Forensic analysis of computing activity

US 10,516,682 B2
Filed: 04/05/2018
Issued: 12/24/2019
Est. Priority Date: 04/15/2016
Status: Active Grant

First Claim

Patent Images

1. A computer program product for forensic analysis for computer processes, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on a computing device, performs the steps of:

instrumenting a first endpoint to record a sequence of events causally relating computing objects, and to preserve events in the sequence of events for a predetermined time window, the predetermined time window having a longer duration for a first type of the computing objects than for a second type of the computing objects;

detecting a security event associated with one of the computing objects;

in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the computing objects associated with the security event to one or more preceding ones of the computing objects;

while traversing the event graph in the reverse order, identifying one of the computing objects as a cause of the security event; and

traversing the event graph forward from the cause of the security event to identify one or more other ones of the computing objects affected by the cause.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files. When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects. For a root cause analysis, the event graph may be traversed in a reverse order from the point of an identified security event (e.g., a malware detection event) to preceding computing objects, while applying one or more cause identification rules to identify a root cause of the security event. Once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised by the root cause.

Citations

19 Claims

1. A computer program product for forensic analysis for computer processes, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on a computing device, performs the steps of:
- instrumenting a first endpoint to record a sequence of events causally relating computing objects, and to preserve events in the sequence of events for a predetermined time window, the predetermined time window having a longer duration for a first type of the computing objects than for a second type of the computing objects;
  
  detecting a security event associated with one of the computing objects;
  
  in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the computing objects associated with the security event to one or more preceding ones of the computing objects;
  
  while traversing the event graph in the reverse order, identifying one of the computing objects as a cause of the security event; and
  
  traversing the event graph forward from the cause of the security event to identify one or more other ones of the computing objects affected by the cause.

2. A method for forensic analysis for computer processes, the method comprising:
- instrumenting a first endpoint to record a sequence of events causally relating computing objects, and to preserve events in the sequence of events for a predetermined time window, the predetermined time window having a longer duration for one type of the computing objects than for a second type of the computing objects;
  
  detecting a security event associated with one of the computing objects;
  
  in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the computing objects associated with the security event to one or more preceding ones of the computing objects;
  
  while traversing the event graph in the reverse order, identifying one of the computing objects as a cause of the security event;
  
  traversing the event graph forward from the cause of the security event to identify one or more other ones of the computing objects affected by the cause; and
  
  remediating one or more of the identified computing objects.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 3. The method of claim 2, wherein detecting the security event includes detecting a security compromise by applying static analysis to software objects on the first endpoint.
  - 4. The method of claim 2, wherein detecting the security event includes detecting a security compromise by applying behavioral analysis to code executing on the first endpoint.
  - 5. The method of claim 2, wherein detecting the security event includes detecting a hardware change.
  - 6. The method of claim 2, wherein detecting the security event includes detecting a potential data leakage.
  - 7. The method of claim 2, wherein the one or more computing objects include one or more types of computing objects selected from a group consisting of a data file, a process, an application, a registry entry, a network address, and a peripheral device.
  - 8. The method of claim 2, wherein the one or more computing objects include one or more network addresses, the one or more network addresses including at least one of a uniform resource locator (URL), an internet protocol (IP) address, and a domain name.
  - 9. The method of claim 2, wherein the one or more computing objects include one or more peripheral devices, the one or more peripheral devices including at least one of a universal serial bus (USB) memory, a camera, a printer, and a keyboard.
  - 10. The method of claim 2, wherein the one or more computing objects include at least one computing object on a device other than the first endpoint.
  - 11. The method of claim 10, wherein the device includes at least one of a second endpoint and a server.
  - 12. The method of claim 2, wherein identifying one of the computing objects as the cause of the security event includes associating the cause with one or more common malware entry points.
  - 13. The method of claim 12, wherein the one or more common malware entry points includes at least one of a word processing application, an electronic mail application, a spreadsheet application, a browser, and a universal serial bus (USB) drive.
  - 14. The method of claim 2, wherein identifying one of the computing objects as the cause of the security event includes associating the cause with a combination of a first process invoking a second process and then providing data to the second process.
  - 15. The method of claim 14, wherein the first process invoking the second process includes at least one of a spawning, a hijacking, and a remote launch over a network.
  - 16. The method of claim 14, wherein providing data to the second process includes creating a file for use by the second process.
  - 17. The method of claim 2, further comprising generating the event graph.
  - 18. The method of claim 2, wherein remediating the one or more identified computing objects includes one or more of displaying the identified computing objects to a user or deleting one or more of the identified computing objects.

19. A system for forensic analysis for computer processes comprising:
- a first endpoint;
  
  a data recorder instrumented to record a sequence of events causally relating computing objects, and to preserve events in the sequence of events for a predetermined time window, the predetermined time window having a longer duration for a first type of the computing objects than for a second type of the computing objects; and
  
  a processor and a memory disposed on the first endpoint or in communication with the first endpoint, the memory bearing computer code that, when executing on the processor, performs the steps of;
  
  detecting a security event associated with one of the computing objects;
  
  in response to detecting the security event, traversing an event graph based on the sequence of events in a reverse order from the one of the computing objects associated with the security event to one or more preceding ones of the computing objects;
  
  while traversing the event graph in the reverse order, identifying one of the computing objects as a cause of the security event;
  
  traversing the event graph forward from the cause of the security event to identify one or more other ones of the computing objects affected by the cause;
  
  examining the identified computing objects affected by the cause; and
  
  remediating compromised examined computing objects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ladnai, Beata, Harris, Mark David, Thomas, Andrew J., Smith, Andrew G. P., Humphries, Russell, Ray, Kenneth D.
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/946,026
Publication Number

US 20180227320A1
Time in Patent Office

628 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06Q 10/063   Operations research, analys...

G06Q 50/26   Government or public servic...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Forensic analysis of computing activity

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Forensic analysis of computing activity

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links