Endpoint malware detection using an event graph
Abstract
A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files, and patterns within this event graph can be used to detect the presence of malware on the endpoint. The underlying recording process may be dynamically adjusted in order to vary the amount and location of recording as the security state of the endpoint changes over time.
Claims (20 in total; the independent claims 1, 2 and 18 are reproduced below)

1. A computer program product for detecting malware on an endpoint in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on the endpoint, performs the steps of:

instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment related to the endpoint;
selecting a set of logical locations from the plurality of logical locations;
recording a sequence of events causally relating the number of computing objects at the set of logical locations;
creating an event graph based on the sequence of events;
applying a malware detection rule to the event graph to identify a compromised security state of the endpoint;
when the malware detection rule in the event graph identifies the compromised security state of the endpoint, traversing the event graph forward to identify one or more other ones of the number of computing objects affected by the compromised security state; and
remediating one or more of the identified one or more other ones of the number of computing objects affected by the compromised security state.
2. A method for malware detection comprising:

instrumenting an endpoint to monitor a number of causal relationships among a number of computing objects at a first set of logical locations within a computing environment related to the endpoint;
recording a sequence of events causally relating the number of computing objects at the first set of logical locations;
creating an event graph based on the sequence of events;
applying a malware detection rule to the event graph to identify a compromised security state of the endpoint; and
when the malware detection rule in the event graph identifies the compromised security state of the endpoint, traversing the event graph forward to identify one or more other ones of the number of computing objects affected by the compromised security state.

Dependent claims: 3 to 17.
18. An endpoint comprising:

a network interface;
a memory; and
a processor configured by computer executable code stored in the memory to detect malware by performing the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a set of logical locations within a computing environment related to the endpoint, creating an event graph based on a sequence of events causally relating the number of computing objects at the set of logical locations, applying a malware detection rule in the event graph to identify a compromised security state of the endpoint, and when the malware detection rule identifies the compromised security state of the endpoint, traversing the event graph forward to identify one or more other ones of the number of computing objects affected by the compromised security state.

Dependent claims: 19 and 20.
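The abstract and the independent claims describe one procedure: record causal events at selected logical locations, build an event graph, apply a detection rule, and on a hit walk the graph forward to find every object the compromise touched, widening what is recorded once the endpoint is judged compromised. The Python below is an added illustration of that procedure and is not the patent's code or any product's implementation. The object naming scheme (`proc:`, `file:`, `net:` prefixes), the three logical locations, the sample events and the detection rule (an Office process writes a file that is later executed) are all constructed for the example. The forward traversal is causal: it follows an edge only if it occurred at or after the event by which its source was reached, so an object's earlier, unrelated activity is not swept into the affected set.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical logical locations and rule parameters (assumptions, not from the patent).
ALL_LOCATIONS = {"process", "file", "network"}
OFFICE_PROCS = {"proc:winword.exe", "proc:excel.exe", "proc:powerpnt.exe"}


@dataclass(frozen=True)
class Event:
    seq: int        # position in the recorded sequence (causal order)
    location: str   # logical location the event was observed at
    src: str        # causing object ("proc:", "file:" or "net:" prefix)
    action: str     # spawn, read, write, exec or connect
    dst: str        # affected object


# Constructed sample activity for one endpoint; not captured telemetry.
SAMPLE_EVENTS = [
    Event(1, "process", "proc:explorer.exe", "spawn", "proc:winword.exe"),
    Event(2, "file", "file:C:/Users/a/invoice.docm", "read", "proc:winword.exe"),
    Event(3, "file", "proc:winword.exe", "write", "file:C:/Users/a/AppData/Local/Temp/upd.exe"),
    Event(4, "process", "proc:winword.exe", "spawn", "proc:upd.exe"),
    Event(5, "process", "file:C:/Users/a/AppData/Local/Temp/upd.exe", "exec", "proc:upd.exe"),
    Event(6, "network", "proc:upd.exe", "connect", "net:198.51.100.7:443"),
    Event(7, "file", "proc:upd.exe", "write", "file:C:/Users/a/Documents/report.docx"),
    Event(8, "file", "proc:notepad.exe", "write", "file:C:/Users/a/notes.txt"),
]


class EventGraph:
    """Event graph as an adjacency list keyed by causing object; each edge keeps
    its Event so the sequence number is available for causal traversal."""

    def __init__(self, locations):
        self.locations = set(locations)  # currently selected logical locations
        self.out = defaultdict(list)     # src object -> [Event]

    def record(self, ev):
        """Record ev only if its logical location is currently selected."""
        if ev.location not in self.locations:
            return False
        self.out[ev.src].append(ev)
        return True

    def edges(self):
        return [ev for evs in self.out.values() for ev in evs]


def rule_office_drops_and_runs(graph):
    """Detection rule: an Office process writes a file that is later executed.
    Returns (compromised process, seq of the write) or None."""
    for w in graph.edges():
        if w.action == "write" and w.src in OFFICE_PROCS:
            for x in graph.out.get(w.dst, []):
                if x.action == "exec" and x.seq > w.seq:
                    return w.src, w.seq
    return None


def traverse_forward(graph, start, since):
    """Forward causal traversal from `start`; an edge is followed only if it
    happened at or after the event by which its source was reached.
    Returns {affected object: seq at which it was first affected}."""
    affected = {}
    queue = deque([(start, since)])
    while queue:
        node, t = queue.popleft()
        for ev in graph.out.get(node, []):
            if ev.seq >= t and ev.seq < affected.get(ev.dst, float("inf")):
                affected[ev.dst] = ev.seq
                queue.append((ev.dst, ev.seq))
    return affected


def remediation_plan(affected):
    """Map each affected object to an action; the plan is returned, not executed."""
    action_for = {"proc": "terminate", "file": "quarantine", "net": "block"}
    return [(action_for[obj.split(":", 1)[0]], obj)
            for obj in sorted(affected, key=affected.get)]


def detect_and_remediate(events, initial_locations=("process", "file"),
                         widen_on_detection=True):
    """Record events at the selected locations, apply the rule after each one,
    widen recording once the endpoint is judged compromised, then walk forward
    from the compromised object and build a remediation plan."""
    graph = EventGraph(initial_locations)
    hit = None
    for ev in sorted(events, key=lambda e: e.seq):
        graph.record(ev)
        if hit is None:
            hit = rule_office_drops_and_runs(graph)
            if hit and widen_on_detection:
                graph.locations = set(ALL_LOCATIONS)  # security state changed
    if hit is None:
        return None
    root, since = hit
    affected = traverse_forward(graph, root, since)
    return {"root": root, "since": since, "affected": affected,
            "recorded": len(graph.edges()), "plan": remediation_plan(affected)}


if __name__ == "__main__":
    for step in detect_and_remediate(SAMPLE_EVENTS)["plan"]:
        print(*step)
```

Two things the sample shows that the claim text alone does not: with the initial location set limited to process events the file write is never recorded and the rule cannot fire, so location selection directly trades recording volume against detection coverage; and the network connection is only in the affected set because recording was widened at the moment of detection, which is the dynamic adjustment the abstract describes. The same graph would support a backward walk from the compromised process to the document that was read, but the claims only require the forward traversal.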