Threat detection using a time-based cache of reputation information on an enterprise endpoint

US 10,382,459 B2
Filed: 05/02/2018
Issued: 08/13/2019
Est. Priority Date: 09/14/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting an action at an endpoint;

receiving, from a threat management facility on the endpoint, a reputation score for the action and a time to live for the action, the reputation score based on a description of the action including a process, executing on the endpoint, that took the action and an object programmatically associated with the process through the action;

caching the description and the reputation score in an event cache on the endpoint for a duration equal to the time to live;

accumulating a plurality of the descriptions and reputation scores that have not expired in the event cache;

expiring at least one of the descriptions and reputation scores by removing the at least one of the descriptions and reputation scores from the event cache after the time to live;

generating a threat detection when a pattern of the descriptions and reputation scores in the event cache indicate malicious software operating on the endpoint; and

communicating the threat detection to an analysis facility external to the endpoint.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.

38 Citations

View as Search Results

20 Claims

1. A method comprising:
- detecting an action at an endpoint;
  
  receiving, from a threat management facility on the endpoint, a reputation score for the action and a time to live for the action, the reputation score based on a description of the action including a process, executing on the endpoint, that took the action and an object programmatically associated with the process through the action;
  
  caching the description and the reputation score in an event cache on the endpoint for a duration equal to the time to live;
  
  accumulating a plurality of the descriptions and reputation scores that have not expired in the event cache;
  
  expiring at least one of the descriptions and reputation scores by removing the at least one of the descriptions and reputation scores from the event cache after the time to live;
  
  generating a threat detection when a pattern of the descriptions and reputation scores in the event cache indicate malicious software operating on the endpoint; and
  
  communicating the threat detection to an analysis facility external to the endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the endpoint is within an enterprise network, and the analysis facility is external to the enterprise network.
  - 3. The method of claim 1, wherein the object is programmatically associated with the process through the action by at least one of triggering the action, being acted upon by the action, receiving data from the action, or providing data to the action.
  - 4. The method of claim 1, wherein the object includes a URL accessed by the action.
  - 5. The method of claim 1, wherein the object includes a filename accessed by the action.
  - 6. The method of claim 1, further comprising taking a remedial action at the endpoint when malicious activity is detected.
  - 7. The method of claim 1, wherein the reputation score is based on a geographical distribution of the description on a plurality of endpoints.
  - 8. The method of claim 1, wherein the reputation score is based on a number of prior occurrences of the description on a plurality of endpoints.

9. A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
- detecting an action at an endpoint;
  
  receiving, from a threat management facility on the endpoint, a reputation score for the action and a time to live for the action, the reputation score based on a description of the action including a process, executing on the endpoint, that took the action and an object programmatically associated with the process through the action;
  
  caching the description and the reputation score in an event cache on the endpoint for a duration equal to the time to live;
  
  accumulating a plurality of the descriptions and reputation scores that have not expired in the event cache;
  
  expiring at least one of the descriptions and reputation scores by removing the at least one of the descriptions and reputation scores from the event cache after the time to live;
  
  generating a threat detection when a pattern of the descriptions and reputation scores in the event cache indicate malicious software operating on the endpoint; and
  
  communicating the threat detection to an analysis facility external to the endpoint.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer program product of claim 9, wherein the object is programmatically associated with the process through the action by at least one of triggering the action, being acted upon by the action, receiving data from the action, or providing data to the action.
  - 11. The computer program product of claim 9, wherein the object includes a URL accessed by the action.
  - 12. The computer program product of claim 9, wherein the object includes a filename accessed by the action.
  - 13. The computer program product of claim 9, wherein the code further performs the step of taking a remedial action at the endpoint when malicious activity is detected.
  - 14. The computer program product of claim 9, wherein the reputation score is based on a geographical distribution of the description on a plurality of endpoints.
  - 15. The computer program product of claim 9, wherein the reputation score is based on a number of prior occurrences of the description on a plurality of endpoints.

16. A system comprising:
- a threat management facility configured to manage threats to an enterprise; and
  
  an endpoint of the enterprise having a memory and a processor, the memory storing an object, a process, and a threat management facility, and the processor configured to detect an action at the endpoint, to receive from the threat management facility a reputation score for the action and a time to live for the action, the reputation score based on a description of the action including a process and an object programmatically associated with the process through the action, to cache the description and the reputation score in an event cache on the endpoint for a duration equal to the time to live, to accumulate a plurality of the descriptions and reputation scores that have not expired in the event cache, to expire at least one of the descriptions and reputation scores by removing the at least one of the descriptions and reputation scores from the event cache after the time to live, to generate a threat detection for communication to an analysis facility external to the endpoint when a pattern of the descriptions and reputation scores in the event cache indicate malicious software operating on the endpoint.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the object is programmatically associated with the process through the action by at least one of triggering the action, being acted upon by the action, receiving data from the action, or providing data to the action.
  - 18. The system of claim 16, wherein the object includes at least one of a URL and a filename accessed by the action.
  - 19. The system of claim 16, wherein the reputation score is based on a geographical distribution of the description on a plurality of endpoints.
  - 20. The system of claim 16, wherein the reputation score is based on a number of prior occurrences of the description on a plurality of endpoints.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Harris, Mark D., Reed, Simon Neil, Ray, Kenneth D., Watkiss, Neil Robert Tyndale, Thomas, Andrew J., Cook, Robert W.
Primary Examiner(s)
Steinle, Andrew J

Application Number

US15/969,725
Publication Number

US 20180278631A1
Time in Patent Office

468 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/108   when the policy decisions a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Threat detection using a time-based cache of reputation information on an enterprise endpoint

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Threat detection using a time-based cache of reputation information on an enterprise endpoint

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links