer system, data relating to a plurality of events occurring within an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system;
  
  adding the data to a local data store maintained on the endpoint computer system, the local data store comprising an audit log, the audit log comprising a series of data containers, each data container in the series comprising a tamper resistant feature, currently generated forensic data being stored in a current data container of the series while preceding data containers in the series are closed to further write operations;
  
  generating a query response in response to a query specifying an artifact on the endpoint computer system and/or an event of the plurality of events, the generating comprising identifying and retrieving responsive data from the local data store, the responsive data being related to the artifact on the endpoint computer system specified by the query and/or to the event of the plurality of events specified by the query, the generating further comprising mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query; and
  
  taking an action based on the detecting that the audit log has been compromised, the action comprising one or more of;
  
  quarantining a thread, process, and/or routine responsible for the compromising of the audit log; and
  
  protection and/or other prevention of corruption of the forensic data that are used to generate the audit log and local cache.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Permeh, Ryan, Wolff, Matthew, Oswald, Samuel John, Zhao, Xuan, Culley, Mark, Polson, Steve
Primary Examiner(s)
Dolly, Kendall
Assistant Examiner(s)
Fields, Courtney D

Application Number

US15/356,029
Publication Number

US 20170249462A1
Time in Patent Office

970 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2101   Auditing as a secondary aspect

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 9/30   Public key, i.e. encryption...

Retention and accessibility of data characterizing events on an endpoint computer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Retention and accessibility of data characterizing events on an endpoint computer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links