Endpoint malware detection using an event graph

US 10,460,105 B2
Filed: 03/19/2018
Issued: 10/29/2019
Est. Priority Date: 04/15/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:

instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint;

selecting a set of logical locations from the plurality of logical locations, the set of logical locations excluding at least one logical location of the plurality of logical locations associated with a known, good process;

recording a sequence of events causally relating the number of computing objects at the set of logical locations;

creating an event graph based on the sequence of events;

applying a malware detection rule to the event graph; and

remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.

Citations

20 Claims

1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:
- instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint;
  
  selecting a set of logical locations from the plurality of logical locations, the set of logical locations excluding at least one logical location of the plurality of logical locations associated with a known, good process;
  
  recording a sequence of events causally relating the number of computing objects at the set of logical locations;
  
  creating an event graph based on the sequence of events;
  
  applying a malware detection rule to the event graph; and
  
  remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.
- View Dependent Claims (2, 3, 4)
- - 2. The computer program product of claim 1, wherein selecting the set of logical locations includes selecting a group of logical locations from the plurality of logical locations based on exposure to an external environment.
  - 3. The computer program product of claim 1, wherein selecting the set of logical locations includes selecting a group of logical locations from the plurality of logical locations based on reputation.
  - 4. The computer program product of claim 1, wherein selecting the set of logical locations includes increasing a number of logical locations in the set of logical locations based on an inconsistency between a reputation of a first process and a reputation of a second process calling the first process.

5. A method for malware detection comprising:
- instrumenting a first endpoint to monitor a number of causal relationships among a number of computing objects at a first set of logical locations within a computing environment related to the first endpoint;
  
  excluding, from the first set of logical locations, at least one logical location associated with a known, good process;
  
  recording a sequence of events causally relating the number of computing objects at the first set of logical locations excluding the at least one logical location associated with the known, good process;
  
  creating an event graph based on the sequence of events;
  
  applying a malware detection rule to the event graph; and
  
  remediating the first endpoint when the malware detection rule and the event graph indicate a compromised security state.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. The method of claim 5, wherein the first set of logical locations includes logical locations associated with processes of unknown reputation.
  - 7. The method of claim 5, further comprising adding one or more logical locations to the first set of logical locations in response to a detected increase in security risk.
  - 8. The method of claim 5, further comprising removing a logical location from the first set of logical locations in response to a detected decrease in security risk.
  - 9. The method of claim 5, further comprising filtering one or more of the events in the sequence of events according to reputation.
  - 10. The method of claim 5, wherein the first set of logical locations includes at least one endpoint separate from the first endpoint.
  - 11. The method of claim 5, wherein the first set of logical locations includes at least one programming interface to a human interface device.
  - 12. The method of claim 5, further comprising identifying one of the number of computing objects as a cause of the compromised security state and remediating the one of the number of computing objects.
  - 13. The method of claim 5, wherein the number of causal relationships include a data flow.
  - 14. The method of claim 5, wherein the number of causal relationships include a control flow.
  - 15. The method of claim 5, wherein the number of causal relationships include a network flow.
  - 16. The method of claim 5, wherein the one or more computing objects include one or more types of computing objects selected from a group consisting of a data file, a process, an application, a registry entry, a network address, and a peripheral device.
  - 17. The method of claim 5, wherein a number of events within the sequence of events are preserved for a predetermined time window, and further wherein the predetermined time window has a different duration for at least two different types of computing objects.

18. An endpoint comprising:
- a network interface;
  
  a memory; and
  
  a processor configured by computer executable code stored in the memory to detect malware by performing the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a set of logical locations within a computing environment related to the endpoint, excluding, from the set of logical locations, at least one logical location of the set of logical locations associated with a known, good process, recording a sequence of events causally relating the number of computing objects at the set of logical locations excluding the at least one logical location of the set of logical locations associated with the known, good process, creating an event graph based on the sequence of events, applying a malware detection rule to the event graph, and remediating the endpoint when the malware detection rule and the event graph indicate a compromised security state.
- View Dependent Claims (19, 20)
- - 19. The endpoint of claim 18, wherein the processor is further configured to adjust the set of logical locations by adding a new logical location, removing an existing logical location, or changing a level of filtering at one of the set of logical locations according to a security state of the endpoint.
  - 20. The endpoint of claim 18, wherein the number of causal relationships include one or more of a data flow, a control flow, and a network flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ladnai, Beata, Harris, Mark David, Thomas, Andrew J., Smith, Andrew G. P., Humphries, Russell
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/924,460
Publication Number

US 20180276380A1
Time in Patent Office

589 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 8/65   Updates security arrangemen...

Endpoint malware detection using an event graph

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Endpoint malware detection using an event graph

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links