Endpoint malware detection using an event graph
First Claim

1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:

- instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint;
- selecting a set of logical locations from the plurality of logical locations, the set of logical locations excluding at least one logical location of the plurality of logical locations associated with a known, good process;
- recording a sequence of events causally relating the number of computing objects at the set of logical locations;
- creating an event graph based on the sequence of events;
- applying a malware detection rule to the event graph; and
- remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.
Abstract
A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.
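As an added illustration (not code from the patent or its assignee), the claimed steps in Python: events are recorded only at selected logical locations, excluding a location associated with a known-good process; an event graph is built from the recorded sequence; one detection rule (a process writes a file and later spawns a process from that path) is applied; and the causally downstream subgraph is returned as the remediation set. All paths, process names and the rule itself are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample trace: (seq, source, action, target, logical location).
# "proc:" and "file:" prefixes keep processes and files distinct graph nodes.
SAMPLE_EVENTS = [
    (1, "proc:/office/winword.exe", "wrote",   "file:/tmp/upd.exe",        "/tmp"),
    (2, "proc:/office/winword.exe", "spawned", "proc:/tmp/upd.exe",        "/tmp"),
    (3, "proc:/tmp/upd.exe",        "wrote",   "file:/home/alice/.bashrc", "/home/alice"),
    # Same drop-then-run shape, but at a location tied to a known, good updater (assumed).
    (4, "proc:/usr/bin/apt",        "wrote",   "file:/var/lib/dpkg/x.sh",  "/var/lib/dpkg"),
    (5, "proc:/usr/bin/apt",        "spawned", "proc:/var/lib/dpkg/x.sh",  "/var/lib/dpkg"),
]
KNOWN_GOOD_LOCATIONS = {"/var/lib/dpkg"}  # excluded from recording, per the claim


def record_events(events, excluded_locations):
    """Keep only events observed at the selected (non-excluded) logical locations."""
    return [e for e in events if e[4] not in excluded_locations]


def build_event_graph(events):
    """Event graph as an adjacency list: source node -> [(seq, action, target)]."""
    graph = defaultdict(list)
    for seq, src, action, dst, _location in events:
        graph[src].append((seq, action, dst))
    return graph


def path_of(node):
    """Strip the 'proc:'/'file:' prefix so a file and the process run from it match."""
    return node.split(":", 1)[1]


def drop_and_execute_rule(graph):
    """Rule: a process writes a file, then (later in sequence) spawns a process from it."""
    hits = []
    for proc, edges in graph.items():
        written = {path_of(dst): seq for seq, act, dst in edges if act == "wrote"}
        for seq, act, dst in edges:
            if act == "spawned" and written.get(path_of(dst), seq) < seq:
                hits.append((proc, dst))
    return hits


def remediation_set(graph, root):
    """Every node causally downstream of the flagged process: what to stop or quarantine."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(dst for _seq, _act, dst in graph.get(node, []))
    return seen


def detect(events=SAMPLE_EVENTS, excluded=KNOWN_GOOD_LOCATIONS):
    graph = build_event_graph(record_events(events, excluded))
    hits = drop_and_execute_rule(graph)
    return hits, [remediation_set(graph, child) for _parent, child in hits]
```

Running `detect()` flags only the Word-to-temp chain; passing `excluded=set()` shows that without the known-good exclusion the package updater trips the same rule, which is the false-positive cost the claim's exclusion step avoids.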
20 Claims
1. (Text given above under First Claim.) Dependent claims: 2, 3, 4.

5. A method for malware detection comprising:

- instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects at a first set of logical locations within a computing environment related to the first endpoint;
- excluding, from the first set of logical locations, at least one logical location associated with a known, good process;
- recording a sequence of events causally relating the number of computing objects at the first set of logical locations excluding the at least one logical location associated with the known, good process;
- creating an event graph based on the sequence of events;
- applying a malware detection rule to the event graph; and
- remediating the first endpoint when the malware detection rule and the event graph indicate a compromised security state.

Dependent claims: 6 through 17.

18. An endpoint comprising:

- a network interface;
- a memory; and
- a processor configured by computer executable code stored in the memory to detect malware by performing the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a set of logical locations within a computing environment related to the endpoint, excluding, from the set of logical locations, at least one logical location of the set of logical locations associated with a known, good process, recording a sequence of events causally relating the number of computing objects at the set of logical locations excluding the at least one logical location of the set of logical locations associated with the known, good process, creating an event graph based on the sequence of events, applying a malware detection rule to the event graph, and remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.

Dependent claims: 19, 20.